CN114726564B - Security detection method, security detection device, electronic device, and medium


Publication number
CN114726564B
Authority
CN
China
Prior art keywords
request
transmission request
data
target transmission
security detection
Legal status
Active
Application number
CN202110003804.7A
Other languages
Chinese (zh)
Other versions
CN114726564A (en)
Inventor
郭晶
甘祥
郑兴
彭婧
刘羽
范宇河
唐文韬
申军利
Current Assignee
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis


Abstract

Embodiments of the present disclosure provide a security detection method, a security detection device, an electronic device and a computer readable medium, and relate to the technical field of network communication. The method comprises: splitting (mirroring) the traffic between a client and a server to obtain the transmission requests sent by the client, and determining the protocol type of each transmission request; extracting a target transmission request whose protocol type is HTTP2, determining whether the target transmission request contains an end flag, and acquiring request data from the transmission requests when the target transmission request contains the end flag; recombining the target transmission request and the request data to convert the target transmission request into a request to be detected whose protocol type is HTTP1; and performing security detection on the request to be detected uniformly using the security detection rules of HTTP1, so as to determine the security detection result of the client. According to the embodiments of the present disclosure, transmission requests can still undergo security detection when the protocol type is HTTP2, which closes the security vulnerability and improves security.

Description

Security detection method, security detection device, electronic device, and medium
Technical Field
The present disclosure relates to the field of network communications, and in particular, to a security detection method, a security detection apparatus, an electronic device, and a computer readable medium.
Background
Because HTTP1 is characterized by high latency, stateless connections, plaintext transmission and the like, communication based on the HTTP1 protocol has the disadvantages of slow page loading, excessive cost and poor security. To overcome these problems, HTTP2 divides request and response data into smaller frames, transmits them in binary form, and compresses the headers, which greatly improves data transmission performance.
At present, the security detection of application firewalls is mainly designed for HTTP1 and can only inspect single packets, such as request packets and response packets. Because the HTTP2 protocol divides one HTTP request into a plurality of streams for distribution, detection can be bypassed by using HTTP2 characteristics, which poses a significant security risk.
It should be noted that the information disclosed in the above background section is only for enhancing understanding of the background of the present disclosure and thus may include information that does not constitute prior art known to those of ordinary skill in the art.
Disclosure of Invention
An object of an embodiment of the present disclosure is to provide a security detection method, a security detection apparatus, an electronic device, and a computer readable medium, which can still support security detection in the case of HTTP2 protocol type, so as to avoid security holes and improve security of network communication.
Other features and advantages of the present disclosure will be apparent from the following detailed description, or may be learned in part by the practice of the disclosure.
According to a first aspect of an embodiment of the present disclosure, there is provided a security detection method, including: splitting (mirroring) the traffic between a client and a server to obtain the transmission requests sent by the client, and determining the protocol type of each transmission request; extracting, from the transmission requests, a target transmission request whose protocol type is HTTP2, determining whether the target transmission request contains an end flag, and acquiring request data from the transmission requests when the target transmission request contains the end flag; recombining the target transmission request and the request data to convert the target transmission request into a request to be detected whose protocol type is HTTP1; and performing security detection on the request to be detected using the security detection rules of HTTP1, so as to determine the security detection result of the client.
In an exemplary embodiment of the present disclosure, determining the protocol type of the transmission request includes: when the transmission request is encrypted, a key file of the transmission request is obtained; decrypting the transmission request through the key file to determine the protocol type.
In an exemplary embodiment of the present disclosure, before the reorganizing the target transmission request, the method further includes: decompressing the header data of the target transmission request to obtain the header data of the request to be detected.
In an exemplary embodiment of the present disclosure, decompressing the header data of the target transmission request includes: acquiring an index table associated with the compression rule of HTTP 2; and determining each field corresponding to the header data of the target transmission request through the index table so as to obtain the header data of the request to be detected.
In an exemplary embodiment of the present disclosure, the target transmission request includes a plurality of frames; recombining the target transmission request and the request data to convert the target transmission request into a request to be detected whose protocol type is HTTP1 includes: when the target transmission request contains an end flag, acquiring, from the transmission requests, the request data having the same stream identifier as the target transmission request; and combining the frames contained in each transmission request of the request data with the frames contained in the target transmission request, according to the data type of each frame, to obtain the request to be detected.
In an exemplary embodiment of the present disclosure, the method further comprises: when the target transmission request does not contain an end flag, waiting for the client to send other transmission requests having the same stream identifier as the target transmission request, and recording the waiting time; and discarding the target transmission request when the waiting time exceeds a preset time limit.
In an exemplary embodiment of the present disclosure, before recombining the target transmission request and the request data, the method further includes: calculating the number of bytes of each frame whose data type is entity data in the request data and the target transmission request; and discarding the request data and the target transmission request when the byte counts of the frames whose data type is entity data all equal a preset value.
According to a second aspect of embodiments of the present disclosure, a security detection apparatus is provided that may include a message receiving module, a request data obtaining module, a data converting module, and a security detection module.
The message receiving module is configured to split (mirror) the traffic between the client and the server, so as to acquire the transmission requests sent by the client and determine the protocol type of each transmission request.
The request data obtaining module is configured to extract, from the transmission requests, a target transmission request whose protocol type is HTTP2, determine whether the target transmission request contains an end flag, and acquire request data from the transmission requests when the target transmission request contains the end flag.
The data converting module is configured to recombine the target transmission request and the request data, so as to convert the target transmission request into a request to be detected whose protocol type is HTTP1.
The security detection module is configured to perform security detection on the request to be detected using the security detection rules of HTTP1, so as to determine the security detection result of the client.
In an exemplary embodiment of the present disclosure, the security detection device may further include a data decryption module. The data decryption module may be configured to: when the transmission request is encrypted, a key file of the transmission request is obtained; decrypting the transmission request through the key file to determine the protocol type.
In an exemplary embodiment of the present disclosure, the security detection device further includes a data decompression module. The data decompression module may be configured to: decompressing the header data of the target transmission request to obtain the header data of the request to be detected.
In an exemplary embodiment of the present disclosure, the data decompression module specifically includes an index table acquisition unit, and a field determination unit.
The index table acquisition unit is configured to acquire an index table associated with the compression rule of HTTP2.
The field determination unit is configured to determine, through the index table, each field corresponding to the header data of the target transmission request, so as to obtain the header data of the request to be detected.
In an exemplary embodiment of the present disclosure, the target transmission request includes a plurality of frames; the data conversion module specifically comprises an end mark detection unit and a data frame combination unit.
The end mark detection unit is configured to acquire, from the transmission requests, the request data having the same stream identifier as the target transmission request when the target transmission request contains the end flag.
The data frame combination unit is configured to combine the frames contained in each transmission request of the request data with the frames contained in the target transmission request, according to the data type of each frame, to obtain the request to be detected.
In an exemplary embodiment of the present disclosure, the apparatus further includes a timeout detection module, and a data discard module.
The timeout detection module is configured to wait, when the target transmission request does not contain the end flag, for the client to send other transmission requests having the same stream identifier as the target transmission request, and to record the waiting time.
The data discard module is configured to discard the target transmission request when the waiting time exceeds a preset time limit.
In an exemplary embodiment of the present disclosure, the security detection apparatus further includes a byte count detection module, and a request discard module.
The byte count detection module is configured to calculate the number of bytes of each frame whose data type is entity data in the request data and the target transmission request.
The request discard module is configured to discard the request data and the target transmission request when the byte counts of the frames whose data type is entity data all equal a preset value.
According to a third aspect of embodiments of the present disclosure, there is provided an electronic device, comprising: one or more processors; and storage means for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the security detection method as described in the first aspect of the embodiments above.
According to a fourth aspect of embodiments of the present disclosure, there is provided a computer readable medium having stored thereon a computer program which, when executed by a processor, implements the security detection method as described in the first aspect of the above embodiments.
According to the security detection method, the security detection device, the electronic device and the computer readable medium of the embodiments of the present disclosure, the protocol type of each transmission request is determined, and a target transmission request whose protocol type is HTTP2 is recombined and converted into an HTTP1 transmission request for security detection, so that the security vulnerability of bypassing security detection by using HTTP2 communication can be eliminated and the security of network transmission is improved. Moreover, because HTTP2 traffic can be detected using the security detection rules of HTTP1, no additional development cost is needed, which saves cost and improves efficiency.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the disclosure and together with the description, serve to explain the principles of the disclosure. It will be apparent to those of ordinary skill in the art that the drawings in the following description are merely examples of the disclosure and that other drawings may be derived from them without undue effort. In the drawings:
FIG. 1 schematically illustrates an exemplary system architecture diagram of a security detection method applied to an embodiment of the present disclosure;
FIG. 2 schematically illustrates a flow chart of a security detection method according to an embodiment of the present disclosure;
FIG. 3 schematically illustrates a flow chart of a security detection method according to another embodiment of the present disclosure;
FIG. 4 schematically illustrates a flow chart of a security detection method according to an embodiment of the present disclosure;
FIG. 5 schematically illustrates a flow chart of a security detection method in another embodiment according to the present disclosure;
FIG. 6 schematically illustrates an application scenario diagram of a security detection method in an embodiment according to the present disclosure;
FIG. 7 schematically illustrates a block diagram of a security detection device according to an embodiment of the present disclosure;
FIG. 8 shows a schematic diagram of a computer system suitable for use in implementing embodiments of the present disclosure.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. However, the exemplary embodiments may be embodied in many forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of the example embodiments to those skilled in the art.
Furthermore, the described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the disclosure. One skilled in the relevant art will recognize, however, that the disclosed aspects may be practiced without one or more of the specific details, or with other methods, components, devices, steps, etc. In other instances, well-known methods, devices, implementations, or operations are not shown or described in detail to avoid obscuring aspects of the disclosure.
The block diagrams depicted in the figures are merely functional entities and do not necessarily correspond to physically separate entities. That is, the functional entities may be implemented in software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.
The flow diagrams depicted in the figures are exemplary only, and do not necessarily include all of the elements and operations/steps, nor must they be performed in the order described. For example, some operations/steps may be decomposed, and some operations/steps may be combined or partially combined, so that the order of actual execution may be changed according to actual situations.
In the present specification, the terms "a," "an," "the," "said" and "at least one" are used to indicate the presence of one or more elements/components/etc.; the terms "comprising," "including," and "having" are intended to be inclusive and mean that there may be additional elements/components/etc., in addition to the listed elements/components/etc.; the terms "first," "second," "third," and the like are used merely as labels, and are not intended to limit the number of subjects.
The following describes example embodiments of the present disclosure in detail with reference to the accompanying drawings.
Fig. 1 shows a schematic diagram of a system architecture of an exemplary application environment to which a security detection method or security detection device of embodiments of the present disclosure may be applied.
As shown in FIG. 1, the system architecture 100 may include one or more of the terminal devices 101, 102, 103, a network 104, a switch 105, a security device 106, and a server 107.
The network 104 is a medium used to provide communication links between the terminal devices 101, 102, 103 and the security device 106, server 107. The network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others.
Various client applications, such as a web browser application, a search class application, an instant messaging tool, a mailbox client, social platform software, etc., may be installed on the terminal devices 101, 102, 103. The user may interact with the server 107 via the network 104 using the terminal devices 101, 102, 103 to receive or send messages or the like. The terminal devices 101, 102, 103 may be various electronic devices having a display screen and supporting web browsing, including but not limited to desktop computers, portable computers, smartphones and tablet computers, wearable devices, virtual reality devices, smart homes, etc.
The server 107 may be a server providing various services, such as a background management server providing support for devices operated by users with the terminal devices 101, 102, 103. The background management server can analyze and process the received data such as the request and the like, and feed back the processing result to the terminal equipment.
The switch 105 is a device that performs information exchange. It transfers information between the terminal devices 101, 102, 103 and the security device 106, and between the server 107 and the security device 106. The switch 105 may distribute the traffic between the terminal devices and the server to the security device 106, so that the security device 106 can perform security detection on the traffic.
The security device 106 may be an apparatus or an electronic device that performs the security detection method provided in the embodiments of the present disclosure, and may have an application program corresponding to the security detection method installed thereon. For example, the security device 106 may receive a current transmission request sent by the client, determine a protocol type of the current transmission request, and further obtain a target transmission request with a protocol type of HTTP2, obtain request data from the transmission request when the target transmission request includes an end flag, and convert the target transmission request into a request to be detected with a protocol type of HTTP1 by reorganizing the request data and the target transmission request, so as to perform security detection on all the received transmission requests by using a security detection rule of HTTP1, and obtain a security detection result.
It should be understood that the number of terminal devices, networks and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation. For example, the server 105 may be a server cluster formed by a plurality of servers.
The method provided by the embodiments of the present disclosure may be performed by the security device 106, and accordingly, the security detection means may also be provided in the security device 106. However, it will be readily understood by those skilled in the art that the method provided in the embodiments of the present disclosure may be performed by a server corresponding to the security device, and accordingly, the security detection device may also be provided in the corresponding server, which is not particularly limited in the present exemplary embodiment.
Based on this, the embodiment of the disclosure provides a technical scheme of a security detection method, which can uniformly detect the HTTP1 protocol type and the HTTP2 protocol type by using the security detection rule of HTTP1, repair security holes, and improve the security of network communication.
It should be understood that HTTP (hypertext transfer protocol) is an application layer protocol in the world wide web, and performs information interaction between a client and a server in the form of a request and a response. The HTTP protocol defines a plurality of request methods, each of which defines a different information exchange manner, such as a GET method, a POST method, and the like, and the server side completes a corresponding operation according to a request of the client side and responds a result to the client side.
HTTP1 and HTTP2 in the embodiments of the present disclosure each refer to a version type of HTTP. HTTP1 refers to the versions preceding HTTP2.0, and may include, for example, HTTP1.0 and HTTP1.1; HTTP2 refers to version 2.0 of HTTP, which may also be referred to as h2 or h2c.
As shown in fig. 2, the security detection method provided by the embodiment of the present disclosure may include step S21, step S22, step S23, and step S24.
In step S21, the traffic between the client and the server is split to obtain a transmission request sent by the client, and a protocol type of the transmission request is determined.
Traffic refers to the volume of accesses from the client to the server, and can be understood as the number of users of a website or the number of pages accessed by users. When a user (client) accesses a website or web page, a request is sent to the server, and after receiving the request the server sends the data requested by the client back to the client as a response. That is, data is transferred between the client and the server in the form of HTTP requests. In this embodiment, a transmission request refers to an HTTP request sent from the client to the server. The splitting process may refer to copying the traffic: when a user accesses a web page, the user's access is copied so that security detection is performed on the copied data, which avoids affecting the user's normal access.
Because the number of clients is large, different clients can communicate with the server by adopting different protocol types, so that the transmission request can comprise information of the HTTP1 protocol and information of the HTTP2 protocol. In general, a client establishes a connection with a server to send multiple transmission requests to a server, and a request sent from the client to the server can be copied to a security device through a switch, a splitter and other devices. After receiving the multiple transmission requests, the multiple transmission requests can be stored in the security device according to the receiving sequence so as to be convenient for the security device to detect the security.
After the security device receives a transmission request, the protocol type it uses may be determined from the header data of the transmission request. The header data may include a protocol type field. By character matching on the header data, if the header data includes an identification string corresponding to the HTTP1 protocol type, the protocol type of the transmission request is HTTP1, and if the header data includes an identification string corresponding to the HTTP2 protocol type, the protocol type of the transmission request is HTTP2. For example, if the header data of the transmission request includes fields such as "HTTP/1.1" or "HTTP/1.0", the protocol type of the transmission request is HTTP1, and if the header data includes fields such as "HTTP/2.0" or "h2", the protocol type of the transmission request is HTTP2.
In an exemplary embodiment, when a transmission request is encrypted, a key file of the transmission request is obtained; the transmission request is decrypted through the key file, so that the protocol type of the decrypted transmission request is conveniently determined.
The client may send requests in encrypted form. If the transmission request is encrypted, it must be decrypted before the protocol type can be determined. After encryption with a given encryption method, the header data may include a characteristic string of that method, and whether the transmission request is encrypted may be determined by whether the corresponding string is present. For example, when the header of the transmission request is detected to contain a string corresponding to TLS (Transport Layer Security) encryption, such as "ECDHE_RSA_WITH_AES_128_CBC_SHA256", it may be determined that the transmission request is encrypted. When TLS encryption is detected, the TLS key file can be obtained through the server, for example by pulling the "ssl-key" file on the server; the key file can be used for recording the key used for encryption. After the key file is obtained, the transmission request can be decrypted using the key file, and the protocol type is then determined from the decrypted transmission request.
After the protocol type of a transmission request is determined, the connection session corresponding to the transmission request can be cached by protocol type to generate cache lists. When other transmission requests are received later, the corresponding protocol type may be determined directly from the cache lists. For example, one cache list may be generated for HTTP1 and one for HTTP2. After a transmission request is received, it is determined whether the session corresponding to the transmission request is in a cache list. If the session is in the cache list corresponding to HTTP1, the protocol type of the transmission request is HTTP1. If the session is not in any cache list, the transmission request belongs to a new session; its protocol type is then determined from the header data of the transmission request, and the session is stored in the corresponding cache list according to the determined protocol type.
In step S22, a target transmission request with a protocol type of HTTP2 is extracted from the transmission requests, it is determined whether the target transmission request includes an end flag, and request data is acquired from the transmission request when the end flag is included in the target transmission request.
After the protocol type of each transmission request is determined, the transmission requests can be classified according to protocol type, with transmission requests of the same protocol type placed in the same class. For example, transmission requests with the protocol type HTTP1 are placed in class A and transmission requests with the protocol type HTTP2 are placed in class B; class B can then be extracted as the target transmission requests. Since there is currently no security detection aimed at the characteristics of HTTP2, malicious requests that use HTTP2 characteristics to bypass security detection cannot be effectively identified. The HTTP2 target transmission request is therefore converted into a request to be detected with the protocol type HTTP1.
The HTTP2 protocol divides a connection into several streams, on each of which one or more messages can be transmitted, each message consisting of one or more binary frames. A stream is a bi-directional byte stream over an established TCP connection between a client and a server, and each stream has a unique integer ID, i.e. the stream identification. A message may be a request, a response, etc. in HTTP2. The frame is the minimum unit of HTTP2 data communication. The client and the server can decompose the data into independent frames, and the frames can be sent out of order; frames sent through the same stream share the same stream identifier.
A complete request from a client may be sent in multiple target transmission requests, each of which may include multiple frames, and an end flag, such as an "end stream" character, may be added to a frame when all the data contained in the request has been transmitted. The end mark may include numerals, letters, and the like, and this embodiment is not limited thereto. Whether the data of the stream has been completely transmitted is determined by detecting whether the current target transmission request includes an end mark. If the current target transmission request does not include the end mark, the target transmission request can be stored while waiting for the client to send the next transmission request; once the target transmission request including the end mark is received, the complete data of the stream, and thus the request data, can be obtained. If the currently received target transmission request contains an end mark, the previously stored transmission requests that have the same flow identification as the target transmission request are acquired, thereby obtaining the request data.
In step S23, the target transmission request and the request data are reassembled to convert the target transmission request into a request to be detected with a protocol type of HTTP 1.
If the target transmission request is an HTTP2 protocol type message, other transmission requests belonging to the same stream with the target transmission request can be acquired through the stream identification of the target transmission request, and request data is obtained. Specifically, the method may include step S31 and step S32, as shown in fig. 3. In step S31, when the end flag is included in the target transmission request, request data identical to the flow identification of the target transmission request is acquired from the transmission request. In step S32, the frames included in each transmission request in the request data and the frames included in the target transmission request are combined according to the data types corresponding to the frames, so as to obtain the request to be detected.
When the client sends a request using the protocol type HTTP2, a complete request can be divided into a plurality of target transmission requests for sending, and request data having the same flow identification as the target transmission request can be extracted from the transmission requests according to the flow identification of the target transmission request. For example, if the stream identifier of the target transmission request is 1, the transmission requests with the stream identifier 1 may be extracted from all the transmission requests sent by the client as the request data. The transmission requests included in the request data have the same protocol type as the target transmission request, namely HTTP2. The target transmission request may include a plurality of frames, and the frames may be classified into two types: header data and entity data. After all the data of the same stream is obtained, the complete header data and entity data of the request can be assembled according to the data types of the frames. For example, if the target transmission request includes a frame of type "HEADER", that frame is a header frame, and all frames of type "HEADER" in the request data are combined with it to obtain the complete header data, which is used as the header data of the request to be detected; similarly, combining the frames of type "DATA" yields the entity data of the request to be detected. Once the combination is completed, the header data and the entity data of the request to be detected are determined, and the complete request to be detected with the protocol type HTTP1 is obtained.
There are many repeated fields in HTTP1 request headers, and as the number of requests increases, the header fields increase, which not only consumes bandwidth but also increases latency, so HTTP2 applies compression encoding to the header to improve the transmission rate. For example, an HTTP2 request may apply HPACK compression to its header data; the compressed data is unreadable, so security detection or other processing cannot be performed on it directly. The header data in the target transmission request with the protocol type HTTP2 may therefore be decompressed before reassembly. Specifically, when the protocol type of the target transmission request is HTTP2, the header data of the target transmission request is decompressed to obtain decompressed header data, which is the header data of the request to be detected, so as to facilitate security detection of the request to be detected.
Specifically, during decompression, the index table associated with the compression rule of HTTP2 may be obtained first; each field corresponding to the header data of the target transmission request is then determined through the index table to obtain the decompressed header data. The target transmission request may include a plurality of frames, each of which may have a different data type; the data types may be classified into header data ("HEADER") and entity data ("DATA"). According to the data type of each frame, the header data, that is, the one or more frames whose data type is HEADER, may be extracted from the target transmission request.
The compression rule is exemplified by the HPACK algorithm. In HPACK, the client and server jointly maintain a static table and a dynamic table, in which multiple fields are maintained in the form of key-value pairs. The static table contains static fields; HTTP2 defines 61 fixed static fields. The dynamic table may be used to store fields that are dynamically added by the client or server. Through the static table and the dynamic table, each character in the header data of the target transmission request can be indexed to a field in the tables, and the readable character string corresponding to the character is obtained. The header data may include a plurality of characters, and after each character is converted into the character string in the table, the resulting character strings may be used as the decompressed header data. For example, if the index value is 2, querying the static table shows that the corresponding field is method: GET.
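The table lookup described above can be made concrete with a small decoder. The following Python sketch is an added example, not code from the patent: it follows RFC 7541 (static table, dynamic table, prefix-coded integers), assumes Huffman-coded strings are out of scope, and the class and function names are hypothetical. The two sample header blocks are the published RFC 7541 Appendix C.3 test vectors.

```python
# Added example: minimal HPACK decoder (RFC 7541), no Huffman support.
# Static table of RFC 7541 Appendix A: 61 entries, index 1 first.
_NAMES = (
    ":authority :method :method :path :path :scheme :scheme "
    ":status :status :status :status :status :status :status "
    "accept-charset accept-encoding accept-language accept-ranges accept "
    "access-control-allow-origin age allow authorization cache-control "
    "content-disposition content-encoding content-language content-length "
    "content-location content-range content-type cookie date etag expect "
    "expires from host if-match if-modified-since if-none-match if-range "
    "if-unmodified-since last-modified link location max-forwards "
    "proxy-authenticate proxy-authorization range referer refresh "
    "retry-after server set-cookie strict-transport-security "
    "transfer-encoding user-agent vary via www-authenticate"
).split()
_VALUES = {2: "GET", 3: "POST", 4: "/", 5: "/index.html", 6: "http",
           7: "https", 8: "200", 9: "204", 10: "206", 11: "304",
           12: "400", 13: "404", 14: "500", 16: "gzip, deflate"}
STATIC_TABLE = [(n, _VALUES.get(i, "")) for i, n in enumerate(_NAMES, start=1)]


class HpackDecoder:
    """One instance per HTTP2 connection: the dynamic table is connection state."""

    def __init__(self, max_size=4096):
        self.dynamic = []          # newest entry first (index 62)
        self.max_size = max_size

    def _lookup(self, index):
        if 1 <= index <= len(STATIC_TABLE):
            return STATIC_TABLE[index - 1]
        if 62 <= index < 62 + len(self.dynamic):
            return self.dynamic[index - 62]
        raise ValueError(f"HPACK index {index} is in neither table")

    def _evict(self):
        # An entry costs len(name) + len(value) + 32; the oldest is dropped first.
        while sum(len(n) + len(v) + 32 for n, v in self.dynamic) > self.max_size:
            self.dynamic.pop()

    @staticmethod
    def _int(buf, pos, prefix_bits):
        """Decode a prefix-coded integer (RFC 7541 section 5.1)."""
        if pos >= len(buf):
            raise ValueError("truncated header block")
        mask = (1 << prefix_bits) - 1
        value, pos, shift = buf[pos] & mask, pos + 1, 0
        if value < mask:
            return value, pos
        while True:
            if pos >= len(buf) or shift > 28:
                raise ValueError("truncated or oversized integer")
            byte, pos = buf[pos], pos + 1
            value += (byte & 0x7F) << shift
            shift += 7
            if not byte & 0x80:
                return value, pos

    def _string(self, buf, pos):
        if pos >= len(buf):
            raise ValueError("truncated header block")
        huffman = buf[pos] & 0x80
        length, pos = self._int(buf, pos, 7)
        if huffman:
            raise NotImplementedError("Huffman-coded string (not covered here)")
        if pos + length > len(buf):
            raise ValueError("truncated string literal")
        return buf[pos:pos + length].decode("latin-1"), pos + length

    def decode(self, block):
        """Return the list of (name, value) fields carried by one header block."""
        headers, pos = [], 0
        while pos < len(block):
            first = block[pos]
            if first & 0x80:                       # indexed field, e.g. 0x82 -> 2
                index, pos = self._int(block, pos, 7)
                headers.append(self._lookup(index))
            elif (first & 0xE0) == 0x20:           # dynamic table size update
                self.max_size, pos = self._int(block, pos, 5)
                self._evict()
            else:                                  # literal field
                incremental = bool(first & 0x40)
                index, pos = self._int(block, pos, 6 if incremental else 4)
                if index:
                    name = self._lookup(index)[0]
                else:
                    name, pos = self._string(block, pos)
                value, pos = self._string(block, pos)
                if incremental:                    # remembered for later requests
                    self.dynamic.insert(0, (name, value))
                    self._evict()
                headers.append((name, value))
        return headers


if __name__ == "__main__":
    dec = HpackDecoder()
    first = bytes.fromhex("828684410f7777772e6578616d706c652e636f6d")
    second = bytes.fromhex("828684be58086e6f2d6361636865")
    print(dec.decode(first))
    print(dec.decode(second))   # 0xbe refers to an entry added by the first block
```

Because the second block refers to index 62, a decoder that did not see the first block of the connection cannot decode it, so the security device has to keep one decoder state per connection from the start of that connection.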
In step S24, the security detection is performed on the request to be detected according to the security detection rule of HTTP1, so as to determine the security detection result of the client.
In this embodiment, after the target transmission request with the protocol type HTTP2 is reassembled, it is converted into a request to be detected with the protocol type HTTP1; if the initial protocol type of a transmission request is HTTP1, the transmission request does not need to be reassembled. Transmission requests whose initial protocol type is HTTP1 and requests to be detected that were converted to the protocol type HTTP1 can then be subjected to unified security detection using the security detection rules of HTTP1. Therefore, regardless of whether the client uses the HTTP1 or the HTTP2 protocol type, security detection can be performed on the requests sent by the client and a security detection result obtained. The security detection rules may be, for example, command injection detection, SQL injection detection, etc., or detection may be performed using a security detection tool for the OWASP (Open Web Application Security Project) Top 10, which contains 10 common, high-risk security detection rules. After security detection, a security detection result may be generated, which may include whether each transmission request or request to be detected is at risk and the type of risk present, e.g. that transmission request A is at risk of "sensitive data leakage".
After the transmission requests are subjected to security detection, the security detection result of each transmission request can be recorded in a log file, so that data calculation and statistics are facilitated. And the security detection result or the corresponding log file can be displayed to security personnel so that the security personnel can monitor the client.
In an exemplary embodiment, a malicious message may be identified and discarded prior to security detection of a request to be detected. Specifically, the method may include step S41 and step S42, as shown in fig. 4.
In step S41, when the end flag is not included in the target transmission request, the security device waits for the client to transmit another transmission request having the same flow identifier as the target transmission request, and records the waiting time.
If the current target transmission request does not contain the end mark, the stream corresponding to the target transmission request has not been completely sent, so it is necessary to wait for the client to continue sending requests. For example, when the current target transmission request is received, the time of reception may be recorded, a timer may be started from this time, and the waiting time may be recorded.
In step S42, when the waiting time exceeds a preset time limit, the target transmission request is discarded.
When a current target transmission request is received, the target transmission request needs to be stored, and if the waiting time exceeds a preset time limit, the target transmission request can be determined to be a malicious message and discarded. If the waiting time does not exceed the preset time limit, the next transmission request sent by the client is received, whether the transmission request contains an end mark is continuously determined, if not, the next transmission request is continuously waited, and the waiting time is updated until the transmission request which contains the end mark and is identical to the flow mark of the target transmission request is received. The preset time limit may be a default time period of the client, or may be a custom time period, for example, 30 seconds, 60 seconds, etc., which is not limited in this embodiment.
For example, if the target transmission request A1 does not include the end flag, waiting for the next transmission request identical to the flow id of A1, recording the waiting time T1, and discarding the target transmission request when no other transmission request with the flow id is received within the preset time limit; if the transmission request A2 of the flow identification is received within the preset time limit, judging whether the A2 contains an end mark, if the A2 does not contain the end mark, continuing waiting, and calculating the waiting time T2 again from the moment of receiving the A2 until the target transmission request containing the end mark is received within the preset time limit.
In an exemplary embodiment, the malicious message may also be determined by the number of bytes of the target transmission request. Specifically, the byte number of a frame with the entity data type in the request data and the target transmission request is calculated; if the number of bytes of the frame with the data type being the entity data is a preset value, the request data and the target transmission request can be discarded.
If the target transmission request contains the end mark, the other transmission requests with the same stream identifier are acquired according to the stream identifier of the target transmission request containing the end mark, so as to obtain the request data. The byte counts of the entity data frames in the request data and the target transmission request are then calculated; if the byte count of each entity data frame is a preset value, the request is determined to be a malicious message, and the request data and the target transmission request are discarded. The preset value may be the maximum value of the default stream requested by HTTP2, or may be another customized value, which is not limited in this embodiment. In other embodiments, malicious messages may be identified before security detection in other manners; for example, when the byte size of each frame of the entity data is smaller than a threshold, the corresponding target transmission request and request data may be confirmed as malicious messages and discarded.
In an exemplary embodiment, as shown in fig. 5, the security detection method may include steps S501 to S512.
In step S501, a transmission request is acquired; the transmission request between the current client and the server is sent to the security device through the switch. In step S502, the security device determines whether the current transmission request needs decryption; if decryption is required, step S503 is performed; if decryption is not required, step S504 is performed. In step S503, a key file on the server is obtained, and the current transmission request is decrypted to obtain a decrypted transmission request. In step S504, it is determined whether the protocol type of the transmission request is HTTP2; if yes, go to step S505; if not, step S506 is performed. In step S505, the transmission request with the protocol type HTTP2 is used as the target transmission request, and HPACK decompression is performed on the header data in the target transmission request to obtain decompressed header data. In step S507, it is determined whether the end identifier is included in the target transmission request; if so, step S508 is performed; if not, step S509 is performed. In step S509, the next target transmission request is waited for, and the waiting time is recorded. In step S510, it is determined whether the waiting time exceeds a preset time limit; if not, the flow returns to step S507 and loops until the target transmission request contains an end mark; if the waiting time exceeds the preset time limit, step S511 is performed. In step S511, the target transmission request is discarded.
In step S508, it is determined whether the byte counts of the entity data frames in the target transmission request and the request data satisfy the condition. First, the request data comprising a plurality of target transmission requests with the same stream identification is acquired; then the byte counts of the entity data frames of each transmission request in the request data and of the target transmission request are determined. If the byte counts of all the entity data frames are the same and equal to the preset value, the target transmission request meets the condition, and step S511 is executed to discard the target transmission request and the request data; that is, every transmission request with the same flow identification is deleted. If the byte counts of the entity data frames in the request data and the target transmission request differ from one another, the target transmission request does not satisfy the condition, and step S512 is performed. In step S512, the target transmission request and the request data are reassembled to obtain the request to be detected. In step S506, the security detection rule of HTTP1 is used to detect the request to be detected, and a detection log is generated and displayed.
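Steps S507 to S512 and S506 can be sketched as follows. This Python code is an added example, not code from the patent: the `Frame` model, the `StreamReassembler` class, the 30-second limit, the 16384-byte preset value, and the single detection rule are all assumptions, and the header fields are taken to be already HPACK-decoded as in step S505. It also refuses to convert header fields containing CR, LF or NUL, since those would change how the resulting HTTP1 text parses.

```python
# Added example: per-stream reassembly, timeout and size checks, HTTP1 conversion.
import re
from dataclasses import dataclass, field

END_STREAM = 0x1   # flag bit carried by the last frame of a stream


@dataclass
class Frame:
    stream_id: int
    type: str                                    # "HEADER" or "DATA", as in the text
    flags: int = 0
    headers: list = field(default_factory=list)  # fields already decoded (S505)
    payload: bytes = b""


def to_http1(frames):
    """S512: merge HEADER frames into a request head and DATA frames into a body."""
    fields = [h for f in frames if f.type == "HEADER" for h in f.headers]
    for name, value in fields:
        if any(c in name + value for c in "\r\n\0"):
            raise ValueError(f"control character in header field {name!r}")
    pseudo = {n: v for n, v in fields if n.startswith(":")}
    if ":method" not in pseudo or ":path" not in pseudo:
        raise ValueError("stream carries no request pseudo-headers")
    body = b"".join(f.payload for f in frames if f.type == "DATA")
    lines = [f"{pseudo[':method']} {pseudo[':path']} HTTP/1.1",
             f"Host: {pseudo.get(':authority', '')}"]
    lines += [f"{n}: {v}" for n, v in fields
              if not n.startswith(":") and n.lower() != "content-length"]
    lines.append(f"Content-Length: {len(body)}")   # length of the merged body
    head = "\r\n".join(lines).encode("latin-1", errors="replace")
    return head + b"\r\n\r\n" + body


class StreamReassembler:
    def __init__(self, time_limit=30.0, preset_data_len=16384):
        self.time_limit = time_limit            # assumed preset time limit (seconds)
        self.preset_data_len = preset_data_len  # assumed preset DATA frame size
        self.pending = {}                       # stream_id -> (frames, last_seen)

    def expire(self, now):
        """S510/S511: drop streams whose next frame did not arrive in time."""
        stale = [sid for sid, (_, seen) in self.pending.items()
                 if now - seen > self.time_limit]
        for sid in stale:
            del self.pending[sid]
        return stale

    def feed(self, frame, now):
        """Return (status, http1_request); status is pending, discarded or ready."""
        self.expire(now)
        frames, _ = self.pending.get(frame.stream_id, ([], now))
        frames.append(frame)
        if not frame.flags & END_STREAM:        # S507 -> S509: wait, restart timer
            self.pending[frame.stream_id] = (frames, now)
            return "pending", None
        self.pending.pop(frame.stream_id, None)
        sizes = [len(f.payload) for f in frames if f.type == "DATA"]
        if sizes and all(s == self.preset_data_len for s in sizes):
            return "discarded", None            # S508 -> S511
        try:
            return "ready", to_http1(frames)    # S512
        except ValueError:
            return "discarded", None            # e.g. tail of an expired stream


# Constructed HTTP1 rule standing in for the rule set applied in S506.
RULES = {"sql_injection": re.compile(rb"union\s+select", re.I)}


def detect(http1_request):
    return [name for name, rx in RULES.items() if rx.search(http1_request)]


if __name__ == "__main__":
    r = StreamReassembler()
    head = [(":method", "POST"), (":path", "/search"), (":authority", "shop.example")]
    # Constructed frames: the body is split across two DATA frames of stream 1.
    stream = [Frame(1, "HEADER", 0, head),
              Frame(1, "DATA", 0, payload=b"q=1 UNI"),
              Frame(1, "DATA", END_STREAM, payload=b"ON SELECT 1")]
    for t, frame in enumerate(stream):
        status, request = r.feed(frame, now=float(t))
    print(status, detect(request))
    print(request.decode("latin-1"))
```

Neither DATA frame matches the rule on its own; the match appears only on the merged HTTP1 body, which is why detection runs after reassembly.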
Fig. 6 shows an application scenario of the security detection method of the present disclosure. As shown in fig. 6, a user 61 and an attacker 62 may send transmission requests to a server through a network 63. An attacker may be understood as a client that sends a malicious attack. The router 64 may be used to distribute transmission requests A and B to the corresponding servers 65; when the router receives the transmission requests, they may also be split off to the security device 66. When the security device 66 receives transmission requests A and B, it processes them sequentially in the order of reception. The security device may include, for example, a decryption module 6601, an HTTP2 processing module 6602, and an attack detection module 6603. The decryption module 6601 is used for decrypting the transmission request. The HTTP2 processing module 6602 may be used to decompress the transmission request; it may also be used to pack the decompressed transmission request, i.e. to combine the frames contained in the transmission request. The attack detection module 6603 may be configured to perform security detection on the transmission request, determine whether a malicious attack exists in the transmission request, and generate a log based on the security detection result.
For example, transmission request A is processed first. Transmission request A is first decrypted by the decryption module; if transmission request A is an HTTP2 type request, it is decompressed by a decompression module; after decompression, the decompressed transmission request A is recombined by a packet assembly module and converted into an HTTP1 type request to be detected; if transmission request A is an HTTP1 type request, decompression and reorganization are not needed. Finally, security detection is performed on the request to be detected by the attack detection module 6603, and the security detection result is recorded as a log. The security detection result is displayed at the display module 67 for viewing by security personnel.
Further, the embodiment of the disclosure also provides a security detection device, which can be used for executing the security detection method disclosed above. Referring to fig. 7, a security detection device 70 provided by an embodiment of the present disclosure may include: a message receiving module 71, a request data obtaining module 72, a data converting module 73 and a security detecting module 74.
The message receiving module 71 is configured to perform beam splitting processing on the traffic between the client and the server, so as to obtain a transmission request sent by the client, and determine a protocol type of the transmission request.
A request data obtaining module 72, configured to extract a target transmission request with a protocol type of HTTP2 from the transmission requests, determine whether the target transmission request includes an end flag, and obtain request data from the transmission request when the target transmission request includes the end flag.
The data conversion module 73 is configured to reassemble the target transmission request and the request data, so as to convert the target transmission request into a request to be detected with a protocol type of HTTP 1.
The security detection module 74 is configured to perform security detection on the request to be detected according to the security detection rule of HTTP1, so as to determine a security detection result of the client.
In an exemplary embodiment of the present disclosure, the security detection device 70 may further include a data decryption module. The data decryption module may be configured to: when the transmission request is encrypted, a key file of the transmission request is obtained; decrypting the transmission request through the key file to determine the protocol type.
In an exemplary embodiment of the present disclosure, the security detection device 70 further includes a data decompression module. The data decompression module may be configured to: decompressing the header data of the target transmission request to obtain the header data of the request to be detected.
In an exemplary embodiment of the present disclosure, the data decompression module specifically includes an index table acquisition unit, and a field determination unit.
The index table acquisition unit is used for acquiring an index table associated with the compression rule of HTTP 2.
And the field determining unit is used for determining each field corresponding to the header data of the target transmission request through the index table so as to obtain the header data of the request to be detected.
In an exemplary embodiment of the present disclosure, the target transmission request includes a plurality of frames; the data conversion module specifically comprises an end mark detection unit and a data frame combination unit.
And the end mark detection unit is used for acquiring request data which are the same as the flow identification of the target transmission request from the transmission request when the target transmission request contains the end mark.
And the data frame combination unit is used for combining the frames contained in each transmission request in the request data and the frames contained in the target transmission request according to the data types corresponding to the frames to obtain the request to be detected.
In an exemplary embodiment of the present disclosure, the apparatus 70 further includes a timeout detection module, and a data discard module.
And the timeout detection module is used for waiting for the client to send other transmission requests with the same flow identification as the target transmission request when the target transmission request does not contain the ending mark, and recording the waiting time.
And the data discarding module is used for discarding the target transmission request when the waiting time exceeds a preset time limit.
In an exemplary embodiment of the present disclosure, the security detection device 70 further includes a byte count detection module, and a request discard module.
And the byte number detection module is used for calculating the byte number of the frame with the data type of entity data in the request data and the target transmission request.
And the request discarding module is used for discarding the request data and the target transmission request when the byte numbers of the frames with the data types being the entity data are all preset values.
Since each functional module of the security detection device according to the exemplary embodiment of the present disclosure corresponds to a step of the foregoing exemplary embodiment of the security detection method, for details not disclosed in the embodiment of the device of the present disclosure, please refer to the foregoing embodiment of the security detection method of the present disclosure.
Referring now to FIG. 8, there is illustrated a schematic diagram of a computer system 800 suitable for use in implementing an electronic device of an embodiment of the present disclosure. The computer system 800 of the electronic device shown in fig. 8 is merely an example and should not be construed to limit the functionality and scope of use of embodiments of the present disclosure in any way.
As shown in fig. 8, the computer system 800 includes a Central Processing Unit (CPU) 801 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 802 or a program loaded from a storage section 808 into a Random Access Memory (RAM) 803. In the RAM 803, various programs and data required for system operation are also stored. The CPU 1201, ROM 802, and RAM 803 are connected to each other through a bus 804. An input/output (I/O) interface 805 is also connected to the bus 804.
The following components are connected to the I/O interface 805: an input portion 806 including a keyboard, mouse, etc.; an output portion 807 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and a speaker; a storage section 808 including a hard disk or the like; and a communication section 809 including a network interface card such as a LAN card, a modem, or the like. The communication section 809 performs communication processing via a network such as the internet. The drive 810 is also connected to the I/O interface 805 as needed. A removable medium 811 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 810 as needed so that a computer program read out therefrom is mounted into the storage section 808 as needed.
In particular, according to embodiments of the present disclosure, the processes described above with reference to flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method shown in the flowcharts. In such an embodiment, the computer program may be downloaded and installed from a network via the communication section 809, and/or installed from the removable media 811. The above-described functions defined in the system of the present application are performed when the computer program is executed by a Central Processing Unit (CPU) 801.
It should be noted that the computer readable medium shown in the present disclosure may be a computer readable signal medium or a computer readable storage medium, or any combination of the two. The computer readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples of the computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this disclosure, a computer-readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present disclosure, however, the computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, with the computer-readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. 
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units involved in the embodiments of the present disclosure may be implemented by means of software, or may be implemented by means of hardware, and the described units may also be provided in a processor. Wherein the names of the units do not constitute a limitation of the units themselves in some cases.
As another aspect, the present application also provides a computer-readable medium that may be contained in the electronic device described in the above embodiment; or may exist alone without being incorporated into the electronic device. The computer-readable medium carries one or more programs which, when executed by the electronic device, cause the electronic device to implement the security detection method as described in the above embodiments.
For example, the electronic device may implement the method as shown in fig. 2: step S21, carrying out light splitting treatment on the flow between the client and the server to obtain a transmission request sent by the client, and determining the protocol type of the transmission request; step S22, extracting a target transmission request with a protocol type of HTTP2 from the transmission request, determining whether the target transmission request contains an end mark, and acquiring request data from the transmission request when the target transmission request contains the end mark; step S23, reorganizing the target transmission request and the request data to convert the target transmission request into a request to be detected with a protocol type of HTTP 1; and step S24, carrying out security detection on the request to be detected through a security detection rule of HTTP1 so as to determine a security detection result of the client.
As another example, the electronic device may implement the various steps shown in fig. 3-6.
It should be noted that although in the above detailed description several modules or units of a device for action execution are mentioned, such a division is not mandatory. Indeed, the features and functionality of two or more modules or units described above may be embodied in one module or unit in accordance with embodiments of the present disclosure. Conversely, the features and functions of one module or unit described above may be further divided into a plurality of modules or units to be embodied.
From the above description of embodiments, those skilled in the art will readily appreciate that the example embodiments described herein may be implemented in software, or may be implemented in software in combination with the necessary hardware. Thus, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (may be a CD-ROM, a U-disk, a mobile hard disk, etc.) or on a network, and includes several instructions to cause a computing device (may be a personal computer, a server, a touch terminal, or a network device, etc.) to perform the method according to the embodiments of the present disclosure.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This application is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.
It is to be understood that the present disclosure is not limited to the precise arrangements and instrumentalities shown in the drawings, and that various modifications and changes may be effected without departing from the scope thereof. The scope of the present disclosure is limited only by the appended claims.

Claims (14)

1. A security detection method for use with a security device, the method comprising:
acquiring a plurality of transmission requests and determining protocol types of the plurality of transmission requests; the plurality of transmission requests are obtained by copying the traffic sent by the client to the server;
extracting a target transmission request with a protocol type of HTTP2 from the plurality of transmission requests, determining whether the target transmission request contains an end flag, and, when the target transmission request contains the end flag, acquiring request data having the same stream identifier as the target transmission request from the transmission requests other than the target transmission request among the plurality of transmission requests; the stream identifier characterizes a stream used for transmitting a request with a protocol type of HTTP2 between the client and the server, and different streams correspond to different stream identifiers;
recombining the target transmission request and the request data to convert the target transmission request and the request data into a request to be detected with a protocol type of HTTP1;
performing security detection on the request to be detected through a security detection rule of HTTP1 to determine a security detection result of the transmission request with a protocol type of HTTP2 sent by the client;
wherein the target transmission request comprises a plurality of frames, and recombining the target transmission request and the request data to convert the target transmission request and the request data into a request to be detected with a protocol type of HTTP1 comprises:
combining the frames contained in each transmission request in the request data and the frames contained in the target transmission request according to the data types corresponding to the frames, to obtain the request to be detected.
2. The method of claim 1, wherein determining the protocol type of the transmission request comprises:
when the transmission request is encrypted, a key file of the transmission request is obtained;
decrypting the transmission request through the key file to determine the protocol type.
3. The method of claim 1, further comprising, prior to reassembling the target transmission request:
decompressing the header data of the target transmission request to obtain the header data of the request to be detected.
4. The method according to claim 3, wherein decompressing header data of the target transmission request comprises:
acquiring an index table associated with the compression rule of HTTP2;
and determining each field corresponding to the header data of the target transmission request through the index table so as to obtain the header data of the request to be detected.
5. The method as recited in claim 1, further comprising:
when the target transmission request does not contain an end flag, waiting for the client to send other transmission requests having the same stream identifier as the target transmission request, and recording the waiting time;
and discarding the target transmission request when the waiting time exceeds a preset time limit.
6. The method of claim 1, further comprising, prior to reorganizing the target transmission request and the request data:
calculating the byte count of each frame whose data type is entity data in the request data and the target transmission request;
and discarding the request data and the target transmission request when the byte counts of the frames whose data type is entity data are all equal to a preset value.
7. A security detection device for use with a security apparatus, the device comprising:
a message receiving module, configured to acquire a plurality of transmission requests and determine the protocol types of the plurality of transmission requests; the plurality of transmission requests are obtained by copying the traffic sent by the client to the server;
a request data acquisition module, configured to extract a target transmission request with a protocol type of HTTP2 from the plurality of transmission requests, determine whether the target transmission request contains an end flag, and, when the target transmission request contains the end flag, acquire request data having the same stream identifier as the target transmission request from the transmission requests other than the target transmission request among the plurality of transmission requests; the stream identifier characterizes a stream used for transmitting a request with a protocol type of HTTP2 between the client and the server, and different streams correspond to different stream identifiers;
a data conversion module, configured to reorganize the target transmission request and the request data to convert the target transmission request and the request data into a request to be detected with a protocol type of HTTP1;
a security detection module, configured to perform security detection on the request to be detected through the security detection rule of HTTP1 so as to determine the security detection result of the transmission request with the protocol type of HTTP2 sent by the client;
wherein the target transmission request comprises a plurality of frames, and the data conversion module comprises a data frame combination unit;
and the data frame combination unit is configured to combine the frames contained in each transmission request in the request data and the frames contained in the target transmission request according to the data types corresponding to the frames, to obtain the request to be detected.
8. The device of claim 7, wherein the security detection device further comprises a data decryption module;
the data decryption module is configured to acquire a key file of the transmission request when the transmission request is encrypted, and to decrypt the transmission request through the key file to determine the protocol type.
9. The device of claim 7, wherein the security detection device further comprises a data decompression module;
the data decompression module is configured to decompress the header data of the target transmission request to obtain the header data of the request to be detected.
10. The device according to claim 9, wherein the data decompression module specifically includes an index table acquisition unit and a field determination unit;
the index table acquisition unit is configured to acquire an index table associated with the compression rule of HTTP2;
the field determination unit is configured to determine, through the index table, each field corresponding to the header data of the target transmission request, so as to obtain the header data of the request to be detected.
11. The device of claim 7, wherein the security detection device further comprises a timeout detection module and a data discard module;
the timeout detection module is configured to, when the target transmission request does not contain an end flag, wait for the client to send other transmission requests having the same stream identifier as the target transmission request, and record the waiting time;
and the data discard module is configured to discard the target transmission request when the waiting time exceeds a preset time limit.
12. The device of claim 7, wherein the security detection device further comprises a byte count detection module and a request discard module;
the byte count detection module is configured to calculate the byte count of each frame whose data type is entity data in the request data and the target transmission request;
and the request discard module is configured to discard the request data and the target transmission request when the byte counts of the frames whose data type is entity data are all equal to a preset value.
13. An electronic device, comprising:
one or more processors;
storage means for storing one or more programs,
the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the security detection method of any of claims 1 to 6.
14. A computer readable medium on which a computer program is stored, characterized in that the computer program, when executed by a processor, implements the security detection method according to any one of claims 1 to 6.
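The conversion recited in claims 1, 4 and 5 (steps S22 to S24), as an added Python example that is not part of the patent text: frames are grouped by stream identifier, a stream is rebuilt as an HTTP/1.1 request once a frame carries the END_STREAM flag, and streams whose end flag has not arrived within the time limit are reported so the caller can discard them. The names `frames`, `hstr`, `decode_headers`, `convert`, `RULE` and `SAMPLE` are hypothetical, as is the detection rule. It assumes unpadded HEADERS frames without priority fields or CONTINUATION frames, header strings that are not Huffman-coded, and only the static part of the HPACK index table.

```python
import re
import struct

DATA, HEADERS, END_STREAM = 0x0, 0x1, 0x1
STATIC = {1: (":authority", ""), 2: (":method", "GET"), 3: (":method", "POST"),
          4: (":path", "/"), 6: (":scheme", "http"), 7: (":scheme", "https")}  # RFC 7541 subset
RULE = re.compile(rb"union\s+select|\.\./", re.I)  # hypothetical HTTP/1 rule
# Constructed capture: stream 1 ends with a DATA frame, stream 3 never ends.
SAMPLE = [(0.0, b"\x00\x00\x10\x01\x04\x00\x00\x00\x01\x83\x84\x87\x01\x0bexample.com"),
          (0.2, b"\x00\x00\x03\x01\x04\x00\x00\x00\x03\x82\x84\x87"),
          (0.4, b"\x00\x00\x13\x00\x01\x00\x00\x00\x01id=1 UNION SELECT 1")]

def frames(buf):  # yield (type, flags, stream_id, payload) for HEADERS and DATA
    pos = 0
    while pos + 9 <= len(buf):
        word, flags, sid = struct.unpack_from(">IBI", buf, pos)  # length:24 type:8
        body, pos = pos + 9, pos + 9 + (word >> 8)
        if word & 0xFF in (DATA, HEADERS):
            yield word & 0xFF, flags, sid & 0x7FFFFFFF, buf[body:pos]

def hstr(block, pos):  # HPACK string; assumes no Huffman coding, length < 127
    end = pos + 1 + block[pos]
    return block[pos + 1:end].decode(), end

def decode_headers(block):  # indexed fields and literals without indexing only
    out, pos = [], 0
    while pos < len(block):
        b, pos = block[pos], pos + 1
        if b & 0x80:                      # 1xxxxxxx: name and value from table
            out.append(STATIC[b & 0x7F])
        else:                             # 0000xxxx; unsupported bytes: KeyError
            name, pos = (STATIC[b][0], pos) if b else hstr(block, pos)
            value, pos = hstr(block, pos)
            out.append((name, value))
    return out

def convert(records, now, limit=5.0):  # records: (timestamp, bytes) pairs
    pending, done = {}, {}
    for ts, buf in records:
        for ftype, flags, sid, payload in frames(buf):
            s = pending.setdefault(sid, {"t": ts, HEADERS: b"", DATA: b""})
            s[ftype] += payload           # combine frames by data type
            if flags & END_STREAM:        # end flag seen: rebuild as HTTP/1.1
                hdrs = decode_headers(pending.pop(sid)[HEADERS])
                h = dict(hdrs)
                head = [f"{h[':method']} {h[':path']} HTTP/1.1", f"Host: {h[':authority']}"]
                head += [f"{k}: {v}" for k, v in hdrs if k[0] != ":"]
                done[sid] = "\r\n".join(head).encode() + b"\r\n\r\n" + s[DATA]
    flagged = sorted(sid for sid, req in done.items() if RULE.search(req))
    return done, flagged, [sid for sid, s in pending.items() if now - s["t"] > limit]
```

`convert(SAMPLE, now=10.0)` returns the rebuilt requests by stream, the stream identifiers whose rebuilt request matched the rule, and the stream identifiers that have waited longer than `limit` seconds without an end flag.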
CN202110003804.7A 2021-01-04 2021-01-04 Security detection method, security detection device, electronic device, and medium Active CN114726564B (en)

Publications (2)

Publication Number Publication Date
CN114726564A (en) 2022-07-08
CN114726564B (en) 2023-05-23

Family

ID=82233511

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant