CN114051061A - Internet application protocol analysis method and system - Google Patents


Info

Publication number
CN114051061A
Authority
CN
China
Prior art keywords
target
application program
information
protocol analysis
internet
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111320166.8A
Other languages
Chinese (zh)
Inventor
保永武
袁冰洋
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
WUHAN HONGXU INFORMATION TECHNOLOGY CO LTD
Original Assignee
WUHAN HONGXU INFORMATION TECHNOLOGY CO LTD
Application filed by WUHAN HONGXU INFORMATION TECHNOLOGY CO LTD
Priority to CN202111320166.8A
Publication of CN114051061A

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00: Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22: Parsing or analysis of headers
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/01: Protocols
    • H04L67/12: Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H04L67/34: Network arrangements or protocols for supporting network services or applications involving the movement of software or configuration parameters

Abstract

The invention provides an internet application protocol analysis method and system. The method comprises the following steps: acquiring installation packages of application programs from the Internet; parsing the installation package of a target application program among the acquired installation packages to obtain basic information of the target application program; running the target application program, executing each operation node based on the basic information of the target application program, recording operation node information, and obtaining an application protocol analysis result of the target application program from the target data packets generated by executing each operation node, the operation node information and the basic information of the target application program. The target data packets are the network data packets generated by executing each operation node and captured synchronously through a mirror network port. The method and system can improve the efficiency and accuracy of internet application protocol analysis.

Description

Internet application protocol analysis method and system
Technical Field
The invention relates to the technical field of information security, in particular to an internet application protocol analysis method and system.
Background
Traffic audit analysis is based on full-traffic mirroring and big data processing technology. By analyzing all network content, it can promptly prevent internal computers from leaking sensitive information over the internet, quickly trace and locate the source, and prevent illegal events. It can also monitor the whole network as well as computer users' internet behavior and network traffic, helping the network operate efficiently, stably and safely, and providing effective technical support for information system construction and management.
By capturing network traffic and studying it in detail during auditing, the application protocols used on the Internet can be identified and analyzed. In current application protocol analysis systems, network application traffic is identified mainly by manually analyzing the characteristics of each application's traffic, and the auditing system adds traffic identification rules by hard coding, configuration or similar means. In this traditional way of working, protocol analysis is completed through a whole manual workflow of downloading, installing, running, capturing packets, analyzing, recording and applying the result. The process is time-consuming and inefficient, and its output is not standardized.
Disclosure of Invention
The invention provides an internet application protocol analysis method and system, which are used for solving the defect of low analysis efficiency in the prior art and realizing the improvement of the analysis efficiency of an application protocol.
The invention provides an internet application protocol analysis method, which comprises the following steps:
acquiring installation packages of application programs from the Internet;
parsing the installation package of a target application program among the acquired installation packages to obtain basic information of the target application program;
running the target application program, executing each operation node based on the basic information of the target application program, recording operation node information, and obtaining an application protocol analysis result of the target application program from the target data packets generated by executing each operation node, the operation node information and the basic information of the target application program;
wherein the target data packets are the network data packets generated by executing each operation node and captured synchronously through a mirror network port.
According to the internet application protocol analysis method provided by the present invention, running the target application program, executing each operation node based on the basic information of the target application program, and recording the operation node information comprises:
in the running process of the target application program, acquiring node elements of the target application program based on basic information of the target application program;
and executing each operation node based on the node elements, and recording the operation node information.
According to the internet application protocol analysis method provided by the present invention, the obtaining an application protocol analysis result according to the target data packet generated by executing each operation node, the operation node information, and the basic information of the target application program includes:
acquiring a target protocol information element when the protocol type of the target data packet is a target type;
and associating the target protocol information element with the operation node information and the basic information of the target application program to obtain the application protocol analysis result.
According to the internet application protocol analysis method provided by the present invention, after acquiring the installation packages of the application programs from the internet, the method further comprises: determining the installation package of each target application program and the priority of each target application program based on the installation packages of the application programs.
According to the internet application protocol analysis method provided by the invention, after the application protocol analysis result is obtained, the method further comprises: outputting the application protocol analysis result in a target format.
The invention also provides an internet application protocol analysis system, comprising:
the acquisition module is used for acquiring the installation package of the application program from the Internet;
the analysis module is used for analyzing based on a target installation package in the installation packages of the application programs to acquire basic information of the target application programs;
the analysis module is used for running the target application program, executing each operation node based on the basic information of the target application program, recording the information of the operation nodes, and acquiring an application protocol analysis result of the target application program according to a target data packet generated by executing each operation node, the information of the operation nodes and the basic information of the target application program;
wherein the target data packets are the network data packets generated by executing each operation node and captured synchronously through a mirror network port.
The internet application protocol analysis system provided by the invention further comprises:
the scheduling module is used for sequentially determining the priority of the installation package of each target application program based on the installation package of the application program;
and/or, the application protocol analysis result is output in a target format.
The present invention also provides an electronic device, comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor implements the steps of the internet application protocol analysis method as described in any of the above when executing the program.
The present invention also provides a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of the internet application protocol analysis method as any one of the above.
The invention also provides a computer program product comprising a computer program which, when executed by a processor, performs the steps of the internet application protocol analysis method as described in any one of the above.
The internet application protocol analysis method and system provided by the invention take the installation package of a target application program obtained and selected from the Internet, statically analyze it to obtain the basic information of the target application program, use that basic information to dynamically execute each operation node and obtain operation node information, capture the target data packets through a mirror network port for traffic audit, and generate a protocol analysis result by combining the basic information of the target application program with the operation node information. The efficiency and accuracy of internet application protocol analysis can thereby be improved.
Drawings
In order to more clearly illustrate the technical solutions of the present invention or the prior art, the drawings needed for the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
FIG. 1 is a schematic flow chart of an Internet application protocol analysis method provided by the present invention;
FIG. 2 is a schematic diagram of an Internet application protocol analysis system according to the present invention;
FIG. 3 is a second schematic diagram of an Internet application protocol analysis system provided in the present invention;
fig. 4 is a schematic structural diagram of an electronic device provided in the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is obvious that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It is to be understood that the terminology used in the description of the invention herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in the specification of the present invention and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
The terms "comprises" and "comprising" indicate the presence of the described features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
Fig. 1 is a schematic flow chart of an internet application protocol analysis method provided by the present invention. As shown in fig. 1, the internet application protocol analysis method provided in the embodiment of the present invention includes: step 101, obtaining an installation package of an application program from the Internet.
It should be noted that the execution subject of the internet application protocol analysis method provided by the embodiment of the present invention is an internet application protocol analysis system.
The analysis requirement addressed by the internet application protocol analysis method provided by the embodiment of the invention is, without being limited thereto, to perform protocol analysis on the application traffic generated when any application program on the internet executes any action at any time, and to identify the content of that traffic.
The analysis object of the internet application protocol analysis system includes, but is not limited to, application traffic generated by various applications performing a certain action in the internet.
The embodiment of the present invention is not particularly limited thereto. According to different analysis requirements, an analysis object of the internet application protocol analysis system can also be application traffic generated by various application programs executing a certain action in the network such as the industrial internet or the internet of things.
Specifically, in step 101, the internet application protocol analysis system sets a crawling mode suited to the web page architecture of each app store and collects the installation packages of the application programs offered on its pages.
The embodiment of the invention does not specifically limit the set crawling mode and the corresponding data acquisition mode.
Preferably, the internet application protocol analysis system uses crawler technology written in Python to crawl web page data. The specific implementation process is as follows:
(1) crawling web page data using a cookie or an authentication token;
(2) for each app store, using the Beautiful Soup module with extraction rules built for that store's page data format, and using multiple threads to collect task information in parallel, including the application program name, the application installation package name, the development unit and the like;
(3) acquiring the installation packages of the application programs in each app store according to the collected task information.
Step 102, parsing the installation package of the target application program among the installation packages of the application programs to obtain basic information of the target application program.
The target application refers to an application to be subjected to protocol analysis. The target application is one or more of the installation packages of the applications acquired in step 101.
Specifically, in step 102, the internet application protocol analysis system decompresses the installation package of the target application program, extracts the specified file, and analyzes the specified file to obtain the basic information of the target application program.
The basic information of the target application refers to information that can characterize the target application. The basic information of the target application program comprises one or more types.
Optionally, the internet application protocol analysis system extracts and parses the AndroidManifest.xml file to obtain information such as the application installation package name, the application version number, the installation package hash digest, Activity component information and Service component information.
Optionally, the internet application protocol analysis system extracts the classes.dex file and decompiles it, then uses regular-expression pattern matching, with IP addresses, domain names and Uniform Resource Locators (URLs) as the main identification targets, to search the code globally for this information so that the subsequent traffic analyzer can associate it with traffic records.
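The regular-expression search over decompiled code described above can be sketched as follows. This is an added example, not code from the patent; the smali sample, the short `KNOWN_TLDS` list and the rule that drops reverse-DNS package names are all assumptions made for illustration.

```python
import ipaddress
import re

# Only string literals are scanned: smali class references use slashes
# (Landroid/net/Uri;), so network indicators live inside quoted constants.
STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
IPV4_RE = re.compile(r"(?<![\w.])(?:\d{1,3}\.){3}\d{1,3}(?![\w.])")
HOST_RE = re.compile(
    r"(?<![\w.-])(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,24}(?![\w.-])",
    re.I,
)
# Constructed, deliberately short suffix list (assumption); a real tool
# would load a full public suffix list.
KNOWN_TLDS = {"com", "net", "org", "cn", "io"}

# Constructed sample of decompiled output, embedded so the block runs offline.
SAMPLE_SMALI = r'''
.class public Lcom/example/shop/net/Api;
    const-string v0, "https://api.example.com/v1/login"
    const-string v1, "cdn.example.net"
    const-string v2, "203.0.113.7:8443"
    const-string v3, "com.example.net"
    const-string v4, "999.10.1.1"
    invoke-static {v0}, Landroid/net/Uri;->parse(Ljava/lang/String;)Landroid/net/Uri;
'''


def valid_ipv4(text):
    """Reject dotted quads with out-of-range octets such as 999.10.1.1."""
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def looks_like_host(name):
    """Keep names ending in a known TLD; drop reverse-DNS package names,
    which start with one (for example com.example.net)."""
    labels = name.lower().split(".")
    return labels[-1] in KNOWN_TLDS and labels[0] not in KNOWN_TLDS


def extract_indicators(decompiled_text):
    """Return sorted URL, IP and domain indicators found in string literals."""
    found = {"url": set(), "ip": set(), "domain": set()}
    for literal in STRING_LITERAL.findall(decompiled_text):
        for url in URL_RE.findall(literal):
            found["url"].add(url.rstrip(".,;)"))
        for ip in IPV4_RE.findall(literal):
            if valid_ipv4(ip):
                found["ip"].add(ip)
        for host in HOST_RE.findall(literal):
            if looks_like_host(host):
                found["domain"].add(host.lower())
    return {kind: sorted(values) for kind, values in found.items()}


if __name__ == "__main__":
    for kind, values in extract_indicators(SAMPLE_SMALI).items():
        print(kind, values)
```

Four-part version strings still pass the IPv4 check, so results of this kind are candidates to be confirmed against captured traffic rather than final rules.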
Step 103, running the target application program, executing each operation node based on the basic information of the target application program, recording operation node information, and obtaining an application protocol analysis result of the target application program from the target data packets generated by executing each operation node, the operation node information and the basic information of the target application program;
wherein the target data packets are the network data packets generated by executing each operation node and captured synchronously through a mirror network port.
It should be noted that, initialization is performed based on the application installation package name, the application version number, and the installation package hash digest in the basic information of the target application analyzed in step 102, and the target application is installed and started in the internet application protocol analysis system.
And the operation node is a control node which can be operated in the component of the target application program.
Illustratively, in an Android Application Package (APK), information such as Activity component information and Service component information may be included, where:
The Activity component is the window through which a user interacts with the application. Activities are used to display information and to jump from one to another.
The Service component is similar to an Activity but has no view. It has no user interface and can run in the background for a long time, corresponding to a service in the operating system.
The internet application protocol analysis system can acquire all operable controls in each view through the component information of the APK.
Specifically, in step 103, during the running process of the target application program, the internet application protocol analysis system analyzes an operation node in the target application program page according to the basic information of the target application program analyzed in step 102, and executes the operation node to generate the network data packet. Every time an operation node is executed, the Internet application protocol analysis system records relevant information of the operation node.
It should be noted that the internet application protocol analysis system is provided with a mirror network port and can capture the target data packets by mirroring.
The target data packets are the network data packets that the mirror network port captures synchronously during the execution period of an operation node, each time an operation node is executed.
The internet application protocol analysis system can perform traffic audit on the target data packets, obtain the traffic characteristics generated during the execution period of each operation node, and generate a protocol analysis result by combining them with the corresponding operation node information and the basic information of the target application program.
The protocol analysis result refers to the result of auditing and analyzing the flow generated by executing any action in the target application program. The embodiment of the present invention does not specifically limit the contents of the protocol analysis result.
Preferably, the protocol analysis result may include basic information of the target application program, so that its identifying characteristics, such as the name, version number, corresponding APP ID and Activity ID of the target application program, are known.
The protocol analysis result can also comprise operation node information so as to know the operation content executed by the target application program.
The protocol analysis result can also comprise a flow characteristic corresponding to each operation node so as to know the flow content of the target application program in operation.
The flow characteristics are not particularly limited in the embodiments of the present invention.
Illustratively, the traffic characteristics include, but are not limited to, the protocol type of the target packet and the corresponding payload.
The embodiment of the invention takes the installation package of a target application program obtained and selected from the Internet, statically analyzes it to obtain the basic information of the target application program, uses that basic information to dynamically execute each operation node and obtain operation node information, captures the target data packets through the mirror network port for traffic audit, and generates a protocol analysis result by combining the basic information of the target application program with the operation node information. The efficiency and accuracy of internet application protocol analysis can thereby be improved.
On the basis of any of the above embodiments, running the target application program, executing each operation node based on the basic information of the target application program, and recording the operation node information includes: during the running of the target application program, acquiring the node elements of the target application program based on the basic information of the target application program.
It should be noted that the basic information of the target application at least includes component information of the installation package of the target application. Illustratively, the base information of the target application includes at least Activity component information and Service component information.
Specifically, in step 103, while the target application program is running, the internet application protocol analysis system obtains all component elements in each Activity view according to the component information of the installation package, and selects the node elements according to whether the control corresponding to each component element is operable.
The node elements refer to component elements corresponding to controls which can perform operations such as clicking, inputting and the like in the Activity view.
Preferably, the plurality of node elements may be stored in the list in order of their execution precedence. The embodiment of the present invention does not specifically limit this process.
Exemplarily, the internet application protocol analysis system uses the uiautomator command to obtain the elements of the current interface, traverses them to read the element attributes, records node elements as android, and forms a correspondence list.
And executing each operation node based on the node elements, and recording the information of the operation nodes.
Specifically, in step 103, the internet application protocol analysis system traverses the list and records the operation node information every time the operation node corresponding to each node element is executed.
The operation node information refers to information describing a function or content of the operation node. The embodiment of the present invention is not particularly limited to this.
Illustratively, the operation node information includes text content of each node element and an encoded value of the node element.
According to the embodiment of the invention, the node elements are obtained from the basic information of the target application program, each operation node is dynamically executed through its node element, and the operation node information is obtained. The target data packets are then captured through the mirror network port for traffic audit, and a protocol analysis result is generated by combining the basic information of the target application program with the operation node information. The efficiency and accuracy of internet application protocol analysis can thereby be improved.
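As an added illustration that is not part of the patent text, the sketch below turns a uiautomator window dump into the ordered list of node elements described above. The dump is a constructed sample with only the attributes the code reads, and the 12-character `code` field is an assumed stand-in for the "encoded value" of a node element.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

BOUNDS_RE = re.compile(r"\[(\d+),(\d+)\]\[(\d+),(\d+)\]")

# Constructed sample in the layout produced by `uiautomator dump`.
SAMPLE_DUMP = """
<hierarchy rotation="0">
  <node index="0" text="" resource-id="" class="android.widget.FrameLayout"
        package="com.example.shop" content-desc="" clickable="false"
        enabled="true" bounds="[0,0][1080,1920]">
    <node index="0" text="" resource-id="com.example.shop:id/user"
          class="android.widget.EditText" package="com.example.shop"
          content-desc="" clickable="true" enabled="true"
          bounds="[60,400][1020,520]"/>
    <node index="1" text="Login" resource-id="com.example.shop:id/login"
          class="android.widget.Button" package="com.example.shop"
          content-desc="" clickable="true" enabled="true"
          bounds="[60,600][1020,720]"/>
    <node index="2" text="Pay" resource-id="com.example.shop:id/pay"
          class="android.widget.Button" package="com.example.shop"
          content-desc="" clickable="true" enabled="false"
          bounds="[60,800][1020,920]"/>
    <node index="3" text="" resource-id="com.example.shop:id/close"
          class="android.widget.ImageView" package="com.example.shop"
          content-desc="Close" clickable="true" enabled="true"
          bounds="[0,0][0,0]"/>
  </node>
</hierarchy>
"""


def node_elements(dump_xml):
    """Return operable controls in document order with the data needed to
    execute them (tap point, action) and to record them (text, code)."""
    elements = []
    for node in ET.fromstring(dump_xml.strip()).iter("node"):
        if node.get("enabled") != "true":
            continue                      # disabled controls cannot be operated
        cls = node.get("class", "")
        if cls.endswith("EditText"):
            action = "input"
        elif node.get("clickable") == "true":
            action = "click"
        else:
            continue                      # layout containers, labels, etc.
        match = BOUNDS_RE.fullmatch(node.get("bounds", ""))
        if not match:
            continue
        x1, y1, x2, y2 = map(int, match.groups())
        if x2 <= x1 or y2 <= y1:
            continue                      # zero-area node: not on screen
        key = "|".join((node.get("package", ""), node.get("resource-id", ""),
                        cls, node.get("bounds")))
        elements.append({
            # Assumed encoding: a short stable hash of the node identity.
            "code": hashlib.sha1(key.encode()).hexdigest()[:12],
            "text": node.get("text") or node.get("content-desc", ""),
            "resource_id": node.get("resource-id", ""),
            "class": cls,
            "action": action,
            "center": ((x1 + x2) // 2, (y1 + y2) // 2),
        })
    return elements


if __name__ == "__main__":
    for element in node_elements(SAMPLE_DUMP):
        print(element)
```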
On the basis of any of the above embodiments, obtaining an application protocol analysis result from the target data packets generated by executing each operation node, the operation node information and the basic information of the target application program includes: acquiring the target protocol information element when the protocol type of the target data packet is a target type.
Specifically, in step 103, the internet application protocol analysis system automatically captures the target data packets at the mirror network port, determines the protocol type from the five-tuple of each target data packet, and, where the protocol type falls under a target type, obtains the corresponding target protocol information element.
The target protocol information element refers to the protocol content in a network data packet of the determined protocol type. Different target types correspond to different target information elements. The embodiment of the present invention is not particularly limited thereto.
Preferably, the target types include basic protocol types such as HTTP, DNS, HTTPS, TCP and UDP.
Where the protocol type of the target network data packet is HTTP, the corresponding target information elements may be the host, url and ua (User-Agent).
Where the protocol type of the target network data packet is DNS, the corresponding target information elements may be the requested domain name and the response IP address.
Where the protocol type of the target network data packet is HTTPS, the corresponding target information elements may be the HTTPS protocol certificate information and the server field of the client_hello process.
Where the protocol type of the target network data packet is TCP/UDP, the corresponding target information elements may be the five-tuple information and the first 10 data packets of the data stream.
And associating the target protocol cell with the operation node information and the basic information of the target application program to obtain an application protocol analysis result.
Specifically, in step 103, the internet application protocol analysis system uses the time at which each operation node was executed to associate the target protocol information elements of the network data packets generated during that execution with the operation node.
When the association succeeds, the action that produced the target data packet is an effective function execution action of the operation node. With the target protocol information element associated with the operation node, the target protocol information element is used as the traffic characteristic of the target data packet and is combined with the basic information of the target application program generated in step 102 to generate the application protocol analysis result.
When the association between the operation node and the target data packet fails, the action that produced the target data packet is interpreted as a standby action of the operation node. The IP addresses, domain names and URLs obtained in step 102, which express the overall network characteristics of the target application program, are used as the traffic characteristic of the target data packet and are combined with the other basic information from step 102 to generate the application protocol analysis result.
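The per-protocol information elements and the time-based association described above can be sketched as follows. This is an added example, not the patent's implementation: flow records are assumed to be already decoded by an upstream capture stage, the port-based `classify` mapping and the `grace` window are assumptions, and all sample values are constructed.

```python
from dataclasses import dataclass


@dataclass
class OperationNode:
    activity_id: str
    keyword: str   # text of the control that was operated
    start: float   # capture-clock time when the operation began (seconds)
    end: float     # capture-clock time when it finished


def classify(flow):
    """Map a five-tuple to a target type. Port-based mapping is an assumption."""
    proto, dport = flow["proto"], flow["dport"]
    if dport == 53:
        return "DNS"
    if proto == "TCP" and dport == 80:
        return "HTTP"
    if proto == "TCP" and dport == 443:
        return "HTTPS"
    return proto  # plain TCP or UDP


def info_elements(flow, ptype):
    """Pick the information elements the description lists for each type."""
    fields = flow.get("fields", {})
    if ptype == "HTTP":
        return {k: fields.get(k) for k in ("host", "url", "ua")}
    if ptype == "DNS":
        return {"query": fields.get("query"), "answers": fields.get("answers", [])}
    if ptype == "HTTPS":
        return {"server": fields.get("server"),
                "certificate": fields.get("certificate")}
    five_tuple = tuple(flow[k] for k in ("src", "sport", "dst", "dport", "proto"))
    return {"five_tuple": five_tuple, "first_packets": flow.get("packets", [])[:10]}


def associate(nodes, flows, base_info, static_indicators, grace=0.5):
    """Attach each flow to the operation node whose time window contains it.
    Flows outside every window are marked standby and carry the statically
    extracted indicators instead."""
    results = []
    for flow in sorted(flows, key=lambda f: f["ts"]):
        ptype = classify(flow)
        hits = [n for n in nodes if n.start <= flow["ts"] <= n.end + grace]
        # If the grace period overlaps the next operation, prefer the latest.
        node = max(hits, key=lambda n: n.start) if hits else None
        record = dict(base_info, protocol=ptype)
        if node:
            record.update(kind="function", activity_id=node.activity_id,
                          keyword=node.keyword,
                          features=info_elements(flow, ptype))
        else:
            record.update(kind="standby", activity_id=None, keyword=None,
                          features={"static_indicators": sorted(static_indicators)})
        results.append(record)
    return results


def make_flow(ts, dport, proto, **extra):
    """Build one constructed, already-decoded flow record."""
    record = {"ts": ts, "src": "10.0.0.2", "sport": 40000,
              "dst": "203.0.113.7", "dport": dport, "proto": proto}
    record.update(extra)
    return record


def demo():
    base = {"app_id": "com.example.shop", "version": "1.0.0"}
    nodes = [OperationNode("LoginActivity", "Login", 10.0, 12.0),
             OperationNode("HomeActivity", "Refresh", 12.2, 14.0)]
    flows = [
        make_flow(10.1, 53, "UDP", fields={"query": "api.example.com",
                                           "answers": ["203.0.113.7"]}),
        make_flow(10.4, 80, "TCP", fields={"host": "api.example.com",
                                           "url": "/v1/login", "ua": "okhttp/4.9.0"}),
        make_flow(12.3, 443, "TCP", fields={"server": "api.example.com",
                                            "certificate": "CN=api.example.com"}),
        make_flow(13.0, 9000, "TCP", packets=[b"\x00"] * 12),
        make_flow(30.0, 5353, "UDP", packets=[b"\x01"]),
    ]
    return associate(nodes, flows, base, {"api.example.com", "203.0.113.7"})


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The operation timestamps and the packet timestamps must come from synchronized clocks, otherwise the windows will not line up with the capture.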
The following describes a specific implementation process of the internet application protocol analysis method with reference to an example:
(1) the internet application protocol analysis system uses distributed collection to gather the original APK files and basic information such as development unit, download count and version from each app store, generates an application basic information base, and stores it in MySQL;
(2) the internet application protocol analysis system installs and starts the APK, automatically parses the APK interface elements, automatically performs click and exit operations, associates the application basic information during execution, records the time of each operation node, and generates summary information;
(3) the internet application protocol analysis system collects the data traffic from the mirror network port, restores the protocol stack, obtains the traffic information elements, and mainly collects and analyzes the traffic content carried by DNS, HTTP, HTTPS and other TCP/UDP protocols. The traffic content is matched against the summary information formed in step (2) to determine the traffic content corresponding to each APK operation and to generate the associated information, and the application protocol analysis result is generated by combining the basic information from step (1).
The traffic collection module completes traffic collection and collation and associates the result with the summary information received from the actuator module, wherein the associated information comprises an APPID, an activityID, an operation content keyword and traffic characteristics. Wherein the traffic characteristics are divided into different traffic types according to the current flow, including various traffic generated during the occurrence of an action, associated traffic information elements and operations,
The embodiment of the invention captures the target data packets through the mirror network port for traffic audit, and generates a protocol analysis result by combining the basic information of the target application program with the operation node information. The efficiency and accuracy of internet application protocol analysis can thereby be improved.
On the basis of any one of the above embodiments, after obtaining the installation package of the application program from the internet, the method further includes: and determining the installation package of each target application program and the priority of each target application program based on the installation package of the application program.
Specifically, after step 101, the internet application protocol analysis system determines the installation package of each application program as the installation package of the target application program in sequence according to the sequence of the capturing time of the installation packages of the application programs in step 101.
Preferably, after step 101, the internet application protocol analysis system may, according to the analysis requirements for the application programs, preferentially determine the installation package of a more important application program as the installation package of the target application program, and determine the analysis order of the installation packages of different target application programs according to the priority of the analysis requirement for each application program.
The embodiment of the invention determines the installation package of the target application program, according to different requirements, from the installation packages of application programs obtained from the Internet. It then statically parses the installation package to obtain the basic information of the target application program, dynamically executes each operation node based on that basic information to obtain the operation node information, collects the target data packet through the mirror network port for traffic auditing, and generates a protocol analysis result by combining the basic information and the operation node information of the target application program. This improves the efficiency and accuracy of internet application protocol analysis.
On the basis of any of the above embodiments, after obtaining the application protocol analysis result, the method further includes: outputting the application protocol analysis result in a target format.
Specifically, after step 103, the internet application protocol analysis system outputs the information included in the application protocol analysis result in the corresponding target format according to the analysis requirement.
The target format is not particularly limited in the embodiments of the present invention.
Alternatively, the target format may be a form. The application protocol analysis result of a target application program corresponds to one form, each sheet in the form corresponds to an operation node, each row stores a field corresponding to the analysis dimension, and each column is the field content of each target data packet.
Alternatively, the target format may be an xml file. The application protocol analysis result of a target application program corresponds to one xml file, in which a pair of tags <application></application> can record the basic information of the target application program, a pair of tags <activity></activity> can record the operation node information, and so on.
The embodiment of the invention determines the installation package of the target application program, according to different requirements, from the installation packages of application programs obtained from the Internet. It then statically parses the installation package to obtain the basic information of the target application program, dynamically executes each operation node based on that basic information to obtain the operation node information, collects the target data packet through the mirror network port for traffic auditing, and generates a protocol analysis result by combining the basic information and the operation node information of the target application program. This improves the efficiency and accuracy of internet application protocol analysis and standardizes the output.
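The following Python example is added here for illustration and is not part of the patent text. It shows one way the association step and the xml output described above could work: packets captured on the mirror port are matched to operation nodes by execution time window, only target protocol types are kept, and the result is written with <application> and <activity> tags. The root tag `analysis`, the child tags `field` and `flow`, the `grace` parameter and all sample values are assumptions constructed for the example.

```python
import bisect
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Protocol types treated as "target types"; the page names DNS, HTTP and HTTPS.
TARGET_PROTOCOLS = {"DNS", "HTTP", "HTTPS"}


@dataclass(frozen=True)
class OperationNode:
    activity_id: str  # activityID recorded by the executor (assumed unique here)
    keyword: str      # operation content keyword, e.g. "click:login"
    start: float      # epoch seconds when the operation began
    end: float        # epoch seconds when the operation finished


@dataclass(frozen=True)
class Packet:
    ts: float         # capture timestamp taken on the mirror port
    protocol: str     # decoded application protocol
    cell: str         # protocol cell: DNS name, HTTP host and path, TLS SNI


def associate(nodes, packets, grace=0.0):
    """Assign each target-protocol packet to the operation node whose window
    [start, end + grace] contains its timestamp.

    Returns (by_activity, unmatched). Packets outside every window are
    background traffic and are reported separately instead of being guessed.
    If a grace period reaches into the next window, the later node wins.
    """
    ordered = sorted(nodes, key=lambda n: n.start)
    starts = [n.start for n in ordered]
    by_activity = {n.activity_id: [] for n in ordered}
    unmatched = []
    for pkt in sorted(packets, key=lambda p: p.ts):
        if pkt.protocol not in TARGET_PROTOCOLS:
            continue  # not a target type, so no cell is extracted
        # Index of the last node that started at or before this packet.
        i = bisect.bisect_right(starts, pkt.ts) - 1
        if i >= 0 and pkt.ts <= ordered[i].end + grace:
            by_activity[ordered[i].activity_id].append(pkt)
        else:
            unmatched.append(pkt)
    return by_activity, unmatched


def to_xml(app, nodes, by_activity):
    """Serialize basic information and per-node traffic into one xml string."""
    root = ET.Element("analysis")  # assumed root tag
    app_el = ET.SubElement(root, "application")
    for name, value in app.items():
        ET.SubElement(app_el, "field", name=name).text = str(value)
    for node in sorted(nodes, key=lambda n: n.start):
        act = ET.SubElement(
            root, "activity", id=node.activity_id, keyword=node.keyword,
            start=f"{node.start:.3f}", end=f"{node.end:.3f}",
        )
        for pkt in by_activity.get(node.activity_id, []):
            flow = ET.SubElement(act, "flow", protocol=pkt.protocol,
                                 ts=f"{pkt.ts:.3f}")
            flow.text = pkt.cell  # ElementTree escapes &, < and > on output
    return ET.tostring(root, encoding="unicode")


# Constructed sample data (not taken from the patent).
APP = {"appid": "1001", "package": "com.example.demo", "version": "1.0"}
NODES = [
    OperationNode("MainActivity", "launch", 100.0, 105.0),
    OperationNode("LoginActivity", "click:login", 106.0, 110.0),
]
PACKETS = [
    Packet(99.0, "DNS", "time.example.net"),             # before any node
    Packet(100.4, "DNS", "api.example.com"),
    Packet(101.2, "HTTPS", "api.example.com"),
    Packet(105.5, "HTTP", "cdn.example.com/banner.png"),  # between windows
    Packet(107.0, "HTTP", "api.example.com/login"),
    Packet(108.0, "NTP", "pool.example.org"),             # not a target type
]

if __name__ == "__main__":
    matched, background = associate(NODES, PACKETS)
    print(to_xml(APP, NODES, matched))
    print("unmatched:", [p.cell for p in background])
```

Responses that arrive shortly after an operation finishes fall outside its window; passing a small `grace` value attributes them to the operation that triggered them.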
Fig. 2 is a schematic structural diagram of an internet application protocol analysis system provided in the present invention. As shown in fig. 2, an internet application protocol analysis system provided in an embodiment of the present invention includes: an obtaining module 210, a parsing module 220, and an analyzing module 230, wherein:
The obtaining module is used for obtaining the installation package of the application program from the Internet.
The parsing module is used for parsing the installation package of the target application program among the installation packages of the application programs to acquire the basic information of the target application program.
The analysis module is used for running the target application program, executing each operation node based on the basic information of the target application program, recording the information of the operation nodes, and acquiring an application protocol analysis result of the target application program according to a target data packet generated by executing each operation node, the information of the operation nodes and the basic information of the target application program.
The target data packet is a network data packet which is generated by executing each operation node and synchronously acquired through the mirror network port.
Specifically, the obtaining module 210, the parsing module 220, and the analysis module 230 are electrically connected in sequence.
The obtaining module 210 sets a corresponding crawling mode according to the web page architecture of different application malls to collect the installation package of the application program in the web page.
The parsing module 220 decompresses the installation package of the target application, extracts the designated file, and parses it to obtain the basic information of the target application.
The basic information of the target application refers to information that can characterize the target application. The basic information of the target application program comprises one or more types.
During the running process of the target application program, the analysis module 230 analyzes the operation nodes in the target application program page based on the basic information of the target application program parsed by the parsing module 220, and executes the operation nodes to generate network data packets. Every time an operation node is executed, the internet application protocol analysis system records the relevant information of that operation node.
It should be noted that the internet application protocol analysis system is provided with a mirror network port, and can collect the target data packet in a mirror manner.
The target data packet refers to a network data packet that is generated within the execution time period of an operation node and synchronously acquired through the mirror network port each time an operation node is executed.
The analysis module 230 may perform traffic auditing according to the target data packet, obtain traffic characteristics generated during the execution of each operation node, and generate a protocol analysis result by combining corresponding operation node information and the basic information of the target application program.
The protocol analysis result refers to the result of auditing and analyzing the flow generated by executing any action in the target application program. The embodiment of the present invention does not specifically limit the contents of the protocol analysis result.
Optionally, the analysis module 230 includes an acquisition unit and a recording unit, wherein:
the acquisition unit is used for acquiring the node elements of the target application program based on the basic information of the target application program in the running process of the target application program;
the recording unit is used for executing each operation node based on the node elements and recording the information of the operation nodes.
Optionally, the analysis module 230 includes a second obtaining unit and an analysis unit, wherein:
the second obtaining unit is used for acquiring the target protocol cell under the condition that the protocol type of the target data packet is the target type;
the analysis unit is used for associating the target protocol cell with the operation node information and the basic information of the target application program to acquire an application protocol analysis result.
Optionally, the system further comprises a determination module, wherein:
the determination module is used for determining the installation package of each target application program and the priority of each target application program based on the installation package of the application program.
Optionally, the system further comprises an output module, wherein:
the output module is used for outputting the application protocol analysis result in a target format.
Preferably, in terms of hardware, the internet application protocol analysis system uses one general-purpose server, an acquisition board based on a RISC microprocessor chip (ARM), a switch with a port mirroring function, and a personal computer (PC). In terms of software, a CentOS 7 operating system is installed on the server, on which a traffic capture handler for traffic auditing and a scheduler for analysis task scheduling are deployed. The acquisition board is provided with an Android 7 operating system and an actuator APP that operates the APP to generate traffic. The PC is installed with a Windows system, on which a parser for static parsing of the application is deployed.
Without modifying the structure of the system, the parsing module 220 and the analysis module 230 can be modified correspondingly to realize automatic analysis of application protocols such as those of the industrial internet and the internet of things.
The embodiment of the invention obtains and determines the installation package of the target application program from the Internet, statically parses the installation package to obtain the basic information of the target application program, dynamically executes each operation node based on that basic information to obtain the operation node information, collects the target data packet through the mirror network port for traffic auditing, and generates a protocol analysis result by combining the basic information and the operation node information of the target application program. This improves the efficiency and accuracy of internet application protocol analysis.
On the basis of any of the above embodiments, fig. 3 is a second schematic structural diagram of the internet application protocol analysis system provided by the present invention. As shown in fig. 3, an internet application protocol analysis system provided in an embodiment of the present invention includes: a scheduling module 320.
Specifically, the internet application protocol analysis system is composed of an obtaining module 310, a scheduling module 320, a parsing module 330, and an analysis module 340.
The scheduling module 320 is configured to determine priorities of the installation packages of the target applications in sequence based on the installation packages of the applications.
Specifically, the scheduling module 320 determines the installation package of each application program as the installation package of the target application program in sequence, based on the order of the capturing time of the installation packages of the application programs output by the obtaining module 310, so that the scheduling module 320 sends the installation packages of the target application programs to the parsing module 330 for parsing in the corresponding order.
And/or, the scheduling module 320 is configured to output the application protocol analysis result in a target format.
Specifically, the scheduling module 320 receives the application protocol analysis result output by the analysis module 340, and outputs the information included in the application protocol analysis result in a corresponding target format according to the analysis requirement.
The embodiment of the invention obtains and determines the installation package of the target application program from the Internet, statically parses the installation package to obtain the basic information of the target application program, dynamically executes each operation node based on that basic information to obtain the operation node information, collects the target data packet through the mirror network port for traffic auditing, and generates a protocol analysis result by combining the basic information and the operation node information of the target application program. This improves the efficiency and accuracy of internet application protocol analysis and standardizes the output.
Fig. 4 illustrates a physical structure diagram of an electronic device, which may include, as shown in fig. 4: a processor 410, a communication interface 420, a memory 430 and a communication bus 440, wherein the processor 410, the communication interface 420 and the memory 430 communicate with each other via the communication bus 440. The processor 410 may invoke logic instructions in the memory 430 to perform an internet application protocol analysis method comprising: acquiring an installation package of an application program from the Internet; parsing an installation package of a target application program among the installation packages of the application programs to acquire basic information of the target application program; running the target application program, executing each operation node based on the basic information of the target application program, recording operation node information, and obtaining an application protocol analysis result of the target application program according to a target data packet generated by executing each operation node, the operation node information and the basic information of the target application program; wherein the target data packet is a network data packet which is generated by executing each operation node and synchronously acquired through the mirror network port.
In addition, the logic instructions in the memory 430 may be implemented in the form of software functional units and stored in a computer readable storage medium when sold or used as independent products. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
In another aspect, the present invention also provides a computer program product comprising a computer program stored on a non-transitory computer-readable storage medium, wherein when the computer program is executed by a processor, a computer is capable of executing the internet application protocol analysis method provided by the above methods, the method comprising: acquiring an installation package of an application program from the Internet; parsing an installation package of a target application program among the installation packages of the application programs to acquire basic information of the target application program; running the target application program, executing each operation node based on the basic information of the target application program, recording operation node information, and obtaining an application protocol analysis result of the target application program according to a target data packet generated by executing each operation node, the operation node information and the basic information of the target application program; wherein the target data packet is a network data packet which is generated by executing each operation node and synchronously acquired through the mirror network port.
In yet another aspect, the present invention also provides a non-transitory computer-readable storage medium on which a computer program is stored, the computer program, when executed by a processor, implementing the internet application protocol analysis method provided by the above methods, the method including: acquiring an installation package of an application program from the Internet; parsing an installation package of a target application program among the installation packages of the application programs to acquire basic information of the target application program; running the target application program, executing each operation node based on the basic information of the target application program, recording operation node information, and obtaining an application protocol analysis result of the target application program according to a target data packet generated by executing each operation node, the operation node information and the basic information of the target application program; wherein the target data packet is a network data packet which is generated by executing each operation node and synchronously acquired through the mirror network port.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. An internet application protocol analysis method, comprising:
acquiring an installation package of an application program from the Internet;
parsing an installation package of a target application program among the installation packages of the application programs to acquire basic information of the target application program;
running the target application program, executing each operation node based on the basic information of the target application program, recording the information of the operation nodes, and acquiring an application protocol analysis result of the target application program according to a target data packet generated by executing each operation node, the information of the operation nodes and the basic information of the target application program;
wherein the target data packet is a network data packet which is generated by executing each operation node and synchronously acquired through the mirror network port.
2. The internet application protocol analysis method of claim 1, wherein the running the target application, executing each operation node based on the basic information of the target application, and recording the operation node information comprises:
in the running process of the target application program, acquiring node elements of the target application program based on basic information of the target application program;
and executing each operation node based on the node elements, and recording the operation node information.
3. The internet application protocol analysis method of claim 2, wherein the obtaining of the application protocol analysis result according to the target data packet generated by executing each operation node, the operation node information, and the basic information of the target application program comprises:
acquiring a target protocol cell under the condition that the protocol type of the target data packet is a target type;
and associating the target protocol cell with the operation node information and the basic information of the target application program to obtain an application protocol analysis result.
4. The internet application protocol analysis method of claim 1, wherein after obtaining the installation package of the application program from the internet, the method further comprises:
and determining the installation package of each target application program and the priority of each target application program based on the installation packages of the application programs.
5. The internet application protocol analysis method of any one of claims 1 to 4, wherein after obtaining the application protocol analysis result, the method further comprises:
and outputting the analysis result of the application protocol in a target format.
6. An internet application protocol analysis system, comprising:
the acquisition module is used for acquiring the installation package of the application program from the Internet;
the parsing module is used for parsing an installation package of a target application program among the installation packages of the application programs to acquire basic information of the target application program;
the analysis module is used for running the target application program, executing each operation node based on the basic information of the target application program, recording the information of the operation nodes, and acquiring an application protocol analysis result of the target application program according to a target data packet generated by executing each operation node, the information of the operation nodes and the basic information of the target application program;
wherein the target data packet is a network data packet which is generated by executing each operation node and synchronously acquired through the mirror network port.
7. The internet application protocol analysis system of claim 6, further comprising:
the scheduling module is used for sequentially determining the priority of the installation package of each target application program based on the installation package of the application program;
and/or, the application protocol analysis result is output in a target format.
8. An electronic device comprising a memory, a processor and a computer program stored on said memory and executable on said processor, wherein said processor when executing said program performs the steps of the internet application protocol analysis method according to any of claims 1-5.
9. A non-transitory computer readable storage medium having stored thereon a computer program, wherein the computer program when executed by a processor implements the steps of the internet application protocol analysis method according to any one of claims 1 to 5.
10. A computer program product comprising a computer program, wherein the computer program when executed by a processor performs the steps of the internet application protocol analysis method according to any one of claims 1 to 5.
CN202111320166.8A 2021-11-09 2021-11-09 Internet application protocol analysis method and system Pending CN114051061A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111320166.8A CN114051061A (en) 2021-11-09 2021-11-09 Internet application protocol analysis method and system

Publications (1)

Publication Number Publication Date
CN114051061A true CN114051061A (en) 2022-02-15

Family

ID=80207502

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111320166.8A Pending CN114051061A (en) 2021-11-09 2021-11-09 Internet application protocol analysis method and system

Country Status (1)

Country Link
CN (1) CN114051061A (en)

Patent Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2009181335A (en) * 2008-01-30 2009-08-13 Nippon Telegr & Teleph Corp <Ntt> Analysis system, analysis method, and analysis program
US9215239B1 (en) * 2012-09-28 2015-12-15 Palo Alto Networks, Inc. Malware detection based on traffic analysis
US20150220735A1 (en) * 2014-02-05 2015-08-06 Fireeye, Inc. Detection efficacy of virtual machine-based analysis with application specific events
US20160306981A1 (en) * 2015-04-17 2016-10-20 NowSecure, Inc. Methods and apparatuses for improved app security testing
WO2017084555A1 (en) * 2015-11-18 2017-05-26 中国银联股份有限公司 Method for generating and installing trusted application for use in a trusted execution environment
US20190174319A1 (en) * 2017-12-01 2019-06-06 Seven Networks, Llc Detection and identification of potentially harmful applications based on detection and analysis of malware/spyware indicators
CN109995601A (en) * 2017-12-29 2019-07-09 中国移动通信集团上海有限公司 A kind of network flow identification method and device
CN108804287A (en) * 2018-05-31 2018-11-13 中国电子科技集团公司电子科学研究院 Automatic obtaining method, device, system and the medium of mobile applications flow
CN111459774A (en) * 2019-01-21 2020-07-28 中国移动通信有限公司研究院 Method, device and equipment for acquiring flow of application program and storage medium
CN112131112A (en) * 2020-09-22 2020-12-25 腾讯科技(深圳)有限公司 Operation information acquisition method and device, storage medium and electronic equipment
CN112887388A (en) * 2021-01-20 2021-06-01 每日互动股份有限公司 Data processing system based on sandbox environment
CN112784194A (en) * 2021-01-28 2021-05-11 济南大学 Automatic traversal method and system for Android application page

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114500309A (en) * 2022-04-13 2022-05-13 南京华飞数据技术有限公司 Network application flow automatic configuration recognition system
CN114500309B (en) * 2022-04-13 2022-07-08 南京华飞数据技术有限公司 Network application flow automatic configuration recognition system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination