CN114900360B - Method for detecting DoH flow in HTTPS flow - Google Patents

Method for detecting DoH flow in HTTPS flow

Info

Publication number
CN114900360B
Authority
CN
China
Prior art keywords
doh
traffic
flow
https
public
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210512158.1A
Other languages
Chinese (zh)
Other versions
CN114900360A (en)
Inventor
秦志鹏
朱杰
刘泳锐
李华
杨朝晖
陈解元
范广
吕志梅
王鹏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanxi Branch Of National Computer Network And Information Security Management Center
Original Assignee
Shanxi Branch Of National Computer Network And Information Security Management Center
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.) 2022-05-12
Filing date 2022-05-12
Publication date 2023-09-22
Application filed by Shanxi Branch Of National Computer Network And Information Security Management Center
Priority to CN202210512158.1A
Publication of CN114900360A
Application granted
Publication of CN114900360B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 30/00 Reducing energy consumption in communication networks
    • Y02D 30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The invention belongs to the technical field of domain name resolution services and provides a method for detecting DoH traffic within HTTPS traffic. An IP address library corresponding to the public DoH domain names is first built and used to identify public DoH traffic; DoH traffic to non-public addresses is then identified. The method exploits strong features of the network packets to find the points at which DoH differs from ordinary HTTPS traffic. Because identification relies only on the network packets themselves, the detection range is wide, more network scenarios are covered, and the false alarm rate is low.

Description

Method for detecting DoH flow in HTTPS flow
Technical Field
The invention belongs to the technical field of domain name resolution services and in particular relates to a method for detecting DoH traffic within HTTPS traffic.
Background
In recent years the security weaknesses inherent in the UDP-based Domain Name System (DNS) protocol have drawn increasing attention, and demand for a secure and reliable domain name resolution service has grown accordingly. DoH (DNS over HTTPS) was introduced precisely to address this. Compared with conventional DNS, which suffers from two major security problems, hijacking of DNS packets and transmission in clear text, DoH carries the resolution traffic over the TCP-based HTTPS protocol (HTTP over TLS), which resolves the stateless, clear-text nature of the conventional protocol.
The spread of DoH in turn makes it harder for full-traffic monitoring and detection devices to see domain name resolution traffic. Because DoH is designed to conceal its queries, existing full-traffic monitoring and detection devices cannot pick out domain name resolution traffic from the overall traffic. The prior art is severely limited: it identifies DoH traffic by matching against the service addresses of public DoH providers, so privately operated DoH services cannot be screened.
Disclosure of Invention
The invention provides a method for detecting DoH traffic within HTTPS traffic which aims to solve the problems existing in the prior art.
The invention is realised as a method for detecting DoH traffic within HTTPS traffic that comprises the following steps:
S1, establishing an IP address library corresponding to the public DoH domain names, and identifying public DoH traffic by it;
S2, identifying DoH traffic to non-public addresses.
Preferably, identifying the DoH traffic to non-public addresses specifically includes:
a) Establishing a database of private DoH servers, which stores the DoH records (IP address, certificate and SNI) that step S2 judges to belong to non-public addresses;
b) Using the database assets of step a, identifying private DoH traffic by the SNI field: if the SNI matches a domain name in the DoH domain name library, the traffic to that IP is DoH traffic;
c) Using the database assets of step a, checking the private DoH server certificate and storing its encryption mode and public key information; if the HTTPS traffic to a certain IP presents the same encryption mode and public key, the traffic to that IP is DoH traffic;
d) If the traffic uses the default DoH port 443, returning to step S1 to look the server up in the public DoH library; if it is not found there, or if the traffic is not on port 443, proceeding to step e;
e) Request-direction traffic features per unit time: for the TLS records inside the HTTPS traffic whose content type field is 23 (application_data), judging whether the traffic is DoH according to the following points:
the variance of the set of record lengths is smaller than a preset threshold;
the weighted average of the set of record lengths is smaller than a preset threshold;
traffic satisfying step e is judged to be DoH traffic, and its IP, certificate, SNI and similar information are stored in the database of step a;
f) Response-direction traffic features per unit time: again for the TLS records whose content type field is 23, judging whether the traffic is DoH according to the following points:
the variance of the set of record lengths is smaller than a preset threshold;
the weighted average of the set of record lengths is smaller than a preset threshold;
traffic satisfying step f is judged to be DoH traffic, and its IP, certificate, SNI and similar information are stored in the database of step a;
Cross-session features per unit time: among the HTTPS traffic to the same destination IP whose TLS content type field is 23, and which belongs to different TCP sessions, if the number of client IPs whose packet lengths differ from one another by no more than the allowable error exceeds a preset threshold, the destination IP is judged to be a DoH service, and its IP, certificate, SNI and similar information are stored in the database of step a.
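Steps b, c, e and f above depend only on what a passive observer can read off the wire without decrypting anything: the SNI in the ClientHello, the server certificate, and the length of each TLS record whose content type is 23 (application_data). As an added example, not code from the patent or its assignee, the following Python extracts the first and the last of those from one direction of a TCP stream. The byte string it parses is constructed here for the example: a ClientHello trimmed to a single server_name extension, three application_data records of similar size, and a record header whose body is missing, as happens when a capture window ends mid-record; the resolver name in it is a placeholder.

```python
"""Added example: pull the SNI and the application_data record lengths out of
one direction of a TLS stream. The sample bytes are constructed for this
example; the ClientHello is trimmed to an SNI extension only."""
import struct
from typing import Iterator, List, Optional, Tuple

TLS_HANDSHAKE = 22          # record content type: handshake
TLS_APPLICATION_DATA = 23   # record content type: application_data
HS_CLIENT_HELLO = 1         # handshake message type
EXT_SERVER_NAME = 0         # RFC 6066 server_name extension

def iter_records(stream: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (content_type, payload) for every complete TLS record in the
    stream. A record cut off at the end of the capture is dropped."""
    off = 0
    while off + 5 <= len(stream):
        ctype, _version, length = struct.unpack("!BHH", stream[off:off + 5])
        if off + 5 + length > len(stream):
            break
        yield ctype, stream[off + 5:off + 5 + length]
        off += 5 + length

def parse_sni(msg: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello handshake message, or None if
    the message is not a ClientHello, carries no SNI, or is malformed."""
    try:
        if msg[0] != HS_CLIENT_HELLO:
            return None
        p = 4 + 2 + 32                                   # type+len, legacy_version, random
        p += 1 + msg[p]                                  # session id
        p += 2 + struct.unpack("!H", msg[p:p + 2])[0]    # cipher suites
        p += 1 + msg[p]                                  # compression methods
        ext_len = struct.unpack("!H", msg[p:p + 2])[0]
        p += 2
        end = p + ext_len
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", msg[p:p + 4])
            p += 4
            if etype == EXT_SERVER_NAME:
                q = p + 2                                # skip ServerNameList length
                while q + 3 <= p + elen:
                    ntype = msg[q]
                    nlen = struct.unpack("!H", msg[q + 1:q + 3])[0]
                    if ntype == 0:                       # name_type host_name
                        return msg[q + 3:q + 3 + nlen].decode("ascii")
                    q += 3 + nlen
            p += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None

def extract_features(stream: bytes) -> Tuple[Optional[str], List[int]]:
    """(sni, [application_data record lengths]) for one direction of a flow."""
    sni: Optional[str] = None
    app_lens: List[int] = []
    for ctype, payload in iter_records(stream):
        if ctype == TLS_HANDSHAKE and sni is None:
            sni = parse_sni(payload)
        elif ctype == TLS_APPLICATION_DATA:
            app_lens.append(len(payload))
    return sni, app_lens

def build_client_hello(host: str) -> bytes:
    """Constructed minimal ClientHello with only an SNI extension, wrapped in
    a TLS record. Enough to exercise the parser; not a usable handshake."""
    name = host.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    ext_body = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", EXT_SERVER_NAME, len(ext_body)) + ext_body
    body = (b"\x03\x03" + b"\x00" * 32        # legacy_version, random
            + b"\x00"                          # empty session id
            + b"\x00\x02\x13\x01"              # one cipher suite
            + b"\x01\x00"                      # null compression only
            + struct.pack("!H", len(ext)) + ext)
    hs = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(hs)) + hs

def app_record(n: int) -> bytes:
    """Constructed application_data record with an n-byte opaque payload."""
    return struct.pack("!BHH", TLS_APPLICATION_DATA, 0x0303, n) + b"\x00" * n

# Constructed sample stream: ClientHello for a placeholder resolver name, three
# similarly sized application_data records, then a record header with no body.
SAMPLE_STREAM = (build_client_hello("doh.example.net")
                 + app_record(137) + app_record(141) + app_record(139)
                 + b"\x17\x03\x03\x00\x80")

if __name__ == "__main__":
    print(extract_features(SAMPLE_STREAM))   # ('doh.example.net', [137, 141, 139])
```

The record lengths this returns are the input to the variance and weighted-average tests of steps e and f. Step c's certificate check can be done the same way on the Certificate handshake message in TLS 1.2, but in TLS 1.3 that message is encrypted, so a passive observer only gets the certificate by connecting to the server itself; the patent does not say how the certificate is obtained.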
Compared with the prior art, the invention has the following beneficial effects: in this method for detecting DoH traffic within HTTPS traffic, public DoH traffic is identified by establishing an IP address library corresponding to the public DoH domain names, and DoH traffic to non-public addresses is then identified; because identification relies on the network packets themselves, the detection range is wide, more network scenarios are covered, and the false alarm rate is low.
Drawings
FIG. 1 is a schematic flow chart of a method for detecting DoH traffic in HTTPS traffic according to the present invention;
Detailed Description
The present invention will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present invention more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
Referring to FIG. 1, the invention provides the following technical solution: a method of detecting DoH traffic within HTTPS traffic, comprising the steps of:
S1, establishing an IP address library corresponding to the public DoH domain names, and identifying public DoH traffic by it;
S2, identifying DoH traffic to non-public addresses;
specifically, identifying the DoH traffic to non-public addresses includes:
a) Establishing a database of private DoH servers, which stores the DoH records (IP address, certificate and SNI) that step S2 judges to belong to non-public addresses;
b) Using the database assets of step a, identifying private DoH traffic by the SNI field: if the SNI matches a domain name in the DoH domain name library, the traffic to that IP is DoH traffic;
c) Using the database assets of step a, checking the private DoH server certificate and storing its encryption mode and public key information; if the HTTPS traffic to a certain IP presents the same encryption mode and public key, the traffic to that IP is DoH traffic;
d) If the traffic uses the default DoH port 443, returning to step S1 to look the server up in the public DoH library; if it is not found there, or if the traffic is not on port 443, proceeding to step e;
e) Request-direction traffic features per unit time: for the TLS records inside the HTTPS traffic whose content type field is 23 (application_data), judging whether the traffic is DoH according to the following points:
the variance of the set of record lengths is smaller than a preset threshold;
the weighted average of the set of record lengths is smaller than a preset threshold;
traffic satisfying step e is judged to be DoH traffic, and its IP, certificate, SNI and similar information are stored in the database of step a;
f) Response-direction traffic features per unit time: again for the TLS records whose content type field is 23, judging whether the traffic is DoH according to the following points:
the variance of the set of record lengths is smaller than a preset threshold;
the weighted average of the set of record lengths is smaller than a preset threshold;
traffic satisfying step f is judged to be DoH traffic, and its IP, certificate, SNI and similar information are stored in the database of step a;
Cross-session features per unit time: among the HTTPS traffic to the same destination IP whose TLS content type field is 23, and which belongs to different TCP sessions, if the number of client IPs whose packet lengths differ from one another by no more than the allowable error exceeds a preset threshold, the destination IP is judged to be a DoH service, and its IP, certificate, SNI and similar information are stored in the database of step a.
In summary, in this method for detecting DoH traffic within HTTPS traffic, public DoH traffic is identified by establishing an IP address library corresponding to the public DoH domain names, and DoH traffic to non-public addresses is then identified; because identification relies on the network packets themselves, the detection range is wide, more network scenarios are covered, and the false alarm rate is low.
The foregoing description of the preferred embodiments of the invention is not intended to be limiting, but rather is intended to cover all modifications, equivalents, and alternatives falling within the spirit and principles of the invention.
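The detection chain set out in steps S1 and S2 a) to f) and the final cross-session check, as stated in the Disclosure and again in the Detailed Description, put into running code. This is an added example and not the patent's own implementation. Everything the patent leaves open is an assumption chosen here: the per-connection feature record, the threshold values (the patent only calls them "preset"), the reading of "weighted average" as a frequency-weighted mean over the distinct record lengths, the shape of the stored certificate key (encryption mode plus a public-key fingerprint), a minimum record count before the variance test is applied, and every address, name and fingerprint in the sample flows. The length lists are the sizes of TLS application_data records (content type 23) seen in one direction within the measurement window. The example also covers two cases the text implies but does not spell out: a flow that fails the request-side test but passes the response-side one, and a server whose individual sessions are too short for steps e and f and is caught only by the cross-session check.

```python
# Added example (not the patent's code): the S1/S2 decision chain of CN114900360B
# run over pre-extracted per-connection features. Thresholds, the feature layout
# and every sample address, name and fingerprint below are assumptions.
from dataclasses import dataclass, field
from statistics import fmean, median, pvariance
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class Flow:
    src: str                             # client IP
    dst: str                             # server IP
    sni: Optional[str]                   # ClientHello server_name, None if absent
    cert_key: Optional[Tuple[str, str]]  # (encryption mode, public-key fingerprint), assumed shape
    req_lens: List[int]                  # type-23 record lengths, client -> server, one window
    resp_lens: List[int]                 # type-23 record lengths, server -> client, one window

@dataclass(frozen=True)
class Thresholds:                        # the patent only says "preset"; these values are assumed
    max_variance: float = 400.0
    max_weighted_mean: float = 512.0
    min_records: int = 3                 # a variance over fewer records says nothing
    length_tolerance: int = 8            # "allowable error" of the cross-session check
    min_peer_ips: int = 3

@dataclass
class DohDatabase:
    public_ips: Set[str]                 # S1: addresses resolved from public DoH domain names
    private_ips: Set[str] = field(default_factory=set)            # step a
    private_domains: Set[str] = field(default_factory=set)
    private_certs: Set[Tuple[str, str]] = field(default_factory=set)

    def record(self, f: Flow) -> None:
        """Steps e/f: store IP, SNI and certificate of traffic judged private DoH."""
        self.private_ips.add(f.dst)
        if f.sni:
            self.private_domains.add(f.sni)
        if f.cert_key:
            self.private_certs.add(f.cert_key)

def length_stats_match(lens: List[int], thr: Thresholds) -> bool:
    """The two conditions of steps e and f on one direction's record lengths. The
    "weighted average" is read as the frequency-weighted mean over distinct lengths,
    which is the plain mean of the list (assumed reading)."""
    if len(lens) < thr.min_records:
        return False
    return pvariance(lens) < thr.max_variance and fmean(lens) < thr.max_weighted_mean

def classify_flow(f: Flow, db: DohDatabase, thr: Thresholds) -> Optional[str]:
    """Name of the step that matched, or None. Updates db as steps e/f prescribe."""
    if f.dst in db.public_ips:                          # S1 (and the lookup of step d)
        return "public"
    if f.sni and f.sni in db.private_domains:           # step b
        db.record(f)
        return "sni"
    if f.cert_key and f.cert_key in db.private_certs:   # step c
        db.record(f)
        return "cert"
    # step d: not in the public library (or not on port 443) -> steps e then f
    for lens, label in ((f.req_lens, "request-stats"), (f.resp_lens, "response-stats")):
        if length_stats_match(lens, thr):
            db.record(f)
            return label
    return None

def cross_session_check(flows: List[Flow], db: DohDatabase, thr: Thresholds) -> Set[str]:
    """Final check: a destination to which more than min_peer_ips clients, in separate
    TCP sessions, send similarly sized type-23 records is judged to be a DoH server."""
    reps: Dict[str, List[Tuple[str, float]]] = {}
    for f in flows:
        if f.req_lens and f.dst not in db.public_ips:
            reps.setdefault(f.dst, []).append((f.src, median(f.req_lens)))
    hits: Set[str] = set()
    for dst, pairs in reps.items():
        for _, anchor in pairs:
            peers = {src for src, m in pairs if abs(m - anchor) <= thr.length_tolerance}
            if len(peers) > thr.min_peer_ips:
                hits.add(dst)
                break
    return hits

THRESHOLDS = Thresholds()
CORP_CERT = ("ecdsa-with-SHA256", "aa11")        # constructed
UNKNOWN_CERT = ("rsa-pss-rsae-sha256", "bb22")   # constructed
# Constructed sample flows: TEST-NET addresses, placeholder names. The last four are
# single-record sessions from different clients to one unknown server.
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "203.0.113.10", "dns.public.example", None, [130], [200]),
    Flow("192.0.2.11", "198.51.100.5", "doh.corp.example", CORP_CERT, [120], [210]),
    Flow("192.0.2.12", "198.51.100.7", None, UNKNOWN_CERT, [137, 141, 139, 138], [220, 410, 230]),
    Flow("192.0.2.13", "198.51.100.7", None, UNKNOWN_CERT, [140, 136], [225]),
    Flow("192.0.2.14", "198.51.100.20", None, None, [90, 600, 95], [160, 168, 164]),
    Flow("192.0.2.15", "198.51.100.8", "www.example", None, [60, 800, 4500], [1200, 16384, 16384]),
] + [Flow(f"192.0.2.{20 + i}", "198.51.100.9", None, None, [n], [205])
     for i, n in enumerate((130, 132, 131, 134))]

def run_example() -> Tuple[List[Optional[str]], Set[str]]:
    db = DohDatabase(public_ips={"203.0.113.10"}, private_domains={"doh.corp.example"})
    labels = [classify_flow(f, db, THRESHOLDS) for f in SAMPLE_FLOWS]  # order matters: e/f feed b/c
    return labels, cross_session_check(SAMPLE_FLOWS, db, THRESHOLDS)
```

The order in which flows are classified matters: a match in step e or f writes the server's IP, SNI and certificate into the step a database, so the second connection to 198.51.100.7, which offers no SNI, is caught in step c by its certificate alone. The four one-record sessions to 198.51.100.9 are invisible to steps e and f individually and are only flagged by the cross-session check.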

Claims (1)

1. A method for detecting DoH traffic in HTTPS traffic, characterised in that the method comprises the following steps:
S1, establishing an IP address library corresponding to the public DoH domain names, and identifying public DoH traffic by it;
S2, identifying DoH traffic to non-public addresses; identifying the DoH traffic to non-public addresses specifically comprises the following steps:
a) Establishing a database of private DoH servers, which stores the DoH records that step S2 judges to belong to non-public addresses;
b) Using the database assets of step a, identifying private DoH traffic by the SNI field: if the SNI matches a domain name in the DoH domain name library, the traffic is DoH traffic;
c) Using the database assets of step a, checking the private DoH server certificate and storing its encryption mode and public key information; if the HTTPS traffic to a certain IP presents the same encryption mode and public key, the traffic to that IP is DoH traffic;
d) If the traffic uses the default DoH port 443, returning to step S1 to look the server up in the public DoH library; if it is not found there, or if the traffic is not on port 443, proceeding to step e;
e) Request-direction traffic features per unit time: for the TLS records inside the HTTPS traffic whose content type field is 23 (application_data), judging whether the traffic is DoH according to the following points:
the variance of the set of record lengths is smaller than a preset threshold;
the weighted average of the set of record lengths is smaller than a preset threshold;
traffic satisfying step e is judged to be DoH traffic, and its IP, certificate and SNI information are stored in the database of step a;
f) Response-direction traffic features per unit time: again for the TLS records whose content type field is 23, judging whether the traffic is DoH according to the following points:
the variance of the set of record lengths is smaller than a preset threshold;
the weighted average of the set of record lengths is smaller than a preset threshold;
traffic satisfying step f is judged to be DoH traffic, and its IP, certificate and SNI information are stored in the database of step a;
Cross-session features per unit time: among the HTTPS traffic to the same destination IP whose TLS content type field is 23, and which belongs to different TCP sessions, if the number of client IPs whose packet lengths differ from one another by no more than the allowable error exceeds a preset threshold, the destination IP is judged to be a DoH service, and its IP, certificate and SNI information are stored in the database of step a.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210512158.1A CN114900360B (en) 2022-05-12 2022-05-12 Method for detecting DoH flow in HTTPS flow

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210512158.1A CN114900360B (en) 2022-05-12 2022-05-12 Method for detecting DoH flow in HTTPS flow

Publications (2)

Publication Number Publication Date
CN114900360A CN114900360A (en) 2022-08-12
CN114900360B true CN114900360B (en) 2023-09-22

Family

Family ID: 82721918

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210512158.1A Active CN114900360B (en) 2022-05-12 2022-05-12 Method for detecting DoH flow in HTTPS flow

Country Status (1)

Country Link
CN (1) CN114900360B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110113349A (en) * 2019-05-15 2019-08-09 北京工业大学 Malicious encrypted traffic feature analysis method
CN110290188A (en) * 2019-06-13 2019-09-27 四川大学 Online identification method for HTTPS stream services in large-scale network environments
CN110913036A (en) * 2019-12-01 2020-03-24 杭州云缔盟科技有限公司 Method for identifying terminal position based on authoritative DNS
CN113395367A (en) * 2020-03-13 2021-09-14 中国移动通信集团山东有限公司 HTTPS service identification method and device, storage medium and electronic equipment
CN113438332A (en) * 2021-05-21 2021-09-24 中国科学院信息工程研究所 DoH service identification method and device
CN113923042A (en) * 2021-10-26 2022-01-11 南京邮电大学 System and method for detecting and identifying abuse of DoH by malware

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10164846B2 (en) * 2014-03-28 2018-12-25 Fortinet, Inc. Network flow analysis

Also Published As

Publication number Publication date
CN114900360A (en) 2022-08-12

Similar Documents

Publication Publication Date Title
CN107404465B (en) Network data analysis method and server
US7672283B1 (en) Detecting unauthorized wireless devices in a network
CN109587179B (en) SSH (Single sign indicating) protocol behavior pattern recognition and alarm method based on bypass network full flow
CN107124434B (en) Method and system for discovering DNS malicious attack traffic
KR101088852B1 (en) System for detecting toll fraud attack for internet telephone and method for the same
CN113098878B (en) Industrial Internet intrusion detection method based on support vector machine and implementation system
CN110336896B (en) Local area network equipment type identification method
CN101009706B (en) Method for protecting application based on sip
CN102655509B (en) Network attack identification method and device
CN113973059A (en) Passive industrial internet asset identification method and device based on network protocol fingerprint
CN113630409B (en) Abnormal flow identification method based on DNS analysis flow and IP flow fusion analysis
CN111917706A (en) Method for identifying NAT equipment and determining number of terminals behind NAT
CN111628994A (en) Industrial control environment anomaly detection method, system and related device
CN109474540B (en) Method and device for identifying OPC (optical proximity correction) flow
CN114900360B (en) Method for detecting DoH flow in HTTPS flow
CN111478925B (en) Port scanning detection method and system applied to industrial control environment
CN114221804B (en) Honeypot identification method based on feature identification and interactive verification
CN115396218A (en) Enterprise API (application program interface) safety control method and system based on flow analysis
CN114996689A (en) Method for cloud platform to self-identify information transmission system
CN111510443B (en) Terminal monitoring method and terminal monitoring device based on equipment portrait
CN113722740A (en) Interface portrait-based method for detecting risk of horizontally unauthorized access to sensitive data
CN109450927B (en) System and method for quickly identifying access camera
CN110830605A (en) Self-discovery client, communication terminal equipment and automatic discovery method thereof
CN111865724A (en) Information acquisition control implementation method for video monitoring equipment
CN111147523A (en) Comprehensive application protocol identification method based on service camouflage detection technology

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant