CN113810336A - Data message encryption determination method and device and computer equipment - Google Patents

Data message encryption determination method and device and computer equipment Download PDF

Info

Publication number
CN113810336A
CN113810336A CN202010533234.8A CN202010533234A CN113810336A CN 113810336 A CN113810336 A CN 113810336A CN 202010533234 A CN202010533234 A CN 202010533234A CN 113810336 A CN113810336 A CN 113810336A
Authority
CN
China
Prior art keywords
array
data
messages
encrypted
information entropy
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010533234.8A
Other languages
Chinese (zh)
Inventor
王方立
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Winicssec Technologies Co Ltd
Original Assignee
Beijing Winicssec Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Winicssec Technologies Co Ltd filed Critical Beijing Winicssec Technologies Co Ltd
Priority to CN202010533234.8A priority Critical patent/CN113810336A/en
Publication of CN113810336A publication Critical patent/CN113810336A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433Vulnerability analysis

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a data message encryption determination method, a data message encryption determination device and computer equipment, wherein the method comprises the following steps: acquiring a plurality of messages transmitted by the tested equipment; sequentially extracting data of the nth unit of the plurality of messages according to a preset unit to form N number groups, wherein the value of N is determined according to the message with the minimum length, and the value range of N is 1-N; respectively calculating the information entropy of each array according to the message data in each array; and determining whether the plurality of messages are encrypted according to the information entropy of each array. The method utilizes the randomness principle of encrypted messages to judge whether the data messages are encrypted, and because the encrypted messages have strong data randomness, after the encrypted messages are aligned in the longitudinal direction, the information entropy of an array obtained by cutting in the longitudinal direction is very large, while the encrypted messages do not have the information entropy of an array obtained by cutting in the longitudinal direction after the encrypted messages are aligned in the longitudinal direction, the information entropy of the array obtained by cutting in the longitudinal direction is very small, and through the characteristic, whether the encrypted messages are encrypted or not can be simply and quickly determined.

Description

Data message encryption determination method and device and computer equipment
Technical Field
The invention relates to the technical field of industrial control, in particular to a data message encryption determination method, a data message encryption determination device and computer equipment.
Background
At present, with the continuous cross fusion of industrialization and informatization processes, more and more information technologies are applied to the industrial field. Meanwhile, as the industrial control system widely adopts general software and hardware and network facilities and is integrated with an enterprise management information system, the industrial control system is more and more open and generates data exchange with an enterprise intranet or even the internet, and therefore, in order to guarantee the safe and stable operation of the industrial control equipment, industrial control vulnerability mining is started for the industrial control equipment so as to detect whether the industrial control equipment is vulnerable or not.
Aiming at the vulnerability mining technology of the industrial control equipment, the relatively authoritative Achilles test method of Wurldtech is mainly used for carrying out vulnerability mining on the industrial control protocol of the industrial control equipment. At present, vulnerability mining methods performed on industrial control protocols of industrial control equipment are classified into generation-based and variation-based methods, wherein a variation-based method is performed after packet capture analysis is performed under normal flow, but the variation-based method is not applicable to encrypted messages, and when the existing vulnerability mining technology is used for testing the messages, mining processing is still performed on the encrypted messages, so that processing resources are wasted, and the overall mining testing efficiency is influenced.
Disclosure of Invention
In view of this, in order to overcome the defects that the existing vulnerability mining method based on variation cannot screen whether a message is encrypted or not, so that the vulnerability mining process still mines the encrypted message, thereby wasting processing resources and affecting the overall mining test efficiency, embodiments of the present invention provide a data message encryption determination method, apparatus, and computer device.
According to a first aspect, an embodiment of the present invention provides a data message encryption determination method, including: acquiring a plurality of messages transmitted by the tested equipment; sequentially extracting data of the nth unit of the plurality of messages according to a preset unit to form N number groups, wherein the value of N is determined according to the message with the minimum length, and the value range of N is 1-N; respectively calculating the information entropy of each array according to the message data in each array; and determining whether the plurality of messages are encrypted according to the information entropy of each array.
Optionally, the step of calculating the information entropy of each array according to the message data in each array includes: counting the probability of data occurrence of each unit in each array; and respectively calculating the information entropy of each array according to the probability.
Optionally, the information entropy of each array is calculated by the following formula:
H(x)=-∑P(xi)log(2,P(xi))(i=1,2,..N),
wherein, h (x) is the information entropy of the array, p (xi) is the probability of the data of the unit xi in the array, the value range of xi is 1-M, M is the size of the array, and N is the total number of unit data of the message with the minimum length.
Optionally, determining whether the multiple packets are encrypted according to the information entropy of each array includes: judging whether the information entropy of each array is larger than a preset threshold value; and if the information entropy of each array is larger than a preset threshold value, determining that the plurality of messages are encrypted.
Optionally, if the information entropies of the arrays are not all greater than the preset threshold, determining that the multiple messages are not encrypted.
According to a second aspect, an embodiment of the present invention provides a data message encryption determination apparatus, including: the acquisition module is used for acquiring a plurality of messages transmitted by the tested equipment; the extraction module is used for sequentially extracting the data of the nth unit of the plurality of messages according to a preset unit to form N number groups, the value of N is determined according to the message with the minimum length, and the value range of N is 1-N; the calculation module is used for respectively calculating the information entropy of each array according to the message data in each array; and the determining module is used for determining whether the plurality of messages are encrypted according to the information entropy of each array.
Optionally, the computing module comprises: the statistic submodule is used for counting the probability of data occurrence of each unit in each array; and the calculating submodule is used for respectively calculating the information entropy of each array according to the probability.
Optionally, the determining module includes: the judgment submodule is used for judging whether the information entropy of each array is larger than a preset threshold value; and the determining submodule is used for determining that the plurality of messages are encrypted if the information entropy of each array is greater than a preset threshold value.
According to a third aspect, an embodiment of the present invention provides a computing device, including: at least one processor; and a memory communicatively coupled to the at least one processor; the memory stores instructions executable by a processor, and the instructions are executed by at least one processor to cause the at least one processor to execute the method for determining encryption of data packets according to the first aspect or any embodiment of the first aspect.
According to a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium, where computer instructions are stored, and the computer instructions are configured to cause a computer to execute the data packet encryption determination method in the first aspect or any implementation manner of the first aspect.
According to the data message encryption determination method, the data message encryption determination device and the computer equipment, a plurality of messages transmitted by the tested equipment are obtained; sequentially extracting data of the nth unit of the plurality of messages according to a preset unit to form N number groups, wherein the value of N is determined according to the message with the minimum length, and the value range of N is 1-N; respectively calculating the information entropy of each array according to the message data in each array; the method determines whether a plurality of messages are encrypted according to the information entropy of each array, judges whether the data messages are encrypted by utilizing the randomness principle of the encrypted messages, and has strong randomness of data, so that the information entropy of the arrays obtained by cutting in the longitudinal direction is very large after the plurality of encrypted messages are aligned in the longitudinal direction, but the plurality of messages without encryption have fixed meanings in each field, so that the value range is limited, the information entropy of the arrays obtained by cutting in the longitudinal direction is very small after the plurality of encrypted messages are aligned in the longitudinal direction, and by the characteristics, whether the plurality of messages are encrypted can be simply and quickly determined, so that the encrypted messages can be screened, thereby solving the problem that the existing vulnerability mining method based on variation can not screen whether the messages are encrypted or not, and leading the vulnerability mining process to still mine the encrypted messages, thereby causing the problems of resource waste and influencing the whole excavation test efficiency.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 shows a flowchart of a data packet encryption determination method according to an embodiment of the present invention;
FIG. 2 is a diagram illustrating the process of calculating information entropy according to an embodiment of the present invention;
fig. 3 is a schematic diagram illustrating a determination that multiple messages are encrypted according to an embodiment of the present invention;
fig. 4 is a schematic diagram illustrating a determination that a plurality of messages are not encrypted according to an embodiment of the present invention;
fig. 5 is a block diagram showing a structure of a data packet encryption determination apparatus according to an embodiment of the present invention;
FIG. 6 shows a block diagram of the hardware of the computer device of an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
An embodiment of the present invention provides a data message encryption determination method, as shown in fig. 1, including:
s101, acquiring a plurality of messages transmitted by the tested equipment; specifically, one end of the testing device can be connected with the tested equipment, the other end of the testing device is connected with the upper computer, the testing device is used for obtaining a data stream sent to the tested equipment by the upper computer to obtain messages, and one data stream comprises a plurality of messages. The number M of the specifically acquired messages is related to the number of bits of the data of the messages participating in the operation, and the relational expression is as follows: m < 2BAnd B is the bit number of the message data participating in calculation. For example, when calculating in single byte numbers, M is less than 28(28256) when calculated in double-byte numbers, M is less than 216(21665536). In the embodiment of the present invention, M < 256 is taken as an example for illustration, but the invention is not limited thereto, and the value of M is also within the protection scope of the present patent applicationInside the enclosure.
S102, sequentially extracting data of the nth unit of a plurality of messages according to a preset unit to form N number groups, wherein the value of N is determined according to the message with the minimum length, and the value range of N is 1-N; specifically, the preset unit may be a byte, a double byte, or the like. In the embodiment of the present invention, a byte is taken as an example for explanation. As shown in fig. 2, in the embodiment of the present invention, the nth bytes of a plurality of messages are sequentially extracted in units of bytes and stored in an array, so that N arrays are formed in total. The value range of N is 1-N, N is the total number of bytes of the message with the minimum length, and the size of each group of arrays is M.
S103, respectively calculating the information entropy of each array according to the message data in each array; specifically, as shown in fig. 2, the information entropy of each array may be calculated according to the probability of occurrence of each packet data in each array, and the information entropy of each array may be stored as an entropy array.
And S104, determining whether the plurality of messages are encrypted according to the information entropy of each array. Specifically, the encrypted messages have strong data randomness, so that after the encrypted messages are aligned in the longitudinal direction, the information entropy of the array obtained by cutting in the longitudinal direction is very large, while the unencrypted messages have no fixed meaning in each field, so that the value range is limited, and after the encrypted messages are aligned in the longitudinal direction, the information entropy of the array obtained by cutting in the longitudinal direction is very small, so that whether the messages are encrypted can be determined through the characteristic.
The data message encryption determination method provided by the embodiment of the invention obtains a plurality of messages transmitted by the tested equipment; sequentially extracting data of the nth unit of the plurality of messages according to a preset unit to form N number groups, wherein the value of N is determined according to the message with the minimum length, and the value range of N is 1-N; respectively calculating the information entropy of each array according to the message data in each array; the method determines whether a plurality of messages are encrypted according to the information entropy of each array, judges whether the data messages are encrypted by utilizing the randomness principle of the encrypted messages, and has strong randomness of data, so that the information entropy of the arrays obtained by cutting in the longitudinal direction is very large after the plurality of encrypted messages are aligned in the longitudinal direction, but the plurality of messages without encryption have fixed meanings in each field, so that the value range is limited, the information entropy of the arrays obtained by cutting in the longitudinal direction is very small after the plurality of encrypted messages are aligned in the longitudinal direction, and by the characteristics, whether the plurality of messages are encrypted can be simply and quickly determined, so that the encrypted messages can be screened, thereby solving the problem that the existing vulnerability mining method based on variation can not screen whether the messages are encrypted or not, and leading the vulnerability mining process to still mine the encrypted messages, thereby causing the problems of resource waste and influencing the whole excavation test efficiency.
In an alternative embodiment, step S103, respectively calculating the information entropy of each array according to the packet data in each array, includes: counting the probability of data occurrence of each unit in each array; and respectively calculating the information entropy of each array according to the probability. Specifically, probability statistics is carried out on each byte data in each array, and the probability P (xi) of each byte data appearing in the corresponding array is counted, wherein the value range of xi is 1-M. And then, calculating the information entropy of each array according to the calculated probability of each byte data of each array and an information entropy calculation formula.
In an alternative embodiment, the information entropy of each array is calculated by the following formula:
H(x)=-∑P(xi)log(2,P(xi))(i=1,2,..N),
wherein, h (x) is the information entropy of the array, p (xi) is the probability of the data of the unit xi in the array, the value range of xi is 1-M, M is the size of the array, and N is the total number of unit data of the message with the minimum length.
In an alternative embodiment, step S104, determining whether multiple packets are encrypted according to the information entropy of each array includes: judging whether the information entropy of each array is larger than a preset threshold value; and if the information entropy of each array is larger than a preset threshold value, determining that the plurality of messages are encrypted. And if the information entropies of the arrays are not all larger than the preset threshold value, determining that the plurality of messages are not encrypted. Specifically, as shown in fig. 3 to 4, an entropy threshold K may be set, and when the values of all data in the entropy array are greater than K, it is determined that the data of the multiple packets are encrypted, otherwise, the packets are unencrypted.
An embodiment of the present invention further provides a data message encryption determining apparatus, as shown in fig. 5, including:
the acquiring module 21 is configured to acquire multiple messages transmitted by the device under test; the detailed description of the specific implementation manner is given in step S101 in the above method embodiment, and is not repeated here.
The extracting module 22 is configured to sequentially extract data of an nth unit of the multiple messages according to a preset unit to form N number groups, a value of N is determined according to a message with a minimum length, and a value range of N is 1-N; the detailed description of the specific implementation manner is given in step S102 in the above method embodiment, and is not repeated here.
The calculation module 23 is configured to calculate the information entropy of each array according to the message data in each array; the detailed implementation manner is described in step S103 in the above method embodiment, and is not described herein again.
And the determining module 24 is configured to determine whether the multiple messages are encrypted according to the information entropy of each array. The detailed description of the specific implementation manner is given in step S104 in the above method embodiment, and is not repeated here.
The data message encryption determination device provided by the embodiment of the invention obtains a plurality of messages transmitted by the tested equipment; sequentially extracting data of the nth unit of the plurality of messages according to a preset unit to form N number groups, wherein the value of N is determined according to the message with the minimum length, and the value range of N is 1-N; respectively calculating the information entropy of each array according to the message data in each array; the method determines whether a plurality of messages are encrypted according to the information entropy of each array, judges whether the data messages are encrypted by utilizing the randomness principle of the encrypted messages, and has strong randomness of data, so that the information entropy of the arrays obtained by cutting in the longitudinal direction is very large after the plurality of encrypted messages are aligned in the longitudinal direction, but the plurality of messages without encryption have fixed meanings in each field, so that the value range is limited, the information entropy of the arrays obtained by cutting in the longitudinal direction is very small after the plurality of encrypted messages are aligned in the longitudinal direction, and by the characteristics, whether the plurality of messages are encrypted can be simply and quickly determined, so that the encrypted messages can be screened, thereby solving the problem that the existing vulnerability mining method based on variation can not screen whether the messages are encrypted or not, and leading the vulnerability mining process to still mine the encrypted messages, thereby causing the problems of resource waste and influencing the whole excavation test efficiency.
In an alternative embodiment, the calculation module 23 includes: the statistic submodule is used for counting the probability of data occurrence of each unit in each array; and the calculating submodule is used for respectively calculating the information entropy of each array according to the probability.
In an alternative embodiment, the determination module 24 includes: the judgment submodule is used for judging whether the information entropy of each array is larger than a preset threshold value; and the determining submodule is used for determining that the plurality of messages are encrypted if the information entropy of each array is greater than a preset threshold value.
An embodiment of the present invention further provides a computing device, as shown in fig. 6, including: at least one processor 31; and a memory 32 communicatively coupled to the at least one processor; fig. 6 illustrates an example of connection via a bus.
The processor 31 may be a Central Processing Unit (CPU). The Processor 31 may also be other general purpose processors, Digital Signal Processors (DSPs), Application Specific Integrated Circuits (ASICs), Field Programmable Gate Arrays (FPGAs) or other Programmable logic devices, discrete Gate or transistor logic devices, discrete hardware components, or combinations thereof.
The memory 32 is a non-transitory computer readable storage medium, and can be used to store non-transitory software programs, non-transitory computer executable programs, and modules, such as program instructions/modules corresponding to the data packet encryption determination method in the embodiment of the present invention. The processor 31 executes various functional applications and data processing of the processor by running the non-transitory software program, instructions and modules stored in the memory 32, that is, implements the data packet encryption determination method in the above method embodiment.
The memory 32 may include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created by the processor 31, and the like. Further, the memory 32 may include high speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, the memory 32 may optionally include memory located remotely from the processor 31, and these remote memories may be connected to the processor 31 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
One or more of the modules described above are stored in the memory 32 and, when executed by the processor 31, perform the data packet encryption decision method in the embodiment shown in fig. 1.
The details of the computer device can be understood with reference to the corresponding related descriptions and effects in the embodiment shown in fig. 1, and are not described herein again.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. The storage medium may be a magnetic Disk, an optical Disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a Flash Memory (Flash Memory), a Hard Disk (Hard Disk Drive, abbreviated as HDD) or a Solid State Drive (SSD), etc.; the storage medium may also comprise a combination of memories of the kind described above.
Although the embodiments of the present invention have been described in conjunction with the accompanying drawings, those skilled in the art may make various modifications and variations without departing from the spirit and scope of the invention, and such modifications and variations fall within the scope defined by the appended claims.

Claims (10)

1. A method for determining encryption of a data message, comprising:
acquiring a plurality of messages transmitted by the tested equipment;
sequentially extracting data of the nth unit of the plurality of messages according to a preset unit to form N number groups, wherein the value of N is determined according to the message with the minimum length, and the value range of N is 1-N;
respectively calculating the information entropy of each array according to the message data in each array;
and determining whether the plurality of messages are encrypted according to the information entropy of each array.
2. The method for determining encryption of data packets according to claim 1, wherein said calculating the entropy of each array according to the packet data in each array comprises:
counting the probability of data occurrence of each unit in each array;
and respectively calculating the information entropy of each array according to the probability.
3. The method according to claim 2, wherein the entropy of each array is calculated by the following formula:
H(x)=-∑P(xi)log(2,P(xi))(i=1,2,..N)
wherein, h (x) is the information entropy of the array, p (xi) is the probability of the data of the unit xi in the array, the value range of xi is 1-M, M is the size of the array, and N is the total number of unit data of the message with the minimum length.
4. The method for determining encryption of data packets according to any one of claims 1 to 3, wherein the determining whether the plurality of packets are encrypted according to the entropy of the information of each array includes:
judging whether the information entropy of each array is larger than a preset threshold value;
and if the information entropy of each array is larger than a preset threshold value, determining that the plurality of messages are encrypted.
5. The method of claim 4, wherein the message encryption decision is performed,
and if the information entropies of the arrays are not all larger than a preset threshold value, determining that the messages are not encrypted.
6. A data message encryption decision device, comprising:
the acquisition module is used for acquiring a plurality of messages transmitted by the tested equipment;
the extraction module is used for sequentially extracting the data of the nth unit of the plurality of messages according to a preset unit to form N number groups, the value of N is determined according to the message with the minimum length, and the value range of N is 1-N;
the calculation module is used for respectively calculating the information entropy of each array according to the message data in each array;
and the determining module is used for determining whether the plurality of messages are encrypted according to the information entropy of each array.
7. The apparatus for determining encryption of data packets according to claim 6, wherein the computing module comprises:
the statistic submodule is used for counting the probability of data occurrence of each unit in each array;
and the calculating submodule is used for respectively calculating the information entropy of each array according to the probability.
8. The apparatus for determining encryption of data packets according to claim 6, wherein the determining module comprises:
the judgment submodule is used for judging whether the information entropy of each array is larger than a preset threshold value;
and the determining submodule is used for determining that the plurality of messages are encrypted if the information entropy of each array is larger than a preset threshold value.
9. A computing device, comprising:
at least one processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores instructions executable by the at least one processor to cause the at least one processor to perform the method of data packet encryption determination of any one of claims 1-5.
10. A computer-readable storage medium storing computer instructions for causing a computer to execute the data packet encryption decision method according to any one of claims 1 to 5.
CN202010533234.8A 2020-06-11 2020-06-11 Data message encryption determination method and device and computer equipment Pending CN113810336A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010533234.8A CN113810336A (en) 2020-06-11 2020-06-11 Data message encryption determination method and device and computer equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010533234.8A CN113810336A (en) 2020-06-11 2020-06-11 Data message encryption determination method and device and computer equipment

Publications (1)

Publication Number Publication Date
CN113810336A true CN113810336A (en) 2021-12-17

Family

ID=78943886

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010533234.8A Pending CN113810336A (en) 2020-06-11 2020-06-11 Data message encryption determination method and device and computer equipment

Country Status (1)

Country Link
CN (1) CN113810336A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115174451A (en) * 2022-07-19 2022-10-11 中国工商银行股份有限公司 Message encryption detection method, device, equipment, storage medium and program product

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105430021A (en) * 2015-12-31 2016-03-23 中国人民解放军国防科学技术大学 Encrypted traffic identification method based on load adjacent probability model
CN105721242A (en) * 2016-01-26 2016-06-29 国家信息技术安全研究中心 Information entropy-based encrypted traffic identification method
CN108171060A (en) * 2017-12-29 2018-06-15 哈尔滨安天科技股份有限公司 Method, system and the storage medium of encryption deformation script are identified based on comentropy

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105430021A (en) * 2015-12-31 2016-03-23 中国人民解放军国防科学技术大学 Encrypted traffic identification method based on load adjacent probability model
CN105721242A (en) * 2016-01-26 2016-06-29 国家信息技术安全研究中心 Information entropy-based encrypted traffic identification method
CN108171060A (en) * 2017-12-29 2018-06-15 哈尔滨安天科技股份有限公司 Method, system and the storage medium of encryption deformation script are identified based on comentropy

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
赵博等: "基于加权累积和检验的加密流量盲识别算法", 《软件学报》 *
陈利等: "基于信息熵的加密会话检测方法", 《计算机科学》 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115174451A (en) * 2022-07-19 2022-10-11 中国工商银行股份有限公司 Message encryption detection method, device, equipment, storage medium and program product
CN115174451B (en) * 2022-07-19 2024-02-27 中国工商银行股份有限公司 Message encryption detection method, device, equipment and storage medium

Similar Documents

Publication Publication Date Title
CN112003870B (en) Network encryption traffic identification method and device based on deep learning
US10652265B2 (en) Method and apparatus for network forensics compression and storage
US11546372B2 (en) Method, system, and apparatus for monitoring network traffic and generating summary
CN109257390B (en) CC attack detection method and device and electronic equipment
US11706114B2 (en) Network flow measurement method, network measurement device, and control plane device
CN112839017B (en) Network attack detection method and device, equipment and storage medium thereof
CN112165484B (en) Network encryption traffic identification method and device based on deep learning and side channel analysis
CN110808994A (en) Method and device for detecting brute force cracking operation and server
CN106330611A (en) Anonymous protocol classification method based on statistical feature classification
CN113114671A (en) Cloud data security identification and classification method
US20160205118A1 (en) Cyber black box system and method thereof
Zhang et al. RTMA: Real time mining algorithm for multi-step attack scenarios reconstruction
CN111324809A (en) Hotspot information monitoring method, device and system
CN113810336A (en) Data message encryption determination method and device and computer equipment
CN113806204B (en) Method, device, system and storage medium for evaluating message segment correlation
CN112104628A (en) Adaptive feature rule matching real-time malicious flow detection method
CN111885034A (en) Internet of things attack event tracking method and device and computer equipment
CN109361658B (en) Industrial control industry-based abnormal flow information storage method and device and electronic equipment
Han et al. A DDoS attack detection system based on spark framework
CN111080362A (en) Advertisement monitoring system and method
CN113810332B (en) Encrypted data message judging method and device and computer equipment
CN104796421A (en) Multimedia network intrusion detecting method
CN114186637A (en) Traffic identification method, traffic identification device, server and storage medium
CN110225025B (en) Method and device for acquiring abnormal network data behavior model, electronic equipment and storage medium
CN111639277A (en) Automated extraction method of machine learning sample set and computer-readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination