CN114726564A - Security detection method, security detection device, electronic apparatus, and medium - Google Patents
- Publication number: CN114726564A
- Application number: CN202110003804.7A
- Authority: CN (China)
- Prior art keywords: transmission request; request; data; target transmission; security detection
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1433—Vulnerability analysis
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The embodiment of the disclosure provides a security detection method, a security detection device, an electronic device and a computer readable medium, and relates to the technical field of network communication. The method comprises the following steps: performing splitting processing on the traffic between the client and the server, acquiring a transmission request sent by the client, and determining the protocol type of the transmission request; extracting a target transmission request with a protocol type of HTTP2, determining whether the target transmission request contains an end mark, and acquiring request data from the transmission request when the target transmission request contains the end mark; recombining the target transmission request and the request data to convert the target transmission request into a to-be-detected request with a protocol type of HTTP1; and jointly performing security detection on the to-be-detected requests through the security detection rule of HTTP1 to determine the security detection result of the client. In the embodiment of the disclosure, security detection can still be performed on the transmission request when the protocol type is HTTP2, and security vulnerabilities are repaired, thereby improving security.
Description
Technical Field
The present disclosure relates to the field of network communications, and in particular, to a security detection method, a security detection apparatus, an electronic device, and a computer-readable medium.
Background
Because HTTP1 has characteristics such as high latency, stateless connections and plaintext transmission, communication based on the HTTP1 protocol suffers from slow page loading, excessive header overhead and insecurity. To overcome these problems, HTTP2 divides request and response data into smaller frames that are transmitted in binary form, and compresses the header, which greatly improves data transmission performance.
Currently, security detection in application firewalls mainly targets HTTP1 and can only inspect a single packet, such as a request packet or a response packet. Because the HTTP2 protocol divides one HTTP request into multiple streams for distribution, detection can be bypassed by exploiting this HTTP2 characteristic, which poses a large potential safety hazard.
It is to be noted that the information disclosed in the above background section is only for enhancement of understanding of the background of the present disclosure, and thus may include information that does not constitute prior art known to those of ordinary skill in the art.
Disclosure of Invention
An object of the embodiments of the present disclosure is to provide a security detection method, a security detection apparatus, an electronic device, and a computer readable medium, which can still support security detection under the condition of the HTTP2 protocol type, thereby avoiding security holes and improving the security of network communication.
Additional features and advantages of the disclosure will be set forth in the detailed description which follows, or in part will be obvious from the description, or may be learned by practice of the disclosure.
According to a first aspect of the embodiments of the present disclosure, there is provided a security detection method, including: performing splitting processing on the traffic between a client and a server to obtain a transmission request sent by the client and determine the protocol type of the transmission request; extracting a target transmission request with a protocol type of HTTP2 from the transmission request, determining whether the target transmission request contains an end mark, and acquiring request data from the transmission request when the target transmission request contains the end mark; recombining the target transmission request and the request data to convert the target transmission request into a to-be-detected request with a protocol type of HTTP1; and performing security detection on the request to be detected through a security detection rule of HTTP1 to determine a security detection result of the client.
In an exemplary embodiment of the present disclosure, determining the protocol type of the transmission request includes: when the transmission request is encrypted, obtaining a key file of the transmission request; and decrypting the transmission request with the key file to determine the protocol type.
In an exemplary embodiment of the present disclosure, before recombining the target transmission request, the method further includes: decompressing the header data of the target transmission request to obtain the header data of the request to be detected.
In an exemplary embodiment of the present disclosure, decompressing header data of the target transmission request includes: acquiring an index table related to a compression rule of HTTP2; and determining each field corresponding to the header data of the target transmission request through the index table so as to obtain the header data of the request to be detected.
In an exemplary embodiment of the present disclosure, the target transmission request includes a plurality of frames; recombining the target transmission request and the request data to convert the target transmission request into a to-be-detected request with a protocol type of HTTP1 includes: when the target transmission request contains an end mark, acquiring, from the transmission request, request data having the same stream identification as the target transmission request; and combining the frames contained in each transmission request in the request data and the frames contained in the target transmission request according to the data types corresponding to the frames to obtain the request to be detected.
In an exemplary embodiment of the present disclosure, further comprising: when the target transmission request does not contain an end mark, waiting for the client to send other transmission requests with the same stream identification as the target transmission request, and recording the waiting time; and when the waiting time exceeds a preset time limit, discarding the target transmission request.
In an exemplary embodiment of the present disclosure, before recombining the target transmission request and the request data, the method further includes: calculating the byte number of each frame with the data type as entity data in the request data and the target transmission request; and when the byte number of the frame with the data type of entity data is a preset value, discarding the request data and the target transmission request.
According to a second aspect of the embodiments of the present disclosure, there is provided a security detection apparatus, which may include a message receiving module, a request data obtaining module, a data conversion module, and a security detection module.
The message receiving module is used for performing splitting processing on the traffic between the client and the server so as to obtain a transmission request sent by the client and determine the protocol type of the transmission request.
A request data obtaining module, configured to extract a target transmission request with a protocol type of HTTP2 from the transmission request, determine whether the target transmission request includes an end flag, and obtain request data from the transmission request when the target transmission request includes the end flag.
And the data conversion module is used for recombining the target transmission request and the request data so as to convert the target transmission request into a request to be detected with a protocol type of HTTP1.
And the security detection module is used for performing security detection on the request to be detected through a security detection rule of HTTP1 to determine a security detection result of the client.
In an exemplary embodiment of the present disclosure, the security detection apparatus may further include a data decryption module. The data decryption module may be configured to: when the transmission request is encrypted, obtain a key file of the transmission request; and decrypt the transmission request with the key file to determine the protocol type.
In an exemplary embodiment of the present disclosure, the security detection apparatus further includes a data decompression module. The data decompression module may be configured to: decompress the header data of the target transmission request to obtain the header data of the request to be detected.
In an exemplary embodiment of the present disclosure, the data decompression module specifically includes an index table obtaining unit and a field determining unit.
The index table acquiring unit is used for acquiring an index table associated with the compression rule of the HTTP2.
And the field determining unit is used for determining each field corresponding to the header data of the target transmission request through the index table so as to obtain the header data of the request to be detected.
In an exemplary embodiment of the present disclosure, the target transmission request includes a plurality of frames; the data conversion module specifically comprises an end mark detection unit and a data frame combination unit.
The end mark detection unit is used for acquiring, from the transmission request, the request data having the same stream identification as the target transmission request when the target transmission request comprises an end mark.
And the data frame combination unit is used for combining the frames contained in each transmission request in the request data and the frames contained in the target transmission request according to the data types corresponding to the frames to obtain the request to be detected.
In an exemplary embodiment of the present disclosure, the apparatus further includes a timeout detecting module, and a data discarding module.
And the timeout detection module is used for waiting for the client to send other transmission requests with the same stream identification as the target transmission request when the target transmission request does not contain an end mark, and recording the waiting time.
And the data discarding module is used for discarding the target transmission request when the waiting time exceeds a preset time limit.
In an exemplary embodiment of the present disclosure, the security detection apparatus further includes a byte count detection module and a request discard module.
The byte number detection module is used for calculating the byte number of the frame of which each data type is entity data in the request data and the target transmission request.
And the request discarding module is used for discarding the request data and the target transmission request when the number of bytes of a frame whose data type is entity data is a preset value.
According to a third aspect of the embodiments of the present disclosure, there is provided an electronic apparatus including: one or more processors; storage means for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the security detection method as described in the first aspect of the embodiments above.
According to a fourth aspect of embodiments of the present disclosure, there is provided a computer-readable medium, on which a computer program is stored, which when executed by a processor, implements the security detection method as described in the first aspect of the embodiments above.
According to the security detection method, the security detection device, the electronic equipment and the computer readable medium provided by the embodiment of the disclosure, the protocol type of the transmission request is determined, the target transmission request with the protocol type of HTTP2 is recombined and converted into the transmission request of HTTP1 for security detection, so that the security vulnerability bypassing the security detection by using HTTP2 communication can be eliminated, and the security of network transmission is improved. Moreover, the security detection rule of the HTTP1 can be used for detecting the HTTP2, extra development cost is not needed, cost can be saved, and efficiency can be improved.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure. It is to be understood that the drawings in the following description are merely exemplary of the disclosure, and that other drawings may be derived from those drawings by one of ordinary skill in the art without the exercise of inventive faculty. In the drawings:
FIG. 1 schematically illustrates an exemplary system architecture diagram of a security detection method applied to an embodiment of the present disclosure;
FIG. 2 schematically illustrates a flow diagram of a security detection method according to an embodiment of the present disclosure;
FIG. 3 schematically illustrates a flow diagram of a security detection method according to another embodiment of the present disclosure;
FIG. 4 schematically illustrates a flow diagram of a security detection method according to an embodiment of the present disclosure;
FIG. 5 schematically illustrates a flow diagram of a security detection method in accordance with another embodiment of the present disclosure;
FIG. 6 schematically illustrates an application scenario of the security detection method according to an embodiment of the present disclosure;
FIG. 7 schematically illustrates a block diagram of a security detection apparatus according to an embodiment of the present disclosure;
FIG. 8 illustrates a schematic structural diagram of a computer system suitable for use with the electronic device implementing an embodiment of the present disclosure.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art.
Furthermore, the described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the disclosure. One skilled in the relevant art will recognize, however, that the subject matter of the present disclosure can be practiced without one or more of the specific details, or with other methods, components, devices, steps, and so forth. In other instances, well-known methods, devices, implementations, or operations have not been shown or described in detail to avoid obscuring aspects of the disclosure.
The block diagrams shown in the figures are functional entities only and do not necessarily correspond to physically separate entities. I.e. these functional entities may be implemented in the form of software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor means and/or microcontroller means.
The flow charts shown in the drawings are merely illustrative and do not necessarily include all of the contents and operations/steps, nor do they necessarily have to be performed in the order described. For example, some operations/steps may be decomposed, and some operations/steps may be combined or partially combined, so that the actual execution sequence may be changed according to the actual situation.
In this specification, the terms "a", "an", "the", "said" and "at least one" are used to indicate the presence of one or more elements/components/etc.; the terms "comprising," "including," and "having" are intended to be inclusive and mean that there may be additional elements/components/etc. other than the listed elements/components/etc.; the terms "first," "second," "third," and the like are used merely as labels, and are not limiting as to the number of objects.
The following detailed description of exemplary embodiments of the disclosure refers to the accompanying drawings.
Fig. 1 is a schematic diagram illustrating a system architecture of an exemplary application environment to which a security detection method or a security detection apparatus according to an embodiment of the present disclosure can be applied.
As shown in fig. 1, system architecture 100 may include one or more of terminal devices 101, 102, 103, network 104, switch 105, security device 106, server 107.
The network 104 is used to provide a medium for communication links between the terminal devices 101, 102, 103 and the security device 106, server 107. Network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, to name a few.
Various client applications, such as a web browser application, a search-type application, an instant messaging tool, a mailbox client, social platform software, etc., may be installed on the terminal devices 101, 102, 103. The user may use the terminal devices 101, 102, 103 to interact with the server 107 via the network 104 to receive or send messages or the like. The terminal devices 101, 102, 103 may be various electronic devices having a display screen and supporting web browsing, including but not limited to desktop computers, portable computers, smart phones and tablets, wearable devices, virtual reality devices, smart homes, and so on.
The server 107 may be a server that provides various services, such as a background management server that provides support for devices operated by users using the terminal apparatuses 101, 102, 103. The background management server can analyze and process the received data such as the request and feed back the processing result to the terminal equipment.
The switch 105 is a device that performs information exchange, and is capable of performing information transfer between the terminal devices 101, 102, 103 and the security device 106, and providing information transfer between the server 107 and the security device 106. Switch 105 may distribute traffic between the end devices and the servers onto security device 106 to facilitate security detection of the traffic by security device 106.
The security device 106 may be an apparatus or an electronic device that executes the security detection method provided by the embodiment of the present disclosure, and an application program corresponding to the security detection method may be installed on the apparatus or the electronic device. For example, the security device 106 may receive a current transmission request sent by a client, determine a protocol type of the current transmission request, further obtain a target transmission request with a protocol type of HTTP2, obtain request data from the transmission request when the target transmission request includes an end flag, recombine the request data and the target transmission request, convert the target transmission request into a to-be-detected request with a protocol type of HTTP1, and perform security detection on all received transmission requests by using a security detection rule of HTTP1, thereby obtaining a security detection result.
It should be understood that the number of terminal devices, networks, and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation. For example, server 105 may be a server cluster comprised of multiple servers, or the like.
The method provided by the embodiment of the present disclosure may be executed by the security device 106, and accordingly, the security detection apparatus may also be disposed in the security device 106. However, it is easily understood by those skilled in the art that the method provided in the embodiment of the present disclosure may also be executed by a server corresponding to the security device, and accordingly, the security detection apparatus may also be disposed in the corresponding server, which is not particularly limited in the exemplary embodiment.
Based on this, the embodiments of the present disclosure provide a technical solution of a security detection method, which may uniformly perform security detection on an HTTP1 protocol type and an HTTP2 protocol type by using a security detection rule of HTTP1, repair a security vulnerability, and improve security of network communication.
It should be understood that HTTP (hypertext transfer protocol) is an application layer protocol in the world wide web, and information interaction is performed between a client and a server in the form of requests and responses. The specification in the HTTP protocol defines a plurality of request methods, each of which specifies a different information exchange manner, such as a GET method, a POST method, and the like, and the server completes a corresponding operation according to a request from the client and responds a result to the client.
HTTP1 and HTTP2 in the embodiments of the present disclosure refer to version types of HTTP. HTTP1 refers to versions prior to HTTP2.0 and may include, for example, HTTP1.0, HTTP1.1, etc.; HTTP2 refers to HTTP version 2.0, which may also be referred to as h2 or h2c.
As shown in fig. 2, the security detection method provided by the embodiment of the present disclosure may include step S21, step S22, step S23, and step S24.
In step S21, splitting processing is performed on the traffic between the client and the server to obtain a transmission request sent by the client, and the protocol type of the transmission request is determined.
The traffic refers to the access amount of the client to the server, and may be understood as the number of users of the website or the number of pages accessed by the user. When a user (client) accesses a website or a webpage, a request needs to be sent to a server, and after receiving the request, the server sends data requested by the client to the client in a response mode. That is, data is transmitted between the client and the server in the form of HTTP requests. In this embodiment, the transfer request refers to an HTTP request that the client sends to the server. The split processing may refer to copying the traffic, that is, when a user accesses a web page, copying the access of the user, so as to perform security detection through copied data, thereby avoiding affecting the normal access of the user.
Due to the large number of clients, different clients may use different protocol types to communicate with the server, and therefore the transmission request may include information of the HTTP1 protocol and may also include information of the HTTP2 protocol. Generally, a client establishes one connection with a server to send a plurality of transmission requests to a server, and the requests sent by the client to the server can be copied to a security device through a switch, an optical splitter and other devices. After receiving the plurality of transmission requests, the transmission requests can be stored in the security device according to the receiving sequence, so that the security device can conveniently perform security detection on the transmission requests.
After the security device receives the transmission request, the type of protocol it employs may be determined from the header data of the transmission request. The header data of the transmission request may include a protocol type field. By performing character matching on the header data, if the header data includes identification characters corresponding to the HTTP1 protocol type, the protocol type of the transmission request is HTTP1, and if the header data includes identification characters corresponding to the HTTP2 protocol type, the protocol type of the transmission request is HTTP2. For example, if the header data of the transmission request includes fields such as "HTTP/1.1", "HTTP/1.0", etc., the protocol type of the transmission request is HTTP1, and if the header data of the transmission request includes fields such as "HTTP/2.0" or "h2", the protocol type of the transmission request is HTTP2.
In an exemplary embodiment, when a transmission request is encrypted, a key file of the transmission request is obtained; the transmission request is decrypted through the key file, so that the protocol type of the decrypted transmission request can be determined.
The client may send requests in encrypted form; if the transmission request is encrypted, the protocol type can be determined only after the transmission request is decrypted. After encryption, the header data may include a character string characteristic of the encryption method used, and whether the header data of the transmission request is encrypted may be determined according to whether a corresponding character string exists. For example, when it is detected that the header of the transmission request contains a string corresponding to TLS (Transport Layer Security) encryption, for example "CDHE_RSA_WITH_AES_128_CBC_SHA256", it may be determined that the transmission request is encrypted. When TLS encryption is detected, the TLS key file may be obtained from the server, for example by pulling the "ssl-key" file on the server; the key file may be used to record the key used for encryption. After the key file is obtained, the transmission request can be decrypted using the key file, and the protocol type is then determined from the decrypted transmission request.
After the protocol type of the transmission request is determined, the connection session corresponding to the transmission request may be cached according to the protocol type, and a cache list is generated. The corresponding protocol type can be directly determined according to the cache list when other transmission requests are received next time. For example, a cache list may be generated for each of HTTP1 and HTTP2, after receiving a transmission request, it may be determined whether a session corresponding to the transmission request is in the cache list, if the session of the transmission request is in the cache list corresponding to HTTP1, the protocol type of the transmission request is HTTP1, and if the transmission request is not included in any cache list, it may be determined that the transmission request is a new session, the protocol type of the transmission request is determined according to header data of the transmission request, and the session is stored in the corresponding cache list according to the determined protocol type.
In step S22, a target transfer request with a protocol type of HTTP2 is extracted from the transfer request, it is determined whether the target transfer request includes an end flag, and request data is obtained from the transfer request when the end flag is included in the target transfer request.
After the protocol type of the transmission request is determined, the transmission requests may be classified according to the protocol type, and the transmission requests with the same protocol type are classified into the same class. For example, the transmission requests with the protocol type of HTTP1 are classified into class A, and the transmission requests with the protocol type of HTTP2 are classified into class B, so that class B may be extracted as the target transmission requests. Since there is currently no security detection for the features of HTTP2, malicious requests that bypass security detection using the HTTP2 features are not effectively identified. Therefore, the target transmission request of HTTP2 is converted into a to-be-detected request with a protocol type of HTTP1.
The HTTP2 protocol divides a connection into several streams, on each of which one or more messages can be transmitted, each message consisting of one or more binary frames. A stream refers to a bi-directional byte stream over an established TCP connection between a client and a server, and each stream has a unique integer ID, i.e., a stream identification. The message may be a request, a response, etc. in HTTP2. A frame is the smallest unit of HTTP2 data traffic. The client and the server can decompose the data into independent frames, the frames can be sent out of order, and the frames sent on the same stream share the same stream identification.
A complete request from a client may be sent as multiple target transmission requests, each target transmission request may include multiple frames, and an end flag, such as an "end stream" character, may be added to a frame when transmission of all data included in the request ends. The end mark may include a number, a character, and the like, and this embodiment is not limited thereto. Whether the data transmission of the stream is finished can be determined by detecting whether the current target transmission request includes an end mark. If the current target transmission request does not include the end mark, the target transmission request can be stored, and the security device continues to wait for the client to send the next transmission request until a target transmission request including the end mark is received, at which point the complete data of one stream, i.e., the request data, can be obtained. If the currently received target transmission request contains the end mark, other previously stored transmission requests having the same stream identification as the target transmission request are acquired, thereby obtaining the request data.
In step S23, the target transmission request and the request data are recombined to convert the target transmission request into a to-be-detected request with a protocol type of HTTP1.
If the target transmission request is a message of the HTTP2 protocol type, other transmission requests belonging to the same stream as the target transmission request can be obtained through the stream identifier of the target transmission request, and the request data is obtained. Specifically, the method may include step S31 and step S32, as shown in fig. 3. In step S31, when the end flag is included in the target transmission request, request data identical to the flow identification of the target transmission request is acquired from the transmission request. In step S32, the frames included in each transmission request in the request data and the frames included in the target transmission request are combined according to the data type corresponding to the frames to obtain the request to be detected.
When the client sends the request by using the protocol type of HTTP2, a complete request may be divided into multiple target transmission requests to be sent, and the request data identical to the stream identifier of the target transmission request may be extracted from the transmission request according to the stream identifier of the target transmission request. For example, if the stream identifier of the target transmission request is 1, the transmission request with the stream identifier of 1 may be extracted from all the transmission requests sent by the client as the request data. The transmission request included in the request data is the same as the target transmission request, and the protocol type is HTTP2. The target transmission request may include a plurality of frames, and the frames may be divided into two types, i.e., header data and entity data. After all data of the same stream are obtained, the header data and the entity data of the request can be completely combined according to the data type of each frame. For example, if the target transmission request includes a frame of type "HEADER", the frame is a HEADER data frame, and all frames of type "HEADER" in the request data are combined with the frame to obtain complete HEADER data as HEADER data of the request to be detected; similarly, combining frames of type "DATA" together can result in the entity DATA to be detected for the request. After the combination is completed, the header data and the entity data of the request to be detected can be determined, namely the complete request to be detected with the protocol type of HTTP1 is obtained.
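The per-stream collection and frame combination of steps S31 and S32, as an added Python example that is not part of the patent text. The names `parse_frames`, `fragment` and `StreamReassembler` are hypothetical, the capture in `SEGMENTS` is constructed, and the header blocks are kept as opaque bytes because HPACK decoding is a separate step.

```python
from collections import namedtuple

# Frame types and flags of the HTTP/2 framing layer (RFC 9113).
DATA, HEADERS, CONTINUATION = 0x0, 0x1, 0x9
END_STREAM, END_HEADERS, PADDED, PRIORITY = 0x01, 0x04, 0x08, 0x20

Frame = namedtuple("Frame", "type flags stream_id payload")


def build_frame(ftype, flags, stream_id, payload):
    """Serialize one frame (used only to construct the sample capture)."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + stream_id.to_bytes(4, "big") + payload)


def parse_frames(buf):
    """Split buf into complete frames; return (frames, unconsumed tail)."""
    frames, off = [], 0
    while off + 9 <= len(buf):
        length = int.from_bytes(buf[off:off + 3], "big")
        if off + 9 + length > len(buf):
            break  # the frame continues in the next captured segment
        stream_id = int.from_bytes(buf[off + 5:off + 9], "big") & 0x7FFFFFFF
        frames.append(Frame(buf[off + 3], buf[off + 4], stream_id,
                            buf[off + 9:off + 9 + length]))
        off += 9 + length
    return frames, buf[off:]


def fragment(frame):
    """Return the frame's useful bytes without padding or priority fields."""
    body, pad = frame.payload, 0
    if frame.flags & PADDED and frame.type in (DATA, HEADERS):
        if not body:
            raise ValueError("PADDED frame without a pad-length octet")
        pad, body = body[0], body[1:]
    if frame.type == HEADERS and frame.flags & PRIORITY:
        body = body[5:]  # stream dependency (4 octets) + weight (1 octet)
    if pad > len(body):
        raise ValueError("padding exceeds frame payload")
    return body[:len(body) - pad]


class StreamReassembler:
    """Collects frames per stream identifier until the end flag arrives."""

    def __init__(self):
        self.tail = b""     # bytes of a frame split across segments
        self.streams = {}   # stream identifier -> partial request

    def feed(self, segment):
        """Consume one captured segment; return the streams it completed."""
        frames, self.tail = parse_frames(self.tail + segment)
        done = []
        for f in frames:
            if f.stream_id == 0 or f.type not in (DATA, HEADERS, CONTINUATION):
                continue  # connection-level or control frame
            st = self.streams.setdefault(
                f.stream_id,
                {"head": b"", "body": b"", "ended": False, "open": False})
            if f.type == DATA:
                st["body"] += fragment(f)
            else:
                st["head"] += fragment(f)
                st["open"] = not (f.flags & END_HEADERS)
            if f.type != CONTINUATION and f.flags & END_STREAM:
                st["ended"] = True
            # A stream is complete once END_STREAM was seen and the header
            # block is closed (END_HEADERS may arrive on a CONTINUATION).
            if st["ended"] and not st["open"]:
                del self.streams[f.stream_id]
                done.append((f.stream_id, st["head"], st["body"]))
        return done


# Constructed capture: stream 1 is a request with a body spread over three
# segments, stream 3 is a body-less request finished in the first segment.
SEGMENTS = [
    build_frame(HEADERS, 0, 1, b"<hdr-1a>")
    + build_frame(CONTINUATION, END_HEADERS, 1, b"<hdr-1b>")
    + build_frame(HEADERS, END_HEADERS | END_STREAM, 3, b"<hdr-3>"),
    build_frame(DATA, 0, 1, b"user=ad"),
    build_frame(DATA, PADDED | END_STREAM, 1, b"\x02min\x00\x00"),
]


def demo_reassembly():
    """Feed the constructed segments in order; one result list per segment."""
    reassembler = StreamReassembler()
    return [reassembler.feed(segment) for segment in SEGMENTS]


if __name__ == "__main__":
    for completed in demo_reassembly():
        print(completed)
```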
The HTTP1 request header contains many duplicated fields, which not only consumes bandwidth but also increases latency as the number of requests increases; HTTP2 therefore applies compression coding to the header to improve the transmission rate. For example, an HTTP2 type request may perform HPACK compression on header data, where the compressed data is scrambled and cannot be subjected to security detection or other processing. Header data in a target transmission request of protocol type HTTP2 may therefore be decompressed prior to reassembly. Specifically, when the protocol type of the target transmission request is HTTP2, the header data of the target transmission request is decompressed, and the decompressed header data is used as the header data of the request to be detected, so that security detection can be performed on the request to be detected.
Specifically, during decompression, an index table associated with the compression rule of HTTP2 may be obtained first; each field corresponding to the header data of the target transmission request is then determined through the index table to obtain the decompressed header data. The target transmission request may include a plurality of frames, each of which may have a different data type, and the data types may be classified into header data "HEADER" and entity data "DATA". Depending on the data type of the respective frame, header data may be extracted from the target transmission request, the header data referring to one or more frames of data type "HEADER".
The compression rules are exemplified by the HPACK algorithm. In the HPACK, the client and the server can jointly maintain a static table and a dynamic table, wherein a plurality of fields are stored in the table in the form of key value pairs. Static fields may be included in the static table, and HTTP2 defines 61 fixed static fields. The dynamic table may be used to store fields that are dynamically added by the client or server. Through the static table and the dynamic table, each character in the header data of the target transmission request can be indexed to a field in the table to obtain a readable character string corresponding to the character. The header data may include a plurality of characters, and after each character is converted one by one into a character string in the table, the obtained character string may be used as decompressed header data. For example, if the index value is 2, and the static table is looked up, the corresponding field is method: GET.
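The index-table lookup described above, as an added Python example that is not part of the patent text: an HPACK decoder for indexed and literal fields that keeps the dynamic table across header blocks and renders the result as an HTTP/1.1 request head. The class and function names are hypothetical, Huffman-coded strings are deliberately not handled, and the two sample header blocks are the published examples from RFC 7541 Appendix C.3.

```python
# Static table from RFC 7541 Appendix A (61 entries, index 1 first).
STATIC = [(":authority", ""), (":method", "GET"), (":method", "POST"),
          (":path", "/"), (":path", "/index.html"), (":scheme", "http"),
          (":scheme", "https"), (":status", "200"), (":status", "204"),
          (":status", "206"), (":status", "304"), (":status", "400"),
          (":status", "404"), (":status", "500")]
STATIC += [(n, "gzip, deflate" if n == "accept-encoding" else "") for n in (
    "accept-charset accept-encoding accept-language accept-ranges accept "
    "access-control-allow-origin age allow authorization cache-control "
    "content-disposition content-encoding content-language content-length "
    "content-location content-range content-type cookie date etag expect "
    "expires from host if-match if-modified-since if-none-match if-range "
    "if-unmodified-since last-modified link location max-forwards "
    "proxy-authenticate proxy-authorization range referer refresh retry-after "
    "server set-cookie strict-transport-security transfer-encoding user-agent "
    "vary via www-authenticate").split()]

# Header blocks of two requests on one connection (RFC 7541 C.3.1 and C.3.2).
BLOCK_1 = bytes.fromhex("828684410f7777772e6578616d706c652e636f6d")
BLOCK_2 = bytes.fromhex("828684be58086e6f2d6361636865")


def decode_int(buf, pos, prefix_bits):
    """Decode an HPACK prefix-coded integer; return (value, next position)."""
    if pos >= len(buf):
        raise ValueError("truncated header block")
    mask = (1 << prefix_bits) - 1
    value, pos, shift = buf[pos] & mask, pos + 1, 0
    if value < mask:
        return value, pos
    while True:
        if pos >= len(buf) or shift > 28:
            raise ValueError("malformed HPACK integer")
        byte = buf[pos]
        value += (byte & 0x7F) << shift
        pos, shift = pos + 1, shift + 7
        if not (byte & 0x80):
            return value, pos


def decode_str(buf, pos):
    """Decode a raw (non-Huffman) string literal."""
    start = pos
    length, pos = decode_int(buf, pos, 7)
    if buf[start] & 0x80:
        raise NotImplementedError("Huffman-coded string (not handled here)")
    if pos + length > len(buf):
        raise ValueError("string literal runs past the header block")
    return buf[pos:pos + length].decode("latin-1"), pos + length


class HpackDecoder:
    """One instance per connection and direction: the dynamic table persists."""

    def __init__(self, max_size=4096):
        self.dynamic, self.max_size = [], max_size  # newest entry first

    def _lookup(self, index):
        if 1 <= index <= len(STATIC):
            return STATIC[index - 1]
        slot = index - len(STATIC) - 1
        if index < 1 or slot >= len(self.dynamic):
            raise ValueError("index %d not in table (decoder out of sync?)" % index)
        return self.dynamic[slot]

    def _evict(self):
        while sum(len(n) + len(v) + 32 for n, v in self.dynamic) > self.max_size:
            self.dynamic.pop()  # the oldest entry leaves first

    def decode(self, block):
        fields, pos = [], 0
        while pos < len(block):
            first = block[pos]
            if first & 0x80:                      # indexed field
                index, pos = decode_int(block, pos, 7)
                fields.append(self._lookup(index))
            elif (first & 0xE0) == 0x20:          # dynamic table size update
                self.max_size, pos = decode_int(block, pos, 5)
                self._evict()
            else:                                 # literal field
                incremental = bool(first & 0x40)
                index, pos = decode_int(block, pos, 6 if incremental else 4)
                if index:
                    name = self._lookup(index)[0]
                else:
                    name, pos = decode_str(block, pos)
                value, pos = decode_str(block, pos)
                fields.append((name, value))
                if incremental:
                    self.dynamic.insert(0, (name, value))
                    self._evict()
        return fields


def to_http1(fields):
    """Render decoded fields as an HTTP/1.1 request head for rule matching."""
    for name, value in fields:
        if "\r" in name + value or "\n" in name + value:
            raise ValueError("CR/LF in field %r: not representable in HTTP/1" % name)
    pseudo = {n: v for n, v in fields if n.startswith(":")}
    lines = ["%s %s HTTP/1.1" % (pseudo[":method"], pseudo[":path"])]
    if ":authority" in pseudo:
        lines.append("Host: " + pseudo[":authority"])
    lines += ["%s: %s" % (n, v) for n, v in fields if not n.startswith(":")]
    return "\r\n".join(lines) + "\r\n\r\n"


if __name__ == "__main__":
    decoder = HpackDecoder()
    for block in (BLOCK_1, BLOCK_2):
        print(to_http1(decoder.decode(block)))
```

Because the dynamic table is built up over the life of the connection, a passive sensor that starts decoding mid-connection meets indexes it has never seen; the decoder reports that as an error instead of guessing a field.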
In step S24, the to-be-detected request is subjected to security detection according to the security detection rule of HTTP1, so as to determine the security detection result of the client.
In this embodiment, the target transmission request with the protocol type of HTTP2 is recombined and converted into a to-be-detected request with the protocol type of HTTP1; if the initial protocol type of the transmission request is HTTP1, the transmission request does not need to be recombined. Both the initial transmission request with the protocol type of HTTP1 and the converted to-be-detected request with the protocol type of HTTP1 can undergo unified security detection using the security detection rule of HTTP1. Therefore, whether the client uses the HTTP1 protocol type or the HTTP2 protocol type, security detection can be performed on the transmitted request to obtain a security detection result. The security detection rule may be, for example, command injection detection, SQL injection detection, or the like; security detection may also be performed using a security detection tool based on the OWASP (Open Web Application Security Project) Top 10, which contains the 10 common and dangerous security detection rules, or the like. After the security detection, a security detection result may be generated, and the security detection result may include whether each transmission request or request to be detected has a risk, and the type of the risk, for example, the transmission request A has a risk of "sensitive data leakage".
After the transmission requests are subjected to security detection, the security detection result of each transmission request can be recorded in a log file, so that data calculation and statistics are facilitated. Moreover, the safety detection result or the corresponding log file can be displayed to safety personnel, so that the safety personnel can monitor the client side conveniently.
In an exemplary embodiment, before security detection is performed on a request to be detected, a malicious packet may be identified and discarded. Specifically, the method may include step S41 and step S42, as shown in fig. 4.
In step S41, when the target transmission request does not include the end flag, wait for the client to transmit another transmission request having the same stream identifier as the target transmission request, and record the waiting time.
If the current target transmission request does not contain the end flag, the stream corresponding to the target transmission request has not been completely sent, so it is necessary to wait for the client to continue sending requests. For example, when the current target transmission request is received, the time of receipt can be recorded, and the waiting time is measured starting from that time.
In step S42, when the waiting time exceeds a preset time limit, the target transmission request is discarded.
When the current target transmission request is received, the target transmission request needs to be stored, and if the waiting time exceeds a preset time limit, the target transmission request can be determined to be a malicious message and discarded. And if the waiting time does not exceed the preset time limit, the next transmission request sent by the client is received, whether the transmission request contains an end mark or not is continuously determined, if not, the next transmission request is continuously waited, and the waiting time is updated until the transmission request containing the end mark and the same as the stream identifier of the target transmission request is received. The preset time limit may be a default time period of the client, or may also be a user-defined time period, for example, 30 seconds, 60 seconds, and the like, which is not limited in this embodiment.
For example, if the target transmission request a1 does not include an end flag, wait for the next transmission request that is the same as the flow id of a1, and record a waiting time T1, and discard the target transmission request when no other transmission request for the flow id is received within the preset time limit; if the flow identification transmission request a2 is received within the preset time limit, it is determined whether an end flag is included in a2, and if not included in a2, the waiting is continued, and the waiting time T2 is recalculated from the time a2 is received until a target transmission request including an end flag is received within the preset time limit.
In an exemplary embodiment, a malicious message may also be identified by the number of bytes of the target transmission request. Specifically, the number of bytes of each frame whose data type is entity data in the request data and the target transmission request is calculated; if the number of bytes of each frame whose data type is entity data is a preset value, the request data and the target transmission request can be discarded.
If the target transmission request contains the end flag, the other transmission requests with the same stream identifier are acquired according to the stream identifier of the target transmission request containing the end flag, thereby obtaining the request data. The number of bytes of each entity data frame in the request data and the target transmission request is then calculated; if the number of bytes of each frame of the entity data is a preset value, the request is determined to be a malicious message, and the request data and the target transmission request are discarded. The preset value may be the maximum value of the HTTP2 request default stream, or may be another self-defined value, which is not particularly limited in this embodiment. In other embodiments, malicious messages may be identified before the security detection in other manners; for example, when the number of bytes of each frame of the entity data is smaller than a threshold, the corresponding target transmission request and the request data may be determined to be malicious messages and discarded.
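The two discard checks described above (steps S41 and S42, and the entity-data byte count), as an added Python example that is not part of the patent text. The class `StreamGuard`, its verdict strings and the frame events are constructed for illustration; the 30-second limit is one of the values the text mentions, and the preset size of 16384 bytes is an assumption.

```python
from dataclasses import dataclass, field


@dataclass
class PendingStream:
    last_seen: float                                 # arrival of the latest frame
    data_sizes: list = field(default_factory=list)   # bytes per entity data frame


class StreamGuard:
    """Decides, per stream, whether stored frames are reassembled or dropped."""

    def __init__(self, time_limit=30.0, preset_size=16384):
        self.time_limit = time_limit      # preset time limit in seconds
        self.preset_size = preset_size    # assumed preset frame size in bytes
        self.pending = {}                 # stream identifier -> PendingStream

    def expire(self, now):
        """Drop every stream whose wait since its last frame exceeds the limit."""
        stale = [sid for sid, p in self.pending.items()
                 if now - p.last_seen > self.time_limit]
        for sid in stale:
            del self.pending[sid]
        return [(sid, "discard: timeout") for sid in stale]

    def on_frame(self, now, stream_id, is_data, size, end_stream):
        """Record one frame; return the verdicts this arrival produces."""
        verdicts = self.expire(now)
        stream = self.pending.setdefault(stream_id, PendingStream(now))
        stream.last_seen = now            # the waiting time restarts here
        if is_data:
            stream.data_sizes.append(size)
        if end_stream:
            del self.pending[stream_id]
            # Header-only requests have no entity data and are never "uniform".
            uniform = bool(stream.data_sizes) and all(
                s == self.preset_size for s in stream.data_sizes)
            verdicts.append((stream_id, "discard: uniform DATA size"
                             if uniform else "reassemble"))
        return verdicts


# Constructed events: (arrival time in s, stream id, is_data, size, end flag).
EVENTS = [
    (0.0, 1, False, 40, False),     # stream 1 headers
    (1.0, 3, False, 40, False),     # stream 3 headers, then silence
    (2.0, 1, True, 120, False),     # stream 1 body, first part
    (3.0, 5, False, 40, False),     # stream 5 headers
    (4.0, 5, True, 16384, False),   # stream 5 body frames, all of preset size
    (5.0, 5, True, 16384, True),
    (20.0, 1, True, 80, True),      # 18 s after the previous stream 1 frame
    (40.0, 7, False, 40, True),     # arrival at 40 s also expires stream 3
]


def demo_guard():
    """Run the constructed events and return all verdicts in order."""
    guard = StreamGuard()
    verdicts = []
    for event in EVENTS:
        verdicts += guard.on_frame(*event)
    return verdicts


if __name__ == "__main__":
    for stream_id, verdict in demo_guard():
        print(stream_id, verdict)
```

A legitimate upload whose every entity data frame happens to have the preset size matches the same rule, so the verdict is worth writing to the detection log together with the stream identifier.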
In an exemplary embodiment, as shown in fig. 5, the security detection method may include steps S501 to S512.
In step S501, a transmission request is acquired: the transmission request between the current client and the server is sent to the security device through the switch. In step S502, the security device determines whether the current transmission request needs to be decrypted; if decryption is required, step S503 is executed; if no decryption is required, step S504 is executed. In step S503, the key file on the server is obtained, and the current transmission request is decrypted to obtain a decrypted transmission request. In step S504, it is determined whether the protocol type of the transmission request is HTTP2; if yes, step S505 is executed; if not, step S506 is executed. In step S505, the transmission request with the protocol type of HTTP2 is used as a target transmission request, and the header data in the target transmission request is subjected to HPACK decompression to obtain decompressed header data. In step S507, it is determined whether the target transmission request includes an end flag; if yes, step S508 is executed; if not, step S509 is executed. In step S509, the next target transmission request is waited for, and the waiting time is recorded. In step S510, it is determined whether the waiting time exceeds a preset time limit; if not, the process returns to step S507 and loops until the target transmission request contains the end flag; if the waiting time exceeds the preset time limit, step S511 is executed. In step S511, the target transmission request is discarded.
In step S508, it is determined whether the number of bytes of each entity data frame in the target transmission request and the request data satisfies the condition. First, the request data, comprising the transmission requests that have the same stream identifier as the target transmission request, is acquired; then the number of bytes of each entity data frame in the transmission requests of the request data and in the target transmission request is determined. If the number of bytes of each entity data frame is the same and is a preset value, the target transmission request satisfies the condition, and step S511 is executed to discard the target transmission request and the request data; that is, each transmission request having the same stream identifier is deleted. If the numbers of bytes of the entity data frames in the request data and the target transmission request differ from one another, the target transmission request does not satisfy the condition, and step S512 is executed. In step S512, the target transmission request and the request data are recombined to obtain a request to be detected. In step S506, security detection is performed on the request to be detected using the security detection rule of HTTP1, a detection log is generated, and the detection log is displayed.
Fig. 6 shows an application scenario of the security detection method of the present disclosure. As shown in fig. 6, a user 61 and an attacker 62 may send a transmission request to a server via a network 63. An attacker may be understood as a client that sends a malicious attack. The router 64 may be configured to distribute the transmission requests A and B to the corresponding servers 65, and, when the router receives the transmission requests A and B, may split them off to the security device 66. When the security device 66 receives the transmission requests A and B, the transmission requests A and B are processed in order of reception. The security device may include, for example, a decryption module 6601, an HTTP2 processing module 6602, and an attack detection module 6603. The decryption module 6601 is configured to decrypt the transmission request. The HTTP2 processing module 6602 may be used to decompress the transmission request; it can also be used to regroup the decompressed transmission requests, i.e. to combine the frames contained in the transmission requests. The attack detection module 6603 may be configured to perform security detection on the transmission request, determine whether the transmission request has malicious attack behavior, and generate a log according to a result of the security detection.
For example, the transmission request A is processed first, and the transmission request A is decrypted first through a decryption module; if the transmission request A is a request of an HTTP2 type, decompressing the transmission request A through a decompression module; after decompression, the decompressed transmission request A is recombined through a packet module and converted into a HTTP1 type request to be detected; if the transmission request A is a request of an HTTP1 type, decompression and recombination are not required; and finally, the request to be detected is subjected to security detection through the attack detection module 6603, and the security detection result is recorded as a log. And displaying the safety detection result in a display module 67 for safety personnel to check.
Further, the embodiment of the present disclosure also provides a security detection apparatus, which can be used to execute the security detection method of the present disclosure. Referring to fig. 7, a security detection apparatus 70 provided by an embodiment of the present disclosure may include: a message receiving module 71, a request data acquiring module 72, a data converting module 73 and a security detecting module 74.
The message receiving module 71 is configured to perform optical splitting on traffic between the client and the server to obtain a transmission request sent by the client, and determine a protocol type of the transmission request.
A request data obtaining module 72, configured to extract a target transmission request with a protocol type of HTTP2 from the transmission request, determine whether the target transmission request includes an end flag, and obtain request data from the transmission request when the target transmission request includes the end flag.
And the data conversion module 73 is configured to recombine the target transmission request and the request data, so as to convert the target transmission request into a to-be-detected request with a protocol type of HTTP1.
And the security detection module 74 is configured to perform security detection on the request to be detected through a security detection rule of the HTTP1, so as to determine a security detection result of the client.
In an exemplary embodiment of the present disclosure, the security detection device 70 may further include a data decryption module. The data decryption module may be configured to: when the transmission request is encrypted, obtaining a secret key file of the transmission request; decrypting the transmission request with the key file to determine the protocol type.
In an exemplary embodiment of the present disclosure, the security detection device 70 further includes a data decompression module. The data decompression module may be configured to decompress the header data of the target transmission request to obtain the header data of the request to be detected.
In an exemplary embodiment of the present disclosure, the data decompression module specifically includes an index table obtaining unit and a field determining unit.
The index table acquisition unit is used for acquiring an index table associated with the compression rule of HTTP2.
And the field determining unit is used for determining each field corresponding to the header data of the target transmission request through the index table so as to obtain the header data of the request to be detected.
In an exemplary embodiment of the present disclosure, the target transmission request includes a plurality of frames; the data conversion module specifically comprises an end mark detection unit and a data frame combination unit.
The end mark detection unit is configured to, when the end mark is included in the target transmission request, acquire, from the transmission request, request data that is the same as the stream identifier of the target transmission request.
And the data frame combination unit is used for combining the frames contained in each transmission request in the request data and the frames contained in the target transmission request according to the data types corresponding to the frames to obtain the request to be detected.
In an exemplary embodiment of the present disclosure, the apparatus 70 further includes a timeout detecting module, and a data discarding module.
And the timeout detection module is used for waiting for the client to send other transmission requests with the same stream identification as the target transmission request when the target transmission request does not contain an end mark, and recording the waiting time.
And the data discarding module is used for discarding the target transmission request when the waiting time exceeds a preset time limit.
In an exemplary embodiment of the present disclosure, the security detection device 70 further includes a byte count detection module and a request discarding module.
The byte number detection module is used for calculating the byte number of the frame of which each data type is entity data in the request data and the target transmission request.
The request discarding module is used for discarding the request data and the target transmission request when the number of bytes of each frame whose data type is entity data is a preset value.
For details that are not disclosed in the embodiments of the security detection apparatus of the present disclosure, please refer to the embodiments of the security detection method of the present disclosure.
Referring now to FIG. 8, shown is a block diagram of a computer system 800 suitable for use in implementing the electronic devices of embodiments of the present disclosure. The computer system 800 of the electronic device shown in fig. 8 is only an example, and should not bring any limitations to the function and scope of use of the embodiments of the present disclosure.
As shown in fig. 8, a computer system 800 includes a Central Processing Unit (CPU)801 which can perform various appropriate actions and processes in accordance with a program stored in a Read Only Memory (ROM)802 or a program loaded from a storage section 808 into a Random Access Memory (RAM) 803. In the RAM 803, various programs and data necessary for system operation are also stored. The CPU 1201, the ROM 802, and the RAM 803 are connected to each other by a bus 804. An input/output (I/O) interface 805 is also connected to bus 804.
The following components are connected to the I/O interface 805: an input section 806 including a keyboard, a mouse, and the like; an output section 807 including a display such as a Cathode Ray Tube (CRT) or a Liquid Crystal Display (LCD), and a speaker; a storage section 808 including a hard disk and the like; and a communication section 809 including a network interface card such as a LAN card, a modem, or the like. The communication section 809 performs communication processing via a network such as the internet. A drive 810 is also connected to the I/O interface 805 as necessary. A removable medium 811 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 810 as necessary, so that a computer program read out therefrom is installed into the storage section 808 as necessary.
In particular, the processes described above with reference to the flow diagrams may be implemented as computer software programs, according to embodiments of the present disclosure. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program can be downloaded and installed from a network through the communication section 809 and/or installed from the removable medium 811. The computer program executes the above-described functions defined in the system of the present application when executed by the Central Processing Unit (CPU) 801.
It should be noted that the computer readable media shown in the present disclosure may be computer readable signal media or computer readable storage media or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In contrast, in the present disclosure, a computer-readable signal medium may include a propagated data signal with computer-readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units described in the embodiments of the present disclosure may be implemented by software, or may be implemented by hardware, and the described units may also be disposed in a processor. Wherein the names of the elements do not in some way constitute a limitation on the elements themselves.
As another aspect, the present application also provides a computer-readable medium, which may be contained in the electronic device described in the above embodiment; or may exist separately without being assembled into the electronic device. The computer readable medium carries one or more programs, and when the one or more programs are executed by the electronic device, the electronic device implements the security detection method as described in the above embodiments.
For example, the electronic device may implement the following as shown in fig. 2: step S21, performing light splitting processing on the traffic between the client and the server to obtain a transmission request sent by the client, and determining the protocol type of the transmission request; step S22, extracting a target transmission request with a protocol type of HTTP2 from the transmission request, determining whether the target transmission request includes an end flag, and acquiring request data from the transmission request when the target transmission request includes the end flag; step S23, the target transmission request and the request data are recombined so as to convert the target transmission request into a request to be detected with a protocol type of HTTP1; and step S24, performing security detection on the request to be detected through the security detection rule of the HTTP1 to determine the security detection result of the client.
As another example, the electronic device may implement the various steps shown in fig. 3-6.
It should be noted that although several modules or units of the device for action execution are mentioned in the above detailed description, such a division is not mandatory. Indeed, the features and functionality of two or more modules or units described above may be embodied in one module or unit, according to embodiments of the present disclosure. Conversely, the features and functions of one module or unit described above may be further divided so as to be embodied by a plurality of modules or units.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, or by software in combination with necessary hardware. Therefore, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a usb disk, a removable hard disk, etc.) or on a network, and includes several instructions to enable a computing device (which may be a personal computer, a server, a touch terminal, or a network device, etc.) to execute the method according to the embodiments of the present disclosure.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This application is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.
It will be understood that the present disclosure is not limited to the precise arrangements that have been described above and shown in the drawings, and that various modifications and changes may be made without departing from the scope thereof. The scope of the present disclosure is limited only by the appended claims.
Claims (10)
1. A security detection method, comprising:
performing light splitting processing on traffic between a client and a server to obtain a transmission request sent by the client and determine a protocol type of the transmission request;
extracting a target transmission request with a protocol type of HTTP2 from the transmission request, determining whether the target transmission request contains an end mark, and acquiring request data from the transmission request when the target transmission request contains the end mark;
recombining the target transmission request and the request data to convert the target transmission request into a to-be-detected request with a protocol type of HTTP1;
and performing security detection on the request to be detected through a security detection rule of HTTP1 to determine a security detection result of the client.
2. The method of claim 1, wherein determining the protocol type of the transmission request comprises:
when the transmission request is encrypted, obtaining a key file of the transmission request;
decrypting the transmission request with the key file to determine the protocol type.
3. The method of claim 1, wherein before reassembling the target transmission request, further comprising:
and decompressing the header data of the target transmission request to obtain the header data of the request to be detected.
4. The method of claim 3, wherein decompressing header data of the target transfer request comprises:
acquiring an index table related to the compression rule of HTTP2;
and determining each field corresponding to the head data of the target transmission request through the index table so as to obtain the head data of the request to be detected.
5. The method of claim 1, wherein the target transmission request comprises a plurality of frames; recombining the target transmission request and the request data to convert the target transmission request into a to-be-detected request with a protocol type of HTTP1 includes:
and when the target transmission request contains an end mark, acquiring request data which is the same as the stream identifier of the target transmission request from the transmission request, and combining frames contained in each transmission request in the request data and frames contained in the target transmission request according to the data type corresponding to the frames to obtain the request to be detected.
6. The method of claim 1, further comprising:
when the target transmission request does not contain an end mark, waiting for the client to send other transmission requests with the same stream identification as the target transmission request, and recording the waiting time;
and when the waiting time exceeds a preset time limit, discarding the target transmission request.
7. The method of claim 5, wherein before recombining the target transmission request and the request data, further comprising:
calculating the byte number of each frame with the data type as entity data in the request data and the target transmission request;
and when the byte number of the frame with the data type of entity data is a preset value, discarding the request data and the target transmission request.
8. A security detection device, comprising:
the message receiving module is used for receiving a transmission request sent by a client and determining the protocol type of the transmission request;
a request data obtaining module, configured to extract a target transmission request with a protocol type of HTTP2 from the transmission request, determine whether the target transmission request includes an end flag, and obtain request data from the transmission request when the target transmission request includes the end flag;
the data conversion module is used for recombining the target transmission request and the request data so as to convert the target transmission request into a to-be-detected request with a protocol type of HTTP1;
and the security detection module is used for performing security detection on the request to be detected through a security detection rule of HTTP1 to determine a security detection result of the client.
9. An electronic device, comprising:
one or more processors;
a storage device for storing one or more programs,
the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the security detection method of any of claims 1 to 7.
10. A computer-readable medium, on which a computer program is stored, which, when being executed by a processor, carries out the security detection method according to any one of claims 1 to 7.
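The flow in claims 1, 4 and 5 (group HTTP2 frames by stream identifier, wait for the end mark, decode the header block through the index table, emit an HTTP1 request and apply an HTTP1 rule) can be sketched as follows. This is an added example, not code from the patent; `frame`, `hpack_decode`, `reassemble`, `RULE` and the capture bytes are constructed for illustration. It assumes un-padded HEADERS frames without CONTINUATION, decodes only a subset of HPACK, and renders only the request line, Host and Content-Length.

```python
import re
# HPACK static table entries used here (RFC 7541, Appendix A).
STATIC = {1: (":authority", ""), 2: (":method", "GET"), 3: (":method", "POST"),
          4: (":path", "/"), 6: (":scheme", "http"), 7: (":scheme", "https")}
DATA, HEADERS, END_STREAM = 0x0, 0x1, 0x1
RULE = re.compile(rb"union\s+select", re.I)  # stand-in for an HTTP/1 detection rule

def frame(ftype, flags, sid, payload):  # 24-bit length, type, flags, 31-bit stream id
    return len(payload).to_bytes(3, "big") + bytes([ftype, flags]) + sid.to_bytes(4, "big") + payload

def hpack_decode(block):
    """Handles indexed static fields and short non-Huffman literals named by index."""
    out, i = [], 0
    while i < len(block):
        b, n = block[i], 0
        if b & 0x80:                                # indexed header field
            out.append(STATIC[b & 0x7F])
        elif 0 < b < 0x0F and block[i + 1] < 0x7F:  # literal without indexing
            n = 1 + block[i + 1]
            out.append((STATIC[b][0], block[i + 2:i + 1 + n].decode()))
        else:
            raise ValueError("HPACK representation not handled in this sketch")
        i += 1 + n
    return out

def reassemble(buf):
    """Return ({stream id: HTTP/1.1 bytes} for ended streams, pending stream ids)."""
    streams, done, pos = {}, {}, 0
    while pos + 9 <= len(buf):
        n, ftype, flags = int.from_bytes(buf[pos:pos + 3], "big"), buf[pos + 3], buf[pos + 4]
        sid = int.from_bytes(buf[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        payload, pos = buf[pos + 9:pos + 9 + n], pos + 9 + n
        if ftype not in (DATA, HEADERS):
            continue
        hdrs, body = streams.setdefault(sid, ([], bytearray()))
        hdrs += hpack_decode(payload) if ftype == HEADERS else []
        body += payload if ftype == DATA else b""
        if flags & END_STREAM:                      # end mark: the stream is complete
            p = dict(hdrs)
            head = (f"{p[':method']} {p[':path']} HTTP/1.1\r\nHost: {p[':authority']}\r\n"
                    f"Content-Length: {len(body)}\r\n\r\n")
            done[sid] = head.encode() + bytes(body)
            del streams[sid]
    return done, set(streams)

# Constructed capture: stream 1 ends; stream 3 has sent no end mark yet.
AUTH = b"\x01\x0bexample.com"  # literal :authority, name taken from static index 1
CAPTURE = (frame(HEADERS, 4, 1, b"\x83\x84\x87" + AUTH) + frame(DATA, 0, 1, b"q=1 uni")
           + frame(HEADERS, 4, 3, b"\x82\x84\x87" + AUTH) + frame(DATA, 1, 1, b"on select 2"))
```

The rule matches only the recombined stream 1, not either DATA frame on its own, and stream 3 stays pending in the way claim 6 describes. Decoded header values are copied into the HTTP/1.1 text unvalidated here; a production converter would reject CR or LF in decoded fields before rendering.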
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110003804.7A CN114726564B (en) | 2021-01-04 | 2021-01-04 | Security detection method, security detection device, electronic device, and medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114726564A true CN114726564A (en) | 2022-07-08 |
CN114726564B CN114726564B (en) | 2023-05-23 |
Family
ID=82233511
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110003804.7A Active CN114726564B (en) | 2021-01-04 | 2021-01-04 | Security detection method, security detection device, electronic device, and medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114726564B (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105635064A (en) * | 2014-10-31 | 2016-06-01 | 杭州华三通信技术有限公司 | CSRF attack detection method and device |
US20160285989A1 (en) * | 2015-03-24 | 2016-09-29 | Fortinet, Inc. | Http proxy |
US20200162537A1 (en) * | 2018-11-20 | 2020-05-21 | International Business Machines Corporation | Passive re-assembly of http2 fragmented segments |
CN111740996A (en) * | 2020-06-22 | 2020-10-02 | 四川长虹电器股份有限公司 | Method for rapidly splitting HTTP request and response in flow analysis scene |
Non-Patent Citations (2)
Title |
---|
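Liu Zheng et al.: "A Covert Sequence Channel Method Based on the HTTP/2 Protocol", Journal of Computer Research and Development * |
Shi Jian et al.: "Research on Identifying Web Page Objects in Encrypted HTTP/2 Streams", Computer Knowledge and Technology * |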
Also Published As
Publication number | Publication date |
---|---|
CN114726564B (en) | 2023-05-23 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||