CN108337322A - A kind of preposition auditing method - Google Patents


Info

Publication number
CN108337322A
Authority
CN
China
Prior art keywords
data packet
audit
data
preposition
module
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201810212834.7A
Other languages
Chinese (zh)
Inventor
黄雯
严乐平
周金洪
徐魏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
SHENZHEN ZHONGKE SEEN INFORMATION TECHNOLOGY DEVELOPMENT Co Ltd
Original Assignee
SHENZHEN ZHONGKE SEEN INFORMATION TECHNOLOGY DEVELOPMENT Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2018-03-15
Filing date
2018-03-15
Publication date
2018-07-27
Application filed by SHENZHEN ZHONGKE SEEN INFORMATION TECHNOLOGY DEVELOPMENT Co Ltd
Priority to CN201810212834.7A
Publication of CN108337322A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a preposition (front-loaded) auditing method in the field of network information security auditing. The audit analysis is carried out by an auditing system: network packets are intercepted through netfilter, the intercepted packets are matched against the corresponding policies, the last packet of a packet stream is modified so that the corresponding js (JavaScript) is inserted before it, and the js obtains the necessary information in the client browser, thereby carrying out the audit. The invention improves audit efficiency, changes the mode of auditing, lets the user obtain the required information more comprehensively and efficiently through the system, and extends existing behavior auditing modes.

Description

A kind of preposition auditing method
Technical field
The present invention relates to the field of network information security auditing, and in particular to a preposition (front-loaded, i.e. moved forward onto the client) auditing method for enriching and collecting virtual-identity information relevant to the business of public security departments.
Background technology
With the growing popularity of the network and the development and maturation of related technologies, people have entered an era of extremely rich information. The Internet brings many conveniences, but it also brings many problems: illegal and criminal acts committed through the network, a new form of crime, have increased accordingly. In the face of the virtual and uncertain nature of the network, network behavior auditing has become a necessary means of, and guarantee for, information security.
Existing Internet security behavior auditing technology works in a flow-through manner and audits network behavior in one of two deployment modes. In the first, the device is deployed in-line on the egress link as a gateway or bridge and analyzes and audits the bidirectional traffic on that link; this is the most common network behavior auditing measure. In the second, the device is deployed in bypass mode on a switch mirror port and, through the switch's mirroring, analyzes and audits the upstream and downstream traffic passing through the switch.
In both cases the packets of Internet behavior in the LAN are obtained by the bridge/gateway or bypass method, parsed one by one, matched against the various characteristic values or keywords of the protocol, and the corresponding information (such as text and titles) is restored. This has two drawbacks. First, if the protocol changes, adapting the method is relatively complex, so the audit measure is inflexible. Second, restoring the content requires a complex restoration algorithm as support, and such restoration cannot support multithreaded concurrent packet analysis, which creates a system bottleneck.
The obvious disadvantage of flow-through auditing is that all of the data traffic must reach the audit device before the relevant protocols can be analyzed, which is inefficient. In particular, when auditing mail, web page access and the like, information such as text, title and addressee can only be obtained after the packets have been restored; this requires a cumbersome restoration algorithm, cannot achieve concurrency under big data, and becomes the bottleneck of the whole system.
Invention content
To overcome the shortcomings of the existing technology, the present invention provides a front-loaded auditing method that improves audit efficiency, changes the mode of auditing, lets the user obtain the required information more comprehensively and efficiently through the system, and extends existing behavior auditing modes.
The technical solution of the present invention is as follows:
A preposition (front-loaded) auditing method, characterized in that audit analysis is carried out by an auditing system: network packets are intercepted through the netfilter framework, the intercepted packets are matched against the corresponding policies, the last packet of a packet stream is modified so that the corresponding js is inserted before it, and the js obtains the necessary information in the client browser, thereby carrying out the audit.
According to the present invention of the above scheme, it is characterized in that the auditing system is front-loaded onto the user-side browser.
According to the present invention of the above scheme, it is characterized in that the auditing system comprises a network registration module, a policy management module and an injection module:
The network registration module provides the intercepted packets to the injection module; the policy management module matches and manages policies for the types of packets flowing through and the user IP, and serves the injection module; the injection module modifies the original packet contents and sends them on to the client browser, where the relevant information is extracted and audited.
According to the present invention of the above scheme, it is characterized in that the network registration module intercepts the packets flowing through by registering with the netfilter framework.
Further, when the network registration module captures packets, it first initializes the network registration information and then captures the packets.
Further, the process by which the network registration module intercepts packets specifically comprises:
(1) initializing the configuration-information storage linked list;
(2) reading the configuration file information, including the js information to be injected and the name of the network card device through which the packets are sent out;
(3) initializing the hook function and registering it, so that qualifying network packets passing through the protocol stack invoke the hook function, thereby capturing the packets.
According to the present invention of the above scheme, it is characterized in that the process by which the policy management module matches the intercepted packets against the corresponding policies specifically comprises:
Step 1: judge whether the intercepted packet is a TCP packet; if so, proceed to the next step, otherwise exit the audit flow;
Step 2: judge whether the port is port 80; if so, proceed to the next step, otherwise exit the audit flow;
Step 3: judge the application-layer data length: if it equals 0, go to step 4; if it is greater than 0, go to step 5; if it is less than 0, exit the audit flow;
Step 4: judge whether the TCP packet exists in the machine tree; if so, send the packet to the injection module, otherwise exit the audit flow;
Step 5: judge whether the packet content is a js request; if so, send the packet to the injection module, otherwise exit the audit flow.
Further, when the injection module modifies the original packet contents:
If the TCP flow exists in the machine tree, the skb data frame is modified. It is first determined whether this is the first data frame; on the first data frame the Content-Length attribute is modified by adding the length of the js script to be injected to the original data frame length.
By comparing Content-Length with the accumulated packet length of the same data flow, it is judged whether the data frame is the last frame; if it is, the js script information to be injected is appended to the tail of the data frame so that the total corresponds to the data length declared in the first frame.
According to the present invention of the above scheme, after the injection module modifies the original packet contents, the re-assembled data frame is sent out through the preset network card device and presented on the client browser; the injected js script information obtains the audit of the web page information.
According to the present invention of the above scheme, the advantages are as follows: the present invention achieves the audit effect by js injection, which fully shows its flexibility and diversity compared with traditional audit measures; in terms of efficiency and implementation, front-loading the audit to the client by js injection greatly reduces the hardware requirements of the audit device and expands the audit modes; front-loaded auditing abandons the traditional packet-restoration mode of auditing, improves audit efficiency, and reduces the complexity of the restoration algorithm.
Description of the drawings
Fig. 1 is a structural schematic diagram of the present invention.
Specific implementation mode
The present invention is further described below with reference to the accompanying drawings and embodiments:
As shown in Figure 1, in the front-loaded auditing method the audit analysis is carried out by the auditing system, which is front-loaded onto the user-side browser: the audit analysis that was performed on the original audit device is moved to the client browser, which thereby shares the load of the original audit device.
Network packets are intercepted through the netfilter framework; the intercepted packets are matched against the corresponding policies; the last packet of a packet stream is modified so that the corresponding js is inserted before it; and the js obtains the necessary information in the client browser, thereby carrying out the audit.
The auditing system comprises a network registration module, a policy management module and an injection module.
1. The network registration module intercepts the packets flowing through by registering with the netfilter framework, and provides the intercepted packets to the injection module.
When the network registration module captures packets, it first initializes the network registration information and then captures the packets; the detailed process comprises:
(1) initializing the configuration-information storage linked list;
(2) reading the configuration file information: the js information to be injected and the name of the network card device through which the packets are sent out;
(3) initializing the hook function through the structure struct nf_hook_ops and registering it with the nf_register_hooks function, so that qualifying network packets passing through the protocol stack invoke the hook function, thereby capturing the packets.
The structure struct nf_hook_ops is defined as follows. Its member hook is a function pointer to which a user-defined function can be assigned, so that the user-defined function is invoked whenever a packet arrives, which is how packet capture is realized.
struct nf_hook_ops {
    struct list_head list;   /* linked-list member */
    /* User fills in from here down. */
    nf_hookfn *hook;         /* hook function pointer */
    struct module *owner;    /* owning module */
    int pf;                  /* protocol family, PF_INET for IPv4 */
    int hooknum;             /* hook type (hook point) */
    /* Hooks are ordered in ascending priority. */
    int priority;            /* priority */
};
2. The policy management module matches and manages policies for the types of packets flowing through and the user IP, and serves the injection module.
The process by which the policy management module matches the intercepted packets against the corresponding policies specifically comprises:
Step 1: judge whether the intercepted packet is a TCP packet; if so, proceed to the next step, otherwise exit the audit flow;
Step 2: judge whether the port is port 80; if so, proceed to the next step, otherwise exit the audit flow;
Step 3: judge the application-layer data length: if it equals 0, go to step 4; if it is greater than 0, go to step 5; if it is less than 0, exit the audit flow;
Step 4: judge whether the TCP flow exists in the machine tree (queue); if so, send the packet to the injection module, otherwise exit the audit flow;
Step 5: judge whether the packet content is a js request; if so, send the packet to the injection module, otherwise exit the audit flow.
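The five-step policy match above, written out as an added C example; this is editor-supplied illustration, not code from the patent or its assignee. It works on a constructed per-packet summary rather than a kernel skb, so the struct fields, the enum names and the reported step number are assumptions. It shows what traffic such a device ever hands to the injection module: only TCP traffic to port 80 with a well-formed payload length, and within that only an empty-payload packet of an already tracked flow or a payload recognised as a js request.

```c
/* Added example: the policy-management decision of the method, as a
 * user-space function over a constructed packet summary (not kernel
 * code and not the patent's own code). Field and enum names are assumed. */
#include <stdbool.h>
#include <stdio.h>

enum policy_result {
    POLICY_EXIT = 0,          /* packet leaves the audit flow */
    POLICY_TO_INJECT_QUEUED,  /* step 4: no payload, TCP flow already tracked */
    POLICY_TO_INJECT_JS       /* step 5: payload present and is a js request */
};

struct pkt_summary {
    bool is_tcp;         /* step 1: transport protocol is TCP */
    int  dst_port;       /* step 2: destination port, must be 80 */
    long app_len;        /* step 3: application-layer payload length */
    bool flow_tracked;   /* step 4: TCP flow present in the machine tree (queue) */
    bool is_js_request;  /* step 5: payload recognised as a js request */
};

/* Returns the decision; *step_out (if non-NULL) receives the deciding step. */
enum policy_result match_policy(const struct pkt_summary *p, int *step_out)
{
    int step;
    enum policy_result r = POLICY_EXIT;

    if (!p->is_tcp)             step = 1;   /* step 1: not TCP */
    else if (p->dst_port != 80) step = 2;   /* step 2: not port 80 */
    else if (p->app_len < 0)    step = 3;   /* step 3: malformed length */
    else if (p->app_len == 0) {             /* step 3 -> step 4 */
        step = 4;
        if (p->flow_tracked) r = POLICY_TO_INJECT_QUEUED;
    } else {                                /* step 3 -> step 5 */
        step = 5;
        if (p->is_js_request) r = POLICY_TO_INJECT_JS;
    }
    if (step_out) *step_out = step;
    return r;
}

/* Convenience wrappers so one call carries the five fields. */
enum policy_result match_policy_fields(bool is_tcp, int dst_port, long app_len,
                                       bool flow_tracked, bool is_js_request)
{
    struct pkt_summary p = { is_tcp, dst_port, app_len, flow_tracked, is_js_request };
    return match_policy(&p, NULL);
}

int decision_step(bool is_tcp, int dst_port, long app_len,
                  bool flow_tracked, bool is_js_request)
{
    struct pkt_summary p = { is_tcp, dst_port, app_len, flow_tracked, is_js_request };
    int step = 0;
    match_policy(&p, &step);
    return step;
}

static const char *result_name(enum policy_result r)
{
    switch (r) {
    case POLICY_TO_INJECT_QUEUED: return "to injection module (tracked flow)";
    case POLICY_TO_INJECT_JS:     return "to injection module (js request)";
    default:                      return "exit audit flow";
    }
}

int main(void)
{
    /* Constructed packet summaries covering each branch of the decision. */
    const struct pkt_summary samples[] = {
        { false, 80,  100, true,  true  },  /* not TCP: rejected at step 1 */
        { true,  443, 100, true,  true  },  /* port 443: rejected at step 2 */
        { true,  80,  -1,  true,  true  },  /* negative length: rejected at step 3 */
        { true,  80,  0,   true,  false },  /* empty payload, tracked flow: step 4 */
        { true,  80,  0,   false, false },  /* empty payload, untracked: exit at step 4 */
        { true,  80,  320, false, true  },  /* js request: step 5 */
        { true,  80,  320, false, false },  /* other payload: exit at step 5 */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int step;
        enum policy_result r = match_policy(&samples[i], &step);
        printf("sample %zu: decided at step %d: %s\n", i, step, result_name(r));
    }
    return 0;
}
```

The step number is reported alongside the decision so that, when the same logic is used to audit the device's own scope, each excluded packet can be attributed to the rule that excluded it; note that the "less than 0" branch of step 3 is the only defence here against a malformed length.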
3. The injection module modifies the original packet contents and sends them on to the client browser, where the relevant information is extracted and audited. When the injection module modifies the original packet contents:
If the TCP packets exist in the machine tree, the skb data frame is modified. It is first determined whether this is the first data frame; on the first data frame the Content-Length attribute is modified by adding the length of the js script to be injected to the original data frame length. By comparing Content-Length with the accumulated packet length of the same data flow, it is judged whether the data frame is the last frame; if it is, the js script information to be injected is appended to the tail of the data frame so that the total corresponds to the data length declared in the first frame.
After the injection module has modified the original packet contents, the re-assembled data frame is sent out through the preset network card device and presented on the client browser; the injected js script information obtains the audit of the web page information, such as the title, the content of posts, and so on.
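A receiver-side consistency check of the kind a proxy, endpoint agent or browser extension could run on an HTTP response, added here as an example and not part of the patent. It recomputes the body length against the declared Content-Length and flags a script element that appears after the document's closing </html> tag, which is where a script appended to the tail of the last frame ends up. Because the method described above also rewrites Content-Length on the first frame, the length check alone passes; the trailing-script check is what reports it. The response samples are constructed, and the header parsing assumes a NUL-terminated text response with CRLF line endings.

```c
/* Added example (editor-supplied, not the patent's code): a receiver-side
 * consistency check on an HTTP response. It compares the declared
 * Content-Length with the body actually received and flags a <script>
 * element placed after the closing </html> tag. Assumes a NUL-terminated
 * text response with CRLF line endings. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

#define FINDING_NONE            0
#define FINDING_LENGTH_MISMATCH 1   /* declared Content-Length != body bytes */
#define FINDING_TRAILING_SCRIPT 2   /* <script appears after </html> */
#define FINDING_NO_LENGTH       4   /* no header block or no Content-Length */

/* Case-insensitive substring search (strcasestr is not portable). */
static const char *ci_find(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    for (; *hay; hay++)
        if (strncasecmp(hay, needle, n) == 0)
            return hay;
    return NULL;
}

/* Parse Content-Length from the header block [hdr, hdr+hlen); -1 if absent. */
static long declared_content_length(const char *hdr, size_t hlen)
{
    const char *p = hdr, *end = hdr + hlen;
    while (p < end) {
        const char *eol = strstr(p, "\r\n");
        if (!eol || eol > end) eol = end;
        if ((size_t)(eol - p) > 15 && strncasecmp(p, "Content-Length:", 15) == 0)
            return strtol(p + 15, NULL, 10);
        p = eol + 2;
    }
    return -1;
}

/* Returns a bitmask of FINDING_* values for one complete response. */
int check_response(const char *resp)
{
    int findings = FINDING_NONE;
    const char *sep = strstr(resp, "\r\n\r\n");
    if (!sep)
        return FINDING_NO_LENGTH;              /* no header/body boundary */

    const char *body = sep + 4;
    size_t body_len = strlen(body);
    long declared = declared_content_length(resp, (size_t)(sep - resp));
    if (declared < 0)
        findings |= FINDING_NO_LENGTH;
    else if ((size_t)declared != body_len)
        findings |= FINDING_LENGTH_MISMATCH;

    /* Anything after </html> that opens a script element is suspect. */
    const char *html_end = ci_find(body, "</html>");
    if (html_end && ci_find(html_end + 7, "<script"))
        findings |= FINDING_TRAILING_SCRIPT;

    return findings;
}

/* Constructed responses (not captured traffic). */
const char RESP_CLEAN[] =
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 15\r\n\r\n"
    "<html>ok</html>";
/* Script appended after </html>, Content-Length left at the original value. */
const char RESP_APPENDED_STALE_LENGTH[] =
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 15\r\n\r\n"
    "<html>ok</html><script>x()</script>";
/* Same, but Content-Length rewritten to cover the appended 20 bytes. */
const char RESP_APPENDED_FIXED_LENGTH[] =
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 35\r\n\r\n"
    "<html>ok</html><script>x()</script>";

int main(void)
{
    printf("clean:         findings=%d\n", check_response(RESP_CLEAN));
    printf("stale length:  findings=%d\n", check_response(RESP_APPENDED_STALE_LENGTH));
    printf("fixed length:  findings=%d\n", check_response(RESP_APPENDED_FIXED_LENGTH));
    return 0;
}
```

The trailing-script heuristic only applies to HTML documents that carry a closing tag; for chunked or non-HTML bodies the length comparison is the only signal this check has, and a response that was re-assembled with a consistent Content-Length will pass it. A more general defence is to serve the page over TLS, since the method matches only port 80 traffic and modifies the plaintext stream in transit.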
The invention has the following features:
(1) The audit actions are truly front-loaded onto the client browser, which relieves the pressure on the audit device and reduces the hardware requirements placed on it.
(2) The implementation logic is simpler: no packet restoration module is needed, making it simple and more flexible.
It should be understood that those of ordinary skill in the art can make modifications or changes in light of the above description, and all such modifications and changes shall fall within the scope of protection of the appended claims of the present invention.
The present patent has been illustratively described above with reference to the drawings; clearly, its implementation is not limited to the above manner. Various improvements made using the method concepts and technical solutions of the present patent, or direct application of those concepts and technical solutions to other situations without improvement, fall within the scope of protection of the present invention.

Claims (4)

1. A preposition (front-loaded) auditing method, characterized in that audit analysis is carried out by an auditing system: network packets are intercepted through the netfilter framework, the intercepted packets are matched against the corresponding policies, the last packet of a packet stream is modified so that the corresponding js is inserted before it, and the js obtains the necessary information in the client browser, thereby carrying out the audit.
2. The preposition auditing method according to claim 1, characterized in that the auditing system comprises a network registration module, a policy management module and an injection module:
the network registration module provides the intercepted packets to the injection module; the policy management module matches and manages policies for the types of packets flowing through and the user IP, and serves the injection module; the injection module modifies the original packet contents and sends them on to the client browser, where the relevant information is extracted and audited.
3. The preposition auditing method according to claim 2, characterized in that the network registration module intercepts the packets flowing through by registering with the netfilter framework.
4. The preposition auditing method according to claim 2, characterized in that the process by which the policy management module matches the intercepted packets against the corresponding policies specifically comprises:
Step 1: judge whether the intercepted packet is a TCP packet; if so, proceed to the next step, otherwise exit the audit flow;
Step 2: judge whether the port is port 80; if so, proceed to the next step, otherwise exit the audit flow;
Step 3: judge the application-layer data length: if it equals 0, go to step 4; if it is greater than 0, go to step 5; if it is less than 0, exit the audit flow;
Step 4: judge whether the TCP packet exists in the machine tree; if so, send the packet to the injection module, otherwise exit the audit flow;
Step 5: judge whether the packet content is a js request; if so, send the packet to the injection module, otherwise exit the audit flow.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810212834.7A CN108337322A (en) 2018-03-15 2018-03-15 A kind of preposition auditing method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810212834.7A CN108337322A (en) 2018-03-15 2018-03-15 A kind of preposition auditing method

Publications (1)

Publication Number Publication Date
CN108337322A true CN108337322A (en) 2018-07-27

Family

ID=62930806

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810212834.7A Pending CN108337322A (en) 2018-03-15 2018-03-15 A kind of preposition auditing method

Country Status (1)

Country Link
CN (1) CN108337322A (en)

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060006876A1 (en) * 2004-07-12 2006-01-12 Midtronics, Inc. Wireless battery tester/charger
CN101887463A (en) * 2010-07-22 2010-11-17 北京天融信科技有限公司 Virtual domain-based HTTP reduction display method
CN102594587A (en) * 2012-01-17 2012-07-18 京信通信系统(中国)有限公司 Embedded WEB debugging and testing maintenance method and debugging and testing maintenance system
CN102868738A (en) * 2012-08-30 2013-01-09 福建富士通信息软件有限公司 Hyper text transfer protocol (HTTP)/hypertext transfer protocol secure (HTTPS) behavior management and control auditing method based on Web proxy
US20130262702A1 (en) * 2012-03-29 2013-10-03 A10 Networks, Inc. Hardware-based packet editor
CN104219330A (en) * 2014-09-29 2014-12-17 北京神州绿盟信息安全科技股份有限公司 Method and system for auditing screen record based on WEB proxy
CN104506519A (en) * 2014-12-22 2015-04-08 中软信息系统工程有限公司 Web site access security audit method for MIPS (Million Instructions Per Second) platform
CN105471883A (en) * 2015-12-10 2016-04-06 中国电子科技集团公司第三十研究所 Tor network tracing system and tracing method based on web injection
CN105634835A (en) * 2014-10-27 2016-06-01 任子行网络技术股份有限公司 Internet data cloud auditing method and system, and audit router

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
申婷婷: "Research and implementation of an access control and security audit system for a vertical business development platform", China Masters' Theses Full-text Database *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20180727