CN112804251A - Android application traffic filtering method and system based on userId - Google Patents
- Publication number: CN112804251A (application CN202110136774.7A)
- Authority
- CN
- China
- Prior art keywords
- userid
- nflog
- label
- message pool
- flow
- Prior art date
- Legal status: Granted
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
          - H04L63/0227—Filtering policies
        - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
          - H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
            - H04L63/1425—Traffic logging, e.g. anomaly detection
          - H04L63/1441—Countermeasures against malicious traffic
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
An Android application traffic filtering method and system based on userId belong to the technical field of network security. The method comprises the following steps: step one, reading the userId of a specified application from the Android device; step two, using iptables to attach a flow label to the specified userId; step three, writing iptables rules that put the INPUT and OUTPUT packets whose flow label is the userId into an NFLOG message pool, and assigning a label to that NFLOG message pool; step four, obtaining the pure traffic set corresponding to the target userId from the NFLOG message pool. The invention solves the problem that the network traffic of an application cannot be accurately analyzed because the traffic of all applications is mixed together in one network.
Description
Technical Field
The invention relates to the technical field of network security, in particular to a method and a system for filtering Android application traffic based on userId.
Background
With the rapid development of the internet, new internet applications appear continuously and the volume of network traffic keeps growing. A large part of that traffic is Android application traffic, so identifying and analyzing the traffic generated by Android devices is of great importance for network traffic management and malicious traffic detection.
When an Android device runs, the network traffic generated by all of its applications is mixed together in one network, so the traffic of a single application cannot be accurately analyzed on its own.
There are several traditional methods for filtering network application traffic. One is port-based filtering, but with the rapid growth in the number of internet applications, port filtering misses traffic whose ports change dynamically. The other is manual purification of network traffic, that is, analyzing data traffic with human knowledge and experience; this depends on the analyst's knowledge and experience, is time-consuming and labor-intensive, and for proprietary protocols or encrypted traffic it is difficult for a person to perform effective analysis directly.
Therefore, when the network application traffic needs to be identified and detected, it is necessary to obtain the pure traffic of the specified network application.
Disclosure of Invention
The present invention has been developed in order to solve the above-mentioned technical problems, and a brief summary of the present invention is given below in order to provide a basic understanding of some aspects of the present invention. It should be understood that this summary is not an exhaustive overview of the invention. It is not intended to determine the key or critical elements of the present invention, nor is it intended to limit the scope of the present invention.
The technical scheme of the invention is as follows:
An Android application traffic filtering method based on userId comprises the following steps:
Step one: reading the userId of a specified application from the Android device;
Step two: using iptables to attach a flow label to the specified userId;
Step three: writing iptables rules that put the INPUT and OUTPUT packets whose flow label is the userId into an NFLOG message pool, and assigning a label to the NFLOG message pool;
Step four: obtaining the pure traffic set corresponding to the target userId from the NFLOG message pool.
Preferably, in step one, the userId is obtained from the path /data/system/packages.xml.
Preferably, the flow label in step two is set by means of the CONNMARK target of iptables.
Preferably, the iptables rules in step three are as follows:
Rule 1: packets carrying the flow label in the inbound flow are put into the NFLOG message pool with the specified label;
Rule 2: packets carrying the flow label in the outbound flow are put into the NFLOG message pool with the specified label.
Preferably, the label (number) of the NFLOG message pool is the userId of the specified application.
Preferably, the pure traffic set in step four is obtained as follows:
Step four-one: sending the data in the NFLOG message pool to a virtual network card;
Step four-two: capturing the packets from the virtual network card of step four-one with tcpdump and storing them.
Preferably, the virtual network card from which the packets are captured and stored is named "nflog:label".
Preferably, the data in each packet comprises a link layer, a network layer, a transport layer and an application layer.
Preferably, in step four-two, when the packets are captured, the link-layer header is replaced by the log header of the NFLOG Linux kernel network filter.
An Android application traffic filtering system based on userId comprises a userId acquiring unit, an iptables rule setting unit and a traffic acquiring and storing unit; the userId acquiring unit is used for acquiring the userId of the specified application; the iptables rule setting unit is used for setting iptables rules, marking the stream of the userId with a stream label, putting a data packet carrying the stream label into an NFLOG message pool, and setting a label for the message pool; and the traffic acquiring and storing unit is used for acquiring and storing the data packet from the NFLOG message pool.
The invention has the following beneficial effects:
1. each application's traffic is filtered rapidly;
2. application traffic data is filtered more quickly and accurately;
3. the cost of manual work is saved;
4. proprietary-protocol or encrypted traffic can be analyzed directly and efficiently.
Drawings
Fig. 1 is a flowchart of an Android application traffic filtering method based on userId.
FIG. 2 is a structural diagram of a userId-based Android application traffic filtering system.
Detailed Description
In order that the objects, aspects and advantages of the invention will become more apparent, the invention will be described by way of example only, and in connection with the accompanying drawings. It is to be understood that such description is merely illustrative and not intended to limit the scope of the present invention. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present invention.
The first embodiment is described with reference to FIG. 1. The Android application traffic filtering method based on userId includes the following steps:
Step one: reading the userId (the user identification code of the application) of a specified application from the Android device.
The userId is obtained from the /data/system/packages.xml file of the Android device. packages.xml is generated by PackageManagerService.java and records the attributes, permissions and other information of every APK installed in the system; the file is updated whenever an APK is installed, removed or upgraded. The information in the file is divided into the following parts:
1) permissions block: contains the information of all permissions defined in the system;
2) package block: contains the detailed information of all apps installed in the system;
3) shared-user block: contains the information of all shared users (shareuser) defined in the system;
4) keyset-settings block: contains the public key information of the installed apps' signatures.
The required userId information is found in the package block.
Step two: using iptables to attach a flow label to the specified userId.
The flow label is set through the CONNMARK target of iptables, and the flow label is the userId of the application specified in step one. The steps for labeling the userId's flows are as follows.
Labeling the application's flows:
```shell
iptables -A OUTPUT -m owner --uid-owner 10246 -j CONNMARK --set-mark 10246
```
Filtering the application's packets by the label:
```shell
iptables -A INPUT -m connmark --mark 10246 -j NFLOG --nflog-group 10246
iptables -A OUTPUT -m connmark --mark 10246 -j NFLOG --nflog-group 10246
```
Here 10246 is the userId of the application and can be replaced with a different userId.
Step three: writing iptables rules that put the INPUT and OUTPUT packets whose flow label is the userId into an NFLOG message pool, and assigning a label to the NFLOG message pool.
The iptables rules comprise the following:
Rule 1: packets carrying the flow label in the inbound flow are put into the NFLOG message pool with the assigned label; the label (number) of the message pool is the userId of the application specified in step one.
Rule 2: packets carrying the flow label in the outbound flow are put into the NFLOG message pool with the assigned label; the label (number) of the message pool is the userId of the application specified in step one.
Step four: obtaining the pure traffic set corresponding to the target userId from the NFLOG message pool.
Obtaining the pure traffic comprises the following steps:
Step 401: sending the data of the NFLOG message pool to a virtual network card;
Step 402: capturing the packets from the virtual network card with tcpdump and storing them.
In step 401, the virtual network card is named "nflog:label", where label is the number of the NFLOG message pool (the userId).
In step 402, the link-layer header of each captured packet is the log header of the NFLOG Linux kernel network filter, while the network layer, transport layer and application layer are unchanged.
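The following is an added example (not code from the patent) that carries steps one to four through on the analysis side: it looks up a package's userId in a packages.xml fragment, resolves the sharedUserId case the package block can contain, and emits the CONNMARK/NFLOG rules and the tcpdump command for that uid. SAMPLE_PACKAGES_XML is a constructed excerpt in the shape of /data/system/packages.xml, and the application-uid range check is an assumption added here, not part of the patent's method.

```python
"""Look up an app's userId in packages.xml and emit the per-uid iptables / tcpdump
commands from the method above.

Added example, not the patent's code. SAMPLE_PACKAGES_XML is a constructed fragment
in the shape of /data/system/packages.xml; it is not a real device file.
"""
import xml.etree.ElementTree as ET
from typing import List

# Constructed excerpt: a <package> either carries its own userId or points at a
# <shared-user> via sharedUserId (apps sharing one uid land in one NFLOG group).
SAMPLE_PACKAGES_XML = """<packages>
  <permissions>
    <item name="android.permission.INTERNET" package="android" protection="1" />
  </permissions>
  <package name="com.example.app" codePath="/data/app/com.example.app-1" userId="10246" />
  <package name="com.example.alpha" codePath="/data/app/com.example.alpha-1" sharedUserId="10050" />
  <package name="com.example.beta" codePath="/data/app/com.example.beta-1" sharedUserId="10050" />
  <shared-user name="com.example.shared" userId="10050" />
</packages>
"""


def userid_for_package(xml_text: str, package_name: str) -> int:
    """Return the uid that owns package_name's sockets (resolving sharedUserId)."""
    root = ET.fromstring(xml_text)
    for pkg in root.iter("package"):
        if pkg.get("name") != package_name:
            continue
        uid = pkg.get("userId") or pkg.get("sharedUserId")
        if uid is None:
            raise ValueError(f"{package_name}: no userId or sharedUserId attribute")
        return int(uid)
    raise KeyError(package_name)


def packages_sharing_uid(xml_text: str, uid: int) -> List[str]:
    """Every package whose traffic will land in the same NFLOG group as `uid`."""
    root = ET.fromstring(xml_text)
    return sorted(p.get("name") for p in root.iter("package")
                  if (p.get("userId") or p.get("sharedUserId")) == str(uid))


def iptables_rules(uid: int) -> List[str]:
    """The three rules from the description, in an order that also catches the first
    packet of a connection: mark in OUTPUT first (owner match only exists there),
    then copy both directions of marked connections to NFLOG group <uid>."""
    if not 10000 <= uid % 100000 <= 19999:  # assumed check: Android app uid range
        raise ValueError(f"{uid} is not an application uid")
    return [
        f"iptables -A OUTPUT -m owner --uid-owner {uid} -j CONNMARK --set-mark {uid}",
        f"iptables -A INPUT -m connmark --mark {uid} -j NFLOG --nflog-group {uid}",
        f"iptables -A OUTPUT -m connmark --mark {uid} -j NFLOG --nflog-group {uid}",
    ]


def tcpdump_command(uid: int, out_file: str) -> str:
    """Capture the NFLOG group named after the uid into a pcap (link type NFLOG)."""
    return f"tcpdump -i nflog:{uid} -w {out_file}"


if __name__ == "__main__":
    uid = userid_for_package(SAMPLE_PACKAGES_XML, "com.example.app")
    print("\n".join(iptables_rules(uid) + [tcpdump_command(uid, "/sdcard/app.pcap")]))
```

The generated commands are meant to be run on the rooted device itself; this script only produces them.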
The second embodiment is described with reference to FIG. 2. An Android application traffic filtering system based on userId includes a userId acquisition unit, an iptables rule setting unit, and a traffic acquisition and storage unit; the userId acquisition unit is used to acquire the userId of the specified application; the iptables rule setting unit is used to set iptables rules, mark the flows of the userId with a flow label, put packets carrying the flow label into an NFLOG message pool, and set a label for the message pool; and the traffic acquisition and storage unit is used to acquire packets from the NFLOG message pool and store them as a pcap file.
It should be noted that, in the above embodiments, as long as the technical solutions can be permuted and combined without contradiction, those skilled in the art can exhaust all the possibilities according to the mathematical knowledge of permutation and combination; therefore, the present invention does not describe the permuted and combined technical solutions one by one, but it should be understood that those technical solutions have been disclosed by the present invention.
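The pcap that the storage unit writes comes from an nflog: interface, so its link type is NFLOG rather than Ethernet, and the link-layer header is the NFLOG log header noted above. The following added example (not the patent's code) parses that header, pulls the unchanged IPv4 packet out of the NFULA_PAYLOAD attribute, and uses the NFULA_UID attribute the kernel attaches to packets that have a local socket to check that nothing from another uid slipped through the connmark filter. The pcap bytes are constructed inline so the code runs offline.

```python
"""Parse a tcpdump capture taken on nflog:<group> (pcap link type NFLOG, 239) and
recover the unchanged IPv4 packet from inside the NFLOG link-layer header.

Added example, not the patent's code. The pcap is constructed in-memory so the
code runs offline; the record layout follows the LINKTYPE_NFLOG definition.
"""
import struct
from typing import Dict, List

LINKTYPE_NFLOG = 239
NFULA_PAYLOAD, NFULA_PREFIX, NFULA_UID = 9, 10, 11  # nfnetlink_log attribute types


def parse_nflog_record(data: bytes, endian: str) -> Dict:
    """Fixed header: 1-byte family, 1-byte version, 2-byte group (network order);
    then nlattr-style TLVs (length, type in the capture file's byte order)."""
    family, version, group = struct.unpack(">BBH", data[:4])
    tlvs, off = {}, 4
    while off + 4 <= len(data):
        length, ttype = struct.unpack(endian + "HH", data[off:off + 4])
        if length < 4 or off + length > len(data):
            raise ValueError(f"malformed TLV at offset {off}")
        tlvs[ttype & 0x3FFF] = data[off + 4:off + length]  # drop NLA_F_* flag bits
        off += (length + 3) & ~3                           # TLVs are 4-byte aligned
    return {"family": family, "version": version, "group": group, "tlvs": tlvs}


def read_pcap(blob: bytes) -> List[Dict]:
    """Classic pcap reader restricted to link type NFLOG; honours the file's byte order."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(blob[:4])
    if endian is None:
        raise ValueError("not a classic microsecond-resolution pcap")
    if struct.unpack(endian + "IHHiIII", blob[:24])[6] != LINKTYPE_NFLOG:
        raise ValueError("capture was not taken on an nflog: interface")
    records, off = [], 24
    while off + 16 <= len(blob):
        incl_len = struct.unpack(endian + "IIII", blob[off:off + 16])[2]
        off += 16
        records.append(parse_nflog_record(blob[off:off + incl_len], endian))
        off += incl_len
    return records


def summarize(rec: Dict) -> Dict:
    """Network and transport headers are intact inside NFULA_PAYLOAD (IPv4 only here)."""
    if rec["family"] != 2:                                  # AF_INET
        raise ValueError("sample handles IPv4 records only")
    ip = rec["tlvs"][NFULA_PAYLOAD]
    ihl = (ip[0] & 0x0F) * 4
    uid_tlv = rec["tlvs"].get(NFULA_UID)  # kernel adds it for packets with a local socket
    prefix = rec["tlvs"].get(NFULA_PREFIX, b"").split(b"\x00", 1)[0].decode()
    sport, dport = struct.unpack(">HH", ip[ihl:ihl + 4])
    return {"group": rec["group"], "prefix": prefix,
            "uid": struct.unpack(">I", uid_tlv)[0] if uid_tlv else None,
            "src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
            "proto": ip[9], "sport": sport, "dport": dport}


def foreign_uid_records(records: List[Dict], expected_uid: int) -> List[int]:
    """Indices of records whose NFULA_UID disagrees with the uid being captured:
    a non-empty result means the connmark filtering let another app's traffic in."""
    return [i for i, r in enumerate(records) if summarize(r)["uid"] not in (None, expected_uid)]


def build_sample_pcap(uids: List[int], group: int = 10246) -> bytes:
    """Constructed little-endian pcap: one UDP packet per uid, checksums left zero."""
    def tlv(t: int, v: bytes) -> bytes:
        body = struct.pack("<HH", 4 + len(v), t) + v
        return body + b"\x00" * (-len(body) % 4)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_NFLOG)
    for uid in uids:
        udp = struct.pack(">HHHH", 40000, 53, 13, 0) + b"hello"  # 192.0.2.10 -> 198.51.100.7
        ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000, 64, 17, 0,
                         bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7])) + udp
        rec = (struct.pack(">BBH", 2, 0, group) + tlv(NFULA_PREFIX, b"app\x00")
               + tlv(NFULA_UID, struct.pack(">I", uid)) + tlv(NFULA_PAYLOAD, ip))
        out += struct.pack("<IIII", 1612137600, 0, len(rec), len(rec)) + rec
    return out
```

Inbound packets carry no NFULA_UID, so the cross-check only covers the outbound half of each connection; a real capture is read with `read_pcap(open(path, "rb").read())`.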
This embodiment is only illustrative of the patent and does not limit the scope of protection thereof, and those skilled in the art can make modifications to its part without departing from the spirit of the patent.
Claims (10)
1. An Android application traffic filtering method based on userId, characterized by comprising the following steps:
Step one: reading the userId of a specified application from the Android device;
Step two: using iptables to attach a flow label to the specified userId;
Step three: writing iptables rules that put the INPUT and OUTPUT packets whose flow label is the userId into an NFLOG message pool, and assigning a label to the NFLOG message pool;
Step four: obtaining the pure traffic set corresponding to the target userId from the NFLOG message pool.
2. The Android application traffic filtering method based on userId as claimed in claim 1, wherein: in step one, the userId is obtained from the path /data/system/packages.xml.
3. The Android application traffic filtering method based on userId as claimed in claim 1, wherein: the flow label in step two is set through the CONNMARK target of iptables.
4. The Android application traffic filtering method based on userId as claimed in claim 1, wherein the iptables rules in step three are as follows:
Rule 1: packets carrying the flow label in the inbound flow are put into the NFLOG message pool with the specified label;
Rule 2: packets carrying the flow label in the outbound flow are put into the NFLOG message pool with the specified label.
5. The Android application traffic filtering method based on userId according to claim 1 or 4, characterized in that: the label (number) of the NFLOG message pool is the userId of the specified application.
6. The Android application traffic filtering method based on userId according to claim 1, wherein the pure traffic set in step four is obtained as follows:
Step four-one: sending the data in the NFLOG message pool to a virtual network card;
Step four-two: capturing the packets from the virtual network card of step four-one with tcpdump and storing them.
7. The Android application traffic filtering method based on userId as claimed in claim 6, wherein: the virtual network card from which the packets are captured and stored is named "nflog:label".
8. The Android application traffic filtering method based on userId as claimed in claim 6 or 7, wherein: the data in each packet comprises a link layer, a network layer, a transport layer and an application layer.
9. The Android application traffic filtering method based on userId as claimed in claim 8, wherein: in step four-two, when the packets are captured, the link-layer header is replaced by the log header of the NFLOG Linux kernel network filter.
10. An Android application traffic filtering system based on userId, characterized in that: the system comprises a userId acquisition unit, an iptables rule setting unit and a traffic acquisition and storage unit; the userId acquisition unit is used to acquire the userId of the specified application; the iptables rule setting unit is used to set iptables rules, mark the flows of the userId with a flow label, put packets carrying the flow label into an NFLOG message pool, and set a label for the message pool; and the traffic acquisition and storage unit is used to acquire packets from the NFLOG message pool and store them.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110136774.7A CN112804251B (en) | 2021-02-01 | 2021-02-01 | Android application traffic filtering method and system based on userId |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112804251A true CN112804251A (en) | 2021-05-14 |
CN112804251B CN112804251B (en) | 2022-04-15 |
Family ID: 75813405
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110136774.7A Active CN112804251B (en) | 2021-02-01 | 2021-02-01 | Android application traffic filtering method and system based on userId |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112804251B (en) |
Patent Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102355667A (en) * | 2011-06-30 | 2012-02-15 | 北京邮电大学 | Method and system for controlling network connection of application programs in mobile intelligent terminal system |
US10419351B1 (en) * | 2013-04-04 | 2019-09-17 | Narus, Inc. | System and method for extracting signatures from controlled execution of applications and application codes retrieved from an application source |
US20200092346A1 (en) * | 2016-03-04 | 2020-03-19 | Samsung Electronics Co., Ltd. | Data buffering method and apparatus in adaptive streaming service |
US20200259797A1 (en) * | 2016-06-30 | 2020-08-13 | Wangsu Science & Technology Co., Ltd. | Method and device for directing traffic |
EP3445010A1 (en) * | 2016-10-10 | 2019-02-20 | Wangsu Science & Technology Co., Ltd. | Application program traffic management method, system and terminal device having the system |
US20190173799A1 (en) * | 2016-10-10 | 2019-06-06 | Wangsu Science & Technology Co., Ltd. | Method and system for managing traffic of application programs, and terminal device containing the system |
CN111222547A (en) * | 2019-12-30 | 2020-06-02 | 中国人民解放军国防科技大学 | Traffic feature extraction method and system for mobile application |
CN111224893A (en) * | 2019-12-30 | 2020-06-02 | 中国人民解放军国防科技大学 | VPN-based android mobile phone traffic collection and labeling system and method |
Non-Patent Citations (2)
Title |
---|
SUMIT KUMAR et al.: "Understanding the Behaviour of Privacy in Mobile Apps and Detecting Privacy Leaks", 2019 2nd International Conference on Intelligent Computing, Instrumentation and Control Technologies (ICICICT) * |
Huang Liyun (黄丽云): "Design and Implementation of a Network Traffic Identification and Control System", China Master's Theses Full-text Database (Information Science and Technology Series) * |
Also Published As
Publication number | Publication date |
---|---|
CN112804251B (en) | 2022-04-15 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant ||