CN113407880A - Access behavior identification method suitable for encrypted HTTP/2 webpage - Google Patents

Access behavior identification method suitable for encrypted HTTP/2 webpage Download PDF

Info

Publication number
CN113407880A
CN113407880A CN202110490616.1A CN202110490616A CN113407880A CN 113407880 A CN113407880 A CN 113407880A CN 202110490616 A CN202110490616 A CN 202110490616A CN 113407880 A CN113407880 A CN 113407880A
Authority
CN
China
Prior art keywords
webpage
web
fingerprint
http
tls
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110490616.1A
Other languages
Chinese (zh)
Inventor
王伟平
诸亿郎
宋虹
王建新
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Central South University
Original Assignee
Central South University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Central South University filed Critical Central South University
Priority to CN202110490616.1A priority Critical patent/CN113407880A/en
Publication of CN113407880A publication Critical patent/CN113407880A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90Details of database functions independent of the retrieved data types
    • G06F16/95Retrieval from the web
    • G06F16/958Organisation or management of web site content, e.g. publishing, maintaining pages or automatic linking
    • G06F16/972Access to data in other repository systems, e.g. legacy data or dynamic Web page generation
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/02Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/50Network services
    • H04L67/60Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Databases & Information Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention discloses an access behavior identification method suitable for an encrypted HTTP/2 webpage, which comprises the steps of firstly extracting information of the encrypted HTTP/2 webpage as fingerprint characteristics of the webpage. The TLS flow to the website is then monitored and blocked when there are concurrent requests. And extracting all response data transmitted between two adjacent requests, and matching the response data in a preset sliding time window with the fingerprint characteristics. The invention fully utilizes the characteristics of HTTP/2 and TLS protocols, restores the transmission flow characteristics into a recognizable mode by blocking the HTTP/2, extracts the plaintext domain name attribute and the ciphertext data packet attribute in TLS flow on the premise of not decrypting the user access flow to recognize the access behavior of the encrypted HTTP/2 webpage, has higher reliability and stability, and solves the problem that the existing webpage fingerprint recognition technology cannot recognize the access behavior of the encrypted HTTP/2 webpage adopting the TLS protocol.

Description

Access behavior identification method suitable for encrypted HTTP/2 webpage
Technical Field
The invention belongs to the field of network security, and particularly relates to an access behavior identification method suitable for an encrypted HTTP/2 webpage.
Background
In recent years, with the development of internet technology, more and more websites adopt the TLS protocol to transmit web page content, which brings about a small challenge to the management of internet behavior. This is because, when a user accesses a certain web page, the TLS protocol encrypts the web page contents using a negotiated encryption algorithm, and the internet behavior management system cannot recognize the web page access behavior of the user by analyzing the transmitted plaintext contents as in the past.
In order to solve the problem, some internet behavior management systems decrypt the page content accessed by the user by deploying a CA certificate at the user end and acting on the TLS access traffic of the user, so as to identify the webpage access behavior of the user. However, this approach is expensive to manage and may violate the privacy of the user, and is currently being replaced by web fingerprinting technology. Because the TLS protocol does not significantly change the characteristics of the size, the transmission direction, the transmission sequence, the transmission interval and the like of the data packet during the transmission of the webpage content, the webpage fingerprint identification technology utilizes the characteristics to construct the fingerprint of the webpage, thereby identifying the webpage access behavior. However, as the current HTTP/2 protocol is increasingly popular, new problems are encountered in the web page fingerprint identification technology.
The HTTP/2 protocol is a newer version of the HTTP/1.1 protocol, with the greatest improvement in traffic transmission being the introduction of a multiplexing mechanism. Compared with the HTTP/1.1 protocol which can only receive one request response at a time, the multiplexing mechanism enables the HTTP/2 protocol to receive a plurality of request responses simultaneously, and the efficiency of flow transmission is greatly improved. However, this mechanism changes the transmission mode of HTTP web content so that the packet characteristics at the time of transmission are no longer available. Therefore, the above-mentioned web fingerprinting technology is no longer applicable to encrypted HTTP/2 web pages using the TLS protocol.
Disclosure of Invention
In order to solve the technical problem that the access behavior cannot be identified when the encrypted HTTP/2 webpage based on the TLS protocol is accessed at present, the invention provides an access behavior identification method suitable for the encrypted HTTP/2 webpage.
In order to achieve the technical purpose, the technical scheme of the invention is that,
an access behavior identification method suitable for encrypting HTTP/2 web pages comprises the following steps:
step 1: extracting information of the encrypted HTTP/2 webpage as fingerprint characteristics of the webpage;
step 2: monitoring TLS flow of an access website, and blocking when a concurrent request exists so as to convert the concurrent request into a form of sending a next request after a single request is sent and a response is received;
and step 3: and extracting all response data transmitted between two adjacent requests, matching the response data in a preset sliding time window with the fingerprint characteristics, and if the response data is completely matched with the fingerprint characteristics, determining that a behavior of accessing the webpage exists in the time window corresponding to the corresponding request.
The access behavior identification method suitable for the encrypted HTTP/2 webpage comprises the following steps of 1:
step 101: the method comprises the steps that different browsers are used for accessing the same encrypted HTTP/2 webpage for multiple times at different times, and plaintext flow and ciphertext flow accessed by the webpage under various conditions are obtained;
step 102: and extracting the type, the domain name and the corresponding ciphertext length average value of each Web resource contained in the webpage from the plaintext flow and the ciphertext flow, and taking the extracted type, the domain name and the corresponding ciphertext length average value as the fingerprint characteristic of the webpage.
In the step 101, at least 4 browsers are used to access the encrypted HTTP/2 webpage at least 10 random time points with an interval of more than 6 hours, and plaintext traffic and ciphertext traffic of at least 40 accesses are acquired to form a data set.
The access behavior identification method suitable for the encrypted HTTP/2 webpage comprises the step 102 of extracting each Web resource R contained in the webpage from plaintext flow and ciphertext flowiType T (R)i) Domain name N (R)i) And the corresponding ciphertext length mean value E (R)i) Wherein i is more than or equal to 1 and less than or equal to N, and N is the number of Web resources contained in the webpage; then, constructing the fingerprint characteristics of the webpage as follows: FP ═ F (FR)i|1≤i≤N,T(Ri) E.g., TP }, where FR isi={N(Ri),L(Ri) Denotes a Web resource RiThe feature set of (1), TP ═ document, javascript, css }, represents three Web resource types that are significantly related to the Web page content; l (R)i)=[E(Ri)·(1-α),E(Ri)·(1+α)]Denotes a compound of formula E (R)i) And (5) constructing a ciphertext length interval after the elastic coefficient alpha is scaled.
The access behavior identification method suitable for the encrypted HTTP/2 webpage comprises the following steps that step 2, TLS flows of all connected webpages are monitored, when a plurality of concurrent requests are initiated in a certain TLS flow, the concurrent requests are blocked so that only one request can be sent at one time, and the next request is sent only after the response content of the last request is received.
The method for identifying the access behavior of the encrypted HTTP/2 webpage is implemented by acquiring a resource domain name set NL of the webpage and monitoring TLS flows of domain names in all the connection NL, wherein NL is { N (R)i)|1≤i≤N,T(Ri)∈TP},N(Ri) For a Web resource R contained in a Web pageiN is the number of Web resources contained in the Web page, T (R)i) For a Web resource R contained in a Web pageiAnd (2) Type of (TP) { document, javascript, css }, which represents three Web resource types significantly related to Web page content.
In the step 3, all response data transmitted between two adjacent requests are extracted, the response data are sent in a single request form after concurrent requests are blocked in a monitored TLS flow for accessing a website, and any two adjacent requests req are sentjAnd reqj+1All response data transmitted therebetween, treated as reqjResponsive Web resource R'jAnd extracting domain name N (R'j) And ciphertext length size l (R'j)。
In the step 3, the response data in the preset sliding time window is matched with the fingerprint characteristics, and the accessed webpage W is obtained in the preset sliding time window with the length of teb resources as attribute set RP ═ FR'jJ is more than or equal to |0 and less than or equal to N' } to match with the fingerprint features; wherein N ' is Web resource number, FR ' visited in sliding time window 'j={N(R′j),l(R′j) Denotes Web resource R'jThe attribute of (2).
In the step 3, the matching of all fingerprint features refers to matching of a Web resource attribute set RP accessed by a user and a fingerprint feature FP of a Web page within a sliding time window, and obtaining a user access Web resource set RM ═ R 'successfully matched with the fingerprint feature FP'j|N(R′j)=N(Ri),l(R′j)∈L(Ri) I is more than or equal to 1 and less than or equal to | FP |, j is more than or equal to 0 and less than or equal to N' }, wherein | FP | represents the number of characteristic Web resources in the fingerprint characteristics, namely Web resources which are the same as a certain Web resource domain name in the characteristic fingerprint and have the ciphertext length within the length interval are found out from the page Web resources accessed by the user, the number of elements in RM, namely the number of the Web resources successfully matched is recorded as | RM |, and when | RM |, the number of elements in RM is | FP |, the elements are completely matched with the fingerprint characteristics.
In the step 3, the preset sliding time window is not less than the time required for sending a single request and finishing receiving a response.
The technical effect of the invention is that the characteristics of HTTP/2 and TLS protocol are fully utilized, the transmission flow characteristic is reduced to a recognizable mode by blocking HTTP/2, the plaintext domain name attribute and the ciphertext data packet attribute in TLS flow are extracted to recognize the access behavior of the encrypted HTTP/2 webpage on the premise of not decrypting the user access flow, and the invention has higher reliability and stability.
Embodiments of the present invention will be described below with reference to the drawings.
Drawings
FIG. 1 is a flow chart of the present invention.
Detailed Description
Referring to fig. 1, the access behavior identification method suitable for encrypting the HTTP/2 webpage provided by this embodiment includes the following steps:
step 1: the method for collecting the plaintext and ciphertext flow when accessing a target encryption HTTP/2 webpage H comprises the following steps:
step 1.1: first, a traffic collection environment is constructed, and in this embodiment, the browser is set to allow the TLS session key to be derived, so that the browser can be used to decrypt collected traffic to obtain plaintext traffic data.
Step 1.2: and controlling different browsers to access the target encryption HTTP/2 webpage H at different moments by a webdriver designed automatic script to generate TLS encryption traffic. Wherein the access time point in the present embodiment is set to 15 accesses, each interval being 8 hours. And accessing by using four browsers of IE, Chrome, Firefox and Edge respectively to obtain 60 times of access data in total.
Step 1.3: the TLS encrypted traffic for access is captured using tshark and decrypted with the slave TLS session key to get the clear traffic.
Step 2: extracting the characteristics of the target webpage H from the processed traffic, wherein the characteristics comprise the following steps:
step 2.1: analyzing the collected clear text flow accessed by the webpage H to acquire each Web resource R contained in the target HTTP/2 webpageiWherein i is more than or equal to 1 and less than or equal to N, and N is the number of Web resources contained in the webpage H. The Web resources refer to contents of a plurality of HTTP requests initiated in the process of loading a webpage, and the contents are Web resources including html text, js script, jpg pictures and the like.
Step 2.2: extracting individual Web resources R from plaintext trafficiType T (R)i) Domain name N (R)i) Then finding out the corresponding Web resource ciphertext flow from the ciphertext flow, and counting the Web resource ciphertext flow lengths accessed by different browsers at different moments to obtain a ciphertext length average value E (R)i)。
And step 3: constructing fingerprint features of the webpage H, including:
step 3.1: selecting the Web resources with the types in the set TP { document, javascript, css } from the Web resources of the webpage H, taking the Web resources as fingerprint Web resources, wherein TP represents three Web resource types which are obviously related to the webpage content. These resource types are used to pick the appropriate resources to construct the feature fingerprint. Wherein document is a document type, and resources of the type are html, php, jsp, asp and the like; javascript is a scripting language type, and the resources of the type are mainly js; css is a cascading style sheet type, and the resources of this type are primarily cs. Other Web resources, such as fonts or icons, are not utilized to identify Web pages and are not resources that are significantly related to the content of the Web page.
Step 3.2: constructing feature set FR of fingerprint Web resourcei={N(Ri),L(Ri) Wherein L (R)i)=[E(Ri)·(1-α),E(Ri)·(1+α)]Denotes a compound of formula E (R)i) The ciphertext length interval constructed after the elastic coefficient α is scaled, α is set according to the stability of the network where α is located, and is set to 5% in this embodiment. Since the target webpage is identified in the scene that cannot be decrypted, the ciphertext content is not decrypted and identified, that is, only the length and the domain name of the ciphertext can be used as the feature. The length may be used to represent a resource in the target web page, and the domain name represents the website where the target web page is located.
Step 3.3: merging the feature set of each fingerprint Web resource into the fingerprint feature FP of the whole webpage H, wherein the FP is { FR }i|1<=i<=N,T(Ri)∈TP}。
Step 3.4: acquiring Web resource domain name set NL ═ { N (R) of webpage Hi)|1≤i≤N,T(Ri) E.g., TP) for identifying subsequent TLS flows that need monitoring. The domain name represents a website where a target webpage is located, and is used for determining network connection needing to be monitored in the subsequent identification process, so that the identification efficiency is improved, and the false alarm rate is reduced.
And 4, step 4: identifying and blocking HTTP/2 flow, and restoring the HTTP/2 flow into HTTP/1.1 transmission mode, including:
step 4.1: in a user network needing to identify the access behavior of the target HTTP/2 webpage, the Web resource domain name set NL of the webpage H is utilized to identify and monitor the TLS flow S which can possibly access the target webpage H.
Step 4.2: when multiple concurrent requests are initiated in the TLS stream S, it is determined that the stream is a multiplexed HTTP/2 stream.
Step 4.3: the concurrent requests in the TLS stream S are blocked to send only one request at a time, and the next concurrent request is sent if and only if the response content of the last request is received, thereby restoring the transmission mode of the HTTP/2 stream to the transmission mode of HTTP/1.1. It should be noted that the present embodiment only downgrades from the traffic transfer mode level, the transferred content is not affected, and the browser and the website still use HTTP/2 protocol for communication, because the protocol labeled in the transferred content is still HTTP/2.
And 5: identifying Web resource traffic R 'transported in TLS stream S'jAnd extracting the characteristics of the Web resources to construct a user access Web resource characteristic set, which comprises the following steps:
step 5.1: req any two adjacent TCP requests in TLS stream SjAnd reqj+1All response data transmitted therebetween, treated as reqjResponsive Web resource R'j
Step 5.2: extracting Web resources Rj'Domain name N (R'j) And ciphertext length size l ((R)'j) Wherein N (R'j) Get in clear text field of TLS handshake traffic,/((R'j) By accumulating reqjAnd reqj+1The length of all response data transmitted therebetween.
Step 5.3: if a time interval t is specified and 3s is set in this embodiment, a sliding time window with a length of t is used to obtain a feature set RP ═ FR 'of the Web resource accessed by the user'jJ is more than or equal to 0 and less than or equal to N ', wherein N' is the number of Web resources, FR 'visited in the time window'j={N(R′j),l(R′j) Denotes Web resource R'jThe characteristics of (1).
Step 6: identifying whether the access behavior of the target webpage H exists in the time window or not, wherein the identifying comprises the following steps:
step 6.1: matching a webpage Web resource attribute set RP accessed by a user with the fingerprint characteristics FP of the webpage H in each sliding time window, and acquiring a user access Web resource set RM ═ R'j|N(R′j)=N(Ri),l(R′j)∈L(Ri) I is more than or equal to 1 and less than or equal to | FP | and j is more than or equal to 0 and less than or equal to N' }, wherein | FP | represents the number of feature Web resources in the fingerprint feature. Namely, the Web resource which is the same as a certain Web resource domain name in the characteristic fingerprint and has the ciphertext length within the length interval is found out from the Web resources of the page accessed by the user.
Step 6.2: and recording the number of elements in the RM, namely the number of the successfully matched Web resources as | RM |. When the | RM | ═ FP |, that is, the characteristic fingerprint of the web page H is matched in the time window, it is considered that the user has the access behavior of the web page H, otherwise, it is considered that the user has not been identified.

Claims (10)

1. An access behavior recognition method suitable for encrypting HTTP/2 web pages is characterized by comprising the following steps:
step 1: extracting information of the encrypted HTTP/2 webpage as fingerprint characteristics of the webpage;
step 2: monitoring TLS flow of an access website, and blocking when a concurrent request exists so as to convert the concurrent request into a form of sending a next request after a single request is sent and a response is received;
and step 3: and extracting all response data transmitted between two adjacent requests, matching the response data in a preset sliding time window with the fingerprint characteristics, and if the response data is completely matched with the fingerprint characteristics, determining that a behavior of accessing the webpage exists in the time window corresponding to the corresponding request.
2. An access behavior recognition method for an encrypted HTTP/2 web page as claimed in claim 1, wherein the step 1 comprises the following processes:
step 101: the method comprises the steps that different browsers are used for accessing the same encrypted HTTP/2 webpage for multiple times at different times, and plaintext flow and ciphertext flow accessed by the webpage under various conditions are obtained;
step 102: and extracting the type, the domain name and the corresponding ciphertext length average value of each Web resource contained in the webpage from the plaintext flow and the ciphertext flow, and taking the extracted type, the domain name and the corresponding ciphertext length average value as the fingerprint characteristic of the webpage.
3. The method according to claim 2, wherein in step 101, at least 4 browsers are used to access the encrypted HTTP/2 web page at random time points with at least 10 intervals longer than 6 hours, and plaintext traffic and ciphertext traffic are obtained and formed into the data set for at least 40 accesses.
4. The method as claimed in claim 2, wherein the step 102 is to extract each Web resource R included in the Web page from plaintext traffic and ciphertext trafficiType T (R)i) Domain name N (R)i) And the corresponding ciphertext length mean value E (R)i) Wherein i is more than or equal to 1 and less than or equal to N, and N is the number of Web resources contained in the webpage; then, constructing the fingerprint characteristics of the webpage as follows: FP ═ FRi|1≤i≤N,T(Ri) E.g., TP }, where FR isi={N(Ri),L(Ri) Denotes a Web resource RiThe feature set of (1), TP ═ document, javascript, css }, represents three Web resource types that are significantly related to the Web page content; l (R)i)=[E(Ri)·(1-α),E(Ri)·(1+α)]Denotes a compound of formula E (R)i) And (5) constructing a ciphertext length interval after the elastic coefficient alpha is scaled.
5. The method as claimed in claim 1, wherein the step 2 is to monitor TLS streams of all connected web pages, block concurrent requests to send only one request at a time when multiple concurrent requests are initiated in a TLS stream, and send the next request only after receiving the response content of the previous request.
6. The method as claimed in claim 5, wherein the monitoring TLS flow of all connected web pages is performed by obtaining resource domain name set NL of web pages and monitoring domain names in all connected NLTLS stream, where NL ═ { N (R)i)|1≤i≤N,T(Ri)∈TP},N(Ri) For a Web resource R contained in a Web pageiN is the number of Web resources contained in the Web page, T (R)i) For a Web resource R contained in a Web pageiAnd (2) Type of (TP) { document, javascript, css }, which represents three Web resource types significantly related to Web page content.
7. The method as claimed in claim 1, wherein the step 3 of extracting all response data transmitted between two adjacent requests is performed in a monitored TLS stream of the visited website, after concurrent requests are blocked, the response data is transmitted as a single request, and any two adjacent requests req are transmittedjAnd reqj+1All response data transmitted therebetween, treated as reqjResponsive Web resource R'jAnd extracting domain name N (R'j) And ciphertext length size l (R'j)。
8. The method as claimed in claim 7, wherein in step 3, the response data in the preset sliding time window is matched with the fingerprint feature, and the Web resource of the accessed Web page is obtained as the attribute set RP ═ FR 'in the preset sliding time window with length t'jJ is more than or equal to |0 and less than or equal to N' } to match with the fingerprint features; wherein N ' is Web resource number, FR ' visited in sliding time window 'j={N(R′j),l(R′j) Denotes Web resource R'jThe attribute of (2).
9. The method for identifying the access behavior applicable to the encrypted HTTP/2 webpage according to claim 8, wherein the step 3 of matching all the fingerprint features means that a user-accessed webpage Web resource attribute set RP and a webpage fingerprint feature FP are matched in a sliding time window, and a user-accessed Web resource set RM successfully matched with the feature fingerprint FP is obtained={R′j|N(R′j)=N(Ri),l(R′j)∈L(Ri) I is more than or equal to 1 and less than or equal to | FP |, j is more than or equal to 0 and less than or equal to N' }, wherein | FP | represents the number of characteristic Web resources in the fingerprint characteristics, namely Web resources which are the same as a certain Web resource domain name in the characteristic fingerprint and have the ciphertext length within the length interval are found out from the page Web resources accessed by the user, the number of elements in RM, namely the number of the Web resources successfully matched is recorded as | RM |, and when | RM |, the number of elements in RM is | FP |, the elements are completely matched with the fingerprint characteristics.
10. The method as claimed in claim 1, wherein in step 3, the predetermined sliding time window is not less than the time required for sending a single request and completing receiving a response.
CN202110490616.1A 2021-05-06 2021-05-06 Access behavior identification method suitable for encrypted HTTP/2 webpage Pending CN113407880A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110490616.1A CN113407880A (en) 2021-05-06 2021-05-06 Access behavior identification method suitable for encrypted HTTP/2 webpage

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110490616.1A CN113407880A (en) 2021-05-06 2021-05-06 Access behavior identification method suitable for encrypted HTTP/2 webpage

Publications (1)

Publication Number Publication Date
CN113407880A true CN113407880A (en) 2021-09-17

Family

ID=77677972

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110490616.1A Pending CN113407880A (en) 2021-05-06 2021-05-06 Access behavior identification method suitable for encrypted HTTP/2 webpage

Country Status (1)

Country Link
CN (1) CN113407880A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102624740A (en) * 2012-03-30 2012-08-01 奇智软件(北京)有限公司 Data interaction method, client and server
CN104765884A (en) * 2015-04-30 2015-07-08 哈尔滨工业大学 Fingerprint extraction method and fingerprint identification method of HTTPS web pages
CN106302391A (en) * 2016-07-27 2017-01-04 上海华为技术有限公司 A kind of enciphered data transmission method and proxy server
CN108337259A (en) * 2018-02-01 2018-07-27 南京邮电大学 A kind of suspicious web page identification method based on HTTP request Host information
CN109831448A (en) * 2019-03-05 2019-05-31 南京理工大学 For the detection method of particular encryption web page access behavior
US20200366761A1 (en) * 2019-05-17 2020-11-19 Netflix, Inc. Fire-and-forget offload mechanism for network-based services

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102624740A (en) * 2012-03-30 2012-08-01 奇智软件(北京)有限公司 Data interaction method, client and server
CN104765884A (en) * 2015-04-30 2015-07-08 哈尔滨工业大学 Fingerprint extraction method and fingerprint identification method of HTTPS web pages
CN106302391A (en) * 2016-07-27 2017-01-04 上海华为技术有限公司 A kind of enciphered data transmission method and proxy server
CN108337259A (en) * 2018-02-01 2018-07-27 南京邮电大学 A kind of suspicious web page identification method based on HTTP request Host information
CN109831448A (en) * 2019-03-05 2019-05-31 南京理工大学 For the detection method of particular encryption web page access behavior
US20200366761A1 (en) * 2019-05-17 2020-11-19 Netflix, Inc. Fire-and-forget offload mechanism for network-based services

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
吴阳波等: "基于Nginx与Http2.0技术的web服务器性能优化研究", 《新余学院学报》, no. 04, 10 August 2017 (2017-08-10) *
晓涵: "HTTP协议揭秘", 《计算机与网络》, 12 February 2017 (2017-02-12), pages 64 - 71 *
石健等: "加密HTTP/2流中网页对象的识别研究", 《电脑知识与技术》, no. 20, 15 July 2018 (2018-07-15) *

Similar Documents

Publication Publication Date Title
US9307036B2 (en) Web access using cross-domain cookies
EP3144839A1 (en) Detection device, detection method and detection program
CN107577729B (en) Webpage data evidence obtaining method and system based on two channels
US10972496B2 (en) Upload interface identification method, identification server and system, and storage medium
CN103179132A (en) Method and device for detecting and defending CC (challenge collapsar)
CN103455600B (en) A kind of video URL grasping means, device and server apparatus
JP2008532398A (en) Method and system for mapping encrypted HTTPS network packets to specific URL names and other data without decryption outside the secure web server (mapping)
CN107612926B (en) One-sentence speech WebShell interception method based on client recognition
CN109831448A (en) For the detection method of particular encryption web page access behavior
EP3101580A1 (en) Website information extraction device, system, website information extraction method, and website information extraction program
CN109257393A (en) XSS attack defence method and device based on machine learning
CN113407886A (en) Network crime platform identification method, system, device and computer storage medium
Nguyen et al. Detection of DoH Tunneling using Semi-supervised Learning method
CN112187774B (en) Encrypted data length reduction method based on HTTP/2 transmission characteristics
CN113407880A (en) Access behavior identification method suitable for encrypted HTTP/2 webpage
Kamal et al. Vulnerability of virtual private networks to web fingerprinting attack
CN110363023B (en) Anonymous network tracing method based on PHMM
CN110602059A (en) Method for accurately restoring clear text length fingerprint of TLS protocol encrypted transmission data
US20140019575A1 (en) Maintaining Client-Side Persistent Data using Caching
Wu et al. Inferring adu combinations from encrypted quic stream
Yamada et al. Robust identification of browser fingerprint comparison using edit distance
Wang et al. Towards comprehensive analysis of tor hidden service access behavior identification under obfs4 scenario
CN114205151A (en) HTTP/2 page access flow identification method based on multi-feature fusion learning
CN103095529A (en) Method and device for detecting engine device, firewall and network transmission file
Limmer et al. Dialog-based payload aggregation for intrusion detection

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210917

RJ01 Rejection of invention patent application after publication