No exaggeration or criticism! A rational view of the value and application challenges of cyberspace mapping technology

The protection principle that "what cannot be seen cannot be secured" has become an industry consensus, and it has drawn more corporate attention to the emerging field of cyberspace mapping technology. The technology is expected to provide a comprehensive grasp and panoramic display of the resources in cyberspace and to build a holographic map connecting cyberspace and the real world, which is of great significance for grasping the global network security situation and enhancing the social governance capacity of cyberspace. From the perspective of practical application, how should we evaluate the value of cyberspace mapping technology? What challenges will its future development face?

1. Overview of Cyberspace Mapping Technology

Cyberspace mapping technology refers to the theory and technology that take cyberspace resources as their object. It builds on computer science, network science, mapping science and information science, and uses network detection, network analysis, entity positioning, geographic mapping and geographic information system technologies. Through detection, collection, processing, analysis and display, it obtains the location, attributes and topological structure of the physical and virtual resources in cyberspace, maps them to geographic space, draws their coordinates, topology, surrounding environment and other information as maps or other visual forms, displays the related situation, and supports spatial analysis and application on that basis.

The cyberspace mapping technology system mainly includes detection, analysis, positioning, verification, mapping and application technologies. It works as a cycle of "detection, analysis/positioning, mapping and application": various cyberspace resources are detected collaboratively, the detected data undergoes fusion analysis and multi-domain mapping, and a cyberspace resource knowledge base is formed. On this basis, a holographic map of cyberspace resources is constructed through multi-domain superposition and comprehensive mapping, the map is applied on demand according to the goals of each scenario, and mapping capabilities are continuously improved through iterative evolution.

[Figure: Cyberspace mapping technology system]

According to the content of cyberspace resources, the development of cyberspace mapping technology can be roughly divided into three stages:

[Figure: Three stages of the development of cyberspace mapping technology]

Stage 1: IP + device resources. In the first stage of the development of cyberspace mapping technology, cyberspace resources mainly comprise IPs and devices, together with the hardware attributes and business attributes of the Internet exposure surface. Resources are divided into the physical, network, transport and application layers. The physical layer corresponds to the hardware layer in the implementation model, the network and transport layers correspond to the operating system, and the application layer corresponds to applications, application frameworks, middleware and databases.

The cyberspace mapping platform scans IP addresses to detect open ports and fingerprint information, and uses the fingerprints to determine the hardware type, manufacturer, brand, model, operating system, service, application and version. In this way it establishes the hardware attributes and business attributes of each IP address. This stage mainly scans the fingerprint information of IP addresses, matches it against known vulnerabilities, and identifies the risks each IP address faces, so as to give early warning of risks across the whole of cyberspace.

Stage 2: IP + device + location resources. This stage adds the positioning of cyberspace resources and links the geographic, network and communication attributes of assets. Geographic attributes are location information such as the country, district, county and block, as well as longitude and latitude. The IP address is used to determine the specific geographic location and the corresponding enterprise, and then the type of enterprise (for example a financial company or a security company) or the relevant national critical infrastructure (water conservancy, banks, transportation, power plants and so on); the nature of the critical infrastructure indicates the application scenario.

Stage 3: the cyberspace resource system. The cyberspace resources in this stage are divided into four levels: geographical environment, network environment, behavioral subject and business environment. These levels are interconnected and influence each other, and together they constitute the cyberspace resource system.

Cyberspace resource system

  • Geographic environment layer. It mainly includes the geographical attributes of cyberspace resources, such as the geographical location, spatial distribution and characteristics of network infrastructure and network behavior entities, involving concepts such as distance, scale, boundary, and spatial mapping.
  • Network environment layer. It mainly consists of nodes and links formed by various network space resources, that is, logical topology relationships, which can be divided into physical environment and logical environment, including various network devices, network applications, software, data, IP, protocols, etc.
  • Behavior subject layer. It includes physical roles and virtual roles, and focuses on the interactive behaviors of network behavior subjects (i.e. physical roles or virtual roles) and their social relationships, including information flow, virtual communities, public activity spaces, etc.
  • Business environment layer. Mainly includes various types of network security incidents (cases) that the business department focuses on, network security service entities, network security protection objects, etc.

2. The value of cyberspace mapping technology

Advantages of Cyberspace Mapping Technology

  • More data support. The mapping and integration of cyberspace resource geographic data, network data, behavioral subject data, and related business data provide more data support for cyberspace big data mining and application.
  • Holographic map display. The cyberspace resource holographic map comprehensively describes and displays cyberspace information.
  • Situational awareness and information control. Within a unified space-time framework, cyberspace mapping results and geographic space information are seamlessly integrated, mined and applied to achieve cyberspace situational awareness and information control.
  • Internet-related incident monitoring and early warning. Comprehensive analysis of cyberspace resources and events makes event warning and handling more intelligent, automated and visual.

The shortcomings of cyberspace mapping technology

  • There is a lack of unified standards and specifications. For example, a relatively systematic classification system for cyberspace elements has not yet been formed, and the design and expression of cyberspace map symbols remain undefined.
  • Network measurement technology is immature. It can only detect and analyze cyberspace infrastructure and logical topology, and cannot accurately detect all the resources in cyberspace. Full-spectrum detection is difficult, detection capabilities are insufficient, and detection of cloud computing networks is harder still, with low accuracy.
  • The mapping technology is immature, and there is a lack of systematic and mature technical ideas for projecting high-dimensional, dynamic virtual resources into geographic space.
  • Visualization technology is immature. The early development of cyberspace visualization expression faced problems such as weak theoretical foundation and immature technology.

3. Application of cyberspace mapping technology

The essence of cyberspace mapping technology is to visualize cyberspace: it displays network information comprehensively in the form of cyberspace maps, makes cyberspace visual and digital, and gives decision makers intuitive and valuable information that improves the accuracy of decision-making. Cyberspace mapping technology is mainly used in three application scenarios: asset discovery, identification and risk control; cyberspace service evaluation; and visual analysis of network security incidents.

Application scenario 1: asset discovery, identification and risk control

By identifying and controlling network assets through cyberspace mapping technology, we can better protect the data of individuals and organizations and prevent existing and potential risks.

The specific functions are as follows:

(1) Asset discovery and identification: Assets are automatically acquired through active scanning and traffic monitoring, and the assets of interest are analyzed and counted, making it easier to understand and control important information system assets, IoT device assets, etc.

(2) Monitor business risks caused by vulnerabilities: Determine the number of assets affected by vulnerabilities based on the system's pre-set common and popular vulnerabilities and the component characteristics of assets; based on statistical analysis of assets and vulnerabilities, provide situational awareness and alerting on asset quantity, distribution, component usage, vulnerabilities and threatened assets, to achieve security monitoring of assets and vulnerabilities.

(3) Warning of illegal external connections and data leakage risks: Automatically discover and manage devices that are connected to both the intranet and the Internet, and report the device's intranet IP address, Internet exit IP address, external connection time, and visited URLs. Automatically discover risky device points connected to the Internet in the intranet environment, report device information, and issue timely warnings.

(4) Asset assessment and management: Monitor whether asset equipment is used in compliance with policy; discover irregularities within the enterprise; push asset vulnerability notifications accurately and combine them with special vulnerability scans and weak password scans to achieve comprehensive detection and assessment of the compliance, irregularities, survivability and vulnerability of intranet assets.

(5) Anti-fraud in cyberspace: Draw a diagram of the network nodes and network connections of devices in cyberspace and create a portrait of each device; combine risk control theory with the practice of anti-fraud and black and gray industry detection to provide accurate identity recognition for e-commerce, payment, online credit and other industries.
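An added example, not code from the original article or from any mapping platform: the fingerprint-to-attribute identification and known-vulnerability matching described for stage 1, together with the affected-asset counting in function (2) above. Product names, banners, advisory IDs and versions are constructed placeholders, and the records stand for scan results from an organization's own address space.

```python
import re
from collections import Counter

# Fingerprint rules (constructed): banner regex -> (asset type, vendor, product).
FINGERPRINTS = [
    (re.compile(r"^Server: ExampleHTTPd/(?P<ver>[\d.]+)"), ("web server", "ExampleSoft", "ExampleHTTPd")),
    (re.compile(r"^SSH-2\.0-DemoSSH_(?P<ver>[\d.]+)"), ("ssh service", "DemoOrg", "DemoSSH")),
    (re.compile(r"DemoCam firmware v(?P<ver>[\d.]+)"), ("ip camera", "DemoCam Inc", "DemoCam")),
]

# Pre-set vulnerability knowledge base (constructed placeholders, not real advisories):
# product -> list of (advisory id, first fixed version).
ADVISORIES = {
    "ExampleHTTPd": [("ADV-EXAMPLE-001", "2.4.10")],
    "DemoCam": [("ADV-EXAMPLE-002", "1.3")],
}

# Scan records from the organization's own address space (constructed sample data).
SCAN_RECORDS = [
    {"ip": "192.0.2.10", "port": 80, "banner": "Server: ExampleHTTPd/2.4.9"},
    {"ip": "192.0.2.11", "port": 80, "banner": "Server: ExampleHTTPd/2.4.10"},
    {"ip": "192.0.2.20", "port": 22, "banner": "SSH-2.0-DemoSSH_8.1"},
    {"ip": "192.0.2.30", "port": 554, "banner": "RTSP/1.0 200 OK DemoCam firmware v1.2.7"},
    {"ip": "192.0.2.31", "port": 80, "banner": "Server: httpd"},  # product details stripped
]

def version_key(version):
    """Turn '2.4.9' into (2, 4, 9) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split(".") if part)

def identify(record):
    """Map one banner to asset attributes; unmatched banners stay 'unknown'."""
    for pattern, (kind, vendor, product) in FINGERPRINTS:
        match = pattern.search(record["banner"])
        if match:
            return {**record, "type": kind, "vendor": vendor,
                    "product": product, "version": match.group("ver")}
    return {**record, "type": "unknown", "vendor": None, "product": None, "version": None}

def affected_by(asset):
    """Return advisory ids whose first fixed version is newer than the asset's version."""
    if asset["product"] is None:
        return []
    return [adv for adv, fixed in ADVISORIES.get(asset["product"], [])
            if version_key(asset["version"]) < version_key(fixed)]

def build_report(records):
    """Identify every asset, match advisories, and count affected assets per advisory."""
    assets = [identify(r) for r in records]
    findings = {a["ip"]: affected_by(a) for a in assets}
    per_advisory = Counter(adv for advs in findings.values() for adv in advs)
    unidentified = [a["ip"] for a in assets if a["type"] == "unknown"]
    return {"findings": findings, "per_advisory": dict(per_advisory), "unidentified": unidentified}

if __name__ == "__main__":
    report = build_report(SCAN_RECORDS)
    for ip, advs in report["findings"].items():
        print(ip, advs or "no match")
    print("affected per advisory:", report["per_advisory"])
    print("needs manual identification:", report["unidentified"])
```

Assets whose banners carry no product details are listed separately instead of being counted as unaffected, since a stripped fingerprint says nothing about the version actually running.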

[Figure: Asset Valuation Framework]
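An added example of the report in function (3) above, not taken from the original article: it groups unsanctioned Internet access by intranet device and outputs the intranet IP, exit IP, first connection time and visited URLs. It assumes a monitoring point that records each device's intranet IP together with the Internet exit IP it was seen using; the intranet range, approved gateway and log lines are constructed.

```python
import ipaddress
from datetime import datetime

INTRANET = ipaddress.ip_network("10.20.0.0/16")          # assumed intranet range
APPROVED_EXITS = {ipaddress.ip_address("198.51.100.5")}  # assumed sanctioned gateway

# Constructed events: "<ISO time> <device intranet IP> <Internet exit IP> <URL>"
LOG_LINES = [
    "2024-05-06T09:00:12 10.20.1.15 198.51.100.5 https://updates.example.com/a",
    "2024-05-06T09:03:40 10.20.3.77 203.0.113.44 https://files.example.net/upload",
    "2024-05-06T09:05:02 10.20.3.77 203.0.113.44 https://mail.example.org/",
    "2024-05-06T09:07:19 172.16.9.9 203.0.113.80 https://www.example.com/",
    "malformed line",
]

def parse_line(line):
    """Return (time, device_ip, exit_ip, url), or None for a malformed record."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return (datetime.fromisoformat(parts[0]), ipaddress.ip_address(parts[1]),
                ipaddress.ip_address(parts[2]), parts[3])
    except ValueError:
        return None

def find_external_connections(lines):
    """Group Internet access that bypassed the approved gateway by intranet device."""
    alerts = {}
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue  # skip records that cannot be parsed
        when, device, exit_ip, url = event
        if device not in INTRANET or exit_ip in APPROVED_EXITS:
            continue  # not an intranet asset, or traffic left through the approved gateway
        alert = alerts.setdefault(str(device), {
            "intranet_ip": str(device), "exit_ips": set(), "first_seen": when, "urls": []})
        alert["exit_ips"].add(str(exit_ip))
        alert["first_seen"] = min(alert["first_seen"], when)
        if url not in alert["urls"]:
            alert["urls"].append(url)
    return [alerts[key] for key in sorted(alerts)]

if __name__ == "__main__":
    for alert in find_external_connections(LOG_LINES):
        print(alert["intranet_ip"], sorted(alert["exit_ips"]),
              alert["first_seen"].isoformat(), alert["urls"])
```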

Application scenario 2: Cyberspace service evaluation

Cyberspace services refer to various ubiquitous application services in cyberspace (such as website services). The goal of cyberspace service mapping is to use active and passive collaborative detection and intelligent analysis methods to discover dynamic, time-varying, and hidden service attributes and relationships, and to visualize them through "maps" to support various applications of cyberspace security.

[Figure: Cyberspace Service Evaluation Framework]

The specific functions are as follows:

(1) Discover and identify specific services: Obtain information about specific services through active scanning, traffic monitoring, and other detection methods. Analyze and collect statistics on specific services of interest to facilitate understanding of specific services.

(2) Evaluate service status: Draw a status diagram of the service impact range in cyberspace, and provide accurate attack effect evaluation for applications such as the cyber ranges used in network attack and defense exercises.

(3) User analysis of specific services: Draw a connection diagram between services and users in cyberspace, and conduct group analysis on users and potential users of specific services.

(4) Service recommendation for specific users: Draw a service-to-service connection diagram in cyberspace and make service recommendations for specific users.

Application scenario 3: Visual analysis of network security incidents

Visual analysis of cybersecurity incidents means visually analyzing complex and dynamic incidents according to changes in factors such as the subject, object and impact of the behavior; analyzing the driving factors and internal mechanisms of the incidents; achieving situational awareness and early warning; and presenting incident portraits and processes on cyberspace maps.

[Figure: Cybersecurity incident visualization example]

Specific functions include: real-time monitoring of network attacks, tracking and tracing of network security incidents, network security situation awareness, notification and warning, emergency response, investigation and crackdown, command and dispatch, etc.

The entire process of network security incident analysis is displayed in a centralized manner through spatial maps and network maps. Artificial intelligence and big data analysis technologies are combined to profile attack incidents, attackers, and attack methods. The full life cycle scenario of cyberspace elements, model operations, and emergency response is displayed.

4. Development and challenges of cyberspace mapping technology

Although the concepts behind cyberspace mapping technology have been widely recognized by academia and industry, its standards and specifications still suffer from problems such as unclear concepts and inconsistent definitions. At the same time, with the rapid promotion and popularization of emerging technologies such as IPv6, the Internet of Things, cloud computing and 4G/5G, cyberspace is becoming increasingly large and complex, which also brings huge challenges to cyberspace mapping.

Specifically, the challenges are:

(1) Research on cyberspace resource mapping technology is still in its infancy. The industry has not yet formed a unified understanding of cyberspace resource mapping technology, and lacks a top-level design for the cyberspace resource mapping technology system. In terms of mapping technology, there is a lack of systematic and mature technical ideas on how to map high-dimensional and dynamic virtual resources and how to project multiple types of resources in cyberspace into geographic space and map them. In terms of cyberspace elements, a relatively systematic classification system for cyberspace elements has not yet been formed.

(2) With the rapid promotion and application of emerging technologies such as IPv6, the Internet of Things, cloud computing and 4G/5G, cyberspace is becoming increasingly large and complex, bringing huge challenges to cyberspace mapping. For example, the widespread adoption of IPv6 has made full-spectrum detection harder. Theoretically, the IPv6 address space can reach 2 to the 128th power (2^128) addresses, which is almost infinite. In addition, the IPv6 address space is sparse, so the detection and identification techniques used for IPv4 cannot be applied, and full-spectrum detection is very difficult.

The rapid increase in IoT devices has raised the demand for IoT detection capabilities. A large number of IoT devices are now distributed across enterprises, homes and individuals, and their relatively weak security can easily lead to large-scale attacks such as DDoS. This means that large-scale detection capabilities for IoT devices also need to improve rapidly. Computing is also moving to the cloud: a large number of services are migrating to cloud networks, and computing resources are becoming further centralized and scaled. Features such as virtualization, elastic computing and cloud protection have subverted traditional network models and are evolving rapidly, making it more difficult for security personnel to detect cloud computing networks and reducing accuracy.

(3) To avoid detection, a large number of devices have removed product features and reduced their exposure, making it increasingly difficult to accurately identify device attributes. At the same time, traffic monitoring based on national characteristics has also made a large number of nodes difficult to reach.

In view of this, for cyberspace asset mapping technology to be put into practice, rapid improvement is needed in the following areas: establishing a unified map symbol standard, establishing a unified element classification system, raising the level of surveying and mapping technology, and raising the level of visualization technology.

Specifically:

(1) Establish a unified map symbol standard. The design and expression of cyberspace map symbols remain undefined. There is an urgent need for a mature and complete set of cyberspace resource visualization symbol standards that can be applied to the visual expression of cyberspace maps and promote the further application of cyberspace resource mapping results. Based on in-depth research on the types and hierarchical division of cyberspace mapping resources, and with reference to map symbol design, factors such as the attributes, levels and actual uses of the various virtual and physical resource elements in cyberspace should be combined into a complete, reasonable, targeted and scalable symbol expression specification that provides a basis and standard for the multi-dimensional visual expression of cyberspace resources.

(2) Establish a unified element classification system. The classification of cyberspace elements is the basis for visualizing them. However, a relatively systematic cyberspace element classification system has not yet been formed. We should refer to the theories, methods and technical means of geographic spatiotemporal data models, and establish a cyberspace element standard system that can effectively express the spatiotemporal semantics of cyberspace elements based on their structure and characteristics and on the needs of network security services, so as to achieve a unified description and effective application of the various cyberspace elements.

(3) Improve the level of surveying and mapping technology. In terms of mapping technology, domestic and foreign research teams have proposed some guidelines, such as telecommunication network analysis methods for cyberspace geographic images, several rules for cyberspace landscape mapping, and topological visualization. However, existing research is mainly based on the visualization of physical devices and topological relationships in geographic space. There is a lack of systematic and mature technical ideas on how to map high-dimensional and dynamic virtual resources and how to project multiple types of resources in cyberspace into geographic space and map them. New theoretical models for cyberspace resource mapping should be studied in combination with visualization, graphics, artificial intelligence, machine learning, data mining theory and methods.

(4) Improve the level of visualization technology. The early development of cyberspace visualization expression faces problems such as weak theoretical foundation and immature technology. A mechanism of multi-faceted collaboration and multi-disciplinary cross-integration should be established to meet the business application needs of cyberspace visualization expression.
