CN115549980A - Network flow auditing device and method for protocol re-editing - Google Patents


Info

Publication number: CN115549980A
Authority: CN (China)
Prior art keywords: flow, traffic, protocol, module, editing
Legal status: Granted (status as listed by Google Patents; not a legal conclusion)
Application number: CN202211108789.3A
Other languages: Chinese (zh)
Other versions: CN115549980B (en)
Inventors: 宋宇宸, 张海山
Current assignee: Big Data Center Of Emergency Management Department
Original assignee: Big Data Center Of Emergency Management Department

Events:
Application filed by Big Data Center Of Emergency Management Department
Priority to CN202211108789.3A
Publication of CN115549980A
Application granted
Publication of CN115549980B
Legal status: Active

Classifications

    • H04L63/1425 Traffic logging, e.g. anomaly detection (under H04L63/14, detecting or protecting against malicious traffic, and H04L63/1408, by monitoring network traffic)
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L69/22 Parsing or analysis of headers (under H04L69/00, network arrangements, protocols or services independent of the application payload)
    • H04L63/168 Implementing security features at a particular protocol layer above the transport layer
    • Y02D30/50 Reducing energy consumption in wire-line communication networks, e.g. low power modes or reduced link rate


Abstract

The invention discloses a network traffic auditing device and method based on protocol re-editing, belonging to the technical field of traffic auditing. The device comprises a unified management module, a system API redirection module, a traffic property judgment module, an inbound traffic copy-and-print module and an outbound traffic edit-and-rewrite module. The unified management module manages the other modules over their full life cycle; the system API redirection module performs traffic hijacking inside the operating system; and the traffic property judgment module, the inbound traffic copy-and-print module and the outbound traffic edit-and-rewrite module together form the service logic that judges whether the relevant traffic meets the criteria and carries out the subsequent processing. The device and method can solve the problems of poor environmental adaptability, low throughput performance and serious data distortion found in conventional traffic auditing.

Description

Network flow auditing device and method for protocol re-editing
Technical Field
The invention relates to the technical field of traffic auditing, and in particular to a network traffic auditing device and method based on protocol re-editing.
Background
Network traffic auditing is a core component of a network security defense system: by collecting network traffic and performing security analysis on it, network attack behaviour can be accurately discovered. Existing network traffic auditing technology mainly comprises three approaches: traffic mirroring through a physical switch, traffic mirroring through the vRouter inside a cloud platform SDN node, and traffic mirroring of the server network card through an Agent plug-in. In each case, once the data has been exported, it is sent to a security analysis system for analysis and investigation.
Because of the limitations of network protocols, changes in application system architecture and the rapid development of cloud computing, the existing network traffic auditing technologies have a number of technical defects and find it difficult to perform effective auditing in real production networks. The main defects fall into the following three aspects:
(1) Poor environmental adaptability
At present, China is in a stage of rapid iteration of its information infrastructure, and moving applications to the cloud is the current mainstream direction of construction. However, for many reasons, including technical roadmaps and national regulations, a coexistence in which the cloud computing environment is primary and the traditional environment is secondary is certain to persist for the foreseeable future, so the chosen technical route must have strong environmental adaptability.
In a traditional environment the relevant data can be acquired by traffic mirroring through a physical switch. However, because cloud platforms are built with SDN technology, the real network traffic is encapsulated inside a VXLAN packet body, and unless SDN is abandoned, the real data cannot be obtained by mirroring traffic at the physical switch.
Part of the real data can be obtained by traffic mirroring through the vRouter in a cloud platform SDN node, but this method is constrained by the design of the overall cloud platform architecture: traffic exchanged between servers inside a VPC cannot be collected, which leaves a fairly serious monitoring blind spot in the auditing system as a whole.
Although all of the real data can be acquired by mirroring the server network card through an Agent plug-in, developers must iterate the plug-in for each different operating system and solve the resulting compatibility problems. For the Windows operating system in particular, updates arrive as often as once a week; this consumes a large amount of manpower, funding and material resources and amplifies the maintenance cost geometrically.
(2) Low throughput performance
Modern application systems have high-capacity, high-concurrency service scenarios, so a technical solution must first break through the performance bottleneck and guarantee the application system's basic operating environment; only then is there a basis for wider rollout and trial operation.
Mirroring the server network card through an Agent plug-in requires replacing the official native network card driver in the operating system. Developers need extremely strong low-level software development capability and must carry out targeted development for network cards of different brands. Limited by technical capability and capital cost, almost all developers instead develop in a compatibility mode; as a result, the built-in acceleration modules of the network cards are hard to invoke, and a serious performance bottleneck remains.
Traffic mirroring through the vRouter in the cloud platform SDN nodes cannot solve the performance bottleneck either. The SDN nodes carry the network traffic scheduling load of the entire cloud platform, the vRouter cluster formed from virtualized physical servers is not well suited to mirroring traffic, and mirroring can increase the performance load by more than 50%.
(3) Serious data distortion
With the spread of hybrid networking between cloud computing and traditional environments, network capabilities such as NAT, ELB and VPC create various internal networks inside the data center, and network traffic loses its original destination IP. At the same time, encrypted communication between applications is increasingly common, which makes auditing harder. The end result is that network traffic auditing data obtained at great cost cannot effectively support network security monitoring, early warning and emergency response.
Traffic mirroring through a physical switch can obtain the real data outside the cloud platform and bypass various network limitations through multi-node access, but the data inside the cloud platform is lost and encrypted traffic cannot be processed.
Traffic mirroring through the vRouter in a cloud platform SDN node can be delivered together with NAT and ELB logs, which solves the loss of the destination IP caused by some address translation, but it places high demands on operations staff, who must track the application deployment architecture and related specifications in real time, and the technology cannot solve the data encryption problem.
Mirroring the server network card through an Agent plug-in can obtain all of an application system's traffic, but for application systems that use cloud platform IaaS-layer components, the real IP address cannot be obtained because the relevant translation is performed by the cloud platform, and the technology has no suitable solution for encrypted traffic.
The information disclosed in this background section is only for enhancement of understanding of the general background of the invention and should not be taken as an acknowledgement or any form of suggestion that this information forms the prior art already known to a person skilled in the art.
Disclosure of Invention
The invention aims to provide a network traffic auditing device and method based on protocol re-editing that can solve the problems of poor environmental adaptability, low throughput performance and serious data distortion in conventional traffic auditing.
To achieve this purpose, the invention provides a network traffic auditing device for protocol re-editing, comprising a unified management module, a system API redirection module, a traffic property judgment module, an inbound traffic copy-and-print module and an outbound traffic edit-and-rewrite module;
the unified management module inspects the processes running in the operating system, screens out the processes that use an application-layer private protocol, and injects the system API redirection module, the traffic property judgment module, the inbound traffic copy-and-print module and the outbound traffic edit-and-rewrite module into the screened processes by DLL injection;
the system API redirection module rewrites the addresses in the PLT table of the screened process during system initialization, so that calls to the read and write functions of the Socket library are redirected to a custom-compiled DLL library;
the traffic property judgment module guides the traffic data into a buffer, redirects the traffic according to whether it is outbound or inbound, and sends it to the inbound traffic copy-and-print module or the outbound traffic edit-and-rewrite module, or releases it directly;
the inbound traffic copy-and-print module obtains inbound traffic from the buffer, copies it by memory copy, converts the inbound traffic data into a traffic log, and sends the log to an external log auditing server over the Syslog protocol for auditing;
the outbound traffic edit-and-rewrite module obtains outbound traffic from the buffer and, after reading the local network card and configuration file information, uses the extensibility of the application-layer protocol to write the process information, IP information, port information and session ID into the header of the outbound traffic packet.
In an embodiment of the present invention, the custom-compiled DLL library is a monitoring library: the screened process's calls are monitored by the custom-compiled DLL library and then forwarded to the system's original DLL library.
In an embodiment of the present invention, the traffic property judgment module is configured to analyze the traffic protocol and judge whether it is within the adaptation range; if so, the traffic is forwarded to the inbound traffic copy-and-print module or the outbound traffic edit-and-rewrite module, and if not, it is released directly so that the traffic's original function is executed. The adaptation range is the set of traffic parsing rules built into the custom DLL library.
In an embodiment of the present invention, the inbound traffic copy-and-print module is further configured to write the inbound traffic packet back into the buffer and wait for the service application to read and use it.
In an embodiment of the present invention, the outbound traffic edit-and-rewrite module is further configured to write the rewritten outbound packet back into the buffer, from which the system Socket sends it to the destination address.
The invention also provides a network traffic auditing method for protocol re-editing, comprising the following steps:
S1: inspect the processes running in the operating system, screen out the processes using an application-layer private protocol, and execute steps S2 to S5 in the screened processes by DLL injection;
S2: rewrite the addresses in the PLT table of the screened process during system initialization, so that calls to the read and write functions of the Socket library are redirected to a custom-compiled DLL library;
S3: guide the traffic data into a buffer, redirect the traffic according to whether it is outbound or inbound, and either carry out step S4 or S5 or release the traffic directly;
S4: obtain inbound traffic from the buffer, copy it by memory copy, convert the inbound traffic data into a traffic log, and send the log to an external log auditing server over the Syslog protocol for auditing;
S5: obtain outbound traffic from the buffer and, after reading the local network card and configuration file information, use the extensibility of the application-layer protocol to write the process information, IP information, port information and session ID into the header of the outbound traffic packet.
In an embodiment of the present invention, the custom-compiled DLL library is a monitoring library: the screened process's calls are monitored by the custom-compiled DLL library and then forwarded to the system's original DLL library.
In an embodiment of the present invention, step S3 further includes: analyzing the traffic protocol and judging whether it is within the adaptation range; if so, forwarding the traffic to the inbound traffic copy-and-print module or the outbound traffic edit-and-rewrite module, and if not, releasing it directly so that the traffic's original service function is executed. The adaptation range is the set of traffic parsing rules built into the custom DLL library.
In an embodiment of the present invention, after step S4 is completed, the inbound traffic packet is written back into the buffer and waits for the service application to read and use it.
In an embodiment of the present invention, after step S5 is completed, the rewritten outbound traffic packet is written back into the buffer and sent to the destination address by the system Socket.
Compared with the prior art, the network traffic auditing device and method for protocol re-editing provided by the invention address the difficulty of building a network security system during national digital transformation. By developing a new generation of network traffic auditing technology, they acquire accurate, real and complete network traffic data, overcome the defects of poor environmental adaptability, low throughput performance and serious data distortion in the prior art, and provide efficient support for building the network security system of a modern hybrid data center.
Drawings
FIG. 1 is a schematic diagram of a network traffic auditing apparatus for protocol re-editing according to an embodiment of the present invention;
FIG. 2 is a flow diagram of a method for network traffic auditing for protocol re-editing according to an embodiment of the present invention;
FIG. 3 is a traffic data diagram of a network traffic auditing method for protocol re-editing according to an embodiment of the invention.
Detailed Description
The following detailed description of the present invention is provided in conjunction with the accompanying drawings, but it should be understood that the scope of the present invention is not limited to the specific embodiments.
Throughout the specification and claims, unless explicitly stated otherwise, the word "comprise", or variations such as "comprises" or "comprising", will be understood to imply the inclusion of a stated element or component but not the exclusion of any other element or component.
As shown in FIGS. 1 and 2, a network traffic auditing apparatus for protocol re-editing according to a preferred embodiment of the present invention includes a unified management module 1, a system API redirection module 2, a traffic property judgment module 3, an inbound traffic copy-and-print module 4, and an outbound traffic edit-and-rewrite module 5. Inbound traffic is traffic received by the protocol re-editing network traffic auditing device, and outbound traffic is traffic sent by it.
The unified management module 1 manages the other modules over their full life cycle, the system API redirection module 2 performs traffic hijacking inside the operating system, and the traffic property judgment module 3, the inbound traffic copy-and-print module 4 and the outbound traffic edit-and-rewrite module 5 together form the service logic that judges whether the relevant traffic meets the criteria and carries out the subsequent processing.
The unified management module 1 is responsible for keep-alive, initialization and similar housekeeping of the whole service program. Once running, it checks the process name, listening ports, process type, process version number and so on of every process running in the operating system, screens out the processes that use the HTTP protocol, a database protocol or another application-layer private protocol, and injects the system API redirection module 2, the traffic property judgment module 3, the inbound traffic copy-and-print module 4 and the outbound traffic edit-and-rewrite module 5 into the screened processes by DLL injection.
After the system API redirection module 2 has been injected into a screened process, it rewrites the addresses in the PLT table of that process during system initialization, so that calls to the read and write functions of the Socket library on Windows and Linux systems are redirected to a custom-compiled DLL library, which carries out the functions of the traffic property judgment module 3, the inbound traffic copy-and-print module 4 and the outbound traffic edit-and-rewrite module 5.
The system's original DLL library provides the communication function, and the custom-compiled DLL library is a monitoring layer on top of it: the screened process originally calls the system function directly, and after the PLT is rewritten the call passes through the monitoring of the custom-compiled DLL library and is then forwarded to the system's original DLL library. Specifically, after the processes that meet the conditions have been screened out, the custom-compiled DLL is injected into the target process, and data passes through the custom-compiled DLL before being forwarded to the system's original DLL library.
The traffic property judgment module 3 guides the traffic data into the buffer, redirects the traffic according to whether it is outbound or inbound, and sends it to the inbound traffic copy-and-print module 4 or the outbound traffic edit-and-rewrite module 5, or releases it directly. The guided traffic is the traffic generated by communication, whether actively initiated or passively received. Traffic is first stored in the buffer and then processed; exchanging data through the buffer allows multithreaded parallel operation.
Specifically, the traffic property judgment module 3 analyzes the traffic protocol and judges whether it is within the adaptation range, that is, within the set of traffic parsing rules built into the custom DLL library. Because traffic editing (re-modification) is involved, the traffic content must be identified first to decide whether this type of traffic is supported for parsing. If the protocol is within the adaptation range (for example the HTTP protocol), the traffic is forwarded to the inbound traffic copy-and-print module 4 or the outbound traffic edit-and-rewrite module 5; if not, it is released directly and the system's original DLL library executes the traffic's original service function.
The inbound traffic copy-and-print module 4 obtains inbound traffic from the buffer, copies it by memory copy, converts the inbound traffic data into a traffic log with a traffic parsing engine, sends the log to an external log auditing server in Syslog form for auditing, and when finished writes the inbound traffic packet back into the buffer to wait for the service application to read and use it.
The specific operation of converting inbound traffic data into a traffic log depends on the data type: for example, the HTTP protocol requires parsing the source address, destination address, port number and so on, while the SQL protocol requires parsing the SQL statement. The Syslog protocol used is a standard for delivering log messages over IP (TCP/IP) networks.
The outbound traffic edit-and-rewrite module 5 obtains outbound traffic from the buffer and, after reading the local network card and configuration file information, uses the extensibility of the application-layer protocol to add a parameter value to the header of the outbound traffic packet, writing the process information, IP information, port information and session ID into that value. When finished, it writes the outbound traffic packet back into the buffer, from which the system Socket sends it to the destination address.
Adding the parameter value to the outbound traffic packet header is done in one of two ways:
1: Inside the protocol. The original protocol is left intact and the parameter value is written in using the protocol's own extensibility; for example, the HTTP protocol allows the desired data to be added to the packet header.
2: Outside the protocol (around the whole packet). When the original protocol offers no extensibility, for example because its format is fixed and no custom data segment can be inserted, the protocol can only be encapsulated, in which case the opposite end must unpack (decapsulate) it.
The invention is mainly based on two techniques: traffic editing based on application-layer protocol extension, and custom API implantation based on system API redirection. The specific contents are as follows:
(1) Traffic editing based on application-layer protocol extension. In a hybrid data center, external factors (cloud platform traffic and logs are hard to export) and internal factors (address translation introduced by the system and network architecture) mean that the data-fracture problem is hard to solve by any means at the network layer. Network-layer protocols are inherently constrained by their specifications and are hard to extend or reshape in any way, whereas the application layer has a certain extensibility. By independently studying different types of application-layer protocols, the invention finds the extension mechanism of each, writes local information into the Header or Body, and uses the application-layer protocol as a carrier to pass through network-layer barriers and limitations.
(2) Custom API implantation based on system API redirection. Loading a network card driver involves large later-stage costs in every respect and brings problems such as system instability and poor performance. By studying the architecture and characteristics of the operating system in depth, the application-layer protocol processing modules developed by this method are packaged into a custom API adapted to the operating system, which replaces the original public API. When a service module calls the public API it is redirected to the custom API, which performs operations such as protocol extension and log printing; this ultimately avoids the data distortion caused by network fragmentation and obtains the complete real data within the data center.
As shown in fig. 3, a protocol re-editing network traffic auditing method according to a preferred embodiment of the present invention includes the following steps:
s1: and checking the operating system running process, and screening out the process using the application layer private protocol.
The step S1 is also responsible for the operations of keeping alive, initializing, and the like of the whole service program. After running, checking the process names, the monitoring ports, the types of the processes, the process version numbers and the like of all running processes in the operating system, screening out the processes using the Http protocol, the database protocol and other application layer private protocols, and then executing the steps S2-S5 in the processes in a DLL injection mode.
S2: address rewriting is carried out on the PLT table in the process screened in the step S1 through system initialization, and reading and writing functions for calling Socket libraries in Windows and Linux systems are changed into a custom-compiled DLL library.
The original DLL library of the system provides a communication function, and the custom-compiled DLL library is a layer of monitoring library, namely the original process communication directly calls a system function, and the system function is forwarded to the original DLL library of the system through the custom-compiled DLL library after the PLT is rewritten through monitoring. Specifically, after processes meeting content conditions are screened out, custom-compiled DLL is injected into a target process, and data can pass through the custom-compiled DLL and then are forwarded to an original DLL library of the system.
S3: and (4) guiding the flow data into a buffer area, redirecting the flow by judging whether the flow is outbound flow or inbound flow, and executing the steps S4 and S5 or directly releasing the flow.
Specifically, a flow protocol is analyzed, whether the flow protocol is in an adaptation range or not is judged, and the adaptation range refers to a range of a flow analysis rule built in a custom DLL library, and because flow editing (re-modification) is involved, flow content must be identified first, and whether the type of flow analysis is supported or not is judged; if the protocol is in the adaptation range (such as the Http protocol), step S4 or S5 is performed, and if the protocol is not in the adaptation range, the protocol is directly released, and the original DLL library of the system executes the original traffic function of the traffic.
S4: and acquiring inbound traffic from the buffer, copying the inbound traffic in a memory copy mode, converting related data into a traffic log by using a traffic analysis engine, and sending the traffic log to an external log audit server for auditing in a Syslog mode.
After completion, the data packet of the inbound traffic is rewritten into the buffer and waits for the service application to read.
Specifically, the specific operation of converting inbound traffic data into a traffic log needs to look at the data type, for example, the HTTP protocol needs to resolve an original address, a destination address, a port number, and the like, and the SQL protocol needs to resolve an SQL statement. The Syslog protocol employed is a standard for delivering record messages over a network of internet protocols (TCP/IP).
S5: acquire outbound traffic from the buffer, read the local network card and configuration file information, then add parameter values to the outbound packet header (Header) using the extensibility of the application layer protocol, writing the process information, IP information, port information and session ID into those parameter values.
After completion, the rewritten outbound packet is written back into the buffer and sent to the destination address by the system Socket.
Adding the parameter values to the outbound packet header can be done in one of two ways:
1: Inside the protocol. The original protocol is not broken; the parameter values are written in using the protocol's own extensibility. For example, the HTTP protocol allows the desired data to be added to the packet header.
2: Outside the protocol (around the whole packet). The original protocol may offer no extensibility, for example because its format is fixed and a custom data segment cannot be inserted; then the only option is to encapsulate the protocol, and in that case the opposite end has to unpack (decapsulate) the packet.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The foregoing descriptions of specific exemplary embodiments of the present invention have been presented for purposes of illustration and description. It is not intended to limit the invention to the precise form disclosed, and obviously many modifications and variations are possible in light of the above teaching. The exemplary embodiments were chosen and described in order to explain certain principles of the invention and its practical application to enable one skilled in the art to make and use various exemplary embodiments of the invention and various alternatives and modifications as are suited to the particular use contemplated. It is intended that the scope of the invention be defined by the claims and their equivalents.

Claims (10)

1. A network flow auditing device for protocol re-editing is characterized by comprising a unified management module, a system API redirection module, a flow property judgment module, an inbound flow copying and printing module and an outbound flow editing and rewriting module;
the unified management module checks the operating system running process, screens out the process using the application layer private protocol, and injects the system API redirection module, the flow property judgment module, the inbound flow copying and printing module and the outbound flow editing and rewriting module into the screened process in a DLL injection mode;
the system API redirection module is used for rewriting the address of the PLT table in the screened process through system initialization, and calling reading and writing functions of the Socket library to change the reading and writing functions into a custom-compiled DLL library;
the flow property judging module is used for guiding flow data into a buffer area, redirecting the flow by judging whether the flow is outbound flow or inbound flow, and sending the flow to the inbound flow copying and printing module, the outbound flow editing and rewriting module or directly releasing the flow;
the inbound traffic copying and printing module is used for acquiring inbound traffic from the buffer area, copying the inbound traffic in a memory copying mode, converting inbound traffic data into a traffic log, and sending the traffic log to an external log auditing server for auditing in a Syslog protocol mode;
the outbound flow editing and rewriting module is used for acquiring outbound flow from the buffer area, and writing process information, IP information, port information and session ID in an outbound flow data packet header by utilizing the expandability of an application layer protocol after calling a local network card and configuration file information.
2. The protocol re-editing network traffic auditing apparatus of claim 1, wherein the custom-compiled DLL library is a monitoring library, and the communication of the screened process is forwarded to the system's native DLL library after being monitored by the custom-compiled DLL library.
3. The apparatus according to claim 1, wherein the traffic property determination module is configured to analyze a traffic protocol, determine whether the traffic protocol is within an adaptation range, forward the traffic protocol to the inbound traffic copy printing module or the outbound traffic editing and rewriting module if the traffic protocol is within the adaptation range, and directly release the traffic function if the traffic protocol is not within the adaptation range to execute an original traffic function of the traffic; the adaptation range refers to a range of a flow analysis rule built in a custom DLL library.
4. The protocol re-editing network traffic auditing apparatus of claim 1 where the inbound traffic copy print module is further to re-write packets of inbound traffic into a buffer, awaiting read use by a business application.
5. The protocol re-editing network traffic auditing device of claim 1, wherein the outbound traffic editing re-writing module is further configured to re-write packets of outbound traffic into a buffer for transmission by a system Socket to a destination address.
6. A network flow auditing method for protocol re-editing is characterized by comprising the following steps:
S1: checking the operating system running process, screening out the process using the application layer private protocol, and executing the steps S2-S5 in the screened process in a DLL injection mode;
S2: address rewriting is carried out on a PLT table in a screened process through system initialization, and a reading function and a writing function of a Socket library are called to be changed into a user-defined compiled DLL library;
S3: the flow data is guided to a buffer area, the flow is redirected by judging whether the flow is outbound flow or inbound flow, and steps S4 and S5 are carried out or the flow is directly released;
S4: obtaining inbound traffic from a buffer, copying the inbound traffic in a memory copy mode, converting inbound traffic data into a traffic log, and sending the traffic log to an external log audit server for auditing in a Syslog protocol mode;
S5: acquiring outbound flow from the buffer area, and writing process information, IP information, port information and session ID in an outbound flow data packet header by utilizing the expandability of an application layer protocol after calling the local network card and the configuration file information.
7. The method for network traffic auditing of protocol re-editing of claim 6, wherein the custom-compiled DLL library is a monitoring library, and the communication of the screened process is forwarded to the system's native DLL library after being monitored by the custom-compiled DLL library.
8. The protocol reediting network traffic auditing method of claim 6 in which step S3 further comprises: analyzing the protocol of the flow, judging whether the protocol of the flow is in an adaptation range, if so, forwarding the protocol to the inbound flow copying and printing module or the outbound flow editing and rewriting module, and if not, directly releasing the protocol to execute the original service function of the flow; the adaptation range refers to a range of a flow analysis rule built in a custom DLL library.
9. The method for auditing network traffic for protocol re-editing according to claim 6, where after step S4 is completed, packets of inbound traffic are re-written into the buffer, waiting for read use by the service application.
10. The protocol reediting network traffic auditing method of claim 6 where after step S5 is completed, the outbound traffic packet is rewritten and written into a buffer and sent by the system Socket to the destination address.
Priority Applications (1)

Application number CN202211108789.3A, priority date 2022-09-13, filing date 2022-09-13: Network flow auditing device and method for protocol re-editing (granted as CN115549980B, status Active).

Publications (2)

CN115549980A, published 2022-12-30
CN115549980B, published 2023-04-18

Family

ID=84725029; country status: CN (1), CN115549980B



Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant