CN112615867B - Data packet detection method and device - Google Patents

Info

Publication number: CN112615867B
Application number: CN202011529939.9A
Authority: CN (China)
Prior art keywords: information table, data packet, detected, ssl, destination
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN112615867A
Inventors: 张志良, 范鸿雷, 董伟刚
Current assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd
Original assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd

Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd and Beijing Topsec Software Co Ltd
Priority to CN202011529939.9A
Publication of CN112615867A
Application granted
Publication of CN112615867B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]


Abstract

The present application provides a data packet detection method and device. The method comprises: acquiring a first five-tuple of a data packet to be detected; when a first information table has no node corresponding to the first five-tuple, searching, according to the first destination IP and the first destination port, whether a second information table has a corresponding node; when the second information table has no corresponding node, processing the data packet to be detected with an SSL proxy process and creating a new node in the first information table from the first five-tuple and the SSL proxy process; and when the second information table has a corresponding node, processing the data packet to be detected with a fast forwarding process and creating a new node in the first information table from the first five-tuple and the fast forwarding process. With this method, the vulnerabilities that may result from manually configuring the SSL proxy policy in the background art are avoided, and the destination IPs and destination ports that do not need the proxy process are screened out automatically by actually running the proxy process.

Description

Data packet detection method and device
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method and an apparatus for detecting a data packet.
Background
To ensure data security and prevent a man in the middle from stealing data or attacking, SSL (Secure Sockets Layer) encryption is often used between network devices. SSL sits between the transport layer (mainly the TCP/IP protocol) and the application layer: data sent by the application layer is encrypted to form encrypted data, which is then handed to the transport layer.
To protect enterprise confidential data and prevent it from being sent to external clients, the enterprise local area network is equipped with gateway devices such as firewalls. When an enterprise has deployed such a gateway device and SSL-encrypted data packets must be used between intranet devices and extranet devices, the gateway device acts as a proxy server and establishes separate SSL connections with the intranet device and the extranet device. After receiving an SSL-encrypted data packet, the gateway device first performs SSL offloading on it to obtain the restored data, then tries to process the restored data with an application layer software program to obtain the restored file, and performs security detection on the restored file.
At present, to implement security detection on SSL-encrypted data packets effectively, the destination IPs and destination ports that require SSL proxying are configured manually in advance, and the configured destination IPs and destination ports are used to decide whether SSL proxying must be performed on a received data packet. However, in application scenarios where the destination IP and destination port vary, this method hits poorly. In that case only a coarser-grained SSL proxy policy can be configured, for example destination IP "any" and destination port "any", or destination IP 10.10.0.0/16 and destination port 80-8080. Such a policy pulls data traffic that does not need SSL proxying into proxy forwarding, which lowers forwarding efficiency. It can further be seen that, if the destination IP and destination port are configured as a particular address segment and port range, some SSL-encrypted traffic may be missed because it is not hit by the configuration.
Disclosure of Invention
In order to solve the technical problem or at least partially solve the technical problem, the present application provides a data packet detection method and apparatus.
In one aspect, the present application provides a data packet detection method, applied to a gateway device, including:
acquiring a first five-tuple of a data packet to be detected, the first five-tuple comprising a first source IP, a first source port, a first destination IP, a first destination port and a first transport layer protocol;
querying, according to the first five-tuple, whether a first information table has a corresponding node, the nodes of the first information table comprising the five-tuples of established connections and the processing flow corresponding to each established connection;
when the first information table has a corresponding node, processing the data packet to be detected with the processing flow corresponding to the established connection;
when the first information table has no corresponding node, searching, according to the first destination IP and the first destination port, whether a second information table has a corresponding node, the nodes of the second information table comprising destination IPs and destination ports that do not need SSL proxying;
when the second information table has no corresponding node, processing the data packet to be detected with an SSL proxy process, and creating a new node in the first information table from the first five-tuple and the SSL proxy process;
when the second information table has a corresponding node, processing the data packet to be detected with a fast forwarding process, and creating a new node in the first information table from the first five-tuple and the fast forwarding process.
Optionally, processing the data packet to be detected with an SSL proxy process includes:
judging whether the data packet to be detected includes handshake ACK information;
and, when the data packet to be detected includes handshake ACK information, establishing a TCP connection with the device represented by the first source IP.
Optionally, processing the data packet to be detected with an SSL proxy process includes:
judging whether the data packet to be detected includes information related to an SSL connection;
and, when the data packet to be detected does not include information related to an SSL connection, adding a new node to the second information table from the first destination IP and the first destination port.
Optionally, judging whether the data packet to be detected includes information related to an SSL connection includes:
judging whether the data packet to be detected includes SSL connection establishment information, or judging whether the data packet to be detected includes SSL encryption information.
Optionally, when it is determined that the data packet to be detected includes SSL connection establishment information, the method further includes:
establishing an SSL connection with the source device whose IP address is the first source IP.
Optionally, when it is determined that the data packet to be detected includes SSL encryption information, the method further includes:
performing SSL offloading on the data packet to be detected to obtain restored data;
when it is uncertain whether the gateway device can obtain a restored file from the restored data, trying to parse the restored data to obtain the restored file;
performing validity detection on the restored file when the restored file can be obtained;
and adding a new node to the second information table from the first destination IP and the first destination port when the restored file cannot be obtained.
Optionally, each node in the second information table further includes the last SSL offload time and the number of times offloading has been executed, and the method further includes:
updating the last SSL offload time and/or the number of offload executions when SSL offloading is performed on the data packet to be detected;
judging whether the number of nodes in the second information table exceeds a threshold;
and, when the number of nodes in the second information table exceeds the threshold, deleting nodes from the second information table according to their last SSL offload time and/or number of offload executions.
Optionally, the method further includes:
when the data packet to be detected includes connection-teardown ACK information, deleting the node containing the first five-tuple from the first information table.
In another aspect, the present application provides a packet detection apparatus, applied to a gateway device, including:
an acquisition unit, configured to acquire a first five-tuple of the data packet to be detected, the first five-tuple comprising a first source IP, a first source port, a first destination IP, a first destination port and a first transport layer protocol;
a first query unit, configured to query, according to the first five-tuple, whether a first information table has a corresponding node, the nodes of the first information table comprising the five-tuples of established connections and the processing flow corresponding to each established connection;
a second query unit, configured to search, when the first information table has no corresponding node, whether a second information table has a corresponding node according to the first destination IP and the first destination port, the nodes of the second information table comprising destination IPs and destination ports that do not need SSL proxying;
an SSL proxy processing unit, configured to process the data packet to be detected with an SSL proxy process when the second information table has no corresponding node, and to create a new node in the first information table from the first five-tuple and the SSL proxy process;
a fast forwarding processing unit, configured to process the data packet to be detected with a fast forwarding process when the second information table has a corresponding node, and to create a new node in the first information table from the first five-tuple and the fast forwarding process.
In the data packet detection method and device provided by the embodiments of the application, nodes representing destination IPs and destination ports that do not need SSL proxying are kept in the second information table, and a data packet to be detected whose destination has no corresponding node in the second information table is processed with the proxy process. The policy for every destination IP and destination port is thus verified in practice, and the vulnerability that may arise when the SSL proxy policy is set manually, as in the background art, is avoided.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present application and together with the description, serve to explain the principles of the application.
To illustrate the embodiments of the present application or the technical solutions of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below; those skilled in the art can obviously obtain other drawings from them without inventive effort.
FIG. 1 is a flow chart of a method for packet inspection according to an embodiment of the present application;
fig. 2 is a flowchart of processing a to-be-detected data packet after establishing a TCP connection by using an established proxy process in the embodiment of the present application;
fig. 3 is a schematic structural diagram of a packet detection apparatus according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of an electronic device provided in an embodiment of the present application;
wherein: 11-an obtaining unit, 12-a first query unit, 13-a second query unit, 14-an SSL proxy processing unit, and 15-a fast forwarding processing unit; 21-processor, 22-memory, 23-communication interface, 24-bus system.
Detailed Description
In order that the above objects, features and advantages of the present application may be more clearly understood, the scheme of the present application will be further described below. It should be noted that the embodiments and features of the embodiments of the present application may be combined with each other without conflict.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present application, but the present application may be practiced other than as described herein; it is to be understood that the embodiments described in this specification are only some embodiments of the present application and not all embodiments.
The embodiment of the application provides a data packet detection method, which is deployed on gateway equipment and used for judging whether proxy flow processing is adopted on a received data packet to be detected.
Fig. 1 is a flowchart of a packet detection method according to an embodiment of the present application. As shown in fig. 1, the processing method provided by the embodiment of the present application includes steps S101 to S106.
S101: acquire a first five-tuple of the data packet to be detected.
In the embodiment of the application, the data packet to be detected is a data packet sent to the gateway device by the intranet device or the extranet device. The first quintuple can be obtained by analyzing the data packet to be detected. The first quintuple includes a first source IP, a first source port, a first destination IP, a first destination port, and a first transport layer protocol of the packet to be detected.
S102: query, according to the first five-tuple, whether the first information table has a corresponding node. If yes, execute S103; if not, execute S104.
In the embodiments of the present application, each node of the first information table stores a five-tuple of a connection already established through the gateway device, together with the processing flow corresponding to that established connection.
If the first information table has a node corresponding to the first five-tuple, the source device (that is, the application layer program characterised by the first source IP and first source port) has already established a connection with the client (the connection may be an SSL proxy connection or a connection of another form), and the gateway device has already decided the processing flow for packets of the first five-tuple. The data packet to be detected can then only be processed according to that flow, so step S103 is executed to enter the corresponding flow and step S104 is not executed. Note that the corresponding processing flow may be a proxy flow or a fast forwarding flow.
In a specific application, the number of nodes in the first information table can be dynamically changed. When the gateway equipment is just powered on and accesses to the network, the number of the nodes in the first information table is 0; along with the increase of the connection establishment, the number of nodes in the first information table is correspondingly increased; when a connection is disconnected, the corresponding node is also deleted.
S103: process the data packet to be detected with the processing flow corresponding to the established connection.
S104: search, according to the first destination IP and the first destination port, whether the second information table has a corresponding node. If yes, execute S105; if not, execute S106.
In this embodiment, each node in the second information table includes destination IP and destination port information that do not need SSL proxying.
In a specific application, the nodes in the second information table are not manually added, but are automatically obtained when the history data packet is processed (how to automatically obtain the nodes in the second information table is described later).
In practical applications, the number of nodes in the second information table may also change dynamically. When the gateway equipment just accesses the network, the number of the nodes in the second information table is 0; as the number of packets (i.e., history packets) processed by the gateway increases, the number of nodes in the second information table gradually increases. Some nodes in the second information table may also be deleted if an operation to delete nodes in the second information table or to initialize the second information table is set.
S105: process the data packet to be detected with the fast forwarding process, and create a new node in the first information table from the first five-tuple and the fast forwarding flow.
In the embodiments of the present application, the fast forwarding process is one in which the gateway device forwards the packet without acting as an SSL proxy server. Note that in the fast forwarding process the data packet to be detected is not SSL-encrypted, so the gateway device can extract the application layer data from the packet. After obtaining the application layer data, the gateway device may try to parse it to obtain a restored file.
If the restored file is obtained, carrying out validity detection on the restored file, and forwarding the data packet to be detected under the condition that the restored file is legal; if the file is not legal, the gateway device blocks the forwarding of the data packet to be detected.
If the gateway device does not install the corresponding application layer program, the gateway device cannot obtain the restored file according to the application layer data, and at the moment, the gateway device can determine whether the data packet to be detected can be forwarded according to a preset security policy.
After the new node is created in the first information table from the first five-tuple and the fast forwarding flow, any later data packet belonging to the first five-tuple is processed directly with the corresponding fast forwarding flow.
S106: process the data packet to be detected with the SSL proxy process, and create a new node in the first information table from the first five-tuple and the SSL proxy flow.
In the embodiments of the present application, the proxy process is one in which the gateway device, acting as a proxy server, proxies the communication between the intranet device and the extranet device. With the SSL proxy process, the gateway device can decrypt the SSL-encrypted data packet to be detected to obtain the restored data and then attempt validity detection on it.
From the above analysis, a corresponding node in the second information table indicates that the proxy process need not be executed on the data packet to be detected. If the second information table has no corresponding node, it cannot currently be determined whether the data packet to be detected needs the proxy process, so the packet is processed with the proxy process to ensure that validity detection is performed wherever possible.
In the data packet detection method provided by the embodiments of the present application, nodes representing destination IPs and destination ports that do not need SSL proxying are kept in the second information table; a data packet to be detected with no corresponding node there is processed with the proxy process, so the policy for every destination IP and destination port is verified and the vulnerability that may arise from manually setting the SSL proxy policy, as in the background art, is avoided.
In the embodiment of the present application, the nodes in the second information table can be automatically obtained by processing the historical to-be-processed data packet when the proxy process is adopted, and the automatic screening of the destination IP and the destination port without the proxy process is realized by adopting the actual proxy process.
In this embodiment, the step S106 of processing the data packet to be detected by using the proxy process includes steps S1061 and S1062.
S1061: judge whether the data packet to be detected includes handshake ACK information; if so, execute S1062.
In practice, when an intranet device and an extranet device need to establish a communication connection, the connection-establishment messages of the three-way handshake (that is, data packets to be detected that serve connection establishment) must be sent. After receiving a data packet to be detected, the gateway device extracts its information and, on determining that it includes the connection-establishment information of the three-way handshake, decides that it must act as a proxy server and executes step S1062.
S1062: establish a TCP connection with the source device.
Once the data packet to be detected is determined to include handshake ACK information, the three-way handshake through the gateway device is complete, so a TCP connection with the device identified by the first source IP is established at this point. Note that if the data packet to be detected carries handshake ACK information, the gateway device has previously received a data packet including handshake SYN information and has itself sent a data packet including handshake ACK information to the source device.
Fig. 2 is a flowchart of processing a data packet to be detected with a proxy process whose TCP connection has been established, in the embodiments of the present application. In the embodiments, when executing step S103, processing the data packet to be detected with a proxy process whose TCP connection has been established includes steps S1031 to S1033.
S1031: judge whether the data packet to be detected includes information related to an SSL connection; if so, go to S1032; if not, execute S1033.
In the embodiments of the present application, the information related to an SSL connection includes SSL connection information or SSL encryption information.
Judging whether the data packet to be detected includes information related to an SSL connection therefore means judging whether it includes SSL connection establishment information, or judging whether it uses SSL encryption.
S1032: execute the operation corresponding to the SSL connection related information.
The operation corresponding to the SSL connection related information is selected according to the specific type of the data packet to be detected.
Step A is executed when the data packet to be detected includes SSL connection establishment information.
A: establish an SSL connection with the source device whose IP address is the first source IP, and establish an SSL connection with the destination device whose IP address is the first destination IP.
It should be noted that, during the execution of step a, according to the SSL connection establishment procedure, the packet to be detected may be various possible packets during the SSL connection establishment procedure, and the gateway device may also send a corresponding response packet to the source device.
To be able to send SSL-encrypted data to the destination device, the gateway device also establishes an SSL connection with the destination device whose IP is the first destination IP.
Steps B to E are executed when the data packet to be detected uses SSL encryption.
B: perform SSL offloading on the data packet to be detected to obtain the restored data.
SSL offloading of the data packet to be detected means that, once the received packet is judged to be SSL-encrypted, the gateway device, acting as proxy server, decrypts the TCP message in the packet with the gateway device's own private key and obtains the data generated by the corresponding application layer of the source device (called the restored data).
C: under the condition that whether the gateway equipment can obtain the restored file according to the restored data is uncertain, trying to analyze the restored data to obtain the restored file; if the restored file is obtained, executing the step D; if not, executing the step E.
In step C, to determine whether the restored data can be parsed into the restored file, the gateway device attempts to process the restored data with its installed application layer programs.
In the embodiments of the application, a third information table may also be established to store the header identification information of restored data that could not be recognised; after restored data is obtained, its header identification information is compared with the entries of the third information table to decide whether it can be restored. If it is confirmed that the file cannot be restored, steps C to E are not executed and the restored data is re-encrypted with SSL and forwarded directly; if it is not yet determined whether the restored file can be obtained, step C is performed.
D: and carrying out validity detection on the restored file.
In the embodiments of the application, the gateway device uses a security engine to perform validity detection on the restored file. If the restored file is found to be illegal, proxy forwarding of the restored data is blocked; if it is not found to be illegal, the restored data is encrypted with the SSL public key of the destination device and proxy-forwarded to the destination device.
E: add a new node to the second information table from the first destination IP and the first destination port.
In the embodiments of the application, if the restored file cannot be obtained from the restored data, the gateway device has no capability to perform validity detection on that data, so SSL proxying of packets to be detected that are sent to the first destination IP and first destination port is pointless. The first destination IP and first destination port are therefore added to the second information table, so that when step S104 is executed again for a new connection, the processing of step S106 can be applied directly to its packets. The proxy forwarding process then need not be executed for those packets, which improves forwarding efficiency.
S1033: add a new node to the second information table from the first destination IP and the first destination port.
In the embodiments of the present application, if the data packet to be detected includes no information related to an SSL connection, it is proved that the application layer data issued by the application layer program at the first destination IP and first destination port does not need SSL encryption and the packet may be a plaintext packet. The processing of step S106 can therefore be applied to packets of a new connection whose destination address is the first destination IP and destination port is the first destination port, and the proxy flow is no longer executed for such packets, which improves forwarding efficiency.
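The two-table dispatch of steps S101 to S106 together with the automatic learning of the second information table in step S1033, as an added Python example that is not part of the patent; the `Packet` and `Gateway` classes and the SSL/TLS record-header check are this example's own assumptions, and the offload-and-parse branch (steps B to E) is left out.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Set, Tuple

# (source IP, source port, destination IP, destination port, transport protocol)
FiveTuple = Tuple[str, int, str, int, str]
Destination = Tuple[str, int]


class Flow(Enum):
    SSL_PROXY = "ssl_proxy"        # S106: gateway acts as SSL proxy server
    FAST_FORWARD = "fast_forward"  # S105: forward without SSL proxying


@dataclass(frozen=True)
class Packet:
    """Constructed stand-in for a packet the gateway has already parsed (assumption)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"
    flags: FrozenSet[str] = frozenset()  # e.g. {"SYN"}, {"ACK"}, {"FIN", "ACK"}
    payload: bytes = b""

    def five_tuple(self) -> FiveTuple:
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port, self.proto)

    def destination(self) -> Destination:
        return (self.dst_ip, self.dst_port)


def is_tls_record(payload: bytes) -> bool:
    """SSL/TLS record header: content type 0x14..0x17 followed by version 3.x.
    0x16 is a handshake record (SSL connection establishment information),
    0x17 is application data (SSL encryption information)."""
    return len(payload) >= 5 and 0x14 <= payload[0] <= 0x17 and payload[1] == 0x03


class Gateway:
    def __init__(self) -> None:
        # first information table: established five-tuple -> processing flow
        self.connections: Dict[FiveTuple, Flow] = {}
        # second information table: destinations learned to need no SSL proxy
        self.no_proxy: Set[Destination] = set()

    def dispatch(self, pkt: Packet) -> Flow:
        key = pkt.five_tuple()
        flow = self.connections.get(key)            # S102: known connection?
        if flow is None:                            # S104: consult second table
            if pkt.destination() in self.no_proxy:
                flow = Flow.FAST_FORWARD            # S105
            else:
                flow = Flow.SSL_PROXY               # S106: proxy whenever unsure
            self.connections[key] = flow            # new node in first table
        if "FIN" in pkt.flags:
            # connection teardown: the node for this five-tuple is deleted
            del self.connections[key]
        elif flow is Flow.SSL_PROXY and pkt.payload:
            self._learn_from_proxy(pkt)             # S1031 / S1033
        return flow

    def _learn_from_proxy(self, pkt: Packet) -> None:
        # Data on a proxied connection that is not an SSL/TLS record shows the
        # destination speaks plaintext, so later connections to it bypass the proxy.
        if not is_tls_record(pkt.payload):
            self.no_proxy.add(pkt.destination())
```

An existing connection keeps the flow recorded in the first table even after its destination has been learned as plaintext; only new five-tuples pick up the fast forwarding flow.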
In the embodiment of the present application, with the foregoing method, the number of nodes in the second information table is increasing, and when the number of nodes in the second information table is too large, executing the query step in step S104 consumes a large amount of resources. In addition, in practical applications, the application layer program corresponding to the first destination IP and the first destination port may be changed, or at least one of the first destination IP and the first destination port is discarded and is not used, and at this time, the corresponding node in the second information table no longer has significance.
In view of the foregoing problems, the data packet detection method provided in the embodiment of the present application further includes steps S107 and S108.
S107: judging whether the number of nodes in the second information table exceeds a threshold value or not; if yes, go to step S108.
S108: and deleting the nodes in the second information table.
In steps S107 and S108, if the number of nodes in the second information table exceeds the threshold, the nodes in the second information table are deleted, so that the number of nodes in the second information table is reduced, thereby increasing the processing speed in step S104.
It should be noted that steps S107 and S108 and steps S101-S106 in the foregoing are not limited in the order of execution, and may be executed at various possible points in time.
In this embodiment of the application, the deleting of nodes in the second information table in step S108 may be deleting all the nodes in the second information table, or deleting some of the nodes in the second information table. Deleting part of the nodes may be done according to at least one of the node generation time, the query hit time, and the last query hit time as a sorting criterion.
In this embodiment, each node in the second information table may further include the last SSL offload time and the number of times of offload execution, in addition to the aforementioned first destination IP and first destination port.
After determining that the number of nodes in the second information table exceeds the threshold in step S107, step S108 may be to delete the nodes in the second information table according to the last SSL offload time and offload execution times of the nodes in the second information table.
Specifically, a node whose difference between its last SSL offload time and the current time exceeds a preset duration may be deleted, and a node whose offload execution count is less than a set count may be deleted. Alternatively, the median last SSL offload time and the median offload execution count are determined from the last SSL offload times and offload execution counts of all nodes, and the nodes whose values are smaller than these medians are deleted.
In other embodiments of the present application, the nodes in the second information table may further include an SSL establishment time, and when deleting nodes in the second information table, the nodes may be deleted according to the SSL establishment time, the last SSL offload time, and the offload execution count.
In this embodiment of the application, during the execution of step S103 the packet to be detected may also include waving ACK information (an ACK of the TCP connection teardown); in that case, the gateway device may further delete the node including the first quintuple from the first information table. After the first quintuple is deleted, if a packet including that quintuple is received again, the operations of steps S104-S106 may be performed; in particular, when the first destination IP and the first destination port of that quintuple are stored in the second information table, the operation of S106 is performed directly.
In addition to providing the foregoing data packet detection method, the present application also provides a data packet detection apparatus. Fig. 3 is a schematic structural diagram of a packet detection device according to an embodiment of the present application. As shown in fig. 3, the packet detection apparatus includes an acquisition unit 11, a first query unit 12, a second query unit 13, an SSL proxy processing unit 14, and a fast forwarding processing unit 15.
The obtaining unit 11 is configured to obtain a first quintuple of the data packet to be detected. In the embodiment of the application, the data packet to be detected is a data packet sent to the gateway device by the intranet device or the extranet device. The obtaining unit 11 analyzes the data packet to be detected, and may obtain a first quintuple. The first quintuple includes a first source IP, a first source port, a first destination IP, a first destination port, and a first transport layer protocol of the packet to be detected.
The first query unit 12 is configured to query whether the first information table has a corresponding node according to the first quintuple; the nodes of the first information table comprise the quintuple of an established connection and the processing flow corresponding to that established connection.
If the first information table has a corresponding node according to the first quintuple, it is determined that the source device (i.e., the application layer program represented by the first source IP and the first source port) corresponding to the quintuple has established a connection with the client (which may be an SSL proxy connection or a connection in other forms), and at this time, the packet to be detected can only be processed according to the corresponding processing flow.
In the embodiment of the present application, the number of nodes in the first information table may be dynamically changed. When the gateway equipment is just powered on and accesses to the network, the number of the nodes in the first information table is 0; along with the increase of the connection establishment, the number of nodes in the first information table is correspondingly increased; when a connection is disconnected, the corresponding node is also deleted.
The second querying unit 13 is configured to, in a case that there is no corresponding node in the first information table, find whether there is a corresponding node in the second information table according to the first destination IP and the first destination port.
Each node in the second information table includes destination IP and destination port information that need not perform SSL proxying.
In a specific application, the nodes in the second information table are not manually added, but are automatically obtained when the history data packet is processed.
In practical applications, the number of nodes in the second information table may also change dynamically. When the gateway equipment just accesses the network, the number of the nodes in the second information table is 0; as the number of packets (i.e., historical packets) handled by the gateway increases, the number of nodes in the second information table gradually increases. Some nodes in the second information table may also be deleted if an operation to delete nodes in the second information table or to initialize the second information table is set.
The SSL proxy processing unit 14 is configured to process the data packet to be detected by using the proxy process when there is no corresponding node in the first information table and there is no corresponding node in the second information table.
The fast forwarding processing unit 15 is configured to process the data packet to be detected by using the fast forwarding process when the second information table has a corresponding node.
In the embodiment of the present application, the fast forwarding process is a process in which SSL proxying is not executed, i.e. the gateway device does not act as an SSL proxy server. It should be noted that in the fast forwarding process the packet to be detected is not SSL-encrypted, so the gateway device can extract the application layer data from the packet. After obtaining the application layer data, the gateway device may attempt to parse it to obtain a restored file.
If the restored file is obtained, carrying out validity detection on the restored file, and forwarding the data packet to be detected under the condition that the restored file is legal; if the file is not legal, the gateway device blocks the forwarding of the data packet to be detected.
If the gateway device does not have the corresponding application layer program installed, the gateway device cannot obtain the restored file from the application layer data; in this case the gateway device can determine whether the data packet to be detected may be forwarded according to a preset security policy.
If the second information table has a corresponding node, the analysis of historical detected data packets indicates that the proxy process does not need to be executed on the data packet to be detected. If the second information table has no corresponding node, it is currently impossible to determine whether the data packet to be detected should be processed by the proxy process, and in order to ensure that validity detection is performed as far as possible, the data packet to be detected is processed by the proxy process.
By adopting the data packet detection device provided by the embodiment of the application, the nodes representing the destination IPs and destination ports which do not need SSL proxying are placed in the second information table, and the nodes in the second information table are not set manually but are obtained automatically when the gateway device processes historical data packets with the proxy process.
If the second information table has no corresponding node, the data packet to be detected is processed with the proxy process, so that the policies for all destination IPs and destination ports can be verified, and the vulnerability problem possibly caused by manually setting the SSL proxy policy in the background art is avoided.
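The two-table lookup described above (first information table keyed by the 5-tuple of an established connection, second information table keyed by destination IP and port, node removal on the teardown ACK) as an added illustration written for this page; it is not the patent's code, and the class names, the flow labels and the sample addresses are assumptions made for the example:

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Added illustration of the two-table lookup. Gateway, Packet, the flow labels and
# the sample addresses are assumptions for this example, not the patent's code.

FiveTuple = Tuple[str, int, str, int, str]  # src IP, src port, dst IP, dst port, L4 protocol
DstKey = Tuple[str, int]                     # dst IP, dst port

SSL_PROXY = "ssl_proxy"        # S105: the gateway acts as SSL proxy and can inspect
FAST_FORWARD = "fast_forward"  # S106: no SSL proxying for this destination


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"
    waving_ack: bool = False  # ACK belonging to the TCP connection teardown


class Gateway:
    def __init__(self) -> None:
        # first information table: 5-tuple of an established connection -> its processing flow
        self.first_table: Dict[FiveTuple, str] = {}
        # second information table: (dst IP, dst port) learned not to need SSL proxying
        self.second_table: Set[DstKey] = set()

    @staticmethod
    def five_tuple(pkt: Packet) -> FiveTuple:
        # S101: extract the first quintuple
        return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def classify(self, pkt: Packet) -> str:
        """Steps S102-S106: choose the processing flow for one packet."""
        key = self.five_tuple(pkt)
        flow = self.first_table.get(key)
        if flow is not None:
            # S103: an established connection keeps the flow recorded for it
            if pkt.waving_ack:
                # teardown: drop the node so a reused 5-tuple is re-evaluated from S104
                del self.first_table[key]
            return flow
        # S104: is the destination already known not to need SSL proxying?
        if (pkt.dst_ip, pkt.dst_port) in self.second_table:
            flow = FAST_FORWARD
        else:
            # default to proxying so that validity detection is attempted
            flow = SSL_PROXY
        self.first_table[key] = flow  # new node: quintuple plus chosen flow
        return flow

    def learn_no_proxy(self, dst_ip: str, dst_port: int) -> None:
        """Called from the proxy flow (S1033 / S304) when a destination turns out to be
        plaintext or its restored data cannot be parsed."""
        self.second_table.add((dst_ip, dst_port))


def demo() -> List[str]:
    """Walk a constructed packet sequence through the gateway; returns the chosen flows."""
    gw = Gateway()
    results = []
    first = Packet("10.0.0.5", 40000, "203.0.113.10", 8443)
    results.append(gw.classify(first))          # unknown destination -> ssl_proxy
    results.append(gw.classify(first))          # same connection -> same flow
    gw.learn_no_proxy("203.0.113.10", 8443)     # proxy flow learned: no SSL needed here
    results.append(gw.classify(first))          # established connection is unchanged
    second = Packet("10.0.0.5", 40001, "203.0.113.10", 8443)
    results.append(gw.classify(second))         # new connection -> fast_forward
    teardown = Packet("10.0.0.5", 40000, "203.0.113.10", 8443, waving_ack=True)
    results.append(gw.classify(teardown))       # returns the old flow and removes the node
    results.append(gw.classify(first))          # reused 5-tuple is re-evaluated from S104
    return results
```

The sequence in `demo()` shows the property the text relies on: an established connection never changes flow mid-stream, while the second table only affects connections created after the destination was learned.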
In the embodiment of the present application, the SSL proxy processing unit 14 includes a first determining subunit and a connection establishing subunit.
The first judging subunit is configured to judge whether the data packet to be detected includes handshake ACK information; the connection establishing subunit is configured to establish a TCP connection with the source device when the packet to be detected includes handshake ACK information. The source device is a device that sends packets to be detected.
After a new node is created in the first information table from the first quintuple and the proxy process, the effect is that a subsequently received packet to be detected belonging to this connection is directly processed with the proxy process.
In this embodiment of the present application, the SSL proxy processing unit 14 includes a second determining subunit, an SSL connection establishing subunit, and a node adding subunit.
The second judging subunit is used for judging whether the data packet to be detected comprises information related to the SSL connection.
The SSL processing subunit is used for executing the corresponding operation related to the SSL connection according to the information related to the SSL connection when the second judging subunit judges that the data packet to be detected includes information related to the SSL connection; and for adding a new node in the second information table according to the first destination IP and the first destination port when the second judging subunit judges that the data packet to be detected does not include information related to the SSL connection.
In the embodiment of the application, the determining whether the to-be-detected data packet includes information associated with the SSL connection may be determining whether the to-be-detected data packet includes SSL connection establishment information, or determining whether the to-be-detected data packet includes SSL encryption information.
When the data packet to be detected includes SSL connection establishment information, the SSL processing subunit establishes an SSL connection with the source device represented by the first source IP and an SSL connection with the device represented by the first destination IP.
When the packet to be detected is SSL-encrypted, the processing performed by the SSL processing subunit includes steps S301 to S304.
S301: performing SSL offload processing on the data packet to be detected to obtain restored data;
S302: when it is uncertain whether the gateway device can obtain a restored file from the restored data, attempting to parse the restored data to obtain the restored file; if the restored file is obtained, executing step S303; if not, executing step S304.
In step S302, to determine whether the restored data can be parsed into the restored file, the gateway device attempts to process the restored data with the installed application layer programs to obtain the restored file.
In the embodiment of the application, a third information table may be established, in which the header identification information of restored data that could not be recognized is stored; after new restored data is obtained, its header identification information may be compared with the entries in the third information table to determine whether the restored data can be parsed. If the comparison shows that the restored file cannot be obtained, steps S303 and S304 are not executed, and the restored data is directly SSL-encrypted and forwarded.
It should be noted that the gateway device may not have the application layer program corresponding to the source device installed, in which case the gateway device cannot obtain the restored file.
S303: and carrying out validity detection on the restored file.
In the embodiment of the application, the gateway device uses a security engine to perform validity detection on the restored file; if the restored file is detected to be illegal, proxy forwarding of the restored data is blocked; if the file is not detected to be illegal, the restored data can be encrypted with the SSL public key of the destination device and then proxy-forwarded to the destination device.
S304: and adding a new node on the second information table according to the first destination IP and the first destination port.
In the embodiment of the application, if the restored file cannot be obtained for the restored data, the gateway device does not have the capability of performing validity detection on the restored data; at this time, it makes no sense to perform SSL proxying for a packet to be detected transmitted to the first destination IP and the first destination port, and therefore, this first destination IP and the first destination port are added to the second information table.
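Steps S301 to S304 together with the third information table (header identifiers of restored data the gateway could not parse) as an added illustration written for this page, not the patent's code. The toy container format, the parser registry, the header length and the marker used by the stand-in security engine are constructed assumptions and correspond to no real application-layer protocol:

```python
from typing import Callable, Dict, List, Set, Tuple

# Added illustration of S302-S304 plus the third information table. The toy
# format, parser registry and sample payloads are constructed for this example.

HEADER_LEN = 4            # assumed: the first 4 bytes of restored data identify its format
DstKey = Tuple[str, int]  # destination IP, destination port


def parse_txt1(restored: bytes) -> bytes:
    """Toy application-layer parser: b'TXT1' + 2-byte big-endian length + payload."""
    if len(restored) < HEADER_LEN + 2:
        raise ValueError("truncated header")
    length = int.from_bytes(restored[HEADER_LEN:HEADER_LEN + 2], "big")
    body = restored[HEADER_LEN + 2:]
    if len(body) != length:
        raise ValueError("length mismatch")
    return body


# "installed application layer programs", keyed by header identifier (constructed)
PARSERS: Dict[bytes, Callable[[bytes], bytes]] = {b"TXT1": parse_txt1}


class ProxyState:
    def __init__(self) -> None:
        self.third_table: Set[bytes] = set()    # header ids known to be unparseable
        self.second_table: Set[DstKey] = set()  # destinations that need no SSL proxy


def handle_offloaded(restored: bytes, dst: DstKey, state: ProxyState,
                     validity_check: Callable[[bytes], bool]) -> str:
    """Decide what to do with already-offloaded (decrypted) data bound for dst.

    Returns 'forward' (re-encrypt and proxy-forward) or 'block'. Side effects on
    state.third_table and state.second_table implement S302 and S304.
    """
    header_id = restored[:HEADER_LEN]
    if header_id in state.third_table:
        # third-table hit: known unparseable, skip S303/S304 and forward
        return "forward"
    parser = PARSERS.get(header_id)
    restored_file = None
    if parser is not None:
        try:
            restored_file = parser(restored)
        except ValueError:
            restored_file = None
    if restored_file is None:
        # S304: no restored file -> remember the header, stop proxying this destination
        state.third_table.add(header_id)
        state.second_table.add(dst)
        return "forward"
    # S303: validity detection on the restored file
    return "forward" if validity_check(restored_file) else "block"


def toy_engine(restored_file: bytes) -> bool:
    """Constructed stand-in for the security engine: reject files carrying a marker."""
    return b"MALICIOUS" not in restored_file


def demo() -> Tuple[List[str], List[bytes], List[DstKey]]:
    """Run a constructed sequence of offloaded payloads; returns decisions and table state."""
    state = ProxyState()
    dst = ("203.0.113.10", 8443)
    good = b"TXT1" + (5).to_bytes(2, "big") + b"hello"
    bad = b"TXT1" + (9).to_bytes(2, "big") + b"MALICIOUS"
    unknown = b"BIN9" + b"\x00\x01\x02"  # no parser installed for this header
    decisions = [
        handle_offloaded(good, dst, state, toy_engine),
        handle_offloaded(bad, dst, state, toy_engine),
        handle_offloaded(unknown, dst, state, toy_engine),  # learns header and dst
        handle_offloaded(unknown, dst, state, toy_engine),  # third-table hit
    ]
    return decisions, sorted(state.third_table), sorted(state.second_table)
```

The third table is what makes the "uncertain whether a restored file can be obtained" test cheap: a parse attempt is made at most once per unrecognized header identifier, and after that the destination is served by the fast forwarding flow.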
In one embodiment of the present application, each node in the second information table may further include a last SSL offload time and an offload execution count. The SSL proxy processing unit may further include a data update subunit, a judging subunit, and a pruning subunit.
The data update subunit is used for updating the last SSL offload time and/or the offload execution count when SSL offload processing is performed on the data packet to be detected;
the judging subunit is used for judging whether the number of nodes in the second information table exceeds a threshold value;
the pruning subunit is configured to prune the nodes in the second information table according to the last SSL offload time and/or offload execution count of the nodes in the second information table when the number of nodes in the second information table exceeds the threshold.
In this embodiment of the application, the deleting unit of the SSL proxy processing unit may further delete the node including the first quintuple in the first information table when the TCP connection with the source device is already established and the packet to be detected includes the waving ACK information.
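The node bookkeeping and pruning of steps S107 and S108 (the data update, judging and pruning subunits just described, and the two deletion variants given earlier: exceeding a preset idle duration or falling below a set offload count, or falling below the medians) as an added illustration written for this page, not the patent's code. The thresholds, the timestamps and the rule that a node is removed by the median variant only when it is below the median on both criteria are assumptions for the example:

```python
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Tuple

# Added illustration of S107/S108. Thresholds, timestamps and the "below the median
# on both criteria" rule are assumptions for this example, not the patent's code.

DstKey = Tuple[str, int]


@dataclass
class NoProxyNode:
    ssl_establish_time: float  # when an SSL session to this destination was first set up
    last_offload_time: float   # most recent SSL offload for this destination
    offload_count: int = 0     # how many offloads were executed


class NoProxyTable:
    """Second information table with the additional per-node fields."""

    def __init__(self, max_nodes: int, max_idle: float, min_count: int) -> None:
        self.nodes: Dict[DstKey, NoProxyNode] = {}
        self.max_nodes = max_nodes  # S107 threshold on the node count
        self.max_idle = max_idle    # preset duration since the last offload
        self.min_count = min_count  # preset minimum offload count

    def record_offload(self, key: DstKey, now: float) -> None:
        """Data update subunit: refresh a node each time an SSL offload is performed."""
        node = self.nodes.get(key)
        if node is None:
            self.nodes[key] = NoProxyNode(ssl_establish_time=now, last_offload_time=now,
                                          offload_count=1)
        else:
            node.last_offload_time = now
            node.offload_count += 1

    def over_threshold(self) -> bool:
        """Judging subunit (S107)."""
        return len(self.nodes) > self.max_nodes

    def prune_by_limits(self, now: float) -> List[DstKey]:
        """S108, first variant: drop idle nodes and rarely offloaded nodes."""
        victims = [k for k, n in self.nodes.items()
                   if now - n.last_offload_time > self.max_idle
                   or n.offload_count < self.min_count]
        for k in victims:
            del self.nodes[k]
        return victims

    def prune_by_median(self) -> List[DstKey]:
        """S108, second variant: drop nodes below the median on both criteria."""
        if len(self.nodes) < 2:
            return []
        t_med = median(n.last_offload_time for n in self.nodes.values())
        c_med = median(n.offload_count for n in self.nodes.values())
        victims = [k for k, n in self.nodes.items()
                   if n.last_offload_time < t_med and n.offload_count < c_med]
        for k in victims:
            del self.nodes[k]
        return victims


def build_sample() -> NoProxyTable:
    """Constructed table: four destinations with different offload histories (seconds)."""
    table = NoProxyTable(max_nodes=3, max_idle=60.0, min_count=2)
    history = {
        ("203.0.113.1", 8443): [5, 40, 100],  # recent and frequent
        ("203.0.113.2", 8443): [50],          # single offload, now idle
        ("203.0.113.3", 8443): [60, 70, 90],  # recent and frequent
        ("203.0.113.4", 8443): [1, 2, 10],    # frequent once, long idle
    }
    for key, stamps in history.items():
        for ts in stamps:
            table.record_offload(key, ts)
    return table
```

With the sample table and `now = 120`, the limits variant removes the idle nodes `.2` and `.4` and the table drops back under the threshold; the median variant on the same table removes only `.2`, the node that is both older and less used than the median. Which variant keeps the lookup cost of step S104 bounded at an acceptable loss of learned destinations is a tuning decision for the gateway.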
Based on the inventive concept, the application also provides an electronic device. Fig. 4 is a schematic structural diagram of an electronic device provided in an embodiment of the present application. As shown in fig. 4, the first server comprises at least one processor 21, at least one memory 22 and at least one communication interface 23. A communication interface 23 for information transmission with an external device.
The various components in the first server are coupled together by a bus system 24. Understandably, the bus system 24 is used to enable connective communication between these components. The bus system 24 includes a power bus, a control bus, and a status signal bus in addition to a data bus. For clarity of illustration, the various buses are labeled as bus system 24 in fig. 4.
It will be appreciated that the memory 22 in this embodiment may be either volatile memory or nonvolatile memory, or may include both volatile and nonvolatile memory. In some embodiments, memory 22 stores elements, executable units or data structures, or a subset thereof, or an expanded set thereof: an operating system and an application program.
The operating system includes various system programs, such as a framework layer, a core library layer, a driver layer, and the like, and is used for implementing various basic tasks and processing hardware-based tasks. The application programs include various application programs such as a media player (MediaPlayer), a Browser (Browser), etc. for implementing various application tasks. The program for implementing the packet detection method provided by the embodiment of the present disclosure may be included in an application program.
In the embodiment of the present disclosure, the processor 21 is configured to call a program or an instruction stored in the memory 22, specifically, the program or the instruction stored in the application program, and the processor 21 is configured to execute each step of the packet detection method provided by the embodiment of the present disclosure.
The packet detection method provided by the embodiment of the present disclosure may be applied to the processor 21, or implemented by the processor 21. The processor 21 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by instructions in the form of hardware integrated logic circuits or software in the processor 21. The processor 21 may be a general-purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
The steps of the packet detection method provided by the embodiment of the present disclosure may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software units in a hardware decoding processor. The software units may be located in RAM, flash memory, ROM, PROM, EPROM, registers, or other storage media that are well known in the art. The storage medium is located in the memory 22, and the processor 21 reads the information in the memory 22 and performs the steps of the method in combination with its hardware.
The embodiments of the present disclosure further provide a non-transitory computer-readable storage medium, where the non-transitory computer-readable storage medium stores a program or an instruction, and the program or the instruction causes a computer to perform the steps of the packet detection method in each embodiment, and in order to avoid repeated description, details are not repeated here.
It is noted that, in this document, relational terms such as "first" and "second," and the like, are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in the process, method, article, or apparatus that comprises the element.
The foregoing are merely exemplary embodiments of the present disclosure, which enable those skilled in the art to understand or practice the present disclosure. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the disclosure. Thus, the present disclosure is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (11)

1. A data packet detection method is applied to gateway equipment and is characterized by comprising the following steps:
acquiring a first quintuple of a data packet to be detected; the first quintuple comprises a first source IP, a first source port, a first destination IP, a first destination port and a first transport layer protocol;
inquiring whether a first information table has a corresponding node or not according to the first quintuple; the nodes of the first information table comprise quintuple of which the connection is established and the processing flow corresponding to the established connection;
under the condition that the first information table has corresponding nodes, processing the data packet to be detected by adopting a processing flow corresponding to the established connection;
under the condition that the first information table has no corresponding node, searching whether a second information table has a corresponding node according to the first destination IP and the first destination port; the nodes of the second information table comprise destination IP and destination ports without SSL proxy;
under the condition that no corresponding node exists in the second information table, processing the data packet to be detected by adopting an SSL proxy process; and creating a new node in the first information table according to the first quintuple and the SSL proxy process;
under the condition that the corresponding node exists in the second information table, processing the data packet to be detected by adopting a fast forwarding process; and creating a new node in the first information table according to the first quintuple and the fast forwarding flow.
2. The method for detecting the data packet according to claim 1, wherein the processing of the data packet to be detected by using an SSL proxy process includes:
judging whether the data packet to be detected comprises handshake ACK information or not;
establishing TCP connection with source equipment under the condition that the data packet to be detected comprises handshake ACK information; the source device is a device for sending the data packet to be detected.
3. The method for detecting the data packet according to claim 1, wherein in a case of establishing a TCP connection with a source device, processing the data packet to be detected by using an SSL proxy process includes:
judging whether the data packet to be detected comprises information related to SSL connection;
and under the condition that the data packet to be detected does not comprise information related to SSL connection, adding a new node in the second information table according to the first destination IP and the first destination port.
4. The method of claim 3, wherein determining whether the packet to be detected includes information related to the SSL connection comprises:
and judging whether the data packet to be detected comprises SSL connection establishment information or not, or judging whether the data packet to be detected comprises SSL encryption information or not.
5. The method according to claim 4, wherein in case that it is determined that the packet to be detected includes SSL connection establishment information, the method further comprises:
and establishing SSL connection with the source equipment with the IP address being the first source IP.
6. The packet inspection method according to claim 4, wherein in a case where it is determined that the packet to be inspected includes SSL encryption information, the method further comprises:
performing SSL unloading processing on the data packet to be detected to obtain restored data;
under the condition that whether the gateway equipment can obtain a restored file according to the restored data is uncertain, trying to analyze the restored data to obtain the restored file;
carrying out validity detection on the restored file under the condition that the restored file can be obtained;
and under the condition that the restored file cannot be obtained, adding a new node in the second information table according to the first destination IP and the first destination port.
7. The method of claim 6, further comprising:
each node in the second information table further comprises the last SSL unloading time and the number of times of unloading execution; the method further comprises the following steps:
updating the last SSL unloading time and/or the unloading execution times when the SSL unloading processing is carried out on the data packet to be detected;
judging whether the number of the nodes of the second information table exceeds a threshold value;
and deleting the nodes in the second information table according to the last SSL unloading time and/or the unloading execution times of the nodes in the second information table under the condition that the number of the nodes in the second information table exceeds a threshold value.
8. The packet inspection method according to claim 1, further comprising, in the case of establishing a TCP connection with the source device:
and under the condition that the data packet to be detected comprises waving ACK information, deleting the nodes comprising the first quintuple in the first information table.
9. A data packet detection device is applied to gateway equipment and is characterized by comprising:
the acquisition unit is used for acquiring a first quintuple of the data packet to be detected; the first quintuple comprises a first source IP, a first source port, a first destination IP, a first destination port and a first transport layer protocol;
the first query unit is used for querying whether a first information table has a corresponding node or not according to the first quintuple; the nodes of the first information table comprise quintuple of established connection and processing flows corresponding to the established connection;
a second query unit, configured to, when there is no corresponding node in the first information table, search, according to the first destination IP and the first destination port, whether there is a corresponding node in a second information table; the nodes of the second information table comprise destination IP and destination ports without SSL proxy;
the SSL proxy processing unit is used for processing the data packet to be detected by adopting an SSL proxy process under the condition that no corresponding node exists in the second information table; and creating a new node in the first information table according to the first quintuple and the SSL proxy process;
a fast forwarding processing unit, configured to process the to-be-detected data packet by using a fast forwarding process when there is a corresponding node in the second information table; and creating a new node in the first information table according to the first quintuple and the fast forwarding flow.
10. An electronic device comprising a processor and a memory;
the processor is adapted to perform the steps of the packet detection method of any of claims 1 to 8 by calling a program or instructions stored in the memory.
11. A computer-readable storage medium, characterized in that it stores a program or instructions for causing a computer to perform the steps of the packet detection method according to any one of claims 1 to 8.
CN202011529939.9A 2020-12-22 2020-12-22 Data packet detection method and device Active CN112615867B (en)

Publications (2)

Publication Number Publication Date
CN112615867A CN112615867A (en) 2021-04-06
CN112615867B true CN112615867B (en) 2022-07-12

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant