CN114900360B - Method for detecting DoH flow in HTTPS flow - Google Patents
- Publication number: CN114900360B (application CN202210512158.1A)
- Authority: CN (China)
- Prior art keywords: doh, traffic, flow, https, public
- Legal status: Active (status as assumed by Google Patents, not a legal conclusion)
Classifications
(Under H: Electricity; H04: Electric communication technique; H04L: Transmission of digital information, e.g. telegraphic communication; H04L63/00: Network architectures or network communication protocols for network security; H04L63/14: detecting or protecting against malicious traffic. Y02D30/50 sits under Y02D: Climate change mitigation technologies in information and communication technologies.)
- H04L63/1408: Detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416: Event detection, e.g. attack signature detection
- H04L67/02: Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
- Y02D30/50: Reducing energy consumption in wire-line communication networks, e.g. low power modes or reduced link rate
Abstract
The invention belongs to the technical field of domain name resolution service and provides a method for detecting DoH traffic within HTTPS traffic. An IP address library corresponding to public DoH domain names is first established to identify public DoH traffic; DoH traffic to non-public addresses is then identified. The method relies on strong characteristics of the network packets themselves, looking for the points on which DoH data messages differ from ordinary HTTPS. Because identification relies on the network data messages rather than on known service addresses, the detection range is wide, more network scenarios are covered, and the false alarm rate is low.
Description
Technical Field
The invention belongs to the technical field of domain name resolution service, and particularly relates to a method for detecting DoH flow in HTTPS flow.
Background
In recent years, the domain name resolution service (DNS) protocol, which is implemented over UDP, has drawn increasing attention because of the security problems caused by its inherent weaknesses, and the demand for a secure and reliable domain name resolution service has grown accordingly. DoH (DNS-over-HTTPS) emerged to solve exactly this problem. Compared with conventional DNS, which suffers from two major security problems, hijacking of DNS data packets and cleartext transmission, DoH carries the domain name resolution data over the TCP-based HTTPS (HyperText Transfer Protocol over Secure Socket Layer) protocol, which resolves the stateless and cleartext transmission problems of the conventional protocol.
The popularity of DoH also makes it harder for full-traffic monitoring and detection devices to detect domain name resolution data. DoH is highly private, so existing full-traffic monitoring/detection devices cannot identify domain name resolution traffic within the full traffic. The prior art is greatly limited: it decides whether traffic is DoH by relying on the service addresses of public DoH services, so private DoH services cannot be screened.
Disclosure of Invention
The invention provides a method for detecting DoH flow in HTTPS flow, which aims to solve the problems existing in the prior art.
The invention is realized as a method for detecting DoH traffic in HTTPS traffic that comprises the following steps:
s1, establishing an IP address library corresponding to public DoH domain names, and identifying public DoH traffic;
s2, identifying DoH traffic of non-public addresses.
Preferably, identifying the DoH traffic of non-public addresses specifically includes:
a) Establishing a database corresponding to private DoH domain names, wherein the database stores the DoH data judged in step S2 to belong to non-public addresses;
b) Using the DoH database assets from step a, identifying private DoH traffic by the SNI field: if the SNI matches a domain name in the DoH domain name library, the traffic of that IP belongs to DoH traffic;
c) Using the DoH database assets from step a, checking the private DoH server certificate and storing its encryption mode and public key information; if the encryption mode and public key in the HTTPS traffic matched to a certain IP are the same, the traffic of that IP belongs to DoH traffic;
d) If the traffic uses the default DoH port 443, going to the first step to query whether the service is a public DoH service; if it is not found there (or the port is not 443), going to step e for judgment;
e) Request traffic characteristic per unit time: for request traffic whose Content-type field in the TLS protocol (within the HTTPS protocol) is 23 (application data), judging whether it is DoH traffic according to the following points:
the variance of the set of record lengths is smaller than a preset threshold;
the weighted average of the set of record lengths is smaller than a preset threshold;
traffic conforming to step e is judged to be DoH traffic, and its IP, certificate, SNI and similar information are stored in the database of step a;
f) Return traffic characteristic per unit time: for return traffic whose Content-type field in the TLS protocol (within the HTTPS protocol) is 23, judging whether it is DoH traffic according to the following points:
the variance of the set of record lengths is smaller than a preset threshold;
the weighted average of the set of record lengths is smaller than a preset threshold;
traffic conforming to step f is judged to be DoH traffic, and its IP, certificate, SNI and similar information are stored in the database of step a;
Traffic characteristic per unit time across sessions: for HTTPS traffic to the same destination IP whose Content-type field in the TLS protocol is 23, and across different TCP sessions, if the number of IPs whose data packet lengths differ from one another within the allowable error range exceeds a preset threshold, the destination IP is considered to be a DoH service, and its IP, certificate, SNI and similar information are stored in the database of step a.
Compared with the prior art, the invention has the following beneficial effects: the method identifies public DoH traffic by establishing an IP address library corresponding to public DoH domain names, and then identifies DoH traffic of non-public addresses; because identification relies on the network data messages, the detection range is wide, more network scenarios are covered, and the false alarm rate is low.
Drawings
FIG. 1 is a schematic flow chart of a method for detecting DoH traffic in HTTPS traffic according to the present invention;
Detailed Description
The present invention will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present invention more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
Referring to FIG. 1, the present invention provides the following technical solution: a method of detecting DoH traffic in HTTPS traffic, comprising the steps of:
s1, establishing an IP address library corresponding to public DoH domain names, and identifying public DoH traffic;
s2, identifying DoH traffic of non-public addresses;
specifically, identifying the DoH traffic of non-public addresses includes:
a) Establishing a database corresponding to private DoH domain names, wherein the database stores the DoH data judged in step S2 to belong to non-public addresses;
b) Using the DoH database assets from step a, identifying private DoH traffic by the SNI field: if the SNI matches a domain name in the DoH domain name library, the traffic of that IP belongs to DoH traffic;
c) Using the DoH database assets from step a, checking the private DoH server certificate and storing its encryption mode and public key information; if the encryption mode and public key in the HTTPS traffic matched to a certain IP are the same, the traffic of that IP belongs to DoH traffic;
d) If the traffic uses the default DoH port 443, going to the first step to query whether the service is a public DoH service; if it is not found there (or the port is not 443), going to step e for judgment;
e) Request traffic characteristic per unit time: for request traffic whose Content-type field in the TLS protocol (within the HTTPS protocol) is 23 (application data), judging whether it is DoH traffic according to the following points:
the variance of the set of record lengths is smaller than a preset threshold;
the weighted average of the set of record lengths is smaller than a preset threshold;
traffic conforming to step e is judged to be DoH traffic, and its IP, certificate, SNI and similar information are stored in the database of step a;
f) Return traffic characteristic per unit time: for return traffic whose Content-type field in the TLS protocol (within the HTTPS protocol) is 23, judging whether it is DoH traffic according to the following points:
the variance of the set of record lengths is smaller than a preset threshold;
the weighted average of the set of record lengths is smaller than a preset threshold;
traffic conforming to step f is judged to be DoH traffic, and its IP, certificate, SNI and similar information are stored in the database of step a;
Traffic characteristic per unit time across sessions: for HTTPS traffic to the same destination IP whose Content-type field in the TLS protocol is 23, and across different TCP sessions, if the number of IPs whose data packet lengths differ from one another within the allowable error range exceeds a preset threshold, the destination IP is considered to be a DoH service, and its IP, certificate, SNI and similar information are stored in the database of step a.
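The procedure above, as an added worked example that is not part of the patent: a toy Python detector that applies steps s1, a to f and the cross-session check to constructed sample flows. The thresholds (variance 400, weighted average 300 bytes, length tolerance 16 bytes, more than 3 clients), the occurrence-count weighting of the length average, and the sample IPs, SNIs and key fingerprints are all assumptions.

```python
"""Toy DoH detector following the patent's steps s1, a-f and the cross-session check.
Added illustration, not the patent's code: thresholds, weighting and sample flows are assumed."""
from collections import Counter, namedtuple
from statistics import median, pvariance

TLS_APPLICATION_DATA = 23  # TLS record content-type 23 = application_data
# request_records / response_records: (content_type, length) pairs seen in one unit of time
Flow = namedtuple("Flow", "src_ip dst_ip dst_port sni pubkey_fp request_records response_records")

def new_database(public_ips=()):
    """Step s1 (public DoH IP library) plus the step-a private DoH database."""
    return {"public_ips": set(public_ips), "private_domains": set(), "private_pubkeys": set()}

def app_data_lengths(records):
    # Keep only TLS records whose content type is 23 (application data).
    return [n for ctype, n in records if ctype == TLS_APPLICATION_DATA]

def lengths_are_doh_like(lengths, var_threshold=400.0, avg_threshold=300.0):
    """Steps e/f: variance and weighted average of record lengths both below preset
    thresholds. Weighting by occurrence count is an assumption (the patent leaves it open)."""
    if len(lengths) < 2:
        return False
    counts = Counter(lengths)
    weighted_avg = sum(n * c for n, c in counts.items()) / sum(counts.values())
    return pvariance(lengths) < var_threshold and weighted_avg < avg_threshold

def classify_flow(flow, db):
    """Return 'public-doh', 'private-doh' or 'other'; a newly found private server is
    written back to the step-a database (its SNI and certificate public key)."""
    if flow.dst_port == 443 and flow.dst_ip in db["public_ips"]:       # steps s1/d
        return "public-doh"
    if flow.sni in db["private_domains"] or flow.pubkey_fp in db["private_pubkeys"]:
        return "private-doh"                                           # steps b/c
    req_ok = lengths_are_doh_like(app_data_lengths(flow.request_records))    # step e
    resp_ok = lengths_are_doh_like(app_data_lengths(flow.response_records))  # step f
    if req_ok or resp_ok:
        db["private_domains"].add(flow.sni)
        db["private_pubkeys"].add(flow.pubkey_fp)
        return "private-doh"
    return "other"

def cross_session_doh_servers(flows, tolerance=16, min_clients=3):
    """Final step: destination IPs where more than min_clients distinct source IPs
    (separate TCP sessions) send requests whose typical length agrees within tolerance."""
    by_dst = {}
    for f in flows:
        lengths = app_data_lengths(f.request_records)
        if lengths:
            by_dst.setdefault(f.dst_ip, []).append((f.src_ip, median(lengths)))
    hits = set()
    for dst, clients in by_dst.items():
        for _, ref in clients:
            agreeing = {src for src, m in clients if abs(m - ref) <= tolerance}
            if len(agreeing) > min_clients:   # "exceeds a preset threshold"
                hits.add(dst)
                break
    return hits

# Constructed sample traffic (documentation address ranges, made-up SNIs and fingerprints):
# four clients querying one private DoH server, plus one ordinary web flow.
SAMPLE_FLOWS = [
    Flow("192.0.2.%d" % i, "198.51.100.7", 443, "dns.internal.example", "fp-priv-1",
         [(23, 110 + i), (23, 112), (23, 115), (23, 111)], [(23, 150), (23, 162), (23, 155)])
    for i in range(1, 5)
] + [Flow("192.0.2.9", "198.51.100.20", 443, "www.example.com", "fp-web-1",
          [(23, 517), (23, 1400), (23, 2000), (23, 60)], [(23, 1400), (23, 1400), (23, 300)])]
```

Handshake records (content type 22) are ignored by `app_data_lengths`, so a flow that carries no application data in the observation window is never classified by the length heuristics.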
In summary, the method for detecting DoH traffic in HTTPS traffic identifies public DoH traffic by establishing an IP address library corresponding to public DoH domain names, and then identifies DoH traffic of non-public addresses; because identification relies on the network data messages, the detection range is wide, more network scenarios are covered, and the false alarm rate is low.
The foregoing description of the preferred embodiments of the invention is not intended to be limiting, but rather is intended to cover all modifications, equivalents, and alternatives falling within the spirit and principles of the invention.
Claims (1)
1. A method for detecting DoH traffic in HTTPS traffic, comprising the following steps:
s1, establishing an IP address library corresponding to public DoH domain names, and identifying public DoH traffic;
s2, identifying DoH traffic of non-public addresses; identifying the DoH traffic of non-public addresses specifically comprises the following steps:
a) Establishing a database corresponding to private DoH domain names, wherein the database stores the DoH data judged in step S2 to belong to non-public addresses;
b) Using the DoH database assets from step a, identifying private DoH traffic by the SNI field: if the SNI matches a domain name in the DoH domain name library, the traffic belongs to DoH traffic;
c) Using the DoH database assets from step a, checking the private DoH server certificate and storing its encryption mode and public key information; if the encryption mode and public key in the HTTPS traffic matched to a certain IP are the same, the traffic of that IP belongs to DoH traffic;
d) If the traffic uses the default DoH port 443, going to the first step to query whether the service is a public DoH service; if it is not found there or the port is not 443, going to step e for judgment;
e) Request traffic characteristic per unit time: for request traffic whose Content-type field in the TLS protocol (within the HTTPS protocol) is 23, judging whether it is DoH traffic according to the following points:
the variance of the set of record lengths is smaller than a preset threshold;
the weighted average of the set of record lengths is smaller than a preset threshold;
traffic conforming to step e is judged to be DoH traffic, and its IP, certificate and SNI information are stored in the database of step a;
f) Return traffic characteristic per unit time: for return traffic whose Content-type field in the TLS protocol (within the HTTPS protocol) is 23, judging whether it is DoH traffic according to the following points:
the variance of the set of record lengths is smaller than a preset threshold;
the weighted average of the set of record lengths is smaller than a preset threshold;
traffic conforming to step f is judged to be DoH traffic, and its IP, certificate and SNI information are stored in the database of step a;
Traffic characteristic per unit time across sessions: for HTTPS traffic to the same destination IP whose Content-type field in the TLS protocol is 23, and on the premise of different TCP sessions, if the number of IPs whose data packet lengths differ from one another within the allowable error range exceeds a preset threshold, the destination IP is considered to be a DoH service, and its IP, certificate and SNI information are stored in the database of step a.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210512158.1A CN114900360B (en) | 2022-05-12 | 2022-05-12 | Method for detecting DoH flow in HTTPS flow |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114900360A CN114900360A (en) | 2022-08-12 |
CN114900360B true CN114900360B (en) | 2023-09-22 |
Family ID: 82721918
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110113349A (en) * | 2019-05-15 | 2019-08-09 | 北京工业大学 | A kind of malice encryption traffic characteristics analysis method |
CN110290188A (en) * | 2019-06-13 | 2019-09-27 | 四川大学 | A kind of HTTPS stream service online identification method suitable for large-scale network environment |
CN110913036A (en) * | 2019-12-01 | 2020-03-24 | 杭州云缔盟科技有限公司 | Method for identifying terminal position based on authoritative DNS |
CN113395367A (en) * | 2020-03-13 | 2021-09-14 | 中国移动通信集团山东有限公司 | HTTPS service identification method and device, storage medium and electronic equipment |
CN113438332A (en) * | 2021-05-21 | 2021-09-24 | 中国科学院信息工程研究所 | DoH service identification method and device |
CN113923042A (en) * | 2021-10-26 | 2022-01-11 | 南京邮电大学 | Malicious software abuse DoH detection and identification system and method |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10164846B2 (en) * | 2014-03-28 | 2018-12-25 | Fortinet, Inc. | Network flow analysis |
- 2022-05-12: CN application CN202210512158.1A filed, patent CN114900360B, status Active
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |