CN108337322A - Front-end auditing method - Google Patents
Front-end auditing method (original title: 一种前置审计方法, rendered by the machine translation as "A kind of preposition auditing method")
- Publication number: CN108337322A
- Application number: CN201810212834.7A
- Authority
- CN
- China
- Prior art keywords
- data packet
- audit
- data
- preposition
- module
- Prior art date
- Legal status: Pending (the status is an assumption made by Google Patents, not a legal conclusion; Google has not performed a legal analysis)
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a front-end auditing method in the field of network information security auditing. Audit analysis is performed by an auditing system: network packets are intercepted through netfilter, the intercepted packets are matched against the corresponding policies, the last packet of a packet stream is modified and the corresponding JavaScript (js) is inserted into it, and the js obtains the required information in the client browser, thereby completing the audit. The invention improves audit efficiency, changes the way auditing is done, lets users obtain the required information more completely and efficiently with this system, and extends the existing behaviour-auditing modes.
Description
Technical field
The present invention relates to the field of network information security auditing, and in particular to a front-end auditing method for enriching and collecting the virtual-identity information and data relevant to public-security work.
Background technology
With the growing popularity of the network and the development and maturation of the related technologies, people have entered an era of extremely abundant information. The Internet brings many conveniences, but it also brings many problems: illegal and criminal activity committed through the network is rising accordingly. Faced with the virtual and uncertain nature of the network, auditing of network behaviour has become a necessary means of, and safeguard for, information security.
Existing Internet behaviour-auditing technology works in a flow-through manner and audits network behaviour in one of two deployment modes. In the first, the device is deployed in-line on the egress link as a gateway or bridge and analyses and audits the bidirectional traffic on the egress link; this is the most common network behaviour-auditing measure. In the second, the device is deployed in bypass mode on a switch mirror port and, using the switch's port-mirroring, analyses and audits the uplink and downlink traffic passing through the switch.
The packets of Internet activity in the LAN are obtained through the bridge/gateway or the bypass, parsed one by one, and matched against the various characteristic values or keywords of each protocol, from which the corresponding information (such as body text and titles) is reconstructed. If a protocol changes, adapting this method is relatively complex, so the audit measure is inflexible. A second disadvantage is that reconstructing the content requires a complex retrieval algorithm as support, and this reconstruction cannot support multithreaded concurrent packet analysis, which creates a system bottleneck.
The obvious disadvantage of flow-through auditing is that all of the data traffic must reach the audit device before the relevant protocols can be analysed, which is inefficient. In particular, when auditing mail, web access and the like, information such as body text, titles and recipients can only be obtained after packet reconstruction; this requires a cumbersome retrieval algorithm, cannot achieve concurrency under big-data conditions, and becomes the bottleneck of the whole system.
Invention content
To overcome the shortcomings of the prior art, the present invention provides a front-end auditing method that improves audit efficiency, changes the way auditing is done, lets users obtain the required information more completely and efficiently with this system, and extends the existing behaviour-auditing modes.
The technical solution of the present invention is as follows:
A front-end auditing method, characterised in that audit analysis is performed by an auditing system: network packets are intercepted through the netfilter framework, the intercepted packets are matched against the corresponding policies, the last packet in a packet stream is modified and the corresponding js is inserted into it, and the js obtains the required information in the client browser, thereby completing the audit.
According to the above scheme, the auditing system is moved forward (front-loaded) onto the user terminal's browser.
According to the above scheme, the auditing system comprises a network registration module, a policy management module and an injection module: the network registration module supplies the intercepted packets to the injection module; the policy management module matches and manages policies by the type of the passing packets and the user IP, and serves the injection module; the injection module modifies the original packet content and sends it to the client browser, where the relevant information is extracted and audited.
According to the above scheme, the network registration module intercepts the passing packets by registering with the netfilter framework.
Further, when the network registration module captures packets, it first initialises the network registration information and then captures packets.
Further, the packet-interception process of the network registration module comprises:
(1) initialising the linked list that stores the configuration information;
(2) reading the configuration file, including the js to be injected and the name of the network interface from which the packets are sent out;
(3) initialising the hook function and registering it, so that every qualifying network packet passing through the protocol stack invokes the hook function, which achieves packet capture.
According to the above scheme, the process by which the policy management module matches the intercepted packets against the corresponding policies comprises:
Step 1: determine whether the intercepted packet is a TCP packet; if so, go to the next step, otherwise exit the audit flow;
Step 2: determine whether the port is port 80; if so, go to the next step, otherwise exit the audit flow;
Step 3: examine the application-layer data length: if it equals 0, go to step 4; if it is greater than 0, go to step 5; if it is less than 0, exit the audit flow;
Step 4: determine whether the TCP flow exists in the machine tree; if so, send the packet to the injection module, otherwise exit the audit flow;
Step 5: determine whether the packet content is a js request; if so, send the packet to the injection module, otherwise exit the audit flow.
Further, when the injection module modifies the original packet content: if the TCP flow exists in the machine tree, the skb data frame is modified. It is first determined whether this is the first data frame; on the first frame the Content-Length attribute is modified by adding the length of the js script to be injected to the original value. By comparing Content-Length with the accumulated packet length of the same data flow, it is determined whether the current frame is the last one; if it is, the js script to be injected is appended at the tail of the frame, so that the total matches the length announced in the first frame.
According to the above scheme, after the injection module has modified the original packet content, the reassembled data frame is sent out through the preset network interface and presented to the client browser; the injected js script then obtains the web page information for auditing.
According to the above scheme, the advantages are: the present invention achieves the audit effect by js injection, which fully shows its flexibility and diversity compared with traditional audit measures; in terms of efficiency and implementation, js injection moves the audit forward to the client, greatly reduces the hardware requirements of the audit device, and expands the audit modes; front-end auditing abandons auditing by traditional packet reconstruction, improves audit efficiency, and reduces the complexity of the retrieval algorithm.
Description of the drawings
Fig. 1 is a structural schematic diagram of the present invention.
Specific implementation mode
The present invention is further described below with reference to the accompanying drawing and an embodiment:
As shown in Fig. 1, in the front-end auditing method the audit analysis is performed by an auditing system that is moved forward onto the user terminal's browser: the audit analysis that originally ran on the audit device is moved forward onto the client browser, which thus shares the load of the original audit device.
Network packets are intercepted through the netfilter framework, the intercepted packets are matched against the corresponding policies, the last packet in a packet stream is modified and the corresponding js is inserted into it, and the js obtains the required information in the client browser, thereby completing the audit.
The auditing system comprises a network registration module, a policy management module and an injection module.
1. The network registration module intercepts the passing packets by registering with the netfilter framework and supplies the intercepted packets to the injection module.
When the network registration module captures packets, it first initialises the network registration information and then captures packets. The detailed process comprises:
(1) initialising the linked list that stores the configuration information;
(2) reading the configuration file, including the js to be injected and the name of the network interface from which the packets are sent out;
(3) initialising the hook function through the structure struct nf_hook_ops and registering it through the nf_register_hooks function, so that every qualifying network packet passing through the protocol stack invokes the hook function, which achieves packet capture.
The structure struct nf_hook_ops is defined as follows (the layout shown is that of the 2.6-series kernels; newer kernels drop the owner and list members, and from 4.13 onward nf_register_hooks is replaced by nf_register_net_hooks, which takes the network namespace as its first argument). Its member hook is a function pointer: a user-defined function is assigned to it so that the function is called whenever a packet arrives, which achieves packet capture.
struct nf_hook_ops
{
    struct list_head list;      // linked-list member, maintained by the kernel
    /* User fills in from here down. */
    nf_hookfn *hook;            // hook function pointer; the kernel calls it for every packet reaching the hook point
    struct module *owner;       // owning module (THIS_MODULE); pins the module while the hook is registered
    int pf;                     // protocol family, PF_INET for IPv4
    int hooknum;                // hook point, e.g. NF_IP_PRE_ROUTING or NF_IP_POST_ROUTING
    /* Hooks are ordered in ascending priority. */
    int priority;               // priority; lower values run first, e.g. NF_IP_PRI_FIRST
};
2. The policy management module matches and manages policies by the type of the passing packets and the user IP, and serves the injection module.
The process by which the policy management module matches the intercepted packets against the corresponding policies comprises:
Step 1: determine whether the intercepted packet is a TCP packet; if so, go to the next step, otherwise exit the audit flow;
Step 2: determine whether the port is port 80; if so, go to the next step, otherwise exit the audit flow;
Step 3: examine the application-layer data length: if it equals 0, go to step 4; if it is greater than 0, go to step 5; if it is less than 0, exit the audit flow;
Step 4: determine whether the TCP flow exists in the machine tree (queue); if so, send the packet to the injection module, otherwise exit the audit flow;
Step 5: determine whether the packet content is a js request; if so, send the packet to the injection module, otherwise exit the audit flow.
3. The injection module modifies the original packet content and sends it to the client browser, where the relevant information is extracted and audited. When the injection module modifies the original packet content:
If the TCP flow exists in the machine tree, the skb data frame is modified. It is first determined whether this is the first data frame; on the first frame the Content-Length attribute is modified by adding the length of the js script to be injected to the original value. By comparing Content-Length with the accumulated packet length of the same data flow, it is determined whether the current frame is the last one; if it is, the js script to be injected is appended at the tail of the frame, so that the total matches the length announced in the first frame.
After the injection module has modified the original packet content, the reassembled data frame is sent out through the preset network interface and presented to the client browser. Through the injected js script, the web page information to be audited, such as the title and the content of posts, is obtained.
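The policy match of step 1 to step 5 above and the injection module's Content-Length rewrite and last-frame script append, as an added example in user-space C that is not code from the patent or its applicant. The patent's hook works on kernel sk_buffs inside netfilter; here each TCP segment is a NUL-terminated byte buffer, the "machine tree (queue)" is a small flow table keyed by an integer stand-in for the (client IP, port) pair, the injected script tag and its /audit.js path are hypothetical, and the step-5 "js request" test, which the patent does not define, is passed in as the policy module's result. The two-segment HTTP/1.1 response is constructed sample input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_FLOWS 16
#define FRAME_CAP 512

/* Script appended by the injection module; the patent reads it from its
 * configuration file, the tag and path used here are hypothetical. */
static const char INJECT_JS[] = "<script src=\"/audit.js\"></script>";

/* Per-flow state kept in the "machine tree (queue)". */
struct flow {
    unsigned int id;        /* stand-in for the (client IP, port) key */
    size_t orig_body_len;   /* Content-Length as the server sent it */
    size_t seen_body;       /* body bytes already forwarded in this flow */
    int first_done;         /* header frame already rewritten */
    int in_use;
};

static struct flow table[MAX_FLOWS];

struct flow *flow_lookup(unsigned int id)
{
    for (int i = 0; i < MAX_FLOWS; i++)
        if (table[i].in_use && table[i].id == id)
            return &table[i];
    return NULL;
}

struct flow *flow_add(unsigned int id)
{
    for (int i = 0; i < MAX_FLOWS; i++) {
        if (!table[i].in_use) {
            memset(&table[i], 0, sizeof table[i]);
            table[i].in_use = 1;
            table[i].id = id;
            return &table[i];
        }
    }
    return NULL;
}

/* Policy match, steps 1-5. Returns 1 when the segment goes to the injection
 * module, 0 when the audit flow exits. */
int policy_match(int is_tcp, int port, long app_len,
                 unsigned int flow_id, int js_policy_hit)
{
    if (!is_tcp)      return 0;                   /* step 1 */
    if (port != 80)   return 0;                   /* step 2: plaintext HTTP only */
    if (app_len < 0)  return 0;                   /* step 3: malformed length */
    if (app_len == 0)                             /* step 4: pure ACK of a tracked flow */
        return flow_lookup(flow_id) != NULL;
    return js_policy_hit;                         /* step 5 */
}

/* Injection module. `frame` is a NUL-terminated TCP payload with FRAME_CAP
 * bytes of room and is rewritten in place. Returns the new payload length,
 * or -1 if the flow is unknown or the frame cannot be handled. */
long inject(unsigned int flow_id, char *frame)
{
    struct flow *f = flow_lookup(flow_id);
    if (!f)
        return -1;

    size_t js_len = strlen(INJECT_JS);
    size_t len = strlen(frame);
    size_t body_in_frame;

    if (!f->first_done) {
        /* First frame: announce the larger body so the browser keeps reading
         * until the appended script has arrived. Header match is case-sensitive
         * here for brevity; HTTP header names are not. */
        char *hdr_end = strstr(frame, "\r\n\r\n");
        char *cl = strstr(frame, "Content-Length: ");
        if (!hdr_end || !cl || cl > hdr_end)
            return -1;                            /* chunked or headerless: not handled */
        f->orig_body_len = strtoul(cl + 16, NULL, 10);
        char *rest = strstr(cl, "\r\n");          /* everything after the number */
        char tmp[FRAME_CAP];
        int n = snprintf(tmp, sizeof tmp, "%.*sContent-Length: %zu%s",
                         (int)(cl - frame), frame, f->orig_body_len + js_len, rest);
        if (n < 0 || (size_t)n >= sizeof tmp)
            return -1;
        memcpy(frame, tmp, (size_t)n + 1);
        len = (size_t)n;
        hdr_end = strstr(frame, "\r\n\r\n");
        body_in_frame = len - (size_t)(hdr_end + 4 - frame);
        f->first_done = 1;
    } else {
        body_in_frame = len;                      /* later frames carry body only */
    }
    f->seen_body += body_in_frame;

    /* Last frame: accumulated body has reached the original Content-Length. */
    if (f->seen_body >= f->orig_body_len) {
        if (len + js_len >= FRAME_CAP)
            return -1;
        memcpy(frame + len, INJECT_JS, js_len + 1);
        len += js_len;
        f->in_use = 0;                            /* flow finished; drop it from the table */
    }
    return (long)len;
}

/* Constructed sample input: one HTTP/1.1 response split into two segments. */
char demo_seg1[FRAME_CAP] = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                            "Content-Length: 31\r\n\r\n<html><body>hello";
char demo_seg2[FRAME_CAP] = "</body></html>";

int main(void)
{
    flow_add(7);
    printf("seg1 -> %ld bytes\n%s\n", inject(7, demo_seg1), demo_seg1);
    printf("seg2 -> %ld bytes\n%s\n", inject(7, demo_seg2), demo_seg2);
    return 0;
}
```

What the model leaves to a real in-kernel implementation, and what the patent does not mention: after the payload grows, the IP total length and the TCP and IP checksums must be recomputed; on a persistent (keep-alive) connection every later server segment and client acknowledgement in that flow must have its sequence or acknowledgement number shifted by the injected length, or the connection stalls; responses using Transfer-Encoding: chunked or Content-Encoding: gzip have no plaintext Content-Length to rewrite (this model returns -1 for them); and the port-80 match means TLS traffic on port 443 is never seen, so the method only covers plaintext HTTP.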
The invention has the following features:
(1) The audit action is truly moved forward onto the client's browser, which relieves the load on the audit device and reduces its hardware requirements.
(2) The implementation logic is simpler: no packet-reconstruction module is needed as support, making it simple and more flexible.
It should be understood that those of ordinary skill in the art can make modifications or changes according to the above description, and all such modifications and variations fall within the protection scope of the appended claims of the present invention.
The present patent has been described above by way of illustration with reference to the accompanying drawing; clearly, its implementation is not limited by the above manner. Various improvements made using the method and technical solution of the present patent, or direct application of the concept and technical solution of the present patent to other occasions without improvement, are within the scope of the invention.
Claims (4)
1. A front-end auditing method, characterised in that audit analysis is performed by an auditing system: network packets are intercepted through the netfilter framework, the intercepted packets are matched against the corresponding policies, the last packet in a packet stream is modified and the corresponding js is inserted into it, and the js obtains the required information in the client browser, thereby completing the audit.
2. The front-end auditing method according to claim 1, characterised in that the auditing system comprises a network registration module, a policy management module and an injection module: the network registration module supplies the intercepted packets to the injection module; the policy management module matches and manages policies by the type of the passing packets and the user IP, and serves the injection module; the injection module modifies the original packet content and sends it to the client browser, where the relevant information is extracted and audited.
3. The front-end auditing method according to claim 2, characterised in that the network registration module intercepts the passing packets by registering with the netfilter framework.
4. The front-end auditing method according to claim 2, characterised in that the process by which the policy management module matches the intercepted packets against the corresponding policies comprises:
Step 1: determine whether the intercepted packet is a TCP packet; if so, go to the next step, otherwise exit the audit flow;
Step 2: determine whether the port is port 80; if so, go to the next step, otherwise exit the audit flow;
Step 3: examine the application-layer data length: if it equals 0, go to step 4; if it is greater than 0, go to step 5; if it is less than 0, exit the audit flow;
Step 4: determine whether the TCP flow exists in the machine tree; if so, send the packet to the injection module, otherwise exit the audit flow;
Step 5: determine whether the packet content is a js request; if so, send the packet to the injection module, otherwise exit the audit flow.
Priority Applications (1)
Application Number | Publication | Priority Date | Filing Date | Title |
---|---|---|---|---|
CN201810212834.7A | CN108337322A | 2018-03-15 | 2018-03-15 | Front-end auditing method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN108337322A true CN108337322A (en) | 2018-07-27 |
Family
ID=62930806
Family Applications (1)
Application Number | Status | Publication | Priority Date | Filing Date | Title |
---|---|---|---|---|---|
CN201810212834.7A | Pending | CN108337322A | 2018-03-15 | 2018-03-15 | Front-end auditing method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108337322A |
Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20060006876A1 (en) * | 2004-07-12 | 2006-01-12 | Midtronics, Inc. | Wireless battery tester/charger |
CN101887463A (en) * | 2010-07-22 | 2010-11-17 | 北京天融信科技有限公司 | Virtual domain-based HTTP reduction display method |
CN102594587A (en) * | 2012-01-17 | 2012-07-18 | 京信通信系统(中国)有限公司 | Embedded WEB debugging and testing maintenance method and debugging and testing maintenance system |
CN102868738A (en) * | 2012-08-30 | 2013-01-09 | 福建富士通信息软件有限公司 | Hyper text transfer protocol (HTTP)/hypertext transfer protocol secure (HTTPS) behavior management and control auditing method based on Web proxy |
US20130262702A1 (en) * | 2012-03-29 | 2013-10-03 | A10 Networks, Inc. | Hardware-based packet editor |
CN104219330A (en) * | 2014-09-29 | 2014-12-17 | 北京神州绿盟信息安全科技股份有限公司 | Method and system for auditing screen record based on WEB proxy |
CN104506519A (en) * | 2014-12-22 | 2015-04-08 | 中软信息系统工程有限公司 | Web site access security audit method for MIPS (Million Instructions Per Second) platform |
CN105471883A (en) * | 2015-12-10 | 2016-04-06 | 中国电子科技集团公司第三十研究所 | Tor network tracing system and tracing method based on web injection |
CN105634835A (en) * | 2014-10-27 | 2016-06-01 | 任子行网络技术股份有限公司 | Internet data cloud auditing method and system, and audit router |
Non-Patent Citations (1)
Title |
---|
申婷婷: "面向纵向业务开发平台的访问控制与安全审计系统研究与实现" (Research and implementation of an access control and security audit system for a vertical business development platform), China Master's Theses Full-text Database |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | |
Application publication date: 2018-07-27