CN113014454B - SSL and TLS protocol-based user agent identification and quantity detection method - Google Patents

SSL and TLS protocol-based user agent identification and quantity detection method

Publication number: CN113014454B
Authority: CN (China)
Prior art keywords: ssl, tls, user agent, session, flow
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202110247029.XA
Other languages: Chinese (zh)
Other versions: CN113014454A
Inventors: 张微, 王瑜, 张硕, 王媛娣
Current Assignee: Jizhi Hainan Information Technology Co ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Zhongdian Jizhi Hainan Information Technology Co ltd
Events: application filed by Zhongdian Jizhi Hainan Information Technology Co ltd; priority to CN202110247029.XA; publication of CN113014454A; application granted; publication of CN113014454B; legal status Active; anticipated expiration

Classifications (all under H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION)

    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 ... for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 ... wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/08 ... for authentication of entities
    • H04L63/0807 ... for authentication of entities using tickets, e.g. Kerberos
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/166 Implementing security features at a particular protocol layer at the transport layer
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/56 Provisioning of proxy services
    • H04L2101/00 Indexing scheme associated with group H04L61/00
    • H04L2101/30 Types of network names

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses an SSL and TLS protocol-based user agent identification and quantity detection method, which comprises an SSL/TLS traffic acquisition module, a user agent identification module and a user agent quantity detection module, and comprises the following steps: S1, SSL/TLS traffic acquisition: acquire the monitored traffic through the SSL/TLS traffic acquisition module and identify the SSL/TLS traffic within it; S2, user agent identification: the input is the passive traffic. The method relates to the technical field of network information security. The SSL and TLS protocol-based user agent identification and quantity detection method constructs the user agent identifier from SSL/TLS traffic; compared with extracting the user agent identifier from plaintext network traffic through deep packet inspection, it applies to a wider range of user agents, namely all user agents that use SSL/TLS-encrypted traffic, and it can process that encrypted traffic. The number of user agents present is judged from the number of Session Tickets that are alive at the same time in the Session Ticket sequence corresponding to the same user agent identifier.

Description

SSL and TLS protocol-based user agent identification and quantity detection method
Technical Field
The invention relates to the technical field of network information security, in particular to a user agent identification and quantity detection method based on SSL and TLS protocols.
Background
The user agent:
A user agent is a program, a software agent, that acts on behalf of a user. For example, a web browser is a "user agent that helps a user obtain, render and interact with web content"; an e-mail client is a user agent that helps a user edit, send and receive mail; similarly, for a common IM tool such as WeChat, the Windows client, Android client, iOS client and Web client can all be regarded as user agents through which users use the WeChat service.
In application layer protocols such as HTTP, SIP and SMTP/NNTP, when a user agent makes a request to a server it attaches a field named "User-Agent" that identifies the model and version of the user agent, i.e. a user agent identifier. For most services such as FTP, Telnet and NFS, however, the user agents of these protocols attach no such model or version information, and in addition more and more user agents choose to encrypt their data with the SSL/TLS protocol for the sake of network security, so in many cases the user agent identifier cannot be obtained from plaintext network traffic through deep packet inspection.
JA3 fingerprint:
A JA3 fingerprint is the MD5 hash of fields such as the cipher suites and extensions in a Client Hello message. Different user agents use different SSL/TLS implementations: as long as the SSL/TLS standard is met, a programmer is free to choose which cipher suites to offer and which extensions to enable in an open source library such as OpenSSL.
The information that goes into the JA3 fingerprint, such as the cipher suites and extension fields, is contained in the Client Hello message sent by a user agent and forms a basis for distinguishing different user agents.
SSL/TLS Session Ticket:
An SSL/TLS Session Ticket is an SSL/TLS session reuse (resumption) mechanism. In the SSL/TLS handshake phase a user agent can attach a Session Ticket to its Client Hello message; the Session Ticket contains information such as the session key of the previous SSL/TLS connection, encrypted with a dedicated server key (the STEK), so that the previous TLS connection can be resumed and the time needed to establish the TLS connection is reduced.
Because an SSL/TLS Session Ticket contains random components, whenever the same Session Ticket value appears in the SSL/TLS traffic, SSL/TLS session reuse is taking place, and the life cycle of an SSL/TLS session can be deduced from the time difference between the first and the last appearance of the same Session Ticket in the SSL/TLS traffic. The invention provides a method for detecting the number of user agents of the same kind based on the life cycle of the SSL/TLS session.
Disclosure of Invention
(I) Technical problem to be solved
Aiming at the defects of the prior art, the invention provides a user agent identification and quantity detection method based on the SSL and TLS protocols, which solves the problem that it is difficult to generate a proper identifier for a user agent that uses SSL/TLS-encrypted traffic.
(II) Technical scheme
In order to achieve the purpose, the invention is realized by the following technical scheme: an SSL and TLS protocol-based user agent identification and quantity detection method comprises an SSL/TLS traffic acquisition module, a user agent identification module and a user agent quantity detection module, and comprises the following steps:
S1, SSL/TLS traffic acquisition: acquire the monitored traffic through the SSL/TLS traffic acquisition module and identify the SSL/TLS traffic within it;
S2, user agent identification: the input is the passive traffic; a user agent identifier, namely the triple (JA3 fingerprint, server domain name, server IP), is extracted from each TLS Client Hello message of the passive traffic;
S3, user agent number detection: first, extract the user agent identifier and the Session Ticket value in the Session Ticket extension field from each TLS Client Hello message, record the time stamp at which each Client Hello message reaches the analysis module, and construct a time-stamped Session Ticket sequence for each user agent identifier;
then analyze the Session Ticket sequence of each user agent and find the lifetime of each Session Ticket, namely the time from the first occurrence of that Session Ticket to its last occurrence;
for each time point in the Session Ticket sequence, count the Session Tickets whose lifetime includes that time point; this count is the number of user agents present at that time point.
Further, the SSL/TLS traffic obtained in step S1 is used as the input traffic to be processed by the user agent identifier and the user agent number detection module.
Further, the passive traffic in the step S2 is the identified SSL/TLS traffic in the step S1.
Further, in step S2 the JA3 fingerprint is the MD5 hash of the decimal string concatenation of the SSL/TLS protocol version number in the SSL/TLS Client Hello message, each Cipher Suite, each Extension type number, each Support Group in the Support Group extension field and each EC Point Format in the EC Point Format extension field.
Further, the Server Name in the step S2 is the content of the Server Name Indication extension field in the Client Hello message.
Further, the user agent identification in step S2 applies to all user agents that use SSL/TLS-encrypted traffic, and it can process SSL/TLS-encrypted traffic.
Further, in step S3 a user agent may use the same TLS session to initiate TLS connection requests multiple times, that is, send out multiple Client Hello packets; all of these Client Hello packets then carry a Session Ticket, and the Session Tickets have the same value. The network behaviour of the user agent thus forms a Session Ticket sequence.
Further, the Session Ticket lifetime in step S3 is the period between the first and the last occurrence of a Session Ticket in the Session Ticket sequence.
Furthermore, during data transmission the SSL/TLS traffic passes through a server and its installation equipment. The installation equipment comprises a mounting frame and a server body; a mounting groove is formed in the bottom of the mounting frame, a radiating groove and a through hole are formed in the mounting frame, a connecting groove is formed in the top of the mounting frame, a radiating fan is fixedly connected to one side of the mounting frame, the input end of the radiating fan communicates with the inside of the radiating groove, a ventilation cover is arranged on the inner surface of the connecting groove, a connecting pipe is fixedly connected to the bottom of the ventilation cover, a drainage cover is fixedly connected to the inner surface of the ventilation cover, a filter screen cover is fixedly connected to the top of the drainage cover, the inside of the filter screen cover communicates with the inside of the drainage cover, a rotating cover is rotatably connected to the top of the filter screen cover, a cleaning brush plate is fixedly connected to the bottom of the rotating cover, the surface of the cleaning brush plate matches the outer surface of the filter screen cover, and a baffle is fixedly connected to the inner surface of the ventilation cover.
Further, the inside of the radiating groove communicates with the inside of the mounting groove through the through hole, the inside of the connecting groove communicates with the inside of the mounting groove, and the surface of the server body is mounted on the inner side of the mounting groove.
(III) advantageous effects
The invention has the following beneficial effects:
(1) The SSL and TLS protocol-based user agent identification and quantity detection method uses the triple of JA3 fingerprint, server domain name and server IP as the user agent identifier. Compared with extracting the user agent identifier from plaintext network traffic through deep packet inspection, constructing the identifier from SSL/TLS traffic applies to a wider range of user agents, namely all user agents that use SSL/TLS-encrypted traffic, and can process SSL/TLS-encrypted traffic.
(2) In the SSL and TLS protocol-based user agent identification and quantity detection method, Session Tickets are carried in the Client Hello messages and have the same value, so the network behaviour of a user agent forms a Session Ticket sequence, and the number of user agents present can be judged from the number of Session Tickets that are alive at the same time in the Session Ticket sequence corresponding to the same user agent identifier.
Of course, it is not necessary for any product that practices the invention to achieve all of the above-described advantages simultaneously.
Drawings
FIG. 1 is a general framework diagram of a SSL/TLS protocol-based user agent identification and quantity detection method provided by the present invention;
FIG. 2 is the contents of Session Ticket in the Session Ticket extension field in the SSL/TLS Client Hello message provided by the present invention;
FIG. 3 is a schematic structural diagram of an installation device of a server in use according to the SSL/TLS protocol-based user agent identification and quantity detection method provided in the present invention;
FIG. 4 is a schematic view of the structure of the portion of the ventilation hood of FIG. 3 according to the present invention;
FIG. 5 is an enlarged view of portion A of FIG. 4 in accordance with the present invention;
In the figures: 1 mounting frame, 11 mounting groove, 12 radiating groove, 13 through hole, 14 connecting groove, 2 server body, 3 radiating fan, 4 ventilating hood, 41 connecting pipe, 5 drainage hood, 51 filter screen cover, 6 rotating hood, 61 cleaning brush plate, 7 baffle plate.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In the description of the present invention, it is to be understood that the terms "opening," "upper," "lower," "thickness," "top," "middle," "length," "inner," "peripheral," and the like are used in an orientation or positional relationship that is merely for convenience in describing and simplifying the description, and do not indicate or imply that the referenced component or element must have a particular orientation, be constructed and operated in a particular orientation, and thus should not be considered as limiting the present invention.
Referring to FIGS. 1-5, an embodiment of the present invention provides a technical solution: an SSL and TLS protocol-based user agent identification and quantity detection method, comprising an SSL/TLS traffic acquisition module, a user agent identification module and a user agent quantity detection module, and comprising the following steps:
S1, SSL/TLS traffic acquisition: acquire the monitored traffic through the SSL/TLS traffic acquisition module and identify the SSL/TLS traffic within it;
S2, user agent identification: the input is the passive traffic; a user agent identifier, namely the triple (JA3 fingerprint, server domain name, server IP), is extracted from each TLS Client Hello message of the passive traffic;
S3, user agent number detection: first, extract the user agent identifier and the Session Ticket value in the Session Ticket extension field from each TLS Client Hello message, record the time stamp at which each Client Hello message reaches the analysis module, and construct a time-stamped Session Ticket sequence for each user agent identifier;
then analyze the Session Ticket sequence of each user agent and find the lifetime of each Session Ticket, namely the time from the first occurrence of that Session Ticket to its last occurrence;
for each time point in the Session Ticket sequence, count the Session Tickets whose lifetime includes that time point; this count is the number of user agents present at that time point.
The SSL/TLS traffic obtained in step S1 is used as the input traffic to be processed by the user agent identifier and the user agent number detection module.
The passive traffic in the step S2 is the identified SSL/TLS traffic in the step S1.
The JA3 fingerprint in step S2 is the MD5 hash of the decimal string concatenation of the SSL/TLS protocol version number in the SSL/TLS Client Hello message, each Cipher Suite, each Extension type number, each Support Group in the Support Group extension field and each EC Point Format in the EC Point Format extension field.
The Server Name in the step S2 is the content of the Server Name Indication extension field in the Client Hello message.
The user agent identification in step S2 applies to all user agents that use SSL/TLS-encrypted traffic, and it can process SSL/TLS-encrypted traffic.
In step S3 a user agent may use the same TLS session to initiate TLS connection requests multiple times, that is, send out multiple Client Hello packets; all of these Client Hello packets then carry a Session Ticket, and the Session Tickets have the same value. The network behaviour of the user agent thus forms a Session Ticket sequence.
The Session Ticket lifetime in step S3 is the period between the first and the last occurrence of a Session Ticket in the Session Ticket sequence.
With user agent identification based on SSL/TLS protocol traffic, the server domain name or server IP accessed by a given user agent is usually fixed, and different kinds of user agents access different server domain names or server IPs: for example, the server domain name accessed by the paupul application differs from the server domain name accessed by the WeChat application;
a special case is the browser, which can access any domain name on the internet; for a browser it can be considered that many kinds of user agents exist within the one browser, and the browser accessing the service corresponding to a given domain name is regarded as a user agent "dedicated" to that domain name.
The invention uses the triple of JA3 fingerprint, server domain name and server IP as the user agent identifier. This constructs the identifier from SSL/TLS traffic and, compared with extracting it from plaintext network traffic through deep packet inspection, applies to a wider range of user agents, namely all user agents using SSL/TLS-encrypted traffic, and can process the SSL/TLS-encrypted traffic.
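As an added illustration (not code from the patent or its applicant), the following Python assembles a sample TLS 1.2 Client Hello, parses the fields named in step S2, builds the JA3 string and its MD5 fingerprint, and returns the (JA3, server domain name, server IP) triple together with the Session Ticket extension value used in step S3. The Client Hello contents, the domain name and the IP are constructed sample values; the code also skips GREASE values the way JA3 implementations do, which is an assumption beyond what the patent text states.

```python
import hashlib
import struct
from dataclasses import dataclass, field

# GREASE values (0x0a0a, 0x1a1a, ..., 0xfafa) are random filler that browsers insert
# into cipher, extension and group lists; JA3 tools drop them so the hash stays stable.
GREASE = {0x0a0a + 0x1010 * i for i in range(16)}


def _u16s(values):
    """Pack a list of 16-bit values big-endian."""
    return b"".join(struct.pack("!H", v) for v in values)


def build_client_hello(version, ciphers, groups, point_formats, server_name, session_ticket=b""):
    """Assemble a TLS 1.2 ClientHello record. Constructed sample input, not a real capture."""
    name = server_name.encode()
    sni = struct.pack("!H", len(name) + 3) + b"\x00" + struct.pack("!H", len(name)) + name
    ext_list = [
        (0x0000, sni),                                                 # server_name
        (0x000a, struct.pack("!H", 2 * len(groups)) + _u16s(groups)),  # supported_groups
        (0x000b, bytes([len(point_formats)]) + bytes(point_formats)),  # ec_point_formats
        (0x1a1a, b""),                                                 # GREASE extension
        (0x0023, session_ticket),                                      # session_ticket
    ]
    exts = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in ext_list)
    body = (struct.pack("!H", version) + b"\x11" * 32 + b"\x00"       # version, random, empty session id
            + struct.pack("!H", 2 * len(ciphers)) + _u16s(ciphers)
            + b"\x01\x00"                                              # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # handshake type 1 = ClientHello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


@dataclass
class ClientHello:
    version: int = 0
    ciphers: list = field(default_factory=list)
    extensions: list = field(default_factory=list)
    groups: list = field(default_factory=list)
    point_formats: list = field(default_factory=list)
    server_name: str = ""
    session_ticket: bytes = b""


def parse_client_hello(record):
    """Extract the JA3 inputs, the SNI name and the Session Ticket from a ClientHello record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    ch = ClientHello()
    p = 9                                                  # 5-byte record header + 4-byte handshake header
    ch.version = struct.unpack_from("!H", record, p)[0]
    p += 2 + 32                                            # client version, 32-byte random
    p += 1 + record[p]                                     # session id (length-prefixed)
    cs_len = struct.unpack_from("!H", record, p)[0]
    p += 2
    ch.ciphers = list(struct.unpack_from("!%dH" % (cs_len // 2), record, p))
    p += cs_len
    p += 1 + record[p]                                     # compression methods (length-prefixed)
    ext_end = p + 2 + struct.unpack_from("!H", record, p)[0]
    p += 2
    while p < ext_end:
        etype, elen = struct.unpack_from("!HH", record, p)
        p += 4
        data = record[p:p + elen]
        p += elen
        ch.extensions.append(etype)
        if etype == 0x0000:                                # SNI: list len(2), name type(1), name len(2), name
            n = struct.unpack_from("!H", data, 3)[0]
            ch.server_name = data[5:5 + n].decode()
        elif etype == 0x000a:                              # supported_groups: len(2), uint16 list
            n = struct.unpack_from("!H", data, 0)[0] // 2
            ch.groups = list(struct.unpack_from("!%dH" % n, data, 2))
        elif etype == 0x000b:                              # ec_point_formats: len(1), uint8 list
            ch.point_formats = list(data[1:1 + data[0]])
        elif etype == 0x0023:                              # session_ticket: opaque ticket bytes
            ch.session_ticket = bytes(data)
    return ch


def ja3_string(ch):
    """version,ciphers,extensions,groups,point_formats as decimal strings, GREASE removed."""
    keep = lambda vals: "-".join(str(v) for v in vals if v not in GREASE)
    return ",".join([str(ch.version), keep(ch.ciphers), keep(ch.extensions),
                     keep(ch.groups), "-".join(str(v) for v in ch.point_formats)])


def ja3_fingerprint(ch):
    return hashlib.md5(ja3_string(ch).encode()).hexdigest()


def user_agent_identifier(record, server_ip):
    """Step S2 triple (JA3, server domain name, server IP) plus the step S3 Session Ticket."""
    ch = parse_client_hello(record)
    return (ja3_fingerprint(ch), ch.server_name, server_ip), ch.session_ticket


# Constructed sample: TLS 1.2, a GREASE cipher, TLS 1.3 and ECDHE suites, x25519/secp256r1.
SAMPLE_HELLO = build_client_hello(0x0303, [0x0a0a, 0x1301, 0x1302, 0xc02b],
                                  [0x1a1a, 29, 23], [0], "example.com", b"\xaa" * 16)

if __name__ == "__main__":
    ident, ticket = user_agent_identifier(SAMPLE_HELLO, "203.0.113.10")
    print(ja3_string(parse_client_hello(SAMPLE_HELLO)))  # 771,4865-4866-49195,0-10-11-35,29-23,0
    print(ident, ticket.hex())
```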
An SSL/TLS Session Ticket sequence is constructed for each user agent identifier in the set of user agent identifiers obtained from the SSL/TLS traffic, and the number of identical user agents present in the monitored traffic within the same time window is judged from that SSL/TLS Session Ticket sequence.
In the SSL/TLS Session Ticket-based user agent number detection method, under normal conditions a user agent may use the same TLS session to initiate TLS connection requests multiple times, i.e. send multiple Client Hello messages; these Client Hello messages all carry a Session Ticket with the same value, so the network behaviour of the user agent forms a Session Ticket sequence, and the number of user agents present can be judged from the number of Session Tickets that are alive at the same time in the Session Ticket sequence corresponding to the same user agent identifier.
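As an added example (not the patent's own code), the following Python builds the time-stamped Session Ticket sequence per identifier, derives each ticket's lifetime from its first and last appearance, counts the tickets alive at every time point, and reports the peak count per identifier within a time window. The observations are a constructed sample; the "ja3-A"/"ja3-B" strings stand in for real JA3 hashes and the tickets are shortened.

```python
from collections import defaultdict

# Constructed sample of Client Hello observations: (timestamp in seconds since the
# capture started, user agent identifier triple from step S2, Session Ticket value).
UA_A = ("ja3-A", "example.com", "203.0.113.10")
UA_B = ("ja3-B", "example.org", "203.0.113.20")
OBSERVED = [
    (100, UA_A, b"T1"),
    (105, UA_A, b"T2"),   # a second instance of the same agent kind resumes a different session
    (110, UA_A, b"T1"),
    (120, UA_A, b"T2"),
    (130, UA_A, b"T3"),   # a ticket seen only once has a lifetime of a single time point
    (131, UA_B, b"T9"),
    (140, UA_A, b"T1"),
]


def ticket_sequences(observed):
    """Step S3, part 1: a time-ordered Session Ticket sequence per user agent identifier."""
    seqs = defaultdict(list)
    for ts, ua_id, ticket in observed:
        seqs[ua_id].append((ts, ticket))
    return {ua_id: sorted(seq) for ua_id, seq in seqs.items()}


def ticket_lifetimes(sequence):
    """Step S3, part 2: lifetime = (first appearance, last appearance) of each ticket value."""
    life = {}
    for ts, ticket in sequence:
        first, last = life.get(ticket, (ts, ts))
        life[ticket] = (min(first, ts), max(last, ts))
    return life


def live_counts(sequence):
    """Step S3, part 3: for each time point, how many tickets' lifetimes include it."""
    life = ticket_lifetimes(sequence)
    return [(ts, sum(1 for first, last in life.values() if first <= ts <= last))
            for ts in sorted({ts for ts, _ in sequence})]


def agents_in_window(sequence, start, end):
    """Agents of one kind within [start, end]: the peak live-ticket count over the
    sequence's time points that fall inside the window (0 if none do)."""
    return max((n for ts, n in live_counts(sequence) if start <= ts <= end), default=0)


def agent_counts(observed, start, end):
    """Peak number of simultaneously present agents per identifier in the window."""
    return {ua_id: agents_in_window(seq, start, end)
            for ua_id, seq in ticket_sequences(observed).items()}


if __name__ == "__main__":
    for ua_id, seq in ticket_sequences(OBSERVED).items():
        print(ua_id, ticket_lifetimes(seq), live_counts(seq))
    print(agent_counts(OBSERVED, 0, 200))  # {UA_A: 2, UA_B: 1}
```

The count assumes each agent instance resumes its own session, so two instances sharing one ticket value would be counted once. In TLS 1.3 the ticket travels as a PSK identity in the pre_shared_key extension rather than in the session_ticket extension, so that is the field to sequence there.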
During data transmission the SSL/TLS traffic passes through a server and its installation equipment. The installation equipment comprises a mounting frame 1 and a server body 2; a mounting groove 11 is formed in the bottom of the mounting frame 1, a heat dissipation groove 12 and a through hole 13 are formed in the mounting frame 1, a connection groove 14 is formed in the top of the mounting frame 1, a heat dissipation fan 3 is fixedly connected to one side of the mounting frame 1, the input end of the heat dissipation fan 3 communicates with the inside of the heat dissipation groove 12, a ventilation hood 4 is arranged on the inner surface of the connection groove 14, a connecting pipe 41 is fixedly connected to the bottom of the ventilation hood 4, a drainage hood 5 is fixedly connected to the inner surface of the ventilation hood 4, a filter screen cover 51 is fixedly connected to the top of the drainage hood 5, the inside of the filter screen cover 51 communicates with the inside of the drainage hood 5, a rotating cover 6 is rotatably connected to the top end of the filter screen cover 51, a cleaning brush plate 61 is fixedly connected to the bottom of the rotating cover 6, the surface of the cleaning brush plate 61 matches the outer surface of the filter screen cover 51, and a baffle 7 is fixedly connected to the inner surface of the ventilation hood 4.
When the mounting frame 1 is in use, a supporting platform is provided at its bottom to support and locate the server body 2, and the bottom of the mounting frame 1 and the supporting platform are fixed together with screws so that the server body 2 can be conveniently installed inside the mounting groove 11.
The heat dissipation groove 12 is of an annular structure and is positioned on the outer side of the mounting groove 11, the heat dissipation groove 12 is communicated with the inside of the mounting groove 11 through the through hole 13, heat generated by the server is conveniently discharged into the heat dissipation groove 12, and after the heat dissipation fan 3 is started, the outward flowing of gas in the heat dissipation groove 12 is accelerated, so that the heat dissipation of the server body is accelerated;
The inner surface of the connection groove 14 has an internal thread and the outer surface of the connecting pipe 41 has an external thread, so the connecting pipe 41 can be screwed into the internal thread of the connection groove 14, which makes the ventilation hood 4 easy to install and remove. An arc-shaped drainage hood 5 is provided on the inner side of the ventilation hood 4, and a filter screen cover 51 is fixedly mounted on the drainage hood 5; the filter screen cover 51 filters the incoming air, and the dust it collects is conveniently cleaned off the surface of the filter screen cover 51 by the rotatably adjustable rotating cover 6 and cleaning brush plate 61. The cleaned-off dust is conveniently collected below the baffle 7 through the curved drainage hood 5; the baffle 7 effectively reduces the influence of the air flowing above on the dust collected below, ensuring stable ventilation.
The inside of the heat dissipation groove 12 is communicated with the inside of the mounting groove 11 through the through hole 13, the inside of the connection groove 14 is communicated with the inside of the mounting groove 11, and the surface of the server body 2 is installed on the inner side of the mounting groove 11.
The through hole 13 facilitates the temperature inside the mounting groove 11 to be transferred to the inside of the heat dissipation groove 12, and guarantees are provided for heat dissipation and ventilation.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
The preferred embodiments of the invention disclosed above are intended to be illustrative only. The preferred embodiments are not intended to be exhaustive or to limit the invention to the precise embodiments disclosed. Obviously, many modifications and variations are possible in light of the above teaching. The embodiments were chosen and described in order to best explain the principles of the invention and the practical application, to thereby enable others skilled in the art to best utilize the invention. The invention is limited only by the claims and their full scope and equivalents.

Claims (10)

1. An SSL and TLS protocol-based user agent identification and quantity detection method, comprising an SSL/TLS traffic acquisition module, a user agent identification module and a user agent quantity detection module, characterized in that the method comprises the following steps:
S1, SSL/TLS traffic acquisition: acquire the monitored traffic through the SSL/TLS traffic acquisition module and identify the SSL/TLS traffic within it;
S2, user agent identification: the input is the passive traffic; a user agent identifier, namely the triple (JA3 fingerprint, server domain name, server IP), is extracted from each TLS Client Hello message of the passive traffic;
S3, user agent number detection: first, extract the user agent identifier and the Session Ticket value in the Session Ticket extension field from each TLS Client Hello message, record the time stamp at which each Client Hello message reaches the analysis module, and construct a time-stamped Session Ticket sequence for each user agent identifier;
then analyze the Session Ticket sequence of each user agent and find the lifetime of each Session Ticket, namely the time from the first occurrence of that Session Ticket to its last occurrence;
for each time point in the Session Ticket sequence, count the Session Tickets whose lifetime includes that time point; this count is the number of user agents present at that time point.
2. The method for detecting the identity and quantity of the user agent based on the SSL and TLS protocols as claimed in claim 1, wherein: the SSL/TLS traffic obtained in step S1 is used as the input traffic to be processed by the user agent identifier and the user agent number detection module.
3. The method for detecting the identity and quantity of the user agent based on the SSL and TLS protocols as claimed in claim 1, wherein: the passive traffic in the step S2 is the identified SSL/TLS traffic in the step S1.
4. The method for detecting the identity and quantity of the user agent based on the SSL and TLS protocols as claimed in claim 1, wherein: the JA3 fingerprint in step S2 is the MD5 hash of the decimal string concatenation of the SSL/TLS protocol version number in the SSL/TLS Client Hello message, each Cipher Suite, each Extension type number, each Support Group in the Support Group extension field and each EC Point Format in the EC Point Format extension field.
5. The method for detecting the identity and quantity of the user agent based on the SSL and TLS protocols as claimed in claim 1, wherein: the Server Name in the step S2 is the content of the Server Name Indication extension field in the Client Hello message.
6. The method for detecting the identity and quantity of the user agent based on the SSL and TLS protocols as claimed in claim 1, wherein: the user agent identification in step S2 can apply to all user agents that use SSL/TLS encrypted traffic and can process SSL/TLS encrypted traffic.
7. The method for detecting the identity and quantity of the user agent based on the SSL and TLS protocols as claimed in claim 1, wherein: in step S3 a user agent may use the same TLS session to initiate TLS connection requests multiple times, that is, send out multiple Client Hello packets, and all of these Client Hello packets then carry Session Tickets with the same Session Ticket value; the network behaviour of this user agent thus forms a Session Ticket sequence.
8. The method for detecting the identity and quantity of the user agent based on the SSL and TLS protocols as claimed in claim 1, wherein: the Session Ticket lifetime in step S3 is the lifetime of a Session Ticket in the first and last time periods of the Session Ticket sequence.
9. The method for detecting the identity and quantity of the user agent based on the SSL and TLS protocols as claimed in claim 1, wherein: the SSL/TLS flow needs to be used in a server and installation equipment thereof in the data transmission process, the installation equipment comprises an installation frame (1) and a server body (2), an installation groove (11) is formed in the bottom of the installation frame (1), a radiating groove (12) and a through hole (13) are formed in the installation frame (1), a connecting groove (14) is formed in the top of the installation frame (1), a radiating fan (3) is fixedly connected to one side of the installation frame (1), the input end of the radiating fan (3) is communicated with the inside of the radiating groove (12), a ventilation hood (4) is arranged on the inner surface of the connecting groove (14), a connecting pipe (41) is fixedly connected to the bottom of the ventilation hood (4), a drainage hood (5) is fixedly connected to the inner surface of the ventilation hood (4), and a mesh enclosure (51) is fixedly connected to the top of the drainage hood (5), the inside of filtering net cover (51) with the inside of drainage cover (5) communicates each other, the top of filtering net cover (51) is rotated and is connected with rotatory cover (6), the bottom fixedly connected with of rotatory cover (6) clears up brush board (61), the surface of clearance brush board (61) with the surface looks adaptation of filtering net cover (51), the internal surface fixed connection of ventilation hood (4) has baffle (7).
10. The method for detecting the identity and quantity of the user agent based on the SSL and TLS protocols as claimed in claim 9, wherein: the inside of the radiating groove (12) communicates with the inside of the installation groove (11) through the through hole (13); the inside of the connecting groove (14) communicates with the inside of the installation groove (11); and the outer surface of the server body (2) is mounted on the inner side of the installation groove (11).
CN202110247029.XA 2021-03-05 2021-03-05 SSL and TLS protocol-based user agent identification and quantity detection method Active CN113014454B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110247029.XA CN113014454B (en) 2021-03-05 2021-03-05 SSL and TLS protocol-based user agent identification and quantity detection method

Publications (2)

Publication Number Publication Date
CN113014454A CN113014454A (en) 2021-06-22
CN113014454B true CN113014454B (en) 2022-06-14

Family

ID=76407319

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110247029.XA Active CN113014454B (en) 2021-03-05 2021-03-05 SSL and TLS protocol-based user agent identification and quantity detection method

Country Status (1)

Country Link
CN (1) CN113014454B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114172645A (en) * 2021-12-06 2022-03-11 北京天融信网络安全技术有限公司 Communication bypass auditing method and device, electronic equipment and storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1972306A (en) * 2006-12-01 2007-05-30 浙江大学 Implementation method of secure socket layer protocol secure proxy multiple authentication
CN103856524A (en) * 2012-12-04 2014-06-11 中山大学深圳研究院 Method and system for identifying legal content on basis of white list of user agent
CN108737328A (en) * 2017-04-14 2018-11-02 新浪网技术(中国)有限公司 A browser client agent identification method, system and device
CN109802928A (en) * 2017-11-17 2019-05-24 中兴通讯股份有限公司 An SSL/TLS proxy method, device, equipment and storage medium
CN110622482A (en) * 2017-06-01 2019-12-27 国际商业机器公司 No cache session ticket support in TLS inspection
CN111464485A (en) * 2019-01-22 2020-07-28 北京金睛云华科技有限公司 Encrypted proxy flow detection method and device

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10681085B2 (en) * 2017-10-16 2020-06-09 International Business Machines Corporation Quick transport layer security/secure sockets layer connection for internet of things devices
US11019034B2 (en) * 2018-11-16 2021-05-25 Akamai Technologies, Inc. Systems and methods for proxying encrypted traffic to protect origin servers from internet threats

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Karthikeyan Bhargavan et al. "Triple Handshakes and Cookie Cutters: Breaking and Fixing Authentication over TLS". 2014 IEEE Symposium on Security and Privacy. 2014. *
mrpre. "TLS/SSL Protocol Explained (22): Session Resumption". CSDN Blog. 2017. *
张先勇. "Design of a Mobile Application Traffic Identification System Based on a Gain-Factor Weighted Feature Extraction Algorithm". China Master's Theses Full-text Database. 2020. *

Also Published As

Publication number Publication date
CN113014454A (en) 2021-06-22

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 571924 Room 301, 3rd floor, building A09, Hainan Ecological Software Park, Laocheng hi tech Industrial Demonstration Zone, Chengmai County, Haikou City, Hainan Province

Patentee after: Jizhi (Hainan) Information Technology Co.,Ltd.

Address before: 571924 Room 301, 3rd floor, building A09, Hainan Ecological Software Park, Laocheng hi tech Industrial Demonstration Zone, Chengmai County, Haikou City, Hainan Province

Patentee before: Zhongdian Jizhi (Hainan) Information Technology Co.,Ltd.
