CN115664739A - Active user identity attribute detection method and system based on traffic feature matching


Info

Publication number: CN115664739A
Authority: CN (China)
Prior art keywords: target, traffic, text message, message, length
Legal status: Granted
Application number: CN202211266240.7A
Other languages: Chinese (zh)
Other versions: CN115664739B (en)
Inventors: 郭山清, 吕凤岩, 胡程瑜, 唐朋, 刘成, 刘晓峰
Current assignee: Shandong University
Original assignee: Shandong University
Application filed by Shandong University
Priority to CN202211266240.7A
Publication of CN115664739A
Application granted
Publication of CN115664739B
Legal status: Active

Classification

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses an active user identity attribute detection method and system based on traffic feature matching. The method obtains the IP addresses of a target group and of a target user client to be tested; constructs a first test user account and a second test user account and adds both to the target group; sends a probe text message to the target group through the first test user account; captures, while the probe is being sent, the traffic generated by the target user client and the traffic generated by the second test user account; extracts the instant messaging application's encrypted traffic from both captures; builds, according to the mapping between text message length and traffic length, a message traffic event queue for each extracted encrypted traffic; computes the optimal correlation between the event queues of the target user client and of the second test user account; and compares the optimal correlation with a set threshold to decide whether the target user client has the attribute of the target group.

Description

Active user identity attribute detection method and system based on traffic feature matching
Technical Field
The invention relates to the technical field of identity authentication, in particular to an active user identity attribute detection method and system based on traffic feature matching.
Background
The statements in this section merely provide background information related to the present disclosure and may not constitute prior art.
Popular instant messaging (IM) applications almost all deploy an encryption scheme (end-to-end, or end-to-server-to-end) to protect user communications. Existing methods for detecting a user's identity attribute on an IM application are either based on vulnerability mining or are passive detection methods based on traffic feature matching; both are hard to implement and perform poorly.
(1) Since IM applications all deploy encryption, vulnerability mining targets weaknesses in the encryption protocol and human-introduced bugs in the protocol implementation. Because the encryption schemes of the major IM applications use state-of-the-art cryptography, mining protocol weaknesses is very hard to analyse and rarely pays off; finding implementation bugs requires solid code analysis and reverse engineering skills and is subject to many unstable factors. Moreover, once a vulnerability is discovered the IM provider can fix it quickly.
(2) IM applications have very many users with heterogeneous client environments. Passive detection based on traffic feature matching is constrained by many factors: although it achieves some effect in a simulated environment, the real effect is often unsatisfactory, because a target user's real environment is more complex than the simulation, detection takes longer and success is harder.
The inventors found that the prior art cannot verify a user's identity attribute without disclosing the user's private data.
Disclosure of Invention
To remedy the defects of the prior art, the invention provides an active user identity attribute detection method and system based on traffic feature matching. Using an IM application account, it collects the messages and traffic of a target group or channel the account has joined, analyses the correspondence between messages and traffic, constructs and sends an active probe text message, and performs traffic feature matching between the encrypted communication traffic of a target user and that of the target group, thereby deciding whether the target user has the identity attribute of the target group. This addresses the high difficulty, long duration and unstable accuracy of passive detection.
In a first aspect, the invention provides an active user identity attribute detection method based on traffic feature matching;
the method is applied to an instant messaging application server and comprises the following steps:
obtaining the IP addresses of a target group and of a target user client to be tested, where the attribute of the target group is known; constructing a first test user account and a second test user account, and adding both test accounts to the target group; sending a probe text message to the target group through the first test user account;
while the probe text message is being sent, capturing the traffic generated by the target user client and the traffic generated by the second test user account; extracting the instant messaging application's encrypted traffic from each of the two captures;
building, according to the mapping between text message length and traffic length, a message traffic event queue for the encrypted traffic extracted at the target user client and one for that extracted at the second test user account; computing the optimal correlation between the two message traffic event queues;
and comparing the optimal correlation with a set threshold to decide whether the target user client has the attribute of the target group.
In a second aspect, the invention provides an active user identity attribute detection system based on traffic feature matching;
the system is applied to an instant messaging application server and comprises:
an acquisition module configured to obtain the IP addresses of a target group and of a target user client to be tested, where the attribute of the target group is known, to construct a first test user account and a second test user account, and to add both test accounts to the target group;
a probe text message sending module configured to send a probe text message to the target group through the first test user account;
an encrypted traffic extraction module configured to capture, while the probe text message is being sent, the traffic generated by the target user client and the traffic generated by the second test user account, and to extract the instant messaging application's encrypted traffic from each capture;
an event queue building module configured to build, according to the mapping between text message length and traffic length, a message traffic event queue for the encrypted traffic of the target user client and one for that of the second test user account, and to compute the optimal correlation between the two queues;
an attribute detection module configured to compare the optimal correlation with a set threshold to decide whether the target user client has the attribute of the target group.
Compared with the prior art, the invention has the following beneficial effects:
(1) Compared with methods based on vulnerability mining, it avoids the difficulty of finding vulnerabilities and the many factors that influence them, greatly improving the stability of detection;
(2) Compared with passive detection based on traffic feature matching, constructing and actively sending a probe text message achieves a good detection result in a short time, resolving the problems of a complex target environment, long detection time and unstable accuracy.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, are included to provide a further understanding of the invention; they illustrate exemplary embodiments of the invention and together with the description serve to explain the invention, not to limit it.
FIG. 1 is a block diagram of the system of the invention;
FIG. 2 shows the structure of messages and traffic according to the invention;
FIG. 3 is a block diagram of the algorithm of the traffic feature matching module of the invention;
FIG. 4 is a flowchart of the overall procedure of the invention.
Detailed Description
It is to be understood that the following detailed description is exemplary and is intended to provide further explanation of the invention as claimed. Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs.
It is noted that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of exemplary embodiments according to the invention. As used herein, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise, and it should be understood that the terms "comprises" and "comprising", and any variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
The embodiments and features of the embodiments of the present invention may be combined with each other without conflict.
All data in the embodiments were obtained and used lawfully, in compliance with laws and regulations and with user consent.
Interpretation of terms: an Internet Protocol Address (IP address) is the uniform address format provided by the IP protocol; it assigns a logical address to every network and every host on the Internet so as to mask differences between physical addresses.
Example one
This embodiment provides an active user identity attribute detection method based on traffic feature matching;
the method is applied to an instant messaging application server and comprises the following steps:
S101: obtaining the IP addresses of a target group and of a target user client to be tested, where the attribute of the target group is known; constructing a first test user account and a second test user account, and adding both test accounts to the target group;
S102: sending a probe text message to the target group through the first test user account;
S103: while the probe text message is being sent, capturing the traffic generated by the target user client and the traffic generated by the second test user account; extracting the instant messaging application's encrypted traffic from each of the two captures;
S104: building, according to the mapping between text message length and traffic length, a message traffic event queue for the encrypted traffic extracted at the target user client and one for that extracted at the second test user account; computing the optimal correlation between the two message traffic event queues;
S105: comparing the optimal correlation with a set threshold to decide whether the target user client has the attribute of the target group.
Further, after the two test user accounts have been added to the target group and before the probe text message is sent through the first test user account, the method also includes: obtaining, through the first test user account, the historical text messages generated in the target group's communication and the traffic corresponding to them; deriving the mapping between text message length and traffic length; counting how often text messages of each length occur; and constructing the probe text message according to those occurrence frequencies.
This technical scheme can assist a supervising authority in judging the identity attribute of a target user client with a known IP address against a target group whose attribute is known: whether the target user client has joined the current target group and therefore has the group's attribute. It thus helps the authority reach an identity judgement about the target user client.
It can likewise assist in judging the identity attributes of all IP addresses associated with a target group of known attribute, deciding for each user client whether it has joined the current target group and has its attribute.
For example, a target group may be suspected of having a nature such as "gambling" or "telecom fraud". To protect user privacy, the instant messaging application server cannot provide the supervising authority with users' basic information or chat content, but it can provide auxiliary analysis of whether some user client IP has joined the group, helping the authority remind the target user client about the safe use of funds.
Further, the historical text messages generated in the target group's communication and their corresponding traffic are obtained through the first test user account using the application's API functions and the packet capture tool tcpdump.
It should be understood that the mapping between text message length and traffic length is fixed: the structure of a sent message is fixed and the encryption algorithm is built into the client and does not change, so text message length and encrypted traffic length have a definite correspondence. Note that the correspondence need not be one-to-one: a cipher or transport that pads to a block size maps several text lengths to the same traffic length, and the mapping learned from historical messages records whatever granularity the application actually exhibits.
Further, the mapping between text message length and traffic length is obtained by pairing a text message with the traffic observed at the same point in time.
Further, counting the occurrence frequency of text messages of different lengths and constructing the probe text message according to it specifically includes:
finding, from those frequencies, the text message length that occurs least often, and constructing at that length a probe text message that fits the target group's chat scenario. The rarest length is chosen so that the packet length it maps to is the one least likely to coincide with ordinary group traffic during the detection window.
Further, the probe text message that fits the target group's chat scenario is generated at the lowest-frequency length by a trained neural network, trained as follows:
construct a training set consisting of the target group's historical text messages with known topic and known text length; use the text message topic and the target text length as the inputs of the neural network and the historical text message as its output; train the network so that the length of its output equals the target text length.
Illustratively, text message topics include "gambling", "telecom fraud" and the like.
Further, constructing the probe text message at the lowest-frequency length specifically means:
giving the trained network the topic of the target group's text messages and the lowest-frequency text message length as inputs, and obtaining as output a probe text message that fits the target group's chat scenario and whose length is that lowest-frequency length.
Further, capturing the traffic generated by the target user client and by the second test user account while the probe text message is being sent means: using the packet capture tool tcpdump to capture both captures, timed to the sending time of the probe text message.
It should be understood that the invention assumes the second test user account has joined exactly one group, the target group, whereas the target user client may have joined the target group, may not have joined it, or may have joined other groups in addition to it.
Further, the probe text message is sent actively to the target group using the IM application's API functions or a software daemon script.
Further, the instant messaging application's encrypted traffic is extracted from the traffic captured at the target user client and at the second test user account. Here encrypted traffic means traffic sent to the Internet after all content that must be encrypted has been encrypted with the encryption algorithm prescribed by the application's protocol; the content that must be encrypted comprises the text message, the message attachment header and the message length.
The extraction proceeds as follows:
determine the expected length of the application's encrypted traffic from the length of the probe text message and the mapping between text message length and traffic length;
extract the application's encrypted traffic by that expected length.
Further, a message traffic event queue is built from the encrypted traffic extracted for the target user client and another from that extracted for the second test user account. A message traffic event is a traffic packet described by two attributes, time and length; a message traffic event queue is a number of such events ordered by time.
The queue is built by converting the time and length attributes of each packet of the encrypted traffic into a message traffic event, one by one, and ordering the events chronologically.
Further, computing the optimal correlation between the message traffic event queues of the target user client and of the second test user account specifically means:
set a lower and an upper limit for the time difference between the two message traffic event queues and a step size for sliding; slide the two event queues against each other step by step; at each position count how many events of the second test user account's queue can be associated with an event of the target user client's queue, and divide by the total number of events in the second test user account's queue to obtain a correlation; the largest correlation obtained is the optimal correlation. Two events can be associated when both their time difference and their length difference lie within the set ranges.
Illustratively, the encrypted traffic packets of the target user and of the target group are traversed; the time, length and other key features of the packets that fit the length mapping of the probe text message are extracted to give the message traffic event queues of the target user and of the target group; the two queues are slid forwards and backwards within a bounded window in 0.1 s steps to remove the interference of network jitter; and the optimal correlation of the two queues is obtained.
Further, comparing the optimal correlation with a set threshold to decide whether the target user client has the attribute of the target group specifically includes:
if the optimal correlation is below the threshold, the target user is not in the target group; if it is above the threshold, the target user is in the target group.
Alternatively, the comparison is cast as a hypothesis test grounded in reality:
with G the target group, for any IM user U the test decides which of the following hypotheses holds:
H0: user U is not associated with the target group G, i.e. U is not a member of G, and the correlation is below the decision threshold;
H1: user U is associated with the target group G, i.e. U is a member of G, and the correlation is above the decision threshold.
Fig. 1 is a block diagram of the system of the invention.
The message and encrypted traffic mapping modelling part adds an IM application account to the target group or channel via an API function, calls the API to obtain the message records of the group or channel, captures the IM application's encrypted communication traffic with tcpdump at the same time, analyses the mapping between the obtained messages and traffic packets, and tallies features such as the length, time and occurrence frequency of messages and packets.
The statistical model is established as follows:
Input: a message record json file and a traffic pcap file;
Output: a model feature mod file;
(1) read the message structure messages from the message record json file;
(2) read the packet structure packets from the traffic pcap file; obtain the message lengths in messages;
(3) traverse messages[] and extract the length and time of each text message;
(4) traverse packets[] and extract the length and time of each encrypted traffic packet;
(5) traverse messages and packets and derive the mapping between messages and packets from their time order and length features;
(6) count the occurrence frequency of each length;
(7) create the mod file and write each feature node.
The probe text message construction and active sending part designs and constructs the probe text message and sends it actively to the target group using the IM application's API functions or a software daemon script.
The traffic acquisition and filtering part captures the traffic of the target user and of the target group with tcpdump, traverses all packets, and filters out and extracts the IM encrypted communication traffic by its length features.
The traffic feature matching part filters redundant packets such as the IM application's heartbeat packets out of the encrypted traffic by their length, analyses the encrypted traffic of the target user and of the target group to obtain their message traffic event queues, slides the two queues forwards and backwards within a bounded window in 0.1 s steps to remove the interference of network jitter, and obtains the optimal correlation of the two queues.
The hypothesis judgement part sets the decision threshold from the results of a large number of experiments and, combining the obtained optimal correlation with the hypothesis test, judges whether the matching degree exceeds the threshold. If it does, the target user is associated with the target group and has its identity attribute; if it does not, the target user is not associated with the target group and lacks that attribute.
Fig. 2 shows the structure of messages and traffic according to the invention. In the linked list,
node["Text_Length"] stores the length of a text message;
node["Packet_Length"] stores the length of the encrypted traffic packet corresponding to that message;
node["Time_Diff"] is the difference between the sending time of the text message and the time the encrypted traffic packet forwarded by the server reaches the client; it is used to judge the timing error affecting the active probe text message;
node["Num_length"] stores how often text messages of that length, and their corresponding encrypted traffic packet length, occur.
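The statistical-model steps (1) to (7) and the Fig. 2 node layout, carried out in code. This is an added example and not the patent's own program: it assumes message records as a JSON array of {"date", "text"} objects, traffic as the text output of tcpdump -tt -n rather than a pcap, a first-test-account client at 10.0.0.5 talking to a server at 203.0.113.10:443, and a 24-byte heartbeat; the sample messages and capture lines are constructed, with packet length = text length + 44 chosen arbitrarily for the sample.

```python
# Added example: statistical model of text length -> encrypted packet length
# (Fig. 2 nodes Text_Length / Packet_Length / Time_Diff / Num_length) and probe
# length selection. Not the patent's code; schema, addresses and sample data are
# assumptions constructed for this example.
import json
import re
from collections import defaultdict

# One line of `tcpdump -tt -n` output for a TCP segment (assumed input format).
TCPDUMP_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): .*length (?P<len>\d+)$"
)
HEARTBEAT_LENGTHS = {24}   # assumed heartbeat payload size, learned from idle captures
MAX_DELAY = 2.0            # assumed upper bound on server relay delay, seconds


def parse_tcpdump(lines):
    """Return (timestamp, src, dst, payload_length) tuples sorted by time."""
    packets = []
    for line in lines:
        m = TCPDUMP_LINE.match(line.strip())
        if m:
            packets.append((float(m["ts"]), m["src"], m["dst"], int(m["len"])))
    return sorted(packets, key=lambda p: p[0])


def map_messages_to_packets(messages, packets, client_ip, max_delay=MAX_DELAY):
    """Step (5): pair each text message with the first unused inbound data packet
    arriving within max_delay, skipping pure ACKs (length 0) and heartbeats."""
    used, pairs = set(), []
    for msg in sorted(messages, key=lambda m: m["date"]):
        text_len = len(msg["text"].encode("utf-8"))   # length in UTF-8 bytes
        for i, (ts, _src, dst, plen) in enumerate(packets):
            if i in used or plen == 0 or plen in HEARTBEAT_LENGTHS:
                continue
            if not dst.startswith(client_ip + "."):   # tcpdump -n prints ip.port
                continue
            if ts < msg["date"]:
                continue
            if ts - msg["date"] > max_delay:
                break                                  # no packet for this message
            used.add(i)
            pairs.append((text_len, plen, ts - msg["date"]))
            break
    return pairs


def build_model(pairs):
    """Steps (6)-(7): aggregate pairs into Fig. 2 style feature nodes."""
    agg = defaultdict(lambda: [0, 0.0])   # (text_len, pkt_len) -> [count, sum of Time_Diff]
    for text_len, plen, diff in pairs:
        agg[(text_len, plen)][0] += 1
        agg[(text_len, plen)][1] += diff
    return [{"Text_Length": t, "Packet_Length": p,
             "Time_Diff": round(s / n, 6), "Num_length": n}
            for (t, p), (n, s) in sorted(agg.items())]


def save_model(model, path):
    """Write the feature nodes as the patent's "mod file" (JSON here)."""
    with open(path, "w", encoding="utf-8") as f:
        json.dump(model, f, indent=2)


def choose_probe_length(model):
    """Least frequent text length (ties -> shortest); its packet length is the one
    least likely to collide with background group traffic during detection."""
    node = min(model, key=lambda n: (n["Num_length"], n["Text_Length"]))
    return node["Text_Length"], node["Packet_Length"]


def expected_packet_length(model, text_len):
    """Packet length the model predicts for a probe of text_len bytes, or None."""
    for node in model:
        if node["Text_Length"] == text_len:
            return node["Packet_Length"]
    return None


# Constructed sample input: group messages read via the API by the first test
# account (client 10.0.0.5) and the capture on that client; packet = text + 44 here.
MESSAGES = json.loads("""[
  {"date": 1000.00, "text": "ok"},      {"date": 1003.50, "text": "yes"},
  {"date": 1007.10, "text": "ok"},      {"date": 1012.40, "text": "sent it"},
  {"date": 1015.90, "text": "ok"},      {"date": 1020.25, "text": "yes"},
  {"date": 1024.00, "text": "where?"}
]""")
TCPDUMP_LINES = [
    "1000.312345 IP 203.0.113.10.443 > 10.0.0.5.45678: Flags [P.], seq 1:47, ack 1, win 501, length 46",
    "1000.312900 IP 10.0.0.5.45678 > 203.0.113.10.443: Flags [.], ack 47, win 502, length 0",
    "1002.000000 IP 10.0.0.5.45678 > 203.0.113.10.443: Flags [P.], seq 1:25, ack 47, win 502, length 24",
    "1003.810000 IP 203.0.113.10.443 > 10.0.0.5.45678: Flags [P.], seq 47:94, ack 25, win 501, length 47",
    "1007.420000 IP 203.0.113.10.443 > 10.0.0.5.45678: Flags [P.], seq 94:140, ack 25, win 501, length 46",
    "1012.700000 IP 203.0.113.10.443 > 10.0.0.5.45678: Flags [P.], seq 140:191, ack 25, win 501, length 51",
    "1014.000000 IP 203.0.113.10.443 > 10.0.0.5.45678: Flags [P.], seq 191:215, ack 25, win 501, length 24",
    "1016.230000 IP 203.0.113.10.443 > 10.0.0.5.45678: Flags [P.], seq 215:261, ack 25, win 501, length 46",
    "1020.560000 IP 203.0.113.10.443 > 10.0.0.5.45678: Flags [P.], seq 261:308, ack 25, win 501, length 47",
    "1024.330000 IP 203.0.113.10.443 > 10.0.0.5.45678: Flags [P.], seq 308:358, ack 25, win 501, length 50",
]

if __name__ == "__main__":
    model = build_model(map_messages_to_packets(MESSAGES, parse_tcpdump(TCPDUMP_LINES), "10.0.0.5"))
    print(json.dumps(model, indent=2))
    print("probe (text length, expected packet length):", choose_probe_length(model))
```

Running the block prints four feature nodes and selects the 6-byte length (packet length 50) as the probe, since the two rarest lengths tie and the shorter wins. With real captures the mapping is read from the model table rather than assumed linear; where the application pads to a block size, several Text_Length values will share one Packet_Length and the probe should be chosen among lengths whose packet length is unambiguous.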
Fig. 3 shows the algorithm structure of the traffic feature matching module of the invention. T_min and T_max denote the lower and upper limits of the time difference allowed for network jitter, N_G is the total number of message traffic events of the target group, and N_max is the maximum number of associated events found; the optimal correlation is N_max / N_G.
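The event-queue construction, window sliding and hypothesis test described in the matching section above, in the traffic feature matching part and under Fig. 3, as one added example that is not the patent's own code. It assumes the probe messages map to encrypted packets of 412 and 420 bytes, a 24-byte heartbeat, a sliding range T_min = 0 s to T_max = 1 s in 0.1 s steps, a per-event timing tolerance of 0.05 s and a decision threshold of 0.6; the three captures are constructed (timestamp, payload length) pairs, the member's capture being the reference delayed by about 0.4 s with jitter and mixed with unrelated packets.

```python
# Added example: message traffic event queues, sliding-window association and
# the H0/H1 decision. Not the patent's code; lengths, timings and threshold are
# assumptions constructed for this example.
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    t: float        # capture timestamp, seconds
    length: int     # encrypted payload length, bytes


def build_event_queue(packets, expected_lengths, heartbeat_lengths=frozenset({24})):
    """Encrypted-traffic extraction: keep only packets whose length matches the
    probe-message mapping, drop heartbeats, and order the events by time."""
    events = [Event(t, n) for t, n in packets
              if n in expected_lengths and n not in heartbeat_lengths]
    return sorted(events, key=lambda e: e.t)


def count_associated(target, reference, offset, time_tol, len_tol):
    """Number of reference events with a partner in the target queue once the
    reference queue is shifted by `offset`; each target event is used at most once."""
    used, n = set(), 0
    for g in reference:
        for i, u in enumerate(target):
            if i in used:
                continue
            if abs(u.t - (g.t + offset)) <= time_tol and abs(u.length - g.length) <= len_tol:
                used.add(i)
                n += 1
                break
    return n


def optimal_correlation(target, reference, t_min, t_max, step=0.1, time_tol=0.05, len_tol=0):
    """Slide from T_min to T_max in `step` increments and return
    (N_max / N_G, offset at which N_max was reached)."""
    n_g = len(reference)
    if n_g == 0:
        return 0.0, None
    n_max, best, k, offset = 0, None, 0, t_min
    while offset <= t_max + 1e-9:
        n = count_associated(target, reference, offset, time_tol, len_tol)
        if n > n_max:
            n_max, best = n, offset
        k += 1
        offset = t_min + k * step          # avoid accumulating float error
    return n_max / n_g, best


def decide(correlation, threshold):
    """H1: the target client is a member of the group; H0: it is not."""
    return "H1" if correlation > threshold else "H0"


# Constructed captures as (timestamp, payload length); 388 is unrelated traffic.
EXPECTED = {412, 420}                       # assumed packet lengths of the probe messages
REFERENCE_CAPTURE = [(100.00, 412), (101.50, 24), (103.20, 412), (107.50, 412),
                     (112.00, 420), (115.80, 412)]                 # second test account
MEMBER_CAPTURE = [(100.41, 412), (102.00, 24), (103.58, 412), (105.10, 388),
                  (107.92, 412), (112.37, 420), (116.22, 412), (118.00, 24)]
NONMEMBER_CAPTURE = [(100.90, 412), (104.40, 24), (109.00, 412), (113.70, 420)]
THRESHOLD = 0.6                             # assumed; the patent fixes it experimentally


def run(target_capture):
    """Full matching step for one target client: returns (correlation, offset, verdict)."""
    ref = build_event_queue(REFERENCE_CAPTURE, EXPECTED)
    tgt = build_event_queue(target_capture, EXPECTED)
    corr, off = optimal_correlation(tgt, ref, t_min=0.0, t_max=1.0)
    return corr, off, decide(corr, THRESHOLD)


if __name__ == "__main__":
    for name, capture in (("member", MEMBER_CAPTURE), ("non-member", NONMEMBER_CAPTURE)):
        print(name, run(capture))
```

For the member capture all five reference events find a partner at an offset of 0.4 s, so N_max / N_G = 1.0 and H1 is returned; for the non-member only one event coincides by chance, giving 0.2 and H0. The greedy one-to-one association is what keeps a single burst of same-length packets from inflating N_max, and the time tolerance has to be narrower than the probe spacing, otherwise neighbouring probes become interchangeable.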
Fig. 4 is a flowchart of the overall procedure of the invention.
Message collection and traffic capture are performed with an instant messaging application account; the occurrence frequencies of text messages of different lengths are counted and the mapping between text message length and traffic length is established; a probe text message is constructed according to those frequencies and sent actively; the traffic of the target user and of the target group during the sending is captured and the IM application's encrypted traffic is filtered out and extracted from it; that encrypted traffic is analysed to extract the message traffic event queues of the target user and of the target group, and the optimal correlation between the two queues is obtained; and, using the set decision threshold, the obtained correlation and the hypothesis test grounded in reality, it is judged whether the target user is associated with the target group. The invention resolves the high difficulty, long duration and unstable accuracy of detection based on vulnerability mining and of passive detection based on traffic feature matching, and is better suited to active detection of user identity attributes in real scenarios.
Example two
The embodiment provides a user identity attribute active detection system based on flow characteristic matching;
a user identity attribute active detection system based on flow characteristic matching is applied to an instant messaging application program server, and the system comprises:
an acquisition module configured to: acquire the IP addresses of a target group, whose attribute is a known quantity, and of a target user client to be detected; create a first test user account and a second test user account, and add both test accounts to the target group;
a probe text message sending module configured to: send a probe text message to the target group through the first test user account;
an encrypted traffic extraction module configured to: while the probe text message is being sent, capture the traffic generated by the target user client and the traffic generated by the second test user account, respectively; and extract the instant messaging application's encrypted traffic from each capture;
an event queue building module configured to: according to the mapping between text message length and traffic length, build a message-traffic event queue from the encrypted traffic extracted for the target user client and another from that extracted for the second test user account; and compute the optimal association degree between the two queues;
an attribute detection module configured to: compare the optimal association degree with a set threshold to determine whether the target user client has the attribute of the target group.
Further, the probe text message sending module is also configured to: obtain, through the first test user account, historical text messages generated during communication in the target group together with the traffic corresponding to those messages; derive the mapping between text message length and traffic length; count the occurrence frequency of text messages of each length; and construct the probe text message according to those frequencies.
The above is only a preferred embodiment of the present invention and is not intended to limit it; those skilled in the art may make various modifications and changes. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention falls within its scope of protection.

Claims (10)

1. A method for actively detecting a user identity attribute based on traffic feature matching, characterized in that it is applied to an instant messaging application server and comprises the following steps:
acquiring the IP addresses of a target group, whose attribute is a known quantity, and of a target user client to be detected; creating a first test user account and a second test user account, and adding both test accounts to the target group; sending a probe text message to the target group through the first test user account;
while the probe text message is being sent, capturing the traffic generated by the target user client and the traffic generated by the second test user account, respectively; extracting the instant messaging application's encrypted traffic from the traffic captured for the target user client and from that captured for the second test user account;
according to the mapping between text message length and traffic length, building a message-traffic event queue from the encrypted traffic extracted for the target user client and another from that extracted for the second test user account; computing the optimal association degree between the two queues; and
comparing the optimal association degree with a set threshold to determine whether the target user client has the attribute of the target group.
2. The method according to claim 1, characterized in that, after adding the two test user accounts to the target group and before sending the probe text message to the target group through the first test user account, it further comprises: obtaining, through the first test user account, historical text messages generated during communication in the target group together with the traffic corresponding to those messages; deriving the mapping between text message length and traffic length; counting the occurrence frequency of text messages of each length; and constructing the probe text message according to those frequencies.
3. The method according to claim 2, characterized in that counting the occurrence frequency of text messages of each length and constructing the probe text message according to those frequencies specifically comprises:
finding the text message length with the lowest occurrence frequency, and constructing a probe text message of that length which fits the chat scenario of the target group.
4. The method according to claim 3, characterized in that the probe text message fitting the chat scenario of the target group is constructed from the lowest-frequency text message length by a trained neural network, the training process of which comprises:
building a training set consisting of historical text messages of the target group with known message topics and target text lengths; taking the text message topic and the target text length as the input of the neural network and the historical text message as its output; and training the network to obtain the trained neural network, the length of whose output equals the target text length;
constructing the probe text message fitting the chat scenario of the target group from the lowest-frequency text message length then specifically comprises:
feeding the topic of the target group's text messages and the lowest-frequency text message length into the trained neural network, which outputs a probe text message fitting the target group's chat scenario; the length of that probe text message equals the lowest-frequency text message length.
5. The method according to claim 1, characterized in that capturing the traffic generated by the target user client and the traffic generated by the second test user account while the probe text message is being sent means: during the sending of the probe text message, capturing the traffic generated by the target user client and the traffic generated by the second test user account with the network packet capture tool tcpdump, keyed to the sending time of the probe text message.
6. The method according to claim 1, characterized in that, in extracting the instant messaging application's encrypted traffic from the traffic captured for the target user client and for the second test user account, the encrypted traffic is the traffic sent to the Internet after all content to be encrypted has been encrypted with the encryption algorithm prescribed by the instant messaging application's protocol, the content to be encrypted including the text message, the message attachment header and the message length;
the extraction of the encrypted traffic comprises: determining the length of the instant messaging application's encrypted traffic from the length of the probe text message and the mapping between text message length and traffic length; and extracting the instant messaging application's encrypted traffic according to that length.
7. The method according to claim 1, characterized in that, in building message-traffic event queues from the encrypted traffic extracted for the target user client and for the second test user account, each message-traffic event is a traffic packet with two attributes, time and length, and a message-traffic event queue is a sequence of message-traffic events ordered by time; the queue is built by converting the time and length attributes of each network packet in the encrypted traffic into a message-traffic event, one packet at a time, and arranging the events in chronological order.
8. The method according to claim 1, characterized in that computing the optimal association degree between the message-traffic event queues of the target user client and of the second test user account specifically comprises:
setting upper and lower bounds on the time offset between the two message-traffic event queues and a step size for sliding; sliding the two message-traffic event queues against each other step by step; at each step, counting the events in the target user client's queue that can be associated with events in the second test user account's queue and dividing by the total number of events in the second test user account's queue to obtain an association degree; the best association degree so obtained is the optimal association degree; wherein two events can be associated when both their time difference and their length difference lie within set ranges.
9. The method according to claim 1, characterized in that comparing the optimal association degree with the set threshold to determine whether the target user client has the attribute of the target group specifically comprises: if the optimal association degree is less than the set threshold, the target user is not in the target group; if it is greater than the threshold, the target user is in the target group.
10. A system for actively detecting a user identity attribute based on traffic feature matching, characterized in that it is applied to an instant messaging application server and comprises:
an acquisition module configured to: acquire the IP addresses of a target group, whose attribute is a known quantity, and of a target user client to be detected; create a first test user account and a second test user account, and add both test accounts to the target group;
a probe text message sending module configured to: send a probe text message to the target group through the first test user account;
an encrypted traffic extraction module configured to: while the probe text message is being sent, capture the traffic generated by the target user client and the traffic generated by the second test user account, respectively; and extract the instant messaging application's encrypted traffic from the traffic captured for the target user client and from that captured for the second test user account;
an event queue building module configured to: according to the mapping between text message length and traffic length, build a message-traffic event queue from the encrypted traffic extracted for the target user client and another from that extracted for the second test user account; and compute the optimal association degree between the two queues;
an attribute detection module configured to: compare the optimal association degree with a set threshold to determine whether the target user client has the attribute of the target group.
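The following is an added worked example, not code from the patent or its authors, that runs the probe-and-correlate procedure of claims 2 to 9 (and of the module description in embodiment two) end to end on constructed data. Everything specific in it is an assumption: the text-length-to-traffic-length mapping is a fixed 41-byte overhead rather than one learned from historical traffic as claim 2 prescribes; the packet captures for the second test account, a group member and a non-member are invented; the offset bounds, step and tolerances are illustrative; and events are matched one-to-one greedily, a detail the claims leave open.

```python
"""Added example (not the patent's code): toy run of the probe-and-correlate
membership test from claims 2-9 on constructed packet captures."""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Tuple

Packet = Tuple[float, int]      # (capture time in seconds, packet length in bytes)

CIPHERTEXT_OVERHEAD = 41        # assumed framing + MAC + length field; claim 2 learns this


def traffic_length(text_len: int) -> int:
    """Assumed text-length -> encrypted-packet-length mapping (constant overhead)."""
    return CIPHERTEXT_OVERHEAD + text_len


def pick_probe_length(history_lengths: Iterable[int]) -> int:
    """Claim 3: the rarest message length in the group's history, so organic
    chatter is least likely to emit packets the same size as the probe."""
    counts = Counter(history_lengths)
    return min(counts, key=lambda n: (counts[n], n))


@dataclass(frozen=True)
class Event:
    t: float        # time attribute
    length: int     # length attribute


def extract_probe_events(packets: Iterable[Packet], expected_len: int, len_tol: int) -> List[Event]:
    """Claims 6-7: keep only packets of the expected encrypted-probe size and
    arrange them as a time-ordered message-traffic event queue."""
    events = [Event(t, n) for t, n in packets if abs(n - expected_len) <= len_tol]
    return sorted(events, key=lambda e: e.t)


def association_degree(target: List[Event], reference: List[Event],
                       offset: float, dt_tol: float, dl_tol: int) -> float:
    """Share of reference (second test account) events that have an unused
    target-client event within dt_tol seconds, after shifting the target clock
    by `offset`, and within dl_tol bytes in length. Greedy one-to-one matching
    is an assumption; the claims only require time and length tolerances."""
    if not reference:
        return 0.0
    used, matched = set(), 0
    for r in reference:
        for i, e in enumerate(target):
            if i not in used and abs(e.t + offset - r.t) <= dt_tol \
                    and abs(e.length - r.length) <= dl_tol:
                used.add(i)
                matched += 1
                break
    return matched / len(reference)


def optimal_association(target, reference, lo, hi, step, dt_tol, dl_tol):
    """Claim 8: slide the clock offset from lo to hi in `step` increments and
    return the best association degree with the offset that produced it."""
    best, best_off = 0.0, lo
    for k in range(int(round((hi - lo) / step)) + 1):
        off = lo + k * step
        d = association_degree(target, reference, off, dt_tol, dl_tol)
        if d > best:
            best, best_off = d, off
    return best, best_off


def detect_membership(target_packets, reference_packets, probe_text_len, threshold,
                      offset_bounds=(-1.0, 1.0), step=0.05, dt_tol=0.05, len_tol=2):
    """Claim 9: a degree above the threshold means the client is in the group."""
    expected = traffic_length(probe_text_len)
    target = extract_probe_events(target_packets, expected, len_tol)
    reference = extract_probe_events(reference_packets, expected, len_tol)
    degree, off = optimal_association(target, reference, *offset_bounds, step, dt_tol, len_tol)
    return degree, off, degree > threshold


# --- constructed data (not real captures) -----------------------------------
HISTORY_LENGTHS = [12, 12, 12, 8, 8, 30, 12, 8, 23, 12, 30, 8]
PROBE_LEN = pick_probe_length(HISTORY_LENGTHS)          # 23 chars -> 64-byte packets

# Second test account: five probe deliveries plus unrelated traffic.
REFERENCE_PACKETS = [(10.00, 64), (10.02, 120), (12.50, 64), (15.10, 64),
                     (18.30, 64), (19.00, 300), (21.00, 64)]
# Client that is in the group: the same five probes ~0.35 s later, plus noise.
MEMBER_PACKETS = [(10.36, 64), (11.00, 64), (12.84, 65), (14.00, 410),
                  (15.45, 64), (18.64, 63), (21.37, 64)]
# Client that is not in the group: a few same-sized packets by coincidence.
OUTSIDER_PACKETS = [(10.50, 64), (13.00, 200), (17.00, 64), (20.00, 64), (22.30, 64)]

if __name__ == "__main__":
    for name, pkts in (("member", MEMBER_PACKETS), ("outsider", OUTSIDER_PACKETS)):
        degree, off, in_group = detect_membership(pkts, REFERENCE_PACKETS, PROBE_LEN, 0.8)
        print(f"{name}: degree={degree:.2f} at offset {off:+.2f}s -> in group: {in_group}")
```

Two things the toy makes visible that the claims only imply: the rare-length probe and the one-to-one matching are what keep a non-member's coincidental same-size packets from accumulating into a high degree (here one of five matches at best), and the whole test stands or falls on the length mapping, which real clients distort with padding, batching and per-version framing changes, so it has to be measured per application as claim 2 requires rather than assumed as done here.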
CN202211266240.7A 2022-10-17 2022-10-17 User identity attribute active detection method and system based on flow characteristic matching Active CN115664739B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211266240.7A CN115664739B (en) 2022-10-17 2022-10-17 User identity attribute active detection method and system based on flow characteristic matching

Publications (2)

Publication Number Publication Date
CN115664739A true CN115664739A (en) 2023-01-31
CN115664739B CN115664739B (en) 2024-05-07

Family

ID=84988076

Country Status (1)

Country Link
CN (1) CN115664739B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116455632B (en) * 2023-04-14 2023-10-13 郑州大学 Target identification method based on active and passive data fusion analysis

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110458182A (en) * 2019-06-24 2019-11-15 中国科学院信息工程研究所 Based on the matched online vest detection method of similar subgraph
CN110998588A (en) * 2017-08-22 2020-04-10 微软技术许可有限责任公司 Reducing text length while preserving meaning
US20200236131A1 (en) * 2019-01-18 2020-07-23 Cisco Technology, Inc. Protecting endpoints with patterns from encrypted traffic analytics
CN113312560A (en) * 2021-06-16 2021-08-27 百度在线网络技术(北京)有限公司 Group detection method and device and electronic equipment
CN113420230A (en) * 2020-12-31 2021-09-21 深圳市镜玩科技有限公司 Matching consultation pushing method based on group chat, related device, equipment and medium
CN113521749A (en) * 2021-07-15 2021-10-22 珠海金山网络游戏科技有限公司 Abnormal account detection model training method and abnormal account detection method
WO2022148050A1 (en) * 2021-01-05 2022-07-14 华为云计算技术有限公司 Traffic management method and apparatus, traffic management strategy configuration method and apparatus, and device and medium
CN114818974A (en) * 2022-05-23 2022-07-29 北京航空航天大学 Inference attack method and system for monitoring user activities in intelligent information system

Also Published As

Publication number Publication date
CN115664739B (en) 2024-05-07

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant