CN115801442A - Encrypted traffic detection method, security system and agent module - Google Patents

Publication number: CN115801442A
Application number: CN202211582751.XA
Authority: CN (China)
Legal status: Pending (Google's assumption from the record, not a legal conclusion)
Other languages: Chinese (zh)
Inventors: 张聪, 李恺, 晏尉, 范鸿雷
Assignee (current and original): Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd
Prior art keywords: access control, module, policy, proxy, encrypted
Classification landscape: Data Exchanges in Wide-Area Networks

Abstract

The application provides a method for detecting encrypted traffic, a security system and a proxy module, in the technical field of network security. In the method, encrypted traffic is matched against a proxy policy and an access control policy; when the access control policy references a deep packet inspection (DPI) policy, the proxy module interacts with the DPI module according to the access control policy ID, so that DPI is carried out on the decrypted traffic. In other words, the proxy module selects the security configuration by access control policy ID and completes the matching between the decrypted traffic and the access control policy in a single dynamic configuration lookup. This avoids feeding the decrypted packets back into the security system for a second round of proxy-policy and access-control-policy matching, which speeds up processing and improves efficiency; and because each inspected flow occupies fewer session connections in the security system, the system's concurrency increases and a large amount of system resources is saved.

Description

Encrypted traffic detection method, security system and agent module
Technical Field
The present application relates to the field of network security, and in particular to a method for detecting encrypted traffic, a security system, and a proxy module (rendered "agent module" in the title; the two terms are used interchangeably).
Background
With the rapid growth of the internet, public awareness of network security and of data protection has risen steadily, and to ensure security and privacy network traffic is generally transmitted under SSL encryption. Encrypted traffic is now the majority of internet traffic. Encryption is a double-edged sword: while it protects user privacy, attackers can take advantage of it as well, because encryption hides malicious traffic just as it hides any other content, allowing worms, trojans and viruses to pass unseen. To counter attacks that abuse SSL encryption, firewalls have introduced an SSL encrypted-traffic inspection function, which decrypts SSL-encrypted traffic and then performs content security checks and auditing on the decrypted traffic.
At present most firewalls decrypt encrypted traffic with a proxy function and then run deep packet inspection on the decrypted traffic using the various security engines integrated in the firewall. Because this function involves interaction among several security modules, the existing methods, although many firewalls do support deep packet inspection of SSL-encrypted traffic, suffer from slow processing, low efficiency, low concurrency and high consumption of system resources.
Disclosure of Invention
The object of the embodiments of the present application is to provide a method, a security system and a proxy module for detecting encrypted traffic, so as to solve the slow processing, low efficiency, low concurrency and high consumption of system resources of the existing methods for detecting encrypted traffic.
An embodiment of the present application provides a method for detecting encrypted traffic, applied to a security system, comprising the following steps:
receiving encrypted traffic sent by a client, matching the encrypted traffic against the proxy policy, and determining whether the encrypted traffic hits a proxy policy;
if the encrypted traffic hits a proxy policy, notifying the proxy module of the hit proxy policy, matching the encrypted traffic against the access control policy, and determining whether an access control policy is hit;
if the encrypted traffic hits an access control policy, recording the corresponding access control policy ID in the packets of the encrypted traffic;
and sending the encrypted traffic in which the access control policy ID is recorded to the proxy module.
In this technical solution, a hit on the proxy policy means the encrypted traffic must be decrypted, and a hit on the access control policy may be a hit on a policy that references a deep packet inspection (DPI) policy. The access control policy ID is therefore sent to the proxy module together with the encrypted traffic, and when the access control policy references a DPI policy, the proxy module can interact with the DPI module according to that ID to carry out deep packet inspection. In other words, the proxy module selects the security configuration by access control policy ID and completes the matching between the decrypted traffic and the access control policy in a single dynamic configuration lookup, which avoids feeding the decrypted packets back into the security system for repeated proxy-policy and access-control-policy matching, speeding up processing and improving efficiency.
In some optional embodiments, after determining whether the encrypted traffic hits a proxy policy, the method further includes:
if the encrypted traffic misses the proxy policy, performing access control policy matching;
and forwarding the encrypted traffic according to the matched access control policy.
In this solution, encrypted traffic that misses the proxy policy does not need to be decrypted; it is matched against the access control policy as usual and forwarded according to that policy.
In some optional embodiments, after determining whether the encrypted traffic hits an access control policy, the method further includes:
if the encrypted traffic misses the access control policy, sending the encrypted traffic to the proxy module.
In this solution the encrypted traffic hits the proxy policy but misses the access control policy: it must be decrypted, but no deep packet inspection is required after decryption.
In some optional embodiments, after sending the encrypted traffic with the recorded access control policy ID to the proxy module, the method further includes:
receiving from the proxy module the packets that have passed deep packet inspection, and forwarding them to the server.
In some optional embodiments, before receiving the encrypted traffic sent by the client, the method further includes:
acquiring a deep packet inspection policy, an access control policy and a proxy policy;
generating a deep packet inspection configuration file from the DPI policy and sharing it with the proxy module;
generating an access control configuration file from the access control policy and sharing it with the proxy module; generating a proxy configuration file from the proxy policy and sharing it with the proxy module;
wherein the deep packet inspection configuration file is configured to be referenced by the access control configuration file.
In this solution, a user enters a DPI policy, an access control policy and a proxy policy into the security system through an interactive interface; the security system generates the corresponding DPI configuration file, access control configuration file and proxy configuration file, shares all three with the proxy module, and the DPI configuration file is configured to be referenced by the access control configuration file.
An embodiment of the present application provides a method for detecting encrypted traffic, applied to a proxy module, comprising the following steps:
receiving, according to the proxy configuration corresponding to the proxy policy hit in the security system, the encrypted traffic sent by the security system, decrypting it to obtain decrypted packets, and determining whether a decrypted packet carries an access control policy ID;
if the decrypted packet carries an access control policy ID, looking up the corresponding security configuration by that ID;
sending the decrypted packet to the deep packet inspection module according to the security configuration found;
receiving the inspection result returned by the DPI module, the result being either permit sending or prohibit sending;
and determining from the inspection result whether to forward the decrypted packet.
In this solution, when an access control policy is hit the proxy module obtains its ID, and if that policy references a DPI policy the proxy module interacts with the DPI module according to the ID to carry out deep packet inspection. The proxy module thus selects the security configuration by access control policy ID and completes the matching between decrypted traffic and access control policy in one dynamic configuration lookup, instead of feeding the decrypted packets back into the security system for repeated proxy-policy and access-control-policy matching. Processing is faster and more efficient, and because each flow occupies fewer session connections in the security system, the system's concurrency rises and a large amount of system resources is saved.
In some optional embodiments, before receiving the encrypted traffic sent by the security system, the method further includes:
acquiring the deep packet inspection configuration file, the access control configuration file and the proxy configuration file generated by the security system, the DPI configuration file being configured to be referenced by the access control configuration file;
generating the corresponding security configuration from the access control configuration file, and the corresponding proxy configuration from the proxy configuration file.
In this solution the proxy module maintains a total configuration comprising a proxy configuration and a security configuration. When a proxy policy is configured, a proxy configuration file corresponding to that policy is generated; it specifies the IP address and port the proxy module must listen on, the encryption mode (cipher suite) negotiated in the SSL handshake, the certificate and the private key, and serves mainly to provide SSL encryption and decryption. If no proxy policy is configured, no proxy configuration is generated and SSL encryption and decryption cannot be performed. The security configuration, also part of the total configuration, is what the proxy module uses to decide whether decrypted traffic needs deep security inspection; if no access control policy is configured, or the configured policy references no DPI policy, no security configuration is generated and decrypted traffic cannot be inspected.
In some optional embodiments, determining whether to forward the decrypted packet according to the inspection result includes:
if the result is permit sending, sending the decrypted packet to the forwarding module according to the proxy configuration, either as is or after re-encrypting it.
An embodiment of the present application provides a security system, comprising:
a first judgment module, configured to receive encrypted traffic sent by a client, match it against the proxy policy and determine whether it hits a proxy policy;
a second judgment module, configured to notify the proxy module of the hit proxy policy if the encrypted traffic hits one, match the encrypted traffic against the access control policy and determine whether an access control policy is hit;
a recording module, configured to record the corresponding access control policy ID in the packets of the encrypted traffic if an access control policy is hit;
and a sending module, configured to send the encrypted traffic with the recorded access control policy ID to the proxy module.
An embodiment of the present application provides a proxy module, comprising:
a third judgment module, configured to receive the encrypted traffic sent by the security system according to the proxy configuration corresponding to the hit proxy policy, decrypt it to obtain decrypted packets, and determine whether a decrypted packet carries an access control policy ID;
a configuration module, configured to look up the corresponding security configuration by the access control policy ID when the decrypted packet carries one;
an inspection-dispatch module, configured to send the decrypted packet to the deep packet inspection module according to the security configuration found;
a result-receiving module, configured to receive the inspection result returned by the DPI module, the result being either permit sending or prohibit sending;
and a processing module, configured to determine from the inspection result whether to forward the decrypted packet.
Drawings
To illustrate the technical solutions of the embodiments more clearly, the drawings used in the embodiments are briefly described below. The following drawings illustrate only some embodiments and should not be regarded as limiting the scope; those skilled in the art can derive other drawings from them without inventive effort.
FIG. 1 is a flowchart of the steps of the detection method applied to the security system according to an embodiment of the present application;
FIG. 2 is a flowchart of the steps of the detection method applied to the proxy module according to an embodiment of the present application;
FIG. 3 is a schematic workflow diagram of the security system and the proxy module according to an embodiment of the present application;
FIG. 4 is a schematic diagram of the relationship between policy configuration files according to this embodiment.
Reference numerals: 1 client; 2 server; 3 security system; 4 proxy module; 5 deep packet inspection module.
Detailed Description
The technical solutions of the embodiments of the present application are described below with reference to the drawings.
Referring to fig. 1, fig. 1 is a flowchart of the steps of the detection method applied to the security system according to an embodiment of the present application; the method includes:
step 110, receiving the encrypted traffic sent by the client, matching it against the proxy policy, and determining whether it hits a proxy policy;
step 120, if the encrypted traffic hits a proxy policy, notifying the proxy module of the hit proxy policy, matching the encrypted traffic against the access control policy, and determining whether an access control policy is hit;
step 130, if the encrypted traffic hits an access control policy, recording the corresponding access control policy ID in the packets of the encrypted traffic;
and step 140, sending the encrypted traffic with the recorded access control policy ID to the proxy module.
In this embodiment, a hit on the proxy policy means the encrypted traffic must be decrypted, and the hit access control policy may be one that references a deep packet inspection policy. The access control policy ID is therefore sent to the proxy module together with the encrypted traffic, so that when the access control policy references a DPI policy, the proxy module can interact with the DPI module according to that ID to carry out deep packet inspection. In other words, the proxy module selects the security configuration by access control policy ID and completes the matching between the decrypted traffic and the access control policy in a single dynamic configuration lookup, which avoids feeding the decrypted packets back into the security system for repeated proxy-policy and access-control-policy matching. Processing is faster and more efficient, and because each flow occupies fewer session connections in the security system, the system's concurrency rises and a large amount of system resources is saved.
In some optional embodiments, after determining whether the encrypted traffic hits a proxy policy, the method further includes: if the encrypted traffic misses the proxy policy, performing access control policy matching and forwarding the encrypted traffic according to the matched access control policy.
In this embodiment, encrypted traffic that misses the proxy policy does not need to be decrypted; it is subsequently matched against the access control policy as usual and forwarded according to that policy.
In some optional embodiments, after determining whether the encrypted traffic hits an access control policy, the method further includes: if the encrypted traffic misses the access control policy, sending it to the proxy module.
In this embodiment the encrypted traffic hits the proxy policy but misses the access control policy: it must be decrypted, but needs no deep packet inspection after decryption.
In some optional embodiments, after sending the encrypted traffic with the recorded access control policy ID to the proxy module, the method further includes: receiving from the proxy module the packets that have passed deep packet inspection, and forwarding them to the server.
In some optional embodiments, before receiving the encrypted traffic sent by the client, the method further includes: acquiring a deep packet inspection policy, an access control policy and a proxy policy; generating a DPI configuration file from the DPI policy and sharing it with the proxy module; generating an access control configuration file from the access control policy and sharing it with the proxy module; generating a proxy configuration file from the proxy policy and sharing it with the proxy module; wherein the DPI configuration file is configured to be referenced by the access control configuration file.
In this embodiment, a user enters a DPI policy, an access control policy and a proxy policy into the security system through an interactive interface; the security system generates the corresponding DPI configuration file, access control configuration file and proxy configuration file, all three can be shared with the proxy module, and the DPI configuration file is configured to be referenced by the access control configuration file.
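The security-system procedure of steps 110 to 140, together with the proxy-miss and access-control-miss branches described above, as an added example in Python; this is not code from the patent or from Topsec. The policy shapes, the packet model, first-match rule ordering and the sample addresses are assumptions. The fw_id field stands in for the "suitable position in the packet" the text mentions, and it is recorded only when the hit rule references a DPI policy, which is the meaning the fig. 3 description gives a present fw_id.

```python
"""Security-system side (steps 110-140): proxy-policy match, access control match,
and recording the hit rule's fw_id for the proxy module. Added example."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes                  # TLS records as received; the security system never decrypts
    fw_id: Optional[int] = None     # hit access control policy ID, recorded for the proxy module
                                    # (stand-in for "a suitable position in the packet"; a real
                                    # firewall would carry it as a packet or connection mark)


@dataclass(frozen=True)
class ProxyPolicy:
    """Proxy policy: which SSL flows the proxy module terminates (assumed shape)."""
    dst_net: str
    dport: int


@dataclass(frozen=True)
class AclPolicy:
    """Access control policy (assumed shape). fw_id is its unique identifier; dpi_profile
    names the referenced deep packet inspection policy, or None when it references none."""
    fw_id: int
    src_net: str
    dst_net: str
    dport: int
    action: str                     # "permit" or "deny"
    dpi_profile: Optional[str] = None


def _in_net(addr: str, net: str) -> bool:
    return ip_address(addr) in ip_network(net)


def match_proxy(pkt: Packet, policies: list[ProxyPolicy]) -> bool:
    return any(_in_net(pkt.dst, p.dst_net) and pkt.dport == p.dport for p in policies)


def match_acl(pkt: Packet, policies: list[AclPolicy]) -> Optional[AclPolicy]:
    """First match wins, as in an ordered rule base (assumption; the page does not say)."""
    for p in policies:
        if _in_net(pkt.src, p.src_net) and _in_net(pkt.dst, p.dst_net) and pkt.dport == p.dport:
            return p
    return None


def classify(pkt: Packet, proxy_policies: list[ProxyPolicy],
             acl_policies: list[AclPolicy]) -> tuple[str, Packet]:
    """Return (disposition, packet). Dispositions:
       forward    proxy policy missed: ordinary ACL match and forwarding, no decryption
       drop       the matched access control rule denies the flow
       proxy      proxy policy hit, ACL missed or references no DPI policy: decrypt only
       proxy_dpi  proxy policy hit and ACL references a DPI policy: fw_id recorded,
                  the proxy module decrypts and dispatches to DPI
    """
    if not match_proxy(pkt, proxy_policies):                     # step 110 missed
        acl = match_acl(pkt, acl_policies)                       # ordinary ACL handling
        return ("drop" if acl is not None and acl.action == "deny" else "forward"), pkt
    acl = match_acl(pkt, acl_policies)                           # step 120
    if acl is not None and acl.action == "deny":
        return "drop", pkt
    if acl is None or acl.dpi_profile is None:
        return "proxy", pkt                                      # decrypt only, no DPI
    return "proxy_dpi", replace(pkt, fw_id=acl.fw_id)            # steps 130-140


# Constructed rule base and sample flows (payload is a TLS handshake record header).
PROXY_POLICIES = [ProxyPolicy("10.0.0.0/8", 443)]
ACL_POLICIES = [
    AclPolicy(101, "192.168.1.0/24", "10.0.0.0/8", 443, "permit", dpi_profile="file-filter"),
    AclPolicy(102, "192.168.2.0/24", "10.0.0.0/8", 443, "deny"),
    AclPolicy(103, "192.168.1.0/24", "203.0.113.0/24", 443, "permit"),
]
SAMPLE_FLOWS = [
    Packet("192.168.1.10", "10.1.1.1", 443, b"\x16\x03\x01"),     # proxy + ACL 101 (DPI)
    Packet("192.168.2.10", "10.1.1.1", 443, b"\x16\x03\x01"),     # proxy + ACL 102 (deny)
    Packet("192.168.1.10", "203.0.113.5", 443, b"\x16\x03\x01"),  # no proxy, ACL 103
    Packet("192.168.3.10", "10.1.1.1", 443, b"\x16\x03\x01"),     # proxy, ACL miss
    Packet("192.168.1.10", "10.1.1.1", 8443, b"\x16\x03\x01"),    # no proxy, ACL miss
]


def run_examples() -> list[tuple[str, Optional[int]]]:
    results = (classify(f, PROXY_POLICIES, ACL_POLICIES) for f in SAMPLE_FLOWS)
    return [(disposition, pkt.fw_id) for disposition, pkt in results]
```

Only the first sample flow leaves the security system carrying an fw_id; the fourth is decrypted but never inspected, which is exactly the "proxy hit, access control miss" branch the text describes.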
Referring to fig. 2, fig. 2 is a flowchart illustrating steps of a detection method applied to an agent module according to an embodiment of the present application, where the method includes:
step 210, receiving, according to the proxy configuration corresponding to the proxy policy hit in the security system, the encrypted traffic sent by the security system, decrypting it to obtain decrypted packets, and determining whether a decrypted packet carries an access control policy ID;
step 220, if the decrypted packet carries an access control policy ID, looking up the corresponding security configuration by that ID;
step 230, sending the decrypted packet to the deep packet inspection module according to the security configuration found;
step 240, receiving the inspection result returned by the DPI module, the result being either permit sending or prohibit sending;
and step 250, determining from the inspection result whether to forward the decrypted packet.
In this embodiment, when an access control policy is hit the proxy module obtains its ID, and if that policy references a DPI policy the proxy module interacts with the DPI module according to the ID to carry out deep packet inspection. The proxy module thus selects the security configuration by access control policy ID and completes the matching between decrypted traffic and access control policy in one dynamic configuration lookup, instead of feeding the decrypted packets back into the security system for repeated proxy-policy and access-control-policy matching, which speeds up processing and improves efficiency.
In some optional embodiments, before receiving the encrypted traffic sent by the security system, the method further includes: acquiring the DPI configuration file, the access control configuration file and the proxy configuration file generated by the security system, the DPI configuration file being configured to be referenced by the access control configuration file; generating the corresponding security configuration from the access control configuration file; and generating the corresponding proxy configuration from the proxy configuration file.
In this embodiment the proxy module maintains a total configuration comprising a proxy configuration and a security configuration. When a proxy policy is configured, a proxy configuration file corresponding to that policy is generated; it specifies the IP address and port the proxy module must listen on, the encryption mode (cipher suite) negotiated in the SSL handshake, the certificate and the private key, and serves mainly to provide SSL encryption and decryption. If no proxy policy is configured, no proxy configuration is generated and SSL encryption and decryption cannot be performed. The security configuration, also part of the total configuration, is what the proxy module uses to decide whether decrypted traffic needs deep security inspection; if no access control policy is configured, or the configured policy references no DPI policy, no security configuration is generated and decrypted traffic cannot be inspected.
In some optional embodiments, determining whether to forward the decrypted packet according to the inspection result includes: if the result is permit sending, sending the decrypted packet to the forwarding module according to the proxy configuration, either as is or after re-encrypting it.
Referring to fig. 3, fig. 3 is a schematic workflow of the security system 3 and the proxy module 4 according to an embodiment of the present application. The proxy module 4 and the deep packet inspection module 5 both run in the firewall as independent third-party processes, that is, independently of the security system 3. The workflow is as follows:
Client 1 sends SSL-encrypted traffic to server 2; the traffic first reaches the firewall.
After receiving the SSL-encrypted traffic, the firewall passes it to the security system 3 for proxy policy matching. If no proxy policy is hit, the traffic does not need SSL decryption: access control policy matching proceeds as usual and the traffic is forwarded according to the policy. If a proxy policy is hit, the traffic needs SSL decryption; it is first matched once against the access control policy, and if an access control policy is hit, the access control policy ID is recorded in a suitable position in the packet, after which the encrypted traffic is passed to the proxy module 4 for SSL decryption.
After decrypting the traffic, the proxy module 4 reads the access control policy ID, fw_id, from the packet. If no fw_id is present, the packet only needed SSL decryption and no deep packet inspection of the decrypted packet is required; if an fw_id is present, the packet hit an access control policy that references a DPI policy, and the decrypted packet must undergo deep packet inspection.
The proxy module 4 looks up the security configuration corresponding to fw_id in the configuration file, parses its configuration items and stores them in a data structure.
The proxy module 4 passes the decrypted packet to the deep packet inspection module 5 according to that security configuration. The DPI module performs content security checks and auditing on the packet and returns the result to the proxy module 4, which decides whether to re-encrypt the packet according to the proxy configuration and whether to forward it according to the inspection result.
As shown in fig. 3, in the security system 3 of the firewall of this embodiment one encrypted-traffic inspection service occupies only two session connections of the security system 3: "client 1 - proxy policy - access control policy - proxy module 4" and "proxy module 4 - forwarding module - server 2". On the proxy module 4 side, one inspection service likewise occupies only two session connections of the proxy module 4: "access control policy of security system 3 - proxy module 4" and "proxy module 4 - forwarding module of security system 3".
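The proxy-module procedure of steps 210 to 250 and the fig. 3 workflow, as an added example in Python; this is not the patent's or Topsec's code. The TLS layer is a one-byte XOR stand-in so the example runs offline, the DPI module is a constructed file-filtering profile in the spirit of the embodiment described later on the page, and the configuration shapes, the sample requests and the fail-closed handling of an fw_id with no matching security configuration are editorial assumptions.

```python
"""Proxy-module side (steps 210-250, fig. 3): decrypt, resolve fw_id to a security
configuration, hand the clear text to the DPI module, act on the verdict. Added example."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class ProxyConfig:
    """Generated from the proxy policy: where to listen and how to terminate SSL (assumed shape)."""
    listen_ip: str
    listen_port: int
    cipher_suites: tuple[str, ...]
    cert_file: str
    key_file: str
    reencrypt_to_server: bool        # forward clear text, or re-encrypt before forwarding


@dataclass(frozen=True)
class SecurityConfig:
    """Generated from an access control policy that references a DPI policy (assumed shape)."""
    fw_id: int
    dpi_profile: str


@dataclass(frozen=True)
class TaggedPacket:
    ciphertext: bytes
    fw_id: Optional[int]             # recorded by the security system; None means decrypt only


# Stand-in for the TLS record layer so the example runs offline: a fixed one-byte XOR.
# A real proxy module terminates TLS with the certificate and key named in ProxyConfig.
_SESSION_KEY = 0x5A


def tls_decrypt(data: bytes) -> bytes:
    return bytes(b ^ _SESSION_KEY for b in data)


def tls_encrypt(data: bytes) -> bytes:
    return tls_decrypt(data)         # XOR is its own inverse


def dpi_file_filter(profile: str, clear: bytes) -> str:
    """DPI module stand-in implementing a constructed file-filtering profile: deny HTTP
    uploads of Windows executables, detected by the MZ magic at the start of the body or
    by an .exe attachment name in the headers. Returns 'allow' or 'deny'."""
    if profile != "file-filter":
        return "allow"
    headers, _, body = clear.partition(b"\r\n\r\n")
    if body.startswith(b"MZ") or b'.exe"' in headers:
        return "deny"
    return "allow"


class ProxyModule:
    def __init__(self, cfg: ProxyConfig, security_cfgs: dict[int, SecurityConfig],
                 dpi: Callable[[str, bytes], str]):
        self.cfg = cfg
        self.security_cfgs = security_cfgs      # security part of the "total configuration"
        self.dpi = dpi

    def handle(self, pkt: TaggedPacket) -> tuple[str, Optional[bytes]]:
        """Return (action, outbound bytes). Actions: forward, drop, drop_config_error."""
        clear = tls_decrypt(pkt.ciphertext)                         # step 210
        if pkt.fw_id is None:
            return "forward", self._outbound(clear)                 # decrypt only, no DPI
        sec = self.security_cfgs.get(pkt.fw_id)                     # step 220
        if sec is None:
            # fw_id was recorded, but this process holds no matching security
            # configuration: the two processes' configuration files disagree.
            # Fail closed (editorial choice) instead of silently skipping inspection.
            return "drop_config_error", None
        verdict = self.dpi(sec.dpi_profile, clear)                  # steps 230-240
        if verdict == "deny":
            return "drop", None                                     # step 250, prohibit
        return "forward", self._outbound(clear)                     # step 250, permit

    def _outbound(self, clear: bytes) -> bytes:
        return tls_encrypt(clear) if self.cfg.reencrypt_to_server else clear


# Constructed sample configuration and HTTP requests carried over the stand-in TLS layer.
PROXY_CFG = ProxyConfig("0.0.0.0", 443, ("TLS_AES_128_GCM_SHA256",),
                        "/etc/fw/tls/proxy.pem", "/etc/fw/tls/proxy.key", True)
SECURITY_CFGS = {101: SecurityConfig(101, "file-filter")}
BENIGN = b"POST /upload HTTP/1.1\r\nHost: app.internal\r\n\r\nhello"
EXE_UPLOAD = (b"POST /upload HTTP/1.1\r\nHost: app.internal\r\n"
              b'Content-Disposition: form-data; name="f"; filename="tool.exe"\r\n\r\nMZ\x90\x00')


def run_examples() -> list[str]:
    proxy = ProxyModule(PROXY_CFG, SECURITY_CFGS, dpi_file_filter)
    return [
        proxy.handle(TaggedPacket(tls_encrypt(BENIGN), 101))[0],       # forward
        proxy.handle(TaggedPacket(tls_encrypt(EXE_UPLOAD), 101))[0],   # drop
        proxy.handle(TaggedPacket(tls_encrypt(EXE_UPLOAD), None))[0],  # forward, no DPI
        proxy.handle(TaggedPacket(tls_encrypt(EXE_UPLOAD), 999))[0],   # drop_config_error
    ]
```

The last case is the failure mode the page warns about: the security process recorded an fw_id that the proxy process's static configuration does not know. Treating it as a configuration error rather than as "no inspection required" keeps the decrypt-only path distinguishable from a stale or mismatched configuration.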
In the program design, each module's configuration for a given policy is unique and the configuration files are static. If several DPI policies, access control policies and proxy policies exist, several corresponding configuration files are generated, and because the proxy service and the security service run in different, independent processes, the intended security inspection cannot take place if the correspondence between the configuration files cannot be determined. The invention therefore uses the unique identifier fw_id of the access control policy as the matching key between the service configurations: after decryption the proxy module 4 obtains the fw_id hit by the packet, looks up the corresponding security configuration by that identifier (the dynamic configuration lookup), and then passes the packet to the deep packet inspection module 5 according to that security configuration, which inspects the decrypted packet. This realizes the mapping between the security service and the proxy service.
Specifically, referring to fig. 4, fig. 4 is a schematic diagram of the relationship between the policy configuration files in this embodiment.
In the firewall device, the proxy module 4 maintains a total configuration comprising the proxy configuration and the security configuration. When a proxy policy is configured, a proxy configuration file corresponding to that policy is generated; it specifies the IP address and port the proxy module 4 must listen on, the encryption mode (cipher suite) negotiated in the SSL handshake, the certificate and the private key, and serves mainly to provide SSL encryption and decryption. If no proxy policy is configured, no proxy configuration is generated and SSL encryption and decryption cannot be performed.
Configuring a deep packet inspection policy generates a deep packet inspection configuration file.
Configuring an access control policy that references the configured DPI policy generates the configuration file corresponding to that access control policy, which includes the configuration of the referenced DPI policy. At the same time a security configuration is generated; it forms part of the total configuration maintained by the proxy module 4 and is what the proxy module 4 uses to decide whether decrypted traffic needs deep security inspection. If no access control policy is configured, or the access control policy references no DPI policy, no corresponding security configuration is generated and decrypted traffic cannot be inspected.
With the policies correctly configured, the proxy module 4 first performs SSL decryption of the traffic according to the proxy configuration, finds the corresponding security configuration by the fw_id obtained during traffic processing, and according to that configuration passes the decrypted traffic to the deep packet inspection process for security inspection.
In a specific embodiment, the encrypted traffic detection method is applied to a scenario of filtering files in encrypted traffic, and includes the following steps:
A proxy policy is configured in the firewall, together with an access control policy that references a file filtering policy.
When an encrypted packet passing through the device matches both the proxy policy and the access control policy that references the file filtering policy, the access control policy ID is first recorded in the packet, and the packet is then passed to the proxy module 4.
The proxy module 4 performs SSL decryption on the encrypted packet and then obtains the access control policy ID through a data socket.
Using the obtained access control policy ID, the proxy module 4 searches the security configuration section of its configuration for the corresponding configuration block and obtains the security configuration related to the file filtering policy.
From the obtained security configuration, the proxy module 4 determines that the decrypted packet requires file filtering, and sends a file filtering detection request, the file information and other related data to the deep packet inspection module 5.
On receiving the request, the deep packet inspection module 5 parses the inspection type specified in the request, calls the file filtering module to perform the inspection, and returns the inspection result to the proxy module 4.
The proxy module 4 receives the file filtering detection result and processes the packet according to the action specified in the configuration.
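The configuration relationship described above (proxy configuration, and a security configuration keyed by the access control policy's fw_id) and the file filtering procedure just listed, as an added Python simulation that is not code from the patent or from any Topsec product. It assumes constructed policies and packets, an XOR stand-in for SSL encryption and decryption, destination port as the only match condition, magic-byte file typing in place of a real file filtering module, and a default drop for traffic that matches neither a proxy policy nor an access control policy (the patent does not specify that case). The point it shows is that the proxy module performs exactly one lookup by fw_id after decryption and never re-matches the proxy or access control policies on the plaintext.

```python
"""Added example, not code from the patent: simulation of the fw_id-keyed design.
The security system records the access control policy ID (fw_id) in the packet; the
proxy module, after decryption, uses that single ID to find its security configuration."""
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class DpiPolicy:
    name: str
    check_type: str        # kind of deep inspection, e.g. "file_filter"
    blocked_types: set     # file types the filter rejects (constructed)
    action: str = "drop"   # what the proxy does on a "prohibit" verdict

@dataclass
class AccessControlPolicy:
    fw_id: int               # unique identifier, the matching key between configs
    dst_port: int            # assumed match condition: destination port only
    dpi_ref: Optional[str]   # name of the referenced DPI policy, or None

@dataclass
class Packet:
    dst_port: int
    ciphertext: bytes
    fw_id: Optional[int] = None   # written by the security system on an ACL hit

def build_configs(proxy_policies, acl_policies, dpi_policies):
    """Static configuration generation.  proxy_policies are (listen_port, key) pairs.
    The proxy configuration is keyed by port, the security configuration by fw_id;
    an ACL that references no DPI policy yields no security configuration block."""
    proxy_config = dict(proxy_policies)
    dpi_by_name = {d.name: d for d in dpi_policies}
    security_config: Dict[int, DpiPolicy] = {}
    for acl in acl_policies:
        if acl.dpi_ref is None:
            continue
        if acl.dpi_ref not in dpi_by_name:
            raise ValueError(f"ACL {acl.fw_id} references unknown DPI policy {acl.dpi_ref}")
        security_config[acl.fw_id] = dpi_by_name[acl.dpi_ref]
    return proxy_config, security_config

def xor_crypt(data: bytes, key: int) -> bytes:
    """Constructed stand-in for SSL encryption/decryption (self-inverse)."""
    return bytes(b ^ key for b in data)

def security_system(pkt: Packet, proxy_config, acl_policies) -> str:
    """Security-system side: proxy policy match, ACL match, record fw_id.
    Returns 'proxy', 'forward' or (assumed default when nothing matches) 'drop'."""
    acl = next((a for a in acl_policies if a.dst_port == pkt.dst_port), None)
    if pkt.dst_port not in proxy_config:
        return "forward" if acl else "drop"   # proxy policy miss: plain ACL forwarding
    if acl is not None:
        pkt.fw_id = acl.fw_id                  # record the access control policy ID
    return "proxy"                             # ACL miss still goes to the proxy, without an ID

def deep_packet_inspection(policy: DpiPolicy, plaintext: bytes) -> str:
    """DPI side: run the check type named in the request; 'permit' or 'prohibit'.
    File typing by magic bytes is constructed for the example."""
    if policy.check_type != "file_filter":
        raise ValueError(f"unsupported check type {policy.check_type}")
    if plaintext.startswith(b"MZ"):
        ftype = "exe"
    elif plaintext.startswith(b"%PDF"):
        ftype = "pdf"
    else:
        ftype = "other"
    return "prohibit" if ftype in policy.blocked_types else "permit"

def proxy_module(pkt: Packet, proxy_config, security_config):
    """Proxy side: decrypt, one lookup by fw_id, inspect only when a security
    configuration block exists for that ID, then act on the verdict."""
    plaintext = xor_crypt(pkt.ciphertext, proxy_config[pkt.dst_port])
    if pkt.fw_id is None:
        return "forward", plaintext            # no ACL hit: nothing to inspect
    policy = security_config.get(pkt.fw_id)
    if policy is None:
        return "forward", plaintext            # ACL referenced no DPI policy
    if deep_packet_inspection(policy, plaintext) == "permit":
        return "forward", plaintext
    return policy.action, plaintext

def process(pkt: Packet, proxy_config, acl_policies, security_config) -> str:
    """Path of one packet through the security system and then the proxy module."""
    where = security_system(pkt, proxy_config, acl_policies)
    return where if where != "proxy" else proxy_module(pkt, proxy_config, security_config)[0]

def demo() -> List[str]:
    """Constructed policies and packets exercising the hit and miss paths."""
    key = 0x5A
    dpi = [DpiPolicy("ff1", "file_filter", {"exe"})]
    acls = [AccessControlPolicy(101, 443, "ff1"),
            AccessControlPolicy(102, 8443, None),
            AccessControlPolicy(103, 80, None)]
    proxy_config, security_config = build_configs([(443, key), (8443, key), (9443, key)], acls, dpi)
    packets = [
        Packet(443, xor_crypt(b"MZ\x90\x00", key)),    # exe, ACL 101 -> inspected -> drop
        Packet(443, xor_crypt(b"%PDF-1.7", key)),      # pdf, ACL 101 -> inspected -> forward
        Packet(8443, xor_crypt(b"MZ\x90\x00", key)),   # ACL 102 has no DPI ref -> forward
        Packet(9443, xor_crypt(b"MZ\x90\x00", key)),   # proxy hit, ACL miss -> forward, no ID
        Packet(80, b"plain"),                          # no proxy policy, ACL 103 -> forward
        Packet(22, b"plain"),                          # nothing matches -> drop (assumed)
    ]
    return [process(p, proxy_config, acls, security_config) for p in packets]
```

`demo()` returns the action taken for each constructed packet; the third and fourth cases are the ones the description singles out, where an access control policy without a deep packet inspection reference, or no access control policy at all, leaves the decrypted traffic uninspected because no security configuration block exists for the lookup.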
An embodiment of the present application further provides a security system, which includes a first judgment module, a second judgment module, a recording module and a sending module.
The first judgment module receives the encrypted traffic sent by a client, performs proxy policy matching on the encrypted traffic, and judges whether the encrypted traffic hits a proxy policy. The second judgment module, if the encrypted traffic hits a proxy policy, notifies the proxy module of the hit proxy policy, performs access control policy matching on the encrypted traffic, and judges whether an access control policy is hit. The recording module, if the encrypted traffic is judged to hit an access control policy, records the corresponding access control policy ID in the packet of the encrypted traffic. The sending module sends the encrypted traffic carrying the recorded access control policy ID to the proxy module.
An embodiment of the present application further provides a device, which includes a third judgment module, a configuration module, a sending detection module, a receiving result module and a processing module.
The third judgment module receives the encrypted traffic sent by the security system according to the proxy configuration corresponding to the proxy policy hit in the security system, decrypts the encrypted traffic to obtain a decrypted packet, and judges whether the decrypted packet carries an access control policy ID. The configuration module, if the decrypted packet carries an access control policy ID, searches for the corresponding security configuration according to that ID. The sending detection module sends the decrypted packet to the deep packet inspection module according to the found security configuration. The receiving result module receives the detection result returned by the deep packet inspection module, where the detection result comprises permit sending and prohibit sending. The processing module determines whether to forward the decrypted packet according to the detection result.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The apparatus embodiments described above are merely illustrative: for example, the division into units is only one logical division, and other divisions are possible in actual implementation; a plurality of units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the coupling, direct coupling or communication connection shown or discussed may be through communication interfaces, as indirect coupling or communication connection between devices or units, and may be electrical, mechanical or of another form.
In addition, units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
Furthermore, the functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
In this document, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (10)

1. A method for detecting encrypted traffic, applied to a security system, the method comprising:
receiving encrypted traffic sent by a client, performing proxy policy matching on the encrypted traffic, and judging whether the encrypted traffic hits a proxy policy;
if the encrypted traffic is judged to hit the proxy policy, notifying the hit proxy policy to a proxy module, performing access control policy matching on the encrypted traffic, and judging whether an access control policy is hit;
if the encrypted traffic is judged to hit the access control policy, recording the corresponding access control policy ID in the packet of the encrypted traffic; and
sending the encrypted traffic with the recorded access control policy ID to the proxy module.
2. The method of claim 1, wherein after judging whether the encrypted traffic hits a proxy policy, the method further comprises:
if the encrypted traffic is judged to miss the proxy policy, performing access control policy matching; and
forwarding the encrypted traffic according to the matched access control policy.
3. The method of claim 1, wherein after judging whether the encrypted traffic hits an access control policy, the method further comprises:
if the encrypted traffic is judged to miss the access control policy, sending the encrypted traffic to the proxy module.
4. The method of claim 1, wherein after sending the encrypted traffic with the recorded access control policy ID to the proxy module, the method further comprises:
receiving the packet that has passed deep packet inspection, sent by the proxy module, and forwarding it to the server.
5. The method of claim 1, wherein before receiving the encrypted traffic sent by the client, the method further comprises:
acquiring a deep packet inspection policy, an access control policy and a proxy policy;
generating a deep packet inspection configuration file according to the deep packet inspection policy, and sharing the deep packet inspection configuration file with the proxy module;
generating an access control configuration file according to the access control policy, and sharing the access control configuration file with the proxy module; generating a proxy configuration file according to the proxy policy, and sharing the proxy configuration file with the proxy module;
wherein the deep packet inspection configuration file is configured to be referenced by the access control configuration file.
6. A method for detecting encrypted traffic, applied to a proxy module, the method comprising:
receiving, according to the proxy configuration corresponding to the proxy policy hit in the security system, the encrypted traffic sent by the security system, decrypting the encrypted traffic to obtain a decrypted packet, and judging whether the decrypted packet carries an access control policy ID;
if the decrypted packet carries an access control policy ID, searching for the corresponding security configuration according to the access control policy ID;
sending the decrypted packet to a deep packet inspection module according to the found security configuration;
receiving a detection result returned by the deep packet inspection module, wherein the detection result comprises permit sending and prohibit sending; and
determining whether to forward the decrypted packet according to the detection result.
7. The method of claim 6, wherein before receiving the encrypted traffic sent by the security system, the method further comprises:
acquiring the deep packet inspection configuration file, the access control configuration file and the proxy configuration file generated by the security system, wherein the deep packet inspection configuration file is configured to be referenced by the access control configuration file; and
generating the corresponding security configuration according to the access control configuration file, and generating the corresponding proxy configuration according to the proxy configuration file.
8. The method of claim 7, wherein determining whether to forward the decrypted packet according to the detection result comprises:
if the detection result is permit sending, sending the decrypted packet to the forwarding module according to the proxy configuration, or re-encrypting the decrypted packet and sending the re-encrypted packet to the forwarding module.
9. A security system, comprising:
a first judgment module, configured to receive encrypted traffic sent by a client, perform proxy policy matching on the encrypted traffic, and judge whether the encrypted traffic hits a proxy policy;
a second judgment module, configured to notify a proxy module of the hit proxy policy if the encrypted traffic is judged to hit the proxy policy, perform access control policy matching on the encrypted traffic, and judge whether an access control policy is hit;
a recording module, configured to record the corresponding access control policy ID in the packet of the encrypted traffic if the encrypted traffic is judged to hit the access control policy; and
a sending module, configured to send the encrypted traffic with the recorded access control policy ID to the proxy module.
10. A proxy module, comprising:
a third judgment module, configured to receive, according to the proxy configuration corresponding to the proxy policy hit in the security system, the encrypted traffic sent by the security system, decrypt the encrypted traffic to obtain a decrypted packet, and judge whether the decrypted packet carries an access control policy ID;
a configuration module, configured to search for the corresponding security configuration according to the access control policy ID if the decrypted packet carries an access control policy ID;
a sending detection module, configured to send the decrypted packet to a deep packet inspection module according to the found security configuration;
a receiving result module, configured to receive a detection result returned by the deep packet inspection module, wherein the detection result comprises permit sending and prohibit sending; and
a processing module, configured to determine whether to forward the decrypted packet according to the detection result.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211582751.XA CN115801442A (en) 2022-12-08 2022-12-08 Encrypted traffic detection method, security system and agent module

Publications (1)

Publication Number Publication Date
CN115801442A (en) 2023-03-14

Family

ID=85418609

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116471125A (en) * 2023-06-19 2023-07-21 杭州美创科技股份有限公司 Encryption database flow auditing method, device, computer equipment and storage medium
CN116471125B (en) * 2023-06-19 2023-09-08 杭州美创科技股份有限公司 Encryption database flow auditing method, device, computer equipment and storage medium
CN117938544A (en) * 2024-03-19 2024-04-26 杭州海康威视数字技术股份有限公司 Flow control method, device and equipment
CN117938544B (en) * 2024-03-19 2024-06-07 杭州海康威视数字技术股份有限公司 Flow control method, device and equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination