CN111865877B - Internet access behavior control method and system, electronic equipment and storage medium - Google Patents

Info

Publication number
CN111865877B
CN111865877B
Authority
CN
China
Prior art keywords
ssl
ssl session
behavior
data packet
target website
Prior art date
Legal status
Active
Application number
CN201910355945.8A
Other languages
Chinese (zh)
Other versions
CN111865877A (en)
Inventor
张志良
Current Assignee
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Sangfor Technologies Co Ltd
Priority to CN201910355945.8A
Publication of CN111865877A
Application granted
Publication of CN111865877B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/166 Implementing security features at a particular protocol layer at the transport layer
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H04L69/161 Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields
    • H04L69/162 Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields involving adaptations of sockets based mechanisms

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Technology Law (AREA)
  • Computer And Data Communications (AREA)

Abstract

The application discloses a method and a system for controlling internet access behavior, an electronic device and a computer-readable storage medium. The method comprises the following steps: when an SSL session initiated by an intranet client is received, determining the target website accessed by the SSL session; acquiring the data length of the application data packet in the SSL session; and comparing the data length with a threshold corresponding to the target website to obtain an internet access behavior judgment result. In the method, the judgment result is obtained by comparing the threshold with the data length of the application data packet in the SSL session, so that browsing behavior and uploading behavior are distinguished without using an SSL man-in-the-middle.

Description

Internet access behavior control method and system, electronic equipment and storage medium
Technical Field
The present application relates to the field of computer technologies, and in particular, to a method and a system for controlling internet access behavior, an electronic device, and a computer-readable storage medium.
Background
As enterprise business migrates to the internet, business offices can no longer do without it. However, to protect internal information from leaking, enterprises have the following requirement: internal employees are allowed to browse web pages, but are not allowed to upload internal information to the network through a browser or other tools; that is, the browsing behavior of the intranet client is allowed and the uploading behavior is forbidden.
Today's websites generally provide services through HTTPS (Hypertext Transfer Protocol over Secure Socket Layer, also written Hypertext Transfer Protocol Secure), so all communication between a browser and an HTTPS server is encrypted. In the prior art, the plaintext data exchanged between the browser and the HTTPS server is obtained through an SSL (Secure Socket Layer) proxy, and browsing behavior and uploading behavior are then controlled separately on that plaintext. However, this scheme requires the client to import the proxy's certificate, which is not trusted by default; this needs manual intervention and is difficult to deploy. If the untrusted certificate is not imported, then every time the client accesses a connection proxied by the SSL proxy, the browser warns that the current SSL connection is not trusted and asks the user whether to continue, which is an unacceptable user experience.
Therefore, how to distinguish browsing behavior from uploading behavior without an SSL man-in-the-middle is a technical problem to be solved by those skilled in the art.
Disclosure of Invention
The application aims to provide a method and a system for controlling internet access behavior, an electronic device and a computer-readable storage medium, which distinguish browsing behavior from uploading behavior without using an SSL (Secure Socket Layer) man-in-the-middle.
In order to achieve the above object, the present application provides a method for controlling an internet access behavior, including:
when an SSL session initiated by an intranet client is received, determining a target website accessed by the SSL session;
acquiring the data length corresponding to the application data packet in the SSL session;
and comparing the data length with a threshold corresponding to the target website to obtain an internet behavior judgment result.
Wherein the comparing of the data length with the threshold corresponding to the target website to obtain the internet access behavior judgment result includes:
when the data length is larger than the threshold corresponding to the target website, judging the SSL session to be an uploading behavior;
and when the data length is smaller than or equal to the threshold corresponding to the target website, judging the SSL session to be a browsing behavior.
Wherein the determining of the target website accessed by the SSL session includes:
acquiring a handshake data packet of the SSL session, and determining the target website accessed by the SSL session according to the server name field in the handshake data packet.
Wherein the acquiring of the handshake data packet of the SSL session includes:
determining a first SSL record protocol layer whose Content Type field is 22 in the SSL session, and taking the first data packet corresponding to that SSL record protocol layer as the handshake data packet.
Wherein the obtaining of the data length corresponding to the application data packet in the SSL session includes:
determining a second SSL record protocol layer whose Content Type field is 23 in the SSL session, and taking the second data packet corresponding to that SSL record protocol layer as the application data packet;
and determining the data length corresponding to the application data packet according to the value of the Length field in the second SSL record protocol layer.
Wherein, if the Length field value is in network byte order, determining the data length corresponding to the application data packet according to the value of the Length field in the second SSL record protocol layer includes:
converting the Length field value in the second SSL record protocol layer into a target value in host byte order, and taking the target value as the data length corresponding to the application data packet.
Wherein the method further comprises:
when the SSL session is judged to be an uploading behavior, rejecting the uploading behavior;
and when the SSL session is judged to be a browsing behavior, allowing the browsing behavior.
In order to achieve the above object, the present application provides an internet access behavior control system, including:
a determining module, configured to determine the target website accessed by an SSL session when the SSL session initiated by an intranet client is received;
the acquisition module is used for acquiring the data length corresponding to the application data packet in the SSL session;
and the comparison module is used for comparing the data length with a threshold value corresponding to the target website to obtain an internet behavior judgment result.
To achieve the above object, the present application provides an electronic device including:
a memory for storing a computer program;
and the processor is used for realizing the steps of the internet behavior control method when executing the computer program.
To achieve the above object, the present application provides a computer-readable storage medium, on which a computer program is stored, and the computer program, when executed by a processor, implements the steps of the above-mentioned internet behavior control method.
According to the scheme, the internet access behavior control method provided by the application comprises the following steps: when an SSL session initiated by an intranet client is received, determining the target website accessed by the SSL session; acquiring the data length corresponding to the application data packet in the SSL session; and comparing the data length with a threshold corresponding to the target website to obtain an internet access behavior judgment result.
Adding an SSL layer to the plaintext HTTP protocol ensures the security of data transmission between a client such as a browser and the server. An upload with the HTTP POST command in plaintext has the characteristic of large uplink traffic and small downlink traffic, and the encrypted POST command retains this characteristic. In the method, a threshold is set for each target website according to this characteristic, the internet access behavior judgment result is obtained by comparing the threshold with the data length of the application data packet in the SSL session, and browsing behavior and uploading behavior are distinguished without using an SSL man-in-the-middle. The application also discloses an internet access behavior control system, an electronic device and a computer-readable storage medium, which achieve the same technical effect.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts. The accompanying drawings, which are included to provide a further understanding of the disclosure and are incorporated in and constitute a part of this specification, illustrate embodiments of the disclosure and together with the description serve to explain the disclosure without limiting the disclosure. In the drawings:
FIG. 1 is a flowchart illustrating a method for controlling internet access behavior according to an exemplary embodiment;
FIG. 2 is a flowchart illustrating another method for controlling internet access behavior according to an exemplary embodiment;
FIG. 3 shows the SSL protocol as parsed by Wireshark;
FIG. 4 is a block diagram illustrating an internet access behavior control system according to an exemplary embodiment;
FIG. 5 is a block diagram illustrating an electronic device according to an exemplary embodiment.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
In the prior art, an SSL man-in-the-middle scheme is used to distinguish internet access behaviors, which is either complex to implement or gives a poor user experience. Therefore, in the present application, the SSL session is analysed at the SSL layer without an SSL proxy, and browsing behavior and uploading behavior are distinguished by the difference in their uplink traffic.
The embodiment of the application discloses a control method for internet access behavior, which distinguishes browsing behavior from uploading behavior without an SSL (Secure Socket Layer) man-in-the-middle.
Referring to FIG. 1, a flowchart of a method for controlling internet access behavior according to an exemplary embodiment is shown; as shown in FIG. 1, the method includes:
S101: when an SSL session initiated by an intranet client is received, determining the target website accessed by the SSL session;
Adding the SSL layer to the plaintext HTTP protocol ensures the security of data transmission between a client such as a browser and the server. That security rests on the SSL protocol, and the execution body of this embodiment is the SSL layer.
In a specific implementation, when the SSL layer receives an SSL session initiated by an intranet client, the target website accessed by the SSL session is determined first. This embodiment does not limit how the target website is determined; for example, the destination address may be obtained from the internet access data of the SSL session and the target website determined from that destination address. Alternatively, the handshake data packet of the SSL session may be used: the handshake data packet is obtained, and the target website accessed by the SSL session is determined from the server name field in the handshake data packet.
The SSL protocol is layered. The lower layer is the SSL Record Protocol Layer, which is built on TCP (Transmission Control Protocol) and provides encapsulation, compression, encryption and similar functions for the higher-layer protocols. The higher layer is the SSL Handshake Protocol Layer, comprising the SSL Handshake Protocol, the SSL Change Cipher Spec Protocol, the SSL Alert Protocol and the Application Data Protocol. The SSL handshake protocol performs identity authentication, negotiates the encryption algorithm and exchanges encryption keys between the two communicating parties; its server name field identifies the target website accessed by the SSL session. The SSL Change Cipher Spec protocol notifies the client and server that subsequent messages will use the newly negotiated cipher suite and keys. The SSL Alert protocol reports alert information to the peer; the message contains the severity level and a description of the alert. The Application Data protocol carries the encrypted application messages, for example ordinary HTTP.
S102: acquiring the data length corresponding to the application data packet in the SSL session;
in this step, the uplink traffic of the SSL session needs to be obtained, that is, the data length corresponding to the application packet in the SSL session is obtained.
S103: and comparing the data length with a threshold corresponding to the target website to obtain an internet behavior judgment result.
For a website served over HTTPS, although the interaction between the intranet client and the website is encrypted, information is generally fetched from the website with the GET command of the HTTP protocol. A GET command has small uplink request traffic and large downlink response traffic, and the encrypted GET command retains this characteristic; that is, browsing behavior is characterised by small uplink traffic and large downlink traffic. Conversely, the HTTP upload command POST has large uplink traffic and small downlink traffic, and the encrypted POST command retains this characteristic; that is, uploading behavior is characterised by large uplink traffic and small downlink traffic. Therefore a threshold can be defined for each target website: a session whose uplink traffic length is larger than the threshold is identified as uploading behavior towards the target website, and a session whose uplink traffic length is smaller than or equal to the threshold is identified as browsing behavior towards the target website.
Each target website has a corresponding threshold. The threshold may be set manually from experience, or a large number of internet access behaviors may be collected and classified with a deep learning model and the threshold set automatically from the classification result; this is not limited here.
In a specific implementation, the internet access behavior judgment result is obtained by comparing the data length obtained in the previous step with the threshold: when the data length is larger than the threshold corresponding to the target website, the SSL session is judged to be an uploading behavior; when the data length is smaller than or equal to the threshold corresponding to the target website, the SSL session is judged to be a browsing behavior.
Preferably, after this step the SSL session may be further controlled according to a security policy. Specifically, when the security policy allows browsing by the intranet client but prohibits uploading, SSL sessions whose data length is smaller than or equal to the threshold are allowed and SSL sessions whose data length is larger than the threshold are blocked: when the SSL session is judged to be an uploading behavior, the upload is refused; when the SSL session is judged to be a browsing behavior, the browsing is allowed.
It should be noted that the threshold corresponding to the target website separates the encrypted lengths of the GET and POST requests sent by the intranet client. An upload within the threshold carries only a small number of bytes and is considered unable to cause a substantial leak, so such behavior may also be allowed.
In this embodiment, a threshold is set for each target website according to these characteristics, and the internet access behavior judgment result is obtained by comparing the threshold with the data length of the application data packet in the SSL session. Specifically, a session whose uplink traffic length is larger than the threshold is identified as uploading behavior towards the target website, and a session whose uplink traffic length is smaller than or equal to the threshold is identified as browsing behavior towards the target website, so that browsing behavior and uploading behavior are distinguished without an SSL proxy.
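The paragraph above leaves the threshold to experience or to a classifier. As an added illustration, not code from the patent or from Sangfor, the following Python calibrates a per-site threshold from labelled samples of uplink application-record lengths: it tries every observed length as a candidate and keeps the one with the fewest misclassifications under the page's rule (larger than the threshold is an upload, otherwise browsing). Ties go to the larger threshold, in line with the page's later remark that small uploads within the threshold are tolerated. The sample lengths and the function names are constructed here and are not measurements from the patent.

```python
# Constructed samples of uplink application-record lengths (bytes) for one site,
# labelled by how the traffic was generated; not measurements from the patent.
BROWSE_SAMPLES = [187, 240, 310, 402, 455, 512, 640, 2300]   # GET-style: small uplink
UPLOAD_SAMPLES = [1500, 2600, 4100, 8000, 12000, 16384]      # POST-style: large uplink


def judge(length, threshold):
    """The page's rule: larger than the threshold is an upload, otherwise browsing."""
    return "upload" if length > threshold else "browsing"


def evaluate(threshold, browse_lengths, upload_lengths):
    """Return (false_uploads, missed_uploads) for one threshold on labelled samples:
    browsing sessions that would be judged uploads, and uploads that would pass as browsing."""
    false_uploads = sum(judge(x, threshold) == "upload" for x in browse_lengths)
    missed_uploads = sum(judge(x, threshold) == "browsing" for x in upload_lengths)
    return false_uploads, missed_uploads


def choose_threshold(browse_lengths, upload_lengths):
    """Pick the threshold with the fewest total errors.
    Only the observed lengths (and 0) need to be tried, because the error count
    changes only when the threshold crosses a sample. Ties go to the larger
    threshold, i.e. fewer browsing sessions wrongly blocked."""
    candidates = sorted(set(browse_lengths) | set(upload_lengths) | {0})
    best_t, best_err = None, None
    for t in candidates:
        err = sum(evaluate(t, browse_lengths, upload_lengths))
        if best_err is None or err < best_err or (err == best_err and t > best_t):
            best_t, best_err = t, err
    return best_t, best_err


if __name__ == "__main__":
    t, err = choose_threshold(BROWSE_SAMPLES, UPLOAD_SAMPLES)
    print(f"chosen threshold {t} bytes with {err} misclassified samples")
    print("page's 2KB threshold on these samples (false uploads, missed uploads):",
          evaluate(2048, BROWSE_SAMPLES, UPLOAD_SAMPLES))
```

With these samples the browse and upload lengths overlap (one large browsing request at 2300 bytes, one small upload at 1500 bytes), so no threshold is error-free; the calibration returns 2300 with one missed upload, and the page's 2KB figure scores one error of each kind. The same `evaluate` call is how a deployment would re-check a site's threshold as its traffic profile drifts.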
The embodiment of the application discloses a control method for internet surfing behavior, and compared with the previous embodiment, the embodiment further explains and optimizes the technical scheme. Specifically, the method comprises the following steps:
Referring to FIG. 2, a flowchart of another internet access behavior control method according to an exemplary embodiment is shown; as shown in FIG. 2, the method includes:
S201: when an SSL session initiated by an intranet client is received, determining a first SSL record protocol layer whose Content Type field is 22 in the SSL session, and taking the first data packet corresponding to that SSL record protocol layer as the handshake data packet;
FIG. 3 shows the SSL protocol as parsed by Wireshark. The SSL record protocol layer consists of the Content Type, Version and Length fields followed by the higher-layer protocol data. Content Type occupies 1 byte and identifies the type of the encapsulated higher-layer protocol: 22 for the SSL handshake protocol, 20 for the SSL Change Cipher Spec protocol, 21 for the SSL Alert protocol and 23 for the application data protocol. The Version field occupies 2 bytes and holds the major and minor version numbers of the SSL protocol. The Length field occupies 2 bytes and gives the length of the higher-layer protocol data carried by the SSL record protocol layer. Depending on the Content Type field, the higher-layer protocol data is SSL handshake data, SSL Change Cipher Spec data, SSL alert data or application-layer data.
Therefore, in this embodiment, the packet corresponding to the SSL record protocol layer whose Content Type field is 22 is taken as the handshake packet.
S202: determining the target website accessed by the SSL session according to the server name field in the handshake data packet;
S203: determining a second SSL record protocol layer whose Content Type field is 23 in the SSL session, and taking the second data packet corresponding to that SSL record protocol layer as the application data packet;
In this step, as described above, the packet corresponding to the SSL record protocol layer whose Content Type field is 23 is taken as the application packet.
S204: converting the Length field value in the second SSL record protocol layer into a target value in host byte order, and taking the target value as the data length corresponding to the application data packet;
Because the Length field in the SSL record protocol layer is in network byte order, it needs to be converted into host byte order for the threshold comparison in the subsequent steps.
S205: judging whether the data length is larger than the threshold corresponding to the target website; if yes, entering S206; if not, entering S207;
S206: judging the SSL session to be an uploading behavior, and rejecting the uploading behavior;
S207: judging the SSL session to be a browsing behavior, and allowing the browsing behavior.
In the following, taking the github website as the target website, an application embodiment of the internet access behavior control method provided by the present application is introduced. Assume that the upload threshold of the github website is 2KB. The method may include the following steps:
Step one: judge whether the current SSL session has already been identified as a github upload; if yes, exit, otherwise enter step two.
Step two: judge whether the current SSL session has already been identified as a session communicating with the github server; if not, enter step three, otherwise enter step six.
Step three: judge whether the current SSL session is initiated by the intranet client and the Content Type field of the SSL record layer is 22; if not, exit; if yes, the current packet is an SSL handshake data packet initiated by the intranet PC, so enter step four.
Step four: take the server name field out of the handshake data packet and judge whether the server name is github. If not, exit; if yes, the current SSL session is directed to the github website, so enter step five.
Step five: mark the SSL session as a communication session with the github server, and enter step six.
Step six: judge whether the Content Type field of the SSL record layer of the SSL session is 23; if not, exit; if yes, the higher-layer protocol of the current SSL record layer is application-layer data, so enter step seven.
Step seven: judge whether the Length field of the SSL record layer of the SSL session, converted to host byte order, is greater than 2KB; if yes, mark the current SSL session as a github upload.
Step eight: once the current SSL session is identified as a github upload behavior, the security gateway device may pass or deny the github upload according to the security policy of the enterprise.
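The following Python is an added example, not code from the patent or from Sangfor, that implements S201 to S207 and the github walkthrough (steps one to eight) over the record layer described above. It reads the 5-byte record header (Content Type, Version, and Length in network byte order, converted with `struct`'s `!` format to host byte order), takes the server name from the Client Hello carried in a Content Type 22 record (the server name lives in the server_name extension of the Client Hello), and compares the Length of each Content Type 23 record sent by the client against a per-site threshold. The `SITE_THRESHOLDS` table, the function names, the Client Hello and application-data records built inline, and the running uplink byte counter are constructions of this example; the 2KB github figure is the page's.

```python
import struct

# SSL/TLS record-layer Content Type values cited on the page
CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA = 20, 21, 22, 23
RECORD_HEADER_LEN = 5  # Content Type (1) + Version (2) + Length (2)

# Hypothetical per-site upload thresholds in bytes; 2KB for github is the page's figure
SITE_THRESHOLDS = {"github.com": 2 * 1024}


def parse_record_header(record):
    """Return (content_type, version, length) from a record's 5-byte header.
    The Length field is in network byte order; struct's '!' converts it to
    host byte order, which is the conversion step S204 describes."""
    if len(record) < RECORD_HEADER_LEN:
        raise ValueError("short SSL record header")
    content_type, version, length = struct.unpack("!BHH", record[:RECORD_HEADER_LEN])
    if len(record) < RECORD_HEADER_LEN + length:
        raise ValueError("truncated SSL record")
    return content_type, version, length


def extract_sni(handshake_body):
    """Return the server_name from a ClientHello handshake message, or None.
    Layout: msg_type(1) length(3) version(2) random(32) session_id(1+n)
    cipher_suites(2+n) compression(1+n) extensions(2+n)."""
    try:
        if handshake_body[0] != 1:                                   # 1 = ClientHello
            return None
        p = 4 + 2 + 32
        p += 1 + handshake_body[p]                                   # session_id
        p += 2 + struct.unpack("!H", handshake_body[p:p + 2])[0]     # cipher_suites
        p += 1 + handshake_body[p]                                   # compression
        end = p + 2 + struct.unpack("!H", handshake_body[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", handshake_body[p:p + 4])
            p += 4
            if ext_type == 0 and handshake_body[p + 2] == 0:         # server_name, host_name
                name_len = struct.unpack("!H", handshake_body[p + 3:p + 5])[0]
                return handshake_body[p + 5:p + 5 + name_len].decode("ascii")
            p += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None


class SessionState:
    """Marks the gateway keeps per SSL session across records."""
    def __init__(self):
        self.site = None            # step five: tied to a known target site
        self.upload = False         # step seven: marked as an upload
        self.uplink_app_bytes = 0   # added here: running total, not part of the page's steps


def process_uplink_record(state, record):
    """Apply steps one to seven to one client->server record; return "pass" or "deny"."""
    if state.upload:                                     # step one: already an upload
        return "deny"
    ctype, _version, length = parse_record_header(record)
    body = record[RECORD_HEADER_LEN:RECORD_HEADER_LEN + length]
    if state.site is None:                               # step two: not yet tied to a site
        if ctype == HANDSHAKE:                           # steps three and four
            sni = extract_sni(body)
            if sni in SITE_THRESHOLDS:
                state.site = sni                         # step five
        return "pass"
    if ctype != APPLICATION_DATA:                        # step six
        return "pass"
    state.uplink_app_bytes += length
    if length > SITE_THRESHOLDS[state.site]:             # step seven
        state.upload = True
        return "deny"                                    # step eight, with a deny policy
    return "pass"


def classify_session(records):
    """Run the walkthrough over the ordered uplink records of one session."""
    state = SessionState()
    decisions = [process_uplink_record(state, r) for r in records]
    return state.site, state.upload, decisions


def build_client_hello(server_name):
    """Constructed minimal ClientHello record carrying a server_name extension."""
    host = server_name.encode("ascii")
    sni = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00"        # version, random, session_id
            + struct.pack("!H", 2) + b"\xc0\x2f" + b"\x01\x00"      # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    msg = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(msg)) + msg


def build_app_record(payload_len):
    """Constructed application_data record; the payload is opaque filler, not real ciphertext."""
    return struct.pack("!BHH", APPLICATION_DATA, 0x0303, payload_len) + bytes(payload_len)


if __name__ == "__main__":
    session = [build_client_hello("github.com"), build_app_record(512), build_app_record(3000)]
    print(classify_session(session))   # ('github.com', True, ['pass', 'pass', 'deny'])
```

Only records travelling from the intranet client to the server are fed in, which is what step three's "initiated by the intranet client" amounts to. As on the page, the verdict is taken per record from that record's Length; the `uplink_app_bytes` counter is kept alongside so that a policy can also look at the session total.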
In the following, an internet access behavior control system provided by an embodiment of the present application is introduced; the system described below and the method described above may be referred to each other.
Referring to FIG. 4, a block diagram of an internet access behavior control system according to an exemplary embodiment is shown; as shown in FIG. 4, the system includes:
a determining module 401, configured to determine, when receiving an SSL session initiated by an intranet client, a target website visited by the SSL session;
an obtaining module 402, configured to obtain a data length corresponding to an application data packet in the SSL session;
and the comparison module 403 is configured to compare the data length with a threshold corresponding to the target website to obtain an internet access behavior determination result.
In this embodiment, a threshold is set for each target website according to these characteristics, the internet access behavior judgment result is obtained by comparing the threshold with the data length of the application data packet in the SSL session, and browsing behavior and uploading behavior are distinguished without using an SSL man-in-the-middle.
On the basis of the above embodiment, as a preferable mode, the comparison module 403 includes:
the first judging unit is used for judging that the SSL session is an uploading behavior when the data length is larger than a threshold corresponding to the target website;
and the second judging unit is used for judging the SSL session to be a browsing behavior when the data length is less than or equal to the threshold corresponding to the target website.
On the basis of the foregoing embodiment, as a preferable mode, the determining module 401 includes:
a handshake data packet obtaining unit, configured to obtain the handshake data packet of an SSL (Secure Sockets Layer) session when the SSL session initiated by an intranet client is received;
and a target website determining unit, configured to determine the target website accessed by the SSL session according to the server name field in the handshake data packet.
On the basis of the foregoing embodiment, as a preferable mode, the handshake data packet obtaining unit is specifically a unit that, when an SSL session initiated by an intranet client is received, determines a first SSL record protocol layer whose Content Type field is 22 in the SSL session and uses the first data packet corresponding to that SSL record protocol layer as the handshake data packet.
On the basis of the foregoing embodiment, as a preferable mode, the obtaining module 402 includes:
an application data packet determining unit, configured to determine a second SSL record protocol layer whose Content Type field is 23 in the SSL session, and use the second data packet corresponding to that SSL record protocol layer as the application data packet;
a data length obtaining unit, configured to determine the data length corresponding to the application data packet according to the value of the Length field in the second SSL record protocol layer;
and a threshold determining unit, configured to determine the threshold corresponding to the target website.
On the basis of the foregoing embodiment, as a preferable mode, if the Length field value is in network byte order, the data length obtaining unit is specifically a unit that converts the Length field value in the second SSL record protocol layer into a target value in host byte order and takes the target value as the data length corresponding to the application packet.
In addition to the above embodiment, as a preferable mode, the system further includes:
the first control module is used for refusing the uploading behavior when the SSL session is judged to be the uploading behavior;
and the second control module is used for allowing the browsing behavior when the SSL session is judged to be the browsing behavior.
With regard to the system in the above embodiment, the specific manner in which each module performs the operation has been described in detail in the embodiment related to the method, and will not be elaborated here.
The present application further provides an electronic device, and referring to fig. 5, a structure diagram of an electronic device 500 provided in an embodiment of the present application may include a processor 11 and a memory 12, as shown in fig. 5. The electronic device 500 may also include one or more of a multimedia component 13, an input/output (I/O) interface 14, and a communication component 15.
The processor 11 is configured to control the overall operation of the electronic device 500, so as to complete all or part of the steps in the above-mentioned internet behavior control method. The memory 12 is used to store various types of data to support operation at the electronic device 500, such as instructions for any application or method operating on the electronic device 500 and application-related data, such as contact data, messaging, pictures, audio, video, and the like. The Memory 12 may be implemented by any type of volatile or non-volatile Memory device or combination thereof, such as Static Random Access Memory (SRAM), electrically Erasable Programmable Read-Only Memory (EEPROM), erasable Programmable Read-Only Memory (EPROM), programmable Read-Only Memory (PROM), read-Only Memory (ROM), magnetic Memory, flash Memory, magnetic disk or optical disk. The multimedia component 13 may include a screen and an audio component. Wherein the screen may be, for example, a touch screen and the audio component is used for outputting and/or inputting audio signals. For example, the audio component may include a microphone for receiving external audio signals. The received audio signal may further be stored in the memory 12 or transmitted via the communication component 15. The audio assembly also includes at least one speaker for outputting audio signals. The I/O interface 14 provides an interface between the processor 11 and other interface modules, such as a keyboard, mouse, buttons, etc. These buttons may be virtual buttons or physical buttons. The communication component 15 is used for wired or wireless communication between the electronic device 500 and other devices. Wireless Communication, such as Wi-Fi, bluetooth, near Field Communication (NFC for short), 2G, 3G or 4G, or a combination of one or more of them, so that the corresponding Communication component 15 may comprise: wi-Fi module, bluetooth module, NFC module.
In an exemplary embodiment, the electronic device 500 may be implemented by one or more application specific integrated circuits (ASICs), digital signal processors (DSPs), digital signal processing devices (DSPDs), programmable logic devices (PLDs), field programmable gate arrays (FPGAs), controllers, microcontrollers, microprocessors or other electronic components for executing the above-mentioned internet behavior control method.
In another exemplary embodiment, a computer readable storage medium including program instructions is further provided, and the program instructions, when executed by a processor, implement the steps of the above-mentioned internet behavior control method. For example, the computer readable storage medium may be the memory 12 including the program instructions, which are executable by the processor 11 of the electronic device 500 to implement the internet behavior control method described above.
The embodiments are described in a progressive manner in the specification, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. For the system disclosed by the embodiment, the description is relatively simple because the system corresponds to the method disclosed by the embodiment, and the relevant points can be referred to the method part for description. It should be noted that, for those skilled in the art, it is possible to make several improvements and modifications to the present application without departing from the principle of the present application, and such improvements and modifications also fall within the scope of the claims of the present application.
It is further noted that, in the present specification, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional like elements in a process, method, article, or apparatus that comprises the element.

Claims (10)

1. An internet behavior control method, characterized by comprising the following steps:
when an SSL session initiated by an intranet client is received, determining a target website accessed by the SSL session;
acquiring the data length corresponding to the application data packet in the SSL session;
comparing the data length with a threshold corresponding to the target website to obtain an internet behavior determination result;
wherein the comparing the data length with the threshold corresponding to the target website to obtain the internet behavior determination result comprises:
when the data length is larger than the threshold corresponding to the target website, determining that the SSL session is an upload behavior.
2. The internet behavior control method according to claim 1, wherein the comparing the data length with the threshold corresponding to the target website to obtain the internet behavior determination result further comprises:
when the data length is smaller than or equal to the threshold corresponding to the target website, determining that the SSL session is a browsing behavior.
3. The internet behavior control method according to claim 1, wherein the determining the target website accessed by the SSL session comprises:
acquiring a handshake data packet of the SSL session, and determining the target website accessed by the SSL session according to the server name field in the handshake data packet.
4. The internet behavior control method according to claim 3, wherein the acquiring the handshake data packet of the SSL session comprises:
determining a first SSL record protocol layer whose Content Type field is 22 in the SSL session, and taking the first data packet corresponding to the first SSL record protocol layer as the handshake data packet.
5. The internet behavior control method according to any one of claims 1 to 4, wherein the acquiring the data length corresponding to the application data packet in the SSL session comprises:
determining a second SSL record protocol layer whose Content Type field is 23 in the SSL session, and taking the second data packet corresponding to the second SSL record protocol layer as the application data packet;
determining the data length corresponding to the application data packet according to the Length field value in the second SSL record protocol layer.
6. The internet behavior control method according to claim 5, wherein, if the Length field value is in network byte order, the determining the data length corresponding to the application data packet according to the Length field value in the second SSL record protocol layer comprises:
converting the Length field value in the second SSL record protocol layer into a target value in host byte order, and determining the target value as the data length corresponding to the application data packet.
7. The internet behavior control method according to claim 2, further comprising:
when the SSL session is determined to be an upload behavior, rejecting the upload behavior;
when the SSL session is determined to be a browsing behavior, allowing the browsing behavior.
8. An internet behavior control system, characterized by comprising:
a determining module, configured to determine a target website accessed by an SSL session when the SSL session initiated by an intranet client is received;
an acquisition module, configured to acquire the data length corresponding to the application data packet in the SSL session;
a comparison module, configured to compare the data length with a threshold corresponding to the target website to obtain an internet behavior determination result;
wherein the comparison module comprises:
a first determining unit, configured to determine that the SSL session is an upload behavior when the data length is larger than the threshold corresponding to the target website.
9. An electronic device, comprising:
a memory for storing a computer program;
a processor, configured to implement the steps of the internet behavior control method according to any one of claims 1 to 7 when executing the computer program.
10. A computer-readable storage medium having a computer program stored thereon, wherein the computer program, when executed by a processor, implements the steps of the internet behavior control method according to any one of claims 1 to 7.
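The record-layer parsing and threshold comparison that claims 1 to 7 describe, as an added Python example that is not part of the patent or of any Sangfor product: it reads the 5-byte SSL/TLS record header (Content Type, version, Length in network byte order), pulls the server name from a Content Type 22 ClientHello, takes the Length of the first Content Type 23 application-data record and compares it with a per-site threshold. The threshold values, the hostnames and the hand-built ClientHello are constructed here for illustration only.

```python
import struct
THRESHOLDS = {"example.com": 2048}   # constructed per-site thresholds in bytes, not patent values

def parse_records(stream):
    """Split an SSL/TLS byte stream into (content_type, declared_length, payload) tuples."""
    records, off = [], 0
    while off + 5 <= len(stream):    # record header: ContentType(1) Version(2) Length(2)
        ctype, _ver, length = struct.unpack("!BHH", stream[off:off + 5])  # "!" = network byte order
        records.append((ctype, length, stream[off + 5:off + 5 + length]))
        off += 5 + length
    return records

def sni_from_client_hello(hs):
    """Walk a ClientHello (handshake type 1) to the server_name extension (type 0)."""
    if not hs or hs[0] != 1:
        return None
    p = 4 + 2 + 32                                   # handshake header, version, random
    p += 1 + hs[p]                                   # session_id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]     # cipher_suites
    p += 1 + hs[p]                                   # compression_methods
    end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        p += 4
        if etype == 0:            # list_len(2) name_type(1) name_len(2) host_name
            name_len = struct.unpack("!H", hs[p + 3:p + 5])[0]
            return hs[p + 5:p + 5 + name_len].decode("ascii")
        p += elen
    return None

def classify_session(stream):
    """Return (site, application-data length, verdict) using the claimed comparison."""
    records = parse_records(stream)
    site = next((sni_from_client_hello(p) for t, _, p in records if t == 22), None)
    app_len = next((n for t, n, _ in records if t == 23), 0)   # first ContentType-23 record
    verdict = "upload" if app_len > THRESHOLDS.get(site, 4096) else "browse"  # 4096: default
    return site, app_len, verdict

def build_client_hello(host):
    """Constructed minimal ClientHello record carrying only a server_name extension."""
    name = host.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(ext)) + ext)     # version, random, session_id, suites, compression, exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs
def app_record(n):    # constructed application-data record (ContentType 23) with n payload bytes
    return b"\x17\x03\x03" + struct.pack("!H", n) + bytes(n)
```

A session whose first application-data record is longer than the site's threshold is classed as an upload, one at or below it as browsing; a site without a configured threshold falls back to the default.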
CN201910355945.8A 2019-04-29 2019-04-29 Internet access behavior control method and system, electronic equipment and storage medium Active CN111865877B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910355945.8A CN111865877B (en) 2019-04-29 2019-04-29 Internet access behavior control method and system, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN111865877A CN111865877A (en) 2020-10-30
CN111865877B true CN111865877B (en) 2023-03-24

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant