CN111371700A - Traffic identification method and device applied to forward proxy environment - Google Patents


Publication number
CN111371700A
Authority
CN
China
Prior art keywords
traffic
target
port
proxy
destination port
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010166361.9A
Other languages
Chinese (zh)
Inventor
刘娜
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wuhan Sipuleng Technology Co Ltd
Wuhan Sipuling Technology Co Ltd
Original Assignee
Wuhan Sipuling Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Wuhan Sipuling Technology Co Ltd filed Critical Wuhan Sipuling Technology Co Ltd
Priority to CN202010166361.9A priority Critical patent/CN111371700A/en
Publication of CN111371700A publication Critical patent/CN111371700A/en
Pending legal-status Critical Current

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00 Traffic control in data switching networks
    • H04L47/10 Flow control; Congestion control
    • H04L47/24 Traffic characterised by specific attributes, e.g. priority or QoS
    • H04L47/2483 Traffic characterised by specific attributes, e.g. priority or QoS involving identification of individual flows
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00 Traffic control in data switching networks
    • H04L47/10 Flow control; Congestion control
    • H04L47/24 Traffic characterised by specific attributes, e.g. priority or QoS
    • H04L47/2475 Traffic characterised by specific attributes, e.g. priority or QoS for supporting traffic characterised by the type of applications
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/56 Provisioning of proxy services

Abstract

The embodiment of the application discloses a traffic identification method and device applied to a forward proxy environment. For HTTP proxy traffic, the method extracts the port number of the server that the client actually intends to access, so that the internet behavior management device can accurately identify the application corresponding to the traffic in an HTTP forward proxy environment.

Description

Traffic identification method and device applied to forward proxy environment
Technical Field
The present application relates to the field of network security technologies, and in particular, to a traffic identification method and apparatus applied to a forward proxy environment.
Background
Enterprises generally use internet behavior management devices to monitor the internet behavior of employees. The internet behavior management device identifies which application a client is using from the characteristics of the current traffic, and thereby monitors the client's internet behavior. The device stores an application feature library in advance; the library contains various applications and the traffic features corresponding to each application. During identification, the quintuple (five-tuple) information and the message characteristics of the current traffic are matched against the application feature library to obtain the corresponding application. The quintuple information comprises a source IP address, a source port, a destination IP address, a destination port and a transport layer protocol, where the destination port is the server port that the client wants to access.
At present, to protect intranet users, an enterprise usually only allows a client to access the external network through an HTTP (Hypertext Transfer Protocol) forward proxy. In this case, a client that wants to access content on an origin server sends a request addressed to the origin server to the proxy server; the proxy server forwards the request and, after obtaining the content, returns it to the client, which gives the client access to the external network.
When the client accesses the external network through an HTTP forward proxy, the traffic flowing through the internet behavior management device is encapsulated as HTTP proxy traffic, and the destination port of that traffic points to the proxy server. As a result, the internet behavior management device cannot accurately identify the traffic, that is, it cannot identify the application corresponding to the traffic.
Disclosure of Invention
In order to solve the problem that the internet behavior management device cannot accurately identify traffic due to the fact that a destination port of the HTTP proxy traffic points to a proxy server, the present application discloses a traffic identification method and apparatus applied to a forward proxy environment through the following embodiments.
In a first aspect, the application discloses a traffic identification method applied to a forward proxy environment, which comprises the following steps:
acquiring target traffic, wherein the target traffic is HTTP proxy traffic flowing through the internet behavior management device;
extracting HOST information from the message of the target traffic;
acquiring a real destination port of the target traffic according to the HOST information, wherein the real destination port is the real port of the server to be accessed by the client;
and identifying the application corresponding to the target traffic according to the real destination port and the message characteristics of the target traffic.
Optionally, the acquiring a real destination port of the target traffic according to the HOST information includes:
extracting the number following a preset symbol in the HOST information by using a regular expression;
setting the number as the real destination port of the target traffic.
Optionally, the acquiring the target traffic includes:
extracting TCP traffic from all traffic flowing through the internet behavior management device;
and filtering the target traffic from the TCP traffic according to preset generic HTTP proxy protocol features, wherein the target traffic is the TCP traffic conforming to the generic HTTP proxy protocol features, and the generic HTTP proxy protocol features comprise HTTP proxy message format features and HTTP proxy keyword features.
Optionally, before the acquiring, according to the HOST information, a real destination port of the target traffic, the method further includes:
acquiring and storing quintuple information of the target traffic, wherein the quintuple information comprises a source IP address, a source port, a proxy destination IP address, a proxy destination port and a transport layer protocol.
Optionally, after the acquiring, according to the HOST information, a real destination port of the target traffic, the method further includes:
updating the quintuple information according to the real destination port, wherein the updated quintuple information comprises the source IP address, the source port, the proxy destination IP address, the real destination port and the transport layer protocol.
In a second aspect, the present application discloses a traffic identification apparatus applied to a forward proxy environment, where the apparatus is used to carry out the traffic identification method applied to a forward proxy environment according to the first aspect of the present application, and the apparatus includes:
a traffic acquisition module, configured to acquire target traffic, wherein the target traffic is HTTP proxy traffic flowing through the internet behavior management device;
a HOST extraction module, configured to extract HOST information from the message of the target traffic;
a port acquisition module, configured to acquire a real destination port of the target traffic according to the HOST information, where the real destination port is the real port of the server to be accessed by the client;
and an identification module, configured to identify the application corresponding to the target traffic according to the real destination port and the message characteristics of the target traffic.
Optionally, the port acquisition module includes:
a regular extraction unit, configured to extract the number following a preset symbol in the HOST information by using a regular expression;
and a port acquisition unit, configured to set the number as the real destination port of the target traffic.
Optionally, the traffic acquisition module includes:
a TCP traffic extraction unit, configured to extract TCP traffic from all traffic flowing through the internet behavior management device;
and a filtering unit, configured to filter the target traffic from the TCP traffic according to preset generic HTTP proxy protocol features, wherein the target traffic is the TCP traffic conforming to the generic HTTP proxy protocol features, and the generic HTTP proxy protocol features comprise HTTP proxy message format features and HTTP proxy keyword features.
Optionally, the apparatus further comprises:
a quintuple storage module, configured to acquire and store quintuple information of the target traffic before the real destination port of the target traffic is acquired according to the HOST information, where the quintuple information includes a source IP address, a source port, a proxy destination IP address, a proxy destination port, and a transport layer protocol.
Optionally, the apparatus further comprises:
a quintuple updating module, configured to update the quintuple information according to the real destination port after the real destination port of the target traffic is acquired according to the HOST information, where the updated quintuple information includes the source IP address, the source port, the proxy destination IP address, the real destination port, and the transport layer protocol.
The embodiment of the application discloses a traffic identification method and device applied to a forward proxy environment. The method first acquires target traffic, namely HTTP proxy traffic flowing through an internet behavior management device; then extracts HOST information from the message of the target traffic; then acquires a real destination port of the target traffic according to the HOST information, the real destination port being the real port of the server to be accessed by the client; and finally identifies the application corresponding to the target traffic according to the real destination port and the message characteristics of the target traffic. For HTTP proxy traffic, the method extracts the port number of the server that the client actually intends to access, so that the internet behavior management device can accurately identify the application corresponding to the traffic in an HTTP forward proxy environment.
Drawings
In order to more clearly explain the technical solution of the present application, the drawings needed to be used in the embodiments will be briefly described below, and it is obvious to those skilled in the art that other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a schematic workflow diagram of a traffic identification method applied to a forward proxy environment according to an embodiment of the present application;
fig. 2 is a schematic view of a workflow for acquiring a target traffic in a traffic identification method applied to a forward proxy environment according to an embodiment of the present application;
fig. 3 is a schematic view of a workflow of acquiring a real destination port of a target traffic in a traffic identification method applied to a forward proxy environment according to an embodiment of the present application;
fig. 4 is a schematic workflow diagram of another traffic identification method applied to a forward proxy environment according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of a traffic identification apparatus applied in a forward proxy environment according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of another traffic identification apparatus applied to a forward proxy environment according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of another traffic identification apparatus applied to a forward proxy environment according to an embodiment of the present application.
Detailed Description
In order to solve the problem that the internet behavior management device cannot accurately identify traffic due to the fact that a destination port of the HTTP proxy traffic points to a proxy server, the present application discloses a traffic identification method and apparatus applied to a forward proxy environment through the following embodiments.
A first embodiment of the present application discloses a traffic identification method applied to a forward proxy environment. Referring to the workflow diagram shown in Fig. 1, the method includes:
Step S101: acquire target traffic, where the target traffic is HTTP proxy traffic flowing through the internet behavior management device.
In practice, the traffic flowing through the internet behavior management device generally includes TCP traffic and UDP traffic. Since HTTP is carried over TCP, in the embodiment of the present application HTTP proxy traffic is looked for only within the TCP traffic.
Referring to Fig. 2, acquiring the target traffic in step S101 includes:
Step S1011: extract TCP traffic from all traffic flowing through the internet behavior management device.
In practice, TCP traffic and UDP traffic are easily distinguished by their respective message characteristics, so the TCP traffic can be extracted from all the traffic.
Step S1012: filter the target traffic from the TCP traffic according to preset generic HTTP proxy protocol features, where the target traffic is the TCP traffic conforming to the generic HTTP proxy protocol features, and the generic HTTP proxy protocol features include HTTP proxy message format features and HTTP proxy keyword features.
When the client accesses the external network through an HTTP forward proxy, the traffic it generates is encapsulated as HTTP proxy traffic according to a fixed HTTP message format and with HTTP proxy keywords inserted. The HTTP proxy message format and the HTTP proxy keywords are generic and can be preset according to the current HTTP protocol. The target traffic can therefore be filtered from the TCP traffic according to the generic HTTP proxy protocol features.
Step S102: extract HOST information from the message of the target traffic.
Typically, the request header of the HTTP protocol contains a HOST field. By parsing the message content of the target traffic, the HOST information can be extracted from the first request packet of the message.
Step S103: acquire a real destination port of the target traffic according to the HOST information, where the real destination port is the real port of the server to be accessed by the client.
The HOST information generally includes a domain name and a port number, and the port number is that of the server the client wants to access. Extracting the port number from the HOST information therefore yields the real destination port of the target traffic.
Referring to Fig. 3, acquiring the real destination port of the target traffic according to the HOST information in step S103 includes:
Step S1031: extract the number following a preset symbol in the HOST information by using a regular expression.
A regular expression is a logical formula that operates on character strings and is generally used to retrieve and replace text matching a certain pattern (rule). A "regular string" is built from predefined specific characters and combinations of them, and expresses a filtering logic applied to a string. In the embodiment of the application, the regular expression filters the HOST information on the preset symbol and obtains the number following it; the preset symbol is a colon.
Step S1032: set the number as the real destination port of the target traffic.
As an example, assume the HOST information is www.baidu.com:80. According to the protocol specification, the content before the colon is the domain name and the content after the colon is the port number, so the regular expression extracts the number after the colon, which gives the real destination port of the target traffic.
Step S104: identify the application corresponding to the target traffic according to the real destination port and the message characteristics of the target traffic.
In one implementation, the second request packet in the target traffic message is matched against a preset application feature library according to the real destination port and the message characteristics of the target traffic, thereby identifying the application corresponding to the target traffic. The application feature library includes multiple applications and the traffic features corresponding to each application.
The application feature library also includes the preset generic HTTP proxy protocol features. On this basis, in step S1012 the target traffic can be filtered from all TCP traffic by matching the TCP traffic against the generic HTTP proxy protocol features in the application feature library.
Therefore, referring to Fig. 4, in the embodiment of the present application, before the target traffic is acquired, the method further includes:
Step S100: preset an application feature library, where the application feature library includes the generic HTTP proxy protocol features, multiple applications, and the traffic features corresponding to each application.
The embodiment of the application discloses a traffic identification method applied to a forward proxy environment. The method first acquires target traffic, namely HTTP proxy traffic flowing through an internet behavior management device; then extracts HOST information from the message of the target traffic; then acquires a real destination port of the target traffic according to the HOST information, the real destination port being the real port of the server to be accessed by the client; and finally identifies the application corresponding to the target traffic according to the real destination port and the message characteristics of the target traffic. For HTTP proxy traffic, the method extracts the port number of the server that the client actually intends to access, so that the internet behavior management device can accurately identify the application corresponding to the traffic in an HTTP forward proxy environment and thereby monitor the client's internet behavior.
Further, before the acquiring a real destination port of the target traffic according to the HOST information, the method further includes:
acquiring and storing quintuple information of the target traffic, where the quintuple information includes a source IP address, a source port, a proxy destination IP address, a proxy destination port and a transport layer protocol.
Further, after the acquiring a real destination port of the target traffic according to the HOST information, the method further includes:
updating the quintuple information according to the real destination port, where the updated quintuple information includes the source IP address, the source port, the proxy destination IP address, the real destination port and the transport layer protocol.
By storing and updating the quintuple information of the HTTP proxy traffic, the internet behavior management device obtains detailed information about the traffic, which facilitates monitoring of the client's internet behavior.
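The following Python sketch is an added example, not code from the patent: it walks steps S1012 to S103 and the quintuple update on constructed requests. The names (FiveTuple, identify_flow and so on), the concrete proxy features, the default of port 80 when HOST carries no port, and the IPv6-literal handling are assumptions that go beyond the patent text.

```python
import re
from dataclasses import dataclass, replace
from typing import Optional

# Assumed "generic HTTP proxy features": CONNECT, an absolute-form target,
# or a Proxy-* header keyword. The patent does not enumerate them.
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")
PROXY_KEYWORDS = re.compile(rb"\r\nProxy-(?:Connection|Authorization):", re.IGNORECASE)
HOST_HEADER = re.compile(rb"\r\nHost:[ \t]*([^\r\n]*?)[ \t]*\r\n", re.IGNORECASE)
# Host part is a bracketed IPv6 literal or a colon-free name; the port is optional.
HOST_PORT = re.compile(r"^(\[[0-9A-Fa-f:.]+\]|[^:\[\]\s]+)(?::(\d{1,5}))?$")


@dataclass(frozen=True)
class FiveTuple:
    src_ip: str
    src_port: int
    dst_ip: str    # proxy destination IP, unchanged by the update
    dst_port: int  # proxy port when stored, real destination port after the update
    proto: str = "TCP"


def _head(payload: bytes) -> bytes:
    """Request line plus headers only, so a body can never be mistaken for a header."""
    return payload.split(b"\r\n\r\n", 1)[0] + b"\r\n"


def is_http_proxy_request(payload: bytes) -> bool:
    """Step S1012: does the first request look like a request sent to a forward proxy?"""
    head = _head(payload)
    m = REQUEST_LINE.match(head)
    if not m:
        return False
    method, target = m.group(1), m.group(2)
    return (method == b"CONNECT"
            or target.lower().startswith(b"http://")
            or PROXY_KEYWORDS.search(head) is not None)


def extract_host(payload: bytes) -> Optional[str]:
    """Step S102: the HOST field, falling back to the CONNECT target if it is absent."""
    head = _head(payload)
    m = HOST_HEADER.search(head)
    if m and m.group(1):
        return m.group(1).decode("latin-1")
    rl = REQUEST_LINE.match(head)
    if rl and rl.group(1) == b"CONNECT":
        return rl.group(2).decode("latin-1")
    return None


def naive_port(host_info: str) -> Optional[int]:
    """Literal 'number after the colon': first colon that is followed by digits."""
    m = re.search(r":(\d+)", host_info)
    return int(m.group(1)) if m else None


def real_destination_port(host_info: str, default: int = 80) -> Optional[int]:
    """Step S103 with validation: anchored match, range check, default when no port."""
    m = HOST_PORT.match(host_info.strip())
    if not m:
        return None
    if m.group(2) is None:
        return default
    port = int(m.group(2))
    return port if 1 <= port <= 65535 else None


def identify_flow(flow: FiveTuple, first_request: bytes) -> Optional[FiveTuple]:
    """Return the updated quintuple for HTTP proxy traffic, or None for anything else."""
    if flow.proto != "TCP" or not is_http_proxy_request(first_request):
        return None
    host = extract_host(first_request)
    port = real_destination_port(host) if host else None
    return replace(flow, dst_port=port) if port is not None else None


# Constructed sample requests (not captured traffic).
CONNECT_REQ = (b"CONNECT mail.example.com:993 HTTP/1.1\r\n"
               b"Host: mail.example.com:993\r\n"
               b"Proxy-Connection: keep-alive\r\n\r\n")
GET_REQ = (b"GET http://www.example.com/index.html HTTP/1.1\r\n"
           b"Host: www.example.com\r\n\r\n")
DIRECT_REQ = b"GET /index.html HTTP/1.1\r\nHost: www.example.com:8080\r\n\r\n"

if __name__ == "__main__":
    stored = FiveTuple("10.0.0.5", 51544, "10.0.0.1", 3128)  # proxy listens on 3128
    for req in (CONNECT_REQ, GET_REQ, DIRECT_REQ):
        print(identify_flow(stored, req))
    print(naive_port("[2001:db8::1]:8443"), real_destination_port("[2001:db8::1]:8443"))
```

The anchored pattern matters when HOST holds an IPv6 literal: for `[2001:db8::1]:8443` the unanchored "number after the colon" search picks up a fragment of the address rather than the port.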
The following are embodiments of the apparatus of the present application for performing embodiments of the method of the present application. For details which are not disclosed in the device embodiments, reference is made to the method embodiments.
The second embodiment of the present application discloses a traffic identification apparatus applied to a forward proxy environment, where the apparatus is used to carry out the traffic identification method applied to a forward proxy environment according to the first embodiment of the present application. Referring to the apparatus structure diagram shown in Fig. 5, the apparatus includes:
A traffic acquisition module 10, configured to acquire target traffic, where the target traffic is HTTP proxy traffic flowing through the internet behavior management device.
A HOST extraction module 20, configured to extract HOST information from the message of the target traffic.
A port acquisition module 30, configured to acquire a real destination port of the target traffic according to the HOST information, where the real destination port is the real port of the server to be accessed by the client.
An identification module 40, configured to identify the application corresponding to the target traffic according to the real destination port and the message characteristics of the target traffic.
Further, referring to Fig. 6, the port acquisition module 30 includes:
A regular extraction unit 301, configured to extract, using a regular expression, the number following a preset symbol in the HOST information.
A port acquisition unit 302, configured to set the number as the real destination port of the target traffic.
The traffic acquisition module 10 includes:
A TCP traffic extraction unit 101, configured to extract TCP traffic from all traffic flowing through the internet behavior management device.
A filtering unit 102, configured to filter the target traffic from the TCP traffic according to preset generic HTTP proxy protocol features, where the target traffic is the TCP traffic conforming to the generic HTTP proxy protocol features, and the generic HTTP proxy protocol features include HTTP proxy message format features and HTTP proxy keyword features.
Further, the apparatus further comprises:
and a quintuple storage module, configured to obtain and store quintuple information of the target traffic before obtaining a real destination port of the target traffic according to the HOST information, where the quintuple information includes a source IP address, a source port, a proxy destination IP address, a proxy destination port, and a transport layer protocol.
Further, the apparatus further comprises:
and a quintuple updating module, configured to update the quintuple information according to the real destination port after the real destination port of the target traffic is acquired according to the HOST information, where the updated quintuple information includes the source IP address, the source port, the proxy destination IP address, the real destination port, and the transport layer protocol.
In the embodiment of the present application, referring to fig. 7, the apparatus further includes:
the feature library establishing module 50 is configured to preset an application feature library before obtaining the target traffic, where the application feature library includes a general HTTP proxy protocol feature, multiple applications, and a traffic feature corresponding to each application.
The present application has been described in detail with reference to specific embodiments and illustrative examples, but the description is not intended to limit the application. Those skilled in the art will appreciate that various equivalent substitutions, modifications or improvements may be made to the presently disclosed embodiments and implementations thereof without departing from the spirit and scope of the present disclosure, and these fall within the scope of the present disclosure. The protection scope of this application is subject to the appended claims.

Claims (10)

1. A traffic identification method applied to a forward proxy environment, characterized by comprising the following steps:
acquiring target traffic, wherein the target traffic is HTTP proxy traffic flowing through the internet behavior management device;
extracting HOST information from the message of the target traffic;
acquiring a real destination port of the target traffic according to the HOST information, wherein the real destination port is the real port of the server to be accessed by the client;
and identifying the application corresponding to the target traffic according to the real destination port and the message characteristics of the target traffic.
2. The method of claim 1, wherein the acquiring a real destination port of the target traffic according to the HOST information comprises:
extracting the number following a preset symbol in the HOST information by using a regular expression;
setting the number as the real destination port of the target traffic.
3. The method of claim 1, wherein the acquiring the target traffic comprises:
extracting TCP traffic from all traffic flowing through the internet behavior management device;
and filtering the target traffic from the TCP traffic according to preset generic HTTP proxy protocol features, wherein the target traffic is the TCP traffic conforming to the generic HTTP proxy protocol features, and the generic HTTP proxy protocol features comprise HTTP proxy message format features and HTTP proxy keyword features.
4. The method of claim 1, wherein before the acquiring a real destination port of the target traffic according to the HOST information, the method further comprises:
acquiring and storing quintuple information of the target traffic, wherein the quintuple information comprises a source IP address, a source port, a proxy destination IP address, a proxy destination port and a transport layer protocol.
5. The method of claim 4, wherein after the acquiring a real destination port of the target traffic according to the HOST information, the method further comprises:
updating the quintuple information according to the real destination port, wherein the updated quintuple information comprises the source IP address, the source port, the proxy destination IP address, the real destination port and the transport layer protocol.
6. A traffic identification apparatus applied to a forward proxy environment, wherein the apparatus is used to carry out the traffic identification method applied to a forward proxy environment according to any one of claims 1 to 5, and the apparatus comprises:
a traffic acquisition module, configured to acquire target traffic, wherein the target traffic is HTTP proxy traffic flowing through the internet behavior management device;
a HOST extraction module, configured to extract HOST information from the message of the target traffic;
a port acquisition module, configured to acquire a real destination port of the target traffic according to the HOST information, where the real destination port is the real port of the server to be accessed by the client;
and an identification module, configured to identify the application corresponding to the target traffic according to the real destination port and the message characteristics of the target traffic.
7. The apparatus of claim 6, wherein the port acquisition module comprises:
a regular extraction unit, configured to extract the number following a preset symbol in the HOST information by using a regular expression;
and a port acquisition unit, configured to set the number as the real destination port of the target traffic.
8. The apparatus of claim 6, wherein the traffic acquisition module comprises:
a TCP traffic extraction unit, configured to extract TCP traffic from all traffic flowing through the internet behavior management device;
and a filtering unit, configured to filter the target traffic from the TCP traffic according to preset generic HTTP proxy protocol features, wherein the target traffic is the TCP traffic conforming to the generic HTTP proxy protocol features, and the generic HTTP proxy protocol features comprise HTTP proxy message format features and HTTP proxy keyword features.
9. The apparatus of claim 6, further comprising:
a quintuple storage module, configured to acquire and store quintuple information of the target traffic before the real destination port of the target traffic is acquired according to the HOST information, where the quintuple information includes a source IP address, a source port, a proxy destination IP address, a proxy destination port, and a transport layer protocol.
10. The apparatus of claim 9, further comprising:
a quintuple updating module, configured to update the quintuple information according to the real destination port after the real destination port of the target traffic is acquired according to the HOST information, where the updated quintuple information includes the source IP address, the source port, the proxy destination IP address, the real destination port, and the transport layer protocol.
CN202010166361.9A 2020-03-11 2020-03-11 Traffic identification method and device applied to forward proxy environment Pending CN111371700A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010166361.9A CN111371700A (en) 2020-03-11 2020-03-11 Traffic identification method and device applied to forward proxy environment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010166361.9A CN111371700A (en) 2020-03-11 2020-03-11 Traffic identification method and device applied to forward proxy environment

Publications (1)

Publication Number Publication Date
CN111371700A true CN111371700A (en) 2020-07-03

Family

ID=71207235

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010166361.9A Pending CN111371700A (en) 2020-03-11 2020-03-11 Traffic identification method and device applied to forward proxy environment

Country Status (1)

Country Link
CN (1) CN111371700A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112003869A (en) * 2020-08-28 2020-11-27 国网重庆市电力公司电力科学研究院 Vulnerability identification method based on flow

Citations (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7161947B1 (en) * 2002-07-30 2007-01-09 Cisco Technology, Inc. Methods and apparatus for intercepting control and data connections
CN102938764A (en) * 2012-11-09 2013-02-20 北京神州绿盟信息安全科技股份有限公司 Application identification processing method and device
CN102984243A (en) * 2012-11-20 2013-03-20 杭州迪普科技有限公司 Automatic identification method and device applied to secure socket layer (SSL)
CN103051725A (en) * 2012-12-31 2013-04-17 华为技术有限公司 Application identification method, data mining method, device and system
US20140036697A1 (en) * 2012-07-31 2014-02-06 Sprint Communications Company L.P. Traffic Management of Third Party Applications
US20140188837A1 (en) * 2012-12-31 2014-07-03 Huawei Technologies Co., Ltd. Application Identification Method, and Data Mining Method, Apparatus, and System
US20140321290A1 (en) * 2013-04-30 2014-10-30 Hewlett-Packard Development Company, L.P. Management of classification frameworks to identify applications
US20150358171A1 (en) * 2014-06-06 2015-12-10 Cisco Technology, Inc. Dynamic Configuration of a Conference System with Distributed Media Agents
CN106534145A (en) * 2016-11-28 2017-03-22 北京天行网安信息技术有限责任公司 Application identification method and equipment
CN109104381A (en) * 2018-06-26 2018-12-28 东南大学 A kind of mobile application recognition methods based on third party's flow HTTP message
CN109617762A (en) * 2018-12-14 2019-04-12 南京财经大学 A method of mobile application is identified using network flow
CN110768933A (en) * 2018-07-27 2020-02-07 深信服科技股份有限公司 Network flow application identification method, system and equipment and storage medium
CN110784383A (en) * 2019-12-05 2020-02-11 南京邮电大学 Shadowsocks proxy network flow detection method, storage medium and terminal

Patent Citations (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7161947B1 (en) * 2002-07-30 2007-01-09 Cisco Technology, Inc. Methods and apparatus for intercepting control and data connections
US20140036697A1 (en) * 2012-07-31 2014-02-06 Sprint Communications Company L.P. Traffic Management of Third Party Applications
CN102938764A (en) * 2012-11-09 2013-02-20 北京神州绿盟信息安全科技股份有限公司 Application identification processing method and device
CN102984243A (en) * 2012-11-20 2013-03-20 杭州迪普科技有限公司 Automatic identification method and device applied to secure socket layer (SSL)
US20140188837A1 (en) * 2012-12-31 2014-07-03 Huawei Technologies Co., Ltd. Application Identification Method, and Data Mining Method, Apparatus, and System
WO2014101402A1 (en) * 2012-12-31 2014-07-03 华为技术有限公司 Application identification method, and data mining method, device and system
CN103051725A (en) * 2012-12-31 2013-04-17 华为技术有限公司 Application identification method, data mining method, device and system
US20140321290A1 (en) * 2013-04-30 2014-10-30 Hewlett-Packard Development Company, L.P. Management of classification frameworks to identify applications
US20150358171A1 (en) * 2014-06-06 2015-12-10 Cisco Technology, Inc. Dynamic Configuration of a Conference System with Distributed Media Agents
CN106534145A (en) * 2016-11-28 2017-03-22 北京天行网安信息技术有限责任公司 Application identification method and equipment
CN109104381A (en) * 2018-06-26 2018-12-28 东南大学 A kind of mobile application recognition methods based on third party's flow HTTP message
CN110768933A (en) * 2018-07-27 2020-02-07 深信服科技股份有限公司 Network flow application identification method, system and equipment and storage medium
CN109617762A (en) * 2018-12-14 2019-04-12 南京财经大学 A method of mobile application is identified using network flow
CN110784383A (en) * 2019-12-05 2020-02-11 南京邮电大学 Shadowsocks proxy network flow detection method, storage medium and terminal

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
TOPONEDISON CSDN: "Two ways to implement an HTTP forward proxy - toponedison's blog - CSDN Blog - HTTP forward tunnel", pages 1 *

Similar Documents

Publication Publication Date Title
JP4977888B2 (en) Web application attack detection method
US11818151B2 (en) Identification of malicious domain campaigns using unsupervised clustering
CN105321108A (en) System and method for creating a list of shared information on a peer-to-peer network
CN102724317A (en) Network data flow classification method and device
US11314761B1 (en) Method and system for centralized multi-instance deployment consolidation
CN107534690A (en) Gather domain name system flow
CN101378396A (en) Phishing notification service
US10313377B2 (en) Universal link to extract and classify log data
CN104639391A (en) Method for generating network flow record and corresponding flow detection equipment
CN108900554B (en) HTTP asset detection method, system, device and computer medium
US11178160B2 (en) Detecting and mitigating leaked cloud authorization keys
CN104239353B (en) WEB classification control and log audit method
CN103731429A (en) Method and device for web application vulnerability detection
CN108632219A (en) A kind of website vulnerability detection method, detection service device and system
CN108063833A (en) HTTP dns resolutions message processing method and device
CN110313161B (en) IPFIX-based detection of amplification attacks on databases
CN114338600B (en) Equipment fingerprint selection method and device, electronic equipment and medium
CN116634046A (en) Message processing method and device, electronic equipment and storage medium
CN114143086B (en) Web application identification method and device, electronic equipment and storage medium
CN111371700A (en) Traffic identification method and device applied to forward proxy environment
CN106850349B (en) Feature information extraction method and device
CN101184002A (en) Point-to-point flux deepness monitoring method and equipment
CN114793204B (en) Network asset detection method
CN109194756A (en) Application features information extracting method and device
CN109791563A (en) Information Collection System, formation gathering method and recording medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination