CN111740996B - Method for rapidly splitting HTTP request and response in flow analysis scene - Google Patents

Info

Publication number
CN111740996B
Authority
CN
China
Prior art keywords
http
tcp
session
request
response
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010573606.XA
Other languages
Chinese (zh)
Other versions
CN111740996A (en)
Inventor
龚致
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sichuan Changhong Electric Co Ltd
Original Assignee
Sichuan Changhong Electric Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2020-06-22
Filing date
2020-06-22
Publication date
2021-06-22
Application filed by Sichuan Changhong Electric Co Ltd
Priority to CN202010573606.XA
Publication of CN111740996A
Application granted
Publication of CN111740996B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L67/50 Network services
    • H04L67/60 Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
    • H04L69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H04L69/163 In-band adaptation of TCP data exchange; In-band control procedures
    • H04L69/18 Multiprotocol handlers, e.g. single devices capable of handling multiple protocols

Abstract

The invention discloses a method for rapidly splitting HTTP (Hypertext Transfer Protocol) requests and responses in a traffic analysis scenario, belonging to the technical field of network security. The method comprises the following steps. TCP traffic preprocessing: reassemble the TCP-layer data and extract the HTTP content, build a fingerprint library of HTTP protocol versions and features, and compare received TCP traffic against the fingerprints. HTTP traffic preprocessing: quickly identify the HTTP request and response types within the same TCP session, associate them with the TCP direction, and apply different stream processing for different HTTP protocol versions. Fast HTTP request and response processing: preprocess the HTTP request line or response line in the HTTP packet content; for HTTP long connections, search the TCP packets captured by the probe only for a request line or response line, and split multiple HTTP requests and HTTP responses quickly by exploiting the fact that different requests occupy different TCP packet contents. The invention solves the low efficiency of splitting HTTP requests and HTTP responses within a TCP session, and of matching each request to its response, in a traffic analysis scenario.

Description

Method for rapidly splitting HTTP request and response in flow analysis scene
Technical Field
The invention belongs to the field of network security, is applied to traffic analysis, and in particular relates to a method for rapidly splitting HTTP requests and responses in a traffic analysis scenario.
Background
The first approach currently used in traffic analysis is to parse HTTP request and response content completely: after a traffic probe captures the TCP traffic, the traffic is handed to an HTTP traffic parser. This approach suffers from low parsing efficiency and poor compatibility, for the following reasons:
(1) all captured traffic is parsed as HTTP request and response content without any preprocessing;
(2) once the HTTP request and response traffic is obtained, each HTTP request and HTTP response is parsed completely, including the request line, request headers, request body, response line, response headers and response body;
(3) traffic that uses newer techniques to which the parser has not been adapted, such as TFO (TCP Fast Open), cannot be parsed.
The second approach currently used in traffic analysis is to handle the request and response directions of a TCP session separately: after a traffic probe captures the TCP traffic, it is divided into the inbound and outbound directions and split directly into requests and responses, without processing the HTTP content itself. Its drawback is that multiple HTTP requests and responses cannot be split apart and matched within the session, for the following reasons:
(1) the HTTP request or response content is not parsed completely;
(2) traffic that uses newer techniques to which the parser has not been adapted, such as TFO (TCP Fast Open), cannot be parsed.
This patent application addresses the need, in HTTP traffic analysis, to rapidly split the HTTP requests and HTTP responses within a TCP session and to match each request to its response, so that a request and its response can be stored and used together. The technical essence of the problem is that splitting HTTP requests and responses and matching them can be achieved by parsing them completely, but the parsing efficiency is then extremely low.
Disclosure of Invention
To solve the problems described in the background, the invention provides a method for rapidly splitting HTTP requests and responses in a traffic analysis scenario. By preprocessing HTTP protocol features and identifying the TCP inbound and outbound directions, it solves the low efficiency of splitting HTTP requests and HTTP responses within a TCP session and of matching requests to responses. The technical essence of the solution is that HTTP requests and HTTP responses can be split and matched without being parsed completely.
To achieve this purpose, the invention adopts the following technical solution:
A method for rapidly splitting HTTP requests and responses in a traffic analysis scenario comprises the following steps:
TCP traffic preprocessing: reassemble the TCP-layer data and extract the HTTP content, build a fingerprint library of HTTP protocol versions and features, and compare received TCP traffic against the fingerprints;
HTTP traffic preprocessing: quickly identify the HTTP request and response types within the same TCP session, associate them with the TCP direction, and apply different stream processing for different HTTP protocol versions;
Fast HTTP request and response processing: preprocess the HTTP request line or response line in the HTTP packet content; for HTTP long connections, search the TCP packets captured by the probe only for a request line or response line, and split multiple HTTP requests and HTTP responses quickly by exploiting the fact that different requests occupy different TCP packet contents.
Reassembling the TCP-layer data and extracting the HTTP content, building a fingerprint library of HTTP protocol versions and features, and comparing received TCP traffic against the fingerprints comprises:
capturing TCP traffic;
performing TCP packet reassembly and TCP payload extraction.
Capturing the TCP traffic comprises:
capturing TCP traffic through the Linux kernel AF_PACKET interface.
Performing the TCP packet reassembly and TCP payload extraction comprises:
extracting the corresponding TCP segments through IP fragment reassembly, and extracting the TCP payload by reassembling the TCP segments;
for Linux kernel TCP Fast Open, checking whether the TCP SYN packet carries a TCP Fast Open cookie; if it does, verifying the cookie, and if the verification succeeds, extracting the TCP payload;
determining the initiator of the TCP three-way handshake: if the SYN packet of the three-way handshake has sip = 10.0.0.1 and sport = 8888, the receiver is dip = 10.0.0.2 and dport = 80; if the sender is the initiator of the TCP three-way handshake, HTTP request method feature preprocessing is performed, and if it is not the initiator, HTTP response feature preprocessing is performed.
The HTTP traffic preprocessing further comprises: an HTTP short connection needs no splitting of HTTP requests and responses; only an HTTP long connection needs splitting, with the multiple HTTP requests and responses within the TCP session reassembled into HTTP sessions and stored.
The HTTP request method feature preprocessing comprises:
for the initiator of the TCP three-way handshake on the TCP session (sip = 10.0.0.1, sport = 8888), detecting whether the TCP payload begins with one of the HTTP request methods GET/HEAD/POST/OPTIONS/PUT/DELETE/TRACE/CONNECT;
if it does not, the TCP session is not an HTTP session and is not analyzed;
if it matches the features of an HTTP request, generating the HTTP session.
Generating the HTTP session comprises:
hashing sip = 10.0.0.1, sport = 8888, dip = 10.0.0.2, dport = 80 and the HTTP session counter on the TCP session (count = 1) to obtain the HTTP session sessionid = sid1; associating the request- and response-related meta information of the session, setting the current TCP payload as the HTTP payload, and performing HTTP/0.9 request method feature preprocessing.
The HTTP/0.9 request method feature preprocessing comprises:
determining whether the HTTP request method in the HTTP payload is GET; if it is not, setting the HTTP session as a long connection, and if it is GET, carrying out the next step;
determining whether the request-line marker \r\n of the first HTTP request in the HTTP payload is at the end of the content with no HTTP version information before the \r\n; if so, the HTTP session is a short connection, otherwise the HTTP session is set as a long connection;
after the HTTP session has been classified, waiting for the HTTP payload and determining whether the HTTP session is a long connection.
The HTTP response feature preprocessing comprises:
detecting whether the TCP payload begins with HTTP/1; if so, it is treated as response content of HTTP version 1.0/1.1;
using the hash of dip = 10.0.0.1, dport = 8888, sip = 10.0.0.2 and sport = 80 to look up whether a corresponding request was initiated and whether the request version is HTTP/0.9; if so, the response is treated as a normal HTTP/0.9 response; if the information is not found or the version is not HTTP/0.9, the TCP session is considered abnormal and is not analyzed; if the hash lookup succeeds and the HTTP version information is normal, the current TCP payload is set as the HTTP payload, and the method waits for the HTTP payload and determines whether the HTTP session is a long connection.
Waiting for the HTTP payload and determining whether the HTTP session is a long connection comprises:
the HTTP session is a short connection: finding the corresponding storage location through the HTTP session sessionid = sid1, determining from the direction of the HTTP session whether the current HTTP packet is a request or a response and storing it accordingly, and after storing it, determining whether the current TCP session has ended;
the HTTP session is a long connection: searching the current HTTP payload for the request-line or response-line marker \r\n, in order to determine whether the current HTTP payload is the request line or response line of the next HTTP session; the HTTP request or response is not fully parsed, only a partial string search is performed. If the request-line or response-line marker \r\n is found, the previous HTTP payload was the last TCP packet of the previous HTTP session: the previous HTTP session is finished and stored into the corresponding session according to the HTTP request/response type, the information of the current HTTP session sessionid = sid1 is deleted from the HTTP session hash table, and a new session sessionid = sid2 is generated, of which the current HTTP payload is the first TCP packet; it is then determined whether the current TCP session has ended. If the marker is not found, the current HTTP payload is appended to the data store of the current HTTP session according to the HTTP request/response type, and it is then determined whether the current TCP session has ended.
Determining whether the current TCP session has ended comprises:
if the current TCP session has ended, releasing the current TCP session and the HTTP session resources on it, and ending the processing of the current TCP session;
if the current TCP session has not ended, waiting for the HTTP payload, determining whether the HTTP session is a long connection, and continuing to wait for TCP packets from which to extract the HTTP payload.
Compared with the prior art, the invention has the beneficial effects that:
Through the three modules of this technical solution (the TCP traffic preprocessing module, the HTTP traffic preprocessing module, and the fast HTTP request and response processing module), multiple HTTP requests and responses within the same TCP session can be split quickly without completely parsing the HTTP requests (request line, request headers and request body) or the HTTP responses (response line, response headers and response body), which improves parsing efficiency over the original schemes.
Drawings
Fig. 1 is a flowchart of an implementation of a method for quickly splitting HTTP request and response in a traffic analysis scenario according to the present invention.
Detailed Description
The present invention is further described below with reference to the following examples, which illustrate only some, not all, of its embodiments. All other embodiments obtained by those skilled in the art from the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
Example 1:
As shown in Fig. 1:
S1: Capture TCP traffic: TCP traffic is captured through the Linux kernel AF_PACKET technology;
S2: Perform TCP packet reassembly and TCP payload extraction:
S21: extract the corresponding TCP segments through IP fragment reassembly, and extract the TCP payload by reassembling the TCP segments;
S22: for the Linux kernel TCP Fast Open technology, check whether the TCP SYN packet carries a TCP Fast Open cookie; if it does, verify the cookie, and if the verification succeeds, extract the TCP payload;
S23: determine the initiator of the TCP three-way handshake: if the SYN packet of the three-way handshake has sip = 10.0.0.1 and sport = 8888, the receiver is dip = 10.0.0.2 and dport = 80; if the sender is the initiator of the TCP three-way handshake, go to S3, and if it is not the initiator, go to S6. A SYN packet is a TCP packet with the SYN flag set.
S3: HTTP request method feature preprocessing: for the initiator of the TCP three-way handshake on the TCP session (sip = 10.0.0.1, sport = 8888), detect whether the TCP payload begins with one of the HTTP request methods GET/HEAD/POST/OPTIONS/PUT/DELETE/TRACE/CONNECT; if it does not, the TCP session is not an HTTP session and is not analyzed; if it matches the features of an HTTP request, go to S4;
S4: Generate an HTTP session: hash sip = 10.0.0.1, sport = 8888, dip = 10.0.0.2, dport = 80 and the HTTP session counter on the TCP session (count = 1) to obtain the HTTP session sessionid = sid1; associate the request- and response-related meta information of the session, set the current TCP payload as the HTTP payload, and go to S5;
S5: HTTP/0.9 request method feature preprocessing:
S51: first determine whether the method of the HTTP request in the HTTP payload is GET; if it is not, set the HTTP session as a long connection, and if it is, carry out the next step;
S52: determine whether the request-line marker \r\n of the first HTTP request in the HTTP payload is at the end of the content with no HTTP version information before the \r\n; if so, the HTTP session is a short connection, otherwise the HTTP session is set as a long connection;
S53: after the above processing, go to S7;
S6: HTTP response feature preprocessing:
S61: detect whether the TCP payload begins with HTTP/1; if so, it is treated as response content of HTTP version 1.0/1.1;
S62: use the hash of dip = 10.0.0.1, dport = 8888, sip = 10.0.0.2 and sport = 80 to look up whether a corresponding request was initiated and whether the request version is HTTP/0.9; if so, the response is treated as a normal HTTP/0.9 response; if the information is not found or the version is not HTTP/0.9, the TCP session is considered abnormal and is not analyzed; if the hash lookup succeeds and the HTTP version information is normal, set the current TCP payload as the HTTP payload and go to S7;
S7: Wait for the HTTP payload and determine whether the HTTP session is a long connection:
S71: the HTTP session is a short connection: find the corresponding storage location through the HTTP session sessionid = sid1, determine from the direction of the HTTP session whether the current HTTP packet is a request or a response and store it accordingly, and after storing it go to S10;
S72: the HTTP session is a long connection: search the current HTTP payload for the request-line or response-line marker \r\n to determine whether the current HTTP payload is the request line or response line of the next HTTP session; the HTTP request or response is not fully parsed, only a partial string search is performed; if the request-line or response-line marker \r\n is found, go to S8, and if it is not found, go to S9;
S8: The request-line or response-line marker \r\n was found, so the previous HTTP payload was the last TCP packet of the previous HTTP session: finish processing the previous HTTP session, store it into the corresponding session according to the HTTP request/response type, delete the information of the current HTTP session sessionid = sid1 from the HTTP session hash table, and generate a new session sessionid = sid2, of which the current HTTP payload is the first TCP packet; then go to S10;
S9: The request-line or response-line marker \r\n was not found: append the current HTTP payload to the data store of the current HTTP session according to the HTTP request/response type, then go to S10;
S10: Determine whether the current TCP session has ended:
S101: if the current TCP session has ended, go to S11;
S102: if the current TCP session has not ended, go to S7 and continue waiting for TCP packets from which to extract the HTTP payload;
S11: Release the current TCP session and the HTTP session resources on it, and end the processing of the current TCP session.
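The S3 to S11 flow above (the same steps listed in the Disclosure section), sketched in Python as an added example; it is not code from the patent. It assumes capture, reassembly and direction tagging (S1, S2) are already done and that requests are not pipelined, so each response belongs to the most recent request; the names `Splitter`, `Exchange` and `split_session` are illustrative.

```python
import hashlib
from dataclasses import dataclass, field

METHODS = (b"GET", b"HEAD", b"POST", b"OPTIONS", b"PUT", b"DELETE", b"TRACE", b"CONNECT")


def is_request_start(payload: bytes) -> bool:
    """S3: the payload begins with an HTTP request method and a space."""
    return any(payload.startswith(m + b" ") for m in METHODS)


def is_http09_request(payload: bytes) -> bool:
    """S5: GET whose request line ends the payload and has no HTTP version."""
    if not payload.startswith(b"GET "):
        return False
    eol = payload.find(b"\r\n")
    return eol != -1 and eol + 2 == len(payload) and b"HTTP/" not in payload[:eol]


def is_response_start(payload: bytes) -> bool:
    """S61: the payload begins with an HTTP/1.0 or HTTP/1.1 status line."""
    return payload.startswith(b"HTTP/1")


@dataclass
class Exchange:
    sid: str                      # HTTP session id (S4)
    long_conn: bool               # False only for an HTTP/0.9 request (S5)
    request: bytearray = field(default_factory=bytearray)
    response: bytearray = field(default_factory=bytearray)


class Splitter:
    """Splits the reassembled payloads of one TCP session into HTTP exchanges."""

    def __init__(self, sip, sport, dip, dport):
        self.tuple4 = (sip, sport, dip, dport)  # initiator -> receiver, from the SYN (S23)
        self.count = 0                          # HTTP session counter on this TCP session
        self.current = None
        self.done = []
        self.is_http = True

    def _new_exchange(self, payload: bytes) -> None:
        """S4: hash the 4-tuple plus counter into a session id, then run S5."""
        self.count += 1
        key = "|".join(map(str, self.tuple4 + (self.count,))).encode()
        sid = hashlib.sha256(key).hexdigest()[:16]
        self.current = Exchange(sid, long_conn=not is_http09_request(payload))
        self.current.request += payload

    def feed(self, from_initiator: bool, payload: bytes) -> None:
        if not self.is_http or not payload:
            return
        cur = self.current
        if cur is None:                          # first payload of the TCP session
            if from_initiator and is_request_start(payload):
                self._new_exchange(payload)
            else:
                self.is_http = False             # S3: not HTTP, stop analyzing
        elif from_initiator:
            if cur.long_conn and is_request_start(payload):
                self.done.append(cur)            # S8: previous exchange is complete
                self._new_exchange(payload)
            else:
                cur.request += payload           # S71 / S9: continuation data
        elif not cur.response and cur.long_conn and not is_response_start(payload):
            self.is_http = False                 # S62: neither HTTP/1.x nor an HTTP/0.9 reply
        else:
            cur.response += payload              # S71 / S9

    def close(self) -> list:
        """S10 / S11: TCP session ended; flush the open exchange and return all."""
        if self.current is not None and self.is_http:
            self.done.append(self.current)
        self.current = None
        return self.done


# Constructed sample: reassembled payloads of one long-connection TCP session
# (True = sent by the handshake initiator 10.0.0.1:8888, False = by 10.0.0.2:80).
SAMPLE = [
    (True, b"POST /login HTTP/1.1\r\nHost: a.example\r\nContent-Length: 9\r\n\r\n"),
    (True, b"user=demo"),
    (False, b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"),
    (True, b"GET /index.html HTTP/1.1\r\nHost: a.example\r\n\r\n"),
    (False, b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\n"),
    (False, b"hello"),
]


def split_session(segments, sip="10.0.0.1", sport=8888, dip="10.0.0.2", dport=80):
    """Feed (from_initiator, payload) pairs in arrival order; return the exchanges."""
    splitter = Splitter(sip, sport, dip, dport)
    for from_initiator, payload in segments:
        splitter.feed(from_initiator, payload)
    return splitter.close()


if __name__ == "__main__":
    for ex in split_session(SAMPLE):
        print(ex.sid, ex.long_conn, len(ex.request), len(ex.response))
```

Because the split relies on a prefix match alone, a body segment that happens to begin with a method token is treated as the start of a new request; an analysis pipeline that needs exact boundaries has to cross-check against Content-Length or chunked framing.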
The invention provides a method for rapidly splitting HTTP requests and responses in a traffic analysis scenario. It is mainly used in the field of network traffic analysis and aims to make the analysis of HTTP protocol traffic more efficient. It is a strategy for efficient HTTP protocol traffic analysis, used in a service product, that: pre-analyzes TCP traffic against an HTTP protocol feature library; supports TCP Fast Open traffic by checking the TCP Fast Open flag and cookie; quickly determines which party an HTTP request or response belongs to from the initiator of the TCP three-way handshake; quickly looks up the HTTP session by combining the HTTP request direction with the five-tuple; and quickly delimits the content of HTTP requests and responses by string-searching for the end marker of the HTTP request line and HTTP response line.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents and improvements made within the spirit and principle of the present invention are intended to be included within the scope of the present invention.

Claims (5)

1. A method for rapidly splitting HTTP requests and responses in a traffic analysis scenario, characterized by comprising the following steps:
TCP traffic preprocessing: reassembling the TCP-layer data and extracting the HTTP content, building a fingerprint library of HTTP protocol versions and features, and comparing received TCP traffic against the fingerprints;
HTTP traffic preprocessing: quickly identifying the HTTP request and response types within the same TCP session, associating them with the TCP direction, and applying different stream processing for different HTTP protocol versions;
fast HTTP request and response processing: preprocessing the HTTP request line or response line in the HTTP packet content; for HTTP long connections, searching the TCP packets captured by the probe only for a request line or response line, and splitting multiple HTTP requests and HTTP responses quickly by exploiting the fact that different requests occupy different TCP packet contents;
the HTTP traffic preprocessing further comprises: an HTTP short connection needs no splitting of HTTP requests and responses; only an HTTP long connection needs splitting, with the multiple HTTP requests and responses within the TCP session reassembled into HTTP sessions and stored;
the HTTP request method feature preprocessing comprises:
for the initiator of the TCP three-way handshake on the TCP session (sip = 10.0.0.1, sport = 8888), detecting whether the TCP payload begins with one of the HTTP request methods GET/HEAD/POST/OPTIONS/PUT/DELETE/TRACE/CONNECT;
if it does not, the TCP session is not an HTTP session and is not analyzed;
if it matches the features of an HTTP request, generating an HTTP session;
generating the HTTP session comprises:
hashing sip = 10.0.0.1, sport = 8888, dip = 10.0.0.2, dport = 80 and the HTTP session counter count = 1 on the TCP session to obtain the HTTP session sessionid = sid1; associating the request- and response-related meta information of the HTTP session, setting the current TCP payload as the HTTP payload, and performing HTTP/0.9 request method feature preprocessing;
the HTTP/0.9 request method feature preprocessing comprises:
determining whether the HTTP request method in the HTTP payload is GET; if it is not, setting the HTTP session as a long connection, and if it is GET, carrying out the next step;
determining whether the request-line marker \r\n of the first HTTP request in the HTTP payload is at the end of the HTTP request with no HTTP version information before the \r\n; if so, the HTTP session is a short connection, otherwise the HTTP session is set as a long connection;
after the HTTP session has been classified, waiting for the HTTP payload and determining whether the HTTP session is a long connection;
waiting for the HTTP payload and determining whether the HTTP session is a long connection comprises:
the HTTP session is a short connection: finding the corresponding storage location through the HTTP session sessionid = sid1, determining from the direction of the HTTP session whether the current HTTP packet is a request or a response and storing it accordingly, and after storing it, determining whether the current TCP session has ended;
the HTTP session is a long connection: searching the current HTTP payload for the request-line or response-line marker \r\n, in order to determine whether the current HTTP payload is the request line or response line of the next HTTP session, without fully parsing the HTTP request or response and performing only a partial string search; if the request-line or response-line marker \r\n is found, the previous HTTP payload was the last TCP packet of the previous HTTP session, the previous HTTP session is finished and stored into the corresponding session according to the HTTP request/response type, the information of the current HTTP session sessionid = sid1 is deleted from the HTTP session hash table, and a new session sessionid = sid2 is generated, of which the current HTTP payload is the first TCP packet, and it is determined whether the current TCP session has ended; if the marker is not found, the current HTTP payload is appended to the data store of the current HTTP session according to the HTTP request/response type, and it is then determined whether the current TCP session has ended.
2. The method for rapidly splitting HTTP requests and responses in a traffic analysis scenario according to claim 1, wherein reassembling the TCP-layer data and extracting the HTTP content, building a fingerprint library of HTTP protocol versions and features, and comparing received TCP traffic against the fingerprints comprises:
capturing TCP traffic;
performing TCP packet reassembly and TCP payload extraction.
3. The method according to claim 2, wherein capturing the TCP traffic comprises:
capturing TCP traffic through the Linux kernel AF_PACKET interface;
and performing the TCP packet reassembly and TCP payload extraction comprises:
extracting the corresponding TCP segments through IP fragment reassembly, and extracting the TCP payload by reassembling the TCP segments;
for Linux kernel TCP Fast Open, checking whether the TCP SYN packet carries a TCP Fast Open cookie; if it does, verifying the cookie, and if the verification succeeds, extracting the TCP payload;
determining the initiator of the TCP three-way handshake: if the SYN packet of the three-way handshake has sip = 10.0.0.1 and sport = 8888, the receiver is dip = 10.0.0.2 and dport = 80; if the sender is the initiator of the TCP three-way handshake, HTTP request method feature preprocessing is performed, and if it is not the initiator, HTTP response feature preprocessing is performed.
4. The method of claim 3, wherein the HTTP response feature preprocessing comprises:
detecting whether the TCP payload begins with HTTP/1; if so, it is treated as response content of HTTP version 1.0/1.1;
using the hash of dip = 10.0.0.1, dport = 8888, sip = 10.0.0.2 and sport = 80 to look up whether a corresponding request was initiated and whether the request version is HTTP/0.9; if so, the response is treated as a normal HTTP/0.9 response; if the corresponding information is not found or the version is not HTTP/0.9, the TCP session is considered abnormal and is not analyzed; if the hash lookup succeeds and the HTTP version information is normal, the current TCP payload is set as the HTTP payload, and the method waits for the HTTP payload and determines whether the HTTP session is a long connection.
5. The method according to claim 1, wherein determining whether the current TCP session has ended comprises:
if the current TCP session has ended, releasing the current TCP session and the HTTP session resources on it, and ending the processing of the current TCP session;
if the current TCP session has not ended, waiting for the HTTP payload, determining whether the HTTP session is a long connection, and continuing to wait for TCP packets from which to extract the HTTP payload.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010573606.XA CN111740996B (en) 2020-06-22 2020-06-22 Method for rapidly splitting HTTP request and response in flow analysis scene

Publications (2)

Publication Number Publication Date
CN111740996A (en) 2020-10-02
CN111740996B (en) 2021-06-22

Family

ID=72650418

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant