CN108737407A - A method and device for hijacking network traffic

Info

Publication number: CN108737407A
Application number: CN201810448152.6A
Authority: CN (China)
Prior art keywords: domain name, SSL, protocol version, network traffic, server
Legal status: Pending (status as listed by Google Patents, not a legal conclusion)
Other languages: Chinese (zh)
Inventor: 李鸣
Current assignee: Beijing Qianxin Technology Co Ltd
Original assignee: Beijing Qianxin Technology Co Ltd
Priority date:
Filing date:
Publication date:
Application filed by Beijing Qianxin Technology Co Ltd
Priority to CN201810448152.6A
Publication of CN108737407A

Classifications

    • H04L63/30 Network architectures or network communication protocols for network security, for supporting lawful interception, monitoring or retaining of communications or communication-related information
    • H04L43/18 Arrangements for monitoring or testing data switching networks: protocol analysers
    • H04L61/4511 Network directories; name-to-address mapping using standardised directories or directory access protocols, using the domain name system [DNS]
    • H04L63/168 Implementing security features at a particular protocol layer above the transport layer
    • H04L69/162 Implementation details of TCP/IP or UDP/IP stack architecture; specification of modified or new header fields, involving adaptations of socket-based mechanisms

Abstract

An embodiment of the present invention provides a method and device for hijacking network traffic. The method includes: obtaining the network traffic of the web-browsing port; from that traffic, obtaining the connection request to establish SSL that the client sends to the server while establishing a Secure Sockets Layer (SSL) connection; parsing the connection request to extract the SSL protocol version field and the server's domain name field; if the protocol version corresponding to the protocol version field is the preset protocol version, parsing the domain name field to obtain the domain name address to be visited; and if that domain name address is contained in the preset domain name addresses, hijacking the network traffic corresponding to the SSL connection. The device performs the above method. The method and device for hijacking network traffic provided by the embodiment can hijack SSL traffic reasonably and effectively, and thereby effectively control the internet behaviour of enterprise personnel.

Description

A method and device for hijacking network traffic
Technical field
Embodiments of the present invention relate to the field of network behaviour management technology, and in particular to a method and device for hijacking network traffic.
Background technology
With the rapid development of computers and broadband technology, abuse of the enterprise network by employees for non-work internet use has become fairly serious.
Enterprises therefore need to manage employees' internet behaviour and protect enterprise data security, which requires detecting and controlling network behaviour inside the enterprise. At present, network applications usually use general protocols such as HTTPS. HTTPS encrypts HTTP with the Secure Sockets Layer (SSL) protocol; because the traffic is ciphertext, SSL traffic has to be hijacked with a technique similar to a man-in-the-middle attack. The principle of a man-in-the-middle attack is that the attacker establishes an independent connection with each end of the communication, i.e. with the client and with the server, and relays the data it receives between them, so that both ends believe they are talking directly to each other over a private connection while in fact the whole session is completely controlled by the attacker. The hijacked ciphertext is turned into plaintext, the content is parsed, and it is then managed and controlled in the same way as plain HTTP.
Fig. 1 is a schematic of a prior-art SSL man-in-the-middle attack. As shown in Fig. 1, the man-in-the-middle needs to know the target of the attack, i.e. the IP address of the target. Man-in-the-middle attacks usually rely on DNS packets: SSL traffic is hijacked according to the IP address resolved from the domain name inside the DNS packet. The prior-art application scenarios are as follows:
1. If no DNS packet passes through the SSL man-in-the-middle device (the device that performs the method of Fig. 1) but the IP address is known, it is only necessary to redirect all port-443 traffic matching that IP to the SSL man-in-the-middle device, which then hijacks the SSL traffic.
2. If DNS packets do pass through the SSL man-in-the-middle device, the DNS packets are hijacked and their content is parsed to obtain the IP address inside them. Two cases arise:
1) If the DNS protocol is standard, the match is made by domain name; the IP corresponding to the required domain name can be found inside the DNS packet, and all port-443 traffic matching that IP is then redirected to the SSL man-in-the-middle device for hijacking.
2) If the IP cannot be extracted normally, there are again two cases:
(1) If the protocol is not standard DNS, its content cannot be parsed to extract the IP, so ultimately the SSL traffic cannot be hijacked.
(2) The domain name inside the DNS packet is an alias, i.e. the required domain name and the returned domain name do not match, so ultimately the SSL traffic cannot be hijacked.
3. After the SSL traffic has been hijacked successfully according to the IP, the following scenarios still remain:
1) Some proprietary protocols also use port 443. If what is hijacked is a proprietary protocol, it cannot be decrypted normally because it is not SSL, which may affect or even interrupt part of the company's business.
2) One IP may correspond to multiple domain names. If the traffic of that IP is hijacked, the traffic of all domain names on that IP is hijacked, causing mistaken hijacking that not only affects the performance of the SSL man-in-the-middle device but may also interfere with company business.
3) Standard SSL traffic can be decrypted normally. The ciphertext is decrypted into plaintext, the content is analysed, and management and control at various granularities (server IP, domain name, keywords, etc.) can be applied.
From the above description, the prior art has the following defects:
1. It depends on parsing DNS packets and cannot cover the scenarios where there are no DNS packets or the DNS packets do not pass through the SSL man-in-the-middle device. SSL traffic can only be hijacked once the IP corresponding to the domain name has been obtained from DNS packets or the domain name's IP is already known. All DNS packets also have to be hijacked, which affects the performance of the SSL man-in-the-middle device. Hijacking SSL traffic in a way that depends on DNS packets is therefore not reasonable.
2. Where the same IP corresponds to multiple domain names, the traffic of all domain names on that IP is hijacked and the traffic of a single domain name cannot be distinguished, so this method cannot hijack SSL traffic effectively.
3. If a proprietary protocol also uses port 443, the proprietary protocol cannot be distinguished from SSL; the proprietary protocol is hijacked but cannot be decrypted normally, which may affect part of the company's business, so hijacking SSL traffic this way is not reasonable enough.
4. The same domain name may correspond to multiple IPs, i.e. the domain name resolves to different IPs at different times or locations; for such dynamically changing IPs the SSL hijacking works poorly.
5. Where the DNS packet uses an alias, i.e. the queried domain name and the domain name inside the DNS packet are inconsistent, the IP corresponding to the original domain name cannot be extracted, so the SSL traffic cannot be hijacked.
Therefore, how to avoid the above defects, hijack SSL traffic reasonably and effectively, and thereby effectively control the internet behaviour of enterprise personnel, has become a problem to be solved.
Invention content
In view of the problems of the prior art, embodiments of the present invention provide a method and device for hijacking network traffic.
In a first aspect, an embodiment of the present invention provides a method for hijacking network traffic, the method including:
obtaining the network traffic of the web-browsing port;
from the network traffic, obtaining the connection request to establish SSL that the client sends to the server while establishing a Secure Sockets Layer (SSL) connection;
parsing the connection request to extract the SSL protocol version field and the server's domain name field;
if the protocol version corresponding to the protocol version field is the preset protocol version, parsing the domain name field to obtain the domain name address to be visited;
if the domain name address is contained in the preset domain name addresses, hijacking the network traffic corresponding to the SSL connection.
In a second aspect, an embodiment of the present invention provides a device for hijacking network traffic, the device including:
a first acquisition unit for obtaining the network traffic of the web-browsing port;
a second acquisition unit for obtaining, from the network traffic, the connection request to establish SSL that the client sends to the server while establishing a Secure Sockets Layer (SSL) connection;
an extraction unit for parsing the connection request to extract the SSL protocol version field and the server's domain name field;
a resolution unit for parsing the domain name field to obtain the domain name address to be visited if it determines that the protocol version corresponding to the protocol version field is the preset protocol version;
a hijacking unit for hijacking the network traffic corresponding to the SSL connection if it determines that the domain name address is contained in the preset domain name addresses.
In a third aspect, an embodiment of the present invention provides an electronic device including a processor, a memory and a bus, wherein:
the processor and the memory communicate with each other via the bus;
the memory stores program instructions executable by the processor, and the processor calls the program instructions to perform the following method:
obtaining the network traffic of the web-browsing port;
from the network traffic, obtaining the connection request to establish SSL that the client sends to the server while establishing a Secure Sockets Layer (SSL) connection;
parsing the connection request to extract the SSL protocol version field and the server's domain name field;
if the protocol version corresponding to the protocol version field is the preset protocol version, parsing the domain name field to obtain the domain name address to be visited;
if the domain name address is contained in the preset domain name addresses, hijacking the network traffic corresponding to the SSL connection.
In a fourth aspect, an embodiment of the present invention provides a non-transitory computer-readable storage medium, wherein:
the non-transitory computer-readable storage medium stores computer instructions that cause a computer to perform the following method:
obtaining the network traffic of the web-browsing port;
from the network traffic, obtaining the connection request to establish SSL that the client sends to the server while establishing a Secure Sockets Layer (SSL) connection;
parsing the connection request to extract the SSL protocol version field and the server's domain name field;
if the protocol version corresponding to the protocol version field is the preset protocol version, parsing the domain name field to obtain the domain name address to be visited;
if the domain name address is contained in the preset domain name addresses, hijacking the network traffic corresponding to the SSL connection.
The method and device for hijacking network traffic provided by embodiments of the present invention judge the SSL protocol version and the domain name address to be visited in order of priority and hijack the SSL traffic that meets both conditions; they can therefore hijack SSL traffic reasonably and effectively and thereby effectively control the internet behaviour of enterprise personnel.
Description of the drawings
In order to explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic of a prior-art SSL man-in-the-middle attack;
Fig. 2 is a flow diagram of the method for hijacking network traffic of an embodiment of the present invention;
Fig. 3 is an information exchange diagram of hijacking network traffic in an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of the device for hijacking network traffic of an embodiment of the present invention;
Fig. 5 is a schematic of the physical structure of an electronic device provided by an embodiment of the present invention.
Detailed description of the embodiments
In order to make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
Fig. 2 is a flow diagram of the method for hijacking network traffic of an embodiment of the present invention. As shown in Fig. 2, the method for hijacking network traffic provided by the embodiment includes the following steps:
S201: Obtain the network traffic of the web-browsing port.
Specifically, the device obtains the network traffic of the web-browsing port. The device may be the enterprise's network management device. Fig. 3 is the information exchange diagram of hijacking network traffic in the embodiment; in Fig. 3, "equipment" corresponds to the device, "Client" corresponds to the client, which may be a mobile phone, computer or similar used by staff in the enterprise, and "Server" corresponds to the server that the staff access over the network. The web-browsing port may be port 443; the network traffic to every server accessed by all staff in the enterprise can be obtained by redirecting the network traffic of all port-443 connections.
S202: From the network traffic, obtain the connection request to establish SSL that the client sends to the server while establishing a Secure Sockets Layer (SSL) connection.
Specifically, from the network traffic the device obtains the SSL connection request that the client sends to the server while the SSL connection is being established. Referring to Fig. 3, the connection request corresponds to the "Client-hello" in Fig. 3: while the client and server set up the SSL connection, the client sends a ClientHello request, which contains the SSL protocol version field, the supported cipher suites, the server's domain name field and other information.
S203: Parse the connection request to extract the SSL protocol version field and the server's domain name field.
Specifically, the device parses the connection request to extract the SSL protocol version field and the server's domain name field, i.e. the two fields contained in the ClientHello request.
S204: If the protocol version corresponding to the protocol version field is the preset protocol version, parse the domain name field to obtain the domain name address to be visited.
Specifically, if the device determines that the protocol version corresponding to the protocol version field is the preset protocol version, it parses the domain name field to obtain the domain name address to be visited. The protocol version may be SSL2.0, SSL3.0, TLS1.0, TLS1.1, TLS1.2, TLS1.3 and so on; the preset protocol version can be set independently according to the actual situation, for example TLS1.2. Examples of domain name addresses to be visited are news sites, search sites, online game sites, professional study sites and the like.
S205: If the domain name address is contained in the preset domain name addresses, hijack the network traffic corresponding to the SSL connection.
Specifically, if the device determines that the domain name address is contained in the preset domain name addresses, it hijacks the network traffic of that SSL connection. The preset domain name addresses can be set independently according to the enterprise's actual needs; an enterprise usually does not allow staff to visit online game sites and other sites unrelated to its business, so the addresses of such sites can be used as the preset domain name addresses. For example, if the domain name address is www.xabc.com, which corresponds to an online game site, and that site is among the preset domain name addresses, the network traffic of the SSL connection is hijacked so that the client cannot access the server corresponding to www.xabc.com. If the domain name address is www.abc.com, which corresponds to a search site, and that site is not among the preset domain name addresses, the network traffic of the SSL connection is released so that the client can access the server corresponding to www.abc.com.
It should be noted that, to determine more conveniently and effectively whether the preset domain name addresses contain the domain name address, a string search method may be used; the specific string search method may be multi-pattern matching ACBM.
The preset domain name addresses may be expressed in a preset format, which may include a true domain name and a fuzzy-match domain name derived from it. With reference to the example above, www.xabc.com is a true domain name and the fuzzy-match domain name may be *.xabc.com; the specific way of fuzzy matching is not limited. To make the preset domain name addresses easier to manage and analyse, they may be stored in the form of a data table.
It should be noted that if it is determined that the protocol version corresponding to the above protocol version field is not the preset protocol version, the network traffic of the SSL connection is released so that the client can access the server corresponding to, for example, www.abc.com.
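The following is an added example, not code from the patent or from Qianxin's product, that carries steps S202 to S205 through in Python on a single port-443 flow. It takes the first bytes the client sent, checks that they form a TLS ClientHello, reads the protocol version and the server_name (SNI) extension, and returns "hijack" or "pass" under the patent's two conditions (version equals the preset version, here TLS1.2; SNI is on the preset list, here the patent's www.xabc.com and *.xabc.com). Two practitioner caveats the patent does not spell out are built in: a TLS 1.3 client still writes 0x0303 into the ClientHello version field and signals 1.3 only in the supported_versions extension, so the version is taken from there when present; and an SSL 2.0 hello or any proprietary protocol on 443 does not start with a TLS handshake record, so the parser returns None and the flow is passed through untouched. build_client_hello() only constructs sample input for the run.

```python
"""Added example (not from the patent): steps S202-S205 on one port-443 flow."""
import struct

VERSION_NAMES = {(3, 0): "SSL3.0", (3, 1): "TLS1.0", (3, 2): "TLS1.1",
                 (3, 3): "TLS1.2", (3, 4): "TLS1.3"}


def parse_client_hello(data: bytes):
    """Return (version_name, sni_or_None), or None if data is not a TLS ClientHello."""
    if len(data) < 5 or data[0] != 0x16:            # record type 22 = handshake
        return None
    rec_len, = struct.unpack("!H", data[3:5])
    body = data[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:             # handshake type 1 = ClientHello
        return None
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(hello) < 35:                              # version(2) + random(32) + sid_len(1)
        return None
    version = (hello[0], hello[1])                   # legacy_version field
    pos = 35 + hello[34]                             # skip session_id
    if pos + 2 > len(hello):
        return None
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]    # skip cipher_suites
    if pos + 1 > len(hello):
        return None
    pos += 1 + hello[pos]                            # skip compression_methods
    sni = None
    if pos + 2 <= len(hello):                        # extensions block is optional
        end = min(len(hello), pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0])
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            edata = hello[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == 0 and len(edata) >= 5 and edata[2] == 0:   # server_name, host_name entry
                n, = struct.unpack("!H", edata[3:5])
                sni = edata[5:5 + n].decode("ascii", "replace").lower().rstrip(".")
            elif etype == 0x2B and edata:                           # supported_versions (TLS 1.3)
                # A TLS 1.3 client still puts 0x0303 in legacy_version; the real
                # offer is in this extension, so take the highest version listed.
                offered = [(edata[i], edata[i + 1])
                           for i in range(1, 1 + edata[0], 2) if i + 1 < len(edata)]
                if offered:
                    version = max(offered)
    return VERSION_NAMES.get(version, "unknown-%d.%d" % version), sni


def domain_matches(host: str, rules) -> bool:
    """Exact rule ("www.xabc.com") or wildcard rule ("*.xabc.com" = any name below xabc.com)."""
    for rule in rules:
        rule = rule.lower()
        if rule.startswith("*."):
            if host.endswith(rule[1:]):      # suffix ".xabc.com": label boundary, apex excluded
                return True
        elif host == rule:
            return True
    return False


def decide(data: bytes, preset_version="TLS1.2",
           rules=("www.xabc.com", "*.xabc.com")) -> str:
    """The patent's decision: hijack only if version == preset and the SNI is on the list."""
    parsed = parse_client_hello(data)
    if parsed is None:                       # not SSL/TLS on 443: leave it alone
        return "pass"
    version, sni = parsed
    if version != preset_version or sni is None:
        return "pass"
    return "hijack" if domain_matches(sni, rules) else "pass"


def build_client_hello(version=(3, 3), sni="www.xabc.com", supported=None) -> bytes:
    """Constructed sample input: a minimal ClientHello record with one cipher suite."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name       # host_name entry
        sn = struct.pack("!H", len(entry)) + entry                  # server_name list
        exts += struct.pack("!HH", 0, len(sn)) + sn
    if supported:
        lst = b"".join(bytes(v) for v in supported)
        sv = bytes([len(lst)]) + lst
        exts += struct.pack("!HH", 0x2B, len(sv)) + sv
    hello = (bytes(version) + b"\x11" * 32 + b"\x00"             # version, random, empty session_id
             + struct.pack("!H", 2) + b"\x13\x01"                 # one cipher suite
             + b"\x01\x00"                                        # compression: null only
             + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    for label, pkt in [("game site, TLS1.2", build_client_hello()),
                       ("search site, TLS1.2", build_client_hello(sni="www.abc.com")),
                       ("game site, TLS1.3", build_client_hello(supported=[(3, 4), (3, 3)])),
                       ("proprietary protocol", b"PRIVATEPROTO\x00\x01")]:
        print("%-22s -> %s  %s" % (label, decide(pkt), parse_client_hello(pkt)))
```

A device that really sits on the path would feed the first TCP segment of each redirected port-443 connection into decide(); the parser only needs the first record, and only the ClientHello, so no decryption happens before the decision. Note that with the preset version fixed at TLS1.2, a client that offers TLS 1.3 is released even when its SNI is on the list, which is the behaviour the patent describes for a non-preset version.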
Embodiments of the present invention can solve the following scenarios:
1. Multiple domain names correspond to the same IP. For example, the IP of site A is known to be 1.1.1.1, the IP of site B is also 1.1.1.1, and the IP of site C is again 1.1.1.1. If only site A needs to be audited while sites B and C are to be released, hijacking based on the IP would hijack all three sites A, B and C; this meets the business need but also hijacks sites that should not be hijacked, reducing the performance of the device.
2. No DNS packets. Suppose site A is to be hijacked but only its domain name is known, not its IP address. The only option is to hijack DNS packets and parse them to obtain the IP corresponding to the domain name, so hijacking by domain name essentially depends on DNS packets. Three situations arise: (1) without DNS packets, no DNS response can be obtained and the IP corresponding to the domain name cannot be known; (2) if the DNS packets do not pass through the SSL man-in-the-middle device, they cannot be parsed and the IP corresponding to the domain name cannot be known either; (3) some requests obtain the IP address without DNS, for example over the DNS-over-HTTP protocol, and again the IP corresponding to the domain name cannot be obtained.
3. Proprietary protocols. Some proprietary protocols also use port 443. By extracting the field of the ClientHello that carries the SSL protocol version, the device can judge whether the protocol is standard SSL; if it is a proprietary protocol, it is not hijacked.
4. Dynamic DNS IPs, i.e. multiple IPs correspond to the same domain name, and the same domain name resolves to different IPs at different times or places. Hijacking SSL traffic based on the IP affects the hijacking accuracy; hijacking based on the ClientHello does not depend on parsing DNS packets and avoids this problem.
The method for hijacking network traffic provided by the embodiment judges the SSL protocol version and the domain name address to be visited in order of priority and hijacks the SSL traffic that meets the conditions; it can therefore hijack SSL traffic reasonably and effectively and thereby effectively control the internet behaviour of enterprise personnel.
On the basis of the above embodiment, the method further includes:
using a string search method to determine whether the preset domain name addresses contain the domain name address.
Specifically, the device uses a string search method to determine whether the preset domain name addresses contain the domain name address. Reference is made to the above embodiment, which is not repeated here.
By using a string search method to determine whether the preset domain name addresses contain the domain name address, the method for hijacking network traffic provided by the embodiment can make that determination efficiently, further optimising the method.
On the basis of the above embodiment, the string search method includes multi-pattern matching ACBM.
Specifically, the string search method in the device includes multi-pattern matching ACBM. Reference is made to the above embodiment, which is not repeated here.
By using the multi-pattern matching ACBM string search method to determine whether the preset domain name addresses contain the domain name address, the method for hijacking network traffic provided by the embodiment can make that determination even more efficiently, further optimising the method.
On the basis of the above embodiment, the method further includes:
expressing the preset domain name addresses in a preset format that includes a true domain name and a fuzzy-match domain name derived from the true domain name.
Specifically, the device expresses the preset domain name addresses in a preset format that includes a true domain name and a fuzzy-match domain name derived from the true domain name. Reference is made to the above embodiment, which is not repeated here.
By expressing the preset domain name addresses in a preset format, the method for hijacking network traffic provided by the embodiment can conveniently determine whether the preset domain name addresses contain the domain name address, further optimising the method.
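The following is an added example, not code from the patent, that serves both the string-search passage above and the preset-format passage: it builds the preset domain list into a multi-pattern automaton so that one pass over the SNI string checks every rule at once. The patent names ACBM; this block uses plain Aho-Corasick without the Boyer-Moore skip heuristic, which is sufficient to show the mechanism. Rules use the patent's preset format, a true domain name ("www.xabc.com") or a fuzzy-match domain name ("*.xabc.com"). The check a practitioner needs on top of raw substring search is built in: a hit only counts when the pattern ends exactly at the end of the host name and, for a true domain name, also starts at position 0, so a rule "abc.com" does not hijack "xabc.com" by accident. The rule list PRESET_DOMAINS is constructed for the example.

```python
"""Added example (not from the patent): Aho-Corasick matcher over the preset domain list."""
from collections import deque


class DomainMatcher:
    def __init__(self, rules):
        self.goto = [{}]                     # state -> {char: next state}
        self.fail = [0]                      # state -> longest-proper-suffix state
        self.out = [[]]                      # state -> [(pattern, exact)] ending here
        for rule in rules:
            rule = rule.lower().rstrip(".")
            if rule.startswith("*."):
                self._add(rule[1:], exact=False)    # ".xabc.com": suffix on a label boundary
            else:
                self._add(rule, exact=True)
        self._link()

    def _add(self, pattern, exact):
        s = 0
        for ch in pattern:
            if ch not in self.goto[s]:
                self.goto.append({})
                self.fail.append(0)
                self.out.append([])
                self.goto[s][ch] = len(self.goto) - 1
            s = self.goto[s][ch]
        self.out[s].append((pattern, exact))

    def _link(self):
        """Breadth-first failure links; each state also inherits its fail state's outputs."""
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for ch, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and ch not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(ch, 0)
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def matches(self, host):
        """Return the rule that matches host ("*.xabc.com" for a fuzzy rule), or None."""
        host = host.lower().rstrip(".")
        s = 0
        for ch in host:
            while s and ch not in self.goto[s]:
                s = self.fail[s]
            s = self.goto[s].get(ch, 0)
        # out[s] now lists every pattern that is a suffix of host, longest first
        for pattern, exact in self.out[s]:
            start = len(host) - len(pattern)
            if exact and start == 0:
                return pattern
            if not exact and start > 0:
                return "*" + pattern
        return None


PRESET_DOMAINS = ["www.xabc.com", "*.xabc.com", "abc.com"]   # constructed rule list
MATCHER = DomainMatcher(PRESET_DOMAINS)

if __name__ == "__main__":
    for host in ["www.xabc.com", "cdn.xabc.com", "xabc.com", "abc.com", "www.abc.com", "xyz.com"]:
        print("%-14s -> %s" % (host, MATCHER.matches(host)))
```

Because the automaton is built once from the data table and each lookup costs one transition per character of the SNI, the list can hold thousands of rules without the per-connection cost growing; that is the efficiency gain the patent attributes to multi-pattern matching.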
On the basis of the above embodiment, the method further includes:
if the domain name address is not contained in the preset domain name addresses, releasing the network traffic corresponding to the SSL connection so that the client accesses the server.
Specifically, if the device determines that the domain name address is not contained in the preset domain name addresses, it releases the network traffic corresponding to the SSL connection so that the client accesses the server. Reference is made to the above embodiment, which is not repeated here.
By releasing SSL traffic whose domain name address is not contained in the preset domain name addresses, so that the client can access the server normally, the method for hijacking network traffic provided by the embodiment controls the internet behaviour of enterprise personnel more effectively.
On the basis of the above embodiment, the method further includes:
if the protocol version corresponding to the protocol version field is not the preset protocol version, releasing the network traffic corresponding to the SSL connection so that the client accesses the server.
Specifically, if the device determines that the protocol version corresponding to the protocol version field is not the preset protocol version, it releases the network traffic corresponding to the SSL connection so that the client accesses the server.
By releasing SSL traffic whose protocol version is not the preset protocol version, so that the client can access the server normally, the method for hijacking network traffic provided by the embodiment controls the internet behaviour of enterprise personnel more effectively.
On the basis of the above embodiment, obtaining the network traffic of the web-browsing port includes:
redirecting the network traffic of all port-443 connections to obtain the network traffic.
Specifically, the device redirects the network traffic of all port-443 connections to obtain the network traffic. Reference is made to the above embodiment, which is not repeated here.
By redirecting the network traffic of all port-443 connections, the method for hijacking network traffic provided by the embodiment can obtain the network traffic reasonably.
Fig. 4 is the apparatus structure schematic diagram that the embodiment of the present invention kidnaps network flow, as shown in figure 4, the embodiment of the present invention Provide it is a kind of kidnap network flow device, including first acquisition unit 401, second acquisition unit 402, extraction unit 403, Resolution unit 404 and abduction unit 405, wherein:
First acquisition unit 401 is used to obtain the network flow of web page browsing port;Second acquisition unit 402 is used for basis The network flow obtains described in the foundation that user end to server is sent during establishing Secure Socket Layer SSL connections The connection request of SSL;Extraction unit 403 is for parsing the connection request, to extract protocol version field and the institute of the SSL State the domain name field of server;If resolution unit 404 knows that the corresponding protocol version of the protocol version field is for judging Preset protocol version parses domain name field, to obtain domain name addresses to be visited;If kidnapping unit 405 to obtain for judging Know that domain name address is included in default domain name addresses, then kidnaps the corresponding network flows of the SSL.
Specifically, first acquisition unit 401 is used to obtain the network flow of web page browsing port;Second acquisition unit 402 For according to the network flow, obtaining what user end to server during establishing Secure Socket Layer SSL connections was sent Establish the connection request of the SSL;Extraction unit 403 is for parsing the connection request, to extract the protocol version of the SSL The domain name field of field and the server;If resolution unit 404 knows the corresponding association of the protocol version field for judging It is preset protocol version to discuss version, domain name field is parsed, to obtain domain name addresses to be visited;Unit 405 is kidnapped to be used for If judgement knows that domain name address is included in default domain name addresses, the corresponding network flows of the SSL are kidnapped.
The device provided in an embodiment of the present invention for kidnapping network flow, passes through protocol version to SSL and domain to be visited Name address carries out priority judgement, and the corresponding network flows of the SSL for meeting Rule of judgment are kidnapped, can rationally, effectively The corresponding network flows of SSL are kidnapped, and then effectively control the internet behavior of enterprise personnel.
On the basis of the above embodiments, the hijacking unit 405 is specifically configured to:
use a string searching method to determine whether the preset domain name addresses include the domain name address.
Specifically, the hijacking unit 405 uses a string searching method to determine whether the domain name address is included in the preset domain name addresses.
The device for hijacking network traffic provided by this embodiment of the present invention uses a string searching method to determine whether the domain name address is included in the preset domain name addresses. It can thus make that determination efficiently, which further optimises the device.
On the basis of the above embodiments, the string searching method includes the multi-pattern matching algorithm ACBM.
Specifically, the string searching method used in the device includes multi-pattern matching ACBM.
The device for hijacking network traffic provided by this embodiment of the present invention uses the multi-pattern matching ACBM string searching method to determine whether the domain name address is included in the preset domain name addresses. It can thus make that determination even more efficiently, which further optimises the device.
On the basis of the above embodiments, the resolution unit 404 is specifically configured to:
represent the preset domain name addresses in a preset format, the preset format including a true domain name and a fuzzy-matching domain name derived from the true domain name.
Specifically, the resolution unit 404 is configured to:
represent the preset domain name addresses in a preset format, where the preset format includes a true domain name and a fuzzy-matching domain name obtained from that true domain name.
The device for hijacking network traffic provided by this embodiment of the present invention represents the preset domain name addresses in a preset format. It can thus easily determine whether the domain name address is included in the preset domain name addresses, which further optimises the device.
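As an added example serving both the string-search passage and the preset-format passage above (this is not the patent's or its assignee's code), the matcher below loads a preset domain list into one multi-pattern automaton and checks an extracted host name against the whole list in a single pass. It uses Aho-Corasick rather than the ACBM variant the page names, and it assumes a concrete form for the "fuzzy-matching domain name derived from the true domain name", which the page leaves undefined: for each true domain d it derives the pattern "." + d, which matches any subdomain of d. The class and method names are the example's own.

```python
from collections import deque
from typing import Dict, Iterable, List, Optional, Set


class DomainMatcher:
    """Multi-pattern matcher over the preset domain list.

    Each true domain d is stored as two patterns: d itself (exact match) and
    "." + d, the derived fuzzy-matching domain covering every subdomain of d
    (an assumed form; the page does not define it).  All patterns share one
    Aho-Corasick automaton, so a host name is checked against the whole list
    in one left-to-right pass regardless of how many domains are listed.
    """

    def __init__(self, true_domains: Iterable[str]) -> None:
        self._next: List[Dict[str, int]] = [{}]   # trie transitions per state
        self._fail: List[int] = [0]               # failure links
        self._out: List[Set[str]] = [set()]       # patterns ending at each state
        self._true_of: Dict[str, str] = {}        # pattern -> true domain
        for raw in true_domains:
            d = raw.strip().lower().strip(".")
            for pattern in (d, "." + d):
                self._add(pattern)
                self._true_of[pattern] = d
        self._build_failure_links()

    def _add(self, pattern: str) -> None:
        state = 0
        for ch in pattern:
            if ch not in self._next[state]:
                self._next.append({})
                self._fail.append(0)
                self._out.append(set())
                self._next[state][ch] = len(self._next) - 1
            state = self._next[state][ch]
        self._out[state].add(pattern)

    def _build_failure_links(self) -> None:
        queue = deque(self._next[0].values())     # depth-1 states fail to the root
        while queue:                              # BFS: shallower states are finished first
            s = queue.popleft()
            for ch, child in self._next[s].items():
                f = self._fail[s]
                while f and ch not in self._next[f]:
                    f = self._fail[f]
                self._fail[child] = self._next[f].get(ch, 0)
                # Inherit the failure state's outputs so shorter suffix patterns are reported too.
                self._out[child] |= self._out[self._fail[child]]
                queue.append(child)

    def match(self, host: str) -> Optional[str]:
        """Return the true domain that host falls under, or None if it is not listed."""
        host = host.strip().lower().rstrip(".")
        state = 0
        for ch in host:
            while state and ch not in self._next[state]:
                state = self._fail[state]
            state = self._next[state].get(ch, 0)
        # After the last character, out[state] holds every pattern that is a suffix
        # of the host.  A fuzzy pattern (".d") is a hit on any suffix; an exact
        # pattern counts only when it covers the whole host, which is what keeps
        # "notexample.com" from being treated as "example.com".
        hits = [self._true_of[p] for p in self._out[state]
                if p.startswith(".") or len(p) == len(host)]
        return max(hits, key=len) if hits else None
```

The suffix rule in match is the part worth copying: a plain substring search over the list would flag "example.com.evil.net" and "notexample.com" as listed domains, so the automaton's output is only consulted at the end of the host name, and exact patterns must span the whole name.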
On the basis of the above embodiments, the hijacking unit 405 is specifically configured to:
let the network traffic corresponding to the SSL connection pass, so that the client can access the server, if it determines that the domain name address is not included in the preset domain name addresses.
Specifically, the hijacking unit 405 is configured to: if it determines that the domain name address is not included in the preset domain name addresses, let the network traffic corresponding to the SSL connection pass, so that the client can access the server.
The device for hijacking network traffic provided by this embodiment of the present invention lets the SSL network traffic whose domain name is not included in the preset domain name addresses pass, so that the client can access the server normally. It can thus control the internet behaviour of enterprise personnel more efficiently.
On the basis of the above embodiments, the resolution unit 404 is specifically configured to:
let the network traffic corresponding to the SSL connection pass, so that the client can access the server, if it determines that the protocol version corresponding to the protocol version field is not the preset protocol version.
Specifically, the resolution unit 404 is configured to: if it determines that the protocol version corresponding to the protocol version field is not the preset protocol version, let the network traffic corresponding to the SSL connection pass, so that the client can access the server.
The device for hijacking network traffic provided by this embodiment of the present invention lets the SSL network traffic whose protocol version is not the preset protocol version pass, so that the client can access the server normally. It can thus control the internet behaviour of enterprise personnel more efficiently.
On the basis of the above embodiments, the first acquisition unit 401 is specifically configured to:
redirect all network traffic of port 443 in order to obtain the network traffic.
Specifically, the first acquisition unit 401 is configured to redirect all network traffic of port 443 in order to obtain the network traffic.
The device for hijacking network traffic provided by this embodiment of the present invention obtains the network traffic in a reasonable way by redirecting all network traffic of port 443.
The device for hijacking network traffic provided by this embodiment of the present invention can be used to execute the process flow of each method embodiment described above. Its functions are not described again here; reference may be made to the detailed description of the method embodiments above.
Fig. 5 is a schematic diagram of the physical structure of an electronic device provided by an embodiment of the present invention. As shown in Fig. 5, the electronic device includes a processor 501, a memory 502 and a bus 503;
wherein the processor 501 and the memory 502 communicate with each other through the bus 503;
and the processor 501 is configured to call the program instructions in the memory 502 in order to execute the method provided by each of the method embodiments above, which includes, for example: obtaining the network traffic of the web browsing port; obtaining, from the network traffic, the connection request for establishing the SSL connection that the client sends to the server during establishment of the Secure Socket Layer (SSL) connection; parsing the connection request to extract the protocol version field of the SSL connection and the domain name field of the server; if the protocol version corresponding to the protocol version field is the preset protocol version, parsing the domain name field to obtain the domain name address to be visited; and if the domain name address is included in the preset domain name addresses, hijacking the network traffic corresponding to the SSL connection.
This embodiment discloses a computer program product. The computer program product includes a computer program stored on a non-transitory computer-readable storage medium, and the computer program includes program instructions which, when executed by a computer, enable the computer to execute the method provided by each of the method embodiments above, which includes, for example: obtaining the network traffic of the web browsing port; obtaining, from the network traffic, the connection request for establishing the SSL connection that the client sends to the server during establishment of the Secure Socket Layer (SSL) connection; parsing the connection request to extract the protocol version field of the SSL connection and the domain name field of the server; if the protocol version corresponding to the protocol version field is the preset protocol version, parsing the domain name field to obtain the domain name address to be visited; and if the domain name address is included in the preset domain name addresses, hijacking the network traffic corresponding to the SSL connection.
This embodiment provides a non-transitory computer-readable storage medium. The non-transitory computer-readable storage medium stores computer instructions, and the computer instructions cause the computer to execute the method provided by each of the method embodiments above, which includes, for example: obtaining the network traffic of the web browsing port; obtaining, from the network traffic, the connection request for establishing the SSL connection that the client sends to the server during establishment of the Secure Socket Layer (SSL) connection; parsing the connection request to extract the protocol version field of the SSL connection and the domain name field of the server; if the protocol version corresponding to the protocol version field is the preset protocol version, parsing the domain name field to obtain the domain name address to be visited; and if the domain name address is included in the preset domain name addresses, hijacking the network traffic corresponding to the SSL connection.
Those of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiments can be completed by program instructions running on the related hardware. The program can be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes various media capable of storing program code, such as ROM, RAM, magnetic disks or optical discs.
The embodiments of the electronic device and the like described above are merely illustrative. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement this without creative effort.
Through the above description of the embodiments, those skilled in the art can clearly understand that each embodiment can be realised by software plus a necessary general-purpose hardware platform, and of course also by hardware. Based on this understanding, the above technical solution, or the part of it that contributes over the prior art, can essentially be embodied in the form of a software product. The computer software product can be stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disc, and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to execute the method described in each embodiment or in certain parts of the embodiments.
Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the embodiments of the present invention and not to limit them. Although the embodiments of the present invention have been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the above embodiments can still be modified, or some or all of their technical features can be replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solution to depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (16)

1. A method for hijacking network traffic, characterised in that it comprises:
obtaining the network traffic of a web browsing port;
obtaining, from the network traffic, the connection request for establishing a Secure Socket Layer (SSL) connection that a client sends to a server during establishment of the SSL connection;
parsing the connection request to extract the protocol version field of the SSL connection and the domain name field of the server;
if the protocol version corresponding to the protocol version field is a preset protocol version, parsing the domain name field to obtain the domain name address to be visited;
if the domain name address is included in preset domain name addresses, hijacking the network traffic corresponding to the SSL connection.
2. The method according to claim 1, characterised in that the method further comprises:
using a string searching method to determine whether the preset domain name addresses include the domain name address.
3. The method according to claim 2, characterised in that the string searching method comprises multi-pattern matching ACBM.
4. The method according to any one of claims 1 to 3, characterised in that the method further comprises:
representing the preset domain name addresses in a preset format, the preset format comprising a true domain name and a fuzzy-matching domain name derived from the true domain name.
5. The method according to any one of claims 1 to 3, characterised in that the method further comprises:
if the domain name address is not included in the preset domain name addresses, letting the network traffic corresponding to the SSL connection pass, so that the client accesses the server.
6. The method according to any one of claims 1 to 3, characterised in that the method further comprises:
if the protocol version corresponding to the protocol version field is not the preset protocol version, letting the network traffic corresponding to the SSL connection pass, so that the client accesses the server.
7. The method according to any one of claims 1 to 3, characterised in that obtaining the network traffic of the web browsing port comprises:
redirecting all network traffic of port 443 in order to obtain the network traffic.
8. A device for hijacking network traffic, characterised in that it comprises:
a first acquisition unit for obtaining the network traffic of a web browsing port;
a second acquisition unit for obtaining, from the network traffic, the connection request for establishing a Secure Socket Layer (SSL) connection that a client sends to a server during establishment of the SSL connection;
an extraction unit for parsing the connection request to extract the protocol version field of the SSL connection and the domain name field of the server;
a resolution unit for parsing the domain name field to obtain the domain name address to be visited if it determines that the protocol version corresponding to the protocol version field is a preset protocol version;
a hijacking unit for hijacking the network traffic corresponding to the SSL connection if it determines that the domain name address is included in preset domain name addresses.
9. The device according to claim 8, characterised in that the hijacking unit is specifically configured to:
use a string searching method to determine whether the preset domain name addresses include the domain name address.
10. The device according to claim 9, characterised in that the string searching method comprises multi-pattern matching ACBM.
11. The device according to any one of claims 8 to 10, characterised in that the resolution unit is specifically configured to:
represent the preset domain name addresses in a preset format, the preset format comprising a true domain name and a fuzzy-matching domain name derived from the true domain name.
12. The device according to any one of claims 8 to 10, characterised in that the hijacking unit is specifically configured to:
if it determines that the domain name address is not included in the preset domain name addresses, let the network traffic corresponding to the SSL connection pass, so that the client accesses the server.
13. The device according to any one of claims 8 to 10, characterised in that the resolution unit is specifically configured to:
if it determines that the protocol version corresponding to the protocol version field is not the preset protocol version, let the network traffic corresponding to the SSL connection pass, so that the client accesses the server.
14. The device according to any one of claims 8 to 10, characterised in that the first acquisition unit is specifically configured to:
redirect all network traffic of port 443 in order to obtain the network traffic.
15. An electronic device, characterised in that it comprises a processor, a memory and a bus, wherein
the processor and the memory communicate with each other through the bus;
the memory stores program instructions executable by the processor, and the processor, by calling the program instructions, is able to execute the method according to any one of claims 1 to 7.
16. A non-transitory computer-readable storage medium, characterised in that the non-transitory computer-readable storage medium stores computer instructions, and the computer instructions cause the computer to execute the method according to any one of claims 1 to 7.
CN201810448152.6A 2018-05-11 2018-05-11 A kind of method and device for kidnapping network flow Pending CN108737407A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810448152.6A CN108737407A (en) 2018-05-11 2018-05-11 A kind of method and device for kidnapping network flow

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810448152.6A CN108737407A (en) 2018-05-11 2018-05-11 A kind of method and device for kidnapping network flow

Publications (1)

Publication Number Publication Date
CN108737407A true CN108737407A (en) 2018-11-02

Family

ID=63937309

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810448152.6A Pending CN108737407A (en) 2018-05-11 2018-05-11 A kind of method and device for kidnapping network flow

Country Status (1)

Country Link
CN (1) CN108737407A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080263215A1 (en) * 2007-04-23 2008-10-23 Schnellbaecher Jan F Transparent secure socket layer
CN101741644A (en) * 2009-12-16 2010-06-16 成都市华为赛门铁克科技有限公司 Flow detection method and apparatus
CN103618726A (en) * 2013-12-04 2014-03-05 北京中创信测科技股份有限公司 Method for recognizing mobile data service based on HTTPS
CN103825887A (en) * 2014-02-14 2014-05-28 深信服网络科技(深圳)有限公司 Hypertext transfer protocol over secure socket layer (HTTPS) encryption-based web filtering method and system
CN103873466A (en) * 2014-03-04 2014-06-18 深信服网络科技(深圳)有限公司 HTTPS (Hypertext Transfer Protocol Secure) website filtration and interdict alarm method and device
CN104270379A (en) * 2014-10-14 2015-01-07 北京蓝汛通信技术有限责任公司 HTTPS proxy forwarding method and device based on transmission control protocol

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112152866A (en) * 2019-06-27 2020-12-29 中国移动通信集团湖南有限公司 Method, device, equipment and storage medium for synthesizing browsing type XDR data
CN112152866B (en) * 2019-06-27 2022-06-17 中国移动通信集团湖南有限公司 Method, device, equipment and storage medium for synthesizing browsing type XDR data
CN111596942A (en) * 2020-05-21 2020-08-28 四川普思科创信息技术有限公司 Method and device for forcibly triggering software upgrading and software upgrading system
CN113873057A (en) * 2021-09-28 2021-12-31 奇安信科技集团股份有限公司 Data processing method and device
CN113873057B (en) * 2021-09-28 2024-03-15 奇安信科技集团股份有限公司 Data processing method and device
CN116155549A (en) * 2022-12-23 2023-05-23 武汉雨滴科技有限公司 Terminal external connection detection method and device, electronic equipment and storage medium
CN116155549B (en) * 2022-12-23 2023-12-29 武汉雨滴科技有限公司 Terminal external connection detection method and device, electronic equipment and storage medium

Similar Documents

Publication Publication Date Title
EP2850770B1 (en) Transport layer security traffic control using service name identification
US8065719B2 (en) Method and apparatus for reducing firewall rules
KR101662605B1 (en) System and method for correlating network information with subscriber information in a mobile network environment
JP3443529B2 (en) Method of providing firewall service and computer system providing firewall service
US7444408B2 (en) Network data analysis and characterization model for implementation of secure enclaves within large corporate networks
US8233486B2 (en) Remote management of network devices
CN108737407A (en) A kind of method and device for kidnapping network flow
US20110154477A1 (en) Dynamic content-based routing
US20110255688A1 (en) Method and system for monitoring online computer network behavior and creating online behavior profiles
CN104636392B (en) Carry out method, system, server and browser that recommendation information issues
CN110213212A (en) A kind of classification method and device of equipment
US8914510B2 (en) Methods, systems, and computer program products for enhancing internet security for network subscribers
US10498618B2 (en) Attributing network address translation device processed traffic to individual hosts
KR20230004222A (en) System and method for selectively collecting computer forensic data using DNS messages
CN103957207B (en) A kind of session keeping method and device
CN107528712A (en) The determination of access rights, the access method of the page and device
CN113271299B (en) Login method and server
EP1950917A1 (en) Methods for peer-to-peer application message identifying and operating realization and their corresponding devices
CN106790073B (en) Blocking method and device for malicious attack of Web server and firewall
US8745691B1 (en) System, method, and computer program product for preventing communication of data over a network connection
CN111225038B (en) Server access method and device
CN106295366B (en) Sensitive data identification method and device
CN105959248B (en) The method and device of message access control
KR101017015B1 (en) Network based high performance contents security system and method thereof
CN110581843B (en) Mimic Web gateway multi-application flow directional distribution method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20181102