CN110404267A - A game cheat (plug-in) detection method based on HTTP traffic HOST field features - Google Patents
- Publication number
- CN110404267A
- Authority
- CN
- China
- Prior art keywords
- host
- layer
- plug
- data stream
- blacklist
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Classifications
-
- A—HUMAN NECESSITIES
- A63—SPORTS; GAMES; AMUSEMENTS
- A63F—CARD, BOARD, OR ROULETTE GAMES; INDOOR GAMES USING SMALL MOVING PLAYING BODIES; VIDEO GAMES; GAMES NOT OTHERWISE PROVIDED FOR
- A63F13/00—Video games, i.e. games using an electronically generated display having two or more dimensions
- A63F13/70—Game security or game management aspects
- A63F13/75—Enforcing rules, e.g. detecting foul play or generating lists of cheating players
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Multimedia (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Business, Economics & Management (AREA)
- General Business, Economics & Management (AREA)
- Computer And Data Communications (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The present invention provides a game cheat (plug-in) detection method based on HTTP traffic HOST field features. The method comprises the following steps: Step S1, a client at the Windows application layer creates a network filter driver at the driver layer; Step S2, a HOST blacklist is established, which stores the HOST domain name strings contained in the HTTP packets sent by cheats; Step S3, the network filter driver captures all TCP data packets at the data stream layer, parses the HOST domain name parameter from each TCP request packet, and compares it with the HOST blacklist; if the domain name parameter is identical to any domain name string in the HOST blacklist, the game player is determined to be using a cheat; Step S4, the process ID and process path of the cheat process are obtained from the flow context that passes from the Windows flow-established layer to the data stream layer, and this information is written to a cheat detection log file. The invention can efficiently detect the use of cheats with known HTTP traffic features and collect information about them.
Description
Technical field
The present invention relates to the fields of computer system communication technology, software security and game cheat detection, and in particular to a means of detecting game cheats and collecting cheat information based on HTTP traffic HOST field features, specifically a game cheat detection method based on HTTP traffic HOST field features.
Background
Existing cheat behaviour monitoring modules usually use detection methods based on process memory scanning, such as scanning a process's memory space to determine whether it contains cheat signature codes. There is currently no publicly disclosed cheat detection based on HTTP traffic HOST field features.
Cheats may bypass the existing game cheat monitoring schemes described above by using hidden processes, memory polymorphism and similar methods. The scheme described in this patent can monitor such cheat usage. In addition, this patent performs accurately and efficiently when applied to detecting cheats that have HTTP traffic HOST field features.
Explanation of technical terms:
The WFP filtering framework provided by Microsoft defines many layers along the path a network packet travels, for example: the FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4 layer (the flow-established layer), the FWPM_LAYER_STREAM_V4 layer (the data stream layer) and the FWPM_LAYER_DATAGRAM_DATA_V4 layer (the data packet layer). Because packets are encapsulated at the lower levels of the system according to different network protocols, the data captured at different layers differs. In this patent's scheme, the FWPM_LAYER_STREAM_V4 layer (data stream layer) can capture all TCP data packets, without the IP part. The FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4 layer (flow-established layer) can capture the authorized connection requests sent by processes; at this layer the sending and receiving process information, IP information and port information of a packet can be obtained.
WFP (Windows Filtering Platform) is a computing term for a Windows filtering platform used to filter network packets.
The Base Filtering Engine (BFE) is a user-mode service included with the Windows operating system that coordinates the WFP components. The main tasks BFE performs are adding filters to or removing them from the system, storing filter configuration, and enforcing WFP configuration security. Applications communicate with BFE through WFP management functions such as FwpmEngineOpen.
The HOST field in an HTTP packet identifies the domain name of the server.
Summary of the invention
To overcome the above problems, the object of the present invention is to provide a game cheat detection method based on HTTP traffic HOST field features. It is a covert means of monitoring cheat behaviour that can efficiently detect the use of cheats with known HTTP traffic features and collect information about them.
The present invention is realized by the following scheme: a game cheat detection method based on HTTP traffic HOST field features, comprising the following steps:
Step S1, a client at the Windows application layer creates a network filter driver at the driver layer;
Step S2, a HOST blacklist is established, which stores the HOST domain name strings contained in the HTTP packets sent by cheats;
Step S3, the network filter driver captures all TCP data packets at the data stream layer, parses the HOST domain name parameter from each TCP request packet, and compares it with the HOST blacklist; if the domain name parameter is identical to any domain name string in the HOST blacklist, the game player is determined to be using a cheat;
Step S4, the process ID and process path of the cheat process are obtained from the flow context that passes from the Windows flow-established layer to the data stream layer, and this information is written to a cheat detection log file.
Further, step S2 is specifically: while the network filter driver is being created, the HOST domain names that the cheat accesses during its network interaction are written into the network filter driver's file; the Windows application loads and starts the network filter driver; after the driver has started successfully, it initializes the HOST blacklist, and during initialization it inserts all HOST domain names written in the file into the HOST blacklist.
Further, the following steps are included between step S2 and step S3:
Step S21, the network filter driver uses the FwpmEngineOpen function to obtain a handle to the Base Filtering Engine (BFE), which is used as a parameter for subsequent operations;
Step S22, the network filter driver uses the FwpsCalloutRegister function to register the callback functions that monitor data at the data stream layer and the flow-established layer;
Step S23, the network filter driver uses the FwpmCalloutAdd function to request that BFE add the previously registered callback functions;
Step S24, the network filter driver uses the FwpmSubLayerAdd function to create sublayers at the data stream layer and the flow-established layer, for capturing data;
Step S25, the network filter driver uses the FwpmFilterAdd function to create, through BFE, packet filters at the data stream layer and the flow-established layer, and associates the callback functions with the sublayers; once the association is complete, when a sublayer captures a network packet the system calls the sublayer's corresponding callback function to process the packet; the callback function of the data stream layer handles TCP data packets; the callback function of the flow-established layer extracts the sending/receiving process ID and process path of the packet;
Step S26, when called by the system, the callback function of the flow-established layer first parses the process path and process ID of the network packet, saves this information into a flow context, and then uses the FwpsFlowAssociateContext function to associate the flow context with the data stream layer; the filter can pass the flow context across layers to the data stream layer.
Further, step S3 is specifically:
Step S31, when the callback function of the data stream layer is called, it checks whether the remote port of the packet is 80; if so, the packet is an HTTP TCP data packet and the method proceeds to step S32; otherwise the callback function returns;
Step S32, the callback function of the data stream layer parses the packet content according to the HTTP message format and extracts the HOST field string from the HTTP TCP data packet; it then traverses the HOST blacklist and compares the HOST field string with each blacklist entry; if a blacklist entry is identical to the HOST field string extracted from the TCP data packet, the player is determined to be using a cheat.
Further, step S4 is specifically: when the flow context passes from the Windows flow-established layer to the data stream layer, the callback function of the flow-established layer extracts the process path and process ID from the flow context, and then uses the ZwWriteFile function to write the remote IP, remote port, process ID and process path to the cheat detection log file.
Further, the callback function parses the packet content according to the HTTP message format and extracts the HOST field string from the HTTP TCP data packet through the following steps:
Step 1, using a string matching algorithm, search the HTTP TCP data packet for the string "Host:"; if it is absent, the procedure ends; if it is present, record the memory address of the first occurrence of "Host:" and set Start to the address of the byte that follows it;
Step 2, using byte-by-byte comparison, with Start as the starting point and the penultimate byte of the HTTP TCP data packet as the end point, search for "\x0d\x0a", i.e. two consecutive bytes holding '\x0d' and '\x0a' in that order; if it is not found, exit the HOST extraction procedure; otherwise set End to the byte preceding the memory address found;
Step 3, the data stored in memory from Start to End is the content of the HOST field of the HTTP TCP data packet.
The beneficial effects of the present invention are:
1. Using a behaviour blacklist mechanism, it can efficiently monitor the use of cheats with known HTTP traffic features and collect cheat information.
2. Kernel-level network filtering is used, so bypassing this detection with traditional application-layer API hook techniques becomes much harder for a cheat, which greatly increases the difficulty of counter-detection and counter-monitoring.
3. Most cheats are paid products and include a login module, so the scheme is very widely applicable and can be used to detect a large number of cheats.
4. The game cheat behaviour monitoring method of this patent is a covert means of monitoring cheat behaviour, which improves detection capability.
5. The invention provides a technical solution for extracting the HOST field from HTTP packets at the kernel level, which improves detection accuracy.
Brief description of the drawings
Fig. 1 is a schematic flowchart of the method of the invention.
Detailed description of embodiments
The present invention is further described below with reference to the accompanying drawing.
Referring to Fig. 1, the game cheat detection method based on HTTP traffic HOST field features of the present invention is built on Microsoft's WFP network filter driver framework: network filters are installed at the lower levels of the system to capture the network request behaviour of cheats. The method comprises the following steps:
Step S1, a client at the Windows application layer creates a network filter driver at the driver layer;
Step S2, a HOST blacklist is established, which stores the HOST domain name strings contained in the HTTP packets sent by cheats. Step S2 is specifically: while the network filter driver is being created, the HOST domain names that the cheat accesses during its network interaction are written into the network filter driver's file; the Windows application loads and starts the network filter driver; after the driver has started successfully, it initializes the HOST blacklist, and during initialization it inserts all HOST domain names written in the file into the HOST blacklist. In addition, every entry stored in the blacklist must be a feature unique to the cheat, i.e. programs other than the cheat do not exhibit this network access behaviour, or do so only with extremely low probability; otherwise there is a risk of false positives.
Step S3, the network filter driver captures all TCP data packets at the data stream layer (i.e. the FWPM_LAYER_STREAM_V4 layer), parses the HOST domain name parameter from each TCP request packet, and compares it with the HOST blacklist; if the domain name parameter is identical to any domain name string in the HOST blacklist, the game player is determined to be using a cheat.
Step S4, the process ID and process path of the cheat process are obtained from the flow context that passes from the Windows flow-established layer to the data stream layer, and this information is written to a cheat detection log file.
The following steps are included between step S2 and step S3:
Step S21, the network filter driver uses the FwpmEngineOpen function to obtain a handle to the Base Filtering Engine (BFE), which is used as a parameter for subsequent operations;
Step S22, the network filter driver uses the FwpsCalloutRegister function to register the callback functions that monitor data at the data stream layer and the flow-established layer;
Step S23, the network filter driver uses the FwpmCalloutAdd function to request that BFE add the previously registered callback functions;
Step S24, the network filter driver uses the FwpmSubLayerAdd function to create sublayers at the FWPM_LAYER_STREAM_V4 layer (data stream layer) and the FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4 layer (flow-established layer), for capturing data;
Step S25, the network filter driver uses the FwpmFilterAdd function to create, through BFE, filters at the data stream layer and the flow-established layer, and associates the callback functions with the sublayers; once the association is complete, when a sublayer captures a network packet the system calls the sublayer's corresponding callback function to process the packet; the callback function of the data stream layer handles TCP data packets; the callback function of the flow-established layer extracts the sending/receiving process ID and process path of the packet;
Step S26, when called by the system, the callback function of the flow-established layer first parses the process path and process ID of the network packet, saves this information into a flow context, and then uses the FwpsFlowAssociateContext function to associate the flow context with the data stream layer; the filter can pass the flow context across layers to the data stream layer. When the callback function of the FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4 layer (flow-established layer) processes a packet captured by the sublayer, the process path and process ID of that packet can be obtained by parsing the flow context.
Step S3 is specifically:
Step S31, when the callback function of the data stream layer is called, it checks whether the remote port of the packet is 80; if so, the packet is an HTTP TCP data packet and the method proceeds to step S32; otherwise the callback function returns;
Step S32, the callback function of the data stream layer parses the packet content according to the HTTP message format and extracts the HOST field string from the HTTP TCP data packet; it then traverses the HOST blacklist and compares the HOST field string with each blacklist entry; if a blacklist entry is identical to the HOST field string extracted from the TCP data packet, the player is determined to be using a cheat.
Step S4 is specifically: when the flow context passes from the Windows flow-established layer to the data stream layer, the callback function of the flow-established layer extracts the process path and process ID from the flow context, and then uses the ZwWriteFile function to write the remote IP, remote port, process ID and process path to the cheat detection log file.
The callback function parses the packet content according to the HTTP message format and extracts the HOST field string from the HTTP TCP data packet through the following steps:
Step 1, using a string matching algorithm, search the HTTP TCP data packet for the string "Host:"; if it is absent, the procedure ends; if it is present, record the memory address of the first occurrence of "Host:" and set Start to the address of the byte that follows it;
Step 2, using byte-by-byte comparison, with Start as the starting point and the penultimate byte of the HTTP TCP data packet as the end point, search for "\x0d\x0a", i.e. two consecutive bytes holding '\x0d' and '\x0a' in that order; if it is not found, exit the HOST extraction procedure; otherwise set End to the byte preceding the memory address found;
Step 3, the data stored in memory from Start to End is the content of the HOST parameter of the HTTP TCP data packet. For example, the position of the HOST parameter is shown in Table 1 below.
Table 1
Other data | "Host:" | HOST parameter | "\x0d\x0a" | Other data |
The string matching algorithm may be the KMP algorithm; other algorithms may also be used in practice. In this patent "HOST field" is also referred to as "HOST parameter": the two terms denote the same data object (the data segment that describes the HOST domain name in an HTTP packet), and "HOST parameter" replaces "HOST field" in some passages for ease of reading and understanding.
The implementation of this patent's scheme is further described below with reference to a specific embodiment:
Assume that game cheat A is cheat software that damages online game client C, a product of game company B. After its process starts, cheat A accesses "tools.cheat.com/key.txt" (the HOST parameter of this URL is "tools.cheat.com"); apart from cheat A, no other process makes the same network request. Game company B uses network filter driver D, developed according to this scheme, to detect whether a player is running cheat A, and thereby protects game client C.
1. After the player runs game client C, game client C automatically loads network filter driver D. Once loaded successfully, network filter driver D initializes the HOST blacklist and inserts into it the blacklist entry "tools.cheat.com", which is dedicated to detecting game cheat A.
2. Network filter driver D begins filtering network packets after completing a series of operations at the FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4 layer and the FWPM_LAYER_STREAM_V4 layer: registering callback functions, creating sublayers and enabling filters.
3. Assume that the player starts game cheat A while game client C is running. After starting successfully, cheat A attempts to access "tools.cheat.com/key.txt": it first sends a packet requesting a connection to the server at the domain name "tools.cheat.com", and after the server confirms the connection request it sends an HTTP TCP data packet whose HOST parameter is "tools.cheat.com".
4. After the filter at the FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4 layer (flow-established layer) captures the packet requesting a connection to the server, it extracts the information of the sending process from the incoming parameters, i.e. the process ID and process path of cheat A, saves this information into a flow context, and then uses the FwpsFlowAssociateContext function to associate the flow context with the FWPM_LAYER_STREAM_V4 layer. From this point on, when the FWPM_LAYER_STREAM_V4 layer (data stream layer) captures packets sent or received by cheat A, the process information of cheat A can be extracted from the flow context.
5. After the filter at the FWPM_LAYER_STREAM_V4 layer captures this TCP data packet, it checks whether the remote port number of the packet is 80; if the port number equals 80, the packet is an HTTP TCP data packet. Assume the content of the HTTP message is "xxxHost:tools.cheat.com'\x0d''\x0a'xxxxxx" (x represents unrelated data); the method then proceeds to step 7. Otherwise the callback function returns.
6. The callback function of the FWPM_LAYER_STREAM_V4 layer parses the packet content according to the HTTP message format. Parsing the HTTP packet yields the HOST parameter string "tools.cheat.com".
7. The callback function of the FWPM_LAYER_STREAM_V4 layer traverses the HOST blacklist and compares the HOST parameter string "tools.cheat.com" with each blacklist entry. When the comparison reaches the blacklist entry "tools.cheat.com", the two strings are equal, so this HTTP packet is determined to match a HOST blacklist rule, and the process that sent the packet is therefore determined to be a process created by game cheat A.
8. The FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4 layer extracts the process path and process ID of cheat A from the flow context, and then uses the ZwWriteFile function to write the process ID and process path to the cheat detection log file. This completes one successful detection of game cheat A.
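The following C sketch is an added example, not code from the patent: it runs steps S31/S32 and the three-step HOST extraction over a constructed request in user mode. The function names, the sample request and the normalisation it adds (header name matched at line start in any letter case, optional whitespace and an explicit ":port" suffix removed) are assumptions of this example; the blacklist entry is the one from the scenario above.

```c
/* Added example: portable user-mode C, not driver code and not from the patent. */
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed blacklist: the single entry from the page's worked scenario. */
static const char *const HOST_BLACKLIST[] = { "tools.cheat.com" };
#define BLACKLIST_LEN (sizeof HOST_BLACKLIST / sizeof HOST_BLACKLIST[0])

/* Case-insensitive match of n payload bytes against a lowercase literal. */
static int ieq(const uint8_t *p, const char *lit, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower(p[i]) != (unsigned char)lit[i])
            return 0;
    return 1;
}

/*
 * Steps 1-3 of the page: locate "Host:", scan to the next CR LF, and copy the
 * bytes in between. Returns the host length, or -1 if no complete Host header
 * is present in this segment or it does not fit in out.
 */
int extract_host(const uint8_t *buf, size_t len, char *out, size_t cap)
{
    static const char name[] = "host:";
    const size_t nlen = sizeof name - 1;
    size_t start = 0, end;
    int found = 0;

    /* Step 1 (hardened): header name at the start of a line, any letter case. */
    for (size_t i = 0; i + nlen <= len && !found; i++) {
        int line_start = i == 0 || (i >= 2 && buf[i - 2] == '\r' && buf[i - 1] == '\n');
        if (line_start && ieq(buf + i, name, nlen)) {
            start = i + nlen;   /* "Start": first byte after "Host:" */
            found = 1;
        }
    }
    if (!found)
        return -1;
    while (start < len && (buf[start] == ' ' || buf[start] == '\t'))
        start++;                /* optional whitespace after the colon */

    /* Step 2: look for "\x0d\x0a" between Start and the penultimate byte. */
    for (end = start; end + 1 < len; end++)
        if (buf[end] == '\r' && buf[end + 1] == '\n')
            break;
    if (end + 1 >= len)
        return -1;              /* header not terminated in this segment */
    while (end > start && (buf[end - 1] == ' ' || buf[end - 1] == '\t'))
        end--;

    /* Step 3: [Start, End) is the HOST value; normalise to lowercase. */
    size_t n = end - start;
    if (n == 0 || n >= cap)
        return -1;
    for (size_t i = 0; i < n; i++)
        out[i] = (char)tolower(buf[start + i]);
    out[n] = '\0';
    char *colon = strchr(out, ':');
    if (colon && out[0] != '[')
        *colon = '\0';          /* drop an explicit ":port" suffix */
    return (int)strlen(out);
}

/* S31 + S32: port gate, Host extraction, exact comparison with each entry. */
int check_segment(uint16_t remote_port, const uint8_t *buf, size_t len,
                  char *host, size_t cap)
{
    host[0] = '\0';
    if (remote_port != 80)
        return 0;               /* S31: only port 80 is treated as HTTP */
    if (extract_host(buf, len, host, cap) < 0)
        return 0;
    for (size_t i = 0; i < BLACKLIST_LEN; i++)
        if (strcmp(host, HOST_BLACKLIST[i]) == 0)
            return 1;           /* S32: blacklist hit */
    return 0;
}

/* Convenience wrapper for NUL-terminated sample requests. */
int check_request(uint16_t remote_port, const char *req, char *host, size_t cap)
{
    return check_segment(remote_port, (const uint8_t *)req, strlen(req), host, cap);
}

int main(void)
{
    /* Constructed request matching the page's scenario (cheat A fetching key.txt). */
    const char *req = "GET /key.txt HTTP/1.1\r\nHost: tools.cheat.com\r\n\r\n";
    char host[256];
    int hit = check_request(80, req, host, sizeof host);
    printf("host=%s blacklisted=%d\n", host, hit);
    return 0;
}
```

A stream-layer callout sees the payload as segments, so a Host header that straddles two segments returns -1 here; a driver built this way would need to buffer per flow before parsing.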
The foregoing is merely a preferred embodiment of the present invention; all equivalent changes and modifications made within the scope of the claims of the present invention are covered by the present invention.
Claims (6)
1. A game cheat detection method based on HTTP traffic HOST field features, characterized in that the method comprises the following steps:
Step S1, a client at the Windows application layer creates a network filter driver at the driver layer;
Step S2, a HOST blacklist is established, which stores the HOST domain name strings contained in the HTTP packets sent by cheats;
Step S3, the network filter driver captures all TCP data packets at the data stream layer, parses the HOST domain name parameter from each TCP request packet, and compares it with the HOST blacklist; if the domain name parameter is identical to any domain name string in the HOST blacklist, the game player is determined to be using a cheat;
Step S4, the process ID and process path of the cheat process are obtained from the flow context that passes from the Windows flow-established layer to the data stream layer, and this information is written to a cheat detection log file.
2. The game cheat detection method based on HTTP traffic HOST field features according to claim 1, characterized in that step S2 is specifically: while the network filter driver is being created, the HOST domain names that the cheat accesses during its network interaction are written into the network filter driver's file; the Windows application loads and starts the network filter driver; after the driver has started successfully, it initializes the HOST blacklist, and during initialization it inserts all HOST domain names written in the file into the HOST blacklist.
3. The game cheat detection method based on HTTP traffic HOST field features according to claim 1, characterized in that the following steps are included between step S2 and step S3:
Step S21, the network filter driver uses the FwpmEngineOpen function to obtain a handle to the Base Filtering Engine (BFE), which is used as a parameter for subsequent operations;
Step S22, the network filter driver uses the FwpsCalloutRegister function to register the callback functions that monitor data at the data stream layer and the flow-established layer;
Step S23, the network filter driver uses the FwpmCalloutAdd function to request that BFE add the previously registered callback functions;
Step S24, the network filter driver uses the FwpmSubLayerAdd function to create sublayers at the data stream layer and the flow-established layer, for capturing data;
Step S25, the network filter driver uses the FwpmFilterAdd function to create, through BFE, filters at the data stream layer and the flow-established layer, and associates the callback functions with the sublayers; once the association is complete, when a sublayer captures a network packet the system calls the sublayer's corresponding callback function to process the packet; the callback function of the data stream layer handles TCP data packets; the callback function of the flow-established layer extracts the sending/receiving process ID and process path of the packet;
Step S26, when called by the system, the callback function of the flow-established layer first parses the process path and process ID of the network packet, saves this information into a flow context, and then uses the FwpsFlowAssociateContext function to associate the flow context with the data stream layer; the filter can pass the flow context across layers to the data stream layer.
4. The game cheat detection method based on HTTP traffic HOST field features according to claim 3, characterized in that step S3 is specifically:
Step S31, when the callback function of the data stream layer is called, it checks whether the remote port of the packet is 80; if so, the packet is an HTTP TCP data packet and the method proceeds to step S32; otherwise the callback function returns;
Step S32, the callback function of the data stream layer parses the packet content according to the HTTP message format and extracts the HOST field string from the HTTP TCP data packet; it then traverses the HOST blacklist and compares the HOST field string with each blacklist entry; if a blacklist entry is identical to the HOST field string extracted from the TCP data packet, the player is determined to be using a cheat.
5. The game cheat detection method based on HTTP traffic HOST field features according to claim 3, characterized in that step S4 is specifically: when the flow context passes from the Windows flow-established layer to the data stream layer, the callback function of the flow-established layer extracts the process path and process ID from the flow context, and then uses the ZwWriteFile function to write the remote IP, remote port, process ID and process path to the cheat detection log file.
6. The game cheat detection method based on HTTP traffic HOST field features according to claim 4, characterized in that the callback function parses the packet content according to the HTTP message format and extracts the HOST field string from the HTTP TCP data packet through the following steps:
Step 1, using a string matching algorithm, search the HTTP TCP data packet for the string "Host:"; if it is absent, the procedure ends; if it is present, record the memory address of the first occurrence of "Host:" and set Start to the address of the byte that follows it;
Step 2, using byte-by-byte comparison, with Start as the starting point and the penultimate byte of the HTTP TCP data packet as the end point, search for "\x0d\x0a", i.e. two consecutive bytes holding '\x0d' and '\x0a' in that order; if it is not found, exit the HOST extraction procedure; otherwise set End to the byte preceding the memory address found;
Step 3, the data stored in memory from Start to End is the content of the HOST field of the HTTP TCP data packet.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910765984.5A CN110404267A (en) | 2019-08-19 | 2019-08-19 | A game cheat detection method based on HTTP traffic HOST field features |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910765984.5A CN110404267A (en) | 2019-08-19 | 2019-08-19 | A kind of plug-in detection method of game based on HTTP flow HOST field feature |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110404267A true CN110404267A (en) | 2019-11-05 |
Family
ID=68368017
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910765984.5A Withdrawn CN110404267A (en) | 2019-08-19 | 2019-08-19 | A kind of plug-in detection method of game based on HTTP flow HOST field feature |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110404267A (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111722979A (en) * | 2020-06-10 | 2020-09-29 | 北京百度网讯科技有限公司 | Quality monitoring method, quality monitoring device, server and storage medium |
CN112995145A (en) * | 2021-02-05 | 2021-06-18 | 中国科学院信息工程研究所 | HTTP traffic analysis processing method and system for DPI application and storage medium |
2019
- 2019-08-19 CN CN201910765984.5A patent/CN110404267A/en not_active Withdrawn
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111722979A (en) * | 2020-06-10 | 2020-09-29 | 北京百度网讯科技有限公司 | Quality monitoring method, quality monitoring device, server and storage medium |
CN111722979B (en) * | 2020-06-10 | 2024-02-13 | 北京百度网讯科技有限公司 | Quality monitoring method, quality monitoring device, server and storage medium |
CN112995145A (en) * | 2021-02-05 | 2021-06-18 | 中国科学院信息工程研究所 | HTTP traffic analysis processing method and system for DPI application and storage medium |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN101437032B (en) | System for monitoring VOIP voice quality based on SIP protocol and detection method thereof | |
US8065722B2 (en) | Semantically-aware network intrusion signature generator | |
CN106330584B (en) | A kind of recognition methods of Business Stream and identification device | |
CN103139315A (en) | Application layer protocol analysis method suitable for home gateway | |
KR20000057209A (en) | Method and apparatus for automated network-wide surveillance and security breach intervention | |
CN101360019A (en) | Detection method, system and apparatus of zombie network | |
CN112039904A (en) | Network traffic analysis and file extraction system and method | |
CN105103496A (en) | System and method for extracting and preserving metadata for analyzing network communications | |
CN110404267A (en) | A kind of plug-in detection method of game based on HTTP flow HOST field feature | |
WO2009115034A1 (en) | Method, system and apparatus for detecting protocol message | |
CN110768875A (en) | Application identification method and system based on DNS learning | |
CN107666486A (en) | A kind of network data flow restoration methods and system based on message protocol feature | |
CN109818970A (en) | A kind of data processing method and device | |
CN106789242A (en) | A kind of identification application intellectual analysis engine based on mobile phone client software behavioral characteristics storehouse | |
CN109474485A (en) | Method, system and storage medium based on network traffic information detection Botnet | |
CN100493065C (en) | Method for using immediate information software by data detection network address switching equipment | |
CN110368695A (en) | A kind of plug-in detection method of game based on HTTP flow URI feature | |
CN101321097A (en) | Tencent network living broadcast business recognition method based on payload depth detection | |
CN113542311B (en) | Method for detecting and backtracking defect host in real time | |
CN101582880B (en) | Method and system for filtering messages based on audited object | |
CN110507995A (en) | A kind of plug-in behavior monitoring method of game based on HTTP flow HOST field feature | |
CN105792265B (en) | Malicious traffic stream detection method and system, monitor supervision platform | |
CN111865724B (en) | Information acquisition control implementation method for video monitoring equipment | |
CN110465094A (en) | A kind of plug-in detection method of game based on IP port diagnostic | |
JP3648520B2 (en) | Network communication monitoring / control method, monitoring / control apparatus using the same, and computer-readable recording medium recording network communication monitoring / control program |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| WW01 | Invention patent application withdrawn after publication | Application publication date: 20191105 |