CN107528837B - Encrypted video identification method and device, computer device and readable storage medium - Google Patents


Info

Publication number: CN107528837B
Authority: CN (China)
Prior art keywords: data, total, preset, encrypted, encrypted data
Legal status: Active
Application number: CN201710707511.0A
Other languages: Chinese (zh)
Other versions: CN107528837A (en)
Inventor: 朱隽
Current assignee: Sangfor Technologies Co Ltd
Original assignee: Sangfor Technologies Co Ltd
Application filed by Sangfor Technologies Co Ltd with priority to CN201710707511.0A; published as CN107528837A and, on grant, as CN107528837B.

Classifications

    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L65/75 Media network packet handling (under H04L65/60 Network streaming of media packets)
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]

Abstract

The embodiment of the invention discloses an encrypted video identification method and device, a computer device and a readable storage medium, which are used to identify encrypted videos among a plurality of services sharing servers, DNS (domain name system) and the like, so that the encrypted videos can be managed effectively. The method provided by the embodiment of the invention comprises the following steps: counting total encrypted data transmitted within a preset time length, wherein the total encrypted data comprises sub-encrypted data transmitted a preset number of times, and the sub-encrypted data comprises first uplink data and first downlink data; detecting whether the first uplink data and the first downlink data in the sub-encrypted data transmitted each time within the preset number of times both match preset characteristics; if so, detecting whether the transmission mode of second uplink data in the total encrypted data conforms to a preset rule; and if not, determining that the total encrypted data is an encrypted video.

Description

Encrypted video identification method and device, computer device and readable storage medium
Technical Field
The invention relates to the technical field of internet, in particular to an encrypted video identification method and device, a computer device and a readable storage medium.
Background
Generally, HTTPS traffic is encrypted, so in theory its plaintext content cannot be viewed. With the growing emphasis on security and privacy, more and more websites now use HTTPS.
However, what the user gains in content security brings many problems for the network administrator. For example, a user may watch video without any throttling and waste a lot of bandwidth, but since all content is encrypted, the administrator has no effective way to control the user's video access.
The biggest difficulty in identifying encrypted video at present is that it is hidden inside a large system. If a website only provides video, it can be blocked simply by blocking its DNS. However, if the video traffic is embedded in a larger system such as FaceBook, where all of FaceBook's social media, games and video share the same public FaceBook certificates and servers, a further method is needed to probe the content of the encrypted traffic in order to identify whether it carries a game, a video or other content.
In conventional technology, accessing an HTTPS website takes three steps: first a DNS name is resolved, second a key for HTTPS is negotiated, and third the actual data is transmitted. The first step can therefore be blocked at the DNS, and the second step can be blocked by the ServerName or the certificate authority. However, in a large system such as FaceBook or YouTube that integrates multiple services, all services are behind the same DNS name and certificate, so the above approaches cannot be applied.
Disclosure of Invention
The embodiment of the invention provides an encrypted video identification method and device, a computer device and a readable storage medium, which are used for realizing identification of encrypted videos in a plurality of service sharing servers, DNS (domain name system) and the like so as to realize effective management of the encrypted videos.
In view of the above, a first aspect of the present invention provides an encrypted video identification method, which may include:
counting total encrypted data transmitted within a preset time length, wherein the total encrypted data comprises sub-encrypted data transmitted for a preset number of times, and the sub-encrypted data comprises first uplink data and first downlink data;
detecting whether first uplink data and first downlink data in the sub-encrypted data transmitted each time in preset times are both matched with preset characteristics;
if yes, detecting whether the transmission mode of second uplink data in the total encrypted data conforms to a preset rule or not;
and if not, determining that the total encrypted data is the encrypted video.
Further, the total encrypted data is encrypted data based on the HTTPS protocol.
Further, detecting whether the first uplink data and the first downlink data in the sub-encrypted data transmitted each time in the preset number of times are matched with the preset features includes:
determining a first total data capacity of first uplink data and a first number of uplink data packets, a second total data capacity of first downlink data and a second number of downlink data packets in the sub-encrypted data;
and detecting whether the first total data capacity, the first quantity, the second total data capacity and the second quantity corresponding to the sub-encrypted data transmitted each time in the preset times are matched with the preset characteristics or not.
Further, detecting whether the first total data capacity, the first quantity, the second total data capacity and the second quantity corresponding to each sub-encrypted data transmitted in the preset number of times are all matched with the preset characteristics includes:
determining a first ratio of the first total data capacity to the second total data capacity and determining a second ratio of the first quantity to the second quantity;
comparing the first proportion with a first preset threshold value to obtain a first comparison result, and comparing the second proportion with a second preset threshold value to obtain a second comparison result;
calculating the first comparison result and the second comparison result according to a preset rule to obtain a target comparison result;
and detecting whether a target comparison result corresponding to the sub-encrypted data transmitted each time in the preset times is larger than a third preset threshold value, if so, determining that the first total data capacity, the first quantity, the second total data capacity and the second quantity corresponding to the sub-encrypted data transmitted each time in the preset times are matched with the preset characteristics.
Further, the method further comprises:
acquiring a first actual total data capacity and a first historical number of historical uplink data packets in historical sub-encrypted data, and a second actual total data capacity and a second historical number of historical downlink data packets in the historical sub-encrypted data;
updating a first preset threshold according to the first actual total data capacity and the second actual total data capacity, and updating a second preset threshold according to the first historical quantity and the second historical quantity;
and updating the third preset threshold according to the updated first preset threshold and the updated second preset threshold.
Further, detecting whether the transmission mode of the second uplink data in the total encrypted data conforms to a preset rule includes:
detecting whether second uplink data in the total encrypted data are transmitted according to a preset interval within a preset time length;
if not, determining that the transmission mode of the second uplink data does not accord with the preset rule.
Further, after detecting whether the transmission mode of the second uplink data in the total encrypted data conforms to the preset rule, the method further includes:
and carrying out corresponding processing on the total encrypted data according to the detection result.
Further, the processing mode corresponding to the total encrypted data includes at least one of blocking HTTPS connection corresponding to the total encrypted data, managing and controlling the total encrypted data, and generating a flow report according to the total encrypted data.
A second aspect of the present invention provides an encrypted video identification apparatus, which may include:
the statistical unit is used for counting total encrypted data transmitted within a preset time length, wherein the total encrypted data comprises sub-encrypted data transmitted a preset number of times, and the sub-encrypted data comprises first uplink data and first downlink data;
the first detection unit is used for detecting whether first uplink data and first downlink data in the sub-encrypted data transmitted each time in preset times are matched with preset characteristics or not;
the second detection unit is used for detecting whether the transmission mode of the second uplink data in the total encrypted data conforms to a preset rule or not when the first uplink data and the first downlink data are matched with the preset characteristics;
and the determining unit is used for determining the total encrypted data as the encrypted video when the transmission mode of the second uplink data does not accord with the preset rule.
Further, the total encrypted data is encrypted data based on the HTTPS protocol.
Further, the first detecting unit is specifically configured to:
determining a first total data capacity of first uplink data and a first number of uplink data packets, a second total data capacity of first downlink data and a second number of downlink data packets in the sub-encrypted data;
and detecting whether the first total data capacity, the first quantity, the second total data capacity and the second quantity corresponding to the sub-encrypted data transmitted each time in the preset times are matched with the preset characteristics or not.
Further, the first detecting unit is specifically configured to:
determining a first ratio of the first total data capacity to the second total data capacity and determining a second ratio of the first quantity to the second quantity;
comparing the first proportion with a first preset threshold value to obtain a first comparison result, and comparing the second proportion with a second preset threshold value to obtain a second comparison result;
calculating the first comparison result and the second comparison result according to a preset rule to obtain a target comparison result;
and detecting whether a target comparison result corresponding to the sub-encrypted data transmitted each time in the preset times is larger than a third preset threshold value, if so, determining that the first total data capacity, the first quantity, the second total data capacity and the second quantity corresponding to the sub-encrypted data transmitted each time in the preset times are matched with the preset characteristics.
Further, the apparatus further comprises:
the acquiring unit is used for acquiring a first actual total data capacity and a first historical number of historical uplink data packets in the historical sub-encrypted data, and a second actual total data capacity and a second historical number of historical downlink data packets in the historical sub-encrypted data;
the first updating unit is used for updating the first preset threshold according to the first actual total data capacity and the second actual total data capacity and updating the second preset threshold according to the first historical quantity and the second historical quantity;
and the second updating unit is used for updating the third preset threshold according to the updated first preset threshold and the updated second preset threshold.
Further, the second detection unit is specifically configured to:
detecting whether second uplink data in the total encrypted data are transmitted according to a preset interval within a preset time length;
if not, determining that the transmission mode of the second uplink data does not accord with the preset rule.
Further, the apparatus further comprises:
and the processing unit is used for carrying out corresponding processing on the total encrypted data according to the detection result.
Further, the processing mode corresponding to the total encrypted data includes at least one of blocking HTTPS connection corresponding to the total encrypted data, managing and controlling the total encrypted data, and generating a flow report according to the total encrypted data.
A third aspect of the invention provides a computer device comprising a processor which, when executing a computer program stored in a memory, carries out the steps of:
counting total encrypted data transmitted within a preset time length, wherein the total encrypted data comprises sub-encrypted data transmitted for a preset number of times, and the sub-encrypted data comprises first uplink data and first downlink data;
detecting whether first uplink data and first downlink data in the sub-encrypted data transmitted each time in preset times are both matched with preset characteristics;
if yes, detecting whether the transmission mode of second uplink data in the total encrypted data conforms to a preset rule or not;
and if not, determining that the total encrypted data is the encrypted video.
A fourth aspect of the present invention provides a computer readable storage medium having stored thereon a computer program which, when executed by a processor, causes the processor to perform the steps of:
counting total encrypted data transmitted within a preset time length, wherein the total encrypted data comprises sub-encrypted data transmitted for a preset number of times, and the sub-encrypted data comprises first uplink data and first downlink data;
detecting whether first uplink data and first downlink data in the sub-encrypted data transmitted each time in preset times are both matched with preset characteristics;
if yes, detecting whether the transmission mode of second uplink data in the total encrypted data conforms to a preset rule or not;
and if not, determining that the total encrypted data is the encrypted video.
According to the technical scheme, the embodiment of the invention has the following advantages:
the invention provides an encrypted video identification method. By counting the total encrypted data within a preset time length, the sub-encrypted data transmitted a preset number of times within the total encrypted data can be detected, that is, whether the first uplink data and the first downlink data in each transmitted sub-encrypted data match the preset characteristics. When they match for every transmission within the preset number of times, the total encrypted data can be considered to be either an encrypted video or a download, since the two have similar transmission characteristics. To distinguish them further, the method relies on a transmission characteristic in which a download differs from an encrypted video: it detects whether the transmission mode of the second uplink data in the total encrypted data conforms to the preset rule, and when it does not, the total encrypted data is determined to be not a download but an encrypted video. Therefore, even if a plurality of services share a server, a DNS and the like, the encrypted data can be effectively identified while it is being transmitted.
Drawings
FIG. 1 is a diagram of an embodiment of an encrypted video identification method according to an embodiment of the present invention;
FIG. 2 is a diagram of another embodiment of an encrypted video identification method according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of an embodiment of an encrypted video identification apparatus according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of another embodiment of an encrypted video identification device according to an embodiment of the present invention.
Detailed Description
The embodiment of the invention provides an encrypted video identification method and device, a computer device and a readable storage medium, which are used for realizing identification of encrypted videos in a plurality of service sharing servers, DNS (domain name system) and the like so as to realize effective management of the encrypted videos.
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention are clearly and completely described below, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terms "first," "second," "third," "fourth," and the like in the description and in the claims, as well as in the drawings, if any, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It will be appreciated that the data so used may be interchanged under appropriate circumstances such that the embodiments described herein may be practiced otherwise than as specifically illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
For convenience of understanding, a detailed flow in the embodiment of the present invention is described below, and referring to fig. 1, an embodiment of the method for identifying encrypted video in the embodiment of the present invention includes:
101. counting total encrypted data transmitted within a preset time length;
Generally, for security and privacy, a website accessed by a user uses an encryption protocol such as HTTPS. HTTPS is a network protocol built from SSL and HTTP that provides encrypted transmission and identity authentication, so data carried over HTTPS is transmitted in encrypted form. In practice, when a client exchanges data with a website over HTTPS, an administrator cannot obtain the plaintext of that exchange, and several services may share a server, a DNS and the like. This makes it difficult to supervise the client's activity and hinders differentiated management of the encrypted data of different services, especially encrypted video.
In this embodiment, in order to identify the encrypted video, for example, a packet capture tool may be used to obtain the encrypted data transmitted by the website using the encryption protocol, that is, the total encrypted data transmitted within the preset time period may be counted. The total encrypted data comprises sub encrypted data transmitted for preset times, and the sub encrypted data comprises first uplink data and first downlink data.
Specifically, taking the total encrypted data as HTTPS-based encrypted data as an example: during the data exchange between the client and the HTTPS website, the sub-encrypted data transmitted a preset number of times is counted. The transmission time length of each sub-encrypted data transmission is the same, and the total transmission time length of the preset number of transmissions is the preset time length. For instance, if sub-encrypted data is transmitted once every 10ms and the preset time length is 80ms, the sub-encrypted data transmitted 8 times within 80ms is counted. It should be noted that in practical application the preset time length and the preset number of times may take other values, set according to actual needs; this embodiment is only an example.
102. Detecting whether first uplink data and first downlink data in each time of transmitted sub-encrypted data in preset times are both matched with preset features, if so, executing step 103, and if not, executing step 105;
in this embodiment, after the total encrypted data transmitted within the preset time period is counted, it may be detected whether the first uplink data and the first downlink data in the sub-encrypted data transmitted each time are both matched with the preset feature when the total encrypted data is transmitted for the preset number of times.
Specifically, video traffic has strong statistical characteristics. Generally, when a client exchanges video data with a website, the downlink data increases greatly while the uplink data shrinks to a very low level, so that almost only basic TCP ACKs remain. Based on this, preset characteristics can be defined to make a preliminary judgement of whether the first uplink data and the first downlink data in the sub-encrypted data match them. In practice, however, a download also carries far more downlink than uplink data, so these characteristics apply not only to video data but also to downloads, and a single transmission of sub-encrypted data cannot effectively distinguish video data from a download.
For example, following the description of step 101, assuming that sub-encrypted data transmitted 8 times in 80ms is counted, it may be detected whether the first uplink data and the first downlink data of the sub-encrypted data acquired every 10ms in 80ms match the preset feature.
After counting the sub-encrypted data transmitted the preset number of times within the preset time length, the detection can be performed in either of two ways:
1. In order of acquisition time, each time a transmitted sub-encrypted data is acquired, detect whether its first uplink data and first downlink data match the preset characteristics, until all the sub-encrypted data transmitted the preset number of times within the preset time length have been detected;
2. After counting all the sub-encrypted data transmitted the preset number of times within the preset time length, detect each sub-encrypted data in turn, or detect all of them simultaneously.
Preferably, in order to identify encrypted video effectively while the client and the website are still exchanging data, the sub-encrypted data is detected in the first manner. Following the example above, if the first uplink data and first downlink data of the sub-encrypted data transmitted in 1ms to 10ms do not match the preset characteristics, the 8 transmissions of sub-encrypted data in 11ms to 90ms are detected next.
103. Detecting whether the transmission mode of second uplink data in the total encrypted data meets a preset rule, if not, executing step 104, and if so, executing step 105;
in this embodiment, if the first uplink data and the first downlink data of the sub-encrypted data transmitted each time in the preset number of times are both matched with the preset feature, it may be detected whether the transmission mode of the second uplink data in the total encrypted data conforms to the preset rule.
Specifically, for video data, although the downlink data is far larger than the uplink data, the uplink data is transmitted irregularly, whereas during a download the uplink data is interleaved with the downlink data at regular intervals. Based on this difference, a preset rule can be defined for detecting the transmission mode of the second uplink data in the total encrypted data. In this embodiment the second uplink data includes the first uplink data: it is all the uplink data transmitted within the preset time length, and the transmission mode formed by these uplink transmissions is analysed as a whole over the preset time length to see whether it conforms to the preset rule, while the first uplink data refers to the uplink data transmitted, possibly several times, within each transmitted sub-encrypted data.
It can be understood that in this embodiment it is the transmission mode of the second uplink data in the total encrypted data that is detected, not the transmission mode of the first uplink data in an individual sub-encrypted data, and it is not judged from a single sub-encrypted data whether the traffic is an encrypted video. Compared with judging from the sub-encrypted data transmitted in a short time, this is beneficial both for promptly excluding non-video data and downloads during the exchange between the client and the website, which improves identification efficiency, and for analysing the regularity of the uplink transmissions, which improves the identification accuracy for the total encrypted data within the preset time length.
104. Determining the total encrypted data as an encrypted video;
In this embodiment, if the transmission mode of the second uplink data in the total encrypted data is detected not to conform to the preset rule, the second uplink data exhibits the irregular uplink transmission characteristic of video data, so the total encrypted data can be determined to be an encrypted video and distinguished from a download.
Further, following step 101, if the total encrypted data counted within one 80ms period is an encrypted video, the total encrypted data counted within the next 80ms may be detected in the same way to determine whether it is also an encrypted video, achieving real-time supervision of the data exchange between the client and the website.
105. And ending the flow.
In this embodiment, if the first uplink data and the first downlink data of the sub-encrypted data transmitted each time in the preset number of times do not all match the preset feature, this indicates that the total encrypted data may not be the encrypted video, and no further operation is performed, that is, the process ends. It can be understood that, in practical application, when the first uplink data and the first downlink data of the sub-encrypted data transmitted one or more times within a preset time period do not match the preset feature, corresponding detection may be performed on the sub-encrypted data transmitted the preset number of times in the next preset time period. In this case the offset between the start points of two adjacent preset time periods is the transmission time of one transmission of sub-encrypted data, for example 10ms; that is, if the preset time period is 1ms to 80ms, the next preset time period is 11ms to 90ms, so that the interactive data between the client and the website can be identified accurately.
In this embodiment, if it is detected that the transmission mode of the second uplink data in the total encrypted data conforms to the preset rule, this indicates that the total encrypted data may be a download, and the process may end without further operations. It can be understood that, in practical applications, when the transmission mode of the second uplink data in the total encrypted data conforms to the preset rule, the total encrypted data in the next preset time duration may be detected in the same way. In this case the offset between the start points of two adjacent preset time durations is the transmission time of the total encrypted data once, for example 80ms; that is, if the preset time duration is 1ms to 80ms, the next preset time duration is 81ms to 160ms, so that the total encrypted data in the next preset time duration can be identified.
In this embodiment, by counting the total encrypted data within the preset duration, the sub-encrypted data transmitted the preset number of times within the total encrypted data may be detected, that is, it is detected whether the first uplink data and the first downlink data in each transmission of sub-encrypted data match the preset feature. When the first uplink data and the first downlink data in every one of the preset number of transmissions match the preset feature, the total encrypted data may be considered to be either an encrypted video or a download, because the transmission characteristics of encrypted video resemble those of a download. To distinguish the two further, and based on the transmission characteristic of a download that differs from encrypted video, it may be detected whether the transmission mode of the second uplink data in the total encrypted data conforms to the preset rule; when it does not, the total encrypted data may be determined not to be a download but an encrypted video. Therefore, even if multiple services share a server, a DNS and the like, the encrypted data can be effectively identified during its transmission without resolving or blocking DNS, which helps ensure the normal operation of other interactive data between the client and the website.
It is understood that in a website adopting the HTTPS protocol, video data which interacts with a client has corresponding characteristics, and the identification of encrypted video is specifically described below based on the corresponding characteristics:
referring to fig. 2, another embodiment of the method for identifying encrypted video according to the embodiment of the present invention includes:
201. counting total encrypted data transmitted within a preset time length;
step 201 in this embodiment is the same as step 202 in the embodiment shown in fig. 1, and is not described here again.
202. Determining a first total data capacity of first uplink data and a first number of uplink data packets, a second total data capacity of first downlink data and a second number of downlink data packets in the sub-encrypted data;
In this embodiment, after counting the total encrypted data within the preset time duration, the first total data capacity and the first number of uplink data packets of the first uplink data, and the second total data capacity and the second number of downlink data packets of the first downlink data, may be determined for each of the preset number of transmissions of sub-encrypted data within the total encrypted data.
Specifically, in the data interaction process between the client and the website, the uplink data and the downlink data are transmitted in the form of data packets; each transmission may carry a different number of data packets, and the capacities of the corresponding data packets may also differ. In practical applications, video data and downloads are generally large compared with other current site resources. Therefore, where the downlink data is far larger than the uplink interactive data, small interactive data must be excluded to prevent false detection. In this embodiment, the total data capacity and the number of data packets corresponding to the first uplink data and the first downlink data in the sub-encrypted data are determined; these two dimensions allow smaller interactive data to be excluded, and also allow video data and downloads to be distinguished from other interactive data.
Taking the total encrypted data within 80ms as an example for explanation, in the 80ms, if the time length of each transmission of the sub-encrypted data is 10ms, there are 8 times of transmission of the sub-encrypted data. For each transmitted sub-encrypted data, a first number, e.g., a, of uplink data packets of the first uplink data may be determined, and a total capacity, e.g., B, of all uplink data packets, i.e., a first total data capacity of the first uplink data may be determined according to the first number of uplink data packets and the size of each uplink data packet.
203. Detecting whether a first total data capacity, a first quantity, a second total data capacity and a second quantity corresponding to each time of sub-encrypted data transmitted in preset times are matched with preset characteristics, if so, executing a step 204, and if not, executing a step 206;
in this embodiment, after determining the first total data capacity and the first number of uplink data packets of the first uplink data, the second total data capacity and the second number of downlink data packets in the sub-encrypted data, it may be detected whether the first total data capacity, the first number, the second total data capacity and the second number corresponding to the sub-encrypted data transmitted each time in the preset number of times are all matched with the preset feature.
In this embodiment, a specific manner of detecting whether the first total data capacity, the first amount, the second total data capacity, and the second amount corresponding to the sub-encrypted data transmitted each time in the preset number of times are all matched with the preset feature may be:
determining a first ratio of the first total data capacity to the second total data capacity and determining a second ratio of the first quantity to the second quantity;
comparing the first proportion with a first preset threshold value to obtain a first comparison result, and comparing the second proportion with a second preset threshold value to obtain a second comparison result;
calculating the first comparison result and the second comparison result according to a preset rule to obtain a target comparison result;
and detecting whether a target comparison result corresponding to the sub-encrypted data transmitted each time in the preset times is larger than a third preset threshold value, if so, determining that the first total data capacity, the first quantity, the second total data capacity and the second quantity corresponding to the sub-encrypted data transmitted each time in the preset times are matched with the preset characteristics.
For example, following the description of step 202, take one of the 8 transmissions of sub-encrypted data. Assume that in this sub-encrypted data the first number is A, the first total data capacity is B, the second total data capacity is C, and the second number is D. B is compared with C and A with D, and each result is then compared with its corresponding preset threshold. If the ratio of B to C is 1:90, the ratio of A to D is 1:5, the first preset threshold is 1:80 and the second preset threshold is 1:3, then 1:90 is less than 1:80 (the downlink capacity exceeds the reference proportion); if each unit by which the second total data capacity of the first downlink data differs from the reference total data capacity counts as 5, the first comparison result between 1:90 and 1:80 is 50. Likewise, 1:5 is less than 1:3; if each unit by which the second number of downlink packets of the first downlink data differs from the reference number counts as 1, the second comparison result between 1:5 and 1:3 is 2. Illustratively, the target comparison result may be determined from the weight of the first comparison result (e.g. 80%) and the weight of the second comparison result (e.g. 20%), giving a target comparison result of e.g. 40.4, which is then compared with a third preset threshold (e.g. 25). When the first total data capacity is compared with the second total data capacity, the first preset threshold requires the second total data capacity not only to be far larger than the first total data capacity but also to exceed it by a certain proportion; the comparison thus establishes that the downlink data is far larger than the uplink interactive data, whose total data capacity is small.
Therefore, when the target comparison result is greater than the third preset threshold, it can be determined that the first downlink data in the sub-encrypted data is far greater than the first uplink data and that the total data capacity of the sub-encrypted data meets the size characteristic of video data, so the sub-encrypted data may be an encrypted video; otherwise, the sub-encrypted data may not be an encrypted video.
It should be noted that, for different site resources, the total data capacity of the video data and the number of the data packets may be different, and therefore the first preset threshold, the second preset threshold, and the third preset threshold may be actually set for the corresponding site resources, which is only an example in the embodiment.
It can be understood that the above content describes only one specific manner of detecting whether the first uplink data and the first downlink data in each of the preset number of transmissions of sub-encrypted data match the preset feature. In practical applications, in addition to detection along the two dimensions of total data capacity and number of data packets, other dimensions may be used for comprehensive detection; likewise, when detecting along the total data capacity and the number of data packets, a manner other than the one above may be used, as long as video data, downloads and other encrypted data can be distinguished, and no specific limitation is imposed here.
204. Detecting whether second uplink data in the total encrypted data is transmitted according to a preset interval within a preset time length, if not, executing a step 205, and if so, executing a step 206;
in this embodiment, if it is detected that the first total data capacity, the first amount, the second total data capacity, and the second amount corresponding to the sub-encrypted data transmitted each time in the preset number of times are all matched with the preset feature, it may be detected whether the second uplink data in the total encrypted data is transmitted at the preset interval within the preset time length.
Specifically, compared with the uplink data in video data, the uplink data of a download has a regularity, which is expressed as follows: when the client downloads from the website, one section of uplink data is transmitted after each section of downlink data, the transmission time of each section of downlink data falls within a certain range, and the data capacity of each section of uplink data also falls within a certain range. Therefore, in the total encrypted data counted within the preset time length, each section of uplink data may be classified as second uplink data and each section of downlink data as second downlink data; it is then detected whether exactly one section of second uplink data lies between two adjacent sections of second downlink data and, at the same time, whether the spacing between transmissions of second downlink data does not exceed the preset interval, so as to determine whether the second uplink data in the total encrypted data is transmitted according to the preset interval within the preset time length.
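The following is an added example, not code from the patent or its assignee, that implements the per-window identification of steps 202 to 205 on constructed traffic. The scoring constants (5 per unit of capacity-ratio excess, 1 per unit of packet-count excess, 80%/20% weights, thresholds 1:80, 1:3 and 25) are those of the patent's worked example; the names SubWindow, Segment, Thresholds, the uplink-regularity parameters (max_gap_ms, up_size_range), the per-direction segment model and all sample values are assumptions made for this example.

```python
# Added example (not the patent's own code): per-window identification of
# steps 202 to 205. Scoring constants follow the patent's worked example;
# regularity parameters and sample traffic are constructed for illustration.
from dataclasses import dataclass
from typing import List


@dataclass
class SubWindow:
    """Counters for one transmission (e.g. 10 ms) of sub-encrypted data."""
    up_packets: int     # A: first number (uplink packets)
    up_bytes: int       # B: first total data capacity (uplink)
    down_bytes: int     # C: second total data capacity (downlink)
    down_packets: int   # D: second number (downlink packets)


@dataclass
class Thresholds:
    """Reference ratios are stored as the N of 1:N, as in the patent's example."""
    first: float = 80.0     # first preset threshold, 1:80 (up bytes : down bytes)
    second: float = 3.0     # second preset threshold, 1:3 (up packets : down packets)
    third: float = 25.0     # third preset threshold on the target comparison result
    cap_unit: float = 5.0   # score per unit the capacity ratio exceeds the reference
    cnt_unit: float = 1.0   # score per unit the packet-count ratio exceeds the reference
    w_first: float = 0.8
    w_second: float = 0.2


def target_comparison_result(sw: SubWindow, th: Thresholds) -> float:
    """Step 203: first ratio, second ratio, the two comparison results and
    their weighted combination into the target comparison result."""
    if sw.up_bytes == 0 or sw.up_packets == 0:
        return 0.0  # no uplink at all: neither the video nor the download pattern
    first_ratio = sw.down_bytes / sw.up_bytes        # 1:first_ratio
    second_ratio = sw.down_packets / sw.up_packets   # 1:second_ratio
    # 1:90 is "less than" 1:80: the downlink exceeds the reference proportion,
    # and only that excess is scored (a ratio below the reference scores 0).
    first_cmp = max(0.0, first_ratio - th.first) * th.cap_unit
    second_cmp = max(0.0, second_ratio - th.second) * th.cnt_unit
    return th.w_first * first_cmp + th.w_second * second_cmp


def sub_windows_match(windows: List[SubWindow], th: Thresholds) -> bool:
    """Step 203: every one of the preset number of transmissions must match."""
    return bool(windows) and all(
        target_comparison_result(w, th) > th.third for w in windows)


@dataclass
class Segment:
    """A run of consecutive packets in one direction within the preset duration."""
    t_ms: float
    direction: str   # "up" or "down"
    size: int


def uplink_is_regular(segments: List[Segment], max_gap_ms: float = 20.0,
                      up_size_range=(40, 200)) -> bool:
    """Step 204: True when the uplink shows download regularity: exactly one
    uplink segment between adjacent downlink segments, adjacent downlink
    segments no more than max_gap_ms apart, uplink sizes inside up_size_range."""
    downs = [i for i, s in enumerate(segments) if s.direction == "down"]
    if len(downs) < 2:
        return False
    for a, b in zip(downs, downs[1:]):
        between = segments[a + 1:b]
        if len(between) != 1 or between[0].direction != "up":
            return False
        if segments[b].t_ms - segments[a].t_ms > max_gap_ms:
            return False
        if not up_size_range[0] <= between[0].size <= up_size_range[1]:
            return False
    return True


def classify_window(windows: List[SubWindow], segments: List[Segment],
                    th: Thresholds) -> str:
    """Steps 203 to 206 for one preset duration (e.g. 80 ms)."""
    if not sub_windows_match(windows, th):
        return "other"            # step 206: small interactive data
    if uplink_is_regular(segments):
        return "download"         # step 206: regular uplink means a download
    return "encrypted_video"      # step 205


# Constructed samples: 8 transmissions of 10 ms with A=10, B=1500, C=135000,
# D=50, i.e. the 1:90 and 1:5 ratios of the patent's example.
VIDEO_WINDOWS = [SubWindow(10, 1500, 135000, 50) for _ in range(8)]
# A small interactive exchange: downlink only 4x the uplink bytes, 2x the packets.
CHAT_WINDOWS = [SubWindow(5, 800, 3200, 10) for _ in range(8)]
# Irregular uplink: several downlink segments in a row with no uplink between.
VIDEO_SEGMENTS = [Segment(0, "down", 1400), Segment(8, "down", 1400),
                  Segment(16, "down", 1400), Segment(20, "up", 100),
                  Segment(31, "down", 1400), Segment(40, "down", 1400),
                  Segment(55, "down", 1400), Segment(70, "down", 1400),
                  Segment(75, "up", 100)]
# Regular uplink: down, up, down, up ... with downlink segments 20 ms apart.
DOWNLOAD_SEGMENTS = [Segment(10 * i, "down" if i % 2 == 0 else "up",
                             1400 if i % 2 == 0 else 100) for i in range(8)]

if __name__ == "__main__":
    th = Thresholds()
    print(target_comparison_result(VIDEO_WINDOWS[0], th))         # 40.4
    print(classify_window(VIDEO_WINDOWS, VIDEO_SEGMENTS, th))     # encrypted_video
    print(classify_window(VIDEO_WINDOWS, DOWNLOAD_SEGMENTS, th))  # download
    print(classify_window(CHAT_WINDOWS, VIDEO_SEGMENTS, th))      # other
```

With the worked-example ratios, target_comparison_result reproduces the 40.4 of the description (0.8 x 50 + 0.2 x 2), so every sub-window passes the third threshold; the same 80 ms window is then labelled a download or an encrypted video solely by the regularity of its uplink segments, which is the distinction step 204 relies on. Because the classifier sees only sizes, counts and timing, a flow that merely resembles these shapes will be classified the same way, which is why the patent treats the thresholds as per-site tunables.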
205. Determining the total encrypted data as an encrypted video;
In this embodiment, if it is detected that the second uplink data in the total encrypted data is not transmitted at the preset interval within the preset time duration, it may be determined that the total encrypted data is an encrypted video.
The same content in this embodiment may refer to the content described in step 104 in the embodiment shown in fig. 1, and is not described here again.
Further, in this embodiment, when detecting whether the first total data capacity, the first amount, the second total data capacity, and the second amount corresponding to the sub-encrypted data transmitted each time in the preset number of times all match the preset feature, the detection reference values, such as the first preset threshold, the second preset threshold, and the third preset threshold, may be self-learned and dynamically updated so as to improve identification accuracy, specifically in the following manner:
acquiring a first actual total data capacity and a first historical number of historical uplink data packets in historical sub-encrypted data, and a second actual total data capacity and a second historical number of historical downlink data packets in the historical sub-encrypted data;
updating a first preset threshold according to the first actual total data capacity and the second actual total data capacity, and updating a second preset threshold according to the first historical quantity and the second historical quantity;
and updating the third preset threshold according to the updated first preset threshold and the updated second preset threshold.
Specifically, in this embodiment, the historical total encrypted data is encrypted data within a preset time period counted before the current total encrypted data, and the historical total encrypted data may also include historical sub-encrypted data transmitted at preset times, where the historical sub-encrypted data includes historical uplink data and historical downlink data. After determining that the historical total encrypted data is the encrypted video, recording related information in the historical total encrypted data, namely a first actual total data capacity and a first historical number of historical uplink data packets in the historical sub-encrypted data, and a second actual total data capacity and a second historical number of historical downlink data packets in the historical sub-encrypted data.
In practical application, the first actual total data capacity and the first historical number of historical uplink data packets, and the second actual total data capacity and the second historical number of historical downlink data packets, may be obtained for the preset number of historical sub-encrypted data. After the proportion of the first actual total data capacity to the second actual total data capacity is calculated in a weighted manner, the first preset threshold is updated within a safety threshold range. For example, if the original first preset threshold is 1:80 but the calculated ratio of the first actual total data capacity to the second actual total data capacity is 1:95, which is greater than 1:80, then in order to improve recognition accuracy and prevent false detection, 1:80 may be updated to 1:90 within the safety threshold range, so that the subsequent judgment of sub-encrypted data refers to the criterion 1:90. Similarly, the second preset threshold may be updated according to the first historical number and the second historical number, and since the target comparison result compared with the third preset threshold is obtained from the first preset threshold and the second preset threshold, the third preset threshold may be updated correspondingly according to the updated first preset threshold and the updated second preset threshold.
It can be understood that, in addition to the contents described above, in practical applications, the method for dynamically updating the first preset threshold, the second preset threshold, and the third preset threshold in this embodiment may also adopt other manners as long as the first preset threshold, the second preset threshold, and the third preset threshold can be dynamically updated, and the specific details are not limited herein.
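The following is an added example, not code from the patent or its assignee, of the threshold self-learning described in steps 219 to 224: it takes historical sub-encrypted data already identified as encrypted video, computes the weighted capacity and packet-count ratios, moves the first and second preset thresholds toward them within a bounded step, and derives the third preset threshold from the updated pair. The 1:80 and 1:95 values are the description's own; the recency weighting, the per-update safety steps (MAX_STEP_FIRST, MAX_STEP_SECOND), the scaling rule for the third threshold, the class names and the sample history are assumptions made for this example.

```python
# Added example (not the patent's own code): dynamic update of the first, second
# and third preset thresholds from historical sub-encrypted data that was already
# identified as encrypted video. The weighting, the bounded safety step and the
# rule for the third threshold are assumptions made for illustration.
from dataclasses import dataclass
from typing import List


@dataclass
class HistoricalSubWindow:
    up_bytes: int       # first actual total data capacity
    up_packets: int     # first historical number of uplink packets
    down_bytes: int     # second actual total data capacity
    down_packets: int   # second historical number of downlink packets


@dataclass
class Thresholds:
    first: float = 80.0   # 1:80 reference, up bytes : down bytes
    second: float = 3.0   # 1:3 reference, up packets : down packets
    third: float = 25.0   # bound on the target comparison result


W_FIRST, W_SECOND = 0.8, 0.2                  # weights from the patent's example
MAX_STEP_FIRST, MAX_STEP_SECOND = 10.0, 2.0   # assumed safety range per update


def weighted_ratio(history: List[HistoricalSubWindow], num: str, den: str) -> float:
    """Recency-weighted mean of per-window ratios num/den (weights 1, 2, ..., n),
    so the newest confirmed windows influence the reference most."""
    acc, total_w = 0.0, 0.0
    for i, h in enumerate(history, start=1):
        d = getattr(h, den)
        if d == 0:
            continue   # a window without uplink carries no ratio
        acc += i * getattr(h, num) / d
        total_w += i
    return acc / total_w if total_w else 0.0


def bounded_update(current: float, observed: float, max_step: float) -> float:
    """Move the reference toward the observed ratio by at most max_step, so one
    atypical batch of history cannot swing the threshold arbitrarily far."""
    delta = max(-max_step, min(max_step, observed - current))
    return current + delta


def update_thresholds(history: List[HistoricalSubWindow],
                      th: Thresholds) -> Thresholds:
    """Steps 219 to 222: update the first and second thresholds from history,
    then the third from the updated pair."""
    cap_ratio = weighted_ratio(history, "down_bytes", "up_bytes")
    cnt_ratio = weighted_ratio(history, "down_packets", "up_packets")
    new_first = bounded_update(th.first, cap_ratio, MAX_STEP_FIRST)
    new_second = bounded_update(th.second, cnt_ratio, MAX_STEP_SECOND)
    # Assumed rule: the third threshold was derived from the first two, so scale
    # it by the weighted relative change of those references.
    scale = W_FIRST * new_first / th.first + W_SECOND * new_second / th.second
    return Thresholds(new_first, new_second, th.third * scale)


# Constructed history: eight confirmed-video windows in which the downlink carried
# 95x the uplink bytes (the 1:95 of the description) and 6x the uplink packets.
HISTORY = [HistoricalSubWindow(1000, 10, 95000, 60) for _ in range(8)]

if __name__ == "__main__":
    print(update_thresholds(HISTORY, Thresholds()))   # first 90.0, second 5.0
```

With this history the observed 1:95 would overshoot the reference, so the bounded step yields 1:90 exactly as in the description, and the second threshold moves from 1:3 to 1:5 for the same reason. The bound is the safety property worth keeping whatever update rule is chosen: without it, a single burst of misclassified history would drag the thresholds toward whatever traffic produced it.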
206. And ending the flow.
In this embodiment, if it is detected that the first total data capacity, the first amount, the second total data capacity, and the second amount of the sub-encrypted data transmitted each time in the preset number of times do not all match the preset feature, this indicates that the total encrypted data may not be the encrypted video, and no further operation is performed, that is, the process ends. It can be understood that, in practical applications, when these values for the sub-encrypted data transmitted each time in the preset number of times do not all match the preset feature, the sub-encrypted data transmitted the preset number of times within the next preset time period may be detected in the same way. In this case the offset between the start points of two adjacent preset time periods is the transmission time of one transmission of sub-encrypted data, for example 10ms; that is, if the preset time period is 1ms to 80ms, the next preset time period is 11ms to 90ms, so that the interactive data between the client and the website can be identified accurately.
In this embodiment, if it is detected that the second uplink data in the total encrypted data is transmitted at the preset interval within the preset time duration, this indicates that the second uplink data in the total encrypted data has transmission regularity and the total encrypted data may be a download, so no further operation is performed and the process ends. It can be understood that, in practical applications, when the second uplink data in the total encrypted data is transmitted at the preset interval within the preset time duration, the total encrypted data within the next preset time duration may be detected in the same way. In this case the offset between the start points of two adjacent preset time durations is the transmission time of the total encrypted data once, for example 80ms; that is, if the preset time duration is 1ms to 80ms, the next preset time duration is 81ms to 160ms, so that the total encrypted data within the next preset time duration can be identified.
Further, in this embodiment, after step 204 it can be determined whether the total encrypted data is an encrypted video; whether it is an encrypted video or a download, the total encrypted data may be processed according to the detection result, that is, different kinds of total encrypted data may be managed differently. The processing mode corresponding to the total encrypted data may include, but is not limited to, at least one of: blocking the HTTPS connection corresponding to the total encrypted data, managing and controlling the total encrypted data, and generating a traffic report from the total encrypted data.
Specifically, taking the case where the total encrypted data is an encrypted video as an example: to prevent a user of the client from watching video without any control and consuming a large amount of bandwidth, the HTTPS connection corresponding to the total encrypted data may be blocked when the data capacity of the total encrypted data is too large, that is, the connection between the client and the website is cut off and the user of the client is prevented from watching the video on the website. Alternatively, the total encrypted data may be managed and controlled; for example, while the total encrypted data is transmitted from the website to the client, the corresponding data packets may be marked with a priority so as to limit the encrypted video. Alternatively, a corresponding traffic report may be generated from the total encrypted data, recording information such as the identification time and data capacity of the total encrypted data; this recorded information may be analyzed to form a trend prediction for the client's use of interactive data at the website. For example, the time periods in which the user watches video may be predicted from the identification times and data capacities, so that identification is performed only in those time periods, allowing more effective targeted management of the total encrypted data transmitted by the website to the client.
With reference to fig. 3, the encrypted video identification method in the embodiment of the present invention is described above, and an encrypted video identification apparatus in the embodiment of the present invention is described below, where an embodiment of the encrypted video identification apparatus in the embodiment of the present invention includes:
a counting unit 301, configured to count total encrypted data transmitted within a preset time duration, where the total encrypted data includes sub-encrypted data transmitted at preset times, and the sub-encrypted data includes first uplink data and first downlink data;
a first detecting unit 302, configured to detect whether first uplink data and first downlink data in the sub-encrypted data transmitted each time in the preset number of times are both matched with a preset feature;
a second detecting unit 303, configured to detect whether a transmission manner of second uplink data in the total encrypted data meets a preset rule when both the first uplink data and the first downlink data match the preset feature;
a determining unit 304, configured to determine that the total encrypted data is an encrypted video when the transmission manner of the second uplink data does not meet a preset rule.
Referring to fig. 4, another embodiment of the apparatus for identifying encrypted video according to the present invention includes:
unit 401 in this embodiment is the same as unit 301 in the embodiment shown in fig. 3, unit 402 is the same as unit 302 in the embodiment shown in fig. 3, unit 403 is the same as unit 303 in the embodiment shown in fig. 3, and unit 404 is the same as unit 304 in the embodiment shown in fig. 3, and thus, description thereof is omitted.
A processing unit 405, configured to perform corresponding processing on the total encrypted data according to the detection result;
an obtaining unit 406, configured to obtain a first actual total data capacity and a first historical number of historical uplink data packets in the historical sub-encrypted data, and a second actual total data capacity and a second historical number of historical downlink data packets in the historical sub-encrypted data;
a first updating unit 407, configured to update the first preset threshold according to the first actual total data capacity and the second actual total data capacity, and update the second preset threshold according to the first history number and the second history number;
a second updating unit 408, configured to update the third preset threshold according to the updated first preset threshold and the updated second preset threshold;
optionally, in some embodiments of the present invention, the first detecting unit 402 may be further specifically configured to:
determining a first total data capacity of first uplink data and a first number of uplink data packets, a second total data capacity of first downlink data and a second number of downlink data packets in the sub-encrypted data;
and detecting whether the first total data capacity, the first quantity, the second total data capacity and the second quantity corresponding to the sub-encrypted data transmitted each time in the preset times are matched with the preset characteristics or not.
Optionally, in some embodiments of the present invention, the first detecting unit 402 may be further specifically configured to:
determining a first ratio of the first total data capacity to the second total data capacity and determining a second ratio of the first quantity to the second quantity;
comparing the first proportion with a first preset threshold value to obtain a first comparison result, and comparing the second proportion with a second preset threshold value to obtain a second comparison result;
calculating the first comparison result and the second comparison result according to a preset rule to obtain a target comparison result;
and detecting whether a target comparison result corresponding to the sub-encrypted data transmitted each time in the preset times is larger than a third preset threshold value, if so, determining that the first total data capacity, the first quantity, the second total data capacity and the second quantity corresponding to the sub-encrypted data transmitted each time in the preset times are matched with the preset characteristics.
Optionally, in some embodiments of the present invention, the second detecting unit 403 may be further specifically configured to:
detecting whether second uplink data in the total encrypted data are transmitted according to a preset interval within a preset time length;
if not, determining that the transmission mode of the second uplink data does not accord with the preset rule.
The encrypted video identification apparatus in the embodiment of the present invention is described above from the perspective of the modular functional entity, and the computer apparatus in the embodiment of the present invention is described below from the perspective of hardware processing:
one embodiment of a computer apparatus in an embodiment of the present invention includes:
a processor and a memory;
the memory is used for storing the computer program, and the processor is used for realizing the following steps when executing the computer program stored in the memory:
counting total encrypted data transmitted within a preset time length, wherein the total encrypted data comprises sub encrypted data transmitted for a preset number of times, and the sub encrypted data comprises first uplink data and first downlink data;
detecting whether first uplink data and first downlink data in the sub-encrypted data transmitted each time in preset times are both matched with preset characteristics;
if yes, detecting whether the transmission mode of second uplink data in the total encrypted data conforms to a preset rule or not;
and if not, determining that the total encrypted data is the encrypted video.
In some embodiments of the present invention, the processor may be further configured to:
determining a first total data capacity of first uplink data and a first number of uplink data packets, a second total data capacity of first downlink data and a second number of downlink data packets in the sub-encrypted data;
and detecting whether the first total data capacity, the first quantity, the second total data capacity and the second quantity corresponding to the sub-encrypted data transmitted each time in the preset times are matched with the preset characteristics or not.
In some embodiments of the present invention, the processor may be further configured to:
determining a first ratio of the first total data capacity to the second total data capacity and determining a second ratio of the first quantity to the second quantity;
comparing the first proportion with a first preset threshold value to obtain a first comparison result, and comparing the second proportion with a second preset threshold value to obtain a second comparison result;
calculating the first comparison result and the second comparison result according to a preset rule to obtain a target comparison result;
and detecting whether a target comparison result corresponding to the sub-encrypted data transmitted each time in the preset times is larger than a third preset threshold value, if so, determining that the first total data capacity, the first quantity, the second total data capacity and the second quantity corresponding to the sub-encrypted data transmitted each time in the preset times are matched with the preset characteristics.
In some embodiments of the present invention, the processor may be further configured to:
acquiring a first actual total data capacity and a first historical number of historical uplink data packets in historical sub-encrypted data, and a second actual total data capacity and a second historical number of historical downlink data packets in the historical sub-encrypted data;
updating a first preset threshold according to the first actual total data capacity and the second actual total data capacity, and updating a second preset threshold according to the first historical quantity and the second historical quantity;
and updating the third preset threshold according to the updated first preset threshold and the updated second preset threshold.
In some embodiments of the present invention, the processor may be further configured to:
detecting whether second uplink data in the total encrypted data are transmitted according to a preset interval within a preset time length;
if not, determining that the transmission mode of the second uplink data does not accord with the preset rule.
In some embodiments of the present invention, the processor may be further configured to:
and carrying out corresponding processing on the total encrypted data according to the detection result.
It is to be understood that, when the processor in the computer apparatus described above executes the computer program, the functions of each unit in the corresponding apparatus embodiments may also be implemented, and are not described herein again. Illustratively, the computer program may be partitioned into one or more modules/units that are stored in the memory and executed by the processor to implement the invention. The one or more modules/units may be a series of computer program instruction segments capable of performing specific functions, which are used to describe the execution process of the computer program in the encrypted video recognition apparatus. For example, the computer program may be divided into units in the above-described encrypted video identification apparatus, and each unit may implement specific functions as described above for the corresponding encrypted video identification apparatus.
The computer device can be a desktop computer, a notebook, a palm computer, a cloud server and other computing equipment. The computer device may include, but is not limited to, a processor, a memory. It will be appreciated by those skilled in the art that the processor, memory are merely examples of a computer apparatus and are not meant to be limiting, and that more or fewer components may be included, or certain components may be combined, or different components may be included, for example, the computer apparatus may also include input output devices, network access devices, buses, etc.
The processor may be a central processing unit (CPU), another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, and so on. A general-purpose processor may be a microprocessor or any conventional processor. The processor is the control center of the computer device and connects the various parts of the whole device through various interfaces and lines.
The memory may be used to store the computer programs and/or modules, and the processor implements the various functions of the computer device by running or executing the computer programs and/or modules stored in the memory and invoking data stored in the memory. The memory may mainly include a program storage area and a data storage area: the program storage area may store an operating system and the application program required for at least one function, and the data storage area may store data created during use of the terminal. In addition, the memory may include high-speed random access memory and may also include non-volatile memory, such as a hard disk, internal memory, a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card, a flash memory card, at least one magnetic disk storage device, a flash memory device, or another solid-state storage device.
The present invention also provides a computer-readable storage medium having a computer program stored thereon which, when executed by a processor, causes the processor to perform the steps of:
counting the total encrypted data transmitted within a preset time length, wherein the total encrypted data comprises sub-encrypted data transmitted a preset number of times, and the sub-encrypted data comprises first uplink data and first downlink data;
detecting whether the first uplink data and the first downlink data in the sub-encrypted data transmitted each of the preset number of times both match preset features;
if so, detecting whether the transmission mode of second uplink data in the total encrypted data conforms to a preset rule;
and if it does not, determining that the total encrypted data is an encrypted video.
In some embodiments of the invention, the computer program stored on the computer-readable storage medium, when executed by the processor, may specifically perform the steps of:
determining, in the sub-encrypted data, a first total data capacity and a first number of uplink data packets of the first uplink data, and a second total data capacity and a second number of downlink data packets of the first downlink data;
and detecting whether the first total data capacity, the first number, the second total data capacity and the second number corresponding to the sub-encrypted data transmitted each of the preset number of times all match the preset features.
In some embodiments of the invention, the computer program stored on the computer-readable storage medium, when executed by the processor, may specifically perform the steps of:
determining a first ratio of the first total data capacity to the second total data capacity and a second ratio of the first number to the second number;
comparing the first ratio with a first preset threshold to obtain a first comparison result, and comparing the second ratio with a second preset threshold to obtain a second comparison result;
combining the first comparison result and the second comparison result according to a preset calculation rule to obtain a target comparison result;
and detecting whether the target comparison result corresponding to the sub-encrypted data transmitted each of the preset number of times is larger than a third preset threshold; if so, determining that the first total data capacity, the first number, the second total data capacity and the second number corresponding to each of those transmissions all match the preset features.
In some embodiments of the invention, the computer program stored on the computer-readable storage medium, when executed by the processor, may specifically perform the steps of:
acquiring a first actual total data capacity and a first historical number of historical uplink data packets in historical sub-encrypted data, and a second actual total data capacity and a second historical number of historical downlink data packets in the historical sub-encrypted data;
updating the first preset threshold according to the first actual total data capacity and the second actual total data capacity, and updating the second preset threshold according to the first historical number and the second historical number;
and updating the third preset threshold according to the updated first preset threshold and the updated second preset threshold.
In some embodiments of the invention, the computer program stored on the computer-readable storage medium, when executed by the processor, may specifically perform the steps of:
detecting whether the second uplink data in the total encrypted data is transmitted at a preset interval within the preset time length;
and if not, determining that the transmission mode of the second uplink data does not conform to the preset rule.
In some embodiments of the invention, the computer program stored on the computer-readable storage medium, when executed by the processor, may specifically perform the step of:
processing the total encrypted data according to the detection result.
It will be appreciated that the integrated units, if implemented as software functional units and sold or used as stand-alone products, may be stored in a computer-readable storage medium. On this understanding, all or part of the flow of the method in the above embodiments may be implemented by a computer program that is stored in a computer-readable storage medium and executed by a processor to carry out the steps of the method embodiments above. The computer program comprises computer program code, which may be in the form of source code, object code, an executable file, or some intermediate form. The computer-readable medium may include any entity or device capable of carrying the computer program code, a recording medium, a USB flash drive, a removable hard disk, a magnetic disk, an optical disk, computer memory, read-only memory (ROM), random access memory (RAM), an electrical carrier signal, a telecommunications signal, a software distribution medium, and so on. It should be noted that what a computer-readable medium may contain can be added to or removed from as required by legislation and patent practice in a given jurisdiction; for example, in some jurisdictions, computer-readable media do not include electrical carrier signals and telecommunications signals.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the systems, apparatuses and units described above may refer to the corresponding processes in the foregoing method embodiments and are not described again here.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative: the division into units is only one logical division, and other divisions are possible in practice; a plurality of units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the shown or discussed mutual coupling, direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or of another form.
The units described as separate parts may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, each unit may exist alone physically, or two or more units may be integrated into one unit.
The above embodiments are only intended to illustrate the technical solutions of the present invention, not to limit them; although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features equivalently replaced, without departing from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (11)

1. An encrypted video identification method, comprising:
counting total encrypted data transmitted within a preset time length, wherein the total encrypted data comprises sub-encrypted data transmitted a preset number of times, and the sub-encrypted data comprises first uplink data and first downlink data;
detecting whether the first uplink data and the first downlink data in the sub-encrypted data transmitted each of the preset number of times both match preset features;
if so, detecting whether the transmission mode of second uplink data in the total encrypted data conforms to a preset rule;
if it does not, determining that the total encrypted data is an encrypted video;
wherein the detecting whether the first uplink data and the first downlink data in the sub-encrypted data transmitted each of the preset number of times both match preset features comprises:
determining, in the sub-encrypted data, a first total data capacity and a first number of uplink data packets of the first uplink data, and a second total data capacity and a second number of downlink data packets of the first downlink data;
detecting whether the first total data capacity, the first number, the second total data capacity and the second number corresponding to the sub-encrypted data transmitted each of the preset number of times all match the preset features;
and the detecting whether the first total data capacity, the first number, the second total data capacity and the second number corresponding to the sub-encrypted data transmitted each of the preset number of times all match the preset features comprises:
determining a first ratio of the first total data capacity to the second total data capacity and a second ratio of the first number to the second number;
comparing the first ratio with a first preset threshold to obtain a first comparison result, and comparing the second ratio with a second preset threshold to obtain a second comparison result;
calculating a target comparison result from the first comparison result and the second comparison result according to a preset rule;
detecting whether the target comparison result corresponding to the sub-encrypted data transmitted each of the preset number of times is larger than a third preset threshold, and if so, determining that the first total data capacity, the first number, the second total data capacity and the second number corresponding to the sub-encrypted data transmitted each of the preset number of times all match the preset features.
2. The method of claim 1, wherein the total encrypted data is encrypted data based on an HTTPS protocol.
3. The method of claim 1, further comprising:
acquiring a first actual total data capacity and a first historical number of historical uplink data packets in historical sub-encrypted data, and a second actual total data capacity and a second historical number of historical downlink data packets in the historical sub-encrypted data;
updating the first preset threshold according to the first actual total data capacity and the second actual total data capacity, and updating the second preset threshold according to the first historical number and the second historical number;
and updating the third preset threshold according to the updated first preset threshold and the updated second preset threshold.
4. The method according to claim 1, wherein the detecting whether the transmission mode of the second uplink data in the total encrypted data conforms to a preset rule comprises:
detecting whether the second uplink data in the total encrypted data is transmitted at a preset interval within the preset time length;
if not, determining that the transmission mode of the second uplink data does not conform to the preset rule.
5. The method according to claim 2, wherein, after the detecting whether the transmission mode of the second uplink data in the total encrypted data conforms to a preset rule, the method further comprises:
processing the total encrypted data according to the detection result.
6. The method according to claim 5, wherein the processing of the total encrypted data includes at least one of blocking the HTTPS connection corresponding to the total encrypted data, controlling the total encrypted data, and generating a traffic report from the total encrypted data.
7. An encrypted video identification apparatus, comprising:
a counting unit, configured to count total encrypted data transmitted within a preset time length, wherein the total encrypted data comprises sub-encrypted data transmitted a preset number of times, and the sub-encrypted data comprises first uplink data and first downlink data;
a first detection unit, configured to detect whether the first uplink data and the first downlink data in the sub-encrypted data transmitted each of the preset number of times both match preset features;
a second detection unit, configured to detect whether the transmission mode of second uplink data in the total encrypted data conforms to a preset rule when the first uplink data and the first downlink data match the preset features;
a determining unit, configured to determine that the total encrypted data is an encrypted video when the transmission mode of the second uplink data does not conform to the preset rule;
wherein the first detection unit is specifically configured to:
determine, in the sub-encrypted data, a first total data capacity and a first number of uplink data packets of the first uplink data, and a second total data capacity and a second number of downlink data packets of the first downlink data;
detect whether the first total data capacity, the first number, the second total data capacity and the second number corresponding to the sub-encrypted data transmitted each of the preset number of times all match the preset features;
and the first detection unit is specifically configured to:
determine a first ratio of the first total data capacity to the second total data capacity and a second ratio of the first number to the second number;
compare the first ratio with a first preset threshold to obtain a first comparison result, and compare the second ratio with a second preset threshold to obtain a second comparison result;
calculate a target comparison result from the first comparison result and the second comparison result according to a preset rule;
detect whether the target comparison result corresponding to the sub-encrypted data transmitted each of the preset number of times is larger than a third preset threshold, and if so, determine that the first total data capacity, the first number, the second total data capacity and the second number corresponding to the sub-encrypted data transmitted each of the preset number of times all match the preset features.
8. The apparatus of claim 7, further comprising:
an acquiring unit, configured to acquire a first actual total data capacity and a first historical number of historical uplink data packets in historical sub-encrypted data, and a second actual total data capacity and a second historical number of historical downlink data packets in the historical sub-encrypted data;
a first updating unit, configured to update the first preset threshold according to the first actual total data capacity and the second actual total data capacity, and to update the second preset threshold according to the first historical number and the second historical number;
and a second updating unit, configured to update the third preset threshold according to the updated first preset threshold and the updated second preset threshold.
9. The apparatus according to claim 7 or 8, wherein the second detection unit is specifically configured to:
detect whether the second uplink data in the total encrypted data is transmitted at a preset interval within the preset time length;
and if not, determine that the transmission mode of the second uplink data does not conform to the preset rule.
10. A computer device, comprising a processor which, when executing a computer program stored in a memory, implements the steps of the encrypted video identification method according to any one of claims 1 to 6.
11. A computer-readable storage medium having a computer program stored thereon, wherein the computer program, when executed by a processor, implements the steps of the encrypted video identification method according to any one of claims 1 to 6.
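The procedure of claims 1, 3 and 4 (and the matching storage-medium embodiment in the description above) written out as a runnable flow classifier. This is an added example, not code from the patent or from Sangfor. The patent fixes no numbers and no formula, so the thresholds, the weighted sum used as the "preset rule" for the target comparison result, the 5 s interval and 0.5 s tolerance of the periodicity check, the slack and margin factors of the threshold update, and the sample flows are all assumptions constructed for this illustration.

```python
"""Added example, not the patent's code: claims 1, 3 and 4 of CN107528837B as a
flow classifier.  All numbers (thresholds, weights, slack, margin, interval,
tolerance) and the weighted-sum 'preset rule' are assumptions; the patent itself
leaves them unspecified."""
from dataclasses import dataclass
from statistics import mean
from typing import List, Tuple


@dataclass
class SubExchange:
    """One request/response pair ('sub encrypted data'); payload sizes in bytes."""
    up_sizes: List[int]      # first uplink data (client -> server)
    down_sizes: List[int]    # first downlink data (server -> client)


@dataclass
class Thresholds:
    byte_ratio: float = 0.05   # first preset threshold: uplink / downlink bytes
    pkt_ratio: float = 0.5     # second preset threshold: uplink / downlink packets
    target: float = 0.5        # third preset threshold on the combined score
    w_bytes: float = 0.5       # weights of the assumed weighted-sum 'preset rule'
    w_pkts: float = 0.5


def exchange_stats(ex: SubExchange) -> Tuple[int, int, int, int]:
    """First total capacity, first number, second total capacity, second number."""
    return sum(ex.up_sizes), len(ex.up_sizes), sum(ex.down_sizes), len(ex.down_sizes)


def target_score(ex: SubExchange, th: Thresholds) -> float:
    """Compare both ratios with their thresholds and combine the two results."""
    up_b, up_n, down_b, down_n = exchange_stats(ex)
    if down_b == 0 or down_n == 0:      # no response at all: cannot be a video chunk
        return 0.0
    first_result = 1.0 if up_b / down_b <= th.byte_ratio else 0.0
    second_result = 1.0 if up_n / down_n <= th.pkt_ratio else 0.0
    return th.w_bytes * first_result + th.w_pkts * second_result


def features_match(exchanges: List[SubExchange], th: Thresholds, preset_count: int) -> bool:
    """Claim 1: each of the preset number of exchanges must score above the third threshold."""
    if len(exchanges) < preset_count:
        return False
    return all(target_score(ex, th) > th.target for ex in exchanges[:preset_count])


def is_periodic(times: List[float], interval: float, tolerance: float) -> bool:
    """Claim 4: is the 'second uplink data' sent at the preset interval?"""
    if len(times) < 2:
        return False
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    return all(abs(gap - interval) <= tolerance for gap in gaps)


def is_encrypted_video(exchanges: List[SubExchange], second_uplink_times: List[float],
                       th: Thresholds, preset_count: int = 3,
                       interval: float = 5.0, tolerance: float = 0.5) -> bool:
    """Claim 1 end to end: features match AND the second uplink data is NOT periodic."""
    if not features_match(exchanges, th, preset_count):
        return False
    return not is_periodic(second_uplink_times, interval, tolerance)


def update_thresholds(history: List[SubExchange], th: Thresholds,
                      slack: float = 1.5, margin: float = 0.9) -> Thresholds:
    """Claim 3 with assumed formulas: first/second threshold = slack * mean historical
    ratio; third threshold = margin * mean score of history under the updated pair."""
    valid = [ex for ex in history if sum(ex.down_sizes) > 0]
    if not valid:
        return th
    stats = [exchange_stats(ex) for ex in valid]
    th.byte_ratio = slack * mean([up_b / down_b for up_b, _, down_b, _ in stats])
    th.pkt_ratio = slack * mean([up_n / down_n for _, up_n, _, down_n in stats])
    th.target = margin * mean([target_score(ex, th) for ex in valid])
    return th


# Constructed sample flows (not captured traffic).
# Segment fetches: ~250-byte requests, ~1 MB responses in 1400-byte packets.
VIDEO_EXCHANGES = [
    SubExchange([180, 60], [1400] * 700),
    SubExchange([190, 60], [1400] * 720),
    SubExchange([185, 60], [1400] * 690),
]
VIDEO_SECOND_UPLINK = [0.0, 3.1, 9.7, 11.2]      # irregular: video under claim 4
POLLING_SECOND_UPLINK = [0.0, 5.0, 10.1, 14.9]   # every ~5 s: not video under claim 4
# Upload-heavy chat exchanges: both ratios exceed their thresholds.
CHAT_EXCHANGES = [SubExchange([900, 900], [300, 300])] * 3

if __name__ == "__main__":
    th = Thresholds()
    print("video flow  :", is_encrypted_video(VIDEO_EXCHANGES, VIDEO_SECOND_UPLINK, th))
    print("polling flow:", is_encrypted_video(VIDEO_EXCHANGES, POLLING_SECOND_UPLINK, th))
    print("chat flow   :", is_encrypted_video(CHAT_EXCHANGES, VIDEO_SECOND_UPLINK, th))
    print("updated     :", update_thresholds(VIDEO_EXCHANGES, th))
```

Read against the claims: a flow passes the byte-ratio and packet-ratio tests only when every one of the preset number of exchanges scores above the third threshold, and is then classified as video only if its second uplink data is not sent at the preset interval; the polling flow in the sample has exactly the same byte profile as the video flow and is rejected on that second test alone. A caveat for anyone deploying such a heuristic: small-request, large-response exchanges are not unique to video streaming, and a large HTTPS file download produces the same ratios, so the thresholds and the interval rule have to be tuned on the traffic actually seen, which is what the history-based update of claim 3 exists for.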
CN201710707511.0A 2017-08-17 2017-08-17 Encrypted video identification method and device, computer device and readable storage medium Active CN107528837B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710707511.0A CN107528837B (en) 2017-08-17 2017-08-17 Encrypted video identification method and device, computer device and readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710707511.0A CN107528837B (en) 2017-08-17 2017-08-17 Encrypted video identification method and device, computer device and readable storage medium

Publications (2)

Publication Number Publication Date
CN107528837A CN107528837A (en) 2017-12-29
CN107528837B true CN107528837B (en) 2020-06-09

Family

ID=60681383

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710707511.0A Active CN107528837B (en) 2017-08-17 2017-08-17 Encrypted video identification method and device, computer device and readable storage medium

Country Status (1)

Country Link
CN (1) CN107528837B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109151579B (en) * 2018-09-07 2021-02-26 杭州迪普科技股份有限公司 Method, device and equipment for testing whether web video traffic is correctly identified
CN110971530B (en) * 2018-09-28 2023-07-14 深信服科技股份有限公司 Video traffic data identification method, device and equipment
CN111064717B (en) * 2019-12-06 2022-11-22 浙江大华技术股份有限公司 Data encoding method, data decoding method, related terminal and device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103873320A (en) * 2013-12-27 2014-06-18 北京天融信科技有限公司 Encrypted flow rate recognizing method and device
EP2860911A1 (en) * 2013-10-11 2015-04-15 Mitsubishi Electric R&D Centre Europe B.V. Method and device for classifying encrypted data flows between at least one web client and at least one web server
CN104954365A (en) * 2015-05-27 2015-09-30 北京亿赛通网络安全技术有限公司 Method capable of rapidly automatically identifying encrypted network behaviors
CN106257867A (en) * 2015-06-18 2016-12-28 中兴通讯股份有限公司 A kind of business recognition method encrypting flow and device

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160283859A1 (en) * 2015-03-25 2016-09-29 Cisco Technology, Inc. Network traffic classification


Also Published As

Publication number Publication date
CN107528837A (en) 2017-12-29


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant