In recent years, cyberspace surveying and mapping has emerged as an interdisciplinary frontier that combines network communication technology, cyberspace security, and geography.
The field focuses on constructing "holographic maps" of cyberspace information, and aims to build an infrastructure for real-time observation, accurate sampling, mapping and use of global networks.
Through network probing, data collection, information aggregation, in-depth analysis and visualization, cyberspace mapping models and expresses the attributes of cyberspace resources and the relationships between them, producing a holographic digital map and visual representation of every element of global cyberspace, so as to reflect changes in the state, network behavior and user intent of those resources.
In the digital era, cyberspace mapping is regarded as one of the infrastructures of digital production, daily life and governance. Its role is not limited to providing a detailed map of the global network; it also interacts with the development and evolution of cyberspace itself, and offers new perspectives and advanced technologies for building a global community with a shared future in cyberspace.
In terms of application scenarios, cyberspace surveying and mapping mainly involves three areas: network security, digital management, and the mapping-defined network. Of these three directions, network security applications can be described as where mapping began. So what role does cyberspace mapping play in the field of security?
Since 2008, work on cyberspace resource surveying and mapping has emerged both in China and abroad. Among these countries, country M was the earliest to carry out such work and has the most mature practice, having made systematic progress in both cyberspace resource mapping and its commercial application.
In country M, the SHINE (SHodan INtelligence Extraction) program was launched in 2008. It focuses on monitoring and analyzing the network and security situation of equipment related to country M's critical infrastructure, with the goal of providing the basic support for the country's critical infrastructure protection framework and strong backing for cyberspace security.
In November 2012, the Defense Advanced Research Projects Agency (DARPA) of country M released the "Plan X" program, which was later renamed Project Ike. The program aims to build a digital map to support cyberspace operations, enabling personnel to visually establish, execute and refine cyberspace operation plans.
This initiative promoted the application of digital-map technology in the field of political affairs, providing new tools and perspectives for both defense and attack in cyberspace.
In 2013, the "Treasure Map" project used whole-network data to carry out multi-level, large-scale information detection and analysis. Its goal was to monitor the dynamics of every device in cyberspace at any place and any time, and to draw a near-real-time, interactive, multi-dimensional map of global cyberspace. The initiative spurred technological innovation and development in cyberspace mapping worldwide.
In the commercial field, a series of Internet cyberspace mapping and resource retrieval systems and services open to the public have also been launched in China and abroad.
Early examples were shodan.io and censys.io abroad, and zoomeye.org and fofa.so in China. These systems and services probe networked devices and services worldwide and, together with their user communities, collect and disclose vulnerability data, forming an Internet service model that integrates community operation, cyberspace mapping, asset data search and vulnerability risk correlation. These platforms not only export some of their capabilities to other domains, but also facilitate information sharing and cooperation on a global scale.
In today's cybersecurity field, the design ideas and initial concepts of several active commercial cyberspace mapping systems can be traced back to an anonymous hacker report published in 2012, the Internet Census 2012.
The report describes the first use of the Nmap Scripting Engine (NSE) to detect a staggering number of embedded devices on the Internet that had no authentication or only default credentials, and the compromise of these devices to build the Carna Botnet, a botnet of approximately 420,000 probes.
The Carna Botnet was then used to scan the entire IPv4 address space, covering common ports, ICMP pings, reverse DNS and SYN scans. By analyzing the scan data, the researchers estimated IP address utilization, and finally presented a dynamic graph of global IP usage in the report.
This early, anonymous report already shows the main technical ideas and working steps that current cyberspace mapping systems follow. Commercial systems often borrow these ideas: using mature scanning engines (such as Nmap), building large probe networks, scanning the network extensively for devices and ports, and presenting a multi-dimensional picture of network status through data analysis and visualization.
These design ideas emphasize all-round observation and probing of cyberspace, giving cybersecurity practitioners a deeper and more comprehensive understanding with which to recognize and respond to potential cyber threats. In the development of commercial systems, these initial concepts laid the foundation for more powerful and intelligent network mapping tools, thereby raising the overall level of cybersecurity.
Basic probing
The concepts and techniques of the basic probing component of cyberspace mapping systems derive mainly from two open-source projects: Network Mapper (Nmap) and ZMap.
Nmap is a network scanning engine first released by Gordon Lyon in 1997; it is widely used in network management and network security to detect and analyze hosts and devices by sending packets and analyzing the replies. ZMap was released in 2013 by Zakir Durumeric, Eric Wustrow and J. Alex Halderman at the University of Michigan, primarily for cybersecurity research.
Nmap and ZMap use similar packet-sending and reply-analysis techniques in their basic probing. The difference is that ZMap decouples packet sending from reply analysis and uses stateless scanning, i.e. it never completes the full TCP three-way handshake. This is what gives ZMap its large-scale, single-pass probing capability. ZMap's architecture diagram illustrates its technical implementation and composition.
Masscan, another open-source project built on the ideas of ZMap, also uses stateless scanning. With PF_RING, Masscan can scan the entire Internet in as little as 6 minutes. Beyond the underlying scanning engine, the number, quality and distribution of probe nodes in a cyberspace mapping system are also important factors that determine its probing capability.
These open-source projects give cyberspace mapping systems powerful foundational probing capabilities, enabling efficient and accurate network scanning on a global scale. Their development has provided powerful tools for cybersecurity research and network management, and has promoted the wide practical adoption of cyberspace mapping systems.
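As an added illustration of the stateless design that ZMap and Masscan share, not code from either project: instead of keeping a table of outstanding probes, the send side derives each SYN's sequence number from a keyed hash of the target, and the receive side recognizes a SYN-ACK by recomputing that value, so the two halves need no shared state. The HMAC-SHA256 construction, the scan key and the sample replies are constructed assumptions for this example.

```python
import hashlib
import hmac
import ipaddress
import struct

# Per-scan secret (constructed for this example).
SCAN_KEY = b"constructed-example-key"

def probe_seq(dst_ip: str, dst_port: int) -> int:
    """Sequence number to place in the SYN sent to dst_ip:dst_port.

    Derived from a keyed hash of the target rather than stored, so the
    receive side needs no per-target state to recognise the reply later.
    """
    msg = ipaddress.IPv4Address(dst_ip).packed + struct.pack("!H", dst_port)
    digest = hmac.new(SCAN_KEY, msg, hashlib.sha256).digest()
    return struct.unpack("!I", digest[:4])[0]

def expected_ack(ip: str, port: int) -> int:
    """What a genuine target echoes back in its SYN-ACK: our seq + 1 (mod 2^32)."""
    return (probe_seq(ip, port) + 1) & 0xFFFFFFFF

def validate_synack(src_ip: str, src_port: int, ack_num: int) -> bool:
    """A SYN-ACK belongs to this scan iff its ACK matches the recomputed value."""
    return ack_num == expected_ack(src_ip, src_port)

def classify_responses(responses):
    """responses: (src_ip, src_port, tcp_flags, ack_num) tuples seen by the
    receive side. Returns (validated open ports, rejected packet count)."""
    open_ports, rejected = [], 0
    for src_ip, src_port, flags, ack in responses:
        if flags == "SA" and validate_synack(src_ip, src_port, ack):
            open_ports.append((src_ip, src_port))
        else:
            rejected += 1  # RST/ACK (closed port) or a reply we never solicited
    return open_ports, rejected

# Constructed replies (TEST-NET addresses): one open port, one closed port,
# and one SYN-ACK from a host we never probed, carrying an arbitrary ACK.
CONSTRUCTED_RESPONSES = [
    ("192.0.2.10", 443, "SA", expected_ack("192.0.2.10", 443)),
    ("192.0.2.11", 443, "RA", expected_ack("192.0.2.11", 443)),
    ("198.51.100.7", 443, "SA", 12345),
]

if __name__ == "__main__":
    print(classify_responses(CONSTRUCTED_RESPONSES))
```

The same recomputation is what lets the receive side discard unsolicited or forged replies without ever having seen the corresponding probe go out.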
Product Identification
In cyberspace surveying and mapping, scanning and probing yield large volumes of data; analyzing and identifying those data at the product and device level is what gives the mapped assets practical meaning. Asset identification is done mainly through correlation analysis of data such as IP attributes and product information.
Identification of mapped assets relies mainly on analysis of the probed component resource data and service resource data. To identify the entire attack surface of an IP, the following techniques and strategies are required:
Port policy: determines how many ports to probe in order to obtain a complete picture of the target's open ports.
Protocol identification: determines how many protocols can be probed, so as to identify the various network protocols running on the target system.
Product identification: determines how many devices or components can be recognized, by analyzing the product information in the data to understand the hardware and software used by the target system.
Service identification: determines how many application services can be recognized, analyzing the services running on the target system to understand its functions and service providers.
In practice, cyberspace mapping systems have thus built up a port policy, a protocol library and a product feature identification database. The product feature identification database in particular, also known as the product fingerprint database, has become one of the most important indicators of such systems.
On the basis of product identification, some systems build an asset object library by correlating asset data attributes, so as to gain a more comprehensive understanding of the devices, components and services in the target cyberspace. The results of this analysis and identification provide valuable information for cybersecurity research and network management, helping to identify and manage the cyber attack exposure surface effectively.
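As an added example of how a product fingerprint database turns probe results into identified assets, as this section describes (not the code of any of the platforms named above): a small set of constructed regex fingerprints is matched against constructed banners, and the per-port protocol/product/version results are associated back to their IP to form an asset object. Fingerprint rules, banners and addresses are all constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed fingerprint library (not any commercial platform's database):
# each rule maps a regex over the raw banner to protocol/product/version.
FINGERPRINTS = [
    {"protocol": "http", "product": "nginx",
     "pattern": re.compile(r"^Server:\s*nginx(?:/(?P<version>[\d.]+))?", re.M)},
    {"protocol": "http", "product": "Apache httpd",
     "pattern": re.compile(r"^Server:\s*Apache(?:/(?P<version>[\d.]+))?", re.M)},
    {"protocol": "ssh", "product": "OpenSSH",
     "pattern": re.compile(r"^SSH-2\.0-OpenSSH_(?P<version>[\w.]+)")},
    {"protocol": "ftp", "product": "vsftpd",
     "pattern": re.compile(r"^220 \(vsFTPd (?P<version>[\d.]+)\)")},
]

@dataclass
class Asset:
    """One IP with its per-port identifications (the 'asset object')."""
    ip: str
    services: dict = field(default_factory=dict)  # port -> identification

def identify_banner(banner: str) -> dict:
    """Match one banner against the fingerprint library.
    Unmatched banners are kept as 'unknown' so coverage gaps stay visible."""
    for fp in FINGERPRINTS:
        m = fp["pattern"].search(banner)
        if m:
            return {"protocol": fp["protocol"], "product": fp["product"],
                    "version": m.groupdict().get("version")}
    return {"protocol": "unknown", "product": "unknown", "version": None}

def build_assets(observations):
    """observations: (ip, port, banner) tuples from the probing stage.
    Associates each port's identification back to its IP."""
    assets = {}
    for ip, port, banner in observations:
        asset = assets.setdefault(ip, Asset(ip))
        asset.services[port] = identify_banner(banner)
    return assets

# Constructed sample banners standing in for probe results (TEST-NET addresses).
OBSERVATIONS = [
    ("192.0.2.10", 22, "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n"),
    ("192.0.2.10", 80, "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\n\r\n"),
    ("192.0.2.10", 8080, "HTTP/1.1 200 OK\r\nServer: CustomApp\r\n\r\n"),
    ("192.0.2.20", 21, "220 (vsFTPd 3.0.3)\r\n"),
]
```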
(To be continued)