CN110198297B - Flow data monitoring method and device, electronic equipment and computer readable medium - Google Patents

Flow data monitoring method and device, electronic equipment and computer readable medium Download PDF

Info

Publication number
CN110198297B
CN110198297B CN201811166760.4A CN201811166760A CN110198297B CN 110198297 B CN110198297 B CN 110198297B CN 201811166760 A CN201811166760 A CN 201811166760A CN 110198297 B CN110198297 B CN 110198297B
Authority
CN
China
Prior art keywords
certificate
traffic data
server
data
packets
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201811166760.4A
Other languages
Chinese (zh)
Other versions
CN110198297A (en
Inventor
郭晶
胡珀
郑兴
杨勇
范宇河
唐文韬
曾智洋
董志成
罗喜军
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tencent Technology Shenzhen Co Ltd filed Critical Tencent Technology Shenzhen Co Ltd
Priority to CN201811166760.4A priority Critical patent/CN110198297B/en
Publication of CN110198297A publication Critical patent/CN110198297A/en
Application granted granted Critical
Publication of CN110198297B publication Critical patent/CN110198297B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101Access control lists [ACL]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/16Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]

Abstract

The disclosure relates to an abnormal flow data monitoring method, an abnormal flow data monitoring device, an electronic device and a computer readable medium. The method comprises the following steps: recombining data packets in the flow data to generate a plurality of types of packet packets; extracting a first type group package from the multiple types of group packages; extracting certificate and server name indication information from the first type group packet; and determining whether the traffic data is abnormal traffic data or not through the certificate and the server name indication information. The abnormal traffic data monitoring method, the abnormal traffic data monitoring device, the electronic equipment and the computer readable medium can detect advanced persistent threats in traffic data.

Description

Flow data monitoring method and device, electronic equipment and computer readable medium
Technical Field
The present disclosure relates to the field of computer information processing, and in particular, to a method and an apparatus for monitoring abnormal traffic data, an electronic device, and a computer readable medium.
Background
The threat faced by network information systems comes from many aspects and may change over time. The hacker can destroy, deceive and steal data information in an unauthorized manner by searching for the weakness of the network system. There are many artificial attack means for network, among them, APT attack (Advanced Persistent Threat) refers to an attack form of long-term Persistent network attack on a specific target by using Advanced attack means, and the principle of APT attack is more Advanced and Advanced than other attack forms, and its high level is mainly reflected in that APT needs to accurately collect the service flow of an attack object and a target system before attack is initiated. In the collecting process, the attack actively excavates the vulnerabilities of the trusted system and the application programs of the attacked objects, builds a network required by an attacker by utilizing the vulnerabilities, and attacks against the vulnerabilities which are not patched.
Therefore, a new abnormal flow data monitoring method, apparatus, electronic device and computer readable medium are needed.
The above information disclosed in this background section is only for enhancement of understanding of the background of the disclosure and therefore it may contain information that does not constitute prior art that is already known to a person of ordinary skill in the art.
Disclosure of Invention
In view of the above, the present disclosure provides a method, an apparatus, an electronic device, and a computer readable medium for monitoring abnormal traffic data, which can detect advanced persistent threats in the traffic data.
Additional features and advantages of the disclosure will be set forth in the detailed description which follows, or in part will be obvious from the description, or may be learned by practice of the disclosure.
According to an aspect of the present disclosure, a method for monitoring abnormal traffic data is provided, the method including: recombining data packets in the flow data to generate a plurality of types of packet packets; extracting a first type group package from the multiple types of group packages; extracting certificate and server name indication information from the first type group packet; and determining whether the traffic data is abnormal traffic data or not through the certificate and the server name indication information.
In an exemplary embodiment of the present disclosure, further comprising: and acquiring the flow data from the gateway in a mirror image light splitting mode.
In an exemplary embodiment of the present disclosure, the reassembly of the packets in the traffic data to generate the multi-type packet includes: and recombining the transmission control protocol data packets in the traffic data to generate a plurality of types of packet packets.
In an exemplary embodiment of the present disclosure, extracting the first type group package from the plurality of types of group packages includes: the secure transport layer protocol session group package is extracted from the plurality of types of package packages.
In an exemplary embodiment of the present disclosure, extracting a secured transport layer protocol session group package from a plurality of types of group packages comprises: extracting packet header information of various types of packets; and extracting the secure transport layer protocol session group package according to the packet header information.
In an exemplary embodiment of the present disclosure, extracting the certificate and the server name indication information from the first type group package includes: determining a customer greeting message in the first type group package through a predetermined document; and extracting server name indication information in the client hello message.
In an exemplary embodiment of the present disclosure, extracting the certificate and the server name indication information from the group package of the first type further includes: obtaining a server hello message associated with the client hello message; and extracting the certificate in the server hello message.
In an exemplary embodiment of the present disclosure, determining whether the traffic data is abnormal traffic data by the certificate and the server name indication information includes at least one of: when the certificate and the server name indication information are invalid fields, determining that the traffic data are abnormal traffic data; when the certificate chain verification of the certificate fails, determining that the traffic data is abnormal traffic data; and when the domain name in the server name indication information is not contained in the preset position, determining that the traffic data is abnormal traffic data.
In an exemplary embodiment of the present disclosure, when the certificate chain verification of the certificate fails, determining that the traffic data is abnormal traffic data includes: sequentially verifying each level of certificate in the certificate chain until a root certificate in the certificate chain; and when any stage of certificate fails to be verified in the verification process, determining that the traffic data is abnormal traffic data.
In an exemplary embodiment of the present disclosure, when the server name indication information is not contained in the predetermined location, determining that the traffic data is abnormal traffic data includes: and when the domain name in the server name indication information is not contained in the root certificate in the certificate chain, determining that the traffic data is abnormal traffic data.
According to an aspect of the present disclosure, an abnormal flow data monitoring apparatus is provided, the apparatus including: the recombination module is used for recombining the data packets in the flow data to generate a plurality of types of packet packets; the package extracting module is used for extracting a first type package from the multiple types of packages; the information extraction module is used for extracting the certificate and the server name indication information from the first type group package; and the abnormal judgment module is used for determining whether the flow data is abnormal flow data or not according to the certificate and the server name indication information.
According to an aspect of the present disclosure, an electronic device is provided, the electronic device including: one or more processors; storage means for storing one or more programs; when executed by one or more processors, cause the one or more processors to implement a method as above.
According to an aspect of the disclosure, a computer-readable medium is proposed, on which a computer program is stored, which program, when being executed by a processor, carries out the method as above.
According to the abnormal traffic data monitoring method, the abnormal traffic data monitoring device, the electronic equipment and the computer readable medium, advanced persistent threats in traffic data can be detected.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The above and other objects, features and advantages of the present disclosure will become more apparent by describing in detail exemplary embodiments thereof with reference to the attached drawings. The drawings described below are merely some embodiments of the present disclosure, and other drawings may be derived from those drawings by those of ordinary skill in the art without inventive effort.
Fig. 1 is a schematic diagram of an abnormal traffic data monitoring method in the prior art.
Fig. 2 is a system diagram illustrating a method and apparatus for monitoring abnormal traffic data according to an exemplary embodiment.
Fig. 3 is a schematic view of an application scenario of a method and an apparatus for monitoring abnormal traffic data according to an exemplary embodiment.
FIG. 4 is a flow chart illustrating a method of abnormal flow data monitoring in accordance with an exemplary embodiment.
FIG. 5 is a flow chart illustrating a method of abnormal flow data monitoring according to another exemplary embodiment.
Fig. 6 is a schematic diagram illustrating an abnormal flow data monitoring method according to another exemplary embodiment.
Fig. 7 is a flowchart illustrating a method of abnormal flow data monitoring according to another exemplary embodiment.
Fig. 8 is a block diagram illustrating an abnormal flow data monitoring apparatus according to an exemplary embodiment.
FIG. 9 is a block diagram illustrating an electronic device in accordance with an example embodiment.
FIG. 10 is a schematic diagram illustrating a computer-readable storage medium according to an example embodiment.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art. The same reference numerals denote the same or similar parts in the drawings, and thus, a repetitive description thereof will be omitted.
Furthermore, the described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the disclosure. One skilled in the relevant art will recognize, however, that the subject matter of the present disclosure can be practiced without one or more of the specific details, or with other methods, components, devices, steps, and so forth. In other instances, well-known methods, devices, implementations, or operations have not been shown or described in detail to avoid obscuring aspects of the disclosure.
The block diagrams shown in the figures are functional entities only and do not necessarily correspond to physically separate entities. I.e. these functional entities may be implemented in the form of software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor means and/or microcontroller means.
The flow charts shown in the drawings are merely illustrative and do not necessarily include all of the contents and operations/steps, nor do they necessarily have to be performed in the order described. For example, some operations/steps may be decomposed, and some operations/steps may be combined or partially combined, so that the actual execution sequence may be changed according to the actual situation.
It will be understood that, although the terms first, second, third, etc. may be used herein to describe various components, these components should not be limited by these terms. These terms are used to distinguish one element from another. Thus, a first component discussed below may be termed a second component without departing from the teachings of the disclosed concept. As used herein, the term "and/or" includes any and all combinations of one or more of the associated listed items.
It is to be understood by those skilled in the art that the drawings are merely schematic representations of exemplary embodiments, and that the blocks or processes shown in the drawings are not necessarily required to practice the present disclosure and are, therefore, not intended to limit the scope of the present disclosure.
The inventor of the present application finds that, as shown in fig. 1, the current APT attack detection strategy based on network traffic is mainly to actively scan vulnerabilities to discover the APT attack, and enterprises generally deploy firewalls and IDS at office gateways and server outlets to prevent the APT attack. And auditing the flow of the incoming and outgoing traffic, and judging whether malicious behaviors exist or not. Such as: auditing the log of surfing the Internet, setting an accessible white list, setting a flow strategy, setting a domain name blacklist, setting a black IP (Internet protocol) and the like, and judging whether the current network is abnormal or not. The method can be divided into the following means:
IDS (Intrusion-detection system, TCP layer traffic blacklist mode). An IDS is a network security device or application that can monitor network traffic or systems to check for suspicious activity or violations of corporate policies. When the detection result is detected, an alarm is sent out or active reaction measures are taken. The IDS method mainly creates a malware traffic policy blacklist by analyzing malware traffic behavior, such as a TCP (Transmission Control Protocol) packet that contains a certain character, a certain identifier, a certain segment of text, and the like. And (4) detecting whether malicious attack behaviors exist or not by analyzing the network flow of the TCP layer, and giving an alarm if a strategy is hit.
The method comprises the steps of threat intelligence IOC (Indicator of compliance mode), wherein the IOC is an Internet Data Center and provides a machine room environment, an Internet communication line and bandwidth resource, server hosting or leasing and related value added services, and the threat intelligence IOC is in a mode that APT strategy detection is carried out by analyzing malicious software or intelligence of various manufacturers, such as a black domain name, a black IP, a black URL or a file hash, and whether the known APT attack exists or not is judged by dynamically setting a domain name for monitoring access of a user or an IDC machine.
Firewall (white list mode). By setting an Access Control List (ACL), white List Control is performed, which only allows Access to a trusted website, preventing any possible threats, but causing inconvenience for users to Access the internet.
The implementation schemes for discovering the APT attack by the active scanning loopholes can not audit encrypted flow data. This is because the traditional IDS and firewall are directed to plaintext traffic, which can monitor plaintext or specially marked traffic, but cannot monitor and audit after encryption;
the several implementation schemes for actively scanning vulnerabilities to discover the APT attack belong to delayed and delayed detection, so that new attack behaviors cannot be discovered in time, because monitoring and detecting strategies depend on updating of security manufacturers, the updating has certain delay, and after a certain event is known, details of the monitoring and detecting strategies are published, and then the strategies are updated.
In view of the technical defects, the present application provides a method for monitoring abnormal traffic data, which aims at the characteristic that an SSL (Secure Sockets Layer) communication encryption channel is used in an APT attack process, and when an SSL encryption communication protocol is obtained in network traffic, corresponding SNI (Server Name Indication) and a certificate are obtained at the same time, and abnormal traffic monitoring is performed by checking the validity of the certificate and the matching condition of the SNI and the content in the certificate.
FIG. 2 is a system diagram illustrating a method of abnormal flow data monitoring, according to an exemplary embodiment.
As shown in fig. 2, the system architecture 200 may include terminal devices 201, 202, 203, a network 204, a traffic monitoring device 205, and a server 206. The network 204 serves as a medium for providing communication links between the terminal devices 201, 202, 203 and the traffic monitoring device 205, as well as the server 206. Network 204 may include various connection types, such as wired, wireless communication links, or fiber optic cables, to name a few.
The user may use the terminal devices 201, 202, 203 to interact with the traffic monitoring device 205, and the server 206, via the network 204, to receive or send messages, etc. The terminal devices 201, 202, 203 may have various communication client applications installed thereon, such as shopping applications, web browser applications, search applications, instant messaging tools, mailbox clients, social platform software, and the like.
The terminal devices 201, 202, 203 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smart phones, tablet computers, laptop portable computers, desktop computers, and the like.
The traffic monitoring device 205 may be, for example, a device having traffic mirroring and traffic splitting, and the traffic monitoring device 205 is configured to obtain traffic data of the terminal devices 201, 202, and 203.
The server 206 may obtain traffic data, for example, by the traffic monitoring device 205; server 206 may, for example, reassemble packets in the traffic data to generate multiple types of packets; the server 206 may extract a first type of group package, for example, from a plurality of types of group packages; the server 206 may extract the certificate and server name indication information, for example, from the first type group package; the server 206 may determine whether the traffic data is anomalous traffic data, e.g., from the certificate and the server name indication information.
The server 206 may be a physical server, or may be composed of a plurality of servers, for example, it should be noted that the abnormal traffic data monitoring method provided by the embodiment of the present disclosure may be executed by the server 206, and accordingly, the abnormal traffic data monitoring apparatus may be disposed in the server 206. And the web page end for providing web page browsing to the user is generally located in the terminal equipment 201, 202, 203.
Fig. 3 is a schematic view of an application scenario of a method and an apparatus for monitoring abnormal traffic data according to an exemplary embodiment.
The user accesses the network through the electronic equipment, and the network data of the user is transmitted to the Ethernet through the gateway. The abnormal flow data monitoring device can acquire flow data of users in the gateway in a mirror image light splitting mode and then process the flow data. And sending the processed data to a strategy center for judging abnormal flow, and further generating safety alarm information when judging that the flow book contains abnormality.
For example, according to the user identification information in the abnormal traffic data, further security protection processing may be performed on the electronic device used by the user, for example, temporarily cutting off the network behavior of the user, and the like, which is not limited in this application.
According to the abnormal traffic data monitoring method and device disclosed by the invention, the data packets in the traffic data are recombined to generate various types of packet packages; a first type group packet is extracted from a plurality of types of group packets, whether APT attack behavior exists in the network is judged in a mode that whether the traffic data is abnormal traffic data is determined through certificates and server name indication information in the first type group packet, and high-level persistent threat in the traffic data can be detected.
FIG. 4 is a flow chart illustrating a method of abnormal flow data monitoring in accordance with an exemplary embodiment. The abnormal flow data monitoring method 40 includes at least steps S402 to S408.
As shown in fig. 4, in S402, the packets in the traffic data are reassembled to generate packet packets of multiple types. The traffic data can be acquired from the gateway by means of traffic mirroring and traffic splitting.
In one embodiment, the traffic mirroring mode may be implemented by a gateway port mirroring mode, where port mirroring is a mode of copying a packet of a designated port (source port) to another port (destination port), the destination port is connected to other data monitoring devices, and the packet copied to the destination port is analyzed by the data monitoring devices to perform network monitoring and troubleshooting. In the embodiment of the present application, the direction bidirectional mirror image of the flow mirror image is an incoming direction flow mirror image and an outgoing direction flow mirror image. Ingress direction traffic mirroring refers to mirroring a message received from a source port; outbound direction traffic mirroring refers to mirroring only messages sent from a source port.
In one embodiment, the flow splitting mode can be realized by an optical splitter, which is a passive device and is also called an optical splitter. An optical splitter is a fiber-optic splicing device having multiple inputs and multiple outputs and is commonly used for coupling, branching, and distributing optical signals. In the network of the embodiment of the application, the optical splitter is used as a special probe for signaling monitoring, can collect original flow data, and is matched with a subsequent data processing system to assist in real-time monitoring and deep fault location of the network.
In one embodiment, reassembling the packets in the traffic data to generate the multi-type packets comprises: and recombining transmission control protocol data (TCP) packets in the traffic data to generate a plurality of types of packet packets. Since the data in the network is in the form of TCP packets, TCP is a connection-oriented, reliable, byte-stream-based transport-layer communication protocol. When data in the network is transmitted by the TCP protocol, the data is divided into data blocks that the TCP considers to be most suitable for transmission. Therefore, in the embodiment of the present application, after the network data is obtained, the TCP data packet in the network data needs to be reassembled first to recover the original data information.
General procedure for transmitting data according to TCP: after TCP sends a data block, it starts a timer to wait for the destination to acknowledge the data block. If an acknowledgement is not received in time, the data block is retransmitted. When TCP receives data sent from the other end of the TCP connection, it will send an acknowledgement. TCP will maintain a checksum of header and data, which is an end-to-end checksum, in order to detect any changes in the data during transmission. If the checksum of the received segment is in error, TCP will discard the segment and not acknowledge receipt of the segment. In the embodiment of the application, after the flow data is received, the data blocks received through the TCP protocol are reordered, the received data are ordered and recombined in a correct order, and the data after ordered and recombined are subjected to subsequent data analysis.
In one embodiment, the TCP underlying packets may be reassembled, for example. After the TCP packets are reassembled, for example, different types of packets can be generated, where the packets mainly include "destination IP address", "source IP address", and "payload data", and the packets include a packet header and a packet body, where the packet header is fixed, the length of the packet body is variable, the lengths of the fields are fixed, and the packet header structures of both request packets and reply packets are identical, and the difference is the definition of the packet body. The destination IP address is to specify to whom the packet is intended; the source IP address is where this packet originates; and payload data corresponds to specific content. Because the data packet has such a structure, the computers installed with the TCP/IP protocol can communicate with each other. Various users or network protocol parties have their own grouping rules, which should not be construed as a limitation in the present application.
As shown in fig. 4, in S404, a first type group packet is extracted from the plurality of types of group packets. The first type of group package may be, for example, a TLS group package.
According to the above, the characteristics of SSL for data encryption are utilized in the APT attack process, and the TLS packet containing SSL encryption related information is extracted for subsequent processing. SSL is a security protocol that provides security and data integrity for network communications. The SSL protocol is positioned between the TCP/IP protocol and various application layer protocols and provides safety support for data communication. The SSL protocol can be divided into two layers: SSL recording Protocol (SSL Record Protocol): the method is built on a reliable transmission protocol (such as TCP), and provides support for basic functions of data encapsulation, compression, encryption and the like for a higher-layer protocol. SSL Handshake Protocol (SSL Handshake Protocol): the method is established on an SSL recording protocol and used for carrying out identity authentication, encryption algorithm negotiation, encryption key exchange and the like on two communication parties before actual data transmission starts.
In one embodiment, extracting the secured transport layer protocol session group package from the plurality of types of group packages comprises: extracting packet header information of various types of packets; and extracting the secure transport layer protocol session group package according to the packet header information. A group package beginning with 1603 in the TCP file may be determined, for example, as a TLS group package.
Among them, the tls (transport Layer Security protocol) protocol aims to provide three basic guarantees for information transmission: encryption, authentication, and data integrity, TLS is an updated version of SSL.
As shown in fig. 4, in S406, the certificate and the server name indication information are extracted from the first type group package. The method comprises the following steps: determining a customer greeting message in the first type group package through a predetermined document; and extracting server name indication information in the client hello message.
The client and server need to negotiate the establishment of an encrypted channel before exchanging data via TLS. The negotiation content comprises: TLS version, encryption suite, and certificate verification if necessary. Each negotiation needs to be carried out back and forth between the client and the server, and the process of specifically establishing the encrypted channel is as follows:
a server authentication stage: 1) the client sends a start message 'client Hello' to the server to start a new session connection; 2) the server determines whether a new master key needs to be generated according to the information of the client, if so, the server responds to the information of the client Hello of the client through the server Hello, and the server contains the information required for generating the master key when responding to the information; 3) the client generates a master key according to the received server response information, encrypts the master key by using the public key of the server and transmits the encrypted master key to the server; 4) the server replies to the master key and returns a message to the client for authentication with the master key, thereby enabling the client to authenticate the server.
And a user authentication stage: before that, the server has passed the client authentication, which is mainly done for the client. The authenticated server sends a challenge to the client, which returns a (digitally) signed challenge and its public key, thereby providing authentication to the server.
In one embodiment, the client hello message in the first type group package is determined by a predetermined document, and the server name indication information is extracted from the client hello message, and the "client hello" packet can be identified by rfc (request For comments)5246 document. And according to the TLS packet structure, the Server Name Indication information (SIN) is taken out from the extensions _ Server _ Name field.
In one embodiment, extracting the certificate and server name indication information from the group package of the first type further comprises: obtaining a server hello message associated with the client hello message; and extracting the certificate in the server hello message. Through the access association, the server hello packet returned by the server is identified, and the certificate related information in the handshake can be extracted according to an RFC document.
As shown in fig. 4, in S408, it is determined whether the traffic data is abnormal traffic data by the certificate and the server name indication information. The traffic data may be determined to be abnormal traffic data, for example, when the certificate and the server name indication information are invalid fields; when the certificate chain verification of the certificate fails, determining that the traffic data is abnormal traffic data; and when the domain name in the server name indication information is not contained in the preset position, determining that the traffic data is abnormal traffic data.
In one embodiment, the certificate may be verified by detecting whether the certificate is valid, including whether the certificate is expired; it may also be possible to verify, for example, whether the destination server name is consistent with the certificate principal, in the domain name contained in the certificate subject; whether the traffic data is abnormal traffic data can also be judged by judging whether malicious characters exist in the certificate field or not.
In one embodiment, based on the above conditions, it is determined whether the destination address is an accessible domain name certificate list, or whether the destination address is malicious, such as by manual follow-up.
According to the abnormal traffic data monitoring method disclosed by the invention, by extracting the certificate and the server name indication information in the TLS package, whether the traffic data is the abnormal traffic data or not is further determined, whether APT (advanced persistent threat) attack behavior exists in the network or not can be judged, and high-level persistent threat in the traffic data can also be detected.
It should be clearly understood that this disclosure describes how to make and use particular examples, but the principles of this disclosure are not limited to any details of these examples. Rather, these principles can be applied to many other embodiments based on the teachings of the present disclosure.
In one embodiment, according to the TCP data reassembly protocol, the TCP layer receives the upper layer bulk message and then decomposes the upper layer bulk message into segments to be sent out. Except for the ethernet header value area, the Maximum Transmission Unit of the IP datagram is MTU (Maximum Transmission Unit, Effect of short board), which is 1500 for most local area networks using ethernet. In order to achieve the best transmission performance, the two parties negotiate the MSS value when establishing the TCP connection, and for example, the minimum value of the MSS values provided by the two parties may be determined as the maximum MSS value of the connection.
FIG. 5 is a flow chart illustrating a method of abnormal flow data monitoring according to another exemplary embodiment. The abnormal traffic data monitoring method 50 is a detailed description of "determining whether the traffic data is abnormal traffic data by the certificate and the server name indication information" in the abnormal traffic data monitoring method 40. The abnormal flow data monitoring method 50 may include steps S502 to S508.
In S502, the certificate and the server name indication information extracted from the first type group package are acquired. The TLS session group package may be extracted in the traffic data, for example, based on the header information.
In S504, when the certificate and the server name indication information are invalid fields, it is determined that the traffic data is abnormal traffic data. A certificate may be considered a valid field, for example, if the certificate field length is greater than 0, and an SNI may be considered a valid field if the SNI field length is greater than 0.
In one embodiment, the traffic data is considered as abnormal traffic data when the certificate field length is less than 0 or the SNI field length is less than 0.
In S506, when the certificate chain verification of the certificate fails, it is determined that the traffic data is abnormal traffic data. The method comprises the following steps: sequentially verifying each level of certificate in the certificate chain until a root certificate in the certificate chain; and when any stage of certificate fails to be verified in the verification process, determining that the traffic data is abnormal traffic data.
Authentication is an important component of establishing each TLS connection. After all, TLS can communicate with any end through an encrypted tunnel, including an attacker, all encryption work being invalid unless we can be sure that the party communicating with us is trusted. A certain host may be certified as authentic, for example by means of a certificate. A Certificate Authority (CA) is a trusted third party authority (owner) whose certificates are trustworthy. The Certificate Chains (The Certificate Chains) are a structure composed of a plurality of certificates in a hierarchy, The generation of digital certificates in The Certificate Chains is hierarchical, and a Certificate at a lower level needs a private key signature of a Certificate at an upper level. The latter is the certificate issuer of the former, that is, the subject name of the superior certificate is the issue name of the inferior certificate.
In one embodiment, a root certificate list may be maintained by data consolidation to a certificate authority, which may need to revoke or revoke the certificate, perhaps because the private key of the certificate is compromised, the certificate authority itself is compromised, or some other normal reason such as a certificate replacement, a change in the certificate issuing authority, etc. To address this problem, the certificate itself contains logic to check whether it has been revoked. Thus, to ensure that the chain of trust is not affected by an attack, each node may check the state of each certificate, along with the signature information.
As shown in fig. 6, in one embodiment, certificate chain verification requires the CA public key (public key) of the superior certificate to verify that there is a signature given to this certificate by the issuer. If the verification shows that the layer certificate is really issued by the upper CA, then whether the upper CA certificate is credible or not is continuously verified, and the multi-stage verification is carried out until the root certificate is credible.
In the specific certificate verification process, after some necessary information (object name, public key and private key) of a certificate applicant is obtained, a certificate issuer obtains a summary of the certificate content through decryption, and then encrypts the summary by using the own private key to obtain a digital signature. Existing information is synthesized to generate two certificates respectively comprising a public key and a private key.
For example, when verifying the validity of a certificate, the issuer's certificate can be searched layer by layer according to the contents in the certificate chain until the self-signed root certificate, and then the correctness of the next-stage digital signature is verified in turn by the corresponding public key.
In S508, when the domain name in the server name indication information is not included in the predetermined location, it is determined that the traffic data is abnormal traffic data.
In one embodiment, when the domain name in the server name indication information is not included in the root certificate in the certificate chain, the traffic data is determined to be abnormal traffic data. The method specifically comprises the following steps: according to the method, the certificate chain is split, and the information of the certificate fields of the user, the validity period, the issuer and the like of the first certificate is taken out. And judging whether the domain name of the SNI is in the domain names contained by the users of the top certificate, and if the domain name of the SNI is not in the domain names contained by the users of the top certificate, determining that the traffic data is abnormal traffic data.
Fig. 7 is a flowchart illustrating a method of abnormal flow data monitoring according to another exemplary embodiment. The abnormal flow data monitoring method 70 is an exemplary illustration of the overall process of the abnormal flow data monitoring method in the present application.
In S702, a TCP packet is acquired.
In S704, data processing acquires a TLS package.
In S706, the extraction certificate and the server name indication information are extracted.
In S708, it is determined whether or not the data traffic is abnormal traffic.
In S710, if the traffic is abnormal, push information is generated.
In S712, if the flow rate is normal, the subsequent processing is performed.
In S714, the detection is ended.
The network traffic data preprocessing can include data calculation, baseline processing, invalid data screening, encrypted data screening and the like.
The baseline processing is to compare the current internet traffic with historical contemporaneous internet traffic so as to preliminarily judge whether the current internet traffic has abnormal conditions.
The encrypted data screening may, for example, extract TLS session group packets.
In the face of malicious APT (android package) attack behaviors of SSL (secure socket layer) encryption, according to the abnormal traffic data monitoring method disclosed by the invention, suspicious APT attack behaviors in traffic can be analyzed by analyzing SSL encrypted traffic.
According to the abnormal traffic data monitoring method disclosed by the invention, abnormal access conditions in encrypted traffic can be actively discovered, the behaviors of using self-signed certificates or invalid and expired certificates in APT (android package) attack events can be identified, and in addition, the traffic of forged SSL (secure socket layer) communication can also be identified.
Those skilled in the art will appreciate that all or part of the steps implementing the above embodiments are implemented as computer programs executed by a CPU. When executed by the CPU, performs the functions defined by the above-described methods provided by the present disclosure. The program may be stored in a computer readable storage medium, which may be a read-only memory, a magnetic or optical disk, or the like.
Furthermore, it should be noted that the above-mentioned figures are only schematic illustrations of the processes involved in the methods according to exemplary embodiments of the present disclosure, and are not intended to be limiting. It will be readily understood that the processes shown in the above figures are not intended to indicate or limit the chronological order of the processes. In addition, it is also readily understood that these processes may be performed synchronously or asynchronously, e.g., in multiple modules.
The following are embodiments of the disclosed apparatus that may be used to perform embodiments of the disclosed methods. For details not disclosed in the embodiments of the apparatus of the present disclosure, refer to the embodiments of the method of the present disclosure.
Fig. 8 is a block diagram illustrating an abnormal flow data monitoring apparatus according to an exemplary embodiment. The abnormal flow data monitoring device 80 includes: a reorganization module 802, a package extraction module 804, an information extraction module 806, and an anomaly determination module 808.
The reassembly module 802 is configured to reassemble the data packets in the traffic data to generate multiple types of packet packets; the traffic data can be acquired from the gateway through a traffic mirror image and a traffic light splitting mode, and a Transmission Control Protocol (TCP) packet in the traffic data is recombined to generate a plurality of types of packet packets.
The group package extracting module 804 is used for extracting a first type group package from the multiple types of group packages; the first type of group package may be, for example, a TLS group package.
The information extraction module 806 is configured to extract the certificate and the server name indication information from the first type group package; the method comprises the following steps: determining a customer greeting message in the first type group package through a predetermined document; and extracting server name indication information in the client hello message.
The exception determining module 808 is configured to determine whether the traffic data is an exception traffic data according to the certificate and the server name indication information. The traffic data may be determined to be abnormal traffic data, for example, when the certificate and the server name indication information are invalid fields; when the certificate chain verification of the certificate fails, determining that the traffic data is abnormal traffic data; and when the domain name in the server name indication information is not contained in the preset position, determining that the traffic data is abnormal traffic data.
According to the abnormal traffic data monitoring device disclosed by the invention, by extracting the certificate and the server name indication information in the TLS package, whether the traffic data is the abnormal traffic data or not is further determined, whether APT (advanced persistent threat) attack behavior exists in the network or not can be judged, and high-level persistent threat in the traffic data can also be detected.
FIG. 9 is a block diagram illustrating an electronic device in accordance with an example embodiment.
An electronic device 900 according to this embodiment of the disclosure is described below with reference to fig. 9. The electronic device 900 shown in fig. 9 is only an example and should not bring any limitations to the functionality or scope of use of the embodiments of the present disclosure.
As shown in fig. 9, the electronic device 900 is embodied in the form of a general purpose computing device. Components of electronic device 900 may include, but are not limited to: at least one processing unit 910, at least one storage unit 920, a bus 930 connecting different system components (including the storage unit 920 and the processing unit 910), a display unit 940, and the like.
Wherein the storage unit stores program codes, which can be executed by the processing unit 910, so that the processing unit 910 performs the steps according to various exemplary embodiments of the present disclosure described in the above-mentioned electronic prescription flow processing method section of this specification. For example, the processing unit 910 may perform the steps shown in fig. 4, 5, and 7.
The storage unit 920 may include a readable medium in the form of a volatile storage unit, such as a random access memory unit (RAM)9201 and/or a cache memory unit 9202, and may further include a read only memory unit (ROM) 9203.
The memory unit 920 may also include a program/utility 9204 having a set (at least one) of program modules 9205, such program modules 9205 including but not limited to: an operating system, one or more application programs, other program modules, and program data, each of which, or some combination thereof, may comprise an implementation of a network environment.
Bus 930 can be any of several types of bus structures including a memory unit bus or memory unit controller, a peripheral bus, an accelerated graphics port, a processing unit, or a local bus using any of a variety of bus architectures.
The electronic device 900 may also communicate with one or more external devices 900' (e.g., keyboard, pointing device, bluetooth device, etc.), with one or more devices that enable a user to interact with the electronic device 900, and/or with any devices (e.g., router, modem, etc.) that enable the electronic device 900 to communicate with one or more other computing devices. Such communication may occur via input/output (I/O) interface 950. Also, the electronic device 900 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN) and/or a public network, such as the Internet) via the network adapter 960. The network adapter 960 may communicate with other modules of the electronic device 900 via the bus 930. It should be appreciated that although not shown, other hardware and/or software modules may be used in conjunction with the electronic device 900, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, or by software in combination with necessary hardware. Therefore, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a usb disk, a removable hard disk, etc.) or on a network, and includes several instructions to enable a computing device (which may be a personal computer, a server, or a network device, etc.) to execute the above method according to the embodiments of the present disclosure.
FIG. 10 schematically illustrates a computer-readable storage medium in an exemplary embodiment of the disclosure.
Referring to fig. 10, a program product 1000 for implementing the above method according to an embodiment of the present disclosure is described, which may employ a portable compact disc read only memory (CD-ROM) and include program code, and may be run on a terminal device, such as a personal computer. However, the program product of the present disclosure is not limited thereto, and in this document, a readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code for carrying out operations for the present disclosure may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C + + or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
The computer readable medium carries one or more programs which, when executed by a device, cause the computer readable medium to perform the functions of: recombining data packets in the flow data to generate a plurality of types of packet packets; extracting a first type group package from the multiple types of group packages; extracting certificate and server name indication information from the first type group packet; and determining whether the traffic data is abnormal traffic data or not through the certificate and the server name indication information.
Exemplary embodiments of the present disclosure are specifically illustrated and described above. It is to be understood that the present disclosure is not limited to the precise arrangements, instrumentalities, or instrumentalities described herein; on the contrary, the disclosure is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims.
In addition, the structures, the proportions, the sizes, and the like shown in the drawings of the present specification are only used for matching with the contents disclosed in the specification, so as to be understood and read by those skilled in the art, and are not used for limiting the limit conditions which the present disclosure can implement, so that the present disclosure has no technical essence, and any modification of the structures, the change of the proportion relation, or the adjustment of the sizes, should still fall within the scope which the technical contents disclosed in the present disclosure can cover without affecting the technical effects which the present disclosure can produce and the purposes which can be achieved. In addition, the terms "above", "first", "second" and "a" as used in the present specification are for the sake of clarity only, and are not intended to limit the scope of the present disclosure, and changes or modifications of the relative relationship may be made without substantial changes in the technical content.

Claims (10)

1. An abnormal flow data monitoring method is characterized by comprising the following steps:
recombining data packets in the flow data to generate a plurality of types of packet packets;
extracting a secure transport layer protocol session group package from the various types of group packages;
extracting server name indication information from a client hello message in the secure transport layer protocol session group package, wherein the client hello message is used for initiating a session connection in a server authentication phase;
identifying a server hello message associated with said secure transport layer protocol session group packet and said client hello message, and extracting credentials from said server hello message, wherein said server hello message is used to respond to said client hello message during a server authentication phase;
splitting the certificate chain of the certificate to obtain a root certificate of the certificate chain, and determining that the traffic data is abnormal traffic data when the domain name in the server name indication information is not included in the root certificate.
2. The method of claim 1, further comprising:
and acquiring the flow data from the gateway in a mirror image light splitting mode.
3. The method of claim 1, wherein reassembling the packets in the traffic data to generate the set of packets of multiple types comprises:
and recombining the transmission control protocol data packets in the traffic data to generate a plurality of types of packet packets.
4. The method of claim 1, wherein extracting secured transport layer protocol session group packets from group packets of multiple types comprises:
extracting packet header information of various types of packets; and
and extracting the secure transport layer protocol session group package according to the packet header information.
5. The method of claim 1, wherein extracting server name indication information from the client hello message in the secured transport layer protocol session group package comprises:
determining a customer greeting message in the first type group package through a predetermined document; and
server name indication information is extracted in the client hello message.
6. The method of claim 1, wherein the method further comprises:
when the certificate and the server name indication information are invalid fields, determining that the traffic data are abnormal traffic data;
or when the certificate chain verification of the certificate fails, determining that the traffic data is abnormal traffic data.
7. The method of claim 6, wherein upon a certificate chain validation failure of the certificate, determining that the traffic data is anomalous traffic data comprises:
sequentially verifying each level of certificate in the certificate chain until a root certificate in the certificate chain; and
and when the authentication of any stage of certificate fails in the authentication process, determining that the traffic data is abnormal traffic data.
8. An abnormal flow data monitoring apparatus, comprising:
the recombination module is used for recombining the data packets in the flow data to generate a plurality of types of packet packets;
the package extraction module is used for extracting the safe transport layer protocol session package from the various packages;
a first information extraction module, configured to extract server name indication information from a client hello message in the secure transport layer protocol session group package, where the client hello message is used to initiate a session connection in a server authentication phase;
a second information extraction module configured to identify a server hello message associated with the client hello message by the secure transport layer protocol session group package and extract a certificate from the server hello message, wherein the server hello message is used to respond to the client hello message during a server authentication phase;
and the abnormal judgment module is used for splitting the certificate chain of the certificate to obtain a root certificate of the certificate chain, and determining that the traffic data is abnormal traffic data when the domain name in the server name indication information is not contained in the root certificate.
9. An electronic device, comprising:
one or more processors;
storage means for storing one or more programs;
when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 1-7.
10. A computer-readable medium, on which a computer program is stored, which, when being executed by a processor, carries out the method according to any one of claims 1-7.
CN201811166760.4A 2018-10-08 2018-10-08 Flow data monitoring method and device, electronic equipment and computer readable medium Active CN110198297B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811166760.4A CN110198297B (en) 2018-10-08 2018-10-08 Flow data monitoring method and device, electronic equipment and computer readable medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811166760.4A CN110198297B (en) 2018-10-08 2018-10-08 Flow data monitoring method and device, electronic equipment and computer readable medium

Publications (2)

Publication Number Publication Date
CN110198297A CN110198297A (en) 2019-09-03
CN110198297B true CN110198297B (en) 2022-02-22

Family

ID=67751150

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811166760.4A Active CN110198297B (en) 2018-10-08 2018-10-08 Flow data monitoring method and device, electronic equipment and computer readable medium

Country Status (1)

Country Link
CN (1) CN110198297B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111291369B (en) * 2020-01-20 2022-05-20 北京无限光场科技有限公司 Information detection method and electronic equipment
CN113645176B (en) * 2020-05-11 2023-08-08 北京观成科技有限公司 Method and device for detecting fake flow and electronic equipment
CN113992410B (en) * 2021-10-28 2022-07-15 北京永信至诚科技股份有限公司 Private encrypted data identification method and system
CN113992699A (en) * 2021-10-28 2022-01-28 上海格尔安全科技有限公司 Cross-network full-flow data supervision method based on network card mirror image
CN114449064B (en) * 2022-01-26 2023-12-29 普联技术有限公司 Application identification method and device for TLS encrypted traffic and application identification equipment
CN115549980B (en) * 2022-09-13 2023-04-18 应急管理部大数据中心 Network flow auditing device and method for protocol re-editing
CN116471125B (en) * 2023-06-19 2023-09-08 杭州美创科技股份有限公司 Encryption database flow auditing method, device, computer equipment and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102571770A (en) * 2011-12-27 2012-07-11 北京神州绿盟信息安全科技股份有限公司 Man-in-the-middle attack detection method, device, server and system
CN103825887A (en) * 2014-02-14 2014-05-28 深信服网络科技(深圳)有限公司 Hypertext transfer protocol over secure socket layer (HTTPS) encryption-based web filtering method and system
CN104954315A (en) * 2014-03-24 2015-09-30 北京奇虎科技有限公司 Method and device capable of improving access security of secure socket layer
CN106603519A (en) * 2016-12-07 2017-04-26 中国科学院信息工程研究所 SSL/TLS encrypted malicious service discovery method based on certificate characteristic generalization and server change behavior
CN108156160A (en) * 2017-12-27 2018-06-12 杭州迪普科技股份有限公司 Connect method for building up and device

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102571770A (en) * 2011-12-27 2012-07-11 北京神州绿盟信息安全科技股份有限公司 Man-in-the-middle attack detection method, device, server and system
CN103825887A (en) * 2014-02-14 2014-05-28 深信服网络科技(深圳)有限公司 Hypertext transfer protocol over secure socket layer (HTTPS) encryption-based web filtering method and system
CN104954315A (en) * 2014-03-24 2015-09-30 北京奇虎科技有限公司 Method and device capable of improving access security of secure socket layer
CN106603519A (en) * 2016-12-07 2017-04-26 中国科学院信息工程研究所 SSL/TLS encrypted malicious service discovery method based on certificate characteristic generalization and server change behavior
CN108156160A (en) * 2017-12-27 2018-06-12 杭州迪普科技股份有限公司 Connect method for building up and device

Also Published As

Publication number Publication date
CN110198297A (en) 2019-09-03

Similar Documents

Publication Publication Date Title
CN110198297B (en) Flow data monitoring method and device, electronic equipment and computer readable medium
CN111567014B (en) Man-in-the-middle detection in HTTPS transactions
US7039713B1 (en) System and method of user authentication for network communication through a policy agent
CN109413201B (en) SSL communication method, device and storage medium
US8776238B2 (en) Verifying certificate use
EP3340566B1 (en) Identifying self-signed certificates using http access logs for malware detection
US10382562B2 (en) Verification of server certificates using hash codes
US20040098620A1 (en) System, apparatuses, methods, and computer-readable media using identification data in packet communications
US10715547B2 (en) Detecting “man-in-the-middle” attacks
CA2506418A1 (en) Systems and apparatuses using identification data in network communication
CN112699374A (en) Integrity checking vulnerability security protection method and system
El‐Hajj The most recent SSL security attacks: origins, implementation, evaluation, and suggested countermeasures
JP5186648B2 (en) System and method for facilitating secure online transactions
US11784993B2 (en) Cross site request forgery (CSRF) protection for web browsers
CN112968910B (en) Replay attack prevention method and device
CN110892695A (en) Method, device and computer program product for checking connection parameters of a password-protected communication connection during the establishment of a connection
Liu Next generation SSH2 implementation: securing data in motion
Joshi Network security: know it all
Sathyadevan et al. Portguard-an authentication tool for securing ports in an IoT gateway
Alturfi et al. A combination techniques of intrusion prevention and detection for cloud computing
KR20170096780A (en) System and method for interlocking of intrusion information
CN114448706A (en) Single package authorization method and device, electronic equipment and storage medium
Anderson Securing embedded linux
Vitale et al. Inmap-t: Leveraging TTCN-3 to test the security impact of intra network elements
Zaman et al. A Study of the Effects of Heartbleed Vulnerability in Bangladesh

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant