CN114172980A - Method, system, device, equipment and medium for identifying type of operating system - Google Patents

Info

Publication number: CN114172980A
Application number: CN202111493749.0A
Authority: CN (China)
Legal status: Pending
Prior art keywords: operating system, type, message, information, client
Other languages: Chinese (zh)
Inventors: 娄扬, 张思民
Current assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd
Original assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd and Beijing Topsec Software Co Ltd; priority to CN202111493749.0A; publication of CN114172980A; legal status pending.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/22 Parsing or analysis of headers
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Abstract

The embodiment of the application provides a method, a system, a device, equipment and a medium for identifying the type of an operating system. The method comprises the following steps: acquiring a message of a target type sent by a client by monitoring network traffic data; analyzing the application layer message information to obtain the application layer message content, wherein the application layer message information is the information corresponding to the application layer of the message; and determining the target operating system type of the client according to the application layer message content. According to some embodiments of the application, the step of sending a probe packet can be omitted by actively monitoring the network traffic data, so that the efficiency of acquiring the message is improved; and the operating system type can be accurately identified through the application layer message content, so that the problem of inaccurate identification caused by identifying with other message content in the related art is solved.

Description

Method, system, device, equipment and medium for identifying type of operating system
Technical Field
The embodiment of the application relates to the field of network security, in particular to a method, a system, a device, equipment and a medium for identifying the type of an operating system.
Background
In the related art, as the internet has developed, more and more devices are connected through it. In some application scenarios the operating systems of the clients accessing the internet must be obtained promptly; for example, a network administrator needs to know the operating system types of the clients in the area for which the administrator is responsible. The existing methods for identifying client operating systems generally rely on the protocol field features of the network layer protocol and the transport layer protocol, but such schemes cannot accurately identify the specific operating system when clients run the same operating system type with version numbers that are relatively close to each other.
Therefore, how to accurately identify the type of the operating system becomes an urgent problem to be solved.
Disclosure of Invention
Some embodiments of the present application can dispense with the separate probe-packet sending step that the related art requires when acquiring the operating system type, thereby improving the efficiency of acquiring a packet; in addition, some embodiments of the present application can accurately identify the operating system type through the content of an application layer packet, thereby solving the problem of inaccurate identification caused by using other packet content for identification in the related art.
In a first aspect, an embodiment of the present application provides a method for identifying an operating system type, where the method includes: acquiring a target type message sent by a client by monitoring network flow data; analyzing message information of an application layer to obtain message content of the application layer, wherein the message information of the application layer is information corresponding to the application layer of the message; and determining the type of the target operating system of the client according to the message content of the application layer.
Therefore, different from the prior art, in which the operating system type is identified by using the contents of the transport layer and the network layer, on one hand the step of sending a probe packet can be omitted by actively monitoring the network traffic data in the embodiments of the present application, so that the efficiency of acquiring the packet is improved, and on the other hand the operating system type can be accurately identified by using the contents of the packet in the application layer in some embodiments of the present application, so that the problem of inaccurate identification in the prior art is solved.
With reference to the first aspect, in some embodiments of the present application, before analyzing the application layer packet information to obtain application layer packet content, the method further includes screening the monitored network traffic data to obtain the packet of the target type.
Therefore, the embodiment of the application can select the target type message which is valuable for identifying the type of the operating system from the multiple messages in the protocol stack by screening the target type message, so that the target information carried in the target type message can be directly acquired in the subsequent steps, and the running speed is accelerated.
With reference to the first aspect, in some embodiments of the present application, the determining a target operating system type of the client according to at least the application layer packet content includes: acquiring transmission layer message content and network layer message content from the message, and determining the type of the operating system of the client as a first reference operating system according to the transmission layer message content and the network layer message content; determining the type of the operating system of the client as a second reference operating system according to the application layer message content; if the types of the first reference operating system and the second reference operating system are consistent, taking the first reference operating system or the second reference operating system as the type of the target operating system; or, if it is determined that the types of the first reference operating system and the second reference operating system are not consistent, taking the type of the second reference operating system as the type of the target operating system.
Therefore, the target operating system type can be accurately obtained by verifying the first reference operating system by using the second reference operating system after the first reference operating system is obtained, so that the problem of inaccurate identification in the related art is solved.
With reference to the first aspect, in some embodiments of the present application, the determining, according to the content of the application layer packet, that the operating system type of the client is a second reference operating system includes: extracting at least one piece of target information carried by the application layer message according to the type of the content of the application layer message, wherein the type comprises a DNS message, an HTTP message or an HTTPS message; and searching a target information and operating system mapping table according to the at least one piece of target information, and determining that the operating system type of the client is the second reference operating system, wherein the target information and operating system mapping table is used for recording the corresponding relation between a plurality of pieces of target information and the types of reference operating systems.
With reference to the first aspect, in some embodiments of the present application, the type of the content of the application layer packet is a DNS packet, and the target information and operating system mapping table is a domain name mapping table; the extracting at least one target information carried by the application layer message includes: extracting a first request domain name in the DNS message; the searching the target information and the operating system mapping table according to the at least one target information and determining that the operating system type of the client is the second reference operating system includes: searching the first request domain name in the domain name mapping table, and confirming a corresponding second reference operating system; the domain name mapping table is used for representing the corresponding relation between the domain name and the type of the second reference operating system.
Therefore, the second reference operating system is obtained by extracting the first request domain name in the DNS message, and the corresponding mapping table can be obtained for the target information carried by the DNS message, and the type of the operating system is identified, so that the messages of different types are identified in a targeted manner, and the identification efficiency is improved.
With reference to the first aspect, in some embodiments of the present application, the type of the content of the application layer packet is an HTTP packet, and the target information and operating system mapping table is a domain name mapping table and a resource location mapping table; the extracting at least one target information carried by the application layer message includes: extracting a second request domain name and a resource positioning mark from a request line and a header of the HTTP message; the searching the target information and the operating system mapping table according to the at least one target information and determining that the operating system type of the client is the second reference operating system includes: searching the second request domain name and the resource positioning mark in the domain name mapping table and the resource positioning mapping table, and confirming the corresponding second reference operating system; the resource positioning mapping table is used for representing the corresponding relation between the resource positioning website and the second reference operating system.
Therefore, in the embodiment of the application, the second reference operating system is obtained by extracting the second request domain name and the resource positioning mark in the HTTP message, and the corresponding mapping table can be obtained for the target information carried in the HTTP message to identify the type of the operating system, so that the different types of messages are identified in a targeted manner, and the identification efficiency is improved.
With reference to the first aspect, in some embodiments of the present application, the type of the application layer packet content is an HTTPS packet, and the target information and operating system mapping table is a domain name mapping table; the extracting at least one target information carried by the application layer message includes: extracting a third request domain name from the certificate information of the HTTPS message; the searching the target information and the operating system mapping table according to the at least one target information and determining that the operating system type of the client is the second reference operating system includes: and searching the third request domain name in the domain name mapping table, and confirming the corresponding second reference operating system.
With reference to the first aspect, in some embodiments of the present application, the type of the application layer packet content is an HTTPS packet, and the target information and operating system mapping table is an encrypted information mapping table; the extracting at least one target information carried by the application layer message includes: extracting information to be encrypted in the HTTPS message, wherein the information to be encrypted at least comprises a security protocol; encrypting the information to be encrypted to generate encrypted information; the searching the target information and the operating system mapping table according to the at least one target information and determining that the operating system type of the client is the second reference operating system includes: searching the encrypted information in an encrypted information mapping table, and confirming the corresponding second reference operating system; the encryption information mapping table is used for representing the mapping relation between the encryption information and the second reference operating system.
Therefore, according to the embodiment of the application, the second reference operating system is obtained by extracting the third request domain name from the HTTPS message, the corresponding mapping table can be consulted for the target information carried in the HTTPS message, and the type of the operating system can be identified, so that the targeted identification of different types of messages is realized and the identification efficiency is improved.
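The three kinds of target information described above (the DNS request domain name, the HTTP request domain name and resource locator, and the HTTPS server name together with a digest of the ClientHello's security-protocol parameters) can be extracted from raw messages as shown below. This is an added example, not code from the patent or the applicant: a SHA-256 hash stands in for the patent's unspecified "encrypting" step, the HTTPS server name is read from the ClientHello SNI extension rather than from certificate information, and every sample message is constructed here.

```python
import hashlib
import struct
from typing import List, Tuple


def dns_query_name(payload: bytes) -> str:
    """Return the first query name (QNAME) of a DNS query given the UDP payload."""
    qdcount = struct.unpack("!H", payload[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12  # the question section starts after the 12-byte header
    while True:
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # a plain query name carries no compression pointers
            raise ValueError("unexpected label compression in query name")
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels).lower()


def http_request_target(payload: bytes) -> Tuple[str, str]:
    """Return (host, path) from the request line and Host header of an HTTP/1.x request."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    _method, path, _version = lines[0].split(" ", 2)
    host = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip().lower()
            break
    return host, path


def tls_client_hello(payload: bytes) -> Tuple[str, str]:
    """Return (server_name, fingerprint) from a TLS ClientHello record.

    The fingerprint is a SHA-256 over the offered protocol version, cipher
    suites and extension types; hashing in place of the patent's "encrypting"
    is an assumption of this example.
    """
    if payload[0] != 0x16 or payload[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    pos = 9  # skip the 5-byte record header and the 4-byte handshake header
    version = struct.unpack("!H", payload[pos:pos + 2])[0]
    pos += 2 + 32  # client_version and the 32-byte random
    pos += 1 + payload[pos]  # session id (length-prefixed)
    cs_len = struct.unpack("!H", payload[pos:pos + 2])[0]
    pos += 2
    ciphers = struct.unpack("!%dH" % (cs_len // 2), payload[pos:pos + cs_len])
    pos += cs_len
    pos += 1 + payload[pos]  # compression methods (length-prefixed)
    ext_total = struct.unpack("!H", payload[pos:pos + 2])[0]
    pos += 2
    end, ext_types, server_name = pos + ext_total, [], ""
    while pos < end:
        ext_type, ext_len = struct.unpack("!HH", payload[pos:pos + 4])
        pos += 4
        ext_types.append(ext_type)
        if ext_type == 0:  # server_name: list length(2), name type(1), name length(2), name
            name_len = struct.unpack("!H", payload[pos + 3:pos + 5])[0]
            server_name = payload[pos + 5:pos + 5 + name_len].decode("ascii").lower()
        pos += ext_len
    material = "%d,%s,%s" % (version, "-".join(map(str, ciphers)), "-".join(map(str, ext_types)))
    return server_name, hashlib.sha256(material.encode()).hexdigest()


# Constructed sample messages; the builders exist only so the example runs offline.
def build_dns_query(name: str) -> bytes:
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split("."))
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def build_client_hello(server_name: str, ciphers: List[int], ext_types: List[int]) -> bytes:
    name = server_name.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = b""
    for ext_type in ext_types:
        body = sni if ext_type == 0 else b""
        exts += struct.pack("!HH", ext_type, len(body)) + body
    body = struct.pack("!H", 0x0303) + bytes(32) + b"\x00"  # TLS 1.2, zero random, no session id
    body += struct.pack("!H", 2 * len(ciphers)) + struct.pack("!%dH" % len(ciphers), *ciphers)
    body += b"\x01\x00" + struct.pack("!H", len(exts)) + exts  # null compression, extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


SAMPLE_HTTP_REQUEST = (b"GET /os-b/catalog.xml HTTP/1.1\r\n"
                       b"Host: Push.OS-B.test\r\n"
                       b"User-Agent: UpdaterA/3.1\r\n\r\n")
```

The values the extractors return are the keys looked up in the domain name, resource location and encrypted information mapping tables; two ClientHellos that differ only in cipher order already produce different fingerprints.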
With reference to the first aspect, in some embodiments of the present application, the determining a target operating system type of the client according to at least the application layer packet content includes: acquiring a network flow characteristic value of the client; searching a network information and operating system type mapping table according to the network traffic characteristic value, wherein the operating system of the client is searched to be a third reference operating system, and the network information and operating system type mapping table is used for representing the corresponding relation between various network information and a plurality of operating system types; if the third reference operating system is consistent with the target operating system type, taking the third reference operating system as a final target operating system type; or, if the third reference operating system is not consistent with the target operating system type, determining that the operating system type of the client is the final target operating system type.
With reference to the first aspect, in some embodiments of the present application, the network traffic characteristic value includes a domain name of a website accessed by an application program in the client during an update operation; the obtaining of the network traffic characteristic value of the client includes: extracting the domain name of the website accessed by the application program in the message content of the application layer in the updating operation process; the searching for the operating system of the client in the mapping table of the network information and the operating system type according to the network traffic characteristic value is a third reference operating system, and includes: and searching a domain name in the network information and operating system type mapping table, and confirming that the operating system of the client is the third reference operating system.
With reference to the first aspect, in some embodiments of the present application, the network traffic characteristic value is a response field triggered in a process of sending a packet by a client; the obtaining of the network traffic characteristic value of the client includes: extracting a response field in the message content of the application layer; the searching for the operating system of the client in the mapping table of the network information and the operating system type according to the network traffic characteristic value is a third reference operating system, and includes: searching the response field in the network information and operating system type mapping table, and confirming the corresponding application name; and searching the application name in an application name and operating system type mapping table, and confirming that the operating system of the client is the third reference operating system, wherein the application name and operating system type mapping table is used for representing the mapping relation between the application name and the operating system type.
Therefore, the third reference operating system is determined by acquiring the domain name of the update access and the name of the application software in the network traffic characteristic value, and the type of the operating system can be further confirmed from different aspects in the network traffic characteristic, so that the accuracy of identification is improved.
With reference to the first aspect, in some embodiments of the present application, after determining the target operating system type of the client according to at least the application layer packet content, the method further includes: and binding the client and an operating system according to the representation information of the client, wherein the operating system is represented by the type of the final target operating system.
Therefore, the operating system and the client are bound, unified management and operation and maintenance can be conveniently carried out by operation and maintenance personnel, the equipment needing operation and maintenance can be clearly mastered, and management efficiency is improved.
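The cross-check among the first, second and third reference operating systems described above, followed by the client binding, can be written as the decision logic below. This is an added example, not the patent's own implementation: all table contents are constructed placeholders, the (initial TTL, TCP window) pair used for the first reference is an assumed choice of transport/network-layer features, and falling back to the first reference when the application layer gives no match is an assumption the patent does not state.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed placeholder tables; a deployment would populate them from observed traffic.
NET_TRANSPORT_TABLE = {(64, 65535): "OS-A", (128, 8192): "OS-B"}      # (initial TTL, TCP window)
DOMAIN_TABLE = {"update.os-a.test": "OS-A", "push.os-b.test": "OS-B"}  # DNS/HTTP/HTTPS domain names
RESOURCE_TABLE = {"/os-b/catalog.xml": "OS-B"}                         # HTTP resource locators
ENCRYPTED_INFO_TABLE = {"fp-a-0001": "OS-A"}                           # hashed ClientHello parameters
UPDATE_DOMAIN_TABLE = {"update.os-a.test": "OS-A", "swupdate.os-b.test": "OS-B"}
RESPONSE_FIELD_TABLE = {"UpdaterA/3.1": "AppA"}                        # response field -> application
APP_OS_TABLE = {"AppA": "OS-A"}                                        # application -> OS type


@dataclass
class ClientFeatures:
    client_id: str  # representation information used for binding, e.g. a MAC address
    ttl: int
    window: int
    dns_name: str = ""
    http_host: str = ""
    http_path: str = ""
    tls_sni: str = ""
    tls_fingerprint: str = ""
    update_domain: str = ""
    response_field: str = ""


def first_reference(f: ClientFeatures) -> Optional[str]:
    """Network/transport-layer guess (the related-art method)."""
    return NET_TRANSPORT_TABLE.get((f.ttl, f.window))


def second_reference(f: ClientFeatures) -> Optional[str]:
    """Application-layer guess: DNS name, HTTP host/path, HTTPS name, TLS fingerprint."""
    lookups = (
        (f.dns_name, DOMAIN_TABLE),
        (f.http_host, DOMAIN_TABLE),
        (f.http_path, RESOURCE_TABLE),
        (f.tls_sni, DOMAIN_TABLE),
        (f.tls_fingerprint, ENCRYPTED_INFO_TABLE),
    )
    for key, table in lookups:
        if key and key in table:
            return table[key]
    return None


def third_reference(f: ClientFeatures) -> Optional[str]:
    """Traffic-characteristic guess: update domain, or response field -> app -> OS."""
    if f.update_domain in UPDATE_DOMAIN_TABLE:
        return UPDATE_DOMAIN_TABLE[f.update_domain]
    app = RESPONSE_FIELD_TABLE.get(f.response_field)
    return APP_OS_TABLE.get(app) if app else None


def identify(f: ClientFeatures) -> Tuple[Optional[str], bool]:
    """Return (target OS type, confirmed by the third reference).

    Rule from the method: when the first and second references agree either one
    is used; when they disagree the application-layer (second) result wins. The
    third reference only confirms the result; a mismatch leaves the target
    unchanged but flags it as unconfirmed so an operator can review it.
    """
    first, second = first_reference(f), second_reference(f)
    target = second if second is not None else first  # fallback to first is an assumption
    third = third_reference(f)
    return target, (target is not None and third == target)


def bind_client(inventory: Dict[str, str], f: ClientFeatures) -> Dict[str, str]:
    """Record the client -> operating system binding used for later management."""
    target, _confirmed = identify(f)
    if target is not None:
        inventory[f.client_id] = target
    return inventory
```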
In a second aspect, an embodiment of the present application provides an apparatus for identifying an operating system type, where the apparatus includes: the message monitoring module is configured to acquire a message of a target type sent by the client by monitoring network traffic data; the message analysis module is configured to analyze application layer message information to obtain application layer message content, wherein the application layer message information is information corresponding to an application layer of a message; and the type confirmation module is configured to determine the type of the target operating system of the client according to the application layer message content.
With reference to the second aspect, in some embodiments of the present application, the message parsing module is further configured to: and screening the network flow data obtained by monitoring to obtain the message of the target type.
In combination with the second aspect, in some embodiments of the present application, the type confirmation module is further configured to: acquiring transmission layer message content and network layer message content from the message, and determining the type of the operating system of the client as a first reference operating system according to the transmission layer message content and the network layer message content; determining the type of the operating system of the client as a second reference operating system according to the application layer message content; if the types of the first reference operating system and the second reference operating system are consistent, taking the first reference operating system or the second reference operating system as the type of the target operating system; or, if it is determined that the types of the first reference operating system and the second reference operating system are not consistent, taking the type of the second reference operating system as the type of the target operating system.
In combination with the second aspect, in some embodiments of the present application, the type confirmation module is further configured to: extracting at least one piece of target information carried by the application layer message according to the type of the application layer message content, wherein the type of the application layer message content comprises a DNS message, an HTTP message or an HTTPS message; and searching a target information and operating system mapping table according to at least one piece of target information, and determining that the operating system type of the client is the second reference operating system, wherein the target information and operating system mapping table is used for recording the corresponding relation between a plurality of pieces of target information and the types of reference operating systems.
With reference to the second aspect, in some embodiments of the present application, the type of the application layer packet content is a DNS packet, and the target information and operating system mapping table is a domain name mapping table; the message parsing module is further configured to: extracting a first request domain name in the DNS message; the type validation module is further configured to: searching the first request domain name in the domain name mapping table, and confirming the type of the corresponding second reference operating system; the domain name mapping table is used for representing the corresponding relation between the domain name and the type of the second reference operating system.
With reference to the second aspect, in some embodiments of the present application, the type of the content of the application layer packet is an HTTP packet, and the target information and operating system mapping table is a domain name mapping table and a resource location mapping table; the message parsing module is further configured to: extracting the second request domain name and the resource positioning mark from the request line and the header of the HTTP message; the type validation module is further configured to: searching the second request domain name and the resource positioning mark in the domain name mapping table and the resource positioning mapping table, and confirming the type of the corresponding second reference operating system; the resource positioning mapping table is used for representing the corresponding relation between the resource positioning website and the type of the second reference operating system.
With reference to the second aspect, in some embodiments of the present application, the type of the application layer packet content is an HTTPS packet, and the target information and operating system mapping table is a domain name mapping table; the message parsing module is further configured to: extracting a third request domain name from the certificate information of the HTTPS message; the type validation module is further configured to: and searching a third request domain name in the domain name mapping table, and confirming the type of the corresponding second reference operating system.
With reference to the second aspect, in some embodiments of the present application, the type of the application layer packet content is an HTTPS packet, and the target information and operating system mapping table is an encrypted information mapping table; the message parsing module is further configured to: extracting information to be encrypted in the HTTPS message, wherein the information to be encrypted at least comprises a security protocol; encrypting the information to be encrypted to generate encrypted information; the type validation module is further configured to: searching the encrypted information in the encrypted information mapping table, and confirming the type of the corresponding second reference operating system; the encryption information mapping table is used for representing the mapping relation between the encryption information and the type of the second reference operating system.
In combination with the second aspect, in some embodiments of the present application, the type confirmation module is further configured to: acquiring a network flow characteristic value of a client; searching a network information and operating system type mapping table according to the network traffic characteristic value, wherein the operating system of the client is searched to be a third reference operating system, and the network information and operating system type mapping table is used for representing the corresponding relation between various network information and a plurality of operating system types; if the type of the third reference operating system is consistent with that of the target operating system, taking the type of the third reference operating system as a final target operating system type; or, if the types of the third reference operating system and the target operating system are not consistent, determining that the operating system type of the client is the final target operating system type.
With reference to the second aspect, in some embodiments of the present application, the network traffic characteristic value includes a domain name of a website accessed by an application program in the client during an update operation; the message monitoring module is configured to: extracting the domain name of the website accessed by the application program in the message content of the application layer in the updating operation process; the type validation module is further configured to: and searching the domain name in the network information and operating system type mapping table, and confirming that the operating system of the client is the third reference operating system.
With reference to the second aspect, in some embodiments of the present application, the network traffic characteristic value is a response field triggered in a process of sending a packet by the client; the message monitoring module is configured to: extracting a response field in the message content of the application layer; the type validation module is further configured to: searching a response field in a network information and operating system type mapping table, and confirming a corresponding application name; and searching an application name in the mapping table of the application name and the type of the operating system, and confirming that the operating system of the client is a third reference operating system, wherein the mapping table of the application name and the type of the operating system is used for representing the mapping relation between the application name and the type of the operating system.
In combination with the second aspect, in some embodiments of the present application, the type confirmation module is further configured to: and binding the client and an operating system according to the representation information of the client, wherein the operating system is represented by the type of a target operating system.
In a third aspect, a system for identifying a type of operating system, the system comprising:
a client configured to transmit network traffic data; a gateway device configured to monitor the network traffic data of the client and perform the method of identifying an operating system type as in the first aspect and any embodiments thereof based on a monitoring result.
In a fourth aspect, an electronic device includes: a processor, a memory, and a bus; the processor is connected to the memory via the bus, and the memory stores computer readable instructions for implementing the method for identifying an operating system type according to the first aspect and any embodiments thereof when the computer readable instructions are executed by the processor.
In a fifth aspect, a computer-readable storage medium having stored thereon a computer program which, when executed, implements a method of identifying an operating system type as in the first aspect and any embodiment thereof.
Drawings
FIG. 1 is a schematic diagram illustrating a system configuration for identifying an operating system according to an embodiment of the present application;
FIG. 2 is a flowchart illustrating a method for identifying an operating system according to an embodiment of the present disclosure;
FIG. 3 is a second flowchart of a method for identifying an operating system according to an embodiment of the present application;
FIG. 4 is a third flowchart illustrating a method for identifying an operating system according to an embodiment of the present application;
FIG. 5 is a block diagram illustrating an apparatus for identifying an operating system according to an embodiment of the present disclosure;
FIG. 6 is a schematic diagram illustrating a composition of an electronic device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all the embodiments. The components of the embodiments of the present application, generally described and illustrated in the figures herein, can be arranged and designed in a wide variety of different configurations. Thus, the following detailed description of the embodiments of the present application, as presented in the figures, is not intended to limit the scope of the claimed application, but is merely representative of selected embodiments of the application. All other embodiments, which can be derived by a person skilled in the art from the embodiments of the present application without making any creative effort, shall fall within the protection scope of the present application.
In some embodiments of the present application, a message is obtained by actively monitoring network traffic data of a client, and a target operating system type of the client is confirmed through application layer content in the message. For example: in some embodiments of the present application, first, the gateway device obtains a packet sent by the client by monitoring network traffic data, then, parses at least the packet to obtain application layer packet content, and obtains the type of the operating system adopted by the client according to the application layer packet content. Transport layer and network layer messages may also be combined in some embodiments of the present application to assist in identifying client operating system types.
It should be noted that the client is a device that generates network traffic data and sends a message. As an embodiment of the present application, the client may be a mobile phone, a computer, a tablet computer, or the like. As another embodiment of the present application, the client may be a server, a processor, or the like. The embodiments of the present application are not limited thereto.
The method steps in the embodiments of the present application are described in detail below with reference to the accompanying drawings.
FIG. 1 provides a block diagram of a system for identifying operating system types in some embodiments of the present application, including a client 110, a gateway device 120, and a network 130. Specifically, the client 110 generates network traffic data during access to the network 130 and is intercepted by the gateway device 120. After obtaining the packet corresponding to the network traffic data, the gateway device 120 parses the application layer packet content in the packet, then obtains the second reference operating system of the client 110 according to at least one piece of target information carried in the application layer packet content, obtains the third reference operating system of the client 110 according to the network traffic characteristic value in the application layer packet content, and obtains the first reference operating system of the client 110 according to the transmission layer packet content and the network layer packet content. And finally, confirming that the first reference operating system, the second reference operating system and the third reference operating system are consistent, and confirming the final target operating system type of the client 110.
Different from the embodiments of the present application, in the related art the type of the client operating system is usually identified only through the protocol field characteristics of the network layer protocol and the transport layer protocol, so it cannot be accurately identified when the client operating systems are of the same type but differ in version number. The embodiment of the application identifies the type of the operating system by using the application layer message content in addition to the judgment made through the network layer protocol and the transport layer protocol, so that its identification result is more accurate.
In addition, the gateway device in the related art obtains the message by sending an acquisition packet to the client, whereas the embodiment of the application obtains the message by actively monitoring network traffic data, so the step of sending the acquisition packet is saved, the operation efficiency of the gateway device is improved, and efficient operation of the gateway device is further ensured on the basis of accurate identification.
The following describes an exemplary scheme for identifying the operating system type according to some embodiments of the present application, taking a gateway device as an example. It can be understood that the technical solution of the method for identifying the operating system type according to the embodiment of the present application may be applied to any security device, for example, a firewall product.
At least to solve the above problem, as shown in fig. 2, some embodiments of the present application provide a method for identifying an operating system type, the method including:
S210, the message of the target type sent by the client is obtained by monitoring the network traffic data.
S220, analyzing the message information of the application layer to obtain the message content of the application layer.
In some embodiments of the present application, the application layer packet information may also be parsed to obtain the transport layer packet content and the network layer packet content.
S230, determining the target operating system type of the client according to the application layer message content at least.
In some embodiments of the present application, a first reference operating system is first determined according to transport layer packet content and network layer packet content, a second reference operating system is then determined by identifying different types of application layer packet content, and finally, the first reference operating system and the second reference operating system are compared to determine a target operating system type.
In some embodiments of the present application, S220 further comprises: and screening the network flow data obtained by monitoring to obtain a message of a target type.
That is, after the network traffic data of the client is monitored and the messages are obtained, the messages of the target type used for identifying the operating system type are screened out. Specifically, in the embodiment of the present application, the target type messages are DNS messages, HTTP messages, and HTTPS messages, and the application layer message information, transport layer message information, and network layer message information in the TCP/IP protocol stack are screened.
Therefore, the embodiment of the application can select the target type message which is valuable for identifying the type of the operating system from the multiple messages in the protocol stack by screening the target type message, so that the target information carried in the target type message can be directly acquired in the subsequent steps, and the running speed is accelerated.
The implementation process of the above steps is exemplarily set forth below.
The network traffic data of S210 refers to data generated by the client during the process of accessing the network. As a specific embodiment of the present application, the network traffic data may be traffic data generated in a process of accessing a website; as another specific example of the present application, the network traffic data may be traffic data generated in a process of updating the system. The embodiments of the present application are not limited thereto.
The client referred to in S210 refers to a device capable of accessing the network. As some specific embodiments of the present application, the client may be a mobile phone, a server, a computer, or other devices; as other specific embodiments of the present application, the client may be an embedded device such as an intelligent electric meter or an intelligent water meter. The embodiments of the present application are not limited thereto.
The application layer message information related to S220 refers to information corresponding to an application layer in a protocol stack in which the gateway device obtains the message. The application layer message content refers to the message content obtained after the message information of the application layer is analyzed. As a specific embodiment of the present application, the application layer message content may be a file transfer protocol, a hypertext transfer protocol, or the like.
In some embodiments of the present application, S230 further comprises:
the method comprises the following steps: and acquiring the transmission layer message content and the network layer message content from the message, and determining the type of the operating system of the client as a first reference operating system according to the transmission layer message content and the network layer message content.
That is, after the message is acquired, the transport layer message information and the network layer message information in the protocol stack are acquired, then the transport layer message information is analyzed to acquire the transport layer message content, and the network layer message information is analyzed to acquire the network layer message content. Then each option field carried in the transport layer message content and the network layer message content is acquired, where the option fields include the IPv4/IPv6 version information, the TTL (time to live) value, the MSS (maximum segment size, namely the maximum message length) and the window size in the IP header and the TCP header; a memory address is obtained according to each option field, and the memory address is queried in the memory address and operating system mapping table to obtain the corresponding first reference operating system.
Step two: and determining the type of the operating system of the client as a second reference operating system according to the message content of the application layer.
In an embodiment of the present application, at least one piece of target information carried in an application layer packet is extracted according to the type of the application layer packet content, where the type of the application layer packet content includes a DNS packet, an HTTP packet, or an HTTPS packet. Then, the target information and operating system mapping table is searched according to the at least one piece of target information, and the operating system type of the client is determined as the second reference operating system.
That is, different types of application layer packet content (i.e., DNS packets, HTTP packets, or HTTPS packets) carry different types of target information, and after the target information corresponding to each type is obtained, the second reference operating system corresponding to that target information is determined in the mapping table corresponding to it.
As a specific embodiment of the present application, when the type of the content of the application layer packet is a DNS packet and the target information and operating system mapping table is a domain name mapping table, first, a first request domain name in the DNS packet is extracted. Then, the first request domain name is looked up in the domain name mapping table, and the corresponding second reference operating system is confirmed.
That is, a mapping table (i.e., a domain name mapping table) between a domain name and an operating system is preset, and then after a message is obtained, after the message information of an application layer is analyzed according to different application layer protocols (e.g., http, ftp, etc.), and if the type of the message is determined to be a DNS message, a first request domain name in the DNS message is extracted. And then, reading a preset domain name mapping table, finding the first request domain name in the domain name mapping table, and confirming the corresponding second reference operating system.
For example: the first request domain name extracted from the DNS message is "baidu.com", the operating system type corresponding to "baidu.com" found in the domain name mapping table is win10, and the second reference operating system is confirmed to be win10.
It should be noted that the domain name mapping table is used to characterize the corresponding relationship between a domain name and the type of the second reference operating system. For example: in the domain name mapping table, the operating system type corresponding to the domain name "apple.com" is an iOS system, and the version number is 11.
Therefore, the second reference operating system is obtained by extracting the first request domain name in the DNS message, and the corresponding mapping table can be obtained for the target information carried by the DNS message, and the type of the operating system is identified, so that the messages of different types are identified in a targeted manner, and the identification efficiency is improved.
As another specific embodiment of the present application, the content type of the application layer packet is an HTTP packet, and the mapping table of the target information and the operating system is a domain name mapping table and a resource location mapping table. Firstly, extracting a second request domain name and a resource positioning mark from a request line and a header of an HTTP message, then, searching the second request domain name and the resource positioning mark in a domain name mapping table and a resource positioning mapping table, and confirming a corresponding second reference operating system.
That is, a mapping table between a domain name and an operating system (i.e., a domain name mapping table) and a mapping table between a resource locator and the operating system (i.e., a resource locator mapping table) are preset, and then after a message is obtained, the message information of an application layer is analyzed, and if the type of the message is determined to be an HTTP message, a second request domain name and a resource locator in the HTTP message are extracted from a request line and a header of the HTTP. And then, reading a preset domain name mapping table and a resource positioning mapping table, finding a second request domain name in the domain name mapping table, finding a resource positioning mark in the resource positioning mapping table, and confirming a corresponding second reference operating system.
For example: if the website accessed by the resource locator in the HTTP message is a microsoft upgrade website, it is determined in the resource locator mapping table that the second reference operating system is win10.
Therefore, in the embodiment of the application, the second reference operating system is obtained by extracting the second request domain name and the resource positioning mark in the HTTP message, and the corresponding mapping table can be obtained for the target information carried in the HTTP message to identify the type of the operating system, so that the different types of messages are identified in a targeted manner, and the identification efficiency is improved.
As another specific embodiment of the present application, the type of the application layer packet content is an HTTPS packet, and the target information and operating system mapping table is a domain name mapping table. First, a third request domain name is extracted from the certificate information of the HTTPS packet. Then, the third request domain name is looked up in the domain name mapping table, and the corresponding second reference operating system is confirmed.
That is, a mapping table between the domain name and the operating system (i.e., a domain name mapping table) is preset, then after the packet is obtained, the application layer packet information is analyzed, and if the type of the packet is judged to be an HTTPS packet, the third request domain name in the HTTPS packet is extracted according to the certificate information in the HTTPS packet. And then, reading a preset domain name mapping table, finding a third request domain name in the domain name mapping table, and confirming a corresponding second reference operating system.
For example: the third request domain name "baidu.com" is extracted from the HTTPS message, the operating system type corresponding to "baidu.com" is found in the domain name mapping table as win10, and the second reference operating system is determined to be win10.
As another specific embodiment of the present application, the type of the application layer packet content is an HTTPS packet, and the target information and operating system mapping table is an encrypted information mapping table. Firstly, the information to be encrypted in the HTTPS message is extracted, where the information to be encrypted comprises the TLS version number (namely the security protocol), the acceptable encryption algorithms, the extension list and the elliptic curve parameters. Then, the information to be encrypted is encrypted to generate encrypted information. Finally, the encrypted information is searched in the encrypted information mapping table, and the corresponding second reference operating system is confirmed, where the encrypted information mapping table is used for representing the mapping relation between the encrypted information and the second reference operating system.
It should be noted that, during HTTPS communication, the client and the gateway device negotiate an encryption algorithm that is supported by both devices, where the acceptable encryption algorithms include: MD5 (message digest algorithm), AES (advanced encryption standard)/DES (data encryption standard)/3DES (triple data encryption algorithm), the RSA algorithm, ECC (elliptic curve cryptography), and the like.
The extension list is used for declaring the support of the protocol to some new functions for a security transport layer protocol (TLS) or carrying extra data required in the process of handshaking, so that the Client and the Server can obtain the new functions on the basis of not updating the TLS.
The elliptic curve parameters are parameters that are carried in the interaction process between the client and the gateway device after the negotiated ECC algorithm (elliptic encryption algorithm) is completed.
That is, a mapping table between encryption information and an operating system (i.e., an encryption information mapping table) is preset; then, after a message is acquired, the application layer message information is analyzed, and if the type of the message is judged to be an HTTPS message, the TLS version number, the acceptable encryption algorithms, the extension list, and the elliptic curve parameters in the HTTPS message are extracted. Then, the information to be encrypted is concatenated into one string, and the string is hashed with MD5 to generate a JA3 value, where the JA3 generated by each client is different. Finally, the preset encryption information mapping table is read, the JA3 value is found in the encryption information mapping table, and the corresponding second reference operating system is confirmed.
For example: the JA3 values extracted in the HTTPS message are:
“b32309a26951912be7dba376398abc3bMozilla/5.0”
finding the value of JA3 in the encryption information mapping table, and if the corresponding operating system type is win10, determining that the second reference operating system is win10.
For example: the JA3 values extracted in the HTTPS message are:
“b32309a26951912be7dba376398abc3bMozilla/5.0”
finding the value of JA3 in the encryption information mapping table, and if the corresponding operating system type is Linux x86_64, determining that the second reference operating system is Linux x86_64.
Therefore, according to the embodiment of the application, the second reference operating system is obtained by extracting the third request domain name or the encrypted information in the HTTPS message, the corresponding mapping table can be obtained for the target information carried in the HTTPS message, and the type of the operating system can be identified, so that the targeted identification of different types of messages is realized, and the identification efficiency is improved.
Step three: and if the types of the first reference operating system and the second reference operating system are consistent, taking the first reference operating system or the second reference operating system as the type of the target operating system.
Or
And if the types of the first reference operating system and the second reference operating system are not consistent, taking the type of the second reference operating system as the type of the target operating system.
That is, in the case where the types of the first reference operating system obtained in step one and the second reference operating system obtained in step two are identical, either reference operating system is selected as the target operating system type. For example, if the first reference os is win10 and the second reference os is win10, the target os type is win10.
And in the case that the types of the first reference operating system obtained in step one and the second reference operating system obtained in step two are not consistent, the second reference operating system obtained in step two is taken as the target operating system type. For example, if the first reference os is win8 and the second reference os is win10, the target os type is win10.
Therefore, the target operating system type can be accurately obtained by verifying the first reference operating system by using the second reference operating system after the first reference operating system is obtained, so that the problem of inaccurate identification in the related art is solved.
In some embodiments of the present application, after obtaining the target operating system type, S230 further comprises:
the method comprises the following steps: and acquiring a network flow characteristic value of the client.
That is, after obtaining the target operating system type, the gateway device continues to verify the correctness of the target operating system type through the network traffic characteristic value.
It should be noted that the network traffic characteristic value is a response field triggered in the process of sending a message by the client. For example, during the process of sending the message, the client responds to the server field character of the message by HTTP.
Step two: and searching the operating system of the client in the mapping table of the network information and the operating system type according to the network flow characteristic value to be a third reference operating system.
As a specific embodiment of the present application, the network traffic characteristic value includes a domain name of a website accessed by an application program in the client during an update operation. Firstly, extracting the domain name of the website accessed by the application program in the message content of the application layer in the updating operation process. And then, searching the domain name in the mapping table of the network information and the type of the operating system, and confirming that the operating system of the client is a third reference operating system.
That is to say, under the condition that the extracted network traffic characteristic value is the domain name of the website accessed by the client in the updating process, the extracted domain name is queried in the network information and operating system type mapping table to obtain the corresponding third reference operating system.
For example, in the case of upgrading application software in the client, a specific website may be accessed for version upgrading, the windows operating system may access an upgrade website of microsoft, the android operating system may access an upgrade website of google, and an IE browser of the windows operating system may access an upgrade website corresponding to the IE browser. Therefore, if the domain name accessed by the client during the updating process is "google", the corresponding third reference operating system is android.
As another specific embodiment of the present application, the network traffic characteristic value is a response field triggered in the process of sending a packet by the client. First, the response field in the application layer message content is extracted. Then, the response field is searched in the mapping table of the network information and the type of the operating system, and the corresponding application name is confirmed. And finally, searching the application name in the mapping table of the application name and the type of the operating system, and confirming that the operating system of the client is the third reference operating system.
That is, under the condition that the obtained network traffic characteristic value is the response field, the response field is extracted, then the response field is searched in the network information and operating system type mapping table, the application name corresponding to the application of the message sent by the client corresponding to the corresponding field is confirmed, and then the third reference operating system corresponding to the application name is inquired.
For example: when the extracted response field is the Server field, the application name IIS corresponding to the Server field is found in the network information and operating system type mapping table, and the third reference operating system is determined to be windows.
Step three: and if the third reference operating system is consistent with the target operating system type, taking the third reference operating system as the final target operating system type.
Or
And if the third reference operating system is not consistent with the target operating system type, confirming that the operating system type of the client is the final target operating system type.
That is, in the case where the obtained third reference operating system is identical to the obtained target operating system type, either of them is selected as the final target operating system type. For example, if the third reference os is win10 and the target os type is win10, the final target os type is win10.
And in the case that the obtained third reference operating system is inconsistent with the obtained target operating system type, the target operating system type is taken as the final target operating system type. For example, if the third reference os is win8 and the target os type is win10, the final target os type is win10.
Therefore, the third reference operating system is determined by acquiring the domain name of the update access and the name of the application software in the network traffic characteristic value, and the type of the operating system can be further confirmed from different aspects in the network traffic characteristic, so that the accuracy of identification is improved.
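The three-reference cross-check of S230 (steps one to three and the verification with the network traffic characteristic value), as an added example that is not code from the patent application: the mapping tables, the ParsedMessage fields and the sample messages are constructed stand-ins for the gateway's fingerprint library and its parsed messages, and the family table and the fallbacks marked in comments are assumptions the page does not spell out.

```python
"""Combine the three reference operating systems the way S230 describes.

Added example, not code from the patent application; every table here is
constructed and would come from the feature collection stage in practice.
"""
import re
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Step one: (IP version, TTL, MSS, TCP window) -> first reference OS.
TRANSPORT_TABLE = {
    (4, 128, 1460, 64240): "win10",
    (4, 128, 1460, 8192): "win8",
}
# Step two: target information carried by DNS, HTTP and HTTPS messages.
DOMAIN_TABLE = {          # request domain -> OS (DNS name, HTTP Host, certificate)
    "update.microsoft.example": "win10",
    "ota.android.example": "android",
}
URL_TABLE = {"/windowsupdate/": "win10"}   # resource locator prefix -> OS
# Network traffic characteristic: (application name, matching target, regex),
# the fingerprint description form used in the feature collection stage.
APP_FINGERPRINTS = [("IIS", "server", re.compile(r"^Microsoft-IIS/\d"))]
APP_OS_TABLE = {"IIS": "windows"}
# Assumption: a family name such as "windows" confirms a "win10" target type.
FAMILY = {"win10": "windows", "win8": "windows"}


@dataclass
class ParsedMessage:
    """Fields the gateway extracts from one screened message (constructed)."""
    ip_version: int
    ttl: int
    mss: int
    window: int
    kind: str                                    # "dns", "http" or "https"
    domain: str = ""                             # request domain of the message
    url: str = ""                                # resource locator (HTTP only)
    headers: dict = field(default_factory=dict)  # response fields seen in the flow


def first_reference(msg: ParsedMessage) -> Optional[str]:
    """Step one: IP and TCP option fields looked up in the transport table."""
    return TRANSPORT_TABLE.get((msg.ip_version, msg.ttl, msg.mss, msg.window))


def second_reference(msg: ParsedMessage) -> Optional[str]:
    """Step two: the target information of each message type and its table."""
    by_domain = DOMAIN_TABLE.get(msg.domain.lower())
    if msg.kind != "http":
        return by_domain        # DNS request domain or HTTPS certificate domain
    by_url = next((os_name for prefix, os_name in URL_TABLE.items()
                   if msg.url.startswith(prefix)), None)
    return by_url or by_domain  # assumption: the resource locator match decides


def third_reference(msg: ParsedMessage) -> Optional[str]:
    """Traffic characteristic: response field -> application -> OS, else update domain."""
    for app, target, pattern in APP_FINGERPRINTS:
        if pattern.search(msg.headers.get(target, "")):
            return APP_OS_TABLE.get(app)
    return DOMAIN_TABLE.get(msg.domain.lower())


def target_type(first: Optional[str], second: Optional[str]) -> Optional[str]:
    """Step three: equal types pass through; otherwise the second reference wins."""
    if first == second or second is None:   # None fallback is an assumption
        return first
    return second


def verify_type(target: Optional[str], third: Optional[str]) -> Tuple[Optional[str], bool]:
    """The target type stands either way; the flag records whether the third
    reference confirmed it, which is what an operator would want logged."""
    confirmed = third is not None and third in (target, FAMILY.get(target))
    return target, confirmed


def identify(msg: ParsedMessage) -> dict:
    """Run the whole S230 procedure on one parsed message."""
    first, second, third = first_reference(msg), second_reference(msg), third_reference(msg)
    target = target_type(first, second)
    final, confirmed = verify_type(target, third)
    return {"first": first, "second": second, "third": third,
            "target": target, "final": final, "confirmed": confirmed}


def bind_client(store: dict, ip: str, final_os: Optional[str]) -> dict:
    """Bind the client's characterising information (its IP) to the final type."""
    if final_os is not None:
        store[ip] = final_os
    return store


# Constructed samples: a client fetching an update through the gateway.
SAMPLE_HTTP = ParsedMessage(4, 128, 1460, 64240, "http",
                            domain="update.microsoft.example",
                            url="/windowsupdate/v1",
                            headers={"server": "Microsoft-IIS/10.0"})
# Transport fields say win8, the application layer says win10: win10 is kept.
SAMPLE_DNS = ParsedMessage(4, 128, 1460, 8192, "dns",
                           domain="update.microsoft.example")
```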
In one embodiment of the present application, S230 further includes: and binding the client and the operating system according to the representation information of the client, wherein the operating system is represented by the type of the final target operating system.
That is to say, the final target operating system type obtained by using the method may represent the operating system, and the operating system and the client are bound and stored, so that the operation and maintenance personnel can obtain the operating system type corresponding to the client, thereby performing the operation and maintenance operation. The characterizing information of the client may be an IP address, a device number, and the like.
For example: the client is characterized by using the IP address (the IP address of the client is 192.106.1.1), and the obtained final target operating system type is win10, the IP address is bound with win10 and stored.
Therefore, the operating system and the client are bound, unified management and operation and maintenance can be conveniently carried out by operation and maintenance personnel, the equipment needing operation and maintenance can be clearly mastered, and management efficiency is improved.
The foregoing describes a method for identifying an operating system type in an embodiment of the present application, and the following describes a specific embodiment of identifying an operating system type in the present application.
In the related art, the operation and maintenance personnel need to know the operating system type of the responsible area equipment. Therefore, by using the operating system identification technology, the operation and maintenance personnel can clearly grasp the operating system type of the equipment. However, the operating system type cannot be accurately identified in the prior art, and therefore, the embodiment of the present application provides a method for identifying an operating system type, which can solve the problems in the prior art.
In an embodiment of the present application, traffic data in the network is monitored, with the focus on the data traffic of the application layer: on one hand, the corresponding operating system type is obtained from the different message types of the application layer; on the other hand, the application software is identified through the message characteristics of the application layer, and the operating system type is obtained through the mapping table relationship between the application software and the operating system; on yet another hand, the operating system type is determined by the particular network traffic generated during an application software update. For example, windows will access microsoft's upgrade web site; and if the HTTP traffic of the application layer identifies the client application program as IIS, the operating system type windows can be obtained through the mapping table.
As shown in fig. 3, fig. 3 shows a specific embodiment of the method for identifying the type of the operating system shown in fig. 2, which includes S310, monitoring network traffic data; s320, screening to obtain a message of a target type; s330, acquiring an IP; s340, analyzing the message to obtain the message content of the application layer; s350, inquiring a mapping table; and S360, binding the client with the operating system.
Firstly, S310 is executed, flow data in a local area network is monitored and captured, the message is analyzed, then the message with application layer data is screened out through S320, and then S330 is executed, and the IP address of the client is counted and stored. The content of the application layer message is obtained through analysis in S340, and the type of the operating system is obtained through S350 according to various mapping tables. Finally, a mapping relation is formed between the IP address of the client and the type of the operating system through S360.
Specifically, in the stage of collecting features, the following steps are performed:
the method comprises the following steps: fingerprint characteristics of each application name are collected, for example, the characteristics of the IIS are server field characters of http response messages.
Step two: the content of the fingerprint features is described by an application name, a matching target (such as a server field character) and a feature regular expression, and if the matching target in the message accords with the regular expression, the application name is confirmed.
Step three: establish a mapping from application name to operating system type, for example IIS corresponds to Windows.
Step four: collect the traffic that the application software generates, for example the domain names a client contacts while updating itself (a Windows client contacts Microsoft's update site).
Step five: from the collected application traffic, build the mapping from domain name to operating system type, from resource locator (URL) to operating system type, and from the TLS client fingerprint (JA3, which the text calls "encryption information") to operating system type.
Step six: merge all of these mappings into the existing operating system fingerprint library.
In the matching stage, as shown in fig. 4, after S410 is executed the fingerprint database containing the mappings is read first and a hash table is built from them, for example with the application name as key and the operating system type as value. S420 then captures packets: a packet capture program obtains the traffic passing through the gateway device, so every packet from the link layer upward is available.
The packet is then parsed to obtain the IP address of the client that sent it. When S430 confirms that the packet carries application layer information, S440 determines the client's operating system type from the transport layer and network layer content as the first reference operating system, S450 determines it from the application layer content as the second reference operating system, and the two are compared to confirm the target operating system type.
Finally, S460 determines a third reference operating system from the network traffic characteristic value, for example by looking it up in the hash table, and S470 compares the third reference operating system with the target operating system type to settle the final target operating system type of the client. The final target operating system type is bound to the client's IP address to give the identification result. If S430 finds no application layer information in the packet, processing of that packet ends at S480.
This gives a method that identifies the operating system accurately and avoids inaccurate or wrong identification results: the network application name is identified from the application layer packets the client sends, the application's traffic is collected on the basis of the mapping between network application and operating system type, and the client's operating system type is confirmed through the relations between domain name, URL, JA3 and operating system type.
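The matching flow S410 to S470 described above, written out as an added Python example; this is not the patent's own code. The fingerprint tables, the `Packet` fields and the sample capture are constructed for the example, and the two fallback rules marked "assumption" (what to do when a stage yields no match) are mine, because the text only specifies the consistent and inconsistent cases. The same comparison rules are the ones restated in claims 3 and 9.

```python
"""Added example: three-reference passive OS inference over constructed packets."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Stage one (S440): (initial TTL, TCP window size) -> OS. Constructed values.
STACK_TABLE = {(128, 65535): "windows", (64, 65535): "macos", (64, 29200): "linux"}
# Stage two (S450): tables from steps three to five above. Constructed entries.
DOMAIN_TABLE = {"update.microsoft.com": "windows", "swscan.apple.com": "macos",
                "security.ubuntu.com": "linux"}
URL_TABLE = {"/windowsupdate/": "windows", "/ubuntu/dists/": "linux"}
JA3_TABLE = {"e7d705a3286e19ea42f587b344ee6865": "windows"}   # constructed hash
# Stage three (S460): update domains, response field -> application -> OS.
UPDATE_DOMAINS = {"update.microsoft.com": "windows", "swscan.apple.com": "macos",
                  "security.ubuntu.com": "linux"}
RESPONSE_TABLE = {"Microsoft-IIS": "IIS", "Apache": "Apache"}   # Server header prefix
APP_TABLE = {"IIS": "windows", "Apache": "linux"}               # step three above


@dataclass
class Packet:
    """Fields already parsed out of one captured packet (constructed input)."""
    src_ip: str
    ttl: int
    window: int
    kind: str                                   # "dns", "http", "https" or "other"
    app: Dict[str, str] = field(default_factory=dict)


def initial_ttl(ttl: int) -> int:
    """Round an observed TTL up to the nearest common initial value."""
    return next(t for t in (64, 128, 255) if t >= ttl)


def first_reference(p: Packet) -> Optional[str]:
    """S440: network + transport layer lookup (TTL and window size)."""
    return STACK_TABLE.get((initial_ttl(p.ttl), p.window))


def second_reference(p: Packet) -> Optional[str]:
    """S450: application layer lookup keyed on the packet type."""
    if p.kind == "dns":
        return DOMAIN_TABLE.get(p.app.get("qname", ""))
    if p.kind == "http":
        path = p.app.get("path", "")
        return DOMAIN_TABLE.get(p.app.get("host", "")) or next(
            (os_ for prefix, os_ in URL_TABLE.items() if path.startswith(prefix)), None)
    if p.kind == "https":
        return DOMAIN_TABLE.get(p.app.get("sni", "")) or JA3_TABLE.get(p.app.get("ja3", ""))
    return None


def third_reference(p: Packet) -> Optional[str]:
    """S460: traffic characteristic (update domain, or response field -> app -> OS)."""
    for key in ("qname", "host", "sni"):
        if p.app.get(key) in UPDATE_DOMAINS:
            return UPDATE_DOMAINS[p.app[key]]
    server = p.app.get("server", "")
    for marker, app_name in RESPONSE_TABLE.items():
        if server.startswith(marker):
            return APP_TABLE.get(app_name)
    return None


def classify(p: Packet) -> Optional[str]:
    """Apply the comparison rules of S440-S470 (claims 3 and 9) to one packet."""
    if p.kind == "other":
        return None                     # S430 -> S480: no application layer information
    r1, r2 = first_reference(p), second_reference(p)
    # Consistent -> either; inconsistent -> the second (application layer) wins.
    # Assumption: with no application layer hit, fall back to the stack result.
    target = r2 if r2 is not None else r1
    r3 = third_reference(p)
    # Third reference agreeing with target confirms it; otherwise target stands.
    # Assumption: when nothing above matched, take the third reference alone.
    return target if target is not None else r3


def identify(packets: List[Packet]) -> Dict[str, str]:
    """Bind each client IP to its final OS type (latest confident verdict wins)."""
    result: Dict[str, str] = {}
    for p in packets:
        verdict = classify(p)
        if verdict:
            result[p.src_ip] = verdict
    return result


SAMPLE = [  # constructed capture, one hop away from the gateway
    Packet("10.0.0.5", 127, 65535, "dns", {"qname": "update.microsoft.com"}),
    Packet("10.0.0.7", 63, 29200, "http", {"host": "security.ubuntu.com",
                                            "path": "/ubuntu/dists/jammy/InRelease"}),
    # Stack fingerprint says windows, SNI says macos: the application layer wins.
    Packet("10.0.0.9", 127, 65535, "https", {"sni": "swscan.apple.com"}),
    # No stack match and no request line; only the Server response field helps.
    Packet("10.0.0.11", 128, 8192, "http", {"server": "Microsoft-IIS/10.0"}),
    Packet("10.0.0.13", 64, 29200, "other"),
]

if __name__ == "__main__":
    for ip, os_name in identify(SAMPLE).items():
        print(ip, "->", os_name)
```

The host 10.0.0.9 shows why the ordering matters: a TTL/window pair can collide across operating systems, whereas an update domain or JA3 value is tied to a specific client stack, so the application layer result overrides the stack result rather than the other way round.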
The method embodiment having been described, an apparatus for identifying an operating system type is described next.
As shown in fig. 5, some embodiments of the present application provide an apparatus 500 for identifying an operating system type, comprising a message monitoring module 510, a message parsing module 520 and a type confirmation module 530.
In some embodiments of the present application, the apparatus 500 for identifying an operating system type comprises: a message monitoring module 510 configured to obtain a packet of a target type sent by a client by monitoring network traffic data; a message parsing module 520 configured to parse application layer packet information to obtain application layer packet content, where the application layer packet information is the information corresponding to the application layer of the packet; and a type confirmation module 530 configured to determine the target operating system type of the client at least from the application layer packet content.
In some embodiments of the present application, the message parsing module 520 is further configured to screen the monitored network traffic data to obtain the packet of the target type.
In some embodiments of the present application, the type confirmation module 530 is further configured to: obtain the transport layer and network layer content of the packet and determine the client's operating system type from them as a first reference operating system; determine the client's operating system type from the application layer content as a second reference operating system; if the first and second reference operating systems are of the same type, take either as the target operating system type; otherwise take the second reference operating system as the target operating system type, so that the application layer evidence overrides the protocol stack fingerprint.
In some embodiments of the present application, the type confirmation module 530 is further configured to: extract at least one piece of target information carried by the application layer packet according to the type of its content, the type being a DNS packet, an HTTP packet or an HTTPS packet; and look the target information up in a target information to operating system mapping table to determine the client's operating system type as the second reference operating system, the table recording the correspondence between the pieces of target information and the reference operating system types.
In some embodiments of the present application, the type is a DNS packet and the target information to operating system mapping table is a domain name mapping table; the message parsing module 520 is further configured to extract a first request domain name from the DNS packet; the type confirmation module 530 is further configured to look the first request domain name up in the domain name mapping table and confirm the corresponding second reference operating system type; the domain name mapping table represents the correspondence between domain names and second reference operating system types.
In some embodiments of the present application, the type is an HTTP packet and the target information to operating system mapping table is a domain name mapping table together with a resource location mapping table; the message parsing module 520 is further configured to extract a second request domain name and a resource locator (URL) from the request line and headers of the HTTP packet; the type confirmation module 530 is further configured to look the second request domain name and the resource locator up in the domain name mapping table and the resource location mapping table and confirm the corresponding second reference operating system type; the resource location mapping table represents the correspondence between resource locators and second reference operating system types.
In some embodiments of the present application, the type of the application layer information is an HTTPS packet and the target information to operating system mapping table is a domain name mapping table; the message parsing module 520 is further configured to extract a third request domain name from the certificate information of the HTTPS packet; the type confirmation module 530 is further configured to look the third request domain name up in the domain name mapping table and confirm the corresponding second reference operating system type.
In some embodiments of the present application, the type of the application layer information is an HTTPS packet and the target information to operating system mapping table is a fingerprint ("encryption information") mapping table; the message parsing module 520 is further configured to extract the fields to be fingerprinted from the HTTPS packet's ClientHello, at least the security protocol version, and to hash them into a fingerprint value in the manner of JA3 (the "encrypting" of the original text); the type confirmation module 530 is further configured to look the fingerprint value up in the fingerprint mapping table and confirm the corresponding second reference operating system type; the fingerprint mapping table represents the mapping between fingerprint values and second reference operating system types.
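The HTTPS handling above, as an added Python example that is not the patent's code: it assembles a TLS ClientHello (constructed input, built by `build_client_hello`) and then recovers from the raw record the two pieces of target information a gateway can read without decrypting anything, the JA3 fingerprint (MD5 over client version, cipher suites, extension types, supported groups and point formats, GREASE values dropped) and the server_name (SNI). The SNI is the practical source of the HTTPS domain name: with TLS 1.3 the server certificate is sent encrypted, so the certificate based extraction described above only works for TLS 1.2 and earlier.

```python
"""Added example: JA3 fingerprint and SNI from a constructed TLS ClientHello."""
import hashlib
import struct
from typing import Dict, List, Tuple

# GREASE values (RFC 8701) vary per connection and must not enter the fingerprint.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}


def _ext(ext_type: int, body: bytes) -> bytes:
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(ciphers: List[int], extensions: List[Tuple[int, bytes]],
                       version: int = 0x0303) -> bytes:
    """Assemble a TLS record carrying a ClientHello (constructed test input)."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"     # version, random, no session id
    suites = b"".join(struct.pack("!H", c) for c in ciphers)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                         # one compression method: null
    exts = b"".join(_ext(t, b) for t, b in extensions)
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _u16s(data: bytes) -> List[int]:
    return [int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data) - 1, 2)]


def parse_client_hello(record: bytes) -> Dict[str, object]:
    """Return the JA3 string, its MD5 and the SNI from a raw TLS handshake record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    b = record[9:9 + hs_len]
    version = int.from_bytes(b[0:2], "big")
    pos = 2 + 32                                  # skip client_version and random
    pos += 1 + b[pos]                             # session id
    cs_len = int.from_bytes(b[pos:pos + 2], "big"); pos += 2
    ciphers = _u16s(b[pos:pos + cs_len]); pos += cs_len
    pos += 1 + b[pos]                             # compression methods
    exts, groups, formats, sni = [], [], [], None
    if pos + 2 <= len(b):
        end = pos + 2 + int.from_bytes(b[pos:pos + 2], "big"); pos += 2
        while pos + 4 <= end:
            et, el = struct.unpack("!HH", b[pos:pos + 4])
            data = b[pos + 4:pos + 4 + el]; pos += 4 + el
            exts.append(et)
            if et == 0 and len(data) >= 5 and data[2] == 0:        # server_name, host_name
                sni = data[5:5 + int.from_bytes(data[3:5], "big")].decode("ascii", "replace")
            elif et == 10:                                         # supported_groups
                groups = _u16s(data[2:2 + int.from_bytes(data[:2], "big")])
            elif et == 11:                                         # ec_point_formats
                formats = list(data[1:1 + data[0]])

    def clean(values: List[int]) -> str:
        return "-".join(str(v) for v in values if v not in GREASE)

    ja3 = ",".join([str(version), clean(ciphers), clean(exts), clean(groups), clean(formats)])
    return {"ja3": ja3, "ja3_hash": hashlib.md5(ja3.encode()).hexdigest(), "sni": sni}


def sample_hello() -> bytes:
    """Constructed ClientHello with GREASE entries that the fingerprint must drop."""
    name = b"update.microsoft.com"
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name
    return build_client_hello(
        ciphers=[0x0A0A, 0x1301, 0x1302, 0xC02F],
        extensions=[
            (0x0A0A, b""),                                          # GREASE extension
            (0, struct.pack("!H", len(sni_entry)) + sni_entry),     # server_name
            (10, b"\x00\x06\x0a\x0a\x00\x1d\x00\x17"),               # groups: GREASE, x25519, secp256r1
            (11, b"\x01\x00"),                                       # point format: uncompressed
            (13, b"\x00\x04\x04\x03\x08\x04"),                       # signature_algorithms
        ])


if __name__ == "__main__":
    print(parse_client_hello(sample_hello()))
```

The resulting JA3 string is `771,4865-4866-49199,0-10-11-13,29-23,0`; the GREASE cipher, extension and group are absent, which is what makes the MD5 stable across connections from the same client stack and therefore usable as a key in the fingerprint mapping table.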
In some embodiments of the present application, the type confirmation module 530 is further configured to: acquire a network traffic characteristic value of the client; look it up in a network information to operating system type mapping table to find the client's operating system as a third reference operating system, the table representing the correspondence between various kinds of network information and a plurality of operating system types; if the third reference operating system is consistent with the target operating system type, take the third reference operating system as the final target operating system type; otherwise the target operating system type already determined stands as the final target operating system type.
In some embodiments of the present application, the network traffic characteristic value includes the domain name of a website that an application program on the client accesses during an update operation; the message monitoring module 510 is configured to extract from the application layer packet content the domain name of the website accessed by the application program during the update operation; the type confirmation module is further configured to look the domain name up in the network information to operating system type mapping table and confirm the client's operating system as the third reference operating system.
In some embodiments of the present application, the network traffic characteristic value is a response field triggered while the client is sending packets; the message monitoring module 510 is configured to extract the response field from the application layer packet content; the type confirmation module is further configured to look the response field up in the network information to operating system type mapping table to confirm the corresponding application name, and then look the application name up in an application name to operating system type mapping table to determine the client's operating system as the third reference operating system, the application name to operating system type mapping table representing the mapping between application names and operating system types.
In some embodiments of the present application, the type confirmation module 530 is further configured to bind the client to its operating system according to the client's identifying information, the operating system being represented by the target operating system type.
In the embodiment of the present application, the module shown in fig. 5 can implement each process in the method embodiments of fig. 1 to 4. The operations and/or functions of the respective modules in fig. 5 are respectively for implementing the corresponding flows in the method embodiments in fig. 1 to 4. Reference may be made specifically to the description of the above method embodiments, and a detailed description is appropriately omitted herein to avoid redundancy.
As shown in fig. 6, an embodiment of the present application provides an electronic device 600 comprising a processor 610, a memory 620 and a bus 630, wherein the processor is connected to the memory through the bus, the memory stores computer readable instructions, and the method of any of the above embodiments is implemented when the computer readable instructions are executed by the processor.
The bus is used for direct connection communication between the components. The processor in the embodiment of the present application may be an integrated circuit chip with signal processing capability. The processor may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP) and the like; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, or discrete hardware components, and may implement or perform the methods, steps and logic blocks disclosed in the embodiments of the present application. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor.
The memory may be, but is not limited to, random access memory (RAM), read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM) and the like. The memory stores computer readable instructions that, when executed by the processor, perform the methods of the embodiments described above.
It will be appreciated that the configuration shown in fig. 6 is merely illustrative and may include more or fewer components than shown in fig. 6 or have a different configuration than shown in fig. 6. The components shown in fig. 6 may be implemented in hardware, software, or a combination thereof.
Embodiments of the present application further provide a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed, the method in any of the above-mentioned all embodiments is implemented, in particular, refer to the description in the above-mentioned method embodiments, and a detailed description is appropriately omitted here to avoid redundancy.
The above description is only a preferred embodiment of the present application and is not intended to limit the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application. It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (16)

1. A method of identifying an operating system type, the method comprising:
acquiring a packet of a target type sent by a client by monitoring network traffic data;
parsing application layer packet information to obtain application layer packet content, wherein the application layer packet information is the information corresponding to the application layer of the packet; and
determining the target operating system type of the client according to the application layer packet content.
2. The method of claim 1, wherein, before parsing the application layer packet information to obtain the application layer packet content, the method further comprises:
screening the monitored network traffic data to obtain the packet of the target type.
3. The method of claim 2, wherein determining the target operating system type of the client at least from the application layer packet content comprises:
acquiring transport layer packet content and network layer packet content from the packet, and determining the operating system type of the client from the transport layer packet content and the network layer packet content as a first reference operating system;
determining the operating system type of the client from the application layer packet content as a second reference operating system; and
if the first reference operating system and the second reference operating system are of the same type, taking either of them as the target operating system type; or, if the first reference operating system and the second reference operating system are determined not to be of the same type, taking the second reference operating system as the target operating system type.
4. The method of claim 3, wherein the determining the operating system type of the client as a second reference operating system according to the application layer packet content comprises:
extracting at least one piece of target information carried by the application layer message according to the type of the application layer message content, wherein the type of the application layer message content comprises a DNS message, an HTTP message or an HTTPS message;
and searching a target information and operating system mapping table according to the at least one piece of target information, and determining that the operating system type of the client is the second reference operating system, wherein the target information and operating system mapping table is used for recording the corresponding relation between a plurality of pieces of target information and the types of reference operating systems.
5. The method according to claim 4, wherein the type of the application layer packet content is a DNS packet, and the target information and operating system mapping table is a domain name mapping table;
the extracting at least one target information carried by the application layer message includes:
extracting a first request domain name in the DNS message;
the searching the target information and the operating system mapping table according to the at least one target information and determining that the operating system type of the client is the second reference operating system includes:
searching the first request domain name in the domain name mapping table, and confirming a corresponding second reference operating system;
the domain name mapping table is used for representing the corresponding relation between the domain name and the type of the second reference operating system.
6. The method according to claim 4, wherein the type of the application layer packet content is an HTTP packet, and the target information to operating system mapping table is a domain name mapping table and a resource location mapping table;
the extracting at least one piece of target information carried by the application layer packet comprises:
extracting a second request domain name and a resource locator from the request line and headers of the HTTP packet;
the searching the target information to operating system mapping table according to the at least one piece of target information and determining the operating system type of the client as the second reference operating system comprises:
looking the second request domain name and the resource locator up in the domain name mapping table and the resource location mapping table, and confirming the corresponding second reference operating system;
the resource location mapping table represents the correspondence between resource locators and the second reference operating system.
7. The method according to claim 4, wherein the type of the application layer packet content is an HTTPS packet, and the target information to operating system mapping table is a domain name mapping table;
the extracting at least one target information carried by the application layer message includes:
extracting a third request domain name from the certificate information of the HTTPS message;
the searching the target information and the operating system mapping table according to the at least one target information and determining that the operating system type of the client is the second reference operating system includes:
and searching the third request domain name in the domain name mapping table, and confirming the corresponding second reference operating system.
8. The method according to claim 4, wherein the type of the application layer packet content is an HTTPS packet, and the target information to operating system mapping table is an encryption information mapping table;
the extracting at least one target information carried by the application layer message includes:
extracting information to be encrypted in the HTTPS message, wherein the information to be encrypted at least comprises a security protocol;
encrypting the information to be encrypted to generate encrypted information;
the searching the target information and the operating system mapping table according to the at least one target information and determining that the operating system type of the client is the second reference operating system includes:
searching the encrypted information in an encrypted information mapping table, and confirming the corresponding second reference operating system;
the encryption information mapping table is used for representing the mapping relation between the encryption information and the second reference operating system.
9. The method according to any one of claims 1 to 8, wherein determining the target operating system type of the client at least from the application layer packet content further comprises:
acquiring a network traffic characteristic value of the client;
looking the network traffic characteristic value up in a network information to operating system type mapping table to find the operating system of the client as a third reference operating system, wherein the network information to operating system type mapping table represents the correspondence between various kinds of network information and a plurality of operating system types; and
if the third reference operating system is consistent with the target operating system type, taking the third reference operating system as the final target operating system type; or, if the third reference operating system is not consistent with the target operating system type, determining the target operating system type already obtained as the final target operating system type of the client.
10. The method of claim 9, wherein the network traffic characteristic value comprises the domain name of a website accessed by an application program on the client during an update operation;
the acquiring the network traffic characteristic value of the client comprises:
extracting from the application layer packet content the domain name of the website accessed by the application program during the update operation;
the looking the network traffic characteristic value up in the network information to operating system type mapping table to find the operating system of the client as the third reference operating system comprises:
looking the domain name up in the network information to operating system type mapping table, and confirming the operating system of the client as the third reference operating system.
11. The method according to claim 9, wherein the network traffic characteristic value is a response field triggered while the client is sending packets;
the acquiring the network traffic characteristic value of the client comprises:
extracting the response field from the application layer packet content;
the looking the network traffic characteristic value up in the network information to operating system type mapping table to find the operating system of the client as the third reference operating system comprises:
looking the response field up in the network information to operating system type mapping table, and confirming the corresponding application name; and
looking the application name up in an application name to operating system type mapping table, and confirming the operating system of the client as the third reference operating system, wherein the application name to operating system type mapping table represents the mapping between application names and operating system types.
12. The method of claim 11, wherein after determining the target operating system type for the client based at least on the application layer packet content, the method further comprises:
and binding the client and an operating system according to the representation information of the client, wherein the operating system is represented by the type of the final target operating system.
13. A system for identifying a type of operating system, the system comprising:
a client configured to transmit network traffic data;
a gateway device configured to monitor the network traffic data of the client and perform the method of identifying the operating system type according to any one of claims 1 to 12 based on the monitoring result.
14. An apparatus for identifying operating system information, the apparatus comprising:
the message monitoring module is configured to acquire a message of a target type sent by the client by monitoring network traffic data;
the message analysis module is configured to analyze application layer message information to obtain application layer message content, wherein the application layer message information is information corresponding to an application layer of the message;
a type confirmation module configured to determine a target operating system type of the client based at least on the application layer packet content.
15. An electronic device, comprising: a processor, a memory, and a bus;
the processor is connected to the memory via the bus, the memory storing computer readable instructions for implementing the method of any one of claims 1-12 when the computer readable instructions are executed by the processor.
16. A computer-readable storage medium, having stored thereon a computer program which, when executed, implements the method of any one of claims 1-12.
CN202111493749.0A 2021-12-08 2021-12-08 Method, system, device, equipment and medium for identifying type of operating system Pending CN114172980A (en)

Application number: CN202111493749.0A (priority date and filing date 2021-12-08)
Publication: CN114172980A, published 2022-03-11
Family ID: 80484345
Country: CN
Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130268357A1 (en) * 2011-09-15 2013-10-10 Stephan HEATH Methods and/or systems for an online and/or mobile privacy and/or security encryption technologies used in cloud computing with the combination of data mining and/or encryption of user's personal data and/or location data for marketing of internet posted promotions, social messaging or offers using multiple devices, browsers, operating systems, networks, fiber optic communications, multichannel platforms
CN105959321A (en) * 2016-07-13 2016-09-21 中国人民解放军理工大学 Passive identification method and apparatus for network remote host operation system
CN106789934A (en) * 2016-11-29 2017-05-31 北京神州绿盟信息安全科技股份有限公司 A kind of network equipment recognition methods and system
CN110336896A (en) * 2019-07-17 2019-10-15 山东中网云安智能科技有限公司 A kind of lan device kind identification method
CN110868409A (en) * 2019-11-08 2020-03-06 中国科学院信息工程研究所 Passive operating system identification method and system based on TCP/IP protocol stack fingerprint
CN111181967A (en) * 2019-12-30 2020-05-19 奇安信科技集团股份有限公司 Data stream identification method and device, electronic equipment and medium
CN111565203A (en) * 2020-07-16 2020-08-21 腾讯科技(深圳)有限公司 Method, device and system for protecting service request and computer equipment
CN112039853A (en) * 2020-08-11 2020-12-04 深信服科技股份有限公司 Asset identification method and device for local area network, equipment and readable storage medium
CN112653657A (en) * 2020-07-03 2021-04-13 深圳市唯特视科技有限公司 Network data analysis and fusion method, system, electronic equipment and storage medium
CN113507471A (en) * 2021-07-12 2021-10-15 深圳市共进电子股份有限公司 Method, device, router and storage medium for acquiring terminal system type

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116915653A (en) * 2023-09-11 2023-10-20 北京格尔国信科技有限公司 Method and system for detecting number of devices based on network address conversion
CN116915653B (en) * 2023-09-11 2024-02-02 北京格尔国信科技有限公司 Method and system for detecting number of devices based on network address conversion

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination