CN112491909B - DOH protocol-based traffic identification method, device, equipment and storage medium - Google Patents


Info

Publication number
CN112491909B
Authority
CN
China
Prior art keywords
doh
user
request
data
client
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202011385899.5A
Other languages
Chinese (zh)
Other versions
CN112491909A (en)
Inventor
叶圣安
高祎玮
赵盛先
邹勇
钟建军
贺基贵
张岳震
李冰冰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
360 Digital Security Technology Group Co Ltd
Original Assignee
360 Digital Security Technology Group Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 360 Digital Security Technology Group Co Ltd
Priority to CN202011385899.5A
Publication of CN112491909A
Application granted
Publication of CN112491909B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a traffic identification method, a device, equipment and a storage medium based on DOH protocol, which relate to the technical field of networks, and the method comprises the following steps: when a DOH request sent by a client is received, acquiring a port number corresponding to the DOH request; determining an analysis rule corresponding to the DOH request according to the port number; analyzing the DOH request based on the analysis rule to obtain an analysis result, and determining a user ID corresponding to the client according to the analysis result; and acquiring the flow data generated by the client and identifying the flow data according to the user ID. According to the method and the device, the user ID is added in the DOH request in advance, and when the DOH request sent by the client is received, the client is identified by extracting the user ID from the DOH request, so that the traffic data generated by the client is identified.

Description

DOH protocol-based traffic identification method, device, equipment and storage medium
Technical Field
The present invention relates to the field of network technologies, and in particular, to a method, an apparatus, a device, and a storage medium for traffic identification based on a DOH protocol.
Background
DNS (Domain Name System) is the first node a user equipment touches when it goes online, and it uses TCP and UDP port 53, meaning that DNS data is transmitted in plain text, which presents a security risk. Generally, to protect the security and privacy of the user equipment, the DOH protocol may be used to encrypt DNS while the user equipment is online, so as to improve security. However, the encrypted DNS data makes it difficult to parse the client's DNS data. In the prior art, it is therefore difficult to identify the traffic data of a user equipment in a network that is based on the DOH protocol.
The foregoing is provided merely for the purpose of facilitating understanding of the technical solutions of the present invention and is not intended to represent an admission that the foregoing is prior art.
Disclosure of Invention
The invention mainly aims to provide a DOH protocol-based traffic identification method, device, equipment and storage medium, and aims to solve the technical problem that, in the prior art, the traffic data of a user equipment cannot be accurately identified.
In order to achieve the above object, the present invention provides a traffic identification method based on a DOH protocol, the traffic identification method based on the DOH protocol comprising the steps of:
when a DOH request sent by a client is received, acquiring a port number corresponding to the DOH request;
determining an analysis rule corresponding to the DOH request according to the port number;
analyzing the DOH request based on the analysis rule to obtain an analysis result, and determining a user ID corresponding to the client according to the analysis result;
and acquiring the flow data generated by the client and identifying the flow data according to the user ID.
Optionally, parsing the DOH request based on the parsing rule to obtain a parsing result, and determining the user ID corresponding to the client according to the parsing result, includes:
determining a target data type based on the parsing rule;
and extracting target data corresponding to the target data type from the DOH request, and determining the user ID corresponding to the client according to the target data.
Optionally, the target data type includes request header data, extracting target data corresponding to the target data type from the DOH request, and determining a user ID corresponding to the client according to the target data, including:
extracting request header data from the DOH request;
and extracting a target character string from the request header data according to the preset field name, and taking the target character string as a user ID corresponding to the client.
Optionally, the target data type includes URL data, extracting target data corresponding to the target data type from the DOH request, and determining a user ID corresponding to the client according to the target data, including:
extracting URL data from the DOH request;
and extracting a target character string from the URL data according to the preset domain name segment, and taking the target character string as a user ID corresponding to the client.
Optionally, the target data type includes certificate data, extracting target data corresponding to the target data type from the DOH request, and determining a user ID corresponding to the client according to the target data, including:
extracting certificate data from the DOH request;
and searching the corresponding user number from a preset authentication table according to the certificate data, and taking the user number as the user ID corresponding to the client.
Optionally, after obtaining the traffic data generated by the client and identifying the traffic data according to the user ID, the method further includes:
searching a corresponding target management strategy from a preset management strategy table according to the user ID;
judging whether the flow data is illegal or not based on a target management strategy;
if the flow data is illegal, the flow data is blocked.
Optionally, determining whether the traffic data is illegal based on the target management policy includes:
determining the characteristics of the illegal traffic based on the target management policy;
performing feature analysis on the flow data to obtain actual flow features corresponding to the flow data;
and comparing the illegal flow characteristics with the actual flow characteristics to judge whether the flow data is illegal or not.
Optionally, after determining whether the traffic data is illegal based on the target management policy, the method further includes:
generating a flow analysis report according to the actual flow characteristics;
and searching a corresponding user record table according to the user ID, and writing the flow analysis report into the user record table.
Optionally, if the traffic data is illegal, after blocking the traffic data the method further includes:
determining a target illegal traffic characteristic among the actual traffic characteristics;
deleting the target data corresponding to the target illegal traffic characteristic from the traffic data to obtain corrected traffic data;
and transmitting the corrected traffic data to the corresponding target terminal.
Optionally, after transmitting the corrected traffic data to the corresponding target terminal, the method further includes:
generating a threat report according to the target illegal traffic characteristic;
and searching a corresponding user record table according to the user ID, and writing the threat report into the user record table.
Optionally, before the port number corresponding to the DOH request is obtained when the DOH request sent by the client is received, the method further includes:
when receiving a registration request sent by a client, generating a user ID according to the registration request;
and sending the user ID to the client so that the client initiates the DOH request according to the user ID.
Optionally, when receiving a registration request sent by the client, after generating the user ID according to the registration request, the method further includes:
based on a preset domain name, generating a wildcard domain name under the preset domain name according to the user ID;
and sending the wildcard domain name to the client so that the client initiates the DOH request according to the wildcard domain name.
In addition, in order to achieve the above objective, the present invention further provides a traffic identification device based on the DOH protocol, which includes:
the receiving module is used for acquiring a port number corresponding to the DOH request when the DOH request sent by the client is received;
the analysis module is used for determining an analysis rule corresponding to the DOH request according to the port number;
the ID confirmation module is used for analyzing the DOH request based on the analysis rule, obtaining an analysis result, and determining a user ID corresponding to the client according to the analysis result;
and the identification module is used for acquiring the flow data generated by the client and identifying the flow data according to the user ID.
Optionally, the parsing module is further configured to determine a target data type based on the parsing rule;
the analysis module is also used for extracting target data corresponding to the target data type from the DOH request and determining a user ID corresponding to the client according to the target data.
Optionally, the traffic identification device based on the DOH protocol further includes a management module;
the management module is used for searching a corresponding target management strategy from a preset management strategy table according to the user ID;
the management module is also used for judging whether the flow data is illegal or not based on the target management strategy;
and the management module is also used for blocking the flow data if the flow data is illegal.
Optionally, the management module is further configured to determine a traffic violation characteristic based on the target management policy;
the management module is also used for carrying out characteristic analysis on the flow data to obtain actual flow characteristics corresponding to the flow data;
and the management module is also used for comparing the violation flow characteristics with the actual flow characteristics so as to judge whether the flow data is violating.
Optionally, the traffic identification device based on the DOH protocol further includes a registration module;
the registration module is used for generating a user ID according to the registration request when receiving the registration request sent by the client;
and the registration module is also used for sending the user ID to the client so that the client initiates a DOH request according to the user ID.
Optionally, the registration module is further configured to generate, based on a preset domain name, a wildcard domain name under the preset domain name according to the user ID;
and the registration module is also used for sending the wildcard domain name to the client so that the client initiates the DOH request according to the wildcard domain name.
In addition, in order to achieve the above objective, the present invention further provides a traffic identification device based on the DOH protocol, where the device comprises a memory, a processor and a DOH protocol-based traffic identification program stored on the memory and executable on the processor, and the DOH protocol-based traffic identification program, when executed by the processor, implements the steps of the DOH protocol-based traffic identification method as described above.
In addition, in order to achieve the above object, the present invention further provides a storage medium, on which a traffic identification program based on the DOH protocol is stored, which implements the steps of the traffic identification method based on the DOH protocol as described above when executed by a processor.
In the invention, when receiving a DOH request sent by a client, a port number corresponding to the DOH request is obtained; determining an analysis rule corresponding to the DOH request according to the port number; analyzing the DOH request based on the analysis rule to obtain an analysis result, and determining a user ID corresponding to the client according to the analysis result; and acquiring the flow data generated by the client and identifying the flow data according to the user ID. According to the method and the device, the user ID is added in the DOH request in advance, and when the DOH request sent by the client is received, the client is identified by extracting the user ID from the DOH request, so that the traffic data generated by the client is identified.
Drawings
FIG. 1 is a schematic structural diagram of a DOH protocol-based traffic identification device of a hardware operating environment according to an embodiment of the present invention;
FIG. 2 is a schematic flow chart of a first embodiment of the DOH protocol-based traffic identification method according to the present invention;
FIG. 3 is a flow chart of a second embodiment of the DOH protocol-based traffic identification method of the present invention;
FIG. 4 is a flow chart of a third embodiment of the DOH protocol-based traffic identification method according to the present invention;
FIG. 5 is a block diagram of a first embodiment of the DOH protocol-based traffic identification device according to the present invention.
The achievement of the objects, functional features and advantages of the present invention will be further described with reference to the accompanying drawings, in conjunction with the embodiments.
Detailed Description
It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
Referring to fig. 1, fig. 1 is a schematic structural diagram of a traffic identification device based on DOH protocol in a hardware running environment according to an embodiment of the present invention.
As shown in fig. 1, the DOH protocol-based traffic identification device may include: a processor 1001, such as a central processing unit (CPU), a communication bus 1002, a user interface 1003, a network interface 1004, and a memory 1005. The communication bus 1002 is used to enable communication between these components. The user interface 1003 may include a display, and the optional user interface 1003 may also include a standard wired interface and a wireless interface; in the present invention the wired interface of the user interface 1003 may be a USB interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (e.g., a Wireless Fidelity (Wi-Fi) interface). The memory 1005 may be a high-speed random access memory (RAM) or a non-volatile memory (NVM), such as a disk memory. The memory 1005 may also optionally be a storage device separate from the processor 1001 described above.
Those skilled in the art will appreciate that the structure shown in fig. 1 does not constitute a limitation of the DOH protocol-based traffic identification device, which may include more or fewer components than shown, may combine certain components, or may arrange the components differently.
As shown in fig. 1, an operating system, a network communication module, a user interface module, and a DOH protocol-based traffic identification program may be included in a memory 1005, which is considered to be a computer storage medium.
In the traffic identification device based on the DOH protocol shown in fig. 1, the network interface 1004 is mainly used for connecting to a background server and performing data communication with the background server; the user interface 1003 is mainly used for connecting user equipment; the DOH protocol-based traffic identification device invokes the DOH protocol-based traffic identification program stored in the memory 1005 through the processor 1001, and executes the DOH protocol-based traffic identification method provided by the embodiment of the present invention.
Based on the hardware structure, the embodiment of the traffic identification method based on DOH protocol is provided.
Referring to fig. 2, fig. 2 is a schematic flow chart of a first embodiment of a traffic identification method based on the DOH protocol according to the present invention, and the first embodiment of the traffic identification method based on the DOH protocol according to the present invention is provided.
In a first embodiment, a traffic identification method based on the DOH protocol includes the steps of:
step S10: and when the DOH request sent by the client is received, acquiring a port number corresponding to the DOH request.
It should be understood that the implementation subject of this embodiment is a traffic identification device based on the DOH protocol, which has functions of image processing, data communication, program running, etc., and may be a computer device such as a server, etc., or may be another device having a similar function, which is not limited in this embodiment.
It should be noted that the client may be a mobile phone, a tablet, a PC, or another device. When a client goes online, DNS resolution is needed first. In general, for the security of DNS resolution, the client initiates a DOH request in an encrypted manner, encapsulating the DNS message in an HTTP request, so as to improve security. The client achieves this by installing proxy software or by directly configuring an encrypted DNS service.
It can be understood that, in order to distinguish the initiation modes of the client, this embodiment sets different access interfaces for different initiation modes. When the DOH request sent by the client is received, the receiving device can directly look up the port number corresponding to the DOH request. For example, a DOH request initiated by proxy software may be assigned UDP port 53, and a DOH request initiated by a client-configured encrypted DNS service may be assigned port 443. Of course, the port assignment may be set according to requirements, which is not limited in this embodiment.
In this embodiment, when the client initiates the DOH request, the user ID is embedded in the DOH request, so that the server can parse the user ID out of the DOH request and thereby identify the traffic data of the client.
When receiving a registration request sent by a client, the method generates a user ID according to the registration request; and sending the user ID to the client so that the client initiates the DOH request according to the user ID.
It should be noted that the user may open the registration page through the client and apply for a user ID by clicking the registration control on the registration page. The user ID may be composed of digits or letters, and user IDs may be generated sequentially. For example, if the last user ID issued was a1000003, the currently generated user ID may be a1000004.
In order to let the user initiate the DOH request in more ways, in this embodiment, after the user ID is generated according to the registration request when the registration request sent by the client is received, the method further includes: based on a preset domain name, generating a wildcard domain name under the preset domain name according to the user ID; and sending the wildcard domain name to the client so that the client initiates the DOH request according to the wildcard domain name.
It can be appreciated that, by registering a domain, a host name can be generated from the user ID under that domain, and the user can then configure the client to perform domain name resolution by accessing https://id.org.domain/dns-query?dns=xxxx.
Step S20: and determining an analysis rule corresponding to the DOH request according to the port number.
It should be noted that, when the client initiates the DOH request in different ways, the user ID is embedded in different places. For example, if the client initiates the DOH request through proxy software, the user ID may be embedded in the request header data; if the client initiates the DOH request through a directly configured encrypted DNS service, the user ID is embedded in the URL data.
It can be understood that, in order to distinguish the initiation modes of the client, this embodiment sets different access interfaces for different initiation modes. Therefore, the embodiment determines the corresponding parsing rule according to the port number, so that the user ID can be extracted accurately. For example, if the port is UDP port 53, the parsing rule is to parse the request header; if the port is 443, the parsing rule is to parse the URL.
Step S30: and analyzing the DOH request based on the analysis rule to obtain an analysis result, and determining the user ID corresponding to the client according to the analysis result.
It will be appreciated that after determining the parsing rules, the user ID may be obtained by parsing the data in the DOH request. The parsing may be extracting part of the data, such as request header data or URL data. The parsing result may be the extracted data or character string. The user ID may directly use the extracted character string, or further search the corresponding number according to the extracted data.
Step S40: and acquiring the flow data generated by the client and identifying the flow data according to the user ID.
It may be understood that the traffic data refers to data generated by the client's online activity, and may include the websites accessed, files received or transmitted, and the like. After DNS resolution is completed, the client can exchange data with the server it wants to access, generating the corresponding traffic data.
It should be noted that, the server may detect traffic data of multiple clients at the same time. Therefore, it is necessary to distinguish between different traffic data and determine traffic data generated by each client, so as to facilitate subsequent processing.
In the first embodiment, when a DOH request sent by a client is received, a port number corresponding to the DOH request is obtained; determining an analysis rule corresponding to the DOH request according to the port number; analyzing the DOH request based on the analysis rule to obtain an analysis result, and determining a user ID corresponding to the client according to the analysis result; and acquiring the flow data generated by the client and identifying the flow data according to the user ID. In the embodiment, the user ID is added in the DOH request in advance, and when the DOH request sent by the client is received, the client is identified by extracting the user ID from the DOH request, so that the traffic data generated by the client is identified.
Referring to fig. 3, fig. 3 is a schematic flow chart of a second embodiment of a traffic identification method based on the DOH protocol according to the present invention, and based on the first embodiment, the second embodiment of the traffic identification method based on the DOH protocol according to the present invention is proposed.
In the second embodiment, step S30 includes:
step S301: the target data type is determined based on the parsing rules.
It will be appreciated that after determining the parsing rules, the user ID may be obtained by extracting part of the data in the DOH request. Referring to the content of the first embodiment, the extracted data type is different according to the parsing rule. The target data type may be request header data, URL data, or certificate data, among others.
Step S302: and extracting target data corresponding to the target data type from the DOH request, and determining the user ID corresponding to the client according to the target data.
It should be noted that the target data may be a character string, etc., and the user ID may directly use the extracted character string, or further search the corresponding number according to the extracted data.
In a specific implementation, if the target data type is request header data, step S302 may specifically be: extracting request header data from the DOH request; and extracting a target character string from the request header data according to the preset field name, and taking the target character string as a user ID corresponding to the client.
It should be noted that, if the client initiates a DOH request through proxy software, the user ID exists in the request header. When the user ID is extracted, the user ID can be accurately extracted by locating through a preset field name.
If the target data type is URL data, step S302 may specifically be: extracting URL data from the DOH request; and extracting a target character string from the URL data according to the preset domain name segment, and taking the target character string as a user ID corresponding to the client.
It should be noted that, if the client initiates the DOH request through the configured domain name, the user ID may be extracted from the URL data. For example, if the domain name the client is configured to access is a123.org.pan, the extracted user ID is a123.
If the target data type is certificate data, step S302 may specifically be: extracting certificate data from the DOH request; and searching the corresponding user number from a preset authentication table according to the certificate data, and taking the user number as the user ID corresponding to the client.
It should be noted that identity authentication and verification can also be completed between the client and the server through mutual certificate authentication. After identity verification is completed, the server generates a corresponding user ID for the client and stores the certificate together with the user ID in a preset authentication table. When the client initiates the DOH request, the corresponding certificate is attached. When the server parses the DOH request, the certificate can be extracted and the corresponding user ID looked up in the preset authentication table.
In the second embodiment, a target data type is determined based on the parsing rule, target data corresponding to the target data type is extracted from the DOH request, and the user ID corresponding to the client is determined according to the target data. According to this embodiment, the position of the data to be extracted in the DOH request can be determined according to the different ways the client initiates the DOH request, so that the user ID is accurately extracted and the traffic data generated by the client can be accurately identified.
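The following is an added example, not code from the patent or its applicant, that works through steps S10 to S40 of the first embodiment together with the three extraction variants of the second embodiment and the sequential ID / wildcard-domain registration step. The rule table for ports 53 and 443 follows the description; the port 8443 listener for the certificate rule, the header field name `x-user-id`, the preset domain `org.domain`, and the registration and authentication tables are constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional
from urllib.parse import urlsplit

# Parsing rule selected by the port the DOH request arrived on. Port 53 -> request
# header and port 443 -> URL follow the description; the mutual-TLS listener on
# port 8443 for the certificate rule is an assumed value.
PARSING_RULES: Dict[int, str] = {53: "header", 443: "url", 8443: "certificate"}

HEADER_FIELD = "x-user-id"   # assumed preset field name, matched case-insensitively
BASE_DOMAIN = "org.domain"   # assumed preset domain the wildcard domain is generated under

# Constructed preset authentication table: client certificate fingerprint -> user number.
AUTH_TABLE: Dict[str, str] = {"sha256:constructed-fp-1": "a1000005"}
# Constructed registration table of the IDs this server has actually issued.
REGISTERED = {"a123", "a1000004", "a1000005"}


@dataclass
class DohRequest:
    port: int                                 # server port that received the request
    url: str                                  # full request URL
    headers: Dict[str, str] = field(default_factory=dict)
    cert_fingerprint: Optional[str] = None    # from the client certificate, if presented


def generate_user_id(last_id: str) -> str:
    """Registration step: issue the next ID in sequence (a1000003 -> a1000004)."""
    m = re.fullmatch(r"([A-Za-z]+)(\d+)", last_id)
    if not m:
        raise ValueError(f"malformed user ID: {last_id!r}")
    prefix, digits = m.groups()
    return f"{prefix}{int(digits) + 1:0{len(digits)}d}"


def wildcard_domain(user_id: str) -> str:
    """Registration step: the per-user host name the client will send DOH requests to."""
    return f"{user_id}.{BASE_DOMAIN}"


def select_rule(port: int) -> str:
    """Step S20: map the receiving port to a parsing rule; unknown ports are rejected."""
    rule = PARSING_RULES.get(port)
    if rule is None:
        raise ValueError(f"no parsing rule configured for port {port}")
    return rule


def _from_header(req: DohRequest) -> Optional[str]:
    """Header rule: the preset field name locates the ID in the request header data."""
    for name, value in req.headers.items():
        if name.lower() == HEADER_FIELD:
            return value.strip() or None
    return None


def _from_url(req: DohRequest) -> Optional[str]:
    """URL rule: the ID is the single label in front of the preset domain segment."""
    host = (urlsplit(req.url).hostname or "").lower()
    suffix = "." + BASE_DOMAIN
    if not host.endswith(suffix):
        return None
    label = host[: -len(suffix)]
    return label if label and "." not in label else None


def _from_certificate(req: DohRequest) -> Optional[str]:
    """Certificate rule: look the presented certificate up in the authentication table."""
    if req.cert_fingerprint is None:
        return None
    return AUTH_TABLE.get(req.cert_fingerprint)


EXTRACTORS: Dict[str, Callable[[DohRequest], Optional[str]]] = {
    "header": _from_header,
    "url": _from_url,
    "certificate": _from_certificate,
}


def identify_client(req: DohRequest) -> Optional[str]:
    """Steps S10-S30: pick the rule by port, extract the ID, accept only issued IDs."""
    user_id = EXTRACTORS[select_rule(req.port)](req)
    if user_id is None or user_id not in REGISTERED:
        return None
    return user_id


def label_traffic(user_id: str, flows: list) -> list:
    """Step S40: tag each flow record generated by the client with its user ID."""
    return [dict(flow, user_id=user_id) for flow in flows]


if __name__ == "__main__":
    req = DohRequest(443, "https://a123.org.domain/dns-query?dns=AAABAAABAAAAAAAA")
    print(identify_client(req))
```

Only the certificate rule ties the ID to an authenticated identity; the header and URL values are supplied by the client, which is why the example checks them against the registration table rather than trusting the string as is.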
Referring to fig. 4, fig. 4 is a schematic flow chart of a third embodiment of a traffic identification method based on the DOH protocol according to the present invention, and based on the first embodiment and the second embodiment, the third embodiment of the traffic identification method based on the DOH protocol according to the present invention is proposed. The present embodiment is described based on the first embodiment.
In the third embodiment, after step S40, the method further includes:
step S50: and searching a corresponding target management strategy from a preset management strategy table according to the user ID.
It will be appreciated that the user can be exposed to a lot of data while conducting the surfing activity, but only a part of the data actually concerned by the user. For example, when a user browses a web page, advertisements may be included in the web page, and the advertisements may be non-interesting to the user. In addition, for some private websites, only a portion of the users are open and no random access is allowed. Thus, corresponding management policies may be specified for data generated by different users.
The management policy includes access prohibition, data restriction, traffic restriction, and the like. Wherein, the forbidden access can be specified to different forbidden access websites according to different users. The data restrictions may also specify different data types based on different users.
It can be understood that the preset management policy table stores the correspondence between the user ID and the management policy. The server can obtain the corresponding target management strategy by inquiring the preset management strategy table.
Step S60: and judging whether the flow data is illegal or not based on the target management strategy.
It will be appreciated that the server may detect traffic data based on the content of the target management policy to determine whether there is a violation. In specific implementation, step S60 may include: determining the characteristics of the illegal traffic based on the target management policy; performing feature analysis on the flow data to obtain actual flow features corresponding to the flow data; and comparing the illegal flow characteristics with the actual flow characteristics to judge whether the flow data is illegal or not.
It should be noted that, the offending traffic feature refers to a specific management item in the target management policy. Such as the name of the network station where access is prohibited, the type of data restriction, or the upper limit of the flow restriction, etc. For example, if the flow limit to the user A is 10M/s, if the transmission speed of the flow data is greater than 10M/s, then the violation is judged; if not, no rule is violated. Of course, the determination mode may be set according to the requirement, which is not limited in this embodiment.
Step S70: if the flow data is illegal, the flow data is blocked.
It can be understood that if the traffic data violates the rule, the current internet surfing behavior of the user is abnormal, and the control is needed to avoid loss. For example, if the user accesses a web site that is prohibited from accessing, it is not responsive to the current user's access behavior. Of course, the blocking can be followed by subsequent processing according to the type of violation.
When the method is specifically implemented, the target illegal flow characteristics in the actual flow characteristics can be further determined; deleting target data corresponding to the target illegal flow characteristics in the flow data to obtain corrected flow data; and transmitting the corrected flow data to a corresponding target terminal.
It can be understood that if the user has advertisement data in the returned data when accessing the website and the user is configured with a restriction policy for the advertisement data, the advertisement data portion may be deleted, so that the data after deleting the advertisement is sent to the user terminal. The target terminal refers to a receiving terminal corresponding to the original flow data.
Further, in order to monitor the internet surfing behavior of the user, the embodiment may further include generating a threat report according to the target traffic violation characteristics; and searching a corresponding user record table according to the user ID, and writing the threat report into the user record table.
It will be appreciated that the offending data may be recorded for subsequent querying in order to fully understand the user's behavioral information. For example, if the user accesses website a and the user has no authority to website a, the user is identified that the traffic data currently generated by the user is illegal, and website a is recorded. Meanwhile, in order to facilitate subsequent inquiry, the embodiment is just to independently establish a user record list for different users and is used for recording the internet surfing behavior of the users.
In addition, the non-illegal data can be recorded, and the online behavior of the user can be monitored more comprehensively. Specifically, a flow analysis report may be generated from the actual flow characteristics; and searching a corresponding user record table according to the user ID, and writing the flow analysis report into the user record table.
In a third embodiment, a corresponding target management policy is searched for from a preset management policy table according to a user ID; judging whether the flow data is illegal or not based on a target management strategy; if the flow data is illegal, the flow data is blocked. According to the method and the device, different management strategies can be formulated according to different users, flow data generated by the client side are analyzed and detected, and behavior management and control on the self-defined security strategy of the user equipment are achieved.
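The following Python sketch is an added example, not code from the patent, showing steps S50 to S70 end to end: a preset management policy table keyed by user ID holding the three policy kinds named above (access prohibition, data restriction, traffic restriction), feature analysis of a traffic record, comparison of the policy items against the actual features, deletion of restricted segments to produce corrected traffic, blocking for anything that cannot be corrected, and a threat report or traffic analysis report written to a per-user record table. The `ManagementPolicy` and `TrafficRecord` shapes, the bytes-per-second reading of the 10M/s limit, and all sample data are constructed for this example.

```python
"""Added example (not from the patent): per-user management policy lookup,
violation judgement, correction or blocking, and per-user record keeping
(steps S50-S70).  Data shapes and sample values are assumptions."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ManagementPolicy:
    forbidden_sites: set[str] = field(default_factory=set)         # access prohibition
    restricted_data_types: set[str] = field(default_factory=set)   # data restriction
    traffic_limit_bps: Optional[int] = None                        # traffic restriction (bytes/s)


# Preset management policy table: user ID -> policy (constructed sample entry).
POLICY_TABLE: dict[str, ManagementPolicy] = {
    "a123": ManagementPolicy(forbidden_sites={"private.example"},
                             restricted_data_types={"advertisement"},
                             traffic_limit_bps=10_000_000),
}
# Per-user record tables, created on first write.
USER_RECORDS: dict[str, list[dict]] = {}


@dataclass
class TrafficRecord:
    """One unit of traffic destined for the user's terminal (assumed shape)."""
    user_id: str
    host: str                             # site the traffic belongs to
    rate_bps: int                         # observed transmission speed
    segments: list[tuple[str, bytes]]     # (data type, payload) pairs


@dataclass
class TrafficFeatures:
    host: str
    rate_bps: int
    data_types: set[str]


def extract_features(rec: TrafficRecord) -> TrafficFeatures:
    """Feature analysis: derive the actual traffic features from the traffic data."""
    return TrafficFeatures(rec.host.lower(), rec.rate_bps, {t for t, _ in rec.segments})


def find_violations(policy: ManagementPolicy, feats: TrafficFeatures) -> list[str]:
    """Compare the policy's violation features with the actual features; list the hits."""
    hits: list[str] = []
    if feats.host in policy.forbidden_sites:
        hits.append(f"forbidden_site:{feats.host}")
    for t in sorted(feats.data_types & policy.restricted_data_types):
        hits.append(f"restricted_data:{t}")
    if policy.traffic_limit_bps is not None and feats.rate_bps > policy.traffic_limit_bps:
        hits.append(f"traffic_limit:{feats.rate_bps}>{policy.traffic_limit_bps}")
    return hits


def record(user_id: str, entry: dict) -> None:
    """Write a report into the user's own record table."""
    USER_RECORDS.setdefault(user_id, []).append(entry)


def enforce(rec: TrafficRecord) -> tuple[str, Optional[TrafficRecord]]:
    """Steps S50-S70.  Returns (verdict, traffic to forward); verdict is
    "pass", "corrected" or "blocked", and the traffic is None when blocked."""
    policy = POLICY_TABLE.get(rec.user_id, ManagementPolicy())   # S50: no policy -> no restriction
    feats = extract_features(rec)
    hits = find_violations(policy, feats)                          # S60
    if not hits:
        record(rec.user_id, {"kind": "traffic_analysis", "host": feats.host,
                             "rate_bps": feats.rate_bps, "data_types": sorted(feats.data_types)})
        return "pass", rec
    record(rec.user_id, {"kind": "threat_report", "host": feats.host, "violations": hits})
    # S70: a data restriction can be corrected by deleting the offending segments;
    # a forbidden site or an exceeded traffic limit blocks the traffic outright.
    if all(h.startswith("restricted_data:") for h in hits):
        kept = [(t, p) for t, p in rec.segments if t not in policy.restricted_data_types]
        return "corrected", TrafficRecord(rec.user_id, rec.host, rec.rate_bps, kept)
    return "blocked", None


if __name__ == "__main__":
    page = TrafficRecord("a123", "news.example", 2_000_000,
                         [("html", b"<html>..."), ("advertisement", b"<ad>...")])
    verdict, out = enforce(page)
    print(verdict, [t for t, _ in out.segments])   # corrected ['html']
    print(enforce(TrafficRecord("a123", "private.example", 1_000, [("html", b"x")]))[0])  # blocked
    print(USER_RECORDS["a123"])
```

Every decision, including traffic that passes, lands in the user's record table, which is the comprehensive monitoring the embodiment describes; the ordering of the checks and the decision to correct only data-type violations are design choices of this example.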
In addition, an embodiment of the present invention further provides a storage medium storing a DOH protocol-based traffic identification program which, when executed by a processor, implements the steps of the DOH protocol-based traffic identification method described above.
Because the storage medium adopts all the technical solutions of all the above embodiments, it has at least all the beneficial effects brought by those technical solutions, which are not described again here.
Further, referring to fig. 5, fig. 5 is a block diagram of a first embodiment of a DOH protocol-based traffic identification device according to the present invention. An embodiment of the present invention also provides a DOH protocol-based traffic identification device.
In this embodiment, the traffic identification device based on the DOH protocol includes:
a receiving module 10, configured to acquire the port number corresponding to the DOH request when a DOH request sent by the client is received;
a parsing module 20, configured to determine the parsing rule corresponding to the DOH request according to the port number;
an ID confirmation module 30, configured to parse the DOH request based on the parsing rule to obtain a parsing result, and to determine the user ID corresponding to the client according to the parsing result;
an identification module 40, configured to acquire the traffic data generated by the client and to identify the traffic data according to the user ID.
In this embodiment, when a DOH request sent by a client is received, the port number corresponding to the DOH request is acquired; the parsing rule corresponding to the DOH request is determined according to the port number; the DOH request is parsed based on the parsing rule to obtain a parsing result, and the user ID corresponding to the client is determined according to the parsing result; and the traffic data generated by the client is acquired and identified according to the user ID. In this embodiment, the user ID is added to the DOH request in advance, and when the DOH request sent by the client is received, the client is identified by extracting the user ID from the DOH request, so that the traffic data generated by the client is identified.
In one embodiment, the ID confirmation module 30 is further configured to determine the target data type based on the parsing rule; extract the target data corresponding to the target data type from the DOH request; and determine the user ID corresponding to the client according to the target data.
In one embodiment, the ID confirmation module 30 is further configured to extract request header data from the DOH request; extract a target string from the request header data according to a preset field name; and take the target string as the user ID corresponding to the client.
In one embodiment, the ID confirmation module 30 is further configured to extract URL data from the DOH request; extract a target string from the URL data according to a preset domain name segment; and take the target string as the user ID corresponding to the client.
In one embodiment, the ID confirmation module 30 is further configured to extract certificate data from the DOH request; search a preset authentication table for the user number corresponding to the certificate data; and take that user number as the user ID corresponding to the client.
In an embodiment, the DOH protocol-based traffic identification device further includes a management module configured to search a preset management policy table for the target management policy corresponding to the user ID; judge whether the traffic data is in violation based on the target management policy; and block the traffic data if it is in violation.
In an embodiment, the management module is further configured to determine violation traffic features based on the target management policy; perform feature analysis on the traffic data to obtain the actual traffic features corresponding to the traffic data; and compare the violation traffic features with the actual traffic features to judge whether the traffic data is in violation.
In an embodiment, the management module is further configured to generate a traffic analysis report according to the actual traffic features; search for the user record table corresponding to the user ID; and write the traffic analysis report into that user record table.
In an embodiment, the management module is further configured to determine the target violation traffic features among the actual traffic features; delete the target data corresponding to the target violation traffic features from the traffic data to obtain corrected traffic data; and transmit the corrected traffic data to the corresponding target terminal.
In one embodiment, the management module is further configured to generate a threat report according to the target violation traffic features; search for the user record table corresponding to the user ID; and write the threat report into that user record table.
In an embodiment, the DOH protocol-based traffic identification device further includes a registration module configured to generate a user ID according to a registration request when the registration request sent by the client is received, and to send the user ID to the client so that the client initiates the DOH request according to the user ID.
In an embodiment, the registration module is further configured to generate, based on a preset domain name, a generic domain name corresponding to the preset domain name according to the user ID, and to send the generic domain name to the client so that the client initiates the DOH request according to the generic domain name.
Other embodiments or specific implementations of the DOH protocol-based traffic identification device of the present invention may refer to the above method embodiments and are not described again here.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The foregoing embodiment numbers of the present invention are merely for the purpose of description and do not represent the advantages or disadvantages of the embodiments. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The terms first, second, third, etc. do not denote any order; they are used only as names.
From the above description of the embodiments, it will be clear to those skilled in the art that the methods of the above embodiments may be implemented by software plus a necessary general-purpose hardware platform, or of course by hardware, but in many cases the former is the preferred implementation. Based on such understanding, the technical solution of the present invention, or the part of it that contributes to the prior art, may be embodied in the form of a software product stored in a storage medium (for example a ROM image (Read Only Memory, ROM), a random access memory (Random Access Memory, RAM), a magnetic disk or an optical disk) comprising instructions for causing a terminal device (which may be a mobile phone, a computer, a server, an air conditioner, a network device, or the like) to perform the method of the embodiments of the present invention.
The foregoing description is only of the preferred embodiments of the present invention and is not intended to limit the scope of the invention; rather, it is intended to cover any equivalent structures or equivalent processes disclosed herein, whether employed directly or indirectly in other related arts.

Claims (20)

1. A DOH protocol-based traffic identification method, characterized by comprising the following steps:
when a DOH request sent by a client is received, acquiring a port number corresponding to the DOH request;
determining a parsing rule corresponding to the DOH request according to the port number, wherein if the port number is UDP port 53, the DOH request was initiated by proxy software and the parsing rule is to parse the request header, and if the port number is port 443, the DOH request was initiated by a configured encrypted DNS service and the parsing rule is to parse the URL;
parsing the DOH request based on the parsing rule to obtain a parsing result, and determining a user ID corresponding to the client according to the parsing result;
and acquiring traffic data generated by the client and identifying the traffic data according to the user ID.
2. The DOH protocol-based traffic identification method according to claim 1, wherein the parsing the DOH request based on the parsing rule to obtain a parsing result, and determining the user ID corresponding to the client according to the parsing result, includes:
determining a target data type based on the parsing rule;
and extracting target data corresponding to the target data type from the DOH request, and determining the user ID corresponding to the client according to the target data.
3. The DOH protocol-based traffic identification method according to claim 2, wherein the target data type includes request header data, and the extracting target data corresponding to the target data type from the DOH request, and determining the user ID corresponding to the client according to the target data, includes:
extracting request header data from the DOH request;
and extracting a target string from the request header data according to a preset field name, and taking the target string as the user ID corresponding to the client.
4. The DOH protocol-based traffic identification method according to claim 2, wherein the target data type includes URL data, and the extracting target data corresponding to the target data type from the DOH request, and determining the user ID corresponding to the client according to the target data, includes:
extracting URL data from the DOH request;
and extracting a target string from the URL data according to a preset domain name segment, and taking the target string as the user ID corresponding to the client.
5. The DOH protocol-based traffic identification method according to claim 2, wherein the target data type includes certificate data, and the extracting target data corresponding to the target data type from the DOH request, and determining the user ID corresponding to the client according to the target data, includes:
extracting certificate data from the DOH request;
and searching a preset authentication table for a user number corresponding to the certificate data, and taking the user number as the user ID corresponding to the client.
6. The DOH protocol-based traffic identification method according to any one of claims 1 to 5, wherein after the acquiring traffic data generated by the client and identifying the traffic data according to the user ID, the method further comprises:
searching a preset management policy table for a target management policy corresponding to the user ID;
judging whether the traffic data is in violation based on the target management policy;
and if the traffic data is in violation, blocking the traffic data.
7. The DOH protocol-based traffic identification method according to claim 6, wherein the judging whether the traffic data is in violation based on the target management policy comprises:
determining a violation traffic feature based on the target management policy;
performing feature analysis on the traffic data to obtain an actual traffic feature corresponding to the traffic data;
and comparing the violation traffic feature with the actual traffic feature to judge whether the traffic data is in violation.
8. The DOH protocol-based traffic identification method according to claim 7, wherein after the judging whether the traffic data is in violation based on the target management policy, the method further comprises:
generating a traffic analysis report according to the actual traffic feature;
and searching for a user record table corresponding to the user ID, and writing the traffic analysis report into the user record table.
9. The DOH protocol-based traffic identification method according to claim 7, wherein the blocking the traffic data if the traffic data is in violation further comprises:
determining a target violation traffic feature among the actual traffic features;
deleting target data corresponding to the target violation traffic feature from the traffic data to obtain corrected traffic data;
and transmitting the corrected traffic data to a corresponding target terminal.
10. The DOH protocol-based traffic identification method according to claim 9, wherein after the transmitting the corrected traffic data to the corresponding target terminal, the method further comprises:
generating a threat report according to the target violation traffic feature;
and searching for a user record table corresponding to the user ID, and writing the threat report into the user record table.
11. The DOH protocol-based traffic identification method according to any one of claims 1 to 5, further comprising, before the acquiring a port number corresponding to the DOH request when a DOH request sent by a client is received:
when a registration request sent by the client is received, generating a user ID according to the registration request;
and sending the user ID to the client so that the client initiates the DOH request according to the user ID.
12. The DOH protocol-based traffic identification method according to claim 11, further comprising, after the generating a user ID according to the registration request when a registration request sent by the client is received:
based on a preset domain name, generating a generic domain name corresponding to the preset domain name according to the user ID;
and sending the generic domain name to the client so that the client initiates the DOH request according to the generic domain name.
13. A DOH protocol-based traffic identification device, comprising:
a receiving module, configured to acquire a port number corresponding to a DOH request when the DOH request sent by a client is received;
a parsing module, configured to determine a parsing rule corresponding to the DOH request according to the port number, wherein if the port number is UDP port 53, the DOH request was initiated by proxy software and the parsing rule is to parse the request header, and if the port number is port 443, the DOH request was initiated by a configured encrypted DNS service and the parsing rule is to parse the URL;
an ID confirmation module, configured to parse the DOH request based on the parsing rule to obtain a parsing result, and to determine a user ID corresponding to the client according to the parsing result;
and an identification module, configured to acquire traffic data generated by the client and to identify the traffic data according to the user ID.
14. The DOH protocol-based traffic identification device according to claim 13, wherein the ID confirmation module is further configured to determine a target data type based on the parsing rule;
and the ID confirmation module is further configured to extract target data corresponding to the target data type from the DOH request, and to determine the user ID corresponding to the client according to the target data.
15. The DOH protocol-based traffic identification device according to claim 13 or 14, further comprising a management module;
the management module is configured to search a preset management policy table for a target management policy corresponding to the user ID;
the management module is further configured to judge whether the traffic data is in violation based on the target management policy;
and the management module is further configured to block the traffic data if the traffic data is in violation.
16. The DOH protocol-based traffic identification device according to claim 15, wherein the management module is further configured to determine a violation traffic feature based on the target management policy;
the management module is further configured to perform feature analysis on the traffic data to obtain an actual traffic feature corresponding to the traffic data;
and the management module is further configured to compare the violation traffic feature with the actual traffic feature to judge whether the traffic data is in violation.
17. The DOH protocol-based traffic identification device according to claim 13 or 14, further comprising a registration module;
the registration module is configured to generate a user ID according to a registration request when the registration request sent by the client is received;
and the registration module is further configured to send the user ID to the client so that the client initiates the DOH request according to the user ID.
18. The DOH protocol-based traffic identification device according to claim 17, wherein the registration module is further configured to generate, based on a preset domain name, a generic domain name corresponding to the preset domain name according to the user ID;
and the registration module is further configured to send the generic domain name to the client so that the client initiates the DOH request according to the generic domain name.
19. A DOH protocol-based traffic identification device, comprising a memory, a processor, and a DOH protocol-based traffic identification program stored on the memory and executable on the processor, wherein the program, when executed by the processor, implements the steps of the DOH protocol-based traffic identification method according to any one of claims 1 to 12.
20. A storage medium, wherein a DOH protocol-based traffic identification program is stored on the storage medium, and wherein the program, when executed by a processor, implements the steps of the DOH protocol-based traffic identification method according to any one of claims 1 to 12.
CN202011385899.5A 2020-12-01 2020-12-01 DOH protocol-based traffic identification method, device, equipment and storage medium Active CN112491909B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011385899.5A CN112491909B (en) 2020-12-01 2020-12-01 DOH protocol-based traffic identification method, device, equipment and storage medium

Publications (2)

Publication Number Publication Date
CN112491909A CN112491909A (en) 2021-03-12
CN112491909B true CN112491909B (en) 2023-09-01

Family

ID=74938504

Country Status (1)

Country Link
CN (1) CN112491909B (en)

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103763149A (en) * 2013-12-27 2014-04-30 北京集奥聚合科技有限公司 Real-time statistical method for network user number
CN105357212A (en) * 2015-11-23 2016-02-24 北京天地互连信息技术有限公司 DNS end-to-end analysis method capable of ensuring safety and privacy
CN107547310A (en) * 2017-08-24 2018-01-05 杭州安恒信息技术有限公司 A kind of user behavior association analysis method and system based on bypass audit device
CN108270731A (en) * 2016-12-30 2018-07-10 中兴通讯股份有限公司 A kind of data flow transmission method, device and relevant device
CN110209583A (en) * 2019-06-03 2019-09-06 中国银联股份有限公司 Safety detecting method, device, system, equipment and storage medium
CN110545335A (en) * 2018-05-29 2019-12-06 阿里巴巴集团控股有限公司 Internet protocol address acquisition method, server and system
CN110912782A (en) * 2019-12-17 2020-03-24 锐捷网络股份有限公司 Data acquisition method, device and storage medium
CN110913036A (en) * 2019-12-01 2020-03-24 杭州云缔盟科技有限公司 Method for identifying terminal position based on authoritative DNS
CN111917694A (en) * 2019-05-09 2020-11-10 中兴通讯股份有限公司 TLS encrypted traffic identification method and device
CN111953681A (en) * 2020-08-11 2020-11-17 福州职业技术学院 DNS identity authentication method and terminal

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109802924B (en) * 2017-11-17 2022-05-17 华为技术有限公司 Method and device for identifying encrypted data stream
RU2726879C2 (en) * 2018-12-28 2020-07-16 Акционерное общество "Лаборатория Касперского" System and method of connecting secure dns resolution protocol

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Security Analysis of DNS Privacy Protection; Meng Dechao et al.; Communications Technology (通信技术); 20200228; full text *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 100020 1773, 15 / F, 17 / F, building 3, No.10, Jiuxianqiao Road, Chaoyang District, Beijing

Applicant after: Sanliu0 Digital Security Technology Group Co.,Ltd.

Address before: 100020 1773, 15 / F, 17 / F, building 3, No.10, Jiuxianqiao Road, Chaoyang District, Beijing

Applicant before: Beijing Hongteng Intelligent Technology Co.,Ltd.

GR01 Patent grant