CN108737407A - A method and device for hijacking network traffic - Google Patents
- Publication number
- CN108737407A (application CN201810448152.6A)
- Authority
- CN
- China
- Prior art keywords
- domain name
- ssl
- protocol version
- network flow
- server
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/30—Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/18—Protocol analysers
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/45—Network directories; Name-to-address mapping
- H04L61/4505—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
- H04L61/4511—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/16—Implementing security features at a particular protocol layer
- H04L63/168—Implementing security features at a particular protocol layer above the transport layer
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/16—Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
- H04L69/161—Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields
- H04L69/162—Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields involving adaptations of sockets based mechanisms
Abstract
An embodiment of the present invention provides a method and device for hijacking network traffic. The method includes: obtaining the network traffic of a web browsing port; according to the network traffic, obtaining the connection request for establishing an SSL connection that the client sends to the server during Secure Sockets Layer (SSL) connection setup; parsing the connection request to extract the SSL protocol version field and the server's domain name field; if the protocol version corresponding to the protocol version field is the preset protocol version, parsing the domain name field to obtain the domain name address to be visited; and if the domain name address is included in the preset domain name addresses, hijacking the network traffic corresponding to the SSL connection. The device executes the above method. The method and device for hijacking network traffic provided by the embodiment of the present invention can reasonably and effectively hijack the network traffic corresponding to SSL, and thereby effectively control the internet behaviour of enterprise personnel.
Description
Technical field
The embodiments of the present invention relate to the field of network behaviour management technology, and in particular to a method and device for hijacking network traffic.
Background technology
With the rapid development of computers and broadband technology, abuse of enterprise networks, such as employees browsing non-work sites during working hours, has become fairly serious.
Therefore, an enterprise needs to manage the internet behaviour of its employees and protect the enterprise's data security, so network behaviour inside the company needs to be detected and controlled. Currently, network applications usually use general protocols such as HTTPS. The HTTPS protocol encrypts HTTP using the Secure Sockets Layer (SSL) protocol. Because the traffic is ciphertext, SSL traffic has to be hijacked using a technique such as a man-in-the-middle attack. A man-in-the-middle attack works by establishing a separate connection with each end of the communication, i.e. with the client and with the server, and relaying the data it receives between them, so that both ends believe they are talking directly to each other over a private connection while in fact the whole session is completely controlled by the attacker. Once the hijacked ciphertext has been turned into plaintext, its content is parsed and managed in the same way as plain HTTP.
Fig. 1 is a process schematic of a prior-art SSL man-in-the-middle attack. As shown in Fig. 1, the man-in-the-middle needs to know the object of the attack, i.e. the IP address of the target. A man-in-the-middle attack usually relies on DNS packets: it hijacks SSL traffic according to the IP address resolved from the domain name inside the DNS packet. The prior-art application scenarios are as follows:
1. If no DNS packets pass through the SSL man-in-the-middle attack device (the device that executes the method of Fig. 1) but the IP is known, all traffic on port 443 matching that IP only needs to be redirected to the SSL man-in-the-middle attack device in order to hijack the SSL traffic.
2. If DNS packets do pass through the SSL man-in-the-middle attack device, the DNS packets are hijacked and their content is parsed to obtain the IP inside them. There are then two cases:
1) If it is standard DNS, the IP corresponding to the required domain name can be found inside the DNS packet by matching on the domain name; all traffic on port 443 matching that IP is then redirected to the SSL man-in-the-middle attack device, which hijacks the SSL traffic.
2) If the IP cannot be extracted normally, there are again two cases:
(1) If the protocol is not standard DNS, its content cannot be parsed to extract the IP, so ultimately the SSL traffic cannot be hijacked.
(2) The domain name inside the DNS packet is an alias, i.e. the requested domain name does not match the returned one, so ultimately the SSL traffic cannot be hijacked.
3. After SSL traffic has been hijacked successfully according to the IP, the following scenarios still exist:
1) Some proprietary protocols use port 443. If what has been hijacked is a proprietary protocol, it cannot be decrypted normally because it is not SSL, which may affect or even interrupt part of the company's business.
2) One IP may correspond to multiple domain names. If the traffic of that IP is hijacked, the traffic of every domain name corresponding to the IP is hijacked, causing mistaken hijacking, which not only affects the performance of the SSL man-in-the-middle attack device but may also interfere with company business.
3) Standard SSL traffic can be decrypted normally. After the ciphertext is decrypted into plaintext, the content is analysed, and management at varying granularity can be performed on server IP, domain name, keyword and so on.
From the above description, the prior art has the following defects:
1. It depends on parsing DNS packets and cannot cover scenarios where there are no DNS packets or the DNS packets do not pass through the SSL man-in-the-middle attack device. SSL traffic can only be hijacked once the IP corresponding to the domain name has been obtained from DNS packets or the domain name's IP is already known. At the same time, all DNS packets must be hijacked, which affects the performance of the SSL man-in-the-middle attack device. Hijacking SSL traffic by relying on DNS packets is therefore not very reasonable.
2. When the same IP corresponds to multiple domain names, the traffic of all domain names corresponding to that IP is hijacked and the traffic of a single domain name cannot be distinguished, so SSL traffic cannot be hijacked effectively with this method.
3. If a proprietary protocol also uses port 443, the proprietary protocol cannot be distinguished from the SSL protocol; the proprietary protocol is hijacked but cannot be decrypted normally, which may affect part of the company's business, so hijacking SSL traffic with this method is not reasonable enough.
4. The same domain name may correspond to multiple IPs, i.e. the IP that the domain name resolves to differs by time or location. For such dynamically changing IPs, SSL traffic is hijacked poorly.
5. For domain names that use an alias inside the DNS packet, i.e. when the requested domain name and the domain name inside the DNS packet are inconsistent, the IP corresponding to the original domain name cannot be extracted, so the SSL traffic cannot be hijacked.
Therefore, how to avoid the above defects, reasonably and effectively hijack the network traffic corresponding to SSL, and thereby effectively control the internet behaviour of enterprise personnel, has become a problem that needs to be solved.
Invention content
In view of the problems in the prior art, the embodiments of the present invention provide a method and device for hijacking network traffic.
In a first aspect, an embodiment of the present invention provides a method for hijacking network traffic. The method includes:
obtaining the network traffic of a web browsing port;
according to the network traffic, obtaining the connection request for establishing an SSL connection that the client sends to the server during Secure Sockets Layer (SSL) connection setup;
parsing the connection request to extract the SSL protocol version field and the server's domain name field;
if the protocol version corresponding to the protocol version field is the preset protocol version, parsing the domain name field to obtain the domain name address to be visited;
if the domain name address is included in the preset domain name addresses, hijacking the network traffic corresponding to the SSL connection.
In a second aspect, an embodiment of the present invention provides a device for hijacking network traffic. The device includes:
a first acquisition unit for obtaining the network traffic of a web browsing port;
a second acquisition unit for obtaining, according to the network traffic, the connection request for establishing an SSL connection that the client sends to the server during Secure Sockets Layer (SSL) connection setup;
an extraction unit for parsing the connection request to extract the SSL protocol version field and the server's domain name field;
a parsing unit for parsing the domain name field to obtain the domain name address to be visited if it determines that the protocol version corresponding to the protocol version field is the preset protocol version;
a hijacking unit for hijacking the network traffic corresponding to the SSL connection if it determines that the domain name address is included in the preset domain name addresses.
In a third aspect, an embodiment of the present invention provides an electronic device including a processor, a memory and a bus, where the processor and the memory communicate with each other through the bus; the memory stores program instructions executable by the processor, and the processor calls the program instructions to perform the following method:
obtaining the network traffic of a web browsing port;
according to the network traffic, obtaining the connection request for establishing an SSL connection that the client sends to the server during Secure Sockets Layer (SSL) connection setup;
parsing the connection request to extract the SSL protocol version field and the server's domain name field;
if the protocol version corresponding to the protocol version field is the preset protocol version, parsing the domain name field to obtain the domain name address to be visited;
if the domain name address is included in the preset domain name addresses, hijacking the network traffic corresponding to the SSL connection.
In a fourth aspect, an embodiment of the present invention provides a non-transitory computer-readable storage medium, which stores computer instructions that cause the computer to perform the following method:
obtaining the network traffic of a web browsing port;
according to the network traffic, obtaining the connection request for establishing an SSL connection that the client sends to the server during Secure Sockets Layer (SSL) connection setup;
parsing the connection request to extract the SSL protocol version field and the server's domain name field;
if the protocol version corresponding to the protocol version field is the preset protocol version, parsing the domain name field to obtain the domain name address to be visited;
if the domain name address is included in the preset domain name addresses, hijacking the network traffic corresponding to the SSL connection.
The method and device for hijacking network traffic provided by the embodiments of the present invention make a prioritised judgement on the SSL protocol version and the domain name address to be visited, and hijack the network traffic corresponding to the SSL connections that satisfy the judgement conditions; they can therefore reasonably and effectively hijack the network traffic corresponding to SSL and thereby effectively control the internet behaviour of enterprise personnel.
Description of the drawings
In order to explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description show only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a process schematic of a prior-art SSL man-in-the-middle attack;
Fig. 2 is a flow schematic of the method for hijacking network traffic according to an embodiment of the present invention;
Fig. 3 is an information exchange diagram for hijacking network traffic according to an embodiment of the present invention;
Fig. 4 is a structural schematic of the device for hijacking network traffic according to an embodiment of the present invention;
Fig. 5 is a structural schematic of an electronic device provided by an embodiment of the present invention.
Specific implementation mode
In order to make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
Fig. 2 is a flow schematic of the method for hijacking network traffic according to an embodiment of the present invention. As shown in Fig. 2, the method provided by the embodiment includes the following steps:
S201: Obtain the network traffic of a web browsing port.
Specifically, the device obtains the network traffic of the web browsing port. The device can be the enterprise's network management device. Fig. 3 is the information exchange diagram for hijacking network traffic according to the embodiment; as shown in Fig. 3, "Device" in Fig. 3 corresponds to the device, "Client" corresponds to the client, which can be a mobile phone, computer, etc. used by staff in the enterprise, and "Server" corresponds to the server that staff in the enterprise access over the network. The web browsing port can be port 443; the network traffic of all servers accessed by all staff in the enterprise can be obtained by redirecting the network traffic of all port 443 connections.
S202: According to the network traffic, obtain the connection request for establishing an SSL connection that the client sends to the server during Secure Sockets Layer (SSL) connection setup.
Specifically, the device obtains, according to the network traffic, the connection request for establishing the SSL connection that the client sends to the server during SSL connection setup. With reference to Fig. 3, the connection request corresponds to the "Client-hello" in Fig. 3: while client and server set up the SSL connection, the client sends a Client-hello request, which contains information such as the SSL protocol version field, the supported encryption algorithms and the server's domain name field.
S203: Parse the connection request to extract the SSL protocol version field and the server's domain name field.
Specifically, the device parses the connection request and extracts the SSL protocol version field and the server's domain name field contained in the Client-hello request.
S204: If the protocol version corresponding to the protocol version field is the preset protocol version, parse the domain name field to obtain the domain name address to be visited.
Specifically, if the device determines that the protocol version corresponding to the protocol version field is the preset protocol version, it parses the domain name field to obtain the domain name address to be visited. Protocol versions include SSL2.0, SSL3.0, TLS1.0, TLS1.1, TLS1.2, TLS1.3 and so on; the preset protocol version can be set independently according to actual conditions, and may be chosen as TLS1.2. Examples of domain name addresses to be visited are news websites, search websites, online game websites, professional study websites and so on.
S205: If the domain name address is included in the preset domain name addresses, hijack the network traffic corresponding to the SSL connection.
Specifically, if the device determines that the domain name address is included in the preset domain name addresses, it hijacks the network traffic corresponding to the SSL connection. The preset domain name addresses can be set independently according to the actual needs of the enterprise; usually an enterprise does not allow staff to visit online game websites and the like that are unrelated to its business, so the addresses of such websites can be used as the preset domain name addresses. For example, if the domain name address is www.xabc.com, which corresponds to an online game website, and that website is in the preset domain name addresses, the network traffic corresponding to the SSL connection is hijacked so that the client cannot access the server corresponding to www.xabc.com. If the domain name address is www.abc.com, which corresponds to a search website, and that website is not in the preset domain name addresses, the network traffic corresponding to the SSL connection is released so that the client can access the server corresponding to www.abc.com.
It should be noted that, in order to determine more conveniently and effectively whether the preset domain name addresses include the domain name address, a string search method can be used; the specific string search method can be multi-pattern matching ACBM.
The preset domain name addresses can be expressed in a preset format, which can include true domain names and fuzzy-matching domain names derived from the true domain names. Referring to the example above, www.xabc.com is a true domain name and the fuzzy-matching domain name can be *.xabc.com; the specific manner of fuzzy matching is not limited. To further facilitate managing and analysing the preset domain name addresses, they can be stored in the form of a data table.
It should be noted that if it is determined that the protocol version corresponding to the above protocol version field is not the preset protocol version, the network traffic corresponding to the SSL connection is released so that the client can access the server corresponding to the domain name address, e.g. www.abc.com.
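The S201 to S205 procedure as one runnable example, added here and not part of the patent: it constructs a sample TLS record carrying a Client-hello (constructed data, not captured traffic), parses out the protocol version field and the server_name extension that the patent calls the domain name field, and applies the S204 and S205 checks to return an allow/intercept decision; the interception itself is out of scope and only the classification is shown. The names build_client_hello, parse_client_hello, matches_preset, decide and the preset list are assumptions; www.xabc.com and *.xabc.com are the page's own examples. Two caveats a practitioner would add that the patent does not state: a TLS 1.3 client still writes 0x0303 (TLS1.2) in the Client-hello version field and announces 1.3 in the supported_versions extension, which the parser reports separately; and a client using Encrypted Client Hello does not expose the server name in cleartext, so the domain check then has nothing to inspect.

```python
import struct

# TLS constants (RFC 5246 / RFC 8446 values)
TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
EXT_SUPPORTED_VERSIONS = 0x002B
VERSION_NAMES = {0x0300: "SSL3.0", 0x0301: "TLS1.0", 0x0302: "TLS1.1",
                 0x0303: "TLS1.2", 0x0304: "TLS1.3"}

# Constructed preset list (hypothetical policy data): the page's true domain
# name plus its fuzzy-matching form.
PRESET_DOMAINS = ["www.xabc.com", "*.xabc.com"]


def build_client_hello(version, server_name, supported_versions=None):
    """Construct a minimal TLS record carrying a ClientHello (sample data, not a capture)."""
    host = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(host)) + host          # name_type host_name(0)
    sni = struct.pack("!H", len(entry)) + entry                      # ServerNameList
    exts = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    if supported_versions:
        body = b"".join(struct.pack("!H", v) for v in supported_versions)
        body = bytes([len(body)]) + body
        exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(body)) + body
    hello = struct.pack("!H", version)           # legacy_version field
    hello += b"\x11" * 32                        # random (constructed, fixed bytes)
    hello += b"\x00"                             # session_id: empty
    hello += struct.pack("!H", 2) + b"\xc0\x2f"  # one cipher suite
    hello += b"\x01\x00"                         # compression_methods: null only
    hello += struct.pack("!H", len(exts)) + exts
    hs = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([TLS_HANDSHAKE]) + struct.pack("!HH", 0x0301, len(hs)) + hs


def parse_client_hello(record):
    """Return {'legacy_version', 'offered_versions', 'server_name'} for a TLS
    ClientHello record, or None when the bytes are not a ClientHello (for
    example a proprietary protocol on port 443, or a truncated record)."""
    try:
        if record[0] != TLS_HANDSHAKE:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != CLIENT_HELLO:
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) != hs_len:
            return None                                   # truncated handshake
        legacy_version = struct.unpack("!H", body[0:2])[0]
        pos = 2 + 32                                      # skip random
        pos += 1 + body[pos]                              # skip session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher_suites
        pos += 1 + body[pos]                              # skip compression_methods
        info = {"legacy_version": legacy_version, "offered_versions": [], "server_name": None}
        if pos == len(body):
            return info                                   # no extensions present
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type == EXT_SERVER_NAME and data[2] == 0:   # host_name entry
                name_len = struct.unpack("!H", data[3:5])[0]
                info["server_name"] = data[5:5 + name_len].decode("ascii", "replace")
            elif ext_type == EXT_SUPPORTED_VERSIONS:
                n = data[0]
                info["offered_versions"] = [struct.unpack("!H", data[1 + i:3 + i])[0]
                                            for i in range(0, n, 2)]
        return info
    except (IndexError, struct.error):
        return None


def matches_preset(domain, preset=PRESET_DOMAINS):
    """True when the domain is in the preset list: exact match for a true
    domain name, suffix match for a '*.' fuzzy pattern (assumed semantics)."""
    d = domain.lower().rstrip(".")
    for pat in preset:
        pat = pat.lower()
        if pat.startswith("*."):
            if d.endswith(pat[1:]):
                return True
        elif d == pat:
            return True
    return False


def decide(record, preset_version=0x0303, preset=PRESET_DOMAINS):
    """S203-S205 decision: 'intercept' only for a standard ClientHello whose
    version field equals the preset version and whose server name is listed;
    everything else is released ('allow')."""
    info = parse_client_hello(record)
    if info is None:
        return "allow"                 # not standard SSL/TLS: leave it alone
    if info["legacy_version"] != preset_version:
        return "allow"                 # S204 negative branch
    name = info["server_name"]
    if name and matches_preset(name, preset):
        return "intercept"             # S205: domain is in the preset addresses
    return "allow"


if __name__ == "__main__":
    for host in ("www.xabc.com", "game.xabc.com", "www.abc.com"):
        rec = build_client_hello(0x0303, host, [0x0304, 0x0303])
        print(host, VERSION_NAMES[parse_client_hello(rec)["legacy_version"]], decide(rec))
```

The parser returns None rather than raising on anything that is not a well-formed Client-hello, which is the behaviour the patent wants for proprietary protocols on port 443: such connections are released untouched instead of being intercepted and then failing to decrypt.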
The embodiments of the present invention can solve the problems in the following scenarios:
1. Multiple domain names correspond to the same IP. For example, the IP of website A is known to be 1.1.1.1, the IP of website B is also 1.1.1.1, and the IP of website C is 1.1.1.1 as well. If only website A needs to be audited while websites B and C are released, hijacking based on IP would hijack all three websites A, B and C; although this meets the business need, it also hijacks websites that should not be hijacked and degrades the performance of the device.
2. No DNS packets. If website A needs to be hijacked, only the domain name of website A is known, not its IP address. The only option is then to hijack the DNS packets and parse them to obtain the IP corresponding to the domain name, so hijacking based on the domain name essentially has to rely on DNS packets. There are three situations: (1) without DNS packets, no DNS response packet can be obtained and the IP corresponding to the domain name cannot be learned; (2) the DNS packets do not pass through the SSL man-in-the-middle attack device, so they cannot be parsed and the IP corresponding to the domain name cannot be learned either; (3) some requests do not obtain the IP address through DNS, for example with the DNS-over-HTTP protocol, so the IP corresponding to the domain name cannot be obtained either.
3. Proprietary protocols. Some proprietary protocols also use port 443. By extracting the field carrying the SSL protocol version information from the Client-hello, it can be judged whether the protocol is standard SSL. If it is a proprietary protocol, it is not hijacked.
4. Dynamic IPs in DNS. Multiple IPs correspond to the same domain name, i.e. the same domain name resolves to different IPs at different times or places. If SSL traffic is hijacked based on IP, the hijacking accuracy suffers. Hijacking based on the Client-hello does not rely on parsing DNS packets and therefore avoids this situation.
The method for hijacking network traffic provided by the embodiment of the present invention makes a prioritised judgement on the SSL protocol version and the domain name address to be visited, and hijacks the network traffic corresponding to the SSL connections that satisfy the judgement conditions; it can therefore reasonably and effectively hijack the network traffic corresponding to SSL and thereby effectively control the internet behaviour of enterprise personnel.
On the basis of the above embodiments, the method further includes:
using a string search method to determine whether the preset domain name addresses include the domain name address.
Specifically, the device uses a string search method to determine whether the preset domain name addresses include the domain name address. Reference can be made to the above embodiments, which are not repeated here.
The method for hijacking network traffic provided by the embodiment of the present invention determines, by using a string search method, whether the preset domain name addresses include the domain name address, and so can efficiently determine whether the preset domain name addresses include the domain name address, which further optimises the method.
On the basis of the above embodiments, the string search method includes multi-pattern matching ACBM.
Specifically, the string search method in the device includes multi-pattern matching ACBM. Reference can be made to the above embodiments, which are not repeated here.
The method for hijacking network traffic provided by the embodiment of the present invention determines whether the preset domain name addresses include the domain name address by using the multi-pattern matching ACBM string search method, and so can determine this even more efficiently, which further optimises the method.
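The note after S205 and the embodiment above both name multi-pattern matching ACBM (Aho-Corasick combined with Boyer-Moore) for the lookup against the preset domain table. As an added example that is not the patent's own code, the following implements the Aho-Corasick automaton half of that scheme (the Boyer-Moore skip heuristic is omitted as a simplification): every preset pattern, true domain names and "*."-prefixed fuzzy patterns alike, is compiled into one automaton, so a server name is scanned once regardless of how many patterns the table holds. Anchoring is checked after each hit so that an exact pattern must cover the whole name and a fuzzy pattern must end where the name ends; without that check, www.xabc.com.evil.test would match www.xabc.com. The class name DomainMatcher and the sample pattern list are assumptions; www.xabc.com and *.xabc.com are the page's own examples.

```python
from collections import deque


class DomainMatcher:
    """Aho-Corasick automaton over a preset domain table. Exact patterns
    ("www.xabc.com") must cover the whole name; fuzzy patterns ("*.xabc.com")
    are stored as their ".xabc.com" suffix and must end where the name ends."""

    def __init__(self, patterns):
        self.goto = [{}]     # per-state transition table
        self.fail = [0]      # per-state failure link
        self.out = [[]]      # per-state list of (length, kind, original pattern)
        for p in patterns:
            p = p.lower()
            if p.startswith("*."):
                self._add(p[1:], "suffix", p)
            else:
                self._add(p, "exact", p)
        self._link()

    def _add(self, text, kind, original):
        state = 0
        for ch in text:
            nxt = self.goto[state].get(ch)
            if nxt is None:
                nxt = len(self.goto)
                self.goto.append({})
                self.fail.append(0)
                self.out.append([])
                self.goto[state][ch] = nxt
            state = nxt
        self.out[state].append((len(text), kind, original))

    def _link(self):
        # BFS from the root: each state's failure link points at the longest
        # proper suffix of its path that is also a prefix of some pattern, and
        # the outputs reachable through that link are merged into the state.
        queue = deque(self.goto[0].values())
        while queue:
            state = queue.popleft()
            for ch, nxt in self.goto[state].items():
                f = self.fail[state]
                while f and ch not in self.goto[f]:
                    f = self.fail[f]
                self.fail[nxt] = self.goto[f].get(ch, 0)
                self.out[nxt] = self.out[nxt] + self.out[self.fail[nxt]]
                queue.append(nxt)

    def match(self, domain):
        """Scan the server name once; return every preset pattern it satisfies."""
        name = domain.lower().rstrip(".")
        state, hits = 0, []
        for i, ch in enumerate(name):
            while state and ch not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(ch, 0)
            end = i + 1
            for length, kind, original in self.out[state]:
                if kind == "exact" and end == len(name) and end - length == 0:
                    hits.append(original)
                elif kind == "suffix" and end == len(name):
                    hits.append(original)
        return hits

    def is_listed(self, domain):
        """The S205 test: does any preset pattern cover this domain name?"""
        return bool(self.match(domain))


if __name__ == "__main__":
    # Constructed preset table in the patent's preset format (true domain
    # names and fuzzy-matching forms); hypothetical entries, not a real list.
    table = DomainMatcher(["www.xabc.com", "*.xabc.com", "*.game.example", "news.example"])
    for host in ("www.xabc.com", "login.xabc.com", "www.abc.com", "www.xabc.com.evil.test"):
        print(host, table.match(host))
```

The table is built once when the preset list changes and reused for every Client-hello, which is what makes the single-pass scan worthwhile: the cost per lookup depends on the length of the server name, not on the size of the table.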
On the basis of the above embodiments, the method further includes:
expressing the preset domain name addresses in a preset format, the preset format including true domain names and fuzzy-matching domain names derived from the true domain names.
Specifically, the device expresses the preset domain name addresses in a preset format that includes true domain names and fuzzy-matching domain names derived from the true domain names. Reference can be made to the above embodiments, which are not repeated here.
The method for hijacking network traffic provided by the embodiment of the present invention expresses the preset domain name addresses in a preset format, and so can conveniently determine whether the preset domain name addresses include the domain name address, which further optimises the method.
On the basis of the above embodiments, the method further includes:
if the domain name address is not included in the preset domain name addresses, releasing the network traffic corresponding to the SSL connection so that the client can access the server.
Specifically, if the device determines that the domain name address is not included in the preset domain name addresses, it releases the network traffic corresponding to the SSL connection so that the client can access the server. Reference can be made to the above embodiments, which are not repeated here.
The method for hijacking network traffic provided by the embodiment of the present invention releases the network traffic corresponding to SSL connections whose domain name address is not included in the preset domain name addresses, so that the client can access the server normally, and can therefore control the internet behaviour of enterprise personnel more effectively.
On the basis of the above embodiments, the method further includes:
if the protocol version corresponding to the protocol version field is not the preset protocol version, releasing the network traffic corresponding to the SSL connection so that the client can access the server.
Specifically, if the device determines that the protocol version corresponding to the protocol version field is not the preset protocol version, it releases the network traffic corresponding to the SSL connection so that the client can access the server.
The method for hijacking network traffic provided by the embodiment of the present invention releases the network traffic corresponding to SSL connections whose protocol version is not the preset protocol version, so that the client can access the server normally, and can therefore control the internet behaviour of enterprise personnel more effectively.
On the basis of the above embodiments, obtaining the network traffic of the web browsing port includes:
redirecting the network traffic of all port 443 connections to obtain the network traffic.
Specifically, the device redirects the network traffic of all port 443 connections to obtain the network traffic. Reference can be made to the above embodiments, which are not repeated here.
The method for hijacking network traffic provided by the embodiment of the present invention can reasonably obtain the network traffic by redirecting the network traffic of all port 443 connections.
Fig. 4 is the apparatus structure schematic diagram that the embodiment of the present invention kidnaps network flow, as shown in figure 4, the embodiment of the present invention
Provide it is a kind of kidnap network flow device, including first acquisition unit 401, second acquisition unit 402, extraction unit 403,
Resolution unit 404 and abduction unit 405, wherein:
First acquisition unit 401 is used to obtain the network flow of web page browsing port;Second acquisition unit 402 is used for basis
The network flow obtains described in the foundation that user end to server is sent during establishing Secure Socket Layer SSL connections
The connection request of SSL;Extraction unit 403 is for parsing the connection request, to extract protocol version field and the institute of the SSL
State the domain name field of server;If resolution unit 404 knows that the corresponding protocol version of the protocol version field is for judging
Preset protocol version parses domain name field, to obtain domain name addresses to be visited;If kidnapping unit 405 to obtain for judging
Know that domain name address is included in default domain name addresses, then kidnaps the corresponding network flows of the SSL.
Specifically, first acquisition unit 401 is used to obtain the network flow of web page browsing port;Second acquisition unit 402
For according to the network flow, obtaining what user end to server during establishing Secure Socket Layer SSL connections was sent
Establish the connection request of the SSL;Extraction unit 403 is for parsing the connection request, to extract the protocol version of the SSL
The domain name field of field and the server;If resolution unit 404 knows the corresponding association of the protocol version field for judging
It is preset protocol version to discuss version, domain name field is parsed, to obtain domain name addresses to be visited;Unit 405 is kidnapped to be used for
If judgement knows that domain name address is included in default domain name addresses, the corresponding network flows of the SSL are kidnapped.
The device provided in an embodiment of the present invention for kidnapping network flow, passes through protocol version to SSL and domain to be visited
Name address carries out priority judgement, and the corresponding network flows of the SSL for meeting Rule of judgment are kidnapped, can rationally, effectively
The corresponding network flows of SSL are kidnapped, and then effectively control the internet behavior of enterprise personnel.
On the basis of the above embodiments, the hijacking unit 405 is specifically configured to:
use a string searching method to determine whether the preset domain name addresses include the domain name address.
Specifically, the hijacking unit 405 is configured to: use a string searching method to determine whether the preset domain name addresses include the domain name address.
The device for hijacking network traffic provided in this embodiment of the present invention uses a string searching method to determine whether the preset domain name addresses include the domain name address; it can therefore make this determination efficiently, which further optimizes the device.
On the basis of the above embodiments, the string searching method includes multi-pattern matching ACBM.
Specifically, the string searching method used in the device includes multi-pattern matching ACBM.
The device for hijacking network traffic provided in this embodiment of the present invention uses the multi-pattern matching ACBM string searching method to determine whether the preset domain name addresses include the domain name address; it can therefore make this determination even more efficiently, which further optimizes the device.
On the basis of the above embodiments, the resolution unit 404 is specifically configured to:
represent the preset domain name addresses in a preset format, the preset format including a true domain name and a fuzzy matching domain name derived from the true domain name.
Specifically, the resolution unit 404 is configured to: represent the preset domain name addresses in a preset format, the preset format including a true domain name and a fuzzy matching domain name derived from the true domain name.
The device for hijacking network traffic provided in this embodiment of the present invention represents the preset domain name addresses in a preset format; it can therefore easily determine whether the preset domain name addresses include the domain name address, which further optimizes the device.
On the basis of the above embodiments, the hijacking unit 405 is specifically configured to:
if it determines that the domain name address is not included in the preset domain name addresses, let the network traffic corresponding to the SSL connection pass, so that the client can access the server.
Specifically, the hijacking unit 405 is configured to: if it determines that the domain name address is not included in the preset domain name addresses, let the network traffic corresponding to the SSL connection pass, so that the client can access the server.
The device for hijacking network traffic provided in this embodiment of the present invention lets through the SSL traffic whose domain name address is not included in the preset domain name addresses, so that the client can access the server normally; it can therefore control the internet behaviour of enterprise personnel more effectively.
On the basis of the above embodiments, the resolution unit 404 is specifically configured to:
if it determines that the protocol version corresponding to the protocol version field is not the preset protocol version, let the network traffic corresponding to the SSL connection pass, so that the client can access the server.
Specifically, the resolution unit 404 is configured to: if it determines that the protocol version corresponding to the protocol version field is not the preset protocol version, let the network traffic corresponding to the SSL connection pass, so that the client can access the server.
The device for hijacking network traffic provided in this embodiment of the present invention lets through the SSL traffic whose protocol version is not the preset protocol version, so that the client can access the server normally; it can therefore control the internet behaviour of enterprise personnel more effectively.
On the basis of the above embodiments, the first acquisition unit 401 is specifically configured to:
redirect all port 443 network traffic in order to obtain the network traffic.
Specifically, the first acquisition unit 401 is configured to: redirect all port 443 network traffic in order to obtain the network traffic.
The device for hijacking network traffic provided in this embodiment of the present invention obtains the network traffic in a reasonable way by redirecting all port 443 network traffic.
The device for hijacking network traffic provided in this embodiment of the present invention can be used to execute the process flow of each of the method embodiments above. Its functions are not described again here; reference may be made to the detailed description of the method embodiments above.
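As an added example that is not part of the patent, the following Python implements the decision flow the units above describe: parse a port 443 ClientHello, extract the protocol version field and the server name field, gate on the preset protocol version, and match the host against the preset domain name addresses (a true domain plus the fuzzy-match names derived from it). It assumes TLS 1.2 as the preset protocol version (the page gives no value), treats a fuzzy match as any subdomain of the true domain, and uses a label-wise suffix lookup in place of the ACBM multi-pattern matcher; PRESET_DOMAINS and build_client_hello are constructed for the example.

```python
"""Added example (not the patent's own code): the hijack/pass decision that units
401-405 describe, applied to one raw TLS record captured on port 443.
Assumptions not stated on the page: the preset protocol version is TLS 1.2
(client_version 0x0303); a "fuzzy matching domain name" means any subdomain of
the true domain; a label-wise suffix lookup stands in for the ACBM matcher."""
import struct
from typing import Optional, Set, Tuple

PRESET_VERSION = (3, 3)                              # assumed: TLS 1.2
PRESET_DOMAINS = {"example.com", "social.example"}   # constructed sample list


def parse_client_hello(data: bytes) -> Tuple[Optional[Tuple[int, int]], Optional[str]]:
    """Return (protocol_version, sni_hostname) for a ClientHello record,
    or (None, None) if the record is not a ClientHello or is malformed."""
    try:
        if data[0] != 0x16:                          # content type: handshake
            return None, None
        rec_len = struct.unpack("!H", data[3:5])[0]
        hs = data[5:5 + rec_len]
        if hs[0] != 0x01:                            # handshake type: ClientHello
            return None, None
        version = (hs[4], hs[5])                     # the "protocol version field"
        pos = 6 + 32                                 # skip the 32-byte random
        pos += 1 + hs[pos]                           # session id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher suites
        pos += 1 + hs[pos]                           # compression methods
        if pos + 2 > len(hs):
            return version, None                     # no extensions present
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            body = hs[pos + 4:pos + 4 + elen]
            # server_name extension: list len (2) | name type (1) | name len (2) | name
            if etype == 0 and len(body) >= 5 and body[2] == 0:
                name_len = struct.unpack("!H", body[3:5])[0]
                return version, body[5:5 + name_len].decode("ascii")
            pos += 4 + elen
        return version, None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None, None


def domain_matches(host: str, preset: Set[str]) -> bool:
    """True if host is a preset true domain or a subdomain of one (the fuzzy
    match). Whole labels are compared, so notexample.com never matches example.com."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in preset for i in range(len(labels)))


def decide(data: bytes) -> str:
    """'hijack' when the version is the preset one and the SNI is in the preset
    list; otherwise 'pass', so the client can reach the server as the text says."""
    version, host = parse_client_hello(data)
    if version != PRESET_VERSION or host is None:
        return "pass"
    return "hijack" if domain_matches(host, PRESET_DOMAINS) else "pass"


def build_client_hello(host: str, version=(3, 3)) -> bytes:
    """Construct a minimal ClientHello carrying an SNI (test input only)."""
    name = host.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (bytes(version) + b"\x00" * 32 + b"\x00"       # version, random, no session id
            + b"\x00\x02\x13\x01"                          # one cipher suite
            + b"\x01\x00"                                  # one compression method (null)
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Comparing whole DNS labels avoids the false positive a raw substring search gives when a host such as notexample.com contains the preset string example.com.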
Fig. 5 is a schematic diagram of the physical structure of an electronic device provided in an embodiment of the present invention. As shown in Fig. 5, the electronic device includes: a processor 501, a memory 502 and a bus 503;
where the processor 501 and the memory 502 communicate with each other via the bus 503;
and the processor 501 is configured to call the program instructions in the memory 502 in order to execute the method provided by each of the method embodiments above, which for example includes: obtaining the network traffic of the web browsing port; obtaining, from the network traffic, the connection request for establishing the SSL connection that the client sends to the server while the Secure Sockets Layer (SSL) connection is being established; parsing the connection request to extract the protocol version field of the SSL and the domain name field of the server; if the protocol version corresponding to the protocol version field is the preset protocol version, parsing the domain name field to obtain the domain name address to be visited; and if the domain name address is included in the preset domain name addresses, hijacking the network traffic corresponding to the SSL connection.
This embodiment discloses a computer program product. The computer program product includes a computer program stored on a non-transitory computer-readable storage medium, and the computer program includes program instructions. When the program instructions are executed by a computer, the computer is able to carry out the method provided by each of the method embodiments above, which for example includes: obtaining the network traffic of the web browsing port; obtaining, from the network traffic, the connection request for establishing the SSL connection that the client sends to the server while the Secure Sockets Layer (SSL) connection is being established; parsing the connection request to extract the protocol version field of the SSL and the domain name field of the server; if the protocol version corresponding to the protocol version field is the preset protocol version, parsing the domain name field to obtain the domain name address to be visited; and if the domain name address is included in the preset domain name addresses, hijacking the network traffic corresponding to the SSL connection.
This embodiment provides a non-transitory computer-readable storage medium. The non-transitory computer-readable storage medium stores computer instructions, and the computer instructions cause the computer to execute the method provided by each of the method embodiments above, which for example includes: obtaining the network traffic of the web browsing port; obtaining, from the network traffic, the connection request for establishing the SSL connection that the client sends to the server while the Secure Sockets Layer (SSL) connection is being established; parsing the connection request to extract the protocol version field of the SSL and the domain name field of the server; if the protocol version corresponding to the protocol version field is the preset protocol version, parsing the domain name field to obtain the domain name address to be visited; and if the domain name address is included in the preset domain name addresses, hijacking the network traffic corresponding to the SSL connection.
Those of ordinary skill in the art will appreciate that all or part of the steps of the method embodiments above can be completed by program instructions together with the associated hardware. The program can be stored in a computer-readable storage medium and, when executed, performs the steps of the method embodiments above. The storage medium includes various media that can store program code, such as ROM, RAM, magnetic disks or optical disks.
The embodiments of the electronic device and the like described above are merely schematic. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement this without creative labour.
From the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general-purpose hardware platform, and naturally also by hardware. Based on this understanding, the technical solution above, or the part of it that contributes over the existing technology, can in essence be embodied in the form of a software product. This computer software product can be stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disc, and includes a number of instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to execute the method described in each embodiment or in certain parts of the embodiments.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the embodiments of the present invention, not to limit it. Although the embodiments of the present invention have been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that they can still modify the technical solutions described in the above embodiments, or replace some or all of the technical features with equivalents, and that such modifications or replacements do not take the essence of the corresponding technical solution outside the scope of the technical solutions of the embodiments of the present invention.
Claims (16)
1. A method for hijacking network traffic, characterized in that it comprises:
obtaining the network traffic of a web browsing port;
obtaining, from the network traffic, a connection request for establishing an SSL connection that a client sends to a server while a Secure Sockets Layer (SSL) connection is being established;
parsing the connection request to extract a protocol version field of the SSL and a domain name field of the server;
if a protocol version corresponding to the protocol version field is a preset protocol version, parsing the domain name field to obtain a domain name address to be visited;
if the domain name address is included in preset domain name addresses, hijacking the network traffic corresponding to the SSL connection.
2. The method according to claim 1, characterized in that the method further comprises:
using a string searching method to determine whether the preset domain name addresses include the domain name address.
3. The method according to claim 2, characterized in that the string searching method comprises multi-pattern matching ACBM.
4. The method according to any one of claims 1 to 3, characterized in that the method further comprises:
representing the preset domain name addresses in a preset format, the preset format comprising a true domain name and a fuzzy matching domain name derived from the true domain name.
5. The method according to any one of claims 1 to 3, characterized in that the method further comprises:
if the domain name address is not included in the preset domain name addresses, letting the network traffic corresponding to the SSL connection pass, so that the client can access the server.
6. The method according to any one of claims 1 to 3, characterized in that the method further comprises:
if the protocol version corresponding to the protocol version field is not the preset protocol version, letting the network traffic corresponding to the SSL connection pass, so that the client can access the server.
7. The method according to any one of claims 1 to 3, characterized in that obtaining the network traffic of the web browsing port comprises:
redirecting all port 443 network traffic to obtain the network traffic.
8. A device for hijacking network traffic, characterized in that it comprises:
a first acquisition unit, configured to obtain the network traffic of a web browsing port;
a second acquisition unit, configured to obtain, from the network traffic, a connection request for establishing an SSL connection that a client sends to a server while a Secure Sockets Layer (SSL) connection is being established;
an extraction unit, configured to parse the connection request to extract a protocol version field of the SSL and a domain name field of the server;
a resolution unit, configured to parse the domain name field to obtain a domain name address to be visited if it determines that a protocol version corresponding to the protocol version field is a preset protocol version;
a hijacking unit, configured to hijack the network traffic corresponding to the SSL connection if it determines that the domain name address is included in preset domain name addresses.
9. The device according to claim 8, characterized in that the hijacking unit is specifically configured to:
use a string searching method to determine whether the preset domain name addresses include the domain name address.
10. The device according to claim 9, characterized in that the string searching method comprises multi-pattern matching ACBM.
11. The device according to any one of claims 8 to 10, characterized in that the resolution unit is specifically configured to:
represent the preset domain name addresses in a preset format, the preset format comprising a true domain name and a fuzzy matching domain name derived from the true domain name.
12. The device according to any one of claims 8 to 10, characterized in that the hijacking unit is specifically configured to:
if it determines that the domain name address is not included in the preset domain name addresses, let the network traffic corresponding to the SSL connection pass, so that the client can access the server.
13. The device according to any one of claims 8 to 10, characterized in that the resolution unit is specifically configured to:
if it determines that the protocol version corresponding to the protocol version field is not the preset protocol version, let the network traffic corresponding to the SSL connection pass, so that the client can access the server.
14. The device according to any one of claims 8 to 10, characterized in that the first acquisition unit is specifically configured to:
redirect all port 443 network traffic to obtain the network traffic.
15. An electronic device, characterized in that it comprises: a processor, a memory and a bus, wherein
the processor and the memory communicate with each other via the bus;
the memory stores program instructions executable by the processor, and the processor, by calling the program instructions, is able to execute the method according to any one of claims 1 to 7.
16. A non-transitory computer-readable storage medium, characterized in that the non-transitory computer-readable storage medium stores computer instructions, and the computer instructions cause the computer to execute the method according to any one of claims 1 to 7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810448152.6A CN108737407A (en) | 2018-05-11 | 2018-05-11 | A kind of method and device for kidnapping network flow |
Publications (1)
Publication Number | Publication Date |
---|---|
CN108737407A true CN108737407A (en) | 2018-11-02 |
Family
ID=63937309
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810448152.6A Pending CN108737407A (en) | 2018-05-11 | 2018-05-11 | A kind of method and device for kidnapping network flow |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108737407A (en) |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112152866A (en) * | 2019-06-27 | 2020-12-29 | 中国移动通信集团湖南有限公司 | Method, device, equipment and storage medium for synthesizing browsing type XDR data |
CN112152866B (en) * | 2019-06-27 | 2022-06-17 | 中国移动通信集团湖南有限公司 | Method, device, equipment and storage medium for synthesizing browsing type XDR data |
CN111596942A (en) * | 2020-05-21 | 2020-08-28 | 四川普思科创信息技术有限公司 | Method and device for forcibly triggering software upgrading and software upgrading system |
CN113873057A (en) * | 2021-09-28 | 2021-12-31 | 奇安信科技集团股份有限公司 | Data processing method and device |
CN113873057B (en) * | 2021-09-28 | 2024-03-15 | 奇安信科技集团股份有限公司 | Data processing method and device |
CN116155549A (en) * | 2022-12-23 | 2023-05-23 | 武汉雨滴科技有限公司 | Terminal external connection detection method and device, electronic equipment and storage medium |
CN116155549B (en) * | 2022-12-23 | 2023-12-29 | 武汉雨滴科技有限公司 | Terminal external connection detection method and device, electronic equipment and storage medium |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20080263215A1 (en) * | 2007-04-23 | 2008-10-23 | Schnellbaecher Jan F | Transparent secure socket layer |
CN101741644A (en) * | 2009-12-16 | 2010-06-16 | 成都市华为赛门铁克科技有限公司 | Flow detection method and apparatus |
CN103618726A (en) * | 2013-12-04 | 2014-03-05 | 北京中创信测科技股份有限公司 | Method for recognizing mobile data service based on HTTPS |
CN103825887A (en) * | 2014-02-14 | 2014-05-28 | 深信服网络科技(深圳)有限公司 | Hypertext transfer protocol over secure socket layer (HTTPS) encryption-based web filtering method and system |
CN103873466A (en) * | 2014-03-04 | 2014-06-18 | 深信服网络科技(深圳)有限公司 | HTTPS (Hypertext Transfer Protocol Secure) website filtration and interdict alarm method and device |
CN104270379A (en) * | 2014-10-14 | 2015-01-07 | 北京蓝汛通信技术有限责任公司 | HTTPS proxy forwarding method and device based on transmission control protocol |
- 2018-05-11 CN CN201810448152.6A patent/CN108737407A/en active Pending
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP2850770B1 (en) | Transport layer security traffic control using service name identification | |
US8065719B2 (en) | Method and apparatus for reducing firewall rules | |
KR101662605B1 (en) | System and method for correlating network information with subscriber information in a mobile network environment | |
JP3443529B2 (en) | Method of providing firewall service and computer system providing firewall service | |
US7444408B2 (en) | Network data analysis and characterization model for implementation of secure enclaves within large corporate networks | |
US8233486B2 (en) | Remote management of network devices | |
CN108737407A (en) | A kind of method and device for kidnapping network flow | |
US20110154477A1 (en) | Dynamic content-based routing | |
US20110255688A1 (en) | Method and system for monitoring online computer network behavior and creating online behavior profiles | |
CN104636392B (en) | Carry out method, system, server and browser that recommendation information issues | |
CN110213212A (en) | A kind of classification method and device of equipment | |
US8914510B2 (en) | Methods, systems, and computer program products for enhancing internet security for network subscribers | |
US10498618B2 (en) | Attributing network address translation device processed traffic to individual hosts | |
KR20230004222A (en) | System and method for selectively collecting computer forensic data using DNS messages | |
CN103957207B (en) | A kind of session keeping method and device | |
CN107528712A (en) | The determination of access rights, the access method of the page and device | |
CN113271299B (en) | Login method and server | |
EP1950917A1 (en) | Methods for peer-to-peer application message identifying and operating realization and their corresponding devices | |
CN106790073B (en) | Blocking method and device for malicious attack of Web server and firewall | |
US8745691B1 (en) | System, method, and computer program product for preventing communication of data over a network connection | |
CN111225038B (en) | Server access method and device | |
CN106295366B (en) | Sensitive data identification method and device | |
CN105959248B (en) | The method and device of message access control | |
KR101017015B1 (en) | Network based high performance contents security system and method thereof | |
CN110581843B (en) | Mimic Web gateway multi-application flow directional distribution method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | ||
Application publication date: 20181102