CN114363073A - TLS encrypted traffic analysis method and device, terminal device and storage medium - Google Patents

Publication number: CN114363073A
Application number: CN202210017255.3A
Authority: CN (China)
Original language: Chinese (zh)
Legal status: Pending
Inventors: 陆勰, 徐雷, 张曼君, 王姗姗, 谢泽铖
Assignee (original and current): China United Network Communications Group Co Ltd

Abstract

The disclosure provides a security transport protocol TLS encrypted traffic analysis method, a security transport protocol TLS encrypted traffic analysis device, a terminal device and a computer readable storage medium, which are used for at least solving the problems that the subdivision granularity in a certificate authentication process is coarse, and the encrypted traffic safety and high-efficiency analysis of different services are difficult to meet simultaneously. The method comprises the following steps: in a TLS handshaking stage of TLS encrypted traffic, judging whether a service corresponding to the TLS encrypted traffic is a first type service; if the service is the first type service, verifying the certificate security from the client to the server to obtain a first certificate verification result, and verifying the certificate security from the server to the client to obtain a second certificate verification result; analyzing whether the TLS encrypted traffic is malicious traffic based on the first certificate verification result and the second certificate verification result. According to the method and the device, the service type of TLS encrypted flow is judged, and bidirectional verification is adopted only when the first service type is adopted, so that the high-efficiency analysis of the service is met while the certificate authentication security is guaranteed.

Description

TLS encrypted traffic analysis method and device, terminal device and storage medium
Technical Field
The present disclosure relates to the field of information security technologies, and in particular, to a method for analyzing a security transport protocol TLS encrypted traffic, a system for analyzing a security transport protocol TLS encrypted traffic, a terminal device, and a computer-readable storage medium.
Background
Data transmission is preceded by a Transport Layer Security (TLS) handshake phase whose messages are not encrypted, so this phase is the key stage for identifying malicious traffic, and certificate identification and analysis play the central role in it: by comparing the characteristics of legitimate certificates with those of malicious certificates, a malicious certificate can be recognized quickly, the traffic can then be judged malicious and analyzed, and protective measures can be taken. However, for certificate authentication in the handshake phase, current TLS encrypted traffic analysis schemes adopt either two-way or one-way certificate verification for all traffic alike; the subdivision granularity is coarse, so it is difficult to satisfy both security and efficient detection for the encrypted traffic of different services at the same time.
Disclosure of Invention
The present disclosure provides a security transport protocol TLS encrypted traffic analysis method, apparatus, terminal device and computer readable storage medium, so as to at least solve the problems in the prior art that the granularity of certificate authentication process subdivision is relatively coarse, and it is difficult to satisfy the encrypted traffic security and high-efficiency analysis of different services at the same time.
In order to achieve the above object, the present disclosure provides a method for analyzing an encrypted traffic of a security transport protocol TLS, including:
in a TLS handshaking stage of TLS encrypted traffic, judging whether a service corresponding to the TLS encrypted traffic is a first type service;
if the service is the first type service, verifying the certificate security from the client to the server to obtain a first certificate verification result, and verifying the certificate security from the server to the client to obtain a second certificate verification result;
and analyzing whether the TLS encrypted traffic is malicious traffic or not based on the first certificate verification result and the second certificate verification result.
In an embodiment, before determining whether the service corresponding to the TLS encrypted traffic is the first type service, the method further includes:
and dividing the service into a first type service and a second type service according to the importance degree of the service.
In an embodiment, after determining whether the service corresponding to the TLS encrypted traffic is a first type service, and before verifying the security of the certificate from the client to the server to obtain a first certificate verification result, and verifying the security of the certificate from the server to the client to obtain a second certificate verification result, the method further includes:
if the service is the first type service, a bidirectional certificate authentication container is established;
the verifying the security of the certificate from the client to the server to obtain a first certificate verification result, and verifying the security of the certificate from the server to the client to obtain a second certificate verification result, comprising:
and verifying the certificate security from the client to the server in the two-way certificate authentication container to obtain a first certificate verification result, and verifying the certificate security from the server to the client in the two-way certificate authentication container to obtain a second certificate verification result.
In an embodiment, after determining whether the service corresponding to the TLS encrypted traffic is the first type service, the method further includes:
if the service is not the first type service, judging whether the service corresponding to the TLS encrypted traffic is the second type service;
if the service is the second type service, verifying the certificate security from the server side to the client side to obtain a third certificate verification result;
analyzing whether the TLS encrypted traffic is malicious traffic based on the third certificate verification result.
In an embodiment, after determining whether the service corresponding to the TLS encrypted traffic is the second type service, and before verifying the security of the certificate from the server to the client, and obtaining a third certificate verification result, the method further includes:
if the service is the second type service, a one-way certificate authentication container is established;
the verifying the security of the certificate from the server side to the client side to obtain a third certificate verification result comprises the following steps:
and verifying the security of the certificate from the server side to the client side in the one-way certificate authentication container to obtain a third certificate verification result.
In one embodiment, after analyzing whether the TLS encrypted traffic is malicious traffic based on the first certificate verification result and the second certificate verification result, the method further includes:
if the TLS encrypted traffic is not malicious traffic, establishing TLS session connection between the server and the client;
storing the session ID and session key of the client to which the TLS session is connected in the server.
In one embodiment, the method further comprises:
establishing a reconnection server end;
in the TLS session connection stage, continuously monitoring whether session interruption occurs between a server side and a client side;
and if the session is interrupted, synchronizing the session ID and the session key stored by the server to the reconnection server so that the reconnection server reestablishes the TLS session connection with the client based on the session ID and the session key.
In order to achieve the above object, the present disclosure further provides a security transport protocol TLS encrypted traffic analyzing apparatus, including:
the first judgment module is arranged for judging whether the service corresponding to the TLS encrypted flow is a first type service or not in the TLS handshake stage of the TLS encrypted flow;
the first verification module is arranged for verifying the certificate security from the client to the server to obtain a first certificate verification result and verifying the certificate security from the server to the client to obtain a second certificate verification result when the first judgment module judges that the service is the first type service;
an analysis module configured to analyze whether the TLS encrypted traffic is malicious traffic based on the first and second certificate verification results.
In order to achieve the above object, the present disclosure further provides a terminal device, including a memory and a processor, where the memory stores a computer program, and when the processor runs the computer program stored in the memory, the processor executes the TLS encrypted traffic analysis method.
To achieve the above object, the present disclosure also provides a computer-readable storage medium, on which a computer program is stored, and when the computer program is executed by a processor, the processor executes the secure transport protocol TLS encrypted traffic analysis method.
According to the TLS encrypted traffic analysis method provided by the disclosure, in the TLS handshake stage of the TLS encrypted traffic it is judged whether the service corresponding to the traffic is a first type service; if so, the certificate security from the client to the server is verified to obtain a first certificate verification result and the certificate security from the server to the client is verified to obtain a second certificate verification result, and whether the TLS encrypted traffic is malicious is analyzed based on both results. Because the service type of the TLS encrypted traffic is judged and bidirectional verification is adopted only for the first service type, the granularity of certificate authentication is finer than in the prior art: the certificate authentication requirements of different services can be met, the security of the services is guaranteed, and the services are analyzed efficiently at the same time.
Additional features and advantages of the disclosure will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the disclosure. The objectives and other advantages of the disclosure may be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
The accompanying drawings are included to provide a further understanding of the disclosed embodiments and are incorporated in and constitute a part of this specification, illustrate embodiments of the disclosure and together with the example serve to explain the principles of the disclosure and not to limit the disclosure.
Fig. 1 is a schematic flowchart of a method for analyzing an encrypted traffic of a security transport protocol TLS according to an embodiment of the present disclosure;
fig. 2 is a schematic flowchart of a method for analyzing an encrypted traffic of a security transport protocol TLS according to a second embodiment of the present disclosure;
fig. 3 is a schematic flowchart of a method for analyzing an encrypted traffic of a security transport protocol TLS according to a third embodiment of the present disclosure;
fig. 4 is a schematic flowchart of a method for analyzing an encrypted traffic of a security transport protocol TLS according to a fourth embodiment of the present disclosure;
fig. 5 is a schematic flowchart of a method for analyzing an encrypted traffic of a security transport protocol TLS according to a fifth embodiment of the present disclosure;
fig. 6 is a schematic flowchart of a method for analyzing an encrypted traffic of a security transport protocol TLS according to a sixth embodiment of the present disclosure;
fig. 7 is a second schematic flowchart of a method for analyzing an encrypted traffic of a security transport protocol TLS according to a sixth embodiment of the present disclosure;
fig. 8 is a schematic structural diagram of an apparatus for analyzing encrypted traffic of a security transport protocol TLS according to an embodiment of the present disclosure;
fig. 9 is a schematic structural diagram of a terminal device according to an embodiment of the present disclosure.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present disclosure more apparent, specific embodiments of the present disclosure are described below in detail with reference to the accompanying drawings. It should be understood that the detailed description and specific examples, while indicating the present disclosure, are given by way of illustration and explanation only, not limitation.
It should be noted that the terms "first," "second," and the like in the description and claims of the present disclosure and in the above-described drawings are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order; also, the embodiments and features of the embodiments in the present disclosure may be arbitrarily combined with each other without conflict.
In the following description, suffixes such as "module", "component", or "unit" used to denote elements are used only for the convenience of explanation of the present disclosure, and have no specific meaning in themselves. Thus, "module", "component" or "unit" may be used mixedly.
Encrypted traffic detection and analysis has long been a hotspot and a difficult point of network security research, with the emphasis on identifying malicious traffic inside encrypted traffic without decrypting it, so as to improve network security capability. Under the influence of the COVID-19 epidemic in particular, working from home and online meetings have become mainstream and encrypted traffic has expanded rapidly; at the same time, attackers hide malicious code, viruses and the like inside encrypted transmissions in an attempt to evade firewalls and detection by security equipment such as intrusion detection systems.
Among encrypted traffic, TLS encrypted traffic accounts for the highest proportion. The technical means currently adopted for its detection and analysis mainly comprise analysis based on single-dimensional features, machine learning, deep learning, multi-dimensional features and the like. Among single-dimensional features, certificate identification is the most typical and the most convenient and efficient, because in the current TLS 1.2 version (the TLS referred to in this disclosure is version 1.2) a TLS handshake stage is required before data transmission and the information exchanged in the handshake stage is not encrypted; this stage is therefore the key stage for identifying malicious traffic, certificate identification and analysis occupy an important position in it, and a malicious certificate can be quickly recognized by comparing the characteristics of legitimate and malicious certificates, after which the malicious traffic is judged, analyzed and acted upon. Malicious certificates are usually self-signed, and their validity period is longer than usual. The certificate is therefore an important single-dimensional feature for malicious traffic detection and identification, and certificate verification admits fine-grained division. If certificate features can be distinguished at fine granularity, this is of important value for guaranteeing the reliability and security of services.
In the related art, to improve the accuracy and efficiency of TLS encrypted traffic detection and analysis, one or more means such as machine learning, neural networks and statistical analysis are combined. Although this achieves a certain effect in improving the accuracy of detection and analysis, two defects remain. First, in the server-side certificate verification link of the TLS handshake, the subdivision granularity is coarse: certificates are only distinguished as verified in one direction or in two directions, with no further division that would better meet the continuity and accuracy requirements of the service and improve network security protection capability, so the precision of service protection is insufficient. Second, for session reconnection, the original session ID can currently only be stored in the original server; when reconnection is redirected to a new server, other technical means are needed to continue the original session and session key, so the process is complex, the efficiency is low, and service continuity is affected.
Aiming at these defects of TLS encrypted traffic analysis, the embodiments of the disclosure provide a TLS encrypted traffic analysis method based on the idea of certificate grading. On the one hand, it addresses the problem of certificate authentication granularity: the importance level of the accessed resources is determined by evaluating service importance, which in turn determines the certificate authentication mode, and a differentiated isolation mode is then established to provide the client with an end-to-end secure access channel, guaranteeing the continuity and security of the service. On the other hand, aiming at the low efficiency of redirecting a reconnected session to a new server, a reconnection server is established and the interrupted session is synchronized to it, which ensures the continuity of the service across session reconnection and improves efficiency.
Having described the general principles of the present application, various non-limiting embodiments of the present application will now be described with reference to the accompanying drawings.
Referring to fig. 1, fig. 1 is a schematic flow chart of a method for analyzing an encrypted traffic of a security transport protocol TLS according to an embodiment of the present disclosure, where the method includes steps S101 to S104.
In step S101, in a TLS handshake phase of a TLS encrypted traffic, it is determined whether a service corresponding to the TLS encrypted traffic is a first type service, if the service is the first type service, step S102 is executed, otherwise, the TLS encrypted traffic is analyzed according to a prior art flow, and the flow is ended.
In this embodiment, the first type of service generally refers to important data or sensitive data, such as high-value data, e.g., customer data, technical data, personal information, and the like, which is uploaded or downloaded. In practical applications, a person skilled in the art may classify the corresponding data services into the first type of services according to the prior art and practical applications.
In step S102, the security of the certificate from the client to the server is verified, and a first certificate verification result is obtained.
In step S103, the security of the certificate from the server to the client is verified, and a second certificate verification result is obtained.
Specifically, certificate features can be extracted to verify the security of a certificate from a client to a server/from the server to the client, and the certificate features are compared with malicious certificate features, if the comparison is successful (for example, a certain similarity threshold is reached), the flow is determined to be malicious flow and should be blocked immediately, if the comparison is failed, the flow is determined to be non-malicious flow, and TLS connection can be established, wherein the security of the certificate from the verification client to the server can be verified by the server, and the security of the certificate from the verification server to the client can be verified by the client.
In step S104, whether the TLS encrypted traffic is malicious traffic is analyzed based on the first and second certificate verification results.
In the related art, the subdivision granularity of certificate verification is coarse: no clear distinction is made between unidirectional verification (only the server's certificate is verified by the client) and bidirectional verification (the server's certificate is verified by the client and the client's certificate is verified by the server), and one of the two is simply adopted for all traffic. By contrast, this embodiment judges the service type of the TLS encrypted traffic and adopts bidirectional verification for the first type service, that is, the client and the server each verify the other party's certificate. This improves security, prevents security events such as man-in-the-middle attacks, and reduces security risk; the TLS connection established in this case belongs to the high level, and the reliability and security of the service are effectively guaranteed while the service remains efficient.
Referring to fig. 2, fig. 2 is a schematic flow diagram of a method for analyzing a security transport protocol TLS encrypted traffic according to a second embodiment of the present disclosure, where on the basis of the above embodiment, before determining whether a service corresponding to the TLS encrypted traffic is a first type service (step S101), different certificate levels (bidirectional/unidirectional) are respectively authenticated for different types of services by dividing the first type service and the second type service, so as to improve security and ensure verification efficiency, and specifically, the method further includes the following step S201:
in step S201, the services are divided into a first type service and a second type service according to the importance of the services.
Specifically, according to the requirements of service scenes, the services are divided into a first type service and a second type service according to the importance degree of the services, wherein the first type service corresponds to an important scene service, the second type service corresponds to a common scene service, for example, high-value data transmission services such as customer data, technical data, personal information and the like correspond to the important scene service, and simple web page access or simple information interaction corresponds to the common scene service.
Referring to fig. 3, fig. 3 is a schematic flow chart of an analysis method for security transport protocol TLS encrypted traffic provided in a third embodiment of the present disclosure, based on the above embodiment, in this embodiment, a bidirectional certificate authentication container is created, and certificate authentication is performed in the bidirectional certificate authentication container to ensure security of a certificate in a verification process, so as to avoid certificate information from being leaked, specifically, after determining whether a service corresponding to the TLS encrypted traffic is a first type service (step S101), and before verifying security of a certificate from a client to a server to obtain a first certificate verification result (step S102), step S301 is further included, and step S102 and step S103 are further divided into step S102a and step S103 a.
In step S301, if the service is the first type service, a bidirectional certificate authentication container is created;
in step S102a, verifying the security of the certificate from the client to the server in the bidirectional certificate authentication container to obtain a first certificate verification result; and, in step S103a, verifying the security of the certificate from the server side to the client side in the two-way certificate authentication container to obtain a second certificate verification result.
Referring to fig. 4, fig. 4 is a schematic flow chart of a method for analyzing a security transport protocol TLS encrypted traffic according to a fourth embodiment of the present disclosure, where on the basis of the foregoing embodiment, this embodiment adopts a one-way authentication manner for a second type of service, and adopts different certificate level authentication manners based on different service types, so that certificate authentication efficiency can be improved while certificate security is effectively guaranteed, and after determining whether a service corresponding to the TLS encrypted traffic is a first type of service (step S101), the method further includes:
In step S401, if the service is not the first type service, it is determined whether the service corresponding to the TLS encrypted traffic is the second type service; if it is the second type service, step S402 is executed, otherwise the TLS encrypted traffic is verified according to the prior art and the process ends.
In step S402, the security of the certificate from the server side to the client side is verified to obtain a third certificate verification result;
In step S403, whether the TLS encrypted traffic is malicious traffic is analyzed based on the third certificate verification result.
For example, the service is a scenario of simple web access or simple information interaction, and in this embodiment, only the server needs to send the certificate to the client for verification, and correspondingly, the server-client certificate is extracted, and malicious or normal TLS encrypted traffic is determined according to the certificate, so as to ensure high efficiency of the service, where the established TLS connection is of a normal level.
Further, the embodiment creates a one-way certificate authentication container, completes one-way certificate authentication in the one-way certificate authentication container to ensure security in the certificate verification process, and after determining whether the TLS encrypted traffic corresponding service is a second type service (step S401), and before verifying the certificate security from the server side to the client side to obtain a third certificate verification result (step S402), further includes the following steps:
if the service is the second type service, a one-way certificate authentication container is established;
the verifying the security of the certificate from the server side to the client side to obtain a third certificate verification result (step S402), which specifically comprises the following steps:
and verifying the security of the certificate from the server side to the client side in the one-way certificate authentication container to obtain a third certificate verification result.
In this embodiment a bidirectional or unidirectional certificate authentication container is created for the two certificate authentication processes; after the service type corresponding to the TLS encrypted traffic is identified, certificate authentication is performed in the corresponding container. Classifying the certificate containers in this way ensures service isolation, which matters when an operator provides private-network service capability and customized security capability to customers in a particular field. The medical industry, for example, carries important user information, the secure transmission of medical data has higher security requirements, and guaranteeing the security and reliability of end-to-end medical services plays an important role.
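The bidirectional verification of the first embodiment and the unidirectional verification of this embodiment can be written out as a single policy routine. The following Python is an added example and not code from the patent: it classifies a service by a constructed importance table, selects mutual or one-way verification accordingly, and scores each presented certificate against the malicious-certificate indicators the page names (self-signed, unusually long validity) with a similarity threshold. The service table, the trusted-issuer list, the 398-day validity limit used as the "long validity" cut-off, the untrusted-issuer indicator and the threshold value are all assumptions; the certificates are constructed sample inputs, and the authentication containers themselves are not modelled.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

FIRST_TYPE = "first_type"    # important or sensitive data services
SECOND_TYPE = "second_type"  # ordinary web access / simple information exchange

# Constructed service-importance table (assumption); step S201 of the patent
# derives this from the operator's own evaluation of service importance.
SERVICE_CLASS = {
    "customer-data-upload": FIRST_TYPE,
    "medical-records-sync": FIRST_TYPE,
    "public-website": SECOND_TYPE,
}

# Constructed trust-anchor list for the untrusted-issuer indicator (assumption).
TRUSTED_ISSUERS = {"CN=Example Root CA"}

# Publicly trusted server certificates have been capped at 398 days since 2020,
# so a validity span beyond that is used as the page's "long validity" signal.
MAX_NORMAL_VALIDITY = timedelta(days=398)


@dataclass(frozen=True)
class CertFeatures:
    """Fields extracted from a certificate seen in the cleartext TLS 1.2 handshake."""
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer

    @property
    def validity(self) -> timedelta:
        return self.not_after - self.not_before


def classify_service(name: str) -> Optional[str]:
    """Steps S101/S401: look up the service class; None means unclassified."""
    return SERVICE_CLASS.get(name)


def malicious_similarity(cert: CertFeatures) -> float:
    """Fraction of malicious-certificate indicators the certificate matches.
    Self-signed and long validity come from the page; the untrusted-issuer
    indicator is an added assumption."""
    indicators = [
        cert.self_signed,
        cert.validity > MAX_NORMAL_VALIDITY,
        cert.issuer not in TRUSTED_ISSUERS,
    ]
    return sum(indicators) / len(indicators)


def verify_certificate(cert: CertFeatures, threshold: float = 0.6) -> str:
    """One verification direction: 'malicious' once the similarity threshold is reached."""
    return "malicious" if malicious_similarity(cert) >= threshold else "ok"


def analyse_handshake(service: str, server_cert: CertFeatures,
                      client_cert: Optional[CertFeatures] = None) -> dict:
    """Steps S101-S104 and S401-S403: select the verification mode from the
    service class and derive the traffic verdict from the per-direction results."""
    kind = classify_service(service)
    if kind == FIRST_TYPE:
        # Bidirectional: the server verifies the client certificate (first result)
        # and the client verifies the server certificate (second result).
        if client_cert is None:
            # No client certificate is treated as a failed first verification.
            return {"mode": "bidirectional", "verdict": "malicious",
                    "results": ("missing", verify_certificate(server_cert))}
        first = verify_certificate(client_cert)
        second = verify_certificate(server_cert)
        verdict = "malicious" if "malicious" in (first, second) else "clean"
        return {"mode": "bidirectional", "verdict": verdict, "results": (first, second)}
    if kind == SECOND_TYPE:
        # Unidirectional: only the server certificate is verified (third result).
        third = verify_certificate(server_cert)
        return {"mode": "unidirectional",
                "verdict": "malicious" if third == "malicious" else "clean",
                "results": (third,)}
    # Unclassified services fall back to the existing (prior-art) analysis flow.
    return {"mode": "legacy", "verdict": "unclassified", "results": ()}


# Constructed sample certificates.
GOOD_SERVER_CERT = CertFeatures("CN=www.example.com", "CN=Example Root CA",
                                datetime(2024, 1, 1), datetime(2024, 12, 31))
GOOD_CLIENT_CERT = CertFeatures("CN=client-17", "CN=Example Root CA",
                                datetime(2024, 1, 1), datetime(2024, 12, 31))
INTERNAL_CA_CERT = CertFeatures("CN=app.internal", "CN=Corp Internal CA",
                                datetime(2024, 1, 1), datetime(2024, 6, 30))
SUSPECT_CERT = CertFeatures("CN=localhost", "CN=localhost",
                            datetime(2020, 1, 1), datetime(2030, 1, 1))

if __name__ == "__main__":
    for svc in ("customer-data-upload", "public-website", "unknown-service"):
        print(svc, analyse_handshake(svc, GOOD_SERVER_CERT, GOOD_CLIENT_CERT))
    print("self-signed on public-website:", analyse_handshake("public-website", SUSPECT_CERT))
```

The threshold matters: a certificate from an internal CA that is neither self-signed nor long-lived matches only one of three indicators and passes, while the self-signed ten-year certificate matches all three and is flagged in whichever direction it appears. A first-type service that presents no client certificate cannot complete mutual verification and is rejected rather than silently downgraded to one-way verification.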
Referring to fig. 5, fig. 5 is a schematic flow diagram of a TLS encrypted traffic analysis method according to a fifth embodiment of the present disclosure, where on the basis of the first embodiment, when verifying that TLS encrypted traffic is not malicious traffic, a TLS session connection between a server and a client is established, a session ID and a session key of the client are stored in the server, so as to implement secure transmission of TLS traffic, and specifically, after analyzing whether TLS encrypted traffic is malicious traffic based on the first certificate verification result and the second certificate verification result (step S104), the method further includes step S501 and step S502.
In step S501, if the TLS encrypted traffic is not malicious traffic, establishing a TLS session connection between the server and the client;
in step S502, the session ID and the session key of the client to which the TLS session is connected are stored in the server.
In some embodiments, when step S403 determines that the TLS encrypted traffic is not malicious traffic, the subsequent flow is the same as in this embodiment and is not described again here.
Referring to fig. 6, fig. 6 is a flowchart illustrating an analysis method for security transport protocol TLS encrypted traffic according to a sixth embodiment of the present disclosure, where on the basis of the previous embodiment, the present embodiment implements a fast reconnection service for interrupting a session by creating a reconnection server, and specifically, the method further includes steps S601 to S603.
In step S601, a reconnection server is created;
In step S602, in the TLS session connection phase, whether a session interruption occurs between the server and the client is continuously monitored; if a session interruption occurs, step S603 is executed, otherwise the flow ends.
It is understood that step S602 follows step S502.
In step S603, the session ID and the session key stored in the server are synchronized to the reconnection server, so that the reconnection server reestablishes the TLS session connection with the client based on the session ID and the session key.
In this embodiment, the reconnection server is set up mainly to address the situation in which a session is interrupted after the TLS handshake has completed and the client is redirected to a new server. Because the original session ID can only be stored on the server that was originally connected, the related art proposes various optimized methods for this defect, but they are usually limited to transmitting the original session ID and original session key to the new server in encrypted form, which undoubtedly increases the risk of key exposure; from a security perspective, transmitting a key internally is more secure than transmitting it externally.
Therefore, to address this defect, this embodiment configures a reconnection server: once the original server finds that a client has been "disconnected", the session ID of that client and the related key are automatically synchronized to the reconnection server. In some embodiments a counter mode may also be added for timing, so that it is continuously monitored whether the client re-initiates the session with that session ID, and if the client does not do so within a specified time (for example, 5 minutes), the session is released. The main function of the reconnection server is to serve clients that need to resume their original session: as soon as a session is "disconnected", the original session server synchronously sends the original session ID and the corresponding interaction key information to the reconnection server so that subsequent service can continue. Compared with the related art, this is more secure than re-transmitting the session ID and key over the network, the operation is carried out without the user perceiving it, and service continuity is ensured because, from the client's point of view, it is still talking to the original server. The problems of complex and inefficient session reconnection in the prior art are thus effectively solved.
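The following is an added example, not code from the patent or its applicant, modelling the session-phase flow of steps S501/S502 and S601 to S603: the origin server stores the session ID and session key at establishment, synchronizes that record to a reconnection server over an internal channel (modelled as a direct call) when it observes a disconnect, and the reconnection server holds the record for a bounded time (300 seconds, the "5 minutes" the description gives as an example) before releasing it. The class and function names, the injected clock, and the challenge/response proof that a returning client actually holds the session key (so that knowing a session ID alone is not enough to resume) are assumptions made for this example.

```python
"""Added example (not the patent's own code): origin server + reconnection server."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# "within a specified time (for example, 5 minutes), the session is released"
RELEASE_AFTER_SECONDS = 300


@dataclass(frozen=True)
class SessionRecord:
    session_id: str
    session_key: bytes
    client_id: str


class ReconnectionServer:
    """Keeps synchronized session records until the client resumes or the timer expires."""

    def __init__(self, clock: Callable[[], float]):
        self._clock = clock  # injected so the release window is testable (assumption)
        self._pending: Dict[str, Tuple[SessionRecord, float]] = {}

    def receive_sync(self, record: SessionRecord) -> None:
        # S603: record arrives from the origin server; the release timer starts now.
        self._pending[record.session_id] = (record, self._clock() + RELEASE_AFTER_SECONDS)

    def release_expired(self) -> int:
        """Drop records whose client never came back; returns how many were released."""
        now = self._clock()
        expired = [sid for sid, (_, deadline) in self._pending.items() if now > deadline]
        for sid in expired:
            del self._pending[sid]  # key material discarded with the record
        return len(expired)

    def pending_count(self) -> int:
        self.release_expired()
        return len(self._pending)

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def resume(self, session_id: str, nonce: bytes, proof: bytes) -> Optional[SessionRecord]:
        """Re-establish only if the client proves possession of the session key
        (assumption: HMAC-SHA256 over a fresh nonce; the key never crosses the network)."""
        self.release_expired()
        entry = self._pending.get(session_id)
        if entry is None:
            return None
        record, _ = entry
        expected = hmac.new(record.session_key, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, proof):
            return None
        del self._pending[session_id]  # one resumption per synchronized record
        return record


class OriginServer:
    def __init__(self, reconnection_server: ReconnectionServer):
        self._reconnect = reconnection_server
        self.sessions: Dict[str, SessionRecord] = {}

    def establish_session(self, client_id: str) -> SessionRecord:
        # S501/S502: handshake already judged non-malicious; store ID and key.
        record = SessionRecord(secrets.token_hex(16), secrets.token_bytes(32), client_id)
        self.sessions[record.session_id] = record
        return record

    def on_disconnect(self, session_id: str) -> bool:
        # S602/S603: interruption observed; synchronize the record internally.
        record = self.sessions.pop(session_id, None)
        if record is None:
            return False
        self._reconnect.receive_sync(record)
        return True


def client_proof(session_key: bytes, nonce: bytes) -> bytes:
    """What the returning client computes from its own copy of the session key."""
    return hmac.new(session_key, nonce, hashlib.sha256).digest()


def demo(start: float = 1000.0) -> dict:
    """Establish -> disconnect -> sync -> resume, then a record that times out."""
    clock = {"t": start}
    reconnect = ReconnectionServer(lambda: clock["t"])
    origin = OriginServer(reconnect)

    rec = origin.establish_session("client-1")
    origin.on_disconnect(rec.session_id)
    n1 = reconnect.challenge()
    wrong = reconnect.resume(rec.session_id, n1, client_proof(b"not the key", n1))
    n2 = reconnect.challenge()
    resumed = reconnect.resume(rec.session_id, n2, client_proof(rec.session_key, n2))

    rec2 = origin.establish_session("client-2")
    origin.on_disconnect(rec2.session_id)
    clock["t"] += RELEASE_AFTER_SECONDS + 1  # client-2 never re-initiates
    released = reconnect.release_expired()
    return {"wrong_key_rejected": wrong is None,
            "resumed": resumed is not None and resumed.session_id == rec.session_id,
            "released": released, "pending": reconnect.pending_count()}


if __name__ == "__main__":
    print(demo())
```

The design point worth noting is that the session key moves only between the origin server and the reconnection server, never back over the client-facing network, which is the property the description argues for; the returning client is authenticated by demonstrating knowledge of the key rather than by presenting the session ID alone.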
For ease of understanding, referring to fig. 7, the second flow diagram of the security transport protocol TLS encrypted traffic analysis method provided in the sixth embodiment of the present disclosure is divided into certificate authentication in the TLS (connection) handshake phase and session reconnection in the (TLS) session connection phase. Certificate authentication in the TLS handshake phase is further divided into an important or sensitive service scenario, corresponding to the first type of service, and a common service scenario, corresponding to the second type of service. For the first type of service, a bidirectional certificate authentication container is created between the client and server A; the certificate features from server A to the client and the certificate features from the client to server A are extracted in the bidirectional certificate authentication container and each compared with malicious certificate features. If no match is found, a TLS session connection between server A and the client is established; in the session connection phase a reconnection server A is created, information such as the session ID and session key of the original server A is stored, and service reconnection is completed with the help of a timer. Correspondingly, for the second type of service, a one-way certificate authentication container is established between the client and server B; the certificate features from the server to the client are extracted in the one-way certificate authentication container and compared and judged, after which a TLS session connection between server B and the client is established; in the session connection phase a reconnection server B is created, information such as the session ID and session key of the original server B is stored, and service reconnection is completed with the help of a timer.
It should be noted that server A and server B, and reconnection server A and reconnection server B, are only used to distinguish the two cases of the first type service and the second type service and have no other special meaning. It will be appreciated that the client and server may establish multiple sessions simultaneously, including session ID1 … session IDn.
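The handshake-phase branch of fig. 7, as an added example that is not code from the patent or its applicant: the service is classified as first type (important or sensitive) or second type (common), first-type services get bidirectional checks (client to server and server to client) and second-type services a one-way check of the server certificate, and each check compares extracted certificate features with a list of malicious certificate features. The service table, the feature names, the rule that a first-type service with no client certificate fails the first check, and every sample value (fingerprints are placeholders, not real indicators) are constructed for this example.

```python
"""Added example (not the patent's own code): service-type aware certificate checks."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed: division of services by importance into first type and second type.
FIRST_TYPE_SERVICES = {"payment", "admin-console", "identity"}

# Constructed malicious-certificate features; a deployment would load these from
# its own intelligence feeds.  Placeholder values, not real indicators.
MALICIOUS_FINGERPRINTS = {"00" * 32}
MALICIOUS_ISSUERS = {"Example Malicious CA"}


@dataclass(frozen=True)
class CertFeatures:
    """Features extracted from a certificate inside the authentication container."""
    subject_cn: str
    issuer_cn: str
    sha256_fingerprint: str  # hex
    not_before: date
    not_after: date


def service_type(service_name: str) -> int:
    """1 = first type (important/sensitive), 2 = second type (common)."""
    return 1 if service_name in FIRST_TYPE_SERVICES else 2


def compare_with_malicious_features(cert: CertFeatures, today: date) -> List[str]:
    """Malicious features matched by this certificate; an empty list means clean."""
    matched: List[str] = []
    if cert.sha256_fingerprint.lower() in MALICIOUS_FINGERPRINTS:
        matched.append("fingerprint on malicious list")
    if cert.issuer_cn in MALICIOUS_ISSUERS:
        matched.append("issuer on malicious list")
    if cert.subject_cn == cert.issuer_cn:
        matched.append("self-signed")
    if not (cert.not_before <= today <= cert.not_after):
        matched.append("outside validity period")
    return matched


def analyze_handshake(service_name: str, server_cert: CertFeatures,
                      client_cert: Optional[CertFeatures], today: date) -> Dict:
    """Decide whether the handshake traffic is malicious, per the service type."""
    if service_type(service_name) == 1:
        # Bidirectional container: both directions must pass.
        if client_cert is None:  # assumption: missing client cert fails the first check
            return {"service_type": 1, "malicious": True,
                    "first_result": ["no client certificate presented"], "second_result": None}
        first = compare_with_malicious_features(client_cert, today)   # client -> server
        second = compare_with_malicious_features(server_cert, today)  # server -> client
        return {"service_type": 1, "malicious": bool(first or second),
                "first_result": first, "second_result": second}
    # One-way container: only the server certificate is checked.
    third = compare_with_malicious_features(server_cert, today)
    return {"service_type": 2, "malicious": bool(third), "third_result": third}


if __name__ == "__main__":
    today = date(2024, 6, 1)
    srv = CertFeatures("svc.example", "Example Root CA", "ab" * 32, date(2024, 1, 1), date(2025, 1, 1))
    cli = CertFeatures("client-2", "Example Malicious CA", "00" * 32, date(2024, 1, 1), date(2025, 1, 1))
    print(analyze_handshake("payment", srv, cli, today))
    print(analyze_handshake("blog", srv, None, today))
```

The point the example makes concrete is that the same server certificate is acceptable for a second-type service while the first-type path additionally demands and checks a client certificate, which is exactly where the finer verification granularity of the method comes from.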
Based on the same technical concept, the embodiment of the present disclosure correspondingly provides a device for analyzing an encrypted traffic of a security transport protocol TLS, where as shown in fig. 8, the device includes:
the first judging module 81 is configured to judge whether a service corresponding to a TLS encrypted traffic is a first type service when receiving an analysis request of the TLS encrypted traffic;
a first verification module 82 configured to, when the first judging module 81 judges that the service is the first type service, verify, in the TLS handshake phase of the TLS encrypted traffic, the security of the certificate from the client to the server to obtain a first certificate verification result, and verify the security of the certificate from the server to the client to obtain a second certificate verification result;
an analysis module 83 arranged to analyze whether the TLS encrypted traffic is malicious traffic based on the first and second certificate verification results.
In one embodiment, the apparatus further comprises:
a dividing module configured to divide the service into the first type service and the second type service according to the importance degree of the service before the first judging module 81 judges whether the service is the first type service.
In one embodiment, the apparatus further comprises:
a first container creation module configured to create a bidirectional certificate authentication container after the first determination module 81 determines whether the service is the first type service and before the first verification module 82 verifies the certificate security;
the first verification module 82 is specifically configured to verify the security of the certificate from the client to the server in the bidirectional certificate authentication container to obtain a first certificate verification result, and to verify the security of the certificate from the server to the client to obtain a second certificate verification result.
In one embodiment, the apparatus further comprises:
a second judging module configured to judge whether the service corresponding to the TLS encrypted traffic is a second type service when the first judging module 81 judges that the service is not the first type service;
a second verification module configured to verify the security of the certificate from the server side to the client side to obtain a third certificate verification result when the second judging module judges that the service is the second type service;
the analyzing module 83 is further configured to analyze whether the TLS encrypted traffic is malicious traffic based on the third verification result.
In one embodiment, the apparatus further comprises:
the second container creating module is used for creating the one-way certificate authentication container after the second judging module judges that the service is the second type of service and before the second verifying module verifies the safety of the certificate;
the second verification module is specifically configured to verify the security of the certificate from the server to the client in the one-way certificate authentication container to obtain a third certificate verification result.
In one embodiment, the apparatus further comprises:
the session establishing module is configured to establish TLS session connection between the server and the client when the analyzing module 83 analyzes that the TLS encrypted traffic is not malicious traffic;
a storage module configured to store a session ID and a session key of a client to which the TLS session is connected in a server.
In one embodiment, the apparatus further comprises:
a reconnect server creation module configured to create a reconnect server side;
the continuous monitoring module is set to continuously monitor whether session interruption occurs between the server side and the client side in a TLS session connection stage;
and the synchronous reconnection module is configured to synchronize the session ID and the session key stored by the server to the reconnection server when the continuous monitoring module monitors that the session is interrupted, so that the reconnection server reestablishes the TLS session connection with the client based on the session ID and the session key.
Based on the same technical concept, the embodiment of the present disclosure correspondingly provides a terminal device, as shown in fig. 9, where the terminal device includes a memory 91 and a processor 92, the memory 91 stores a computer program, and when the processor 92 runs the computer program stored in the memory 91, the processor 92 executes the secure transport protocol TLS encrypted traffic analysis method.
Based on the same technical concept, embodiments of the present disclosure correspondingly provide a computer-readable storage medium, on which a computer program is stored, where when the computer program is executed by a processor, the processor executes the secure transport protocol TLS encrypted traffic analysis method.
It will be understood by those of ordinary skill in the art that all or some of the steps of the methods, systems, functional modules/units in the devices disclosed above may be implemented as software, firmware, hardware, and suitable combinations thereof. In a hardware implementation, the division between functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may be performed by several physical components in cooperation. Some or all of the physical components may be implemented as software executed by a processor, such as a central processing unit, digital signal processor, or microprocessor, or as hardware, or as an integrated circuit, such as an application specific integrated circuit. Such software may be distributed on computer readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). The term computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data, as is well known to those of ordinary skill in the art. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, Digital Versatile Disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer.
In addition, communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media as known to those skilled in the art.
Finally, it should be noted that: the above embodiments are only used for illustrating the technical solutions of the present disclosure, and not for limiting the same; while the present disclosure has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present disclosure.

Claims (10)

1. A method for analyzing the encrypted traffic of a secure transport protocol (TLS) is characterized by comprising the following steps:
in a TLS handshaking stage of TLS encrypted traffic, judging whether a service corresponding to the TLS encrypted traffic is a first type service;
if the service is the first type service, verifying the certificate security from the client to the server to obtain a first certificate verification result, and verifying the certificate security from the server to the client to obtain a second certificate verification result;
analyzing whether the TLS encrypted traffic is malicious traffic based on the first certificate verification result and the second certificate verification result.
2. The method of claim 1, before determining whether the traffic corresponding to the TLS encrypted traffic is the first type of traffic, further comprising:
and dividing the service into a first type service and a second type service according to the importance degree of the service.
3. The method as claimed in claim 1, wherein after determining whether the TLS encrypted traffic corresponding service is a first type of service, and before verifying the security of the certificate from the client to the server to obtain a first certificate verification result, and verifying the security of the certificate from the server to the client to obtain a second certificate verification result, the method further comprises:
if the service is the first type service, a bidirectional certificate authentication container is established;
the verifying the security of the certificate from the client to the server to obtain a first certificate verification result, and verifying the security of the certificate from the server to the client to obtain a second certificate verification result, comprising:
and verifying the certificate security from the client side to the server side in the two-way certificate authentication container to obtain a first certificate verification result, and verifying the certificate security from the server side to the client side in the two-way certificate authentication container to obtain a second certificate verification result.
4. The method as claimed in claim 1, wherein after determining whether the traffic corresponding to the TLS encrypted traffic is the first type of traffic, the method further comprises:
if the traffic is not the first type of traffic, judging whether the traffic corresponding to the TLS encrypted traffic is the second type of traffic;
if the service is the second type service, verifying the certificate security from the server side to the client side to obtain a third certificate verification result;
analyzing whether the TLS encrypted traffic is malicious traffic based on the third verification result.
5. The method according to claim 4, wherein after determining whether the service corresponding to the TLS encrypted traffic is the second type service, and before verifying the security of the certificate from the server side to the client side and obtaining a third certificate verification result, the method further comprises:
if the service is the second type service, a one-way certificate authentication container is established;
the verifying the security of the certificate from the server side to the client side to obtain a third certificate verification result comprises the following steps:
and verifying the security of the certificate from the server side to the client side in the one-way certificate authentication container to obtain a third certificate verification result.
6. The method of claim 1, after analyzing whether the TLS encrypted traffic is malicious traffic based on the first and second certificate verification results, further comprising:
if the TLS encrypted traffic is not malicious traffic, establishing TLS session connection between the server and the client;
storing the session ID and session key of the client to which the TLS session is connected in the server.
7. The method of claim 6, further comprising:
establishing a reconnection server end;
in the TLS session connection stage, continuously monitoring whether session interruption occurs between a server side and a client side;
and if the session is interrupted, synchronizing the session ID and the session key stored by the server to the reconnection server so that the reconnection server reestablishes the TLS session connection with the client based on the session ID and the session key.
8. A security transport protocol TLS encrypted traffic analyzing apparatus, comprising:
the first judgment module is arranged for judging whether the service corresponding to the TLS encrypted flow is a first type service or not in the TLS handshake stage of the TLS encrypted flow;
the first verification module is arranged for verifying the certificate security from the client to the server to obtain a first certificate verification result and verifying the certificate security from the server to the client to obtain a second certificate verification result when the first judgment module judges that the service is the first type service;
an analysis module configured to analyze whether the TLS encrypted traffic is malicious traffic based on the first and second certificate verification results.
9. A terminal device, characterized by comprising a memory and a processor, wherein the memory stores a computer program, and when the processor runs the computer program stored in the memory, the processor executes the secure transport protocol TLS encrypted traffic analysis method according to any one of claims 1 to 7.
10. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, causes the processor to carry out the secure transport protocol TLS encrypted traffic analysis method according to any one of claims 1 to 7.
CN202210017255.3A 2022-01-07 2022-01-07 TLS encrypted traffic analysis method and device, terminal device and storage medium Pending CN114363073A (en)


Publications (1)

Publication Number Publication Date
CN114363073A true CN114363073A (en) 2022-04-15

Family

ID=81107932

Country Status (1)

Country Link
CN (1) CN114363073A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20220415