CN114338126A - Network application identification method and device - Google Patents


Info

Publication number: CN114338126A
Authority: CN (China)
Prior art keywords: traffic, identified, network, network traffic, information
Legal status: Pending
Application number: CN202111598440.8A
Other languages: Chinese (zh)
Inventor: 张欢
Current assignee: Wuhan Sipuling Technology Co Ltd
Original assignee: Wuhan Sipuling Technology Co Ltd
Application filed by Wuhan Sipuling Technology Co Ltd; priority to CN202111598440.8A; published as CN114338126A

Abstract

The application provides a network application identification method and apparatus, comprising the following steps: acquiring network traffic to be identified, where the network traffic to be identified comprises a plurality of payload packets; detecting a payload packet of the network traffic to be identified and determining the traffic type of the network traffic to be identified; when the network traffic to be identified is detected to be encrypted traffic, acquiring domain name information or certificate information of the network traffic to be identified from a payload packet of that traffic; and acquiring the network application name corresponding to the network traffic to be identified from the domain name information or the certificate information by using a preset encrypted traffic identification algorithm. Because the method and apparatus distinguish encrypted traffic from unencrypted traffic and identify applications separately for each, the length of the inspected payload packets and the number of payload packets inspected can be reduced, CPU (Central Processing Unit) consumption is reduced, and identification efficiency is greatly improved.

Description

Network application identification method and device
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method and an apparatus for identifying a network application.
Background
With the rapid development of network communication technology, the functions of network applications are more and more diversified. The number of applications on the current network is growing, their scale is large, their architecture is complex, they are updated very quickly, and the security problems of the Internet are increasingly severe. Application identification refers to determining the application that generated the traffic by analyzing the user's traffic data. Through application identification, suspicious application programs can be found in time, and the security of a user's network is effectively ensured. Application identification is therefore an important link in ensuring network security.
Due to the strengthening of security and privacy protection for user information, more and more network applications on PCs and mobile terminals use encrypted traffic to protect data content when transmitting data, and the Secure Sockets Layer protocol (SSL) is currently the most widely used secure network data transmission protocol; for example, when information is sent out from a Google server, a data flow encrypted with the SSL protocol is used. Whether encrypted or unencrypted traffic is used, performing application identification on network traffic to identify the corresponding application program has become an important means in the field of network security.
However, the inventors of the present application have found that existing application identification technology cannot distinguish whether network traffic is encrypted or unencrypted during transmission, and identifies the application program corresponding to the traffic by querying the traffic's payload packets one after another. In the prior art, during identification, the queried payload packets are long, many payload packets are queried, CPU consumption is high, and identification efficiency is low.
Disclosure of Invention
The application provides a network application identification method and apparatus, and aims to solve the problems in the prior art that, when an application is identified, CPU consumption is high and identification efficiency is low.
To solve this technical problem, the embodiments of the application disclose the following technical solutions:
In a first aspect, the present application provides a network application identification method, including:
acquiring network traffic to be identified, where the network traffic to be identified comprises a plurality of payload packets;
detecting a payload packet of the network traffic to be identified, and determining the traffic type of the network traffic to be identified;
when the network traffic to be identified is detected to be encrypted traffic, acquiring domain name information or certificate information of the network traffic to be identified from a payload packet of the network traffic to be identified;
and acquiring the network application name corresponding to the network traffic to be identified from the domain name information or the certificate information by using a preset encrypted traffic identification algorithm.
In some implementations, detecting the payload packet of the network traffic to be identified includes:
inputting the first payload packet of the network traffic to be identified into a preset traffic identification algorithm, and determining the characteristic type of the traffic characteristic in the first payload packet; if the characteristic type of the traffic characteristic is an encrypted characteristic, the network traffic to be identified is encrypted traffic; and if the characteristic type of the traffic characteristic is an unencrypted characteristic, the network traffic to be identified is unencrypted traffic.
In some implementations, obtaining domain name information or certificate information of the network traffic to be identified from a payload packet of the network traffic to be identified includes:
detecting the first payload packet of the network traffic to be identified;
when the first payload packet is a Client Hello message, decoding the Client Hello message and extracting domain name information, where the domain name information comprises the domain name length;
and when the first payload packet is a Certificate message, decoding the Certificate message and extracting certificate information, where the certificate information comprises the certificate length.
In some implementations, if domain name information or certificate information is acquired from the first payload packet, the step of acquiring the network application name corresponding to the network traffic to be identified is performed;
if domain name information or certificate information is not obtained from the first payload packet, domain name information or certificate information of the network traffic to be identified is obtained from the second payload packet, and the network application name is obtained from that domain name information or certificate information;
and if domain name information or certificate information of the network traffic to be identified is not obtained from the second payload packet either, obtaining domain name information or certificate information of the network traffic to be identified from the next payload packet continues until a preset Nth payload packet is reached.
In some implementations, before the first payload packet is input into the preset traffic identification algorithm, the transport protocol of the first payload packet is detected;
if the transport protocol of the first payload packet is UDP, the network traffic to be identified is determined to be unencrypted traffic; and if the transport protocol of the first payload packet is TCP, the first payload packet is input into the preset traffic identification algorithm.
In some implementations, when the network traffic to be identified is detected to be unencrypted traffic, the first payload packet is identified with a preset unencrypted traffic identification algorithm to obtain the network application name corresponding to the network traffic to be identified.
In some implementations, obtaining the network application name corresponding to the network traffic to be identified from the domain name information or the certificate information by using a preset encrypted traffic identification algorithm includes:
inputting the domain name information or the certificate information into the preset encrypted traffic identification algorithm to obtain a matching result;
if the matching result is a network application name, determining the matching result to be the network application name corresponding to the network traffic to be identified; and if the matching result is not a network application name, performing no further processing.
In some implementations, a first correspondence between the network application names and traffic characteristics of encrypted traffic network applications is counted in advance, and the preset encrypted traffic identification algorithm is generated from the first correspondence;
and a second correspondence between the network application names and traffic characteristics of unencrypted traffic network applications is counted in advance, and the preset unencrypted traffic identification algorithm is generated from the second correspondence.
In a second aspect, the present application provides a network application identification apparatus, including:
a traffic acquisition module configured to acquire network traffic to be identified, where the network traffic to be identified comprises a plurality of payload packets;
a traffic type determination module configured to detect a payload packet of the network traffic to be identified and determine the traffic type of the network traffic to be identified;
an information acquisition module configured to acquire domain name information or certificate information of the network traffic to be identified from a payload packet of the network traffic to be identified when the network traffic to be identified is detected to be encrypted traffic;
and an identification module configured to acquire the network application name corresponding to the network traffic to be identified from the domain name information or the certificate information by using a preset encrypted traffic identification algorithm.
In some implementations, the traffic type determination module is configured to:
input the first payload packet of the network traffic to be identified into a preset traffic identification algorithm and determine the characteristic type of the traffic characteristic in the first payload packet; if the characteristic type of the traffic characteristic is an encrypted characteristic, the network traffic to be identified is encrypted traffic; and if the characteristic type of the traffic characteristic is an unencrypted characteristic, the network traffic to be identified is unencrypted traffic.
According to the above technical solutions, the application provides a network application identification method and apparatus, the method comprising: acquiring network traffic to be identified, where the network traffic to be identified comprises a plurality of payload packets; detecting the first payload packet of the network traffic to be identified and determining the traffic type of the network traffic to be identified; when the network traffic to be identified is detected to be encrypted traffic, acquiring domain name information or certificate information from the first payload packet; and acquiring the network application name corresponding to the network traffic to be identified from the domain name information or the certificate information by using a preset encrypted traffic identification algorithm. By distinguishing encrypted traffic from unencrypted traffic, application identification is performed separately for each. When encrypted traffic is identified, the domain name information and certificate information of the traffic can be acquired as the detection data for encrypted traffic identification, and the number of encrypted traffic detection messages is bounded, so the length of the encrypted traffic detection payload packets and the number of such packets are reduced, CPU consumption is reduced, and identification efficiency is greatly improved.
Drawings
In order to more clearly explain the technical solution of the present application, the drawings needed to be used in the embodiments will be briefly described below, and it is obvious to those skilled in the art that other drawings can be obtained according to the drawings without any creative effort.
Fig. 1 is an overall flowchart of a network application identification method according to an embodiment of the present application;
Fig. 2 is a flow diagram for generating an application matching algorithm in some embodiments;
Fig. 3 is an overall schematic diagram of a network application identification apparatus according to an embodiment of the present application.
Detailed Description
Reference will now be made in detail to embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following examples do not represent all embodiments consistent with the present application; they are merely examples of systems and methods consistent with certain aspects of the application, as recited in the claims.
All other embodiments that a person skilled in the art can derive from the exemplary embodiments described herein without inventive effort are intended to fall within the scope of the appended claims. In addition, while the disclosure herein has been presented in terms of one or more exemplary examples, it should be appreciated that aspects of the disclosure may also be implemented on their own as a complete embodiment.
It should be noted that the brief descriptions of the terms in the present application are only for the convenience of understanding the embodiments described below, and are not intended to limit the embodiments of the present application. These terms should be understood in their ordinary and customary meaning unless otherwise indicated.
The terms "first," "second," "third," and the like in the description and claims of this application and in the above-described drawings are used for distinguishing between similar or analogous objects or entities and are not necessarily intended to limit the order or sequence of any particular one, unless otherwise indicated. It is to be understood that the terms so used are interchangeable under appropriate circumstances, such that the embodiments described herein are, for example, capable of operation in sequences other than those illustrated or otherwise described herein.
Furthermore, the terms "comprises" and "comprising," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a product or device that comprises a list of elements is not necessarily limited to those elements explicitly listed, but may include other elements not expressly listed or inherent to such product or device.
The term "module," as used herein, refers to any known or later developed hardware, software, firmware, artificial intelligence, fuzzy logic, or combination of hardware and/or software code that is capable of performing the functionality associated with that element.
Due to the strengthening of information security and privacy protection for users, more and more network applications on PCs and mobile terminals use encrypted traffic to protect data content when transmitting data; for example, when information is sent out from a Google server, a data flow encrypted with the SSL protocol is used. Whether encrypted or unencrypted traffic is used, performing application identification on network traffic to identify the corresponding application program has become an important means in the field of network security. However, the inventors of the present application have found that existing application identification technology cannot distinguish whether network traffic is encrypted or unencrypted during transmission, and identifies the application program corresponding to the traffic by querying the traffic's payload packets one after another. In the prior art, during identification, the queried payload packets are long, many payload packets are queried, CPU consumption is high, and identification efficiency is low.
A user terminal has a number of network applications installed; when the user uses these applications, network traffic is generated and sent out in the form of traffic messages, which may be sent to a server or to other user terminals.
Network traffic may be transmitted in encrypted or unencrypted form. The transport protocols used differ between the two modes of transmission.
When network traffic is transmitted in encrypted form, SSL (Secure Sockets Layer), currently the most widely used secure network data transmission protocol, may be used.
TLS (Transport Layer Security) is the successor to SSL and is used to provide confidentiality and data integrity between two communicating applications.
SSL and TLS are security protocols that provide confidentiality and data integrity for network communications. TLS and SSL encrypt the network connection between the transport layer and the application layer, and thereby realize encrypted transmission of network traffic.
When network traffic is transmitted in unencrypted form, UDP (User Datagram Protocol) may be used; UDP is a connectionless transport layer protocol in the OSI (Open Systems Interconnection) reference model that provides a simple, unreliable, transaction-oriented message transfer service.
TCP (Transmission Control Protocol) is a connection-oriented, reliable, byte-stream-based transport layer communication protocol, and is also an unencrypted transport protocol.
Referring to Fig. 1, an overall flowchart of the network application identification method provided in the embodiment of the present application is shown.
Network traffic may be transmitted in the form of several payload packets. The amount of data contained in each payload packet may be the same, and each network traffic flow may have a different number of payload packets depending on how much data it carries.
Identifying network traffic means identifying the payload packets included in each network traffic flow.
In the embodiment of the present application, an application program that transmits network traffic in encrypted form may be referred to as an encrypted traffic network application, and the traffic characteristics in network traffic transmitted by encrypted traffic network applications may be referred to as encrypted characteristics. In particular, a traffic characteristic in network traffic may be understood as a combination of strings used to confirm the application, for example, for Baidu search traffic, the host field, the "com" string and the URL, or the domain name of the traffic, and so on.
An application program that transmits network traffic in unencrypted form may be referred to as an unencrypted traffic network application, and the traffic characteristics in network traffic transmitted by unencrypted traffic network applications may be referred to as unencrypted characteristics.
In some embodiments, the network applications may be counted in advance. Specifically, a number of application programs and the traffic characteristics of the network traffic corresponding to each application program may be obtained from the network, or may be obtained by a person skilled in the relevant art.
Statistics may be compiled on these applications to distinguish encrypted applications from unencrypted ones.
Specifically, all encrypted traffic network applications may be screened out, the network application names and traffic characteristics of the encrypted traffic network applications counted, and a correspondence generated, referred to in this embodiment as the first correspondence. It should be noted that the transport protocol of an encrypted traffic network application may be TLS/SSL, and therefore the encrypted traffic identification algorithm may be generated from the first correspondence.
For the unencrypted traffic network applications, the network application name and traffic characteristics of each may be counted and a correspondence generated. It should be noted that, since the protocol of unencrypted traffic may be UDP or TCP during transmission, the transport protocol corresponding to the network traffic of each unencrypted traffic network application may be counted as well in order to distinguish between the two transport protocols. With each transport protocol distinguished, a second correspondence between the network application names and traffic characteristics of the unencrypted traffic network applications is generated, and the preset unencrypted traffic identification algorithm is generated from the second correspondence.
Fig. 2 illustrates a flow diagram for generating an application matching algorithm in some embodiments. Alternatively, instead of screening out the encrypted traffic network applications, all application programs may be counted directly, and the correspondence between the network application name, traffic characteristic and transport protocol of each application program determined, while classifying the applications by transport protocol. For example: application program A - traffic characteristic a - transport protocol TLS/SSL; application program B - traffic characteristic b - transport protocol UDP; application program C - traffic characteristic c - transport protocol TCP. These represent the correspondences of the application programs under the three transport protocols.
After classification by transport protocol, the traffic characteristics under the same transport protocol can be compiled into a matching algorithm used for application identification. For example, a TCP application matching algorithm may be generated from the traffic characteristics under the TCP transport protocol. When the network application name of an application using TCP is input into the matching algorithm, the traffic characteristic corresponding to that application is obtained; when a traffic characteristic is input into the matching algorithm, the network application name corresponding to that traffic characteristic is obtained.
Thus a TLS/SSL application matching algorithm, a TCP application matching algorithm and a UDP application matching algorithm are available. The TLS/SSL application matching algorithm can serve as the preset encrypted traffic identification algorithm, and the TCP and UDP application matching algorithms can serve as the preset unencrypted traffic identification algorithm.
In some embodiments, application identification may be performed on network traffic. Specifically, the network traffic to be identified may be obtained first. It should be noted that the network traffic to be identified comprises a plurality of payload packets, and the number of payload packets is determined by the data volume of the network traffic.
Application identification of network traffic means identifying the payload packets of the network traffic.
In some embodiments, when identifying the network traffic to be identified, in order to avoid querying a large number of payload packets and a high CPU consumption, the traffic type of the network traffic to be identified may be determined first, that is, whether the network traffic to be identified is encrypted traffic or unencrypted traffic. A payload packet of the network traffic to be identified can be detected in order to determine the traffic type.
Specifically, the first payload packet of the network traffic to be identified may be detected in order to determine the traffic type of the network traffic to be identified. It should be noted that when the first payload packet contains the encrypted characteristic, the entire network traffic may be treated as encrypted traffic. Therefore, the traffic characteristic contained in the first payload packet may be determined, and the characteristic type of that traffic characteristic then detected. If the characteristic type is the encrypted characteristic, the network traffic to be identified is encrypted traffic; if it is the unencrypted characteristic, the network traffic to be identified is unencrypted traffic.
When the first payload packet is detected, it may be input into a preset traffic identification algorithm in order to determine the traffic characteristic in the first payload packet.
In some embodiments, the first payload packet may be input directly into the preset unencrypted traffic identification algorithm. It should be noted that, because it is not yet known whether the network traffic to be identified is encrypted or unencrypted, the network traffic to be identified may be treated as unencrypted traffic first, and the traffic characteristic determined by the unencrypted traffic identification algorithm.
Network traffic, whether encrypted or unencrypted, is transmitted over TCP or UDP. Therefore, whether the protocol of the network traffic to be identified is TCP or UDP can be determined directly.
When UDP is used, the network traffic to be identified can be determined without doubt to be unencrypted traffic, and the first payload packet does not need to be detected.
When TCP is used, the network traffic to be identified may be encrypted or unencrypted traffic, so the first payload packet may first be input into the TCP application matching algorithm. It should be noted that encrypted and unencrypted characteristics differ in form, and whether a characteristic is encrypted or unencrypted can be determined by analyzing the bytes in the payload packet. Therefore, the first payload packet can be analyzed by the TCP application matching algorithm to determine the characteristic type of the traffic characteristic it contains. When an encrypted characteristic is hit, the network traffic to be identified is determined to be encrypted traffic; when an unencrypted characteristic is hit, the network traffic to be identified is unencrypted traffic.
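The following is an added example (not the patent's own code) of the two steps just described: compiling one matching table per transport protocol from an "application name - traffic characteristic - transport protocol" correspondence, and triaging a flow by its first payload packet, where UDP goes straight to the unencrypted path and TCP is first checked for the TLS handshake record header as its encrypted characteristic. The application names, the characteristic strings and the UDP byte signature in the table are constructed placeholders.

```python
# Added example, not the patent's own code: build one matcher per transport
# protocol from a constructed "application name - traffic characteristic -
# transport protocol" table, then triage the first payload packet of a flow:
# UDP goes straight to the unencrypted path, TCP is checked for the TLS
# handshake record signature (the "encrypted characteristic") first.
from typing import Dict, Optional, Tuple

# Constructed sample table; names and characteristics are placeholders.
APP_TABLE = [
    ("AppA", "app-a.example", "TLS/SSL"),     # encrypted: matched on domain name
    ("AppB", b"\x00\x01BFTP", "UDP"),          # unencrypted: byte signature
    ("AppC", b"Host: app-c.example", "TCP"),   # unencrypted: string in payload
]


def build_matchers(table) -> Dict[str, dict]:
    """Group characteristics by transport protocol; each group is one matching
    table (TLS/SSL, TCP, UDP), as the Fig. 2 step of the description does."""
    matchers: Dict[str, dict] = {}
    for app, characteristic, proto in table:
        matchers.setdefault(proto, {})[characteristic] = app
    return matchers


def looks_like_tls(payload: bytes) -> bool:
    """Encrypted characteristic: a TLS record header, content type 0x16
    (handshake) followed by a 0x03 0x0X protocol version."""
    return (len(payload) >= 5 and payload[0] == 0x16
            and payload[1] == 0x03 and payload[2] <= 0x04)


def traffic_type(transport: str, first_payload: bytes) -> str:
    """UDP is treated as unencrypted without inspecting bytes; TCP is
    classified by the bytes of the first payload packet."""
    if transport == "UDP":
        return "unencrypted"
    return "encrypted" if looks_like_tls(first_payload) else "unencrypted"


def match_unencrypted(first_payload: bytes, matcher: dict) -> Optional[str]:
    """Unencrypted traffic identification: the first characteristic found in
    the first payload packet wins; None means no match."""
    for characteristic, app in matcher.items():
        if isinstance(characteristic, bytes) and characteristic in first_payload:
            return app
    return None


def identify_first_packet(transport: str, first_payload: bytes,
                          matchers: Dict[str, dict]) -> Tuple[str, Optional[str]]:
    """Return (traffic type, application name or None). Encrypted flows are
    handed to the domain-name/certificate path and get None here."""
    kind = traffic_type(transport, first_payload)
    if kind == "encrypted":
        return kind, None
    return kind, match_unencrypted(first_payload, matchers.get(transport, {}))


if __name__ == "__main__":
    m = build_matchers(APP_TABLE)
    print(identify_first_packet("TCP", b"GET / HTTP/1.1\r\nHost: app-c.example\r\n\r\n", m))
    print(identify_first_packet("TCP", bytes.fromhex("160301002a0100"), m))
    print(identify_first_packet("UDP", b"\x00\x01BFTP\x00", m))
```

The TLS check only reads the five-byte record header, which is the point of the triage: an encrypted flow is recognised without scanning the whole payload against every unencrypted signature, and only the unencrypted branch pays for substring matching.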
In some embodiments, when the network traffic to be identified is detected to be encrypted traffic, an identification method for encrypted traffic may further be used to determine the application program corresponding to the network traffic to be identified. The domain name information or certificate information of the network traffic to be identified can be obtained from a payload packet of the network traffic to be identified.
It should be noted that a payload packet may contain neither domain name information nor certificate information, only domain name information, or only certificate information. A payload packet may be a Client Hello message, a Certificate message, or a message of another form. The Client Hello message contains the domain name information of the traffic, and the Certificate message contains the certificate information of the traffic. Therefore, the domain name information or certificate information of the traffic can be acquired from the payload packet.
Specifically, the domain name information or certificate information may be obtained from the first payload packet of the network traffic to be identified. The first payload packet may be detected first, and whether it is a Client Hello message or a Certificate message determined.
When the first payload packet is a Client Hello message, the Client Hello message may be decoded and the domain name information extracted, where the domain name information may include the domain name length, the specific domain name of the application, and the like, for example www.baidu.com.
When the first payload packet is a Certificate message, the Certificate message may be decoded and the certificate information extracted, where the certificate information may include the certificate length, and may also include the certificate issuer, the certificate owner, and the like.
If the domain name information or certificate information can be acquired from the first payload packet, it can be used as the reference for the application matching lookup performed by the preset encrypted traffic identification algorithm. If the domain name information or certificate information is not acquired from the first payload packet, it can be acquired from subsequent payload packets.
Specifically, if the domain name information or certificate information is not obtained from the first payload packet, this may be because the first payload packet is neither a Client Hello message nor a Certificate message, so that no domain name information or certificate information exists in it. In that case, domain name information or certificate information may be acquired from the second payload packet. If the second payload packet has no domain name information or certificate information either, that is, it is neither a Client Hello message nor a Certificate message, acquisition continues from the next payload packet until a preset Nth payload packet, where N may be a threshold set by a technician, such as 6. That is, if the domain name information or certificate information is not acquired, acquisition continues from the next payload packet; if it is still not acquired by the 6th payload packet, no further processing is performed and application identification is not required. Setting a query threshold on the number of payload packets examined for domain name information or certificate information reduces CPU consumption.
In some embodiments, once the domain name information or the certificate information has been obtained, a preset encrypted traffic identification algorithm may be used to obtain the network application name corresponding to the network traffic to be identified from that information.
Specifically, the domain name information or the certificate information may be used as the input parameter of the preset encrypted traffic identification algorithm to obtain a matching result.
Further, the matching result may be analyzed.
If the matching result is a specific network application name, the matching result is determined to be the network application name corresponding to the network traffic to be identified; that is, the matched network application name is the network application name of the traffic. If the matching result is not a specific network application name, the matching result may be a preset prompt indicating that no match was found; in this case no further processing is performed and application identification is not carried out.
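The first-N-packet scan described above, as an added example that is not code from the patent: a Python sketch that decodes the domain name (with its length) from the SNI extension of a Client Hello, decodes the first certificate length from a Certificate message, stops after the Nth load packet, and maps the domain to an application name through an assumed lookup table. APP_BY_DOMAIN, NO_MATCH, N_MAX, build_client_hello and the sample domain are hypothetical stand-ins for the patent's "preset encrypted traffic identification algorithm".

```python
import struct
# Constructed stand-in for the "preset encrypted traffic identification algorithm":
# a suffix match of the SNI domain against known application domains (hypothetical rule).
APP_BY_DOMAIN = {"example-app.test": "ExampleApp"}
NO_MATCH = "unmatched"   # preset prompt returned when no application matches
N_MAX = 6                # query threshold: give up after the Nth load packet

def _tls_handshake(payload: bytes, hs_type: int):  # body of a complete TLS record of hs_type
    if len(payload) < 9 or payload[0] != 0x16 or payload[5] != hs_type:
        return None
    hs_len = int.from_bytes(payload[6:9], "big")
    body = payload[9:9 + hs_len]
    return body if len(body) == hs_len else None      # truncated record: treat as absent

def extract_domain(payload: bytes):
    """Decode a Client Hello; return (domain_length, domain) from its SNI extension."""
    body = _tls_handshake(payload, 0x01)
    if body is None:
        return None
    try:
        p = 2 + 32                                        # client_version + random
        p += 1 + body[p]                                  # session_id
        p += 2 + struct.unpack(">H", body[p:p + 2])[0]    # cipher_suites
        p += 1 + body[p]                                  # compression_methods
        end = p + 2 + struct.unpack(">H", body[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack(">HH", body[p:p + 4])
            p += 4
            if etype == 0x0000:                           # server_name extension
                name_len = struct.unpack(">H", body[p + 3:p + 5])[0]
                name = body[p + 5:p + 5 + name_len]
                if len(name) == name_len:                 # a lying length field falls through
                    return name_len, name.decode("ascii", "replace")
            p += elen
    except (IndexError, struct.error):
        return None                                       # malformed packet: no domain
    return None

def extract_cert_len(payload: bytes):
    """Decode a Certificate message; return the length of its first certificate."""
    body = _tls_handshake(payload, 0x0b)
    if body is None or len(body) < 6:
        return None
    return int.from_bytes(body[3:6], "big")              # after the 3-byte list length

def identify_encrypted_flow(packets, table=APP_BY_DOMAIN, n_max=N_MAX):
    """Scan up to n_max load packets; return app name, NO_MATCH, or None if none carried info."""
    for payload in packets[:n_max]:
        found = extract_domain(payload)
        if found:
            return next((app for dom, app in table.items()
                         if found[1] == dom or found[1].endswith("." + dom)), NO_MATCH)
        if extract_cert_len(payload) is not None:
            return NO_MATCH                               # certificate seen, no rule matches it
    return None                                           # Nth packet reached: stop processing

def build_client_hello(server_name: bytes) -> bytes:
    """Constructed minimal Client Hello carrying an SNI extension (sample input only)."""
    entry = b"\x00" + struct.pack(">H", len(server_name)) + server_name
    sni = struct.pack(">HHH", 0x0000, len(entry) + 2, len(entry)) + entry
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack(">H", len(sni)) + sni)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs
```

A truncated or non-handshake record yields no information rather than an exception, so one malformed packet never stalls the classifier; the scan simply moves on to the next load packet.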
In some embodiments, when it is detected that the network traffic to be identified is non-encrypted traffic, the first load packet may be identified based on a preset non-encrypted traffic identification algorithm to obtain the network application name corresponding to the network traffic to be identified.
That is, the first load packet is used directly as the input parameter of the non-encrypted traffic identification algorithm, application matching is performed, and the corresponding network application name is obtained.
An embodiment of the present application further provides a network application identification apparatus, as shown in fig. 3, including:
the traffic acquiring module 10, configured to acquire network traffic to be identified, where the network traffic to be identified includes a plurality of load packets;
the traffic type determining module 20, configured to detect the load packets of the network traffic to be identified and determine the traffic type of the network traffic to be identified;
the information obtaining module 30, configured to, when it is detected that the network traffic to be identified is encrypted traffic, obtain domain name information or certificate information of the network traffic to be identified according to a load packet of the network traffic to be identified; and
the identification module 40, configured to acquire the network application name corresponding to the network traffic to be identified according to the domain name information or the certificate information by using a preset encrypted traffic identification algorithm.
Embodiments of the present application further provide a computer storage medium, where the computer storage medium may store a program, and the program may perform some or all of the steps in the embodiments of the network application identification method provided in the embodiments of the present application. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM) or a Random Access Memory (RAM).
Since the embodiments above are described with reference to one another, the same or similar portions shared by different embodiments may be referred to across embodiments and are not described again here.
Those skilled in the art will readily appreciate that the techniques of the embodiments of the present invention may be implemented as software plus a required general purpose hardware platform. Based on such understanding, the technical solutions in the embodiments of the present invention may be essentially or partially implemented in the form of software products, which may be stored in a storage medium, such as ROM/RAM, magnetic disk, optical disk, etc., and include instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method in the embodiments or some parts of the embodiments of the present invention.
Finally, it should be noted that: the above embodiments are only used for illustrating the technical solutions of the present application, and not for limiting the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present application.
The foregoing description, for purposes of explanation, has been presented in conjunction with specific embodiments. However, the illustrative discussions above are not intended to be exhaustive or to limit the embodiments to the precise forms disclosed above. Many modifications and variations are possible in light of the above teaching. The embodiments were chosen and described in order to best explain the principles and the practical application, to thereby enable others skilled in the art to best utilize the embodiments and various embodiments with various modifications as are suited to the particular use contemplated. This application is intended to cover any variations, uses, or adaptations of the invention following, in general, the principles of the application and including such departures from the present disclosure as come within known or customary practice within the art to which the invention pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the application being indicated by the following claims. The above-described embodiments of the present application do not limit the scope of the present application.

Claims (10)

1. A method for identifying a network application, the method comprising:
acquiring network traffic to be identified, wherein the network traffic to be identified comprises a plurality of load packets;
detecting the load packet of the network traffic to be identified, and determining the traffic type of the network traffic to be identified;
when the network traffic to be identified is detected to be encrypted traffic, acquiring domain name information or certificate information of the network traffic to be identified according to a load packet of the network traffic to be identified;
and acquiring the network application name corresponding to the network traffic to be identified according to the domain name information or the certificate information by using a preset encrypted traffic identification algorithm.
2. The method for identifying network applications according to claim 1, wherein detecting the load packets of the network traffic to be identified comprises:
inputting a first load packet of the network traffic to be identified into a preset traffic identification algorithm, and determining the characteristic type of the traffic characteristics in the first load packet; if the characteristic type of the traffic characteristics is an encrypted characteristic, the network traffic to be identified is encrypted traffic; and if the characteristic type of the traffic characteristics is a non-encrypted characteristic, the network traffic to be identified is non-encrypted traffic.
3. The method according to claim 1, wherein obtaining domain name information or certificate information of the network traffic to be identified according to the load packet of the network traffic to be identified comprises:
detecting the first load packet of the network traffic to be identified;
when the first load packet is a Client Hello message, decoding the Client Hello message and extracting domain name information, wherein the domain name information comprises domain name length;
and when the first load packet is a Certificate message, decoding the Certificate message and extracting Certificate information, wherein the Certificate information comprises the Certificate length.
4. The method according to claim 3, wherein if domain name information or certificate information is obtained according to the first load packet, the step of obtaining the network application name corresponding to the network traffic to be identified is performed;
if the domain name information or the certificate information is not obtained according to the first load packet, obtaining the domain name information or the certificate information of the network traffic to be identified according to a second load packet, and obtaining a network application name according to the domain name information or the certificate information of the network traffic to be identified;
and if the domain name information or the certificate information of the network traffic to be identified is not obtained according to the second load packet, continuing to obtain the domain name information or the certificate information of the network traffic to be identified according to the next load packet until reaching a preset Nth load packet.
5. The network application identification method of claim 2, wherein, before inputting the first load packet into the preset traffic identification algorithm, the method comprises:
detecting a transmission protocol of the first load packet;
if the transmission protocol of the first load packet is UDP, determining that the network traffic to be identified is non-encrypted traffic; and if the transmission protocol of the first load packet is TCP, inputting the first load packet into the preset traffic identification algorithm.
6. The network application identification method of claim 1,
and when the network traffic to be identified is detected to be non-encrypted traffic, identifying the first load packet based on a preset non-encrypted traffic identification algorithm to obtain a network application name corresponding to the network traffic to be identified.
7. The method for identifying the network application according to claim 1, wherein obtaining the network application name corresponding to the network traffic to be identified according to the domain name information or the certificate information by using a preset encrypted traffic identification algorithm comprises:
inputting the domain name information or the certificate information into a preset encryption flow identification algorithm to obtain a matching result;
if the matching result is the network application name, determining the matching result as the network application name corresponding to the network traffic to be identified; and if the matching result is not the network application name, not processing.
8. The network application identification method of claim 6,
counting a first corresponding relation between a network application name and a flow characteristic of an encrypted flow network application in advance, and generating a preset encrypted flow identification algorithm according to the first corresponding relation;
and counting a second corresponding relation between the network application name and the traffic characteristics of a non-encrypted traffic network application in advance, and generating the preset non-encrypted traffic identification algorithm according to the second corresponding relation.
9. A network application identification apparatus, comprising:
the traffic acquisition module is configured to acquire network traffic to be identified, and the network traffic to be identified comprises a plurality of load packets;
the traffic type determination module is configured to detect a load packet of the network traffic to be identified and determine a traffic type of the network traffic to be identified;
the information acquisition module is configured to acquire domain name information or certificate information of the network traffic to be identified according to a load packet of the network traffic to be identified when the network traffic to be identified is detected to be encrypted traffic;
and the identification module is configured to acquire the network application name corresponding to the network traffic to be identified according to the domain name information or the certificate information by using a preset encrypted traffic identification algorithm.
10. The device of claim 9, wherein the traffic type determination module is configured to:
inputting a first load packet of the network traffic to be identified into a preset traffic identification algorithm, and determining the characteristic type of the traffic characteristics in the first load packet; if the characteristic type of the traffic characteristics is an encrypted characteristic, the network traffic to be identified is encrypted traffic; and if the characteristic type of the traffic characteristics is a non-encrypted characteristic, the network traffic to be identified is non-encrypted traffic.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111598440.8A CN114338126A (en) 2021-12-24 2021-12-24 Network application identification method and device

Publications (1)

Publication Number Publication Date
CN114338126A true CN114338126A (en) 2022-04-12

Family

ID=81012242

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination