CN105407068B - Network Data Capture methods, devices and systems - Google Patents
Network Data Capture methods, devices and systems Download PDFInfo
- Publication number
- CN105407068B CN105407068B CN201410307404.5A CN201410307404A CN105407068B CN 105407068 B CN105407068 B CN 105407068B CN 201410307404 A CN201410307404 A CN 201410307404A CN 105407068 B CN105407068 B CN 105407068B
- Authority
- CN
- China
- Prior art keywords
- ssl
- network data
- tls
- server
- tls server
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
Network Data Capture methods, devices and systems of the invention carry out encryption encapsulation based on SSL/TLS Protocol Through Network data acquisition request;It is sent to SSL/TLS server via middle layer later, by obtaining network data from destination server after SSL/TLS server decryption processing;Then the network data that will acquire carries out encryption encapsulation based on SSL/TLS agreement and returns to terminal device via middle layer.The present invention is to be carried out data transmission between terminal device and SSL/TLS server by way of ciphertext, and network data is obtained by way of SSL/TLS transit server, the flow when the targeted website of https agreement is not supported in access will be prevented and kidnap phenomenon.
Description
Technical field
The present invention relates to mobile communication technology fields, more specifically, are related to Network Data Capture method, apparatus and are
System.
Background technique
The mainstream transmission mode of network transmission is http at present.And it is based on the process that http agreement carries out network transmission
Plaintext transmission, flow arbitrary can on the way be controlled.In advance down toward local, when operation, only communicates traditional program
Flow;And the WebApp used online, existing communication data in flow, and have interface and the code of program, kidnap it is simply light and
Yi Ju.So being kidnapped in many flows in internet and mobile Internet.
Fig. 1 shows the flow chart of normal access target website.As shown in Figure 1, when user requests access to targeted website, it is first
The connection based on http agreement is established in first terminal device and targeted website, then sends network to targeted website via middle layer and asks
It asks.Requested network data is sent to terminal device via middle layer by network request based on the received for targeted website.
Fig. 2 shows the flow charts that the catastrophe of access target website is held.As shown in Fig. 2, when user requests access to targeted website,
Terminal device and targeted website establish the connection based on http agreement first, then send network to targeted website via middle layer
Request, network operator or hacker use flow bypass analysis system or Network Sniffing system in middle layer, intercept and capture user's request
Content then branches in the station address of forgery, or the network data that user requests is tried to be the first response to terminal device.It visits
Ask targeted website catastrophe hold will lead to forgery website carry out fishing type attack or the frequent illegal advertisement pop-up of implantation or
Poison to the caching of http with illegal malice sniff account system etc..If the network data that user requests is tried to be the first response to eventually
End equipment will lead to the wrong data of terminal device acquisition or be non-legal data.Middle layer refers to except user terminal and target network
The all-network node passed through between standing, the including but not limited to service such as the home router, network operator at different levels of user
Device, network equipment etc..
The data that the prior art has used SSL/TLS to encrypt carry out network transmission and are difficult to crack, it is easier to be modified.From
SSL/TLS can be very good to solve the problems, such as that flow is kidnapped from the point of view of actual conditions.But the Websites quantity of the https of country's deployment at present is also
It is considerably less.So not supporting the website of https agreement to there is the phenomenon that being kidnapped by operator or hacker in access.
Summary of the invention
In view of the above problems, it the object of the present invention is to provide a kind of Network Data Capture method, apparatus and system, can solve
Access does not support the flow of the targeted website of https agreement to kidnap problem.
According to an aspect of the present invention, a kind of Network Data Capture method executed in terminal equipment side is provided, comprising:
According to the destination server address in detected network data acquiring request, in the SSL/TLS being locally stored
Corresponding SSL/TLS server address is obtained in server database, wherein store in the SSL/TLS server database
There is the mapping table between destination server address and SSL/TLS server address;
After getting corresponding SSL/TLS server address, the Network Data Capture is asked based on SSL/TLS agreement
It asks and carries out encryption encapsulation;
It sends the network data acquiring request after the encryption encapsulation to and SSL/TLS server address via middle layer
Corresponding SSL/TLS server, for obtaining network number from the destination server after the SSL/TLS server decryption processing
According to;
Successively via the SSL/TLS server and the middle layer, receive returned from destination server by described
SSL/TLS server carries out the network data after encryption and package process based on SSL/TLS agreement.
Wherein, the SSL/TLS server database being locally stored utilizes external data dispatching platform to the terminal
The mapping table of the destination server address that equipment issues and SSL/TLS server address is updated.
Wherein, the mapping table of the destination server address and SSL/TLS server address is by the external data
Dispatching platform kidnaps what information determined according to the network data acquiring request counted in advance.
Wherein, the external data dispatching platform issues the destination server to the terminal device using broadcast mode
The mapping table of address and SSL/TLS server address.
Wherein, SSL/TLS server address includes the IP address of SSL/TLS server or the domain of SSL/TLS server
Name address.
Wherein, it when SSL/TLS server address is the domain name addresses of SSL/TLS server, is counted with terminal device
SSL/TLS server according to transmission is determined according to the current network state of terminal device.
A kind of another Network Data Capture method of the preferred present invention, comprising:
In terminal equipment side,
According to the destination server address in detected network data acquiring request, in the SSL/TLS being locally stored
Corresponding SSL/TLS server address is obtained in server database, wherein store in the SSL/TLS server database
There is the mapping table between destination server address and SSL/TLS server address;
After getting corresponding SSL/TLS server address, the Network Data Capture is asked based on SSL/TLS agreement
It asks and carries out encryption encapsulation;
SSL/ corresponding with SSL/TLS server address is sent by the network data acquiring request after the encryption encapsulation
TLS server, for obtaining network data from the destination server after the SSL/TLS server decryption processing;
Successively via the SSL/TLS server and the middle layer, receive returned from destination server by described
SSL/TLS server carries out the network data after encryption and package process based on SSL/TLS agreement.
And
In SSL/TLS server side,
To it is received encryption encapsulation after network data acquiring request be decrypted;
Based on the network data acquiring request after the decryption, network data is obtained from corresponding destination server;
Acquired network data is carried out after carrying out encryption and package process based on SSL/TLS agreement, terminal is sent to and sets
It is standby.
On the other hand, the present invention also provides a kind of Network Data Capture devices, comprising:
SSL/TLS server address acquiring unit, for according to the target in detected network data acquiring request
Server address obtains corresponding SSL/TLS server address in the SSL/TLS server database being locally stored, wherein
The corresponding pass between destination server address and SSL/TLS server address is stored in the SSL/TLS server database
It is table;
Encryption unit is requested, for getting corresponding SSL/TLS server in SSL/TLS server address acquiring unit
Behind address, encryption encapsulation is carried out to the network data acquiring request based on SSL/TLS agreement;
Request transmitting unit takes for sending the network data acquiring request after the encryption encapsulation to SSL/TLS
The corresponding SSL/TLS server in business device address, for being obtained after the SSL/TLS server decryption processing from the destination server
Take network data;
Network data receiving unit, for successively via the SSL/TLS server and the middle layer, receiving from target
What server returned is carried out the network data net after encryption and package process by the SSL/TLS server based on SSL/TLS agreement
Network data.
It wherein, further include data updating unit, for what is issued using external data dispatching platform to the terminal device
The mapping table of destination server address and SSL/TLS server address is with the SSL/TLS server data that is newly locally stored
Library.
The preferred Network Data Capture device, the Network Data Capture device are arranged in terminal device.
On the other hand, the present invention also provides a kind of Network Data Capture devices, comprising: is set to the SSL/ of terminal device
TLS server address acquiring unit requests encryption unit, request transmitting unit, network data receiving unit and is set to SSL/
The decryption unit of TLS server, Network Data Capture unit, network data encryption unit,
The SSL/TLS server address acquiring unit, for according in detected network data acquiring request
Destination server address obtains corresponding SSL/TLS server address in the SSL/TLS server database being locally stored,
Wherein, pair being stored in the SSL/TLS server database between destination server address and SSL/TLS server address
Answer relation table;
The request encryption unit, for getting corresponding SSL/TLS clothes in SSL/TLS server address acquiring unit
It is engaged in behind device address, encryption encapsulation is carried out to the network data acquiring request based on SSL/TLS agreement;
The request transmitting unit, for sending the network data acquiring request after the encryption encapsulation to and SSL/
The corresponding SSL/TLS server of TLS server address, for being taken after the SSL/TLS server decryption processing from the target
Business device obtains network data;
The network data receiving unit, for successively via the SSL/TLS server and the middle layer, receive from
What destination server returned is carried out the network number after encryption and package process by the SSL/TLS server based on SSL/TLS agreement
According to network data.
The decryption unit, for via the middle layer from the terminal device it is received encryption encapsulation after network
Data acquisition request is decrypted;
The Network Data Capture unit, for based on the network data acquiring request after the decryption, from corresponding mesh
It marks server and obtains network data;
The network data transmission unit carries out acquired network data to carry out encryption envelope based on SSL/TLS agreement
After dress processing, it is sent to terminal device.
On the other hand, the present invention also provides a kind of Network Data Capture systems, comprising: terminal device, middle layer and SSL/
TLS server,
The terminal device, including mentioned-above SSL/TLS server address acquiring unit, request encryption unit, ask
Ask transmission unit, network data receiving unit and be set to the decryption unit of SSL/TLS server, Network Data Capture unit,
Network data encryption unit and/or data updating unit, for what is issued using external data dispatching platform to the terminal device
The mapping table of destination server address and SSL/TLS server address is with the SSL/TLS server data that is newly locally stored
Library;
The SSL/TLS server, comprising:
Decryption unit, for via the middle layer from the terminal device it is received encryption encapsulation after network data
Acquisition request is decrypted;
Network Data Capture unit, for being taken from corresponding target based on the network data acquiring request after the decryption
Business device obtains network data;
Acquired network data carry out based on SSL/TLS agreement at encryption encapsulation by network data encryption unit
Through being sent to terminal device by the middle layer after reason.
It wherein, further include external data dispatching platform;The external data dispatching platform, comprising:
Data distributing unit, the destination server address for issuing to the terminal device is with SSL/TLS server
The mapping table of location;
Data statistics unit determines destination server for kidnapping information according to the network data acquiring request counted in advance
The mapping table of address and SSL/TLS server address.
Network Data Capture methods, devices and systems of the invention are based on SSL/TLS Protocol Through Network data acquisition request
Carry out encryption encapsulation;Be sent to SSL/TLS server via middle layer later, by after SSL/TLS server decryption processing from mesh
It marks server and obtains network data;Then the network data that will acquire is based on SSL/TLS agreement and carries out encryption encapsulation via centre
Layer returns to terminal device.The present invention is that data are carried out by way of ciphertext between terminal device and SSL/TLS server
Transmission, and network data is obtained by way of SSL/TLS transit server, it will prevent and not support https in access
The flow when targeted website of agreement kidnaps phenomenon.
To the accomplishment of the foregoing and related purposes, one or more aspects of the present invention include be particularly described below and
The feature particularly pointed out in claim.Certain illustrative aspects of the invention is described in detail in the following description and the annexed drawings.
However, these aspects indicate only usable some of the various ways in the principles of the present invention.In addition, of the invention
It is intended to include all such aspects and their equivalent.
Detailed description of the invention
By reference to the following description in conjunction with the accompanying drawings and the contents of the claims, and with to it is of the invention more comprehensively
Understand, other objects and results of the present invention will be more clearly understood and understood.In the accompanying drawings:
Fig. 1 shows the flow chart of normal access target website;
Fig. 2 shows the flow charts that the catastrophe of access target website is held;
Fig. 3 shows the structure chart of the Network Data Capture system of embodiment according to the present invention;
Fig. 4 shows the instance graph of Network Data Capture system 10;
Fig. 5 shows an exemplary block diagram of the Network Data Capture device 300 of embodiment according to the present invention;
Fig. 6 show the SSL/TLS server 40 of the network according to the invention data-acquisition system 10 one is exemplary
Block diagram;
Fig. 7 shows the Network Data Capture method flow diagram of embodiment according to the present invention;
Fig. 8 shows the structure chart of Network Data Capture system according to another embodiment of the present invention;
Fig. 9 is the exemplary diagram of the Network Data Capture system 20 of Fig. 8;
Figure 10 shows the device block diagram of external data dispatching platform.
Identical label indicates similar or corresponding feature or function in all the appended drawings.
Specific embodiment
Following will be combined with the drawings in the embodiments of the present invention, and technical solution in the embodiment of the present invention carries out clear, complete
Whole description, it is clear that described embodiments are only a part of the embodiments of the present invention, instead of all the embodiments.It is based on
Embodiment in the present invention, it is obtained by those of ordinary skill in the art without making creative efforts every other
Embodiment shall fall within the protection scope of the present invention.
A kind of Network Data Capture method, apparatus and system provided by the invention, by there are flow kidnap region make
It is transmitted with the data of encryption, prevents the flow when the targeted website of https agreement is not supported in access and kidnap problem.
Fig. 3 shows the structure chart of the Network Data Capture system of embodiment according to the present invention.
Network Data Capture system 10 as indicated at 3, including terminal device 30, SSL/TLS server 40 and middle layer 50.
The terminal device includes Network Data Capture device 300.
Fig. 4 shows the instance graph of Network Data Capture system 10.
Fig. 5 shows an exemplary block diagram of the Network Data Capture device 300 of embodiment according to the present invention.
As shown in figure 5, Network Data Capture device 300 includes: SSL/TLS server address acquiring unit 301, requests to add
Close unit 302, request transmitting unit 303, network data receiving unit 304.
SSL/TLS server address acquiring unit 301, for according to the mesh in detected network data acquiring request
Server address is marked, corresponding SSL/TLS server address is obtained in the SSL/TLS server database being locally stored,
In, it is stored in the SSL/TLS server database corresponding between destination server address and SSL/TLS server address
Relation table.Network data acquiring request include obtain web data request or obtain network others data request, such as
Obtain the request of some software installation packet.
Destination server can be the server for some webpage that user requests access to, it is also possible to user's request
Server when a data.Such as when obtaining some software installation packet, destination server is just to provide the service of the software download
Device.
Encryption unit 302 is requested, for getting corresponding SSL/TLS in SSL/TLS server address acquiring unit 301
After server address, encryption encapsulation is carried out to the network data acquiring request based on SSL/TLS agreement.
Request transmitting unit 303, for sending the network data acquiring request after the encryption encapsulation to and SSL/TLS
The corresponding SSL/TLS server of server address, for after the SSL/TLS server decryption processing from the destination server
Obtain network data.
Request transmitting unit 303 sends the network data acquiring request after encryption encapsulation to SSL/TLS server
Before the corresponding SSL/TLS server 40 in location, the network of terminal device 30 establishes module (not shown) and SSL/TLS is serviced
Device needs to establish the network connection based on SSL/TLS agreement according to network data acquiring request, when establishing network connection, when
When SSL/TLS server address is IP address, then SSL/TLS server directly corresponding with the IP address establishes network connection.
When SSL/TLS server address is the domain name of SSL/TLS server, first passes around domain name resolution server and domain name is solved
Analysis, the IP address of the SSL/TLS server parsed may have multiple.It is according to current network shape in a preferred embodiment
State is come the SSL/TLS server that selects terminal device to carry out data transmission, and domain name resolution server is by the SSL/TLS server
IP address returns to terminal device, and terminal device SSL/TLS server corresponding with the IP address carries out data transmission.Preferred
In embodiment, the IP address that domain name resolution server also passes through CDN choice of technology SSL/TLS server returns to terminal device.
When SSL/TLS server address is the domain name of SSL/TLS server, pressed according to present terminal device network state
According to by CDN choice of technology SSL/TLS server, selects optimal SSL/TLS server cluster and network line and make net
Network message transmission rate is faster.Improve network data transmission efficiency.
Network data receiving unit 304, for connecing successively via the SSL/TLS server 40 and the middle layer 50
What receipts were returned from destination server is carried out the net after encryption and package process by the SSL/TLS server based on SSL/TLS agreement
Network data.
Fig. 6 show the SSL/TLS server 40 of the network according to the invention data-acquisition system 10 one is exemplary
Block diagram.
The SSL/TLS server 40 as shown in Figure 6 includes decryption unit 401, Network Data Capture unit 402, network
DEU data encryption unit 403 and network data transmission unit 404.
Decryption unit 401, for via the middle layer from the terminal device it is received encryption encapsulation after network
Data acquisition request is decrypted.Network data acquiring request after being decrypted that is, http agreement net
Network request of data, between SSL/TLS server and destination server by http agreement transmit data, SSL/TLS server with
It is by carrying out data transmission in plain text between destination server.Since the network data request after decryption is assisted based on http
View, thus obtain here the mode of network data with it is common identical based on the http agreement acquisition mode of network data, this
In repeat no more.
Network Data Capture unit 402, for based on the network data acquiring request after the decryption, from corresponding target
Server obtains network data.
It in a preferred embodiment, further include network data encryption unit 403, for carrying out acquired network data
Encryption and package process is carried out based on SSL/TLS agreement.Due to the network established between terminal device and SSL/TLS server before
It is SSL/TLS agreement.So the network data returned must carry out the network number after encryption encapsulation by SSL/TLS agreement
According to.
Network data transmission unit 404, for by network data encryption unit 403 carry out encryption and package process after network
Data are sent to the network data receiving unit 304 of terminal device 30 via middle layer 50.
Fig. 7 shows the Network Data Capture method flow diagram of embodiment according to the present invention.
As shown in fig. 7, receive user input network data acquiring request after, execute step S700, terminal device according to
Destination server address in detected network data acquiring request, in the SSL/TLS server database being locally stored
It is middle to obtain corresponding SSL/TLS server address.Wherein, destination server is stored in the SSL/TLS server database
Mapping table between address and SSL/TLS server address.
Network data acquiring request include obtain web data request or obtain network others data request, such as
Obtain the request of some software installation packet.
Destination server can be the server for some webpage that user requests access to, it is also possible to user's request
Server when a data.Such as when obtaining some software installation packet, destination server is just to provide the service of the software download
Device.
SSL/TLS server address includes the IP address or SSL/TLS server of SSL/TLS server in this step
Domain name addresses.
When SSL/TLS server address is the domain name addresses of SSL/TLS server, it is also necessary to pass through domain name resolution service
Device parses the domain name, obtains the IP address of SSL/TLS server.
After getting corresponding SSL/TLS server address, step S710 is executed, terminal device is assisted based on SSL/TLS
View carries out encryption encapsulation to the network data acquiring request.This step is equivalent to originally be that the network data of http agreement obtains
It is converted into the request network data acquiring request based on https agreement after taking request to carry out encryption encapsulation by SSL/TLS agreement,
But since destination server does not support https, https is decrypted to obtain so needing to be arranged SSL/TLS server
The network data acquiring request of http agreement.Originally direct directly connect with destination server by terminal device of http agreement is obtained
Network Data Capture mode is taken to be converted into obtaining network data by the mode of SSL/TLS transit server.Obtained in network data
It takes and the address of SSL/TLS server is added in request to realize that the mode of SSL/TLS transit server obtains network data.
Complete S710 after, execute S720, terminal device via middle layer by it is described encryption encapsulation after Network Data Capture
Request is sent to SSL/TLS server corresponding with SSL/TLS server address.
Before executing step S720, need to be asked according to Network Data Capture between terminal device and SSL/TLS server
It asks and establishes the network connection based on SSL/TLS agreement.When establishing network connection, when SSL/TLS server address is IP address
When, then SSL/TLS server directly corresponding with the IP address establishes network connection.When SSL/TLS server address is SSL/
It when the domain name of TLS server, first has to parse domain name by domain name resolution server, the SSL/TLS clothes parsed
The IP address of business device may have multiple.It is to select terminal device to be counted according to current network state in a preferred embodiment
According to the SSL/TLS server of transmission, the IP address of the SSL/TLS server is returned to terminal device by domain name resolution server,
Terminal device SSL/TLS server corresponding with the IP address carries out data transmission.In a preferred embodiment, domain name resolution service
The IP address that device also passes through CDN choice of technology SSL/TLS server returns to terminal device.
When SSL/TLS server address is the domain name of SSL/TLS server, pressed according to present terminal device network state
According to by CDN choice of technology SSL/TLS server, can select optimal SSL/TLS server cluster and network line makes
Obtain network data transmission rate faster.Improve network data transmission efficiency.
After SSL/TLS server receives the network data acquiring request after encryption encapsulation, S730, SSL/TLS clothes are executed
Business device to institute it is received encryption encapsulate after network data acquiring request be decrypted.Network number after being decrypted
According to acquisition request that is, the network data of http agreement is requested, pass through between SSL/TLS server and destination server
Http agreement transmits data, is by carrying out data transmission in plain text between SSL/TLS server and destination server.
After completing S730, S740 is executed, SSL/TLS server sends the network data acquiring request after decryption to target and takes
Business device.Due to decryption after network data request be based on http agreement, so here obtain network data mode with
The common mode for obtaining network data based on http agreement is identical, repeats no more.
After destination server receives network data acquiring request, returns to network data and give SSL/TLS server.SSL/
TLS server is based on SSL/TLS Protocol Through Network data and carries out encryption encapsulation (S750).SSL/TLS server will encrypt later
The network data of encapsulation returns to terminal device (S760) via middle layer.Due to terminal device before and SSL/TLS server
Between the network established be SSL/TLS agreement.So the network data returned must be encrypted by SSL/TLS agreement
Network data after encapsulation.
After terminal device receives the network data after encryption encapsulation, S770 is executed, the network data of decryption encryption encapsulation obtains
To final network data.
The Network Data Capture method of the present embodiment, by carrying out network acquisition request based on SSL/ in terminal device
The encryption of tls protocol encapsulates, and is then decrypted by SSL/TLS server, is gone later based on the network acquisition request after decryption
Destination server obtains network data and carries out the encryption based on SSL/TLS agreement to network data after getting network data
Terminal device is returned to after encapsulation, terminal device is decrypted to obtain final data to the network data after encryption encapsulation.This
Embodiment is to be carried out data transmission by way of ciphertext, and pass through SSL/TLS between terminal device and SSL/TLS server
The mode of transit server obtains network data, will prevent when the targeted website of https agreement is not supported in access
Flow kidnaps phenomenon.
The present invention also provides Network Data Capture devices on the basis of Network Data Capture device 300 as shown in Figure 5
Increase decryption unit 401, Network Data Capture unit 402, network data encryption unit 403 and network data transmission unit
404。
The decryption unit 401, Network Data Capture unit 402, network data encryption unit 403 and network data are sent
Unit 404 is identical as the working method of previous embodiment and effect, and which is not described herein again.
Fig. 8 shows the structure chart of Network Data Capture system according to another embodiment of the present invention.
Fig. 9 is the exemplary diagram of the Network Data Capture system 20 of Fig. 8.
Increase on the basis of Network Data Capture system 20 as shown in Figure 8 Network Data Capture system 10 shown in Fig. 3
External data dispatching platform 60 is added.
Figure 10 shows the device block diagram of external data dispatching platform.
External data dispatching platform 60 as shown in Figure 10, comprising:
Data statistics unit 601 determines that target takes for kidnapping information according to the network data acquiring request counted in advance
The mapping table of business device address and SSL/TLS server address.
Wherein SSL/TLS server address includes the IP address of SSL/TLS server or the domain name of SSL/TLS server
Address.When SSL/TLS server address is the domain name addresses of SSL/TLS server, it is also necessary to pass through domain name resolution server
The domain name is parsed, the IP address of SSL/TLS server is obtained.
Data distributing unit 602, destination server address and SSL/TLS for issuing to the terminal device 30 service
The mapping table of device address.The data statistics unit 601 of external data dispatching platform 60 passes through statistics discovery certain areas
The phenomenon that user is held as a hostage there are flow just records these user locations and destination service that these users request access to
Device information, destination server information may include the information such as the address of destination server, then distribute SSL/ according to these information
TLS server address.Then the corresponding relationship of destination server address and SSL/TLS server address is generated.
From the external data dispatching platform 60 in a preferred embodiment data distributing unit 602 using broadcast mode to
The terminal device 30 issues the mapping table of the destination server address Yu SSL/TLS server address.
Terminal device 30 further includes data updating unit (not shown) in preferred embodiment, for utilizing external data
The mapping table of destination server address and SSL/TLS server address that dispatching platform 60 is issued to the terminal device 30
With the SSL/TLS server database being newly locally stored.
CD server, that is, external data dispatching platform 60 as shown in Figure 7, Figure 8 is connect with terminal device 30.
The mapping table of destination server address described in the present embodiment and SSL/TLS server address is by the outside
Data distributing platform data statistic unit 601 kidnaps what information determined according to the network data acquiring request counted in advance.And
Middle layer between SSL/TLS server and terminal device be there are network data acquiring request kidnap risk middle layer, and
When SSL/TLS server goes destination server to obtain network data, between SSL/TLS server and destination server there is also in
Interbed.The SSL/TLS server of safe area is selected to carry out Network Data Capture in preferred embodiment, i.e., there is no kidnap for selection
The SSL/TLS server of risk obtains network data, so that the mid-level network between SSL/TLS server and destination server
It is that there is no the mid-level networks for kidnapping risk for data transmission.I.e. SSL/TLS server arrangement is in unpolluted network area
In.SSL/TLS server is laid out in the unpolluted network area by the statistics of external data dispatching platform.
There are flows by counting the user of discovery certain areas for the data statistics unit 601 of external data dispatching platform 60
The phenomenon that being held as a hostage just records these user locations and destination server information that these users request access to, target
Server info may include the information such as the address of destination server, then with distributing SSL/TLS server according to these information
Location.The mapping table of destination server address and SSL/TLS server address is generated later.Such as external data dispatching platform
Data statistics unit by statistics discovery Guangzhou user access Sina when exist be held as a hostage the phenomenon that, just selection one layout exist
The SSL/TLS server cluster in Wuhan generates the SSL/ of Sina website's server address and Wuhan as SSL/TLS server
The mapping table of TLS server set group address.It specifically can be the domain of the SSL/TLS server cluster in Sina's domain name and Wuhan
Name mapping table.
The data distributing unit 602 of external data dispatching platform 60 services destination server address and SSL/TLS later
The mapping table of device address is sent to terminal device 30 by way of broadcast.
The SSL/TLS server database that terminal device 30 is locally stored uses broadcast using external data dispatching platform
The mapping table of destination server address and SSL/TLS server address that form is issued to the terminal device 30 carries out more
Newly.
After terminal device 30 receives the network data acquiring request of user's input, the SSL/TLS server of terminal device 30
Address acquisition unit 301 according to the destination server address requested in network data acquiring request go destination server address with
The mapping table of SSL/TLS server address searches SSL/TLS server address, when in destination server address and SSL/
When can inquire corresponding and SSL/TLS server address in the mapping table of TLS server address.It is then single by request encryption
First 302 terminal devices 30 are added the common network data acquiring request based on http agreement by SSL/TLS agreement
Sealing dress.Become the network data acquiring request based on https agreement.Then module (figure is established by the network of terminal device 30
In be not shown) between terminal device 30 and SSL/TLS server 40 establish the network connection based on https agreement.Again by end
The request transmitting unit 303 of end equipment 30 will encryption encapsulation after network data acquiring request via middle layer 50 be sent to
The corresponding SSL/TLS server 40 of SSL/TLS server address.It is single by decryption after SSL/TLS server 40 receives the request
Member 401 is decrypted it, and Network Data Capture unit 402 is according to the network data acquiring request after decryption from the mesh later
It marks server and obtains network data.
After the network data for receiving destination server return, 403 base of network data encryption unit of SSL/TLS server 40
Encryption encapsulation is carried out to the network data in SSL/TLS agreement.Then network data transmission unit 404 will via middle layer 50
Network data after the encryption encapsulation returns to terminal device 30.The network data of 30 pairs of terminal device encryption encapsulation solves
It is close to obtain final network data.
The Network Data Capture system of the present embodiment, by carrying out network acquisition request based on SSL/ in terminal device
The encryption of tls protocol encapsulates, and is then decrypted by SSL/TLS server, is gone later based on the network acquisition request after decryption
Destination server obtains network data and carries out the encryption based on SSL/TLS agreement to network data after getting network data
Terminal device is returned to after encapsulation, terminal device is decrypted to obtain final data to the network data after encryption encapsulation.This
Embodiment is to be carried out data transmission by way of ciphertext, and pass through SSL/TLS between terminal device and SSL/TLS server
The mode of transit server obtains network data, will prevent when the targeted website of https agreement is not supported in access
Flow kidnaps phenomenon.
Those of ordinary skill in the art may be aware that list described in conjunction with the examples disclosed in the embodiments of the present disclosure
Member and algorithm steps can be realized with the combination of electronic hardware or computer software and electronic hardware.These functions are actually
It is implemented in hardware or software, the specific application and design constraint depending on technical solution.Professional technician
Each specific application can be used different methods to achieve the described function, but this realization is it is not considered that exceed
The scope of the present invention.
It is apparent to those skilled in the art that for convenience and simplicity of description, the system of foregoing description,
The specific work process of device and unit, can refer to corresponding processes in the foregoing method embodiment, and details are not described herein.
In several embodiments provided herein, it should be understood that disclosed systems, devices and methods, it can be with
It realizes by another way.For example, the apparatus embodiments described above are merely exemplary, for example, the unit
It divides, only a kind of logical function partition, there may be another division manner in actual implementation, such as multiple units or components
It can be combined or can be integrated into another system, or some features can be ignored or not executed.Another point, it is shown or
The mutual coupling, direct-coupling or communication connection discussed can be through some interfaces, the indirect coupling of device or unit
It closes or communicates to connect, can be electrical property, mechanical or other forms.
The unit as illustrated by the separation member may or may not be physically separated, aobvious as unit
The component shown may or may not be physical unit, it can and it is in one place, or may be distributed over multiple
In network unit.It can select some or all of unit therein according to the actual needs to realize the mesh of this embodiment scheme
's.
It, can also be in addition, the functional units in various embodiments of the present invention may be integrated into one processing unit
It is that each unit physically exists alone, can also be integrated in one unit with two or more units.
It, can be with if the function is realized in the form of SFU software functional unit and when sold or used as an independent product
It is stored in a computer readable storage medium.Based on this understanding, technical solution of the present invention is substantially in other words
The part of the part that contributes to existing technology or the technical solution can be embodied in the form of software products, the meter
Calculation machine software product is stored in a storage medium, including some instructions are used so that a computer equipment (can be a
People's computer, server or network equipment etc.) or processor (processor) execute side described in each embodiment of the present invention
The all or part of the steps of method.And storage medium above-mentioned includes: USB flash disk, mobile hard disk, read-only memory (ROM, Read-Only
Memory), random access memory (RAM, Random Access Memory), magnetic or disk etc. are various can store journey
The medium of sequence code.
The above description is merely a specific embodiment, but scope of protection of the present invention is not limited thereto, any
Those familiar with the art in the technical scope disclosed by the present invention, can easily think of the change or the replacement, and should all contain
Lid is within protection scope of the present invention.Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.
Claims (13)
1. a kind of Network Data Capture method executed in terminal equipment side, comprising:
According to the destination server address in detected network data acquiring request, in the SSL/TLS service being locally stored
Corresponding SSL/TLS server address is obtained in device database, wherein be stored with mesh in the SSL/TLS server database
Mark the mapping table between server address and SSL/TLS server address;
After getting corresponding SSL/TLS server address, based on SSL/TLS agreement to the network data acquiring request into
Row encryption encapsulation;
Network data acquiring request after the encryption is encapsulated is sent to corresponding with SSL/TLS server address via middle layer
SSL/TLS server, for after the SSL/TLS server decryption processing from the destination server obtain network data;
Successively via the SSL/TLS server and the middle layer, receive returned from destination server by the SSL/TLS
Server carries out the network data after encryption and package process based on SSL/TLS agreement.
2. Network Data Capture method as described in claim 1, wherein the SSL/TLS server data being locally stored
The destination server address and SSL/TLS server address that Cooley is issued with external data dispatching platform to the terminal device
Mapping table is updated.
3. Network Data Capture method as claimed in claim 2, wherein the destination server address and SSL/TLS are serviced
The mapping table of device address kidnaps letter according to the network data acquiring request counted in advance by the external data dispatching platform
Breath determination.
4. Network Data Capture method as claimed in claim 2, wherein the external data dispatching platform uses broadcast mode
The mapping table of the destination server address Yu SSL/TLS server address is issued to the terminal device.
5. Network Data Capture method as described in claim 1, wherein SSL/TLS server address includes SSL/TLS service
The IP address of device or the domain name addresses of SSL/TLS server.
6. Network Data Capture method as claimed in claim 5, wherein when SSL/TLS server address is SSL/TLS service
When the domain name addresses of device, the SSL/TLS server carried out data transmission with terminal device is the current network according to terminal device
What state determined.
7. a kind of Network Data Capture method, comprising:
In terminal equipment side,
According to the destination server address in detected network data acquiring request, in the SSL/TLS service being locally stored
Corresponding SSL/TLS server address is obtained in device database, wherein be stored with mesh in the SSL/TLS server database
Mark the mapping table between server address and SSL/TLS server address;
After getting corresponding SSL/TLS server address, based on SSL/TLS agreement to the network data acquiring request into
Row encryption encapsulation;
Network data acquiring request after the encryption is encapsulated is sent to corresponding with SSL/TLS server address via middle layer
SSL/TLS server, for after the SSL/TLS server decryption processing from the destination server obtain network data;
Successively via the SSL/TLS server and the middle layer, receive returned from destination server by the SSL/TLS
Server carries out the network data after encryption and package process based on SSL/TLS agreement;
And
In SSL/TLS server side,
To it is received encryption encapsulation after network data acquiring request be decrypted;
Based on the network data acquiring request after the decryption, network data is obtained from corresponding destination server;
After acquired network data is based on SSL/TLS agreement progress encryption and package process, it is sent to terminal device.
8. a kind of Network Data Capture device for being set to terminal device, comprising:
SSL/TLS server address acquiring unit, for according to the destination service in detected network data acquiring request
Device address obtains corresponding SSL/TLS server address, wherein described in the SSL/TLS server database being locally stored
The mapping table being stored in SSL/TLS server database between destination server address and SSL/TLS server address;
Encryption unit is requested, for getting corresponding SSL/TLS server address in SSL/TLS server address acquiring unit
Afterwards, encryption encapsulation is carried out to the network data acquiring request based on SSL/TLS agreement;
Request transmitting unit, for sending the network data acquiring request after the encryption encapsulation to and SSL/ via middle layer
The corresponding SSL/TLS server of TLS server address, for being taken after the SSL/TLS server decryption processing from the target
Business device obtains network data;
Network data receiving unit, for successively via the SSL/TLS server and the middle layer, receiving from destination service
What device returned is carried out the network data after encryption and package process by the SSL/TLS server based on SSL/TLS agreement.
9. Network Data Capture device as claimed in claim 8, further includes,
Data updating unit, destination server address for being issued using from external data dispatching platform to the terminal device with
The mapping table of SSL/TLS server address updates the SSL/TLS server database being locally stored.
10. Network Data Capture device as claimed in claim 8, the Network Data Capture device is arranged in terminal device.
11. a kind of Network Data Capture device, comprising: be set to the SSL/TLS server address acquiring unit of terminal device, ask
It asks encryption unit, request transmitting unit, network data receiving unit and is set to the decryption unit of SSL/TLS server, network
Data capture unit, network data encryption unit and network data transmission unit,
The SSL/TLS server address acquiring unit, for according to the target in detected network data acquiring request
Server address obtains corresponding SSL/TLS server address in the SSL/TLS server database being locally stored, wherein
The corresponding pass between destination server address and SSL/TLS server address is stored in the SSL/TLS server database
It is table;
The request encryption unit, for getting corresponding SSL/TLS server in SSL/TLS server address acquiring unit
Behind address, encryption encapsulation is carried out to the network data acquiring request based on SSL/TLS agreement;
The request transmitting unit, for by it is described encryption encapsulation after network data acquiring request via middle layer be sent to
The corresponding SSL/TLS server of SSL/TLS server address, for after the SSL/TLS server decryption processing from the mesh
It marks server and obtains network data;
The network data receiving unit, for successively via the SSL/TLS server and the middle layer, receiving from target
What server returned is carried out the network data after encryption and package process by the SSL/TLS server based on SSL/TLS agreement;
The decryption unit, for via the middle layer from the terminal device it is received encryption encapsulation after network data
Acquisition request is decrypted;
The Network Data Capture unit, for being taken from corresponding target based on the network data acquiring request after the decryption
Business device obtains network data;Acquired network data is based on SSL/TLS agreement and is added by the network data encryption unit
Close encapsulation process;
The network data transmission unit is set for the network data after encryption and package process to be sent to terminal
It is standby.
12. a kind of Network Data Capture system, comprising: terminal device, middle layer and SSL/TLS server,
The terminal device, including Network Data Capture device as claimed in claim 8 or 9;
The SSL/TLS server, comprising:
Decryption unit, for via the middle layer from the terminal device it is received encryption encapsulation after Network Data Capture
Request is decrypted;
Network Data Capture unit, for based on the network data acquiring request after the decryption, from corresponding destination server
Obtain network data;
Acquired network data is based on SSL/TLS agreement and carries out encryption and package process by network data encryption unit;
Network data transmission unit, for the network data after encryption and package process to be sent to end via the middle layer
End equipment.
13. Network Data Capture system as claimed in claim 12, further includes, external data dispatching platform;
The external data dispatching platform, comprising:
Data distributing unit, destination server address and SSL/TLS server address for being issued to the terminal device
Mapping table;
Data statistics unit determines destination server address for kidnapping information according to the network data acquiring request counted in advance
With the mapping table of SSL/TLS server address.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410307404.5A CN105407068B (en) | 2014-06-30 | 2014-06-30 | Network Data Capture methods, devices and systems |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410307404.5A CN105407068B (en) | 2014-06-30 | 2014-06-30 | Network Data Capture methods, devices and systems |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN105407068A CN105407068A (en) | 2016-03-16 |
| CN105407068B true CN105407068B (en) | 2019-02-15 |
Family
ID=55472326
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201410307404.5A Active CN105407068B (en) | 2014-06-30 | 2014-06-30 | Network Data Capture methods, devices and systems |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN105407068B (en) |
Families Citing this family (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106657105B (en) * | 2016-12-29 | 2019-10-11 | 网宿科技股份有限公司 | The sending method and device of target resource |
| CN108270748A (en) * | 2016-12-30 | 2018-07-10 | 北京酷我科技有限公司 | A kind of data transmission method and system |
| CN106850663A (en) * | 2017-02-28 | 2017-06-13 | 成都瑞小博科技有限公司 | A kind of method for preventing webpage from kidnapping on the router |
| CN108282511B (en) * | 2017-09-15 | 2021-08-13 | 阿里巴巴(中国)有限公司 | Network data access method, device, system, storage medium and user terminal |
| CN110728602A (en) * | 2019-10-24 | 2020-01-24 | 广州谢大家科技有限公司 | Efficient novel education recruitment resource integration system |
| CN112738117A (en) * | 2020-12-31 | 2021-04-30 | 青岛海尔科技有限公司 | Data transmission method, device and system, storage medium and electronic device |
Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101034981A (en) * | 2006-03-07 | 2007-09-12 | 上海品伟数码科技有限公司 | Network access control system and its control method |
| CN101141244A (en) * | 2006-09-08 | 2008-03-12 | 飞塔信息科技(北京)有限公司 | Network encrypted data virus detection and elimination system, proxy server and method |
| CN101834875A (en) * | 2010-05-27 | 2010-09-15 | 华为技术有限公司 | Method, device and system for defending DDoS (Distributed Denial of Service) attacks |
| CN202679412U (en) * | 2012-07-12 | 2013-01-16 | 郑州信大信安科技有限公司 | Data transmission encrypting and decrypting system |
| CN103139185A (en) * | 2011-12-02 | 2013-06-05 | 中科信息安全共性技术国家工程研究中心有限公司 | Method of achieving safe reverse proxy service |
| CN103179128A (en) * | 2013-03-28 | 2013-06-26 | 国家电网公司 | Communication security enhancement agent system between Android platform browser and website server |
| CN103563335A (en) * | 2011-05-05 | 2014-02-05 | 阿卡麦科技公司 | Combined cdn reverse proxy and an edge forward proxy with secure connections |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US8352728B2 (en) * | 2006-08-21 | 2013-01-08 | Citrix Systems, Inc. | Systems and methods for bulk encryption and decryption of transmitted data |
-
2014
- 2014-06-30 CN CN201410307404.5A patent/CN105407068B/en active Active
Patent Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101034981A (en) * | 2006-03-07 | 2007-09-12 | 上海品伟数码科技有限公司 | Network access control system and its control method |
| CN101141244A (en) * | 2006-09-08 | 2008-03-12 | 飞塔信息科技(北京)有限公司 | Network encrypted data virus detection and elimination system, proxy server and method |
| CN101834875A (en) * | 2010-05-27 | 2010-09-15 | 华为技术有限公司 | Method, device and system for defending DDoS (Distributed Denial of Service) attacks |
| CN103563335A (en) * | 2011-05-05 | 2014-02-05 | 阿卡麦科技公司 | Combined cdn reverse proxy and an edge forward proxy with secure connections |
| CN103139185A (en) * | 2011-12-02 | 2013-06-05 | 中科信息安全共性技术国家工程研究中心有限公司 | Method of achieving safe reverse proxy service |
| CN202679412U (en) * | 2012-07-12 | 2013-01-16 | 郑州信大信安科技有限公司 | Data transmission encrypting and decrypting system |
| CN103179128A (en) * | 2013-03-28 | 2013-06-26 | 国家电网公司 | Communication security enhancement agent system between Android platform browser and website server |
Also Published As
| Publication number | Publication date |
|---|---|
| CN105407068A (en) | 2016-03-16 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN105407068B (en) | Network Data Capture methods, devices and systems | |
| CN108270882A (en) | The analysis method and device of domain name, storage medium, electronic device | |
| CN107181804B (en) | The method for down loading and device of resource | |
| CN108141745A (en) | The method and apparatus of download profile in mobile communication system | |
| CN107925575A (en) | Technology for managing network communication privacy | |
| CN103166985A (en) | Global load balancing scheduling method and data transmission method and device and system | |
| CN105228140A (en) | A kind of data access method and device | |
| US11025738B2 (en) | Systems and methods for determining a destination location for transmission of packetized data in a network system based on an application server attribute | |
| CN106131165B (en) | Anti-stealing link method and device for content distributing network | |
| JP2017142822A (en) | Management method and management server for using multiple sim cards | |
| CN103997479B (en) | A kind of asymmetric services IP Proxy Methods and equipment | |
| CN104640114A (en) | Verification method and device of access request | |
| CN111447133A (en) | Message transmission method and device, storage medium and electronic device | |
| CN105163071B (en) | Obtain the system and method for the monitor video of monitor supervision platform | |
| CN109819068A (en) | User terminal and its block chain domain name analytic method | |
| CN105827463B (en) | A kind of configuration method of client traffic, apparatus and system | |
| US10116535B1 (en) | Monitoring internet usage on home networks of panelist users using a measurement device | |
| WO2019009263A1 (en) | Apparatus and method for remotely managing devices, and program therefor | |
| US12015546B2 (en) | Routing destination evaluation apparatus, routing destination evaluating method and program | |
| CN106688243A (en) | Device-to-device content providing method | |
| CN109194706A (en) | Internet resources dial testing method and terminal | |
| CN104854930B (en) | Method, control node, gateway and the computer program that device for allowing with newly detecting is communicated | |
| US20120246235A1 (en) | Attribute information sharing providing system, access information management device, access information proxy management device, method and program therefor | |
| CN204168327U (en) | Network Data Capture system | |
| CN109962888A (en) | A kind of anti-tamper business access method, client and server |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant | ||
| TR01 | Transfer of patent right |
Effective date of registration: 20210106 Address after: 310052 room 508, 5th floor, building 4, No. 699 Wangshang Road, Changhe street, Binjiang District, Hangzhou City, Zhejiang Province Patentee after: Alibaba (China) Co.,Ltd. Address before: 12 / F, 28 Chengfu Road, Haidian District, Beijing 100083 Patentee before: UC MOBILE Ltd. |
|
| TR01 | Transfer of patent right |