CN115037537A - Abnormal traffic interception and abnormal domain name identification method, device, equipment and medium - Google Patents


Info

Publication number
CN115037537A
Authority
CN
China
Prior art keywords
website
information
abnormal
domain name
terminal
Legal status
Pending (status as assumed by Google Patents; not a legal conclusion)
Application number
CN202210630220.7A
Other languages
Chinese (zh)
Inventor
王方圆
尚程
何文杰
傅强
梁彧
杨满智
王杰
田野
金红
陈晓光
Current Assignee
Eversec Beijing Technology Co Ltd
Original Assignee
Eversec Beijing Technology Co Ltd
Application filed by Eversec Beijing Technology Co Ltd

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies
    • H04L63/0236Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/02Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/14Session management
    • H04L67/141Setup of application sessions


Abstract

The invention discloses a method, device, equipment and medium for identifying abnormal domain names and intercepting abnormal traffic. The abnormal traffic interception method is executed by an intercepting device connected in parallel to a network switching device and comprises: collecting a copy of the data traffic from a bypass of the network switching device and identifying in it the connection establishment process information used to set up TCP connections; identifying, in that information, the first handshake message sent by the terminal to the website; identifying the domain name of the website the terminal wants to access in a key field of the first handshake message and detecting abnormal websites from it; when the target website that a target terminal wants to access is determined to be an abnormal website, generating TCP connection terminal blocking information matched to the target terminal; and sending that blocking information to the target terminal so as to intercept the target terminal's access to the target website. With this scheme, abnormal HTTPS websites are identified and their connections are blocked.

Description

Abnormal traffic interception and abnormal domain name identification method, device, equipment and medium
Technical Field
The invention relates to the technical field of internet, in particular to a method, a device, equipment and a medium for intercepting abnormal traffic and identifying abnormal domain names.
Background
With the development of internet technology, obtaining information by using a network has become a common information obtaining method at present. However, when the user acquires the required information through the network, the user may mistakenly enter some abnormal websites, and the abnormal websites may not only propagate some illegal information, but also cause economic loss for the user.
However, in order to keep the website running, some abnormal websites are deliberately built on HTTPS (HTTP over TLS, historically described as HTTP over Secure Socket Layer), which hides the request content from network security administrators and so evades detection and blocking of the abnormal website.
At present, most existing methods for blocking access to abnormal websites are aimed at HTTP (Hypertext Transfer Protocol) websites, and methods for analysing and blocking HTTPS websites are lacking.
Disclosure of Invention
The invention provides a method, a device, equipment and a medium for intercepting abnormal traffic and identifying an abnormal domain name, which are used for identifying and blocking an HTTPS (hypertext transfer protocol secure) abnormal website.
According to an aspect of the present invention, there is provided an abnormal traffic intercepting method, performed by an intercepting device connected in parallel to a network switching device, including:
collecting copy data flow from a bypass on network switching equipment, and identifying connection establishment process information used for establishing a Transmission Control Protocol (TCP) connection in the copy data flow, wherein the connection establishment process information is encrypted information;
in the connection establishment process information, identifying a first handshake message sent by a terminal to a website;
identifying domain name information of a website to be accessed by the terminal in a key field of the first handshake message, and detecting an abnormal website according to the domain name information;
when a target website which a target terminal needs to access is determined to be an abnormal website according to the target first handshake message, generating TCP connection terminal blocking information matched with the target terminal;
and sending the TCP connection terminal blocking information to the target terminal so as to intercept the behavior of the target terminal accessing the target website.
According to another aspect of the present invention, there is provided a method for identifying an abnormal domain name, the method being performed by a collecting device connected in parallel with a network switching device, and including:
collecting the copy data flow from a bypass on the network switching equipment, and identifying connection establishment process information used for establishing TCP connection in the copy data flow, wherein the connection establishment process information is encrypted information;
in each connection establishing process information, identifying a first handshake message sent by a terminal to a website, and analyzing a key field of the first handshake message to obtain domain name information of the website;
detecting whether the domain name information is stored in a known domain name library, if not, performing simulated access on the domain name information of the website, and acquiring a response message fed back by the website;
and if the website is determined to be an abnormal website according to the response message, storing the domain name information in an abnormal domain name library.
According to another aspect of the present invention, there is provided an abnormal traffic intercepting apparatus, including:
the connection establishment process information identification module is used for collecting the copy data flow from a bypass on the network switching equipment and identifying the connection establishment process information used for establishing the TCP connection in the copy data flow, wherein the connection establishment process information is encrypted information;
the first handshake message identification module is used for identifying a first handshake message sent by the terminal to a website in the connection establishment process information;
the abnormal website detection module is used for identifying the domain name information of the website to be accessed by the terminal in the key field of the first handshake message and detecting the abnormal website according to the domain name information;
the terminal blocking information generating module is used for generating TCP connection terminal blocking information matched with the target terminal when the target website required to be accessed by the target terminal is determined to be an abnormal website according to the target first handshake message;
and the terminal blocking information sending module is used for sending the TCP connection terminal blocking information to the target terminal so as to intercept the behavior of the target terminal accessing the target website.
According to another aspect of the present invention, there is provided an apparatus for identifying an abnormal domain name, including:
the connection establishment process information identification module is used for collecting the copy data flow from a bypass on the network switching equipment and identifying the connection establishment process information used for establishing the TCP connection in the copy data flow, wherein the connection establishment process information is encrypted information;
a domain name information analysis module, configured to identify a first handshake message sent by a terminal to a website in each connection establishment process information, and analyze a key field of the first handshake message to obtain domain name information of the website;
the response message acquisition module is used for detecting whether the domain name information is stored in a known domain name library, if not, carrying out simulation access on the domain name information of the website to acquire a response message fed back by the website;
and the abnormal domain name storage module is used for storing the domain name information into an abnormal domain name library if the website is determined to be an abnormal website according to the response message.
According to another aspect of the present invention, there is provided a computer apparatus comprising:
a memory, a processor, and a computer program stored on the memory and executable on the processor.
When the processor executes the computer program, the method for intercepting an abnormal traffic executed by the intercepting device according to the first embodiment and the third embodiment of the present invention can be implemented, or the method for identifying an abnormal domain name executed by the collecting device according to the second embodiment and the fourth embodiment of the present invention can be implemented.
According to another aspect of the present invention, there is provided a computer-executable instruction storage medium storing a computer program, which when executed by a processor, is capable of implementing the method for intercepting an abnormal traffic performed by an intercepting device according to any embodiment of the present invention, or implementing the method for identifying an abnormal domain name performed by a collecting device according to any embodiment of the present invention.
According to the technical scheme of the embodiment of the invention, the intercepting device is connected in parallel to a bypass of the network switching device, the connection establishment process information between the terminal and the website is collected from the copied traffic, the first handshake message sent by the terminal to the website is identified in that information, and the domain name information is extracted from and identified in the first handshake message. Because that message is the first data the terminal sends on its newly set-up TCP connection, whether the terminal is accessing an abnormal website can be judged as soon as the TCP three-way handshake between terminal and website has completed, and by breaking off that TCP connection the terminal's access to the abnormal HTTPS website is blocked before the TLS handshake completes and before any page content is returned. This provides a new and effective way of blocking abnormal HTTPS websites from a parallel (out-of-path) device, and the original service traffic of the network switching device is not affected while the blocking effect is ensured.
According to the technical scheme of the embodiment of the invention, the interception equipment is connected to a bypass of the network switching equipment in parallel, the connection establishment process information between the terminal and the website in the copied data flow is collected, the first handshake message sent to the website by the terminal is identified in the connection establishment process information, the identified domain name information is extracted from the first handshake message, whether the domain name information is known domain name information or not is detected, the unknown website domain name information is subjected to simulated access, whether the website is an abnormal website or not is judged according to the response message obtained after the access, the domain name information of the abnormal website is stored in an abnormal domain name library, the abnormal website is accurately detected, and the iterative update of the abnormal domain name library is completed.
It should be understood that the statements in this section do not necessarily identify key or critical features of the embodiments of the present invention, nor do they necessarily limit the scope of the invention. Other features of the present invention will become apparent from the following description.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings required to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the description below are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a flowchart of an intercepting method for abnormal traffic according to an embodiment of the present invention;
fig. 2 is a flowchart of a method for identifying an abnormal domain name according to a second embodiment of the present invention;
fig. 3a is a flowchart of an abnormal traffic intercepting method according to a third embodiment of the present invention;
fig. 3b is a network architecture diagram of a specific application scenario to which the technical solution of the embodiment of the present invention is applied;
fig. 3c is an interaction structure diagram of a specific application scenario to which the technical solution of the embodiment of the present invention is applied;
fig. 4 is a flowchart of a method for identifying an abnormal domain name according to a fourth embodiment of the present invention;
fig. 5 is a schematic structural diagram of an intercepting apparatus for abnormal network traffic according to a fifth embodiment of the present invention;
fig. 6 is a schematic structural diagram of an apparatus for identifying an abnormal domain name according to a sixth embodiment of the present invention;
fig. 7 is a schematic structural diagram of an intercepting device that implements the method for intercepting abnormal network traffic according to the embodiment of the present invention.
Detailed Description
In order to make those skilled in the art better understand the technical solutions of the present invention, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the terms "comprises" and "comprising," and any variations thereof, in the description and claims of the present invention and the above-described drawings, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Example one
Fig. 1 is a flowchart of an abnormal traffic intercepting method according to an embodiment of the present invention, where this embodiment is applicable to a situation that when a terminal initiates access to an HTTPS website, whether an access website is an abnormal website is identified, and the access determined as the abnormal website is intercepted, and the method may be executed by an abnormal traffic intercepting apparatus, which may be implemented in a form of hardware and/or software and may be generally configured in an intercepting device with a network data processing function. Wherein, in the internet, the intercepting equipment is connected in parallel with the network switching equipment. As shown in fig. 1, the method includes:
s110, collecting the copy data flow from the bypass of the network switching equipment, and identifying the connection establishment process information for establishing the TCP connection in the copy data flow, wherein the connection establishment process information is encrypted information.
In this embodiment the network switching device is a networking device on the internet that forwards the packets exchanged between the terminal and the website in a store-and-forward manner; typically it is the switch or router connected (directly or indirectly) closest to the terminal. The intercepting device is connected in parallel to the network switching device and obtains a copy of the traffic passing through it in both directions, i.e. mirrored traffic, and analyses the terminal's access to abnormal websites on that copy.
The copy of the traffic can be collected from the bypass of the network switching device by an optical tap (link splitting) or by switch port mirroring. Both are passive, out-of-path ways of obtaining the copy and do not affect the forwarded traffic.
An optical tap splits the optical signal on the monitored fibre link and passes part of its power to the collection port, so traffic is collected without disturbing transmission on the original link; port mirroring (e.g. SPAN) copies the frames passing through a designated port to another designated port without affecting the device's normal handling of those frames. When the intercepting device is attached to that mirror port, it obtains the copied traffic from it. Note that an oversubscribed mirror port drops frames, and a handshake whose first message is dropped is never seen by the intercepting device.
The duplicated data traffic may be duplicated data traffic collected by a bypass from a network switching device and based on HTTPS, where the duplicated data traffic includes connection establishment procedure information for establishing a TCP connection.
HTTPS is HTTP carried over a channel designed for security: on top of HTTP it adds transport encryption and identity authentication (of the server, and optionally of the client) so that the transmission is protected. HTTPS inserts a TLS layer (originally SSL, the Secure Socket Layer; all SSL versions are now deprecated and TLS 1.2 or 1.3 is used in practice) between HTTP and TCP, and uses a default port (443) different from that of HTTP (80).
Wherein, in the replicating data traffic, identifying connection establishment procedure information for establishing a TCP connection specifically includes: and acquiring connection establishment process information which is sent by the terminal and/or the website and is matched with the TCP three-way handshake process in the copy data flow.
By analyzing the TCP connection establishment process information, it is possible to identify a sender and a receiver corresponding to the TCP connection establishment process information, for example, connection establishment process information sent from a certain terminal to a certain website, or connection establishment process information sent from a certain website to a certain terminal.
The connection establishment process information for establishing the TCP connection is the connection establishment process information which is sent by at least one of the terminal and the website and is matched with the TCP three-way handshake process in the copy data flow.
In a specific example, a three-way TCP handshake is performed between a client and a server. First handshake: to open the connection the client sends a SYN segment (SYN = 1, seq = x) to the server, enters the SYN_SENT state and waits for the server to confirm. Second handshake: the server receives the SYN, acknowledges it (ack = x + 1) and sends its own SYN (seq = y) in the same segment, i.e. a SYN+ACK segment; the server enters the SYN_RECV (SYN_RECEIVED) state. Third handshake: the client receives the SYN+ACK and replies with an ACK segment (seq = x + 1, ack = y + 1); after this segment is sent the client, and after it is received the server, enters the ESTABLISHED state, and the three-way handshake is complete. Lowercase seq and ack denote sequence and acknowledgement numbers; uppercase SYN and ACK denote flag bits whose value is 1 or 0.
seq is the 32-bit (4-byte) sequence number that orders the data sent in one direction of the connection: TCP numbers every byte sent on the connection, the number of the first byte (the initial sequence number) is chosen locally at random, and the seq of a segment is the number of its first data byte. ack is the 32-bit acknowledgement number and holds the sequence number of the next byte the sender expects to receive, i.e. the number of the last byte received in order plus 1. The ACK flag occupies 1 bit; the acknowledgement number field is only meaningful when ACK = 1 and is ignored when ACK = 0. The SYN flag is used only while a connection is being set up: a segment with SYN = 1 and ACK = 0 is a connection request, a segment with SYN = 1 and ACK = 1 is the acceptance of a request, and once the handshake is complete SYN is 0 in every segment. A SYN consumes one sequence number, which is why the acknowledgement of a SYN with seq = x is x + 1 and why the first data byte the client sends after the handshake has seq = x + 1.
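The handshake bookkeeping just described can be checked on raw segments. The following Python is an added example, not code from the patent: it builds sample SYN, SYN+ACK and ACK segments (the addresses, ports and initial sequence numbers are made up) and tracks each flow through the three-way handshake, verifying that the acknowledgement numbers are x + 1 and y + 1 and flagging the client's first data segment, which is where the first TLS handshake message of S120 is found. The IP addresses are passed alongside each segment because the TCP header alone does not identify the flow.

```python
import struct

# TCP flag bits (byte 13 of the header)
TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x02, 0x04, 0x08, 0x10
MASK32 = 0xFFFFFFFF


def build_tcp(sport, dport, seq, ack, flags, payload=b""):
    """Constructed test input: a TCP segment with no options (data offset 5).
    The checksum is left at 0 because no IP pseudo-header is involved here."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    return hdr + payload


def parse_tcp(segment):
    """Decode the fields of a TCP segment needed for handshake tracking."""
    sport, dport, seq, ack, off, flags, _win, _csum, _urg = struct.unpack("!HHIIBBHHH", segment[:20])
    hdr_len = (off >> 4) * 4
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "syn": bool(flags & TCP_SYN), "ack_flag": bool(flags & TCP_ACK),
            "rst": bool(flags & TCP_RST), "payload": segment[hdr_len:]}


class HandshakeTracker:
    """Follows the three-way handshake of each client->server flow seen in mirrored
    traffic and reports which step a segment belongs to. x is the client's initial
    sequence number, y the server's; the client's first data byte has seq x + 1."""

    def __init__(self):
        self.flows = {}  # (client_ip, client_port, server_ip, server_port) -> state

    def observe(self, src_ip, dst_ip, segment):
        seg = parse_tcp(segment)
        fwd = (src_ip, seg["sport"], dst_ip, seg["dport"])   # key if src is the client
        rev = (dst_ip, seg["dport"], src_ip, seg["sport"])   # key if src is the server

        if seg["syn"] and not seg["ack_flag"]:               # 1st handshake
            self.flows[fwd] = {"state": "SYN_SENT", "x": seg["seq"]}
            return "SYN"

        if rev in self.flows:                                 # server -> client direction
            fl = self.flows[rev]
            if seg["syn"] and seg["ack_flag"] and fl["state"] == "SYN_SENT":
                if seg["ack"] != (fl["x"] + 1) & MASK32:      # must acknowledge x + 1
                    return "BAD_SYN_ACK"
                fl.update(state="SYN_RECEIVED", y=seg["seq"])  # 2nd handshake
                return "SYN-ACK"
            if seg["rst"]:
                fl["state"] = "CLOSED"
                return "RST"
            return "SERVER_OTHER"

        fl = self.flows.get(fwd)                              # client -> server direction
        if fl is None:
            return "UNTRACKED"
        if (fl["state"] == "SYN_RECEIVED" and seg["ack_flag"] and not seg["syn"]
                and seg["seq"] == (fl["x"] + 1) & MASK32
                and seg["ack"] == (fl["y"] + 1) & MASK32):
            fl["state"] = "ESTABLISHED"                       # 3rd handshake
            if seg["payload"]:                                # data piggybacked on the ACK
                fl["state"] = "CLIENT_DATA_SEEN"
                return "CLIENT_FIRST_DATA"
            return "ACK"
        if (fl["state"] == "ESTABLISHED" and seg["payload"]
                and seg["seq"] == (fl["x"] + 1) & MASK32):
            fl["state"] = "CLIENT_DATA_SEEN"
            return "CLIENT_FIRST_DATA"                        # where the TLS Client Hello sits
        return "CLIENT_OTHER"
```

A real collector feeds observe() from the mirrored packets in arrival order; because mirroring is lossy, any flow whose SYN was missed stays UNTRACKED, so a deployment should also accept a first data segment on an otherwise unknown flow rather than rely on having seen every handshake.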
In this embodiment, by means of collecting and copying the data traffic by the bypass, it is possible to avoid the influence on the normal forwarding service in the network switching device during the identification process of the abnormal website, and ensure the normal network transmission quality while providing the function of detecting the abnormal website.
Meanwhile, the abnormal website is identified from the first handshake message in the connection establishment process information, which is the first data the terminal sends once its TCP connection to the website is up. The abnormal website is therefore identified at the very start of the session and can be blocked before the TLS handshake completes, that is, before the terminal receives any page content from the abnormal website.
And S120, identifying a first handshake message sent to the website by the terminal in the connection establishment process information.
In the connection establishment process information, identifying a first handshake message sent by a terminal to a website specifically includes:
in the connection establishment process information, a Client Hello message matched with a first-stage handshake of a Transport Layer Security (TLS) is identified.
The connection establishment process information is described as encrypted information because it belongs to an HTTPS session whose application data is transmitted under a negotiated key. The Client Hello itself, however, is the first message of the TLS handshake and is sent in plaintext in every TLS version up to and including TLS 1.3 (TLS 1.3 encrypts the handshake messages after the Server Hello, but not the Client Hello), so the domain name of the website can be parsed from it without any key material. In a TLS 1.3 session the Client Hello is the only handshake message from which a bypass device can read the requested host name; with TLS 1.2 the server certificate is also sent in the clear, and an unencrypted DNS query preceding the connection names the host as well. Where the client uses Encrypted Client Hello (ECH), the real host name is carried in an encrypted inner Client Hello and this method only sees the outer, public name.
S130, identifying domain name information of the website which the terminal needs to access in the key field of the first handshake message, and detecting abnormal websites according to the domain name information.
The specific method for identifying the domain name of the website the terminal wants to access may be: in the key field of the first handshake message, locate the field that identifies the domain name and extract its value. In practice that field is the server_name (SNI) extension defined in RFC 6066, whose host_name entry carries the name the terminal wishes to reach. A client that omits SNI yields no domain name from this step, and the policy for such connections (allow, or block as unknown) has to be decided separately.
The specific method for detecting the abnormal website according to the domain name information may include: and comparing the domain name information with a pre-established abnormal website domain name library, and detecting whether the domain name information is stored in the abnormal website domain name library.
The method comprises the steps that a plurality of pre-labeled abnormal website domain names are stored in an abnormal website domain name library, and if domain name information of a website to be accessed by a terminal is matched with any abnormal website domain name in the abnormal website domain name library, the website is determined to be an abnormal website; and if the domain name information of the website required to be accessed by the terminal is determined not to be matched with all the domain names of the abnormal websites in the domain name library of the abnormal websites, determining the website to be a normal website.
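The extraction and look-up of S130 in working form. This Python is an added example and not the patent's implementation; it assumes, as the text does not state explicitly, that the key field is the server_name (SNI) extension of RFC 6066. build_client_hello only constructs test input (a minimal Client Hello with a made-up host name), and ABNORMAL_DOMAINS is a hypothetical abnormal-domain library. is_abnormal also matches a parent domain of the requested name, which goes beyond the exact match the text describes; drop the loop to keep the exact behaviour. A record without SNI, or one that is not a Client Hello, is reported as "unknown" rather than "normal".

```python
import struct

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000

# Constructed abnormal-domain library for the example (hypothetical names).
ABNORMAL_DOMAINS = {"bad.example", "phish.test"}


def build_client_hello(hostname, with_sni=True):
    """Constructed test input: a minimal TLS Client Hello record (TLS 1.2 framing,
    one cipher suite, zero random) carrying a server_name extension."""
    exts = b""
    if with_sni:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name       # name_type 0 = host_name
        data = struct.pack("!H", len(entry)) + entry                 # ServerNameList
        exts = struct.pack("!HH", EXT_SERVER_NAME, len(data)) + data
    body = (b"\x03\x03" + bytes(32) + b"\x00"                         # version, random, no session id
            + struct.pack("!H", 2) + b"\x13\x01"                     # cipher_suites: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                                            # compression_methods: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from the server_name extension of a Client Hello record,
    or None if the record is not a complete Client Hello or carries no SNI."""
    try:
        if record[0] != TLS_HANDSHAKE:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != CLIENT_HELLO:
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) < hs_len:
            return None                                   # handshake split across records
        pos = 34                                          # skip client_version (2) + random (32)
        pos += 1 + body[pos]                              # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                              # compression_methods
        if pos >= len(body):
            return None                                   # no extensions block at all
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            edata = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype != EXT_SERVER_NAME:
                continue
            list_end = 2 + struct.unpack("!H", edata[:2])[0]
            q = 2
            while q + 3 <= list_end:
                ntype, nlen = edata[q], struct.unpack("!H", edata[q + 1:q + 3])[0]
                q += 3
                if ntype == 0:                            # host_name entry
                    return edata[q:q + nlen].decode("ascii", "replace")
                q += nlen
        return None
    except (IndexError, struct.error):
        return None                                       # malformed or truncated record


def normalize(domain):
    """Case-fold and strip a trailing dot before comparing with the library."""
    return domain.lower().rstrip(".")


def is_abnormal(domain, library=ABNORMAL_DOMAINS):
    """Exact match, or match of any parent domain (the latter is a generalization)."""
    labels = normalize(domain).split(".")
    return any(".".join(labels[i:]) in library for i in range(len(labels) - 1))


def classify_client_hello(record):
    """'abnormal', 'normal' or 'unknown' (no SNI, or not a Client Hello)."""
    sni = extract_sni(record)
    if sni is None:
        return "unknown"
    return "abnormal" if is_abnormal(sni) else "normal"
```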
S140, when the target website which the target terminal needs to access is determined to be an abnormal website according to the target first handshake message, generating TCP connection terminal blocking information matched with the target terminal.
The TCP connection terminal blocking information is generated for the target terminal and is used to break off the TCP connection between the target terminal and the target website. Specifically, it is a segment that differs markedly from the connection establishment process information the terminal expects to receive from the website; in practice this is a forged TCP segment with the RST flag set, carrying the website's IP address and port as its source and a sequence number equal to the one the terminal expects to receive next.
When the target terminal receives the TCP connection terminal blocking information, it aborts the connection because the segment is clearly not the response it was expecting from the target website, and it does not continue the exchange with the target website. From the user's point of view the terminal shows a blank page or a browser error page stating that the web page cannot be opened. Note that a reset is only honoured if its sequence number falls within the terminal's receive window, and a terminal implementing the stricter checks of RFC 5961 answers an in-window but inexact reset with a challenge ACK instead of tearing the connection down, so the injected segment must use exactly the terminal's next expected sequence number. The bypass device also competes with the website's real reply: if the Server Hello arrives first, the expected sequence number has moved on and the injected segment is discarded.
In an optional implementation of this embodiment, the TCP connection terminal blocking information is generated by constructing, from the identification information (IP addresses and ports) of the target terminal and the target website, a connection-refusing segment that appears to be sent by the target website to the target terminal.
S150, the TCP connection terminal blocking information is sent to the target terminal so as to intercept the behavior of the target terminal for accessing the target website.
It should be emphasized that, to make sure the TCP connection terminal blocking information reaches the target terminal, unicast reverse path forwarding (uRPF) must be disabled on the switch or router interface through which the intercepting device injects the blocking information towards the target terminal: the injected segment carries the website's address as its source, and an interface with uRPF enabled drops packets whose source address is not reachable through that interface.
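The construction of the blocking information of S140, and of the website-side blocking information described later in this embodiment, as an added Python example that is not the patent's code. It builds the two forged RST segments from the addressing and the seq/ack numbers of the observed Client Hello segment; the addresses, ports and numbers in the docstring and tests are made up. It sends nothing: the returned bytes are what an operator would write to a raw socket opened with IP_HDRINCL on the bypass device. Two practical points are encoded: the RST toward the terminal carries exactly the terminal's next expected sequence number (the ack it put in the Client Hello), as RFC 5961 requires for an immediate reset, and both the IPv4 and the TCP checksum are filled in, since a stack silently drops a packet whose checksum is wrong.

```python
import socket
import struct

TCP_RST, TCP_ACK = 0x04, 0x10
MASK32 = 0xFFFFFFFF


def checksum(data):
    """RFC 1071 ones-complement checksum over 16-bit words (odd length zero-padded).
    Returns 0 when run over data that already contains its correct checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags):
    """TCP header with no options and no data; the checksum covers the IPv4 pseudo-header."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 0, 0, 0)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(hdr)))
    return hdr[:16] + struct.pack("!H", checksum(pseudo + hdr)) + hdr[18:]


def build_ipv4(src_ip, dst_ip, payload, ttl=64):
    """IPv4 header (no options, DF set) in front of a TCP segment, header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, ttl,
                      socket.IPPROTO_TCP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def forge_blocking_packets(terminal_ip, terminal_port, site_ip, site_port,
                           hello_seq, hello_ack, hello_len):
    """From the addresses, seq/ack numbers and payload length of the observed Client Hello
    segment, return two IPv4 packets:
      to_terminal: RST claiming to come from the website. The terminal's RCV.NXT is the
                   ack it sent in the Client Hello, so that value is used as seq.
      to_site:     RST claiming to come from the terminal. The website's RCV.NXT is the
                   Client Hello's seq plus its length."""
    next_client_seq = (hello_seq + hello_len) & MASK32
    to_terminal = build_ipv4(site_ip, terminal_ip,
                             build_tcp(site_ip, terminal_ip, site_port, terminal_port,
                                       hello_ack, next_client_seq, TCP_RST | TCP_ACK))
    to_site = build_ipv4(terminal_ip, site_ip,
                         build_tcp(terminal_ip, site_ip, terminal_port, site_port,
                                   next_client_seq, hello_ack, TCP_RST | TCP_ACK))
    return to_terminal, to_site


def summarize(packet):
    """Decode the addressing and TCP numbers of a packet built above (for checking)."""
    ihl = (packet[0] & 0x0F) * 4
    sport, dport, seq, ack, _off, flags = struct.unpack("!HHIIBB", packet[ihl:ihl + 14])
    return {"src": socket.inet_ntoa(packet[12:16]), "dst": socket.inet_ntoa(packet[16:20]),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack, "rst": bool(flags & TCP_RST)}


def checksums_ok(packet):
    """True if both the IPv4 header checksum and the TCP checksum verify."""
    ihl = (packet[0] & 0x0F) * 4
    ip_hdr, tcp = packet[:ihl], packet[ihl:]
    pseudo = ip_hdr[12:20] + struct.pack("!BBH", 0, ip_hdr[9], len(tcp))
    return checksum(ip_hdr) == 0 and checksum(pseudo + tcp) == 0
```

On the bypass device the two packets are sent from a raw socket (IPPROTO_RAW with IP_HDRINCL, which needs CAP_NET_RAW) out of an interface that does not apply uRPF to the spoofed source, as the preceding paragraph requires.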
Further, after intercepting the target terminal's access to the target website, the effect presented to the terminal can be extended according to the state of the web page, for example by showing a page return status code in the terminal's browser. Note that for an HTTPS website this is only possible if the intercepting device terminates the TLS session with a certificate the terminal trusts (as an inline proxy does); a bypass device that only injects TCP segments cannot place content or a status code inside the encrypted session, and the terminal shows its own connection error. The main page return status codes are:
200: the request succeeded; the response header or body the request expected is returned with the response.
201: the request has been fulfilled and a new resource has been created as a result; its URI (Uniform Resource Identifier) is returned in the Location header.
202: the server has accepted the request but has not yet processed it.
301 (moved permanently): the requested page has been permanently moved to a new location; when the server returns this response to a GET or HEAD request, the requester is automatically forwarded to the new location.
302 (found, temporarily moved): the server currently responds to the request with a page from a different location, but the requester should keep using the original location for subsequent requests.
303 (see other): the server returns this code when the requester should retrieve the response with a separate GET request to a different location.
304 (not modified): the requested page has not been modified since the last request; when the server returns this response, no page content is returned.
305 (use proxy): the requester can only access the requested page through a proxy; if the server returns this response, it also indicates the proxy the requester should use.
307 (temporary redirect): the server currently responds to the request with a page from a different location, but the requester should keep using the original location for future requests.
401: the request requires user authentication; if the request already contained Authorization credentials, a 401 response means the server has rejected those credentials.
403: the server understood the request but refuses to fulfil it; unlike 401, authenticating does not help, and the request should not be repeated.
404: the request failed; the resource it asked for was not found on the server.
500: the server encountered an unexpected condition that prevented it from completing the request.
501: the server does not support a feature required by the current request, i.e. it does not recognise the request method and cannot support it for any resource.
502: a server acting as a gateway or proxy received an invalid response from an upstream server while trying to fulfil the request.
503: the server is currently unable to handle the request because of temporary maintenance or overload; the condition is temporary and will clear after some time.
Further, after the TCP connection blocking information is sent to the target terminal to intercept the behavior of the target terminal accessing the target website, the method further includes:
generating TCP connection website blocking information matched with the target website; and sending the TCP connection website blocking information to the target website so as to intercept the behavior of the target website feeding back response information to a target terminal.
The TCP connection website blocking information is generated aiming at the target website and is used for blocking the target website from continuously feeding back response information to the target terminal. Specifically, the TCP connection website blocking information may be information indicating that the target terminal disconnects TCP from the target website. When the target website receives the TCP connection website blocking information, no response information is fed back to any request information sent by the target terminal.
The reason is that sending the TCP connection terminal blocking information to the target terminal only stops the target terminal, from its own side, from continuing to access the target website. It cannot prevent the target website from responding to request information that the target terminal had already sent before it received the TCP connection terminal blocking information; therefore the TCP connection website blocking information can be sent to the target website at the same time, so as to ensure the success rate of blocking.
Generating TCP connection website blocking information matched with the target website may include:
and according to the identification information of the target terminal and the target website, constructing disconnection information pointed to the target website by the target terminal as TCP connection website blocking information.
Based on this embodiment, with the protocol standard of the TCP three-way handshake as the core, the message matched with the first TLS handshake is extracted and analyzed, the three-way handshake is interfered with, the access link is disconnected, and the information of the return packet directed to the target terminal is modified, so that the aim of blocking the target terminal from accessing an abnormal HTTPS website can be fulfilled.
The embodiment of the invention creatively provides that, in the information of the TCP connection establishment process, a Client Hello message matched with the first-stage handshake of TLS is identified, the domain name information of the target website is extracted from the Client Hello message, and abnormal domain name identification is then performed on that domain name information. Meanwhile, according to the identification information of the target terminal and the target website, the method also provides a way of constructing denial of service information directed from the target website to the target terminal and disconnection information directed from the target terminal to the target website, and of using this information to directly block TCP transmission between the target terminal and the target website, so as to intervene in the access of the target terminal to the abnormal HTTPS website.
According to the technical scheme of the embodiment of the invention, the interception equipment is connected to the bypass of the network switching equipment in parallel, the connection establishment process information between the terminal and the website in the copied data flow is collected, the first handshake message sent to the website by the terminal is identified in the connection establishment process information, and the domain name information is extracted and identified in the first handshake message, so that whether the terminal accesses an abnormal website can be judged in the process of establishing TCP three-way handshake between the terminal and the website, the access of the terminal to the abnormal HTTPS website can be blocked before TCP connection is established in a way of blocking the normal TCP handshake establishment flow, a new way of effectively blocking the abnormal HTTPS website in a parallel connection way is provided, and the original service flow of the network switching equipment is not influenced while the effective blocking effect is ensured.
Example two
Fig. 2 is a flowchart of an abnormal domain name identification method according to a second embodiment of the present invention. This embodiment is applicable to the case where, when a terminal initiates access to an HTTPS website, the domain name information of the website is extracted, simulated access to the website is performed, a response message is obtained, and whether the website is an abnormal website is determined. The method may be executed by an abnormal domain name identification device, which may be implemented in hardware and/or software and may generally be configured in a collection device having a network data collection function. In the internet, the collection device is connected in parallel with the network switching equipment. As shown in Fig. 2, the method includes:
S210, collecting the copied data traffic from the network switching equipment through a bypass, and identifying, in the copied data traffic, the connection establishment process information for establishing the TCP connection, wherein the connection establishment process information is encrypted information.
S220, in the information of each connection establishing process, identifying a first handshake message sent to the website by the terminal, and analyzing the key field of the first handshake message to obtain the domain name information of the website.
S230, detecting whether the domain name information is stored in a known domain name library, if not, performing simulated access on the domain name information of the website, and acquiring a response message fed back by the website.
The known domain name library is a domain name library composed of domain name information, recorded or manually added, of websites that are confirmed to be normal; in a relative sense, the known domain name library can contain most of the website domain name information that a user may access.
The performing of the simulated access to the domain name information of the website may specifically include: sending an access request to the website server; establishing normal TCP connection with the website, and carrying out TCP three-way handshake; and after the TCP connection is successful, acquiring a response message fed back by the website.
The response message mainly comprises a state line, a response header and response data. The status line mainly includes a protocol version, a status code and a status code description, which are used to indicate the current status of the server, and in a specific example, may include a response success or a server error. The response header is mainly used to add some additional information to the response message. The response data is mainly used for storing data information needing to be returned to the client.
According to the technical scheme of the embodiment, by acquiring the response message fed back by the website and judging whether the website is an abnormal website according to the content of the response message, the accurate judgment of the abnormal website can be realized, and the abnormal data contained in the abnormal website can be acquired.
S240, if the website is determined to be an abnormal website according to the response message, storing the domain name information in an abnormal domain name library.
Specifically, whether response data in the response message is abnormal data or not is judged, and if the response data is abnormal data, the website is an abnormal website.
Further, after the website is judged to be an abnormal website, the domain name information of the abnormal website is stored in an abnormal domain name library, iterative updating of the abnormal domain name library is completed, and when abnormal traffic is intercepted in the subsequent process, whether the domain name information extracted from the copied data traffic is abnormal domain name information or not can be judged according to the abnormal domain name library.
According to the technical scheme of the embodiment, the interception equipment is connected to a bypass of the network switching equipment in parallel, connection establishment process information between the terminal and the website in the copied data flow is collected, a first handshake message sent to the website by the terminal is identified in the connection establishment process information, domain name identification information is extracted from the first handshake message, whether the domain name information is known domain name information is detected, unknown website domain name information is subjected to simulated access, whether the website is an abnormal website is judged according to a response message obtained after the access, the domain name information of the abnormal website is stored in an abnormal domain name library, the abnormal website is accurately detected, and iterative updating of the abnormal domain name library is completed.
EXAMPLE III
Fig. 3 is a flowchart of an intercepting method of abnormal network traffic according to a third embodiment of the present invention, and this embodiment further embodies an intercepting process of network traffic on the basis of the foregoing embodiment. As shown in fig. 3, the method includes:
S310, collecting, through a bypass, the copied HTTPS-based data traffic from the network switching equipment.
S320, in the duplicated data traffic, identifying connection establishment procedure information for establishing the TCP connection.
S330, in the connection establishment process information, identifying a Client Hello message matched with the first-stage handshake of the TLS.
S340, analyzing the key field of the Client Hello message to obtain the domain name information of the website which the terminal needs to access.
The analyzing to obtain the domain name information of the website to be accessed by the terminal specifically includes: reading a key field of the Client Hello message; and detecting the domain name information contained in the connection establishment process information in a mode of identifying a domain name information identification field in a key field of the Client Hello message.
S350, comparing the extracted domain name information with a pre-established abnormal website domain name library.
The abnormal website domain name library is an information library which is collected in advance and contains all the domain names determined to be abnormal website domain names. Specifically, the abnormal domain name may be identified by the method for identifying an abnormal domain name described in the second embodiment of the present invention and stored in the abnormal website domain name library, or the abnormal labels added to the abnormal websites visited by different users may be collected to identify and obtain the abnormal domain name information.
S360, judging whether the domain name information is the domain name information of an abnormal website: if yes, executing S370; if not, returning to S310 to continue monitoring the subsequent copied data traffic without interfering with the normal website access.
S370, according to the identification information of the target terminal and the target website, constructing denial of service information which points to the target terminal by the target website, and using the denial of service information as the TCP connection terminal blocking information; and constructing disconnection information pointed to the target website by the target terminal to serve as TCP connection website blocking information.
S380, sending the TCP connection terminal blocking information to the target terminal, and sending the TCP connection website blocking information to the target website.
Specifically, the TCP connection terminal blocking information is sent to the target terminal, and the TCP connection website blocking information is sent to the target website, which may be performed simultaneously, as long as at least one of the target terminal and the target website receives and responds to the corresponding blocking information before the normal service request is ended, so that access blocking to the abnormal website may be implemented.
S390, when either the target terminal or the target website reads the corresponding blocking information and responds to it, determining that the interception is successful.
In a specific embodiment, after receiving the TCP connection terminal blocking information, the target terminal reads information that the target website cannot respond or provide request service, and the like, and at this time, the target terminal determines that the access request is failed, and suspends the access; similarly, after the target website receives the TCP connection website blocking information, the read information may be information such as a target terminal terminating access request or a target terminal browser disconnecting, and at this time, the target website determines that the access request is failed, and suspends the response request; if the target website has already performed access response and data transmission before any party reads the corresponding blocking information, the response is terminated after any party reads the corresponding blocking information, and the page in the target terminal stops rendering.
S3100, after intercepting the target website accessed by the target terminal, displaying matched access failure description information on the target terminal according to different states of the webpage.
This has the advantage that the webpage return status code can be displayed in the webpage of the terminal; by displaying the webpage return status code, the information of the access failure is fed back to the user in time, user experience is improved, and seamless interference is achieved.
According to the technical scheme of the embodiment of the invention, a traffic parallel-connection mode is adopted, the copied data traffic is obtained without affecting normal network communication, the TCP connection terminal blocking information and the TCP connection website blocking information are sent to the target terminal and the target website respectively, and the matched access failure description information is displayed on the target terminal after the interception succeeds, so that traceless interference with the target terminal's access to the abnormal website is realized.
Application specific scenarios
1. Intercepting abnormal traffic:
Fig. 3b shows a network architecture diagram of a specific application scenario to which the technical solution of the embodiment of the present invention is applied. As shown in Fig. 3b, the terminal sends an access request to the website server; while the access is being requested, the network switching device splits a copy of the traffic off to the intercepting device, and the intercepting device extracts the website accessed by the terminal and determines whether it is an abnormal website. For an access request to a normal website, the intercepting device does not interfere, and the web server sends the response packet of the request directly to the terminal. If the website is judged to be an abnormal website, the intercepting device sends a terminal return packet to the terminal and simultaneously sends a server return packet to the website server; in this way the web server cannot normally send the requested response packet to the terminal, and interception of the abnormal network traffic is realized.
The aim of the method is to disconnect the access link by interfering with the TCP three-way handshake, and to block the target terminal from accessing the abnormal website by modifying the information of the return packets.
Specifically, a user inputs a URL (Uniform Resource Locator) in the address bar of a browser on the terminal; the browser parses the URL and checks whether the URL address is legal. The browser then checks whether records exist in the browser cache, system cache and router cache: if a record exists in a cache, the page content is displayed directly; if not, domain name resolution is performed and the corresponding IP address is obtained. The browser initiates a TCP connection to the server of the target website and starts the three-way handshake. The traffic is split off in parallel and the copied data traffic is collected; connection establishment process information for establishing the TCP connection is identified in the copied data traffic; a Client Hello message matched with the first-stage handshake of TLS is identified in the connection establishment process information; and the key field of the Client Hello message is analyzed to obtain the domain name information of the website the terminal is to access. The extracted domain name information is compared with the pre-established abnormal website domain name library: if it is the domain name of a normal website, the normal interaction between the terminal and the server is not interfered with; if it is the domain name of an abnormal website, the return packet information is modified according to the identification information of the target terminal and the target website, a new terminal return packet and a new server return packet are generated, and the modified terminal return packet and server return packet are sent to the terminal and to the abnormal website server respectively. After the terminal reads the terminal return packet, it considers that the server cannot provide the service and closes the access request; after the abnormal website server reads the server return packet, it considers that the requesting device has stopped its access request and stops responding to it. If the abnormal website has already performed access response and data transmission before either party reads the corresponding modified return packet, the response stops once either party reads its modified return packet and the page in the browser stops rendering, at which point the interception is regarded as successful. Finally, a webpage return status code is displayed in the webpage to remind the user of the access failure.
2. HTTPS data transmission:
Fig. 3c shows an interaction structure diagram of a specific application scenario of a user performing data transmission with an HTTPS website. As shown in Fig. 3c, the main process of data transmission between the user and the HTTPS website includes two phases: certificate verification and data transmission.
In the certificate verification stage, the user initiates a website access request; after receiving the request, the website server returns a certificate containing a public key; the user terminal judges whether the returned certificate is legal; if it is not, an alarm is raised, and if it is, the data transmission stage is entered.
In the data transmission stage, after the returned certificate is judged to be legal, a random number is generated locally, encrypted with the public key and transmitted to the website server; the website server decrypts the random number with its private key, encrypts the data to be transmitted by symmetric encryption using the random number, and sends the encrypted data to the user terminal; the user terminal decrypts the encrypted data with the locally stored random number, so that all data are transmitted in encrypted form.
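The two stages just described, as an added example that is not part of the patent: the website's RSA public key stands in for the returned certificate, a pinned SHA-256 fingerprint stands in for the legality check, RSA-OAEP carries the random number and AES-256-GCM is the symmetric encryption. Key size, padding and cipher are assumptions, and the exchange mirrors the page's simplified description rather than a real TLS handshake.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
)

// Server models the website: a long-term RSA key pair whose public half plays the
// role of the "returned certificate containing a public key" on the page.
type Server struct{ key *rsa.PrivateKey }

// NewServer generates the website's key pair (2048-bit RSA is an assumption).
func NewServer() (*Server, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Server{key: k}, nil
}

// Certificate returns the DER-encoded public key the website sends after the first request.
func (s *Server) Certificate() []byte { return x509.MarshalPKCS1PublicKey(&s.key.PublicKey) }

// Fingerprint is the SHA-256 digest a terminal pins to decide whether a certificate is legal.
func Fingerprint(cert []byte) [32]byte { return sha256.Sum256(cert) }

// Client models the user terminal.
type Client struct {
	trusted [32]byte       // fingerprint of the certificate the terminal expects
	pub     *rsa.PublicKey // set only once the certificate has been accepted
	secret  []byte         // the locally generated random number
}

// VerifyCertificate is the certificate verification stage: an unexpected certificate
// raises the alarm (an error) and the data transmission stage is never entered.
func (c *Client) VerifyCertificate(cert []byte) error {
	if Fingerprint(cert) != c.trusted {
		return errors.New("alarm: returned certificate is not legal")
	}
	pub, err := x509.ParsePKCS1PublicKey(cert)
	if err != nil {
		return err
	}
	c.pub = pub
	return nil
}

// KeyExchange generates the random number and returns it encrypted under the website's
// public key; this is the first message of the data transmission stage.
func (c *Client) KeyExchange() ([]byte, error) {
	if c.pub == nil {
		return nil, errors.New("certificate has not been verified")
	}
	c.secret = make([]byte, 32)
	if _, err := rand.Read(c.secret); err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, c.pub, c.secret, nil)
}

// ReceiveKey is the website side: recover the random number with the private key.
func (s *Server) ReceiveKey(encrypted []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, s.key, encrypted, nil)
}

// gcm builds the symmetric cipher both sides derive from the shared random number.
func gcm(secret []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(secret) // a 32-byte secret selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

// Seal encrypts data for the other side and returns nonce || ciphertext || tag.
func Seal(secret, plaintext []byte) ([]byte, error) {
	g, err := gcm(secret)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts a message produced by Seal and rejects anything that was tampered with.
func Open(secret, msg []byte) ([]byte, error) {
	g, err := gcm(secret)
	if err != nil {
		return nil, err
	}
	if len(msg) < g.NonceSize() {
		return nil, errors.New("message too short")
	}
	return g.Open(nil, msg[:g.NonceSize()], msg[g.NonceSize():], nil)
}
```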
Example four
Fig. 4 is a flowchart of an abnormal domain name identification method according to a third embodiment of the present invention. On the basis of the above embodiments, the present embodiment further embodies the process of identifying an abnormal domain name. As shown in fig. 4, the method includes:
S410, collecting, through a bypass, the copied HTTPS-based data traffic from the network switching equipment.
S420, in the copied data traffic, identifying connection establishment process information for establishing the TCP connection.
S430, in the connection establishment process information, identifying a Client Hello message matched with the first-stage handshake of the TLS.
S440, analyzing the key field of the first handshake message to obtain domain name information of a website which the terminal needs to access.
The analyzing to obtain the domain name information of the website to be accessed by the terminal specifically includes: reading a key field of a first handshake message; and detecting the domain name information contained in the connection establishment process information by utilizing a mode of identifying a domain name information identification field in the key field of the first handshake message.
S450, detecting whether the domain name information is stored in a known domain name library, and if not, executing S460; if yes, the process returns to the step S410.
It can be understood that, if the domain name information is stored in the known domain name library, the domain name is a known domain name whose detection result as normal or abnormal has already been determined; therefore, without performing the subsequent simulated access on the domain name information, the process may return to S410 and continue to obtain new copied data traffic for resolving new domain name information.
S460, performing simulated access on the domain name information of the website, acquiring a response message fed back by the website, and executing S470.
S470, judging whether the response data in the response message is abnormal data, if not, returning to execute S410; if yes, go to S480.
S480, determining that the website is an abnormal website, and storing the domain name information in an abnormal domain name library.
According to the technical scheme of the embodiment of the invention, the interception equipment is connected to the bypass of the network switching equipment in parallel, the connection establishment process information between the terminal and the website in the copied data flow is collected, the first handshake message sent to the website by the terminal is identified in the connection establishment process information, the identified domain name information is extracted from the first handshake message, whether the domain name information is known domain name information or not is detected, the unknown website domain name information is subjected to simulated access, whether the website is an abnormal website or not is judged according to response data in the response message obtained after the access, the domain name information of the abnormal website is stored in an abnormal domain name library, the abnormal website is accurately detected, and the iterative update of the abnormal domain name library is completed.
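The Client Hello analysis of S340 and S440 and the library comparison of S350 and S450, as an added example that is not the patent's code: the parser walks the TLS record and handshake headers to the server_name extension, which is taken here as the key field carrying the domain name information, and the abnormal library is consulted before the known library. The constructed Client Hello, the domain names and the library contents are made up for the example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"strings"
)

// u16 reads a big-endian 16-bit length field.
func u16(b []byte) int { return int(binary.BigEndian.Uint16(b)) }

// skipVec steps over a length-prefixed vector whose length field is n bytes (1 or 2).
func skipVec(b []byte, pos, n int) (int, error) {
	if pos+n > len(b) {
		return 0, errors.New("truncated ClientHello")
	}
	l := int(b[pos])
	if n == 2 {
		l = u16(b[pos:])
	}
	if pos+n+l > len(b) {
		return 0, errors.New("truncated ClientHello")
	}
	return pos + n + l, nil
}

// ExtractSNI parses the first TLS record of a client-to-server TCP payload and returns
// the host_name from the server_name extension: the domain name field the collector reads.
func ExtractSNI(payload []byte) (string, error) {
	if len(payload) < 5 || payload[0] != 0x16 || len(payload) < 5+u16(payload[3:]) {
		return "", errors.New("not a complete TLS handshake record") // type 0x16 = handshake
	}
	hs := payload[5 : 5+u16(payload[3:])]
	if len(hs) < 4 || hs[0] != 0x01 {
		return "", errors.New("not a ClientHello") // handshake type 0x01 = ClientHello
	}
	body := hs[4:] // the 3-byte handshake length is already bounded by the record length
	pos, err := 2+32, error(nil) // skip client_version and random
	for _, n := range []int{1, 2, 1} { // session_id, cipher_suites, compression_methods
		if pos, err = skipVec(body, pos, n); err != nil {
			return "", err
		}
	}
	if pos+2 > len(body) || pos+2+u16(body[pos:]) > len(body) {
		return "", errors.New("ClientHello has no usable extensions block")
	}
	ext := body[pos+2 : pos+2+u16(body[pos:])]
	for len(ext) >= 4 {
		typ, l := u16(ext), u16(ext[2:])
		if 4+l > len(ext) {
			return "", errors.New("truncated extension")
		}
		data := ext[4 : 4+l]
		ext = ext[4+l:]
		if typ != 0x0000 || len(data) < 2 { // extension type 0x0000 = server_name
			continue
		}
		for list := data[2:]; len(list) >= 3; { // entries: name_type (1), length (2), name
			nl := u16(list[1:])
			if 3+nl > len(list) {
				return "", errors.New("truncated server_name entry")
			}
			if list[0] == 0 { // name_type 0 = host_name
				return string(list[3 : 3+nl]), nil
			}
			list = list[3+nl:]
		}
	}
	return "", errors.New("no server_name extension")
}

// Classify applies the two-library decision: the abnormal domain library is checked first,
// then the known (normal) library; anything else is unknown and goes to simulated access.
func Classify(domain string, known, abnormal map[string]bool) string {
	d := strings.ToLower(strings.TrimSuffix(domain, "."))
	if abnormal[d] {
		return "abnormal"
	}
	if known[d] {
		return "normal"
	}
	return "unknown"
}

// BuildClientHello assembles a minimal constructed ClientHello (TLS 1.2 framing, zero
// random, one cipher suite) carrying host in a server_name extension. Sample input only.
func BuildClientHello(host string) []byte {
	name := []byte(host)
	entry := append([]byte{0x00, byte(len(name) >> 8), byte(len(name))}, name...)
	list := append([]byte{byte(len(entry) >> 8), byte(len(entry))}, entry...)
	ext := append([]byte{0x00, 0x00, byte(len(list) >> 8), byte(len(list))}, list...)
	body := append([]byte{0x03, 0x03}, make([]byte, 32)...)       // client_version, random
	body = append(body, 0x00, 0x00, 0x02, 0x13, 0x01, 0x01, 0x00) // session_id, suites, compression
	body = append(body, byte(len(ext)>>8), byte(len(ext)))
	body = append(body, ext...)
	hs := append([]byte{0x01, byte(len(body) >> 16), byte(len(body) >> 8), byte(len(body))}, body...)
	return append([]byte{0x16, 0x03, 0x01, byte(len(hs) >> 8), byte(len(hs))}, hs...)
}
```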
EXAMPLE five
Fig. 5 is a schematic structural diagram of an abnormal traffic intercepting apparatus according to a third embodiment of the present invention. As shown in fig. 5, the apparatus includes: a connection establishment process information identification module 510, a first handshake message identification module 520, an abnormal website detection module 530, a terminal blocking information generation module 540, and a terminal blocking information transmission module 550.
A connection establishment procedure information identification module 510, configured to bypass-collect the duplicate data traffic from the network switching device, and identify connection establishment procedure information used for establishing a TCP connection in the duplicate data traffic, where the connection establishment procedure information is encrypted information;
a first handshake message identification module 520, configured to identify a first handshake message sent by the terminal to the website in the connection establishment process information;
an abnormal website detection module 530, configured to identify, in the key field of the first handshake packet, domain name information of a website that the terminal needs to access, and detect an abnormal website according to the domain name information;
a terminal blocking information generating module 540, configured to generate TCP connection terminal blocking information matched with the target terminal when it is determined that the target website that the target terminal needs to access is an abnormal website according to the target first handshake message;
a terminal blocking information sending module 550, configured to send the TCP connection terminal blocking information to the target terminal, so as to intercept the behavior of the target terminal accessing the target website.
According to the technical scheme of the embodiment of the invention, the interception equipment is connected to the bypass of the network switching equipment in parallel, the connection establishment process information between the terminal and the website in the copied data flow is acquired, the first handshake message sent to the website by the terminal is identified in the connection establishment process information, and the domain name information is extracted from the first handshake message, so that whether the terminal accesses an abnormal website or not can be judged in the process of establishing TCP three-way handshake between the terminal and the website, the normal TCP handshake establishment flow can be blocked, the access of the terminal to the abnormal HTTPS website is blocked before TCP connection is established, a new way for effectively blocking the connection of the abnormal HTTPS website in a parallel connection mode is provided, the effective blocking effect is ensured, and the original service flow of the network switching equipment is not influenced.
On the basis of the foregoing embodiments, the connection establishment procedure information identification module 510 may be specifically configured to:
collecting, through a bypass on the network switching equipment, copied data traffic based on the hypertext transfer secure protocol (HTTPS);
and acquiring connection establishment process information which is sent by the terminal and/or the website and is matched with the TCP three-way handshake process in the copy data flow.
On the basis of the foregoing embodiments, the first handshake packet identification module 520 may be specifically configured to:
in the connection establishment process information, identifying a first handshake message sent by the terminal to the website includes:
and identifying a Client Hello message matched with the first-stage handshake of the security transport layer protocol TLS in the connection establishing process information.
On the basis of the foregoing embodiments, the terminal blocking information generating module 540 may specifically be configured to: and constructing denial of service information which points to the target terminal by the target website according to the identification information of the target terminal and the target website, wherein the denial of service information is used as the TCP connection terminal blocking information.
On the basis of the above embodiments, a website response information intercepting module may further be included, which comprises:
the website blocking information generating unit is used for generating TCP connection website blocking information matched with the target website;
and the website blocking information sending unit is used for sending the TCP connection website blocking information to the target website so as to intercept the behavior of the target website for feeding back response information to a target terminal.
On the basis of the foregoing embodiments, the website blocking information generating unit may be specifically configured to: and according to the identification information of the target terminal and the target website, constructing disconnection information pointed to the target website by the target terminal, and using the disconnection information as the TCP connection website blocking information.
The abnormal traffic intercepting device provided by the embodiment of the invention can execute the abnormal traffic intercepting method provided by any embodiment of the invention, and has the corresponding functional modules and beneficial effects of the execution method.
EXAMPLE six
Fig. 6 is a schematic structural diagram of an abnormal domain name recognition apparatus according to a third embodiment of the present invention. As shown in fig. 6, the apparatus includes: a connection establishment process information identification module 610, a domain name information analysis module 620, a response message acquisition module 630 and an abnormal domain name storage module 640.
A connection establishment process information identification module 610, configured to collect the copied data traffic from the network switching device through a bypass, and identify, in the copied data traffic, connection establishment process information used for establishing a TCP connection, where the connection establishment process information is encrypted information;
a domain name information analyzing module 620, configured to identify, in each piece of connection establishment process information, a first handshake message sent by a terminal to a website, and analyze the key field of the first handshake message to obtain the domain name information of the website;
a response message obtaining module 630, configured to detect whether the domain name information is stored in a known domain name library, and if not, perform simulated access on the domain name information of the website to obtain a response message fed back by the website;
and the abnormal domain name storage module 640 is configured to store the domain name information in an abnormal domain name library if the website is determined to be an abnormal website according to the response packet.
According to the technical scheme of the embodiment, the interception equipment is connected to a bypass of the network switching equipment in parallel, connection establishment process information between the terminal and the website in the copied data flow is collected, a first handshake message sent to the website by the terminal is identified in the connection establishment process information, domain name identification information is extracted from the first handshake message, whether the domain name information is known domain name information is detected, unknown website domain name information is subjected to simulated access, whether the website is an abnormal website is judged according to a response message obtained after the access, the domain name information of the abnormal website is stored in an abnormal domain name library, the abnormal website is accurately detected, and iterative updating of the abnormal domain name library is completed.
The device for identifying the abnormal domain name provided by the embodiment of the invention can execute the method for identifying the abnormal domain name provided by any embodiment of the invention, and has the corresponding functional modules and beneficial effects of the execution method.
Example seven
FIG. 7 illustrates a schematic diagram of an electronic device 70 that may be used to implement an embodiment of the present invention. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The electronic device may also represent various forms of mobile devices, such as personal digital assistants, cellular phones, smart phones, wearable devices (e.g., helmets, glasses, watches, etc.), and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the inventions described and/or claimed herein.
As shown in fig. 7, the electronic device 70 includes at least one processor 71, and a memory communicatively connected to the at least one processor 71, such as a Read Only Memory (ROM)72, a Random Access Memory (RAM)73, and the like, wherein the memory stores computer programs executable by the at least one processor, and the processor 71 may perform various appropriate actions and processes according to the computer programs stored in the Read Only Memory (ROM)72 or the computer programs loaded from the storage unit 78 into the Random Access Memory (RAM) 73. In the RAM 73, various programs and data necessary for the operation of the electronic apparatus 70 can also be stored. The processor 71, the ROM 72, and the RAM 73 are connected to each other by a bus 74. An input/output (I/O) interface 75 is also connected to bus 74.
A number of components in the electronic device 70 are connected to the I/O interface 75, including: an input unit 76 such as a keyboard, a mouse, etc.; an output unit 77 such as various types of displays, speakers, and the like; a storage unit 78, such as a magnetic disk, optical disk, or the like; and a communication unit 79 such as a network card, modem, wireless communication transceiver, etc. The communication unit 79 allows the electronic device 70 to exchange information/data with other devices via a computer network such as the internet and/or various telecommunication networks.
Processor 71 may be a variety of general and/or special purpose processing components with processing and computing capabilities. Some examples of processor 71 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various dedicated Artificial Intelligence (AI) computing chips, various processors running machine learning model algorithms, a Digital Signal Processor (DSP), and any suitable processor, controller, microcontroller, and so forth. The processor 71 performs various methods and processes described above, such as an identification method of an abnormal domain name and an interception method of abnormal traffic as described in the embodiment of the present invention.
In some embodiments, the method of identifying anomalous domain names and the method of intercepting anomalous traffic may be implemented as a computer program tangibly embodied in a computer-readable storage medium, such as storage unit 78. In some embodiments, part or all of the computer program may be loaded and/or installed onto the electronic device 70 via the ROM 72 and/or the communication unit 79. When the computer program is loaded into the RAM 73 and executed by the processor 71, one or more steps of the above-described identification method of an abnormal domain name and interception method of abnormal traffic may be performed. Alternatively, in other embodiments, processor 71 may be configured to perform the identification method of the anomalous domain name and the interception method of the anomalous traffic by any other suitable means (e.g., by means of firmware).
Various implementations of the systems and techniques described above may be implemented in digital electronic circuitry, integrated circuitry, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), systems on a chip (SoCs), Complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include implementation in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be special or general purpose, that receives data and instructions from, and transmits data and instructions to, a storage system, at least one input device, and at least one output device.
A computer program for implementing the methods of the present invention may be written in any combination of one or more programming languages. These computer programs may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the computer programs, when executed by the processor, cause the functions/acts specified in the flowchart and/or block diagram block or blocks to be performed. A computer program can execute entirely on a machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of the present invention, a computer-readable storage medium may be a tangible medium that can contain, or store a computer program for use by or in connection with an instruction execution system, apparatus, or device. A computer readable storage medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. Alternatively, the computer readable storage medium may be a machine readable signal medium. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on an electronic device having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) by which a user can provide input to the electronic device. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic, speech, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: local Area Networks (LANs), Wide Area Networks (WANs), blockchain networks, and the internet.
The computing system may include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server may be a cloud server, also called a cloud computing server or cloud host, a host product in a cloud computing service system that overcomes the drawbacks of difficult management and poor service scalability found in traditional physical hosts and VPS services.
It should be understood that various forms of the flows shown above may be used, with steps reordered, added, or deleted. For example, the steps described in the present invention may be executed in parallel, sequentially, or in different orders, and are not limited herein as long as the desired results of the technical solution of the present invention can be achieved.
The above-described embodiments should not be construed as limiting the scope of the invention. It should be understood by those skilled in the art that various modifications, combinations, sub-combinations and substitutions may be made in accordance with design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. An interception method of abnormal traffic, characterized by being executed by an interception device connected in parallel with a network switching device, the method comprising:
collecting the copy data flow from a bypass on the network switching equipment, and identifying connection establishment process information used for establishing a Transmission Control Protocol (TCP) connection in the copy data flow, wherein the connection establishment process information is encrypted information;
in the connection establishment process information, identifying a first handshake message sent by a terminal to a website;
identifying domain name information of a website which a terminal needs to access in a key field of the first handshake message, and detecting an abnormal website according to the domain name information;
when a target website which a target terminal needs to access is determined to be an abnormal website according to the target first handshake message, generating TCP connection terminal blocking information matched with the target terminal;
and sending the TCP connection terminal blocking information to the target terminal so as to intercept the behavior of the target terminal accessing the target website.
2. The method of claim 1, wherein collecting the copied data traffic from the bypass on the network switching device comprises:
collecting, from the bypass on the network switching device, the copied data traffic based on the Hypertext Transfer Protocol Secure (HTTPS).
3. The method of claim 1, wherein identifying connection establishment process information for establishing a TCP connection in the copied data traffic comprises:
acquiring connection establishment process information which is sent by a terminal and/or a website and matched with a TCP three-way handshake process in the copy data flow;
in the connection establishment process information, identifying a first handshake message sent by the terminal to the website includes:
and identifying, in the connection establishment process information, a Client Hello message matched with the first-stage handshake of the Transport Layer Security (TLS) protocol.
4. The method according to any one of claims 1 to 3, wherein, while generating TCP connection terminal blocking information matching the target terminal, the method further comprises:
generating TCP connection website blocking information matched with the target website;
and sending the TCP connection website blocking information to the target website so as to intercept the behavior of the target website for feeding back response information to a target terminal.
5. The method according to any one of claims 1 to 3, wherein generating TCP connection terminal blocking information matching the target terminal comprises:
constructing, according to the identification information of the target terminal and the target website, denial-of-service information directed from the target website to the target terminal, and using it as the TCP connection terminal blocking information;
generating TCP connection website blocking information matched with the target website, including:
and constructing, according to the identification information of the target terminal and the target website, disconnection information directed from the target terminal to the target website, and using it as the TCP connection website blocking information.
6. A method for identifying an abnormal domain name, wherein the method is performed by a collecting device connected in parallel with a network switching device, and the method comprises the following steps:
collecting the copy data flow from a bypass on the network switching equipment, and identifying the connection establishment process information for establishing a Transmission Control Protocol (TCP) connection in the copy data flow, wherein the connection establishment process information is encrypted information;
in each connection establishing process information, identifying a first handshake message sent by a terminal to a website, and analyzing a key field of the first handshake message to obtain domain name information of the website;
detecting whether the domain name information is stored in a known domain name library, if not, performing simulated access on the domain name information of the website to obtain a response message fed back by the website;
and if the website is determined to be an abnormal website according to the response message, storing the domain name information in an abnormal domain name library.
7. An apparatus for intercepting abnormal traffic, performed by an intercepting device connected in parallel to a network switching device, the apparatus comprising:
the connection establishment process information identification module is used for collecting the copy data flow from a bypass on the network switching equipment and identifying the connection establishment process information used for establishing the Transmission Control Protocol (TCP) connection in the copy data flow, wherein the connection establishment process information is encrypted information;
the first handshake message identification module is used for identifying a first handshake message sent by the terminal to a website in the connection establishment process information;
the abnormal website detection module is used for identifying the domain name information of the website to be accessed by the terminal in the key field of the first handshake message and detecting the abnormal website according to the domain name information;
the terminal blocking information generating module is used for generating TCP connection terminal blocking information matched with the target terminal when the target website required to be accessed by the target terminal is determined to be an abnormal website according to the target first handshake message;
and the terminal blocking information sending module is used for sending the TCP connection terminal blocking information to the target terminal so as to intercept the behavior of the target terminal accessing the target website.
8. An apparatus for identifying an abnormal domain name, which is executed by a collecting device connected in parallel with a network switching device, the apparatus comprising:
the connection establishment process information identification module is used for collecting the copy data flow from a bypass on the network switching equipment and identifying the connection establishment process information used for establishing Transmission Control Protocol (TCP) connection in the copy data flow, wherein the connection establishment process information is encrypted information;
a domain name information analyzing module, configured to identify a first handshake message sent by a terminal to a website in each connection establishment process information, and analyze a key field of the first handshake message to obtain domain name information of the website;
a response message acquisition module, configured to detect whether the domain name information is stored in a known domain name library, and if not, perform simulated access on the domain name information of the website to acquire a response message fed back by the website;
and the abnormal domain name storage module is used for storing the domain name information into an abnormal domain name library if the website is determined to be an abnormal website according to the response message.
9. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the method for intercepting abnormal traffic by an intercepting device according to any one of claims 1 to 5 or implements the method for identifying an abnormal domain name by a collecting device according to claim 6 when executing the computer program.
10. A storage medium having computer-executable instructions stored thereon, characterized in that, when executed by a processor, the instructions implement the method for intercepting abnormal traffic performed by an intercepting device according to any one of claims 1 to 5, or implement the method for identifying an abnormal domain name performed by a collecting device according to claim 6.
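The domain name extraction that the module description of embodiment six (module 620) and claims 1, 3 and 6 rely on, as an added example that is not code from the patent or from Eversec: a parser for the server_name (SNI) extension of a TLS ClientHello, a check that the SYN / SYN-ACK / ACK handshake preceded it, and a lookup against a known-domain library. The packets, addresses, flag strings and the known-domain set are constructed for the demo, and `build_client_hello` only fabricates sample input. The `unknown` outcome is where the patent's simulated access would begin; that step and the blocking step are not shown.

```python
import struct
from typing import List, Optional, Tuple

TLS_HANDSHAKE = 0x16       # TLS record content type: handshake
CLIENT_HELLO = 0x01        # handshake message type: ClientHello
EXT_SERVER_NAME = 0x0000   # server_name extension id (RFC 6066)
SNI_HOST_NAME = 0x00       # server_name name_type: host_name

Packet = Tuple[str, str, str, bytes]   # (src, dst, TCP flags, payload): constructed format


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Fabricate a minimal TLS 1.2 ClientHello record as sample input.
    A capture device would see these bytes on the mirror port instead."""
    body = b"\x03\x03" + bytes(32) + b"\x00"    # version, random, empty session id
    body += b"\x00\x02\xc0\x2f" + b"\x01\x00"   # one cipher suite, null compression
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = struct.pack("!BH", SNI_HOST_NAME, len(name)) + name
        data = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(data)) + data
        body += struct.pack("!H", len(ext)) + ext
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0303, len(hs)) + hs


def extract_sni(payload: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello, or None when the payload is not
    a ClientHello, is truncated, or carries no server_name extension."""
    try:
        if payload[0] != TLS_HANDSHAKE:
            return None
        rec_len = struct.unpack("!H", payload[3:5])[0]
        rec = payload[5:5 + rec_len]
        if len(rec) != rec_len or rec[0] != CLIENT_HELLO:
            return None
        hs = rec[4:4 + int.from_bytes(rec[1:4], "big")]
        pos = 2 + 32                                          # version + random
        pos += 1 + hs[pos]                                    # session id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]    # cipher suites
        pos += 1 + hs[pos]                                    # compression methods
        # a hello without an extensions block ends here; the unpack below then fails
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
            data = hs[pos + 4:pos + 4 + ext_len]
            if len(data) != ext_len:
                return None                                   # truncated extension
            pos += 4 + ext_len
            if ext_type == EXT_SERVER_NAME:
                list_end = 2 + struct.unpack("!H", data[:2])[0]
                p = 2
                while p + 3 <= list_end:                      # (name_type, length, name)*
                    ntype, nlen = struct.unpack("!BH", data[p:p + 3])
                    if ntype == SNI_HOST_NAME:
                        return data[p + 3:p + 3 + nlen].decode("ascii").lower()
                    p += 3 + nlen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def first_client_message(flow: List[Packet]) -> Optional[bytes]:
    """Confirm the SYN / SYN-ACK / ACK three-way handshake between terminal and
    website, then return the terminal's first data segment (claim 3)."""
    if len(flow) < 4:
        return None
    (t, w, f1, _), (s2, d2, f2, _), (s3, d3, f3, _) = flow[0], flow[1], flow[2]
    if not (f1 == "S" and (s2, d2, f2) == (w, t, "SA") and (s3, d3, f3) == (t, w, "A")):
        return None
    for src, dst, _, payload in flow[3:]:
        if src == t and dst == w and payload:
            return payload
    return None


def classify_flow(flow: List[Packet], known_domains) -> Tuple[str, Optional[str]]:
    """One flow's outcome: 'known' (skip), 'unknown' (queue for simulated
    access), 'no-sni' (website cannot be named), or 'no-handshake'."""
    msg = first_client_message(flow)
    if msg is None:
        return ("no-handshake", None)
    name = extract_sni(msg)
    if name is None:
        return ("no-sni", None)
    return ("known" if name in known_domains else "unknown", name)


# Constructed sample: known-domain library, addresses and one mirrored HTTPS flow.
KNOWN_DOMAINS = {"example.com", "update.example.net"}
TERMINAL, WEBSITE = "10.0.0.5:51000", "203.0.113.10:443"
SAMPLE_FLOW: List[Packet] = [
    (TERMINAL, WEBSITE, "S", b""),
    (WEBSITE, TERMINAL, "SA", b""),
    (TERMINAL, WEBSITE, "A", b""),
    (TERMINAL, WEBSITE, "PA", build_client_hello("Unknown-Site.Example.org")),
]

if __name__ == "__main__":
    print(classify_flow(SAMPLE_FLOW, KNOWN_DOMAINS))   # ('unknown', 'unknown-site.example.org')
```

Two caveats a practitioner would want when moving this off the sample data: a real ClientHello can span several TCP segments, so the collecting device needs stream reassembly before the first data segment is parsed, and a hello with no server_name entry (or with the name encrypted, as Encrypted Client Hello does) gives the `no-sni` outcome, in which case the website cannot be named from this field at all.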
CN202210630220.7A 2022-06-06 2022-06-06 Abnormal traffic interception and abnormal domain name identification method, device, equipment and medium Pending CN115037537A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210630220.7A CN115037537A (en) 2022-06-06 2022-06-06 Abnormal traffic interception and abnormal domain name identification method, device, equipment and medium

Publications (1)

Publication Number Publication Date
CN115037537A true CN115037537A (en) 2022-09-09

Family

ID=83123950

Country Status (1)

Country Link
CN (1) CN115037537A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115834256A (en) * 2023-02-17 2023-03-21 北京浩瀚深度信息技术股份有限公司 QuIC flow blocking method based on parallel connection network

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105721233A (en) * 2014-12-03 2016-06-29 北京奇虎科技有限公司 Website survival detection method, apparatus and system
CN107294918A (en) * 2016-03-31 2017-10-24 阿里巴巴集团控股有限公司 A kind of fishing webpage detection method and device
CN109347882A (en) * 2018-11-30 2019-02-15 深信服科技股份有限公司 Webpage Trojan horse monitoring method, device, equipment and storage medium
CN109450945A (en) * 2018-12-26 2019-03-08 成都西维数码科技有限公司 A kind of web page access method for safety monitoring based on SNI
CN109672651A (en) * 2017-10-17 2019-04-23 阿里巴巴集团控股有限公司 Intercepting processing method, system and the data processing method of website visiting
CN110535806A (en) * 2018-05-24 2019-12-03 中国移动通信集团重庆有限公司 Monitor method, apparatus, equipment and the computer storage medium of abnormal website
CN112187804A (en) * 2020-09-29 2021-01-05 北京金山云网络技术有限公司 Communication method and device of server, computer equipment and storage medium
CN113315678A (en) * 2021-05-26 2021-08-27 深圳市纽创信安科技开发有限公司 Encrypted TCP (Transmission control protocol) traffic acquisition method and device
CN114422200A (en) * 2021-12-28 2022-04-29 中国电信股份有限公司 Domain name interception method and device and electronic equipment


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination