CN111200666A - Method and system for identifying access domain name - Google Patents


Publication number
CN111200666A
Authority
CN
China
Prior art keywords
domain name
name
cache entry
dns cache
server
Legal status
Pending
Application number
CN201811381022.1A
Other languages
Chinese (zh)
Inventor
李文云
曹维华
叶玉剑
王晴
姜松
Current Assignee
China Telecom Corp Ltd
Original Assignee
China Telecom Corp Ltd
Application filed by China Telecom Corp Ltd
Priority to CN201811381022.1A
Publication of CN111200666A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Abstract

The disclosure provides a method and a system for identifying an access domain name, and relates to the technical field of communication. In this method, the server name in the SNI of an HTTPS message is parsed. If the SNI contains a server name, the server name is taken as the access domain name; otherwise, the DNS cache entries are queried and matched against the IP five-tuple in the IP message. If the DNS cache entries contain domain names matching the IP five-tuple, the matched domain name whose DNS cache entry timestamp differs least from the timestamp of the HTTPS message is selected as the access domain name. If the DNS cache entries contain no domain name matching the IP five-tuple, the domain name in the Connect field of the HTTPS message is looked up. If the domain name in the Connect field is found, it is taken as the access domain name. The present disclosure makes it possible to obtain the domain name accessed by a user.

Description

Method and system for identifying access domain name
Technical Field
The present disclosure relates to the field of communications technologies, and in particular, to a method and a system for identifying an access domain name.
Background
Currently, HTTPS (Hyper Text Transfer Protocol over Secure Socket Layer) employs SSL (Secure Sockets Layer)/TLS (Transport Layer Security) encryption. HTTPS encrypts both the request and response messages, so DPI (Deep Packet Inspection) cannot obtain the domain name accessed by the user by identifying the HTTPS header fields. As a result, the HTTPS traffic identified at present has a lower utilization value.
Disclosure of Invention
One technical problem that embodiments of the present disclosure solve is: a method for identifying a domain name for access is provided to obtain a domain name for access by a user.
According to an aspect of an embodiment of the present disclosure, there is provided a method for identifying an access domain name, including: parsing the server name in the Server Name Indication (SNI) of an HTTPS message; if a server name exists in the SNI, taking the server name as the access domain name; otherwise, querying Domain Name System (DNS) cache entries and matching the IP five-tuple in the IP message against the DNS cache entries; if a domain name matching the IP five-tuple exists in the DNS cache entries, selecting, from the matched domain names, the domain name with the smallest difference between the timestamp of its DNS cache entry and the timestamp of the HTTPS message as the access domain name; if no domain name matching the IP five-tuple exists in the DNS cache entries, searching for a domain name in the Connect field of the HTTPS message; and, if the domain name in the Connect field is found, taking the found domain name as the access domain name.
In some embodiments, the method further comprises: if the domain name in the Connect field is not found, obtaining the corresponding access domain name according to the destination IP address in the HTTPS message and the correspondence between IP addresses and domain names.
In some embodiments, the step of looking up the domain name in the Connect field in the HTTPS message comprises: in the handshake phase between the client and the server, intercepting the HTTPS message and reading the domain name in the Connect field of the HTTPS message.
In some embodiments, the IP quintuple comprises: source IP address, source port, destination IP address, destination port, and transport layer protocol.
According to another aspect of an embodiment of the present disclosure, there is provided a system for identifying an access domain name, including: a parsing unit, configured to parse the server name in the Server Name Indication (SNI) of an HTTPS message and, when a server name exists in the SNI, take the server name as the access domain name; a matching unit, configured to query Domain Name System (DNS) cache entries when no server name exists in the SNI, match the IP five-tuple in the IP packet against the DNS cache entries, and, when a domain name matching the IP five-tuple exists in the DNS cache entries, select from the matched domain names the domain name with the smallest difference between the timestamp of its DNS cache entry and the timestamp of the HTTPS packet as the access domain name; and a searching unit, configured to search for a domain name in the Connect field of the HTTPS message when no domain name matching the IP five-tuple exists in the DNS cache entries, and to take the found domain name as the access domain name when the domain name in the Connect field is found.
In some embodiments, the system further comprises: an obtaining unit, configured to obtain, when the domain name in the Connect field is not found, the corresponding access domain name according to the destination IP address in the HTTPS message and the correspondence between IP addresses and domain names.
In some embodiments, the lookup unit is configured to intercept the HTTPS packet and read a domain name in a Connect field of the HTTPS packet in a handshake phase between a client and a server.
In some embodiments, the IP quintuple comprises: source IP address, source port, destination IP address, destination port, and transport layer protocol.
According to another aspect of an embodiment of the present disclosure, there is provided a system for identifying an access domain name, including: a memory; and a processor coupled to the memory, the processor configured to perform the method as previously described based on instructions stored in the memory.
According to another aspect of embodiments of the present disclosure, there is provided a computer readable storage medium having stored thereon computer program instructions which, when executed by a processor, implement the steps of the method as previously described.
In the above method, the server name in the SNI of the HTTPS message is parsed. If the SNI contains a server name, the server name is taken as the access domain name; otherwise, the DNS cache entries are queried and matched against the IP five-tuple in the IP message. If the DNS cache entries contain domain names matching the IP five-tuple, the matched domain name whose DNS cache entry timestamp differs least from the timestamp of the HTTPS message is selected as the access domain name. If the DNS cache entries contain no domain name matching the IP five-tuple, the domain name in the Connect field of the HTTPS message is looked up. If the domain name in the Connect field is found, it is taken as the access domain name. By this method, the domain name accessed by the user can be obtained.
Other features of the present disclosure and advantages thereof will become apparent from the following detailed description of exemplary embodiments thereof, which proceeds with reference to the accompanying drawings.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments of the disclosure and together with the description, serve to explain the principles of the disclosure.
The present disclosure may be more clearly understood from the following detailed description, taken with reference to the accompanying drawings, in which:
FIG. 1 is a flow diagram illustrating a method for identifying an access domain name according to some embodiments of the present disclosure;
FIG. 2 is a flow diagram illustrating a method for identifying an access domain name according to further embodiments of the present disclosure;
FIG. 3 is a block diagram illustrating a system for identifying access domain names according to some embodiments of the present disclosure;
FIG. 4 is a block diagram illustrating a system for identifying visited domain names in accordance with further embodiments of the present disclosure;
FIG. 5 is a block diagram illustrating a system for identifying visited domain names according to further embodiments of the present disclosure.
Detailed Description
Various exemplary embodiments of the present disclosure will now be described in detail with reference to the accompanying drawings. It should be noted that: the relative arrangement of the components and steps, the numerical expressions, and numerical values set forth in these embodiments do not limit the scope of the present disclosure unless specifically stated otherwise.
Meanwhile, it should be understood that the sizes of the respective portions shown in the drawings are not drawn in an actual proportional relationship for the convenience of description.
The following description of at least one exemplary embodiment is merely illustrative in nature and is in no way intended to limit the disclosure, its application, or uses.
Techniques, methods, and apparatus known to those of ordinary skill in the relevant art may not be discussed in detail but are intended to be part of the specification where appropriate.
In all examples shown and discussed herein, any particular value should be construed as merely illustrative, and not limiting. Thus, other examples of the exemplary embodiments may have different values.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, further discussion thereof is not required in subsequent figures.
Fig. 1 is a flow diagram illustrating a method for identifying an access domain name according to some embodiments of the present disclosure. As shown in fig. 1, the method may include steps S102 to S110.
In step S102, the Server Name (Server Name) in the SNI (Server Name Indication) in the HTTPS message is analyzed.
For example, the DPI system may obtain the HTTPS message and parse the server name in the SNI in the HTTPS message. Here, the SNI is a set of fields (also referred to as a subset) in the HTTPS message. The SNI is exchanged during the handshake phase, before encryption has started, so the SNI in the HTTPS message can be parsed. If the server name exists in the SNI (i.e., the "yes" branch in the flow), the process proceeds to step S104; otherwise the process proceeds to step S106.
In step S104, the server name is used as the access domain name. That is, when a server name exists in the SNI, the server name is used as the access domain name.
In step S106, a DNS (Domain Name System) cache entry is queried, and an IP (Internet Protocol) quintuple in an IP packet is used to match the DNS cache entry.
For example, in the process of detecting traffic data of a network, the DPI system may intercept a DNS query packet, and may generate a DNS cache entry according to the DNS query packet. The DNS cache entry may include a correspondence of an IP address to a domain name. The DPI system can acquire the IP message in the network. The IP packet includes an IP quintuple. For example, the IP quintuple includes: source IP address, source port, destination IP address, destination port, and transport layer protocol.
The DPI system can query the DNS cache entry and use the IP five tuple in the IP packet to match the DNS cache entry. If so, i.e., if a domain name matching the IP five tuple exists in the DNS cache entry (e.g., a domain name matching the destination IP address in the IP five tuple), the process proceeds to step S108. Otherwise (i.e., if the DNS cache entry does not have a domain name that matches the IP five tuple), the process proceeds to step S110.
In step S108, a domain name with the smallest difference between the timestamp of the DNS cache entry and the timestamp of the HTTPS packet is selected from the matched domain names as an access domain name.
The DPI system may set a timestamp on each DNS cache entry, which may act as a timer: once it is exceeded, the entry may be considered invalid. Each DNS cache entry thus has a "time to live". This arrangement prevents a large number of invalid DNS cache entries from tying up system resources. The timestamp set by the DPI system is typically a statistically derived optimum or an empirical value.
In some embodiments, the same IP address may correspond to multiple domain names, and the IP address corresponding to the same domain name may also change. Therefore, in this step S108, a domain name with the smallest difference between the timestamp of the DNS cache entry and the timestamp of the HTTPS packet is selected from the plurality of matched domain names as the access domain name. That is, the timestamp of the selected DNS cache entry of the domain name is closest to the timestamp of the HTTPS packet, and the domain name is used as the access domain name. The inventor of the present disclosure finds that the selected matching domain name closest to the timestamp of the HTTPS packet is generally the access domain name.
In step S110, the domain name in the Connect field in the HTTPS message is searched for. If the domain name in the Connect field is found, the found domain name is taken as the access domain name.
In some embodiments, this step S110 may include: in the handshake phase between the client and the server, an HTTPS message (also referred to as an HTTPS packet) is intercepted and the domain name in the Connect field of the HTTPS message is read.
During the HTTPS interaction, the client and server need to go through a handshake phase at the start. Information such as keys is exchanged in the handshake phase, which uses plaintext. The message in the handshake phase may contain the Connect field. The DPI system can intercept the HTTPS packet directly, and since the domain name in the Connect field is plaintext in the handshake phase, the domain name can be read directly. The domain name may be used as the access domain name.
Thus far, a method for identifying an access domain name according to some embodiments of the present disclosure has been provided. In this method, the server name in the SNI of the HTTPS message is parsed. If the SNI contains a server name, the server name is taken as the access domain name; otherwise, the DNS cache entries are queried and matched against the IP five-tuple in the IP message. If the DNS cache entries contain domain names matching the IP five-tuple, the matched domain name whose DNS cache entry timestamp differs least from the timestamp of the HTTPS message is selected as the access domain name. If the DNS cache entries contain no domain name matching the IP five-tuple, the domain name in the Connect field of the HTTPS message is looked up. If the domain name in the Connect field is found, it is taken as the access domain name. By this method, the domain name accessed by the user can be obtained.
In addition, the method can acquire the domain name in real time by utilizing the message analysis function and the caching mechanism of the DPI, and avoids the problems of poor real-time performance and easy error caused by post analysis.
In some embodiments, the method may further comprise: if the domain name in the Connect field is not found, obtaining the corresponding access domain name according to the destination IP address in the HTTPS message and the correspondence between IP addresses and domain names.
For example, the DPI system may pre-store or learn a correspondence list of IP addresses and domain names. The DPI system compares the destination IP address with the list, and if the destination IP address exists in the list, the domain name corresponding to the destination IP address can be obtained, and the domain name is the access domain name. In this embodiment, the access domain name may also be obtained by matching the correspondence between the IP address and the domain name.
Fig. 2 is a flow diagram illustrating methods for identifying an access domain name according to further embodiments of the present disclosure. As shown in FIG. 2, the method may include steps S202-S214.
In step S202, the server name in the SNI in the HTTPS message is parsed. If a server name exists in the SNI, the process proceeds to step S204; otherwise the process proceeds to step S206.
In step S204, in the case where a server name exists in the SNI, the server name is taken as an access domain name.
In step S206, the DNS cache entries are queried, and the IP five-tuple in the IP packet is matched against them. If the DNS cache entries contain a domain name matching the IP five-tuple, the process proceeds to step S208; otherwise the process proceeds to step S110.
In step S208, a domain name with the smallest difference between the timestamp of the DNS cache entry and the timestamp of the HTTPS packet is selected from the matched domain names as an access domain name.
In step S210, the domain name in the Connect field in the HTTPS message is searched. If yes, i.e. if the domain name in the Connect field is found, the process goes to step S212; otherwise the process proceeds to step S214.
In step S212, the found domain name is used as the access domain name.
In step S214, when the domain name in the Connect field is not found, the corresponding access domain name is obtained according to the destination IP address in the HTTPS message and the correspondence between the IP address and the domain name.
It should be noted that what HTTPS encrypts is application-layer information, whereas the IP address is network-layer information and is not encrypted, so the DPI system can obtain the destination IP address in the HTTPS message.
Thus far, methods for identifying access domain names according to further embodiments of the present disclosure have been provided. The method can acquire the domain name in real time by using the message parsing function and the cache mechanism of the DPI system, and avoids the poor real-time performance and error-proneness of after-the-fact analysis. The method does not need to analyze the original traffic or introduce additional modules such as decryption. Therefore, the method is simple and easy to implement.
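The Fig. 2 flow (S202 to S214) as a runnable sketch; this is an added example, not code from the patent. The names `parse_sni`, `parse_connect`, `identify_domain` and `DnsEntry`, the 300-second entry lifetime, the reading of the "Connect field" as a plaintext HTTP CONNECT request line, and all sample hosts and addresses are assumptions made for illustration.

```python
import struct
from typing import List, NamedTuple, Optional, Tuple

class FiveTuple(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str

class DnsEntry(NamedTuple):
    ip: str        # address carried in the observed DNS answer
    domain: str    # name that was queried
    ts: float      # time the DPI system recorded the entry

def parse_sni(record: bytes) -> Optional[str]:
    """S202: return the host_name in a TLS ClientHello record, or None."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:   # handshake record, ClientHello
            return None
        pos = 5 + 4 + 2 + 32                          # record hdr, handshake hdr, version, random
        pos += 1 + record[pos]                        # session_id
        (n,) = struct.unpack_from("!H", record, pos)
        pos += 2 + n                                  # cipher_suites
        pos += 1 + record[pos]                        # compression_methods
        (ext_total,) = struct.unpack_from("!H", record, pos)
        pos += 2
        end = min(pos + ext_total, len(record))
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", record, pos)
            pos += 4
            if ext_type == 0:                         # server_name extension
                name_type = record[pos + 2]           # after the 2-byte list length
                (name_len,) = struct.unpack_from("!H", record, pos + 3)
                name = record[pos + 5 : pos + 5 + name_len]
                if name_type == 0 and name_len > 0 and len(name) == name_len:
                    return name.decode("ascii")
                return None
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass                                          # truncated or malformed: treat as no SNI
    return None

def parse_connect(line: Optional[bytes]) -> Optional[str]:
    """S210 (assumed form): host from 'CONNECT host:port HTTP/1.1'."""
    parts = line.split() if line else []
    if len(parts) >= 2 and parts[0] == b"CONNECT":
        return parts[1].rsplit(b":", 1)[0].decode("ascii", "replace") or None
    return None

def identify_domain(record: bytes, flow: FiveTuple, pkt_ts: float,
                    dns_cache: List[DnsEntry], connect_line: Optional[bytes] = None,
                    ip_map: Optional[dict] = None, ttl: float = 300.0
                    ) -> Tuple[Optional[str], str]:
    """Return (access domain name, step that produced it)."""
    sni = parse_sni(record)
    if sni:                                           # S204
        return sni, "sni"
    # S206: match on the destination IP of the five-tuple, skipping expired entries.
    live = [e for e in dns_cache if e.ip == flow.dst_ip and pkt_ts - e.ts <= ttl]
    if live:                                          # S208: closest timestamp wins
        return min(live, key=lambda e: abs(pkt_ts - e.ts)).domain, "dns-cache"
    host = parse_connect(connect_line)
    if host:                                          # S212
        return host, "connect"
    if ip_map and flow.dst_ip in ip_map:              # S214: static IP-to-domain list
        return ip_map[flow.dst_ip], "ip-map"
    return None, "unknown"

def build_client_hello(server_name: Optional[str]) -> bytes:
    """Constructed sample input: a minimal ClientHello, with or without SNI."""
    exts = b""
    if server_name:
        name = server_name.encode("ascii")
        sn = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
        exts = struct.pack("!HH", 0, len(sn)) + sn
    body = (b"\x03\x03" + bytes(32) + b"\x00"        # version, random, empty session_id
            + b"\x00\x02\x13\x01" + b"\x01\x00"       # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def demo() -> list:
    """Run each branch of the flow on constructed data."""
    flow = FiveTuple("10.0.0.5", 51000, "203.0.113.10", 443, "tcp")
    cache = [DnsEntry("203.0.113.10", "expired.example", 100.0),
             DnsEntry("203.0.113.10", "a.example", 900.0),
             DnsEntry("203.0.113.10", "b.example", 995.0),
             DnsEntry("198.51.100.7", "other.example", 999.0)]
    no_sni = build_client_hello(None)
    return [
        identify_domain(build_client_hello("shop.example"), flow, 1000.0, cache),
        identify_domain(no_sni, flow, 1000.0, cache),
        identify_domain(no_sni, flow, 1000.0, [], b"CONNECT tunnel.example:443 HTTP/1.1"),
        identify_domain(no_sni, flow, 1000.0, [], None, {"203.0.113.10": "static.example"}),
        identify_domain(no_sni, flow, 1000.0, []),
    ]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

Returning the step name alongside the domain lets downstream consumers weigh a DNS-cache or IP-list guess differently from a name read directly out of the handshake.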
Fig. 3 is a block diagram illustrating a system for identifying access domain names according to some embodiments of the present disclosure. For example, the system may be a DPI system.
In some embodiments, as shown in FIG. 3, the system may include a parsing unit 302, a matching unit 304, and a lookup unit 306.
The parsing unit 302 may be configured to parse a server name in an SNI in the HTTPS message, where the server name is used as an access domain name when the server name exists in the SNI.
The matching unit 304 may be configured to query a DNS cache entry when a server name does not exist in the SNI, match the DNS cache entry with an IP five-tuple in the IP packet, and select a domain name with a smallest difference between a timestamp of the DNS cache entry and a timestamp of the HTTPS packet from the matched domain names as an access domain name when a domain name matching the IP five-tuple exists in the DNS cache entry. For example, the IP quintuple may include: source IP address, source port, destination IP address, destination port, and transport layer protocol.
The searching unit 306 may be configured to search a domain name in a Connect field in the HTTPS message when the DNS cache entry does not have a domain name matching the IP five tuple, and use the searched domain name as the access domain name when the domain name in the Connect field is found.
Thus far, a system for identifying access domain names according to some embodiments of the present disclosure has been provided. Through the system, the domain name accessed by the user can be obtained. In addition, the system can acquire the domain name in real time by using a message parsing function and a cache mechanism, which solves the poor real-time performance and high error probability of after-the-fact analysis.
In some embodiments, the lookup unit 306 may be configured to intercept an HTTPS message and read a domain name in a Connect field of the HTTPS message during a handshake phase between a client and a server.
In some embodiments, as shown in fig. 3, the system may further include an acquisition unit 308. The obtaining unit 308 may be configured to, when the domain name in the Connect field is not found, obtain a corresponding access domain name according to the destination IP address in the HTTPS message and the correspondence between the IP address and the domain name.
Fig. 4 is a block diagram illustrating a system for identifying visited domain names according to further embodiments of the present disclosure. The system includes a memory 410 and a processor 420. Wherein:
The memory 410 may be a magnetic disk, flash memory, or any other non-volatile storage medium. The memory is used for storing instructions in the embodiments corresponding to fig. 1 and/or fig. 2.
Processor 420 is coupled to memory 410 and may be implemented as one or more integrated circuits, such as a microprocessor or microcontroller. The processor 420 is configured to execute instructions stored in the memory so that a domain name accessed by a user can be obtained.
In some embodiments, as also shown in FIG. 5, the system 500 includes a memory 510 and a processor 520. Processor 520 is coupled to memory 510 by a BUS 530. The system 500 may also be coupled to an external storage device 550 via a storage interface 540 for facilitating retrieval of external data, and may also be coupled to a network or another computer system (not shown) via a network interface 560, which will not be described in detail herein.
In this embodiment, the data instructions are stored in the memory and processed by the processor so that the domain name accessed by the user can be obtained.
In other embodiments, the present disclosure also provides a computer-readable storage medium on which computer program instructions are stored, the instructions implementing the steps of the method in the embodiment corresponding to fig. 1 and/or fig. 2 when executed by a processor. As will be appreciated by one skilled in the art, embodiments of the present disclosure may be provided as a method, apparatus, or computer program product. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present disclosure may take the form of a computer program product embodied on one or more computer-usable non-transitory storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present disclosure is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the disclosure. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Thus far, the present disclosure has been described in detail. Some details that are well known in the art have not been described in order to avoid obscuring the concepts of the present disclosure. It will be fully apparent to those skilled in the art from the foregoing description how to practice the presently disclosed embodiments.
The method and system of the present disclosure may be implemented in a number of ways. For example, the methods and systems of the present disclosure may be implemented by software, hardware, firmware, or any combination of software, hardware, and firmware. The above-described order for the steps of the method is for illustration only, and the steps of the method of the present disclosure are not limited to the order specifically described above unless specifically stated otherwise. Further, in some embodiments, the present disclosure may also be embodied as programs recorded in a recording medium, the programs including machine-readable instructions for implementing the methods according to the present disclosure. Thus, the present disclosure also covers a recording medium storing a program for executing the method according to the present disclosure.
Although some specific embodiments of the present disclosure have been described in detail by way of example, it should be understood by those skilled in the art that the foregoing examples are for purposes of illustration only and are not intended to limit the scope of the present disclosure. It will be appreciated by those skilled in the art that modifications may be made to the above embodiments without departing from the scope and spirit of the present disclosure. The scope of the present disclosure is defined by the appended claims.

Claims (10)

1. A method for identifying an access domain name, comprising:
parsing the server name in the Server Name Indication (SNI) of an HTTPS message;
if a server name exists in the SNI, taking the server name as the access domain name; otherwise, querying Domain Name System (DNS) cache entries and matching the IP five-tuple in the IP message against the DNS cache entries;
if a domain name matching the IP five-tuple exists in the DNS cache entries, selecting, from the matched domain names, the domain name with the smallest difference between the timestamp of its DNS cache entry and the timestamp of the HTTPS message as the access domain name;
if no domain name matching the IP five-tuple exists in the DNS cache entries, searching for a domain name in the Connect field of the HTTPS message; and
if the domain name in the Connect field is found, taking the found domain name as the access domain name.
2. The method of claim 1, further comprising:
if the domain name in the Connect field is not found, obtaining the corresponding access domain name according to the destination IP address in the HTTPS message and the correspondence between IP addresses and domain names.
3. The method of claim 1, wherein the step of looking up a domain name in a Connect field in the HTTPS message comprises:
in the handshake phase between the client and the server, intercepting the HTTPS message and reading the domain name in the Connect field of the HTTPS message.
4. The method of claim 1, wherein,
the IP quintuple includes: source IP address, source port, destination IP address, destination port, and transport layer protocol.
5. A system for identifying an access domain name, comprising:
a parsing unit, configured to parse the server name in the Server Name Indication (SNI) of an HTTPS message and, when a server name exists in the SNI, take the server name as the access domain name;
a matching unit, configured to query Domain Name System (DNS) cache entries when no server name exists in the SNI, match the IP five-tuple in the IP packet against the DNS cache entries, and, when a domain name matching the IP five-tuple exists in the DNS cache entries, select from the matched domain names the domain name with the smallest difference between the timestamp of its DNS cache entry and the timestamp of the HTTPS packet as the access domain name; and
a searching unit, configured to search for a domain name in the Connect field of the HTTPS message when no domain name matching the IP five-tuple exists in the DNS cache entries, and to take the found domain name as the access domain name when the domain name in the Connect field is found.
6. The system of claim 5, further comprising:
an obtaining unit, configured to obtain, when the domain name in the Connect field is not found, the corresponding access domain name according to the destination IP address in the HTTPS message and the correspondence between IP addresses and domain names.
7. The system of claim 5, wherein,
the searching unit is configured to intercept the HTTPS message and read the domain name in the Connect field of the HTTPS message during the handshake stage between the client and the server.
8. The system of claim 5, wherein,
the IP quintuple includes: source IP address, source port, destination IP address, destination port, and transport layer protocol.
9. A system for identifying an access domain name, comprising:
a memory; and
a processor coupled to the memory, the processor configured to perform the method of any of claims 1-4 based on instructions stored in the memory.
10. A computer-readable storage medium having stored thereon computer program instructions which, when executed by a processor, implement the steps of the method of any one of claims 1 to 4.
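The lookup order recited in claims 5 and 6, written out as an added Python example that is not part of the patent text. Assumptions: a DNS cache entry records the querying client, the domain and the resolved address; an entry matches a flow when client equals source IP and resolved address equals destination IP; the Connect field is modelled as an HTTP CONNECT request line. All names and sample values are constructed.

```python
from typing import NamedTuple, Optional

class FiveTuple(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str

class DnsCacheEntry(NamedTuple):   # assumed layout of one cached DNS answer
    client_ip: str
    domain: str
    answer_ip: str
    ts: float

class HttpsMessage(NamedTuple):
    flow: FiveTuple
    ts: float
    sni: Optional[str] = None           # server name from the ClientHello, if any
    connect_line: Optional[str] = None  # e.g. "CONNECT host:443 HTTP/1.1"

def connect_host(line):
    """Host part of a CONNECT request line; None if absent or malformed."""
    parts = (line or "").split()
    if len(parts) != 3 or parts[0] != "CONNECT":
        return None
    return parts[1].rsplit(":", 1)[0].strip("[]").lower() or None

def identify_access_domain(msg, dns_cache, ip_to_domain):
    """Return (domain, step_used); domain is None when every step fails."""
    if msg.sni:                                   # step 1: SNI present
        return msg.sni.lower(), "sni"
    # Step 2 (assumed match rule): ports and protocol are carried, not compared.
    hits = [e for e in dns_cache
            if e.client_ip == msg.flow.src_ip and e.answer_ip == msg.flow.dst_ip]
    if hits:                                      # closest timestamp wins
        return min(hits, key=lambda e: abs(e.ts - msg.ts)).domain, "dns_cache"
    host = connect_host(msg.connect_line)         # step 3: Connect field
    if host:
        return host, "connect"
    domain = ip_to_domain.get(msg.flow.dst_ip)    # step 4: IP-to-domain table
    return domain, "ip_map" if domain else "unresolved"

# Constructed sample data (documentation address ranges).
DNS_CACHE = [DnsCacheEntry("192.0.2.10", "old.example", "198.51.100.7", 100.0),
             DnsCacheEntry("192.0.2.10", "new.example", "198.51.100.7", 158.0)]
IP_MAP = {"203.0.113.9": "static.example"}
```

Returning the step that produced the name lets a consumer weight the result, since a DNS-cache or IP-table match is an inference about a shared address rather than a name taken from the connection itself.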
CN201811381022.1A 2018-11-20 2018-11-20 Method and system for identifying access domain name Pending CN111200666A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811381022.1A CN111200666A (en) 2018-11-20 2018-11-20 Method and system for identifying access domain name

Publications (1)

Publication Number Publication Date
CN111200666A (en) 2020-05-26

Family

ID=70746730

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811381022.1A Pending CN111200666A (en) 2018-11-20 2018-11-20 Method and system for identifying access domain name

Country Status (1)

Country Link
CN (1) CN111200666A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114244846A (en) * 2021-12-15 2022-03-25 山石网科通信技术股份有限公司 Flow message forwarding method and device, intermediate device and storage medium
CN114401246A (en) * 2021-12-27 2022-04-26 中国电信股份有限公司 Method and device for accessing domain name

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8326920B1 (en) * 2010-02-08 2012-12-04 Google Inc. Connection sharing
US20160006693A1 (en) * 2014-07-01 2016-01-07 Sophos Limited Deploying a security policy based on domain names
US20160255047A1 (en) * 2015-02-26 2016-09-01 Citrix Systems, Inc. Methods and systems for determining domain names and organization names associated with participants involved in secured sessions
US20170272470A1 (en) * 2016-03-16 2017-09-21 Affirmed Networks, Inc. Systems and methods for intelligent transport layer security
US20170374017A1 (en) * 2016-06-27 2017-12-28 Cisco Technology, Inc. Verification of server name in a proxy device for connection requests made using domain names

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114244846A (en) * 2021-12-15 2022-03-25 山石网科通信技术股份有限公司 Flow message forwarding method and device, intermediate device and storage medium
CN114244846B (en) * 2021-12-15 2024-02-09 山石网科通信技术股份有限公司 Flow message forwarding method and device, intermediate equipment and storage medium
CN114401246A (en) * 2021-12-27 2022-04-26 中国电信股份有限公司 Method and device for accessing domain name

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200526