CN110198297A - Data on flows monitoring method, device, electronic equipment and computer-readable medium - Google Patents

Info

Publication number: CN110198297A
Authority: CN (China)
Prior art keywords: data, certificate, flows, packet, information
Legal status: Granted
Application number: CN201811166760.4A
Other languages: Chinese (zh)
Other versions: CN110198297B (en)
Inventors: 郭晶, 胡珀, 郑兴, 杨勇, 范宇河, 唐文韬, 曾智洋, 董志成, 罗喜军
Current assignee: Tencent Technology Shenzhen Co Ltd
Original assignee: Tencent Technology Shenzhen Co Ltd
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN201811166760.4A
Publication of CN110198297A
Application granted
Publication of CN110198297B
Current legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
Abstract

This disclosure relates to an abnormal traffic data monitoring method, device, electronic equipment and computer-readable medium. The method comprises: reassembling the data packets in traffic data to generate packet groups of multiple types; extracting a first-type packet group from the packet groups of multiple types; extracting a certificate and server name indication information from the first-type packet group; and determining, from the certificate and the server name indication information, whether the traffic data is abnormal traffic data. The abnormal traffic data monitoring method, device, electronic equipment and computer-readable medium of this disclosure can detect advanced persistent threats in traffic data.

Description

Data on flows monitoring method, device, electronic equipment and computer-readable medium
Technical field
This disclosure relates to the field of computer information processing, and in particular to an abnormal traffic data monitoring method, device, electronic equipment and computer-readable medium.
Background art
Network information systems face threats from many sources, and these threats change over time. Among them, man-made attacks are deliberate attacks on a network information system: the attacker finds weaknesses in the network system and exploits them in unauthorized ways in order to destroy, deceive or steal data and information. There are many kinds of man-made attacks on networks. Among them, an APT attack (Advanced Persistent Threat) refers to a form of attack that uses advanced attack means to carry out a long-lasting network attack against a specific target. The principle of an APT attack is more advanced than that of other attack forms. This is mainly reflected in the fact that, before launching the attack, the APT needs to collect precise information about the business processes and target systems of the object of attack. During this collection, the attack actively probes for vulnerabilities in the trusted systems and applications of the object of attack, uses these vulnerabilities to build the network the attacker needs, and attacks through vulnerabilities that have not yet been patched.
Therefore, a new abnormal traffic data monitoring method, device, electronic equipment and computer-readable medium are needed.
The above information is provided only to reinforce understanding of the background of the disclosure, and may therefore include information that does not constitute prior art known to persons of ordinary skill in the art.
Summary of the invention
In view of this, the disclosure provides an abnormal traffic data monitoring method, device, electronic equipment and computer-readable medium that can detect advanced persistent threats in traffic data.
Other characteristics and advantages of the disclosure will become apparent from the following detailed description, or in part through practice of the disclosure.
According to one aspect of the disclosure, an abnormal traffic data monitoring method is proposed. The method comprises: reassembling the data packets in traffic data to generate packet groups of multiple types; extracting a first-type packet group from the packet groups of multiple types; extracting a certificate and server name indication information from the first-type packet group; and determining, from the certificate and the server name indication information, whether the traffic data is abnormal traffic data.
In an exemplary embodiment of the disclosure, the method further comprises: obtaining the traffic data at a gateway by means of mirroring or optical splitting.
In an exemplary embodiment of the disclosure, reassembling the data packets in the traffic data to generate packet groups of multiple types comprises: reassembling the Transmission Control Protocol data packets in the traffic data to generate packet groups of multiple types.
In an exemplary embodiment of the disclosure, extracting the first-type packet group from the packet groups of multiple types comprises: extracting a Transport Layer Security protocol session packet group from the packet groups of multiple types.
In an exemplary embodiment of the disclosure, extracting the Transport Layer Security protocol session packet group from the packet groups of multiple types comprises: extracting the packet header information of the packet groups of multiple types; and extracting the Transport Layer Security protocol session packet group according to the packet header information.
In an exemplary embodiment of the disclosure, extracting the certificate and the server name indication information from the first-type packet group comprises: identifying the Client Hello message in the first-type packet group by means of a predetermined document; and extracting the server name indication information from the Client Hello message.
In an exemplary embodiment of the disclosure, extracting the certificate and the server name indication information from the first-type packet group further comprises: obtaining the Server Hello message associated with the Client Hello message; and extracting the certificate from the Server Hello message.
In an exemplary embodiment of the disclosure, determining from the certificate and the server name indication information whether the traffic data is abnormal traffic data comprises at least one of the following cases: when the certificate and the server name indication information are invalid fields, determining that the traffic data is abnormal traffic data; when certificate chain verification of the certificate fails, determining that the traffic data is abnormal traffic data; and when the domain name in the server name indication information is not contained in a predetermined position, determining that the traffic data is abnormal traffic data.
In an exemplary embodiment of the disclosure, determining that the traffic data is abnormal traffic data when certificate chain verification of the certificate fails comprises: verifying each level of certificate in the certificate chain in turn, up to the root certificate of the chain; and when verification of the certificate at any level fails during the verification process, determining that the traffic data is abnormal traffic data.
In an exemplary embodiment of the disclosure, determining that the traffic data is abnormal traffic data when the server name indication information is not contained in the predetermined position comprises: when the domain name in the server name indication information is not contained in the root certificate of the certificate chain, determining that the traffic data is abnormal traffic data.
According to one aspect of the disclosure, an abnormal traffic data monitoring device is proposed. The device comprises: a reassembly module, for reassembling the data packets in traffic data to generate packet groups of multiple types; a packet group extraction module, for extracting a first-type packet group from the packet groups of multiple types; an information extraction module, for extracting a certificate and server name indication information from the first-type packet group; and an abnormality judgement module, for determining, from the certificate and the server name indication information, whether the traffic data is abnormal traffic data.
According to one aspect of the disclosure, an electronic device is proposed. The electronic device comprises: one or more processors; and a storage device for storing one or more programs; when the one or more programs are executed by the one or more processors, the one or more processors implement the method described above.
According to one aspect of the disclosure, a computer-readable medium is proposed, on which a computer program is stored; when the program is executed by a processor, the method described above is implemented.
According to the abnormal traffic data monitoring method, device, electronic equipment and computer-readable medium of the disclosure, advanced persistent threats in traffic data can be detected.
It should be understood that the above general description and the following detailed description are merely exemplary and do not limit the disclosure.
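The three abnormality rules listed above, applied to fields already parsed out of a TLS session, as an added example that is not part of the patent. It assumes the parsed fields arrive as a small record (the SNI host name, the DNS names found in the server certificate, and the result of chain verification); the name match follows the RFC 6125 wildcard rule (a `*` only as the whole left-most label), which is my choice, since the patent text only says the SNI domain must be contained in the certificate.

```python
"""Added example (not the patent's code): evaluate the three abnormality rules
of the summary over fields already extracted from one TLS session."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class TlsSessionFacts:
    """Constructed input record; a real deployment fills it from the handshake."""
    sni: Optional[str]          # host name from the Client Hello, None if absent
    cert_names: List[str]       # DNS names from the server certificate (SAN / CN)
    chain_ok: bool              # result of verifying every level up to the root
    present_cert: bool = True   # False when no certificate was seen at all


def _valid_hostname(name: str) -> bool:
    """Rule 1 helper: reject empty, oversized or non-hostname SNI values."""
    if not name or len(name) > 253 or name.endswith("."):
        return False
    labels = name.split(".")
    return all(
        0 < len(label) <= 63 and all(c.isalnum() or c == "-" for c in label)
        for label in labels
    )


def hostname_matches(pattern: str, host: str) -> bool:
    """Case-insensitive match of one certificate DNS name against the SNI host.
    A wildcard is accepted only as the entire left-most label and may not
    stand in for the top-level domain (RFC 6125 style)."""
    pattern, host = pattern.lower(), host.lower()
    if "*" not in pattern:
        return pattern == host
    head, sep, tail = pattern.partition(".")
    if head != "*" or not sep or "*" in tail or tail.count(".") < 1:
        return False
    host_head, host_sep, host_tail = host.partition(".")
    return bool(host_sep) and host_head != "" and host_tail == tail


def classify(facts: TlsSessionFacts) -> List[str]:
    """Return the rules the session violates; an empty list means not abnormal."""
    reasons = []
    sni_usable = facts.sni is not None and _valid_hostname(facts.sni)
    # Rule 1: certificate or SNI missing / invalid field
    if not facts.present_cert or not sni_usable:
        reasons.append("invalid_field")
    # Rule 2: any level of the chain failed verification
    if not facts.chain_ok:
        reasons.append("chain_verification_failed")
    # Rule 3: the SNI domain is not covered by any name in the certificate
    if sni_usable and not any(hostname_matches(n, facts.sni) for n in facts.cert_names):
        reasons.append("sni_not_in_certificate")
    return reasons


def is_abnormal(facts: TlsSessionFacts) -> bool:
    return bool(classify(facts))


if __name__ == "__main__":
    good = TlsSessionFacts("www.example.com", ["*.example.com"], True)
    bad = TlsSessionFacts("login.example.com", ["www.example.org"], False)
    print(classify(good), classify(bad))
```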
Description of the drawings
The above and other objects, features and advantages of the disclosure will become more apparent from the detailed description of its example embodiments with reference to the accompanying drawings. The drawings described below are only some embodiments of the disclosure; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of an abnormal traffic data monitoring method in the prior art.
Fig. 2 is a system schematic diagram of an abnormal traffic data monitoring method and device according to an exemplary embodiment.
Fig. 3 is a schematic diagram of an application scenario of an abnormal traffic data monitoring method and device according to an exemplary embodiment.
Fig. 4 is a flow chart of an abnormal traffic data monitoring method according to an exemplary embodiment.
Fig. 5 is a flow chart of an abnormal traffic data monitoring method according to another exemplary embodiment.
Fig. 6 is a schematic diagram of an abnormal traffic data monitoring method according to another exemplary embodiment.
Fig. 7 is a flow chart of an abnormal traffic data monitoring method according to another exemplary embodiment.
Fig. 8 is a block diagram of an abnormal traffic data monitoring device according to an exemplary embodiment.
Fig. 9 is a block diagram of an electronic device according to an exemplary embodiment.
Fig. 10 is a schematic diagram of a computer-readable storage medium according to an exemplary embodiment.
Detailed description of the embodiments
Example embodiments will now be described more fully with reference to the accompanying drawings. However, example embodiments can be implemented in many forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided so that the disclosure will be thorough and complete and will fully convey the concept of the example embodiments to those skilled in the art. The same reference numerals in the figures denote the same or similar parts, and repeated description of them is omitted.
In addition, the described features, structures or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, many specific details are provided to give a full understanding of the embodiments of the disclosure. However, those skilled in the art will appreciate that the technical solution of the disclosure may be practised without one or more of these specific details, or with other methods, components, devices, steps and so on. In other cases, well-known methods, devices, implementations or operations are not shown or described in detail so as not to obscure aspects of the disclosure.
The block diagrams shown in the drawings are merely functional entities and do not necessarily correspond to physically separate entities. That is, these functional entities may be implemented in software, in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.
The flow charts shown in the drawings are merely illustrative; they need not include all contents and operations/steps, nor be executed in the order described. For example, some operations/steps may be decomposed, and some may be merged or partly merged, so the order actually executed may change according to the actual situation.
It should be understood that although the terms first, second, third, etc. may be used herein to describe various components, these components should not be limited by these terms. These terms are used to distinguish one component from another. Thus, a first component discussed below could be termed a second component without departing from the teachings of the disclosure. As used herein, the term "and/or" includes any and all combinations of one or more of the associated listed items.
Those skilled in the art will understand that the drawings are schematic diagrams of example embodiments; the modules or processes in the drawings are not necessarily required to implement the disclosure and therefore cannot be used to limit its scope of protection.
The inventors of the present application found that, as shown in Fig. 1, current APT attack detection strategies based on network traffic are mainly active vulnerability scanning for APT attack discovery; enterprises generally deploy firewalls and IDS at the office-area gateway and the server exit to guard against APT attacks. Inbound and outbound traffic is audited to judge whether malicious behaviour exists, for example by auditing internet access logs, setting white lists of accessible destinations in the traffic policy, setting domain name blacklists and blacklisted IPs, and so on, to judge whether the current network is abnormal. Specifically, this can be divided into the following several means:
IDS (Intrusion Detection System; a TCP-layer traffic blacklist mode). An IDS is a network security device or application that monitors network transmissions or systems, checks whether suspicious activity or violations of enterprise policy exist, and raises an alarm or takes active countermeasures when such activity is detected. The IDS mode mainly works by analysing the traffic behaviour of malware and establishing a blacklist of malware traffic policies, such as certain characters, certain markers or certain segments of text contained in TCP (Transmission Control Protocol) packets. By analysing TCP-layer network traffic it detects whether malicious attack behaviour exists, and alerts when a policy is hit.
Threat intelligence IOC (Indicator of Compromise; an application-layer blacklist mode). The threat intelligence IOC mode performs APT policy detection by analysing malware or the intelligence from various vendors, such as blacklisted domain names, blacklisted IPs, blacklisted URLs or file hashes. By dynamically configured monitoring of the domain names accessed by users or by IDC machines, it is judged whether known APT attacks exist. Here, IDC is an Internet Data Center, which provides computer room environments, internet communication lines and bandwidth resources, server hosting or rental, and related value-added services.
Firewall (white list mode). By configuring network ACLs (Access Control Lists), white-list control is applied: only trusted websites may be accessed, which prevents any threat that may be present but causes inconvenience to users' internet use.
The implementations of the above several active-scanning APT detection means cannot audit encrypted traffic data. This is because traditional IDS and firewalls all target plaintext traffic: traffic that is in plaintext or carries special markers can be monitored, but once encrypted it can no longer be monitored and audited;
The implementations of the above several means are delayed and lagging in their detection, so new attack behaviour cannot be discovered in time. This is because the monitoring and inspection policies depend on updates from security vendors; updates have a certain time delay, and details are generally announced only after an event becomes known, after which the policy is updated.
In view of the above technical defects, the present application proposes an abnormal traffic data monitoring method. Targeting the characteristic that APT attacks use SSL (Secure Sockets Layer) encrypted communication channels, when an SSL-encrypted communication protocol is obtained in the network traffic, the corresponding SNI (Server Name Indication information) and certificate are obtained at the same time, and abnormal traffic monitoring is carried out by checking the validity of the certificate and whether the SNI matches the content of the certificate.
Fig. 2 is a system schematic diagram of an abnormal traffic data monitoring method according to an exemplary embodiment.
As shown in Fig. 2, the system architecture 200 may include terminal devices 201, 202, 203, a network 204, traffic monitoring equipment 205 and a server 206. The network 204 is the medium that provides communication links between the terminal devices 201, 202, 203, the traffic monitoring equipment 205 and the server 206. The network 204 may include various connection types, such as wired or wireless communication links or fibre optic cables.
Users may use the terminal devices 201, 202, 203 to interact with the traffic monitoring equipment 205 and the server 206 through the network 204, to receive or send messages and so on. Various communication client applications may be installed on the terminal devices 201, 202, 203, such as shopping applications, web browser applications, search applications, instant messaging tools, mail clients, social platform software and so on.
The terminal devices 201, 202, 203 may be various electronic devices with a display screen that support web browsing, including but not limited to smartphones, tablet computers, laptop computers and desktop computers.
The traffic monitoring equipment 205 may be, for example, equipment with traffic mirroring and traffic optical-splitting capability; the traffic monitoring equipment 205 is used to obtain the traffic data of the terminal devices 201, 202, 203.
The server 206 may, for example, obtain traffic data through the traffic monitoring equipment 205; the server 206 may, for example, reassemble the data packets in the traffic data to generate packet groups of multiple types; extract a first-type packet group from the packet groups of multiple types; extract a certificate and server name indication information from the first-type packet group; and determine, from the certificate and the server name indication information, whether the traffic data is abnormal traffic data.
The server 206 may be a single physical server or, for example, a composition of multiple servers. It should be noted that the abnormal traffic data monitoring method provided by the embodiments of the disclosure may be executed by the server 206, and correspondingly the abnormal traffic data monitoring device may be arranged in the server 206, while the page end through which users browse web pages is normally located in the terminal devices 201, 202, 203.
Fig. 3 is a schematic diagram of an application scenario of an abnormal traffic data monitoring method and device according to an exemplary embodiment.
A user accesses the network through an electronic device, and the user's network data is transmitted over the Ethernet through a gateway. The abnormal traffic data monitoring device of the application can obtain the user's traffic data at the gateway by means of mirroring or optical splitting, and then process the traffic data. The processed data is sent to a policy centre for abnormal traffic judgement, and when the traffic is judged to contain an abnormality, security alarm information may further be generated.
For example, further security protection processing may also be applied, according to the user identity information in the abnormal traffic data, to the electronic device used by the user, such as temporarily disconnecting that user's network access; the application is not limited in this respect.
According to the abnormal traffic data monitoring method and device of the disclosure, the data packets in traffic data are reassembled to generate packet groups of multiple types; a first-type packet group is extracted from the packet groups of multiple types; and the certificate and server name indication information in the first-type packet group determine whether the traffic data is abnormal traffic data. In this way it is judged whether an APT attack exists in the network, so that advanced persistent threats in traffic data can be detected.
Fig. 4 is a flow chart of an abnormal traffic data monitoring method according to an exemplary embodiment. The abnormal traffic data monitoring method 40 includes at least steps S402 to S408.
As shown in Fig. 4, in S402, the data packets in the traffic data are reassembled to generate packet groups of multiple types. The traffic data may be obtained at the gateway by means of traffic mirroring and traffic optical splitting.
In one embodiment, traffic mirroring may be realised by gateway port mirroring. Port mirroring is a mode in which the messages of a specified port (the source port) are copied to another port (the destination port); the destination port is connected to other data monitoring equipment, which analyses the messages copied to the destination port for network monitoring and troubleshooting. In the embodiments of the present application, the direction of traffic mirroring is bidirectional, namely inbound traffic mirroring and outbound traffic mirroring. Inbound traffic mirroring mirrors the messages received from the source port; outbound traffic mirroring mirrors only the messages sent out from the source port.
In one embodiment, traffic optical splitting may be realised by an optical splitter, a passive device also called a beam splitter. An optical splitter is a fibre-optic tandem device with multiple inputs and multiple outputs, commonly used for optical signal coupling, branching and distribution. In the network of the embodiments of the present application, the optical splitter serves as a dedicated probe for monitoring signalling: it can capture the raw traffic data and, in cooperation with the subsequent data processing system, assist in real-time monitoring and deep fault location in the network.
In one embodiment, reassembling the data packets in the traffic data to generate packet groups of multiple types comprises reassembling the Transmission Control Protocol (TCP) data packets in the traffic data to generate packet groups of multiple types. Data in the network exists in the form of TCP data packets; TCP is a connection-oriented, reliable, byte-stream-based transport layer communication protocol. When data in the network is transmitted by TCP, it is divided into the data blocks that TCP considers most suitable for sending. Therefore, in the embodiments of the present application, after network data is obtained, the TCP data packets in the network data must first be reassembled to recover the original data information.
The general process by which TCP transmits data is as follows: after TCP sends a data block, it starts a timer and waits for the destination to acknowledge receipt of the block. If an acknowledgement cannot be received in time, the block is retransmitted. When TCP receives data from the other end of the TCP connection, it sends an acknowledgement. TCP maintains a checksum over the header and data; this is an end-to-end checksum whose purpose is to detect any change to the data during transmission. If the checksum of a received segment is wrong, TCP discards the segment and does not acknowledge it. In the embodiments of the present application, after the traffic data is received, the data blocks received through TCP are re-sequenced, the received data is reassembled in the correct order, and subsequent data analysis is performed on the sorted and reassembled data.
In one embodiment, for example, the TCP lower-layer data packets may be reassembled. After the TCP data packets are reassembled, packet groups of different types may be generated. A data packet is mainly composed of parts such as "destination IP address", "source IP address" and "payload data", i.e. a packet header and a packet body; the header has a fixed length and the body a variable length, and each field length is fixed, so the header structure of the request packet and the reply packet of the two sides is consistent, differing only in the definition of the body. The destination IP address indicates to whom the packet is sent; the source IP address indicates where the packet comes from; and the payload data is the specific content. It is precisely because data packets have this structure that computers with the TCP/IP protocol installed can communicate with each other. Different users or network protocol parties each have their own packet grouping rules, and the application is not limited in this respect.
As shown in figure 4, in S404, by extracting first kind group packet in a plurality of types of groups of packets.First kind group packet can For example, TLS group is wrapped.
According to described above, the characteristics of carrying out data encryption using SSL in APT attack process, extracting includes SSL encryption The TLS group packet of relevant information carries out subsequent processing.Wherein, SSL is that one kind of safety and data integrity is provided for network communication Security protocol.Ssl protocol provides safe support between ICP/IP protocol and various application layer protocols, for data communication.SSL Agreement can be divided into two layers: SSL record protocol (SSL Record Protocol): establish reliable transport protocol (such as TCP) it On, the support of the basic functions such as data encapsulation, compression, encryption is provided for upper-layer protocol.Ssl handshake protocol (SSL Handshake Protocol): establishing on SSL record protocol, for before the transmission of actual data starts, communication two party progress identity to be recognized Card, consulted encryption algorithm, exchange encryption key etc..
It in one embodiment, include: to extract by extracting secure transport layer protocol conversation group in a plurality of types of groups of packets The header packet information of a plurality of types of groups of packets;And secure transport layer protocol conversation group packet is extracted according to header packet information.It can be for example, will It is determined as TLS group packet in TCP file with 1603 beginning group packets.
TLS (Transport Layer Security) aims to provide three basic guarantees for information transmission: encryption, authentication and data integrity. TLS is the successor to SSL.
As shown in Fig. 4, in S406, the certificate and the server name indication information are extracted from the first-type packet group. This comprises: determining the Client Hello message in the first-type packet group by a predetermined document; and extracting the server name indication information from the Client Hello message.
Before the client exchanges data over TLS, it needs to negotiate with the server to establish an encrypted channel. The negotiation covers the TLS version and the cipher suite, and the certificate is verified when necessary. Every negotiation requires round trips between the client and the server. The process of establishing the encrypted channel is as follows:
Server authentication phase: 1) the client sends a start message, Client Hello, to the server to begin a new session; 2) the server decides from the client's information whether a new master key needs to be generated, and if so answers the Client Hello with a Server Hello carrying the information needed to generate the master key; 3) the client generates a master key (in RSA key exchange, the pre-master secret from which the master secret is derived) from the server's response, encrypts it with the server's public key and sends it to the server; 4) the server recovers the master key and returns a message authenticated with it, by which the client authenticates the server.
Client authentication phase: by this point the server has already been authenticated by the client, and this phase authenticates the client. The authenticated server sends a challenge to the client, and the client returns the (digitally) signed challenge together with its public key, thereby providing authentication to the server. Client authentication is optional in TLS and most server deployments do not request it, so monitoring logic should not expect a client certificate to be present.
In one embodiment, the Client Hello message in the first-type packet group is determined by a predetermined document and the server name indication information is extracted from the Client Hello message. Specifically, the Client Hello packet can be identified according to RFC 5246 (Request for Comments, the TLS 1.2 specification), and according to the TLS packet structure the Server Name Indication (SNI) is taken from the server_name extension (extension type 0) in the extensions field.
In one embodiment, extracting the certificate and the server name indication information from the first-type packet group further comprises: obtaining the Server Hello message associated with the Client Hello message; and extracting the certificate from the Server Hello message. By associating the inbound and outbound directions of the connection, the Server Hello packet returned by the server is identified, and the certificate-related handshake information can be extracted from it according to the RFC document. In TLS 1.2 and earlier the certificate travels in the clear in the Certificate handshake message that follows the Server Hello in the server's flight; in TLS 1.3 that message is encrypted, so passive extraction of the certificate in this way is limited to TLS 1.2 and earlier.
As shown in Fig. 4, in S408, whether the traffic data is abnormal traffic data is determined from the certificate and the server name indication information. For example: when the certificate or the server name indication information is an invalid field, the traffic data is determined to be abnormal traffic data; when certificate chain verification of the certificate fails, the traffic data is determined to be abnormal traffic data; and when the domain name in the server name indication information is not included in a predetermined position, the traffic data is determined to be abnormal traffic data.
In one embodiment, whether the traffic data is abnormal traffic data can be judged by checking whether the certificate is valid, including whether it has expired and whether it is self-signed; by checking whether the destination server name is consistent with the certificate subject, that is, whether it is among the domain names the certificate subject covers; and by checking whether the certificate fields contain malicious patterns or characters.
In one embodiment, according to the above conditions, it is judged whether the destination address is in the list of domain names the certificate may be used for, or whether it is malicious; this may also be followed up by manual audit.
According to the abnormal traffic data monitoring method of the disclosure, by extracting the certificate and the server name indication information from the TLS packet group and thereby determining whether the traffic data is abnormal traffic data, it can be judged whether an APT attack exists in the network, and advanced persistent threats in the traffic data can be detected.
It should be clearly understood that the disclosure describes how to make and use particular examples, but the principles of the disclosure are not limited to any details of these examples. Rather, based on the teachings of the disclosure, these principles can be applied to many other embodiments.
In one embodiment, according to the TCP reassembly protocol, the TCP layer splits a large message received from the upper layer into segments before sending it. Excluding the Ethernet frame header and trailer, the maximum size of an IP datagram on a link is the MTU (Maximum Transmission Unit); for most local area networks using Ethernet, MTU = 1500 bytes. The maximum amount of data a TCP packet can carry in one segment is the MSS (Maximum Segment Size). To achieve optimal transmission efficiency, both sides negotiate the MSS when establishing the TCP connection; for example, the smaller of the MSS values offered by the two sides may be determined as the maximum MSS of the connection. With 20-byte IP and TCP headers and a 1500-byte MTU, the MSS is 1460 bytes.
Fig. 5 is a flowchart of an abnormal traffic data monitoring method according to another exemplary embodiment. Abnormal traffic data monitoring method 50 is a detailed description of the step "determining, from the certificate and the server name indication information, whether the traffic data is abnormal traffic data" in abnormal traffic data monitoring method 40. Abnormal traffic data monitoring method 50 may include steps S502 to S508.
In S502, the certificate and the server name indication information extracted from the first-type packet group are obtained. For example, the TLS session packet group is extracted from the traffic data according to the packet header information.
In S504, when the certificate or the server name indication information is an invalid field, the traffic data is determined to be abnormal traffic data. For example, the certificate is considered a valid field when the length of the certificate field is greater than 0, and the SNI is considered a valid field when the length of the SNI field is greater than 0.
In one embodiment, when the length of the certificate field is 0 (the certificate is absent or empty) or the length of the SNI field is 0, the traffic data is determined to be abnormal traffic data. In practice an absent SNI also occurs in benign traffic (legacy clients, connections to IP literals), so this rule is best treated as a weak indicator combined with the checks below.
In S506, when certificate chain verification of the certificate fails, the traffic data is determined to be abnormal traffic data. This comprises: verifying each level of certificate in the certificate chain in turn, up to the root certificate of the chain; and when verification of any level of certificate fails during the process, determining that the traffic data is abnormal traffic data.
Authentication is an important part of establishing every TLS connection. After all, TLS can set up an encrypted tunnel with any endpoint, including an attacker, so unless we can be sure that the party we are talking to is trustworthy, all the encryption work is in vain. Certificates are one way to prove that a host is trustworthy. A certificate authority (CA) is a trusted third party, and the certificates it issues are trusted. A certificate chain is a hierarchical structure made up of multiple certificates: the digital certificates in the chain are generated level by level, and each lower-level certificate is signed with the private key of the certificate above it. The upper certificate is therefore the issuer of the lower one; that is, the subject name of the upper-level certificate is the issuer name of the next-level certificate.
In one embodiment, a list of root certificates can be maintained by collating the data of the certificate authorities. A certificate authority may need to revoke a certificate, whether because the certificate's private key has been compromised, because the certificate authority itself has been breached, or for an ordinary reason such as certificate replacement or a change of issuing authority. To address this, a certificate itself carries the information needed to check whether it has been revoked (CRL distribution points or an OCSP responder URL). Therefore, to ensure that the trust chain is not affected by an attack, each node can check the status of each certificate together with its signature information.
As shown in Fig. 6, in one embodiment, certificate chain verification uses the CA public key of the next-higher certificate to verify the issuer's signature on the current certificate. If the verification succeeds, the current certificate was indeed issued by the upper-level CA; verification then continues with whether the upper-level CA certificate is itself trusted, level by level, until a trusted root certificate is reached.
In the certificate issuing process, after obtaining the necessary information from the certificate requester (the subject name and public key; the private key stays with the requester), the certificate issuer computes a digest of the certificate content and signs that digest with its own private key to obtain the digital signature. Combining this information, it produces the certificate, which contains the subject's public key and the issuer's signature; the corresponding private key is held separately by the subject.
For example, when verifying the validity of a certificate, the issuer certificate can be looked up level by level according to the content of the certificate chain until a self-signed root certificate is reached, and then the digital signature of each next-lower certificate is verified in turn with the corresponding public key.
In S508, when the domain name in the server name indication information is not included in a predetermined position, the traffic data is determined to be abnormal traffic data.
In one embodiment, when the domain name in the server name indication information is not included in the top-level certificate of the certificate chain (the first certificate as sent, which is the server's own end-entity certificate), the traffic data is determined to be abnormal traffic data. Specifically, according to the method above, the certificate chain is split and the certificate fields of the first certificate, such as subject, validity period and issuer, are taken out. Whether the SNI domain name is among the domain names covered by the subject of that certificate is judged; if the SNI domain name is not among the domain names in the subject of the top-level certificate, the traffic data is determined to be abnormal traffic data. In current practice the names a server certificate covers are listed in the subjectAltName extension rather than only in the subject common name, so the comparison should include subjectAltName, with single-label wildcard matching.
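The three decisions of S504 to S508, as an added example that is not the patent's code: an empty SNI or certificate field, a certificate chain that fails to verify (expiry, issuer/subject mismatch, bad signature, untrusted root), and an SNI that the server's end-entity certificate does not cover. Real deployments verify X.509 signatures with a library such as OpenSSL; here the CA signature is a textbook-RSA signature over a SHA-256 digest, with moduli built from Mersenne primes so the chain walk runs offline without key generation. That signature scheme, the certificate fields, the names, the trust store and the timestamps are all assumptions of the example, and the scheme is not secure.

```python
# Added example (not the patent's code). Toy signatures; constructed sample chain.
import hashlib
from dataclasses import dataclass

E = 65537

def toy_keypair(p: int, q: int):
    """Textbook RSA from two Mersenne primes: (public modulus, private exponent). NOT secure."""
    n = p * q
    return n, pow(E, -1, (p - 1) * (q - 1))

ROOT_N, ROOT_D = toy_keypair(2**127 - 1, 2**521 - 1)
INT_N, INT_D = toy_keypair(2**107 - 1, 2**607 - 1)

@dataclass
class Cert:
    subject: str
    issuer: str
    names: tuple          # host names the certificate covers (CN / subjectAltName)
    not_after: int        # expiry as a Unix timestamp
    pub_n: int            # subject's public modulus
    signature: int = 0    # issuer's signature over the to-be-signed fields

    def tbs_digest(self) -> int:
        tbs = f"{self.subject}|{self.issuer}|{','.join(self.names)}|{self.not_after}|{self.pub_n}"
        return int.from_bytes(hashlib.sha256(tbs.encode()).digest(), "big")

def sign(cert: Cert, issuer_n: int, issuer_d: int) -> Cert:
    cert.signature = pow(cert.tbs_digest(), issuer_d, issuer_n)
    return cert

def signature_ok(cert: Cert, issuer_n: int) -> bool:
    return pow(cert.signature, E, issuer_n) == cert.tbs_digest()

def verify_chain(chain, trusted_roots, now):
    """S506: walk leaf -> root. Each level must be unexpired, name the next level as its
    issuer and carry that level's signature; the last level must be a trusted root."""
    if not chain:
        return False, "empty chain"
    for i, cert in enumerate(chain):
        issuer = chain[i + 1] if i + 1 < len(chain) else cert      # the root signs itself
        if now > cert.not_after:
            return False, f"{cert.subject} expired"
        if cert.issuer != issuer.subject:
            return False, f"{cert.subject}: issuer {cert.issuer!r} is not {issuer.subject!r}"
        if not signature_ok(cert, issuer.pub_n):
            return False, f"{cert.subject}: bad signature"
    root = chain[-1]
    if trusted_roots.get(root.subject) != root.pub_n:
        return False, f"root {root.subject!r} not trusted"
    return True, "ok"

def name_matches(sni: str, names) -> bool:
    """RFC 6125 style: exact match, or a single-label wildcard in the leftmost position."""
    labels = sni.lower().split(".")
    for n in names:
        n = n.lower()
        if n == sni.lower():
            return True
        if n.startswith("*.") and len(labels) > 2 and labels[1:] == n[2:].split("."):
            return True
    return False

def classify_flow(sni, chain, trusted_roots, now) -> str:
    if not sni or not chain:                                  # S504: empty field
        return "abnormal: empty SNI or certificate"
    ok, why = verify_chain(chain, trusted_roots, now)         # S506: chain verification
    if not ok:
        return "abnormal: chain verification failed: " + why
    if not name_matches(sni, chain[0].names):                 # S508: SNI vs. end-entity cert
        return "abnormal: SNI not covered by server certificate"
    return "normal"

# Constructed sample: self-signed root -> issuing CA -> leaf for example.com. The leaf's
# own key is never used for signing here, so its modulus is an arbitrary placeholder.
NOW = 1_700_000_000
ROOT = sign(Cert("Example Root CA", "Example Root CA", (), NOW + 10**8, ROOT_N), ROOT_N, ROOT_D)
INTER = sign(Cert("Example Issuing CA", "Example Root CA", (), NOW + 10**7, INT_N), ROOT_N, ROOT_D)
LEAF = sign(Cert("www.example.com", "Example Issuing CA", ("www.example.com", "*.example.com"),
                 NOW + 10**6, 12345), INT_N, INT_D)
TRUSTED = {"Example Root CA": ROOT_N}
GOOD_CHAIN = [LEAF, INTER, ROOT]
# A lone self-signed certificate of the kind the text associates with APT implants.
SELF_SIGNED = sign(Cert("update.evil.test", "update.evil.test", ("update.evil.test",),
                        NOW + 10**6, INT_N), INT_N, INT_D)

if __name__ == "__main__":
    print(classify_flow("www.example.com", GOOD_CHAIN, TRUSTED, NOW))
    print(classify_flow("update.evil.test", [SELF_SIGNED], TRUSTED, NOW))
```

The self-signed case is rejected not because self-signing is itself detectable from the signature (it verifies fine under the certificate's own key) but because the terminating certificate is not in the trust store, which is the check that matters; the same walk rejects an expired intermediate or a leaf whose fields were altered after signing.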
Fig. 7 is a flowchart of an abnormal traffic data monitoring method according to another exemplary embodiment. Abnormal traffic data monitoring method 70 is an exemplary illustration of the overall process of the abnormal traffic data monitoring method in this application.
In S702, TCP packets are obtained.
In S704, the data is processed to obtain the TLS packet group.
In S706, the certificate and the server name indication information are extracted.
In S708, it is judged whether the data traffic is abnormal traffic.
In S710, if it is abnormal traffic, push information (an alert) is generated.
In S712, if it is normal traffic, subsequent processing is carried out.
In S714, the detection ends.
The preprocessing of the network traffic data may include data computation, baseline analysis, invalid-data filtering, encrypted-data selection and so on.
Baseline analysis compares the current network traffic with the traffic of the same historical period, to judge preliminarily whether there is an anomaly in the current traffic.
Encrypted-data selection may, for example, extract the TLS session packet group.
Faced with malicious APT attacks that use SSL encryption, the abnormal traffic data monitoring method of the disclosure can analyse the SSL-encrypted traffic and identify suspicious APT attacks in the outbound traffic.
According to the abnormal traffic data monitoring method of the disclosure, abnormal access in encrypted traffic can be discovered proactively; the use of self-signed, invalid or expired certificates in APT attacks can be recognised, and traffic that forges SSL communication can also be recognised.
Those skilled in the art will appreciate that all or part of the steps of the above embodiments may be implemented as a computer program executed by a CPU. When the computer program is executed by the CPU, the functions defined by the above method provided by the disclosure are performed. The program may be stored in a computer-readable storage medium, which may be a read-only memory, a magnetic disk, an optical disc or the like.
Further, it should be noted that the above drawings are merely schematic illustrations of the processing included in the methods according to the exemplary embodiments of the disclosure and are not intended to be limiting. It will be readily understood that the processing shown in the drawings does not indicate or limit the chronological order of these processes. It will also be readily understood that these processes may, for example, be executed synchronously or asynchronously in a plurality of modules.
The following are apparatus embodiments of the disclosure, which may be used to carry out the method embodiments of the disclosure. For details not disclosed in the apparatus embodiments, please refer to the method embodiments of the disclosure.
Fig. 8 is a block diagram of an abnormal traffic data monitoring apparatus according to an exemplary embodiment. Abnormal traffic data monitoring apparatus 80 comprises: reassembly module 802, packet group extraction module 804, information extraction module 806 and abnormality judgment module 808.
Reassembly module 802 is configured to reassemble the packets in the traffic data to generate packet groups of multiple types. The traffic data may be obtained at a gateway by traffic mirroring or optical splitting, and the transmission control protocol (TCP) packets in the traffic data are reassembled to generate packet groups of multiple types.
Packet group extraction module 804 is configured to extract a first-type packet group from the packet groups of multiple types. The first-type packet group may be, for example, a TLS packet group.
Information extraction module 806 is configured to extract the certificate and the server name indication information from the first-type packet group. This comprises: determining the Client Hello message in the first-type packet group by a predetermined document; and extracting the server name indication information from the Client Hello message.
Abnormality judgment module 808 is configured to determine, from the certificate and the server name indication information, whether the traffic data is abnormal traffic data. For example: when the certificate or the server name indication information is an invalid field, the traffic data is determined to be abnormal traffic data; when certificate chain verification of the certificate fails, the traffic data is determined to be abnormal traffic data; and when the domain name in the server name indication information is not included in a predetermined position, the traffic data is determined to be abnormal traffic data.
According to the abnormal traffic data monitoring apparatus of the disclosure, by extracting the certificate and the server name indication information from the TLS packet group and thereby determining whether the traffic data is abnormal traffic data, it can be judged whether an APT attack exists in the network, and advanced persistent threats in the traffic data can be detected.
Fig. 9 is a block diagram of an electronic device according to an exemplary embodiment.
Electronic device 900 according to this embodiment of the disclosure is described below with reference to Fig. 9. The electronic device 900 shown in Fig. 9 is only an example and should not impose any limitation on the functions and scope of use of the embodiments of the disclosure.
As shown in Fig. 9, electronic device 900 takes the form of a general-purpose computing device. The components of electronic device 900 may include, but are not limited to: at least one processing unit 910, at least one storage unit 920, a bus 930 connecting the different system components (including storage unit 920 and processing unit 910), a display unit 940, and so on.
The storage unit stores program code that can be executed by processing unit 910, so that processing unit 910 performs the steps according to the various exemplary embodiments of the disclosure described above in the abnormal traffic data monitoring method part of this specification. For example, processing unit 910 may perform the steps shown in Fig. 4, Fig. 5 and Fig. 7.
Storage unit 920 may include readable media in the form of volatile memory units, such as random access memory (RAM) 9201 and/or cache memory 9202, and may further include a read-only memory (ROM) 9203.
Storage unit 920 may also include a program/utility 9204 having a set of (at least one) program modules 9205. Such program modules 9205 include, but are not limited to: an operating system, one or more application programs, other program modules and program data; each of these examples, or some combination of them, may include an implementation of a network environment.
Bus 930 may represent one or more of several kinds of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus architectures.
Electronic device 900 may also communicate with one or more external devices 900' (such as a keyboard, pointing device, Bluetooth device, etc.), with one or more devices that enable a user to interact with electronic device 900, and/or with any device (such as a router, modem, etc.) that enables electronic device 900 to communicate with one or more other computing devices. Such communication may take place through an input/output (I/O) interface 950. Electronic device 900 may also communicate with one or more networks (such as a local area network (LAN), a wide area network (WAN) and/or a public network such as the Internet) through network adapter 960. Network adapter 960 may communicate with the other modules of electronic device 900 via bus 930. It should be understood that, although not shown in the figure, other hardware and/or software modules may be used in conjunction with electronic device 900, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, data backup storage systems, and so on.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described here may be implemented in software, or in software combined with the necessary hardware. Accordingly, the technical solution according to the embodiments of the disclosure may be embodied in the form of a software product, which may be stored on a non-volatile storage medium (which may be a CD-ROM, USB flash drive, removable hard disk, etc.) or on a network, and which includes instructions that cause a computing device (which may be a personal computer, a server, a network device, etc.) to perform the above method according to the embodiments of the disclosure.
Fig. 10 schematically shows a computer-readable storage medium in an exemplary embodiment of the disclosure.
Referring to Fig. 10, a program product 1000 for implementing the above method according to an embodiment of the disclosure is described. It may take the form of a portable compact disc read-only memory (CD-ROM), include program code, and run on a terminal device such as a personal computer. However, the program product of the disclosure is not limited to this; in this document a readable storage medium may be any tangible medium that contains or stores a program that can be used by, or in connection with, an instruction execution system, apparatus or device.
Program code for carrying out the operations of the disclosure may be written in any combination of one or more programming languages, including object-oriented programming languages such as Java and C++, as well as conventional procedural programming languages such as the "C" language or similar languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. Where a remote computing device is involved, it may be connected to the user's computing device through any kind of network, including a local area network (LAN) or a wide area network (WAN), or may be connected to an external computing device (for example, through the Internet using an Internet service provider).
The above computer-readable medium carries one or more programs which, when executed by a device, cause the device to perform the following functions: reassembling the packets in traffic data to generate packet groups of multiple types; extracting a first-type packet group from the packet groups of multiple types; extracting a certificate and server name indication information from the first-type packet group; and determining, from the certificate and the server name indication information, whether the traffic data is abnormal traffic data.
The exemplary embodiments of the disclosure have been shown and described in detail above. It should be understood that the disclosure is not limited to the detailed structures, arrangements or implementation methods described here; rather, the disclosure is intended to cover the various modifications and equivalent arrangements that fall within the spirit and scope of the appended claims.
In addition, the structures, proportions, sizes and the like shown in the drawings of this specification are provided only to accompany the content disclosed in the specification for the understanding and reading of those skilled in the art, and are not intended to limit the conditions under which the disclosure can be implemented; they therefore have no technical significance, and any modification of structure, change of proportion or adjustment of size that does not affect the technical effect and purpose achievable by the disclosure should still fall within the scope covered by the technical content disclosed herein. Likewise, terms such as "upper", "first", "second" and "one" cited in this specification are used only for convenience of description and not to limit the scope in which the disclosure can be implemented; changes or adjustments to their relative relationships, without substantive change to the technical content, are also to be considered within the scope in which the disclosure can be implemented.

Claims (13)

1. An abnormal traffic data monitoring method, characterised by comprising:
reassembling packets in traffic data to generate packet groups of multiple types;
extracting a first-type packet group from the packet groups of multiple types;
extracting a certificate and server name indication information from the first-type packet group; and
determining, from the certificate and the server name indication information, whether the traffic data is abnormal traffic data.
2. The method of claim 1, characterised by further comprising:
obtaining the traffic data at a gateway by means of mirroring or optical splitting.
3. The method of claim 1, characterised in that reassembling the packets in the traffic data to generate packet groups of multiple types comprises:
reassembling transmission control protocol packets in the traffic data to generate the packet groups of multiple types.
4. The method of claim 1, characterised in that extracting a first-type packet group from the packet groups of multiple types comprises:
extracting a secure transport layer protocol session packet group from the packet groups of multiple types.
5. The method of claim 4, characterised in that extracting a secure transport layer protocol session packet group from the packet groups of multiple types comprises:
extracting header information of the packet groups of multiple types; and
extracting the secure transport layer protocol session packet group according to the header information.
6. The method of claim 1, characterised in that extracting a certificate and server name indication information from the first-type packet group comprises:
determining a Client Hello message in the first-type packet group by a predetermined document; and
extracting the server name indication information from the Client Hello message.
7. The method of claim 6, characterised in that extracting a certificate and server name indication information from the first-type packet group further comprises:
obtaining a Server Hello message associated with the Client Hello message; and
extracting the certificate from the Server Hello message.
8. The method of claim 1, characterised in that determining, from the certificate and the server name indication information, whether the traffic data is abnormal traffic data comprises at least one of the following:
when the certificate and the server name indication information are invalid fields, determining that the traffic data is abnormal traffic data;
when certificate chain verification of the certificate fails, determining that the traffic data is abnormal traffic data; and
when the domain name in the server name indication information is not included in a predetermined position, determining that the traffic data is abnormal traffic data.
9. The method of claim 8, characterised in that, when certificate chain verification of the certificate fails, determining that the traffic data is abnormal traffic data comprises:
verifying each level of certificate in the certificate chain in turn, up to the root certificate of the certificate chain; and
when verification of any level of certificate fails during the verification process, determining that the traffic data is abnormal traffic data.
10. The method of claim 8, characterised in that, when the domain name in the server name indication information is not included in a predetermined position, determining that the traffic data is abnormal traffic data comprises:
when the domain name in the server name indication information is not included in the root certificate of the certificate chain, determining that the traffic data is abnormal traffic data.
11. An abnormal traffic data monitoring apparatus, characterised by comprising:
a reassembly module, configured to reassemble packets in traffic data to generate packet groups of multiple types;
a packet group extraction module, configured to extract a first-type packet group from the packet groups of multiple types;
an information extraction module, configured to extract a certificate and server name indication information from the first-type packet group; and
an abnormality judgment module, configured to determine, from the certificate and the server name indication information, whether the traffic data is abnormal traffic data.
12. An electronic device, characterised by comprising:
one or more processors; and
a storage device for storing one or more programs;
wherein, when the one or more programs are executed by the one or more processors, the one or more processors implement the method of any one of claims 1 to 10.
13. A computer-readable medium on which a computer program is stored, characterised in that the program, when executed by a processor, implements the method of any one of claims 1 to 10.
CN201811166760.4A 2018-10-08 2018-10-08 Flow data monitoring method and device, electronic equipment and computer readable medium Active CN110198297B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811166760.4A CN110198297B (en) 2018-10-08 2018-10-08 Flow data monitoring method and device, electronic equipment and computer readable medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811166760.4A CN110198297B (en) 2018-10-08 2018-10-08 Flow data monitoring method and device, electronic equipment and computer readable medium

Publications (2)

Publication Number Publication Date
CN110198297A true CN110198297A (en) 2019-09-03
CN110198297B CN110198297B (en) 2022-02-22

Family

ID=67751150

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811166760.4A Active CN110198297B (en) 2018-10-08 2018-10-08 Flow data monitoring method and device, electronic equipment and computer readable medium

Country Status (1)

Country Link
CN (1) CN110198297B (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111291369A (en) * 2020-01-20 2020-06-16 北京无限光场科技有限公司 Information detection method and electronic equipment
CN113645176A (en) * 2020-05-11 2021-11-12 北京观成科技有限公司 Method and device for detecting counterfeit flow and electronic equipment
CN113992410A (en) * 2021-10-28 2022-01-28 北京永信至诚科技股份有限公司 Private encrypted data identification method and system
CN113992699A (en) * 2021-10-28 2022-01-28 上海格尔安全科技有限公司 Cross-network full-flow data supervision method based on network card mirror image
CN114449064A (en) * 2022-01-26 2022-05-06 普联技术有限公司 Application identification method and device for TLS encrypted traffic and application identification equipment
CN115549980A (en) * 2022-09-13 2022-12-30 应急管理部大数据中心 Network flow auditing device and method for protocol re-editing
CN116471125A (en) * 2023-06-19 2023-07-21 杭州美创科技股份有限公司 Encryption database flow auditing method, device, computer equipment and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102571770A (en) * 2011-12-27 2012-07-11 北京神州绿盟信息安全科技股份有限公司 Man-in-the-middle attack detection method, device, server and system
CN103825887A (en) * 2014-02-14 2014-05-28 深信服网络科技(深圳)有限公司 Hypertext transfer protocol over secure socket layer (HTTPS) encryption-based web filtering method and system
CN104954315A (en) * 2014-03-24 2015-09-30 北京奇虎科技有限公司 Method and device capable of improving access security of secure socket layer
CN106603519A (en) * 2016-12-07 2017-04-26 中国科学院信息工程研究所 SSL/TLS encrypted malicious service discovery method based on certificate characteristic generalization and server change behavior
CN108156160A (en) * 2017-12-27 2018-06-12 杭州迪普科技股份有限公司 Connect method for building up and device

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111291369A (en) * 2020-01-20 2020-06-16 北京无限光场科技有限公司 Information detection method and electronic equipment
CN111291369B (en) * 2020-01-20 2022-05-20 北京无限光场科技有限公司 Information detection method and electronic equipment
CN113645176A (en) * 2020-05-11 2021-11-12 北京观成科技有限公司 Method and device for detecting counterfeit flow and electronic equipment
CN113645176B (en) * 2020-05-11 2023-08-08 北京观成科技有限公司 Method and device for detecting fake flow and electronic equipment
CN113992410A (en) * 2021-10-28 2022-01-28 北京永信至诚科技股份有限公司 Private encrypted data identification method and system
CN113992699A (en) * 2021-10-28 2022-01-28 上海格尔安全科技有限公司 Cross-network full-flow data supervision method based on network card mirror image
CN114449064A (en) * 2022-01-26 2022-05-06 普联技术有限公司 Application identification method and device for TLS encrypted traffic and application identification equipment
CN114449064B (en) * 2022-01-26 2023-12-29 普联技术有限公司 Application identification method and device for TLS encrypted traffic and application identification equipment
CN115549980A (en) * 2022-09-13 2022-12-30 应急管理部大数据中心 Network flow auditing device and method for protocol re-editing
CN115549980B (en) * 2022-09-13 2023-04-18 应急管理部大数据中心 Network flow auditing device and method for protocol re-editing
CN116471125A (en) * 2023-06-19 2023-07-21 杭州美创科技股份有限公司 Encryption database flow auditing method, device, computer equipment and storage medium
CN116471125B (en) * 2023-06-19 2023-09-08 杭州美创科技股份有限公司 Encryption database flow auditing method, device, computer equipment and storage medium

Also Published As

Publication number Publication date
CN110198297B (en) 2022-02-22

Similar Documents

Publication Publication Date Title
Volkova et al. Security challenges in control network protocols: A survey
Hong P2P networking based internet of things (IoT) sensor node authentication by Blockchain
CN110198297A (en) Data on flows monitoring method, device, electronic equipment and computer-readable medium
Strand Adaptive distributed firewall using intrusion detection
Šarac et al. Increasing privacy and security by integrating a blockchain secure interface into an IoT device security gateway architecture
Masoodi et al. Security & privacy threats, attacks and countermeasures in Internet of Things
Xiao et al. A survey of accountability in computer networks and distributed systems
Mishra et al. Software defined internet of things security: Properties, state of the art, and future research
Badra et al. Phishing attacks and solutions
Mohammed A hybrid framework for securing data transmission in Internet of Things (IoTs) environment using blockchain approach
Kloibhofer et al. LoRaWAN with HSM as a security improvement for agriculture applications
Liu Next generation SSH2 implementation: securing data in motion
US8583913B1 (en) Securely determining internet connectivity between networks
Joshi Network security: know it all
Narula et al. Novel Defending and Prevention Technique for Man‐in‐the‐Middle Attacks in Cyber‐Physical Networks
Yasinsac An environment for security protocol intrusion detection
Anderson Securing embedded linux
Furuya et al. Secure Web-based monitoring and control system
CN108881484A (en) A method of whether detection terminal can access internet
Badih et al. A Blockchain and Defensive Deception Co-design for Webcam Spyware Detection
Selvaraj et al. Security Vulnerabilities, Threats, and Attacks in IoT and Big Data: Challenges and Solutions
Al-Ibrahim et al. Cookie-less browsing
Paul et al. Denial of Service Attacks in the Internet of Things
Ullah et al. IoT security using Blockchain
Lau et al. Blockchain-Based Authentication for Network Infrastructure Security

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant