CN116633581A - Data processing method, device, electronic equipment and storage medium - Google Patents


Info

Publication number
CN116633581A
Authority
CN
China
Prior art keywords
ssl
client
server
tcp
packet
Prior art date
Legal status
Pending
Application number
CN202310226301.5A
Other languages
Chinese (zh)
Inventor
樊俊诚
吴亚东
王阳
Current Assignee
Qianxin Technology Group Co Ltd
Secworld Information Technology Beijing Co Ltd
Original Assignee
Qianxin Technology Group Co Ltd
Secworld Information Technology Beijing Co Ltd
Priority date
Filing date
Publication date
Application filed by Qianxin Technology Group Co Ltd and Secworld Information Technology Beijing Co Ltd
Priority to CN202310226301.5A
Publication of CN116633581A
Legal status: Pending

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L 63/00 Network architectures or network communication protocols for network security
                    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
                        • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                            • H04L 63/1416 Event detection, e.g. attack signature detection
                    • H04L 63/16 Implementing security features at a particular protocol layer
                        • H04L 63/168 Implementing security features at a particular protocol layer above the transport layer
                • H04L 12/00 Data switching networks
                    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
                        • H04L 12/46 Interconnection of networks
                            • H04L 12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
                • H04L 67/00 Network arrangements or protocols for supporting network services or applications
                    • H04L 67/01 Protocols
                        • H04L 67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
        • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
            • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
                • Y02D 30/00 Reducing energy consumption in communication networks
                    • Y02D 30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The application provides a data processing method, a data processing device, electronic equipment and a storage medium, and relates to the technical field of communication. In the method, SSL connections are monitored in the HTTP tunnel communication scenario, so that when the devices at both ends exchange data through an HTTP tunnel, packets carried over the SSL protocol can be detected; the packets that genuinely need SSL proxy processing are thereby identified, can be decrypted by the SSL proxy and then subjected to attack detection. This effectively reduces the problem of attackers evading detection through an HTTP tunnel and improves data security.

Description

Data processing method, device, electronic equipment and storage medium
Technical Field
The present application relates to the field of communications technologies, and in particular, to a data processing method, a data processing device, an electronic device, and a storage medium.
Background
The advent of Hypertext Transfer Protocol (HTTP) tunnels facilitates user access to the network, breaking through many network access restrictions. It also provides powerful tools for attackers to carry out network attacks; for example, currently popular Trojan horse techniques generally use tunneling to penetrate users' security protection facilities in order to steal users' private information.
However, if the devices at both ends communicate using another protocol inside the tunnel, HTTP tunnel detection technology cannot obtain the plaintext data and therefore cannot perform attack detection, so an attacker can easily use this to evade detection, and data security cannot be ensured.
Disclosure of Invention
An embodiment of the application aims to provide a data processing method, a device, electronic equipment and a storage medium, in order to solve the problem in the prior art that data communicated using other protocols cannot be subjected to attack detection by HTTP tunnel detection technology, so that data security is low.
In a first aspect, an embodiment of the present application provides a data processing method, where the method includes:
after detecting that a TCP packet sent by a client to a server contains interaction information of an HTTP tunnel, monitoring for the first packet of the SSL handshake protocol sent by the client to the server;
if the first packet of the SSL handshake protocol sent by the client to the server is detected, decrypting, through an SSL proxy, the subsequently received TCP packets that need SSL proxy processing.
In this implementation, SSL connections are monitored in the HTTP tunnel communication scenario, so that when the devices at both ends exchange data through an HTTP tunnel, packets carried over the SSL protocol can be detected; the packets that genuinely need SSL proxy processing are identified, can be decrypted by the SSL proxy and then subjected to attack detection, the problem of attackers evading detection through an HTTP tunnel is effectively reduced, and data security is improved.
Optionally, after detecting that the TCP packet sent by the client to the server contains the interaction information of the HTTP tunnel, the method further includes:
setting a flag for monitoring the SSL connection, where the flag indicates that the first packet of the SSL handshake protocol sent by the client to the server is to be monitored.
In this implementation, the flag for monitoring the SSL connection is set only after HTTP tunnel communication has been detected, so the network security device does not need to monitor every packet from the start of the connection, and detection efficiency is improved.
Optionally, after detecting the first packet of the SSL handshake protocol sent by the client to the server, the method further includes:
clearing the flag for monitoring the SSL connection. The network security device then does not need to perform SSL connection detection on each subsequent packet, which reduces resource usage and improves detection efficiency.
Optionally, before detecting that the TCP packet sent by the client to the server contains the interaction information of the HTTP tunnel, the method further includes:
receiving the TCP connection request packet sent by the client when it establishes a connection with the server;
determining whether the TCP connection request packet indicates that the connection being established between the client and the server is expected to undergo SSL proxy processing;
if so, setting a flag for monitoring the SSL connection, where the flag indicates that the first packet of the SSL handshake protocol sent by the client to the server is to be monitored.
In this implementation, SSL connection detection begins when the TCP connection is first established, so the accuracy of SSL connection detection is increased by detecting at multiple points; whether an SSL proxy is really needed is determined reliably, attackers are prevented from evading detection by way of the proxy, and data security is improved.
Optionally, determining whether the TCP connection request packet indicates that the connection being established between the client and the server is expected to undergo SSL proxy processing includes:
matching the TCP connection request packet against decryption policy information and, if it matches, determining that the TCP connection request packet indicates that the connection being established between the client and the server is expected to undergo SSL proxy processing, where the decryption policy information includes at least one of the following: source IP address, destination IP address, source port, destination port, and protocol information.
Optionally, after setting the flag for monitoring the SSL connection, the method further includes:
detecting whether the first TCP packet sent by the client is not the first packet of the SSL handshake protocol but is an HTTP packet;
if so, detecting whether the TCP packet sent by the client to the server contains the interaction information of the HTTP tunnel.
In this implementation, the first TCP packet is examined to determine whether the connection is an SSL connection or HTTP tunnel communication: if it is an SSL connection, subsequent packets need not be examined for this purpose; if it is not an SSL connection, subsequent packets continue to be examined. Detection is thus performed only when needed, and detection efficiency is improved.
Optionally, monitoring whether the TCP packet sent by the client to the server contains interaction information of the HTTP tunnel includes:
monitoring, through a preconfigured HTTP tunnel detector, whether the TCP packet sent by the client to the server contains interaction information of the HTTP tunnel. The network security device can then free resources to handle other tasks, and resource utilization is higher.
Optionally, after detecting that the first TCP packet sent by the client is not the first packet of the SSL handshake protocol but is an HTTP packet, the method further includes:
clearing the flag for monitoring the SSL connection.
In this implementation, the first TCP packet being an HTTP packet rather than the first packet of the SSL handshake protocol indicates that the client and the server are in ordinary HTTP communication rather than SSL connection communication, so the SSL connection flag can be cleared at this point; subsequent TCP packets then need not each be checked for an SSL connection, which effectively improves detection efficiency and reduces resource usage.
Optionally, the subsequently received TCP packets that need SSL proxy processing are determined by:
matching the subsequently received TCP packet against decryption policy information and, if it matches, determining that the subsequently received TCP packet needs SSL proxy processing, where the decryption policy information includes at least one of the following: source IP address, destination IP address, source port, destination port, protocol information, and Server Name Indication (SNI).
In a second aspect, an embodiment of the present application provides a data processing apparatus, including:
a monitoring module, configured to monitor for the first packet of the SSL handshake protocol sent by the client to the server after detecting that the TCP packet sent by the client to the server contains the interaction information of the HTTP tunnel; and
a processing module, configured to decrypt, through an SSL proxy, the subsequently received TCP packets that need SSL proxy processing if the first packet of the SSL handshake protocol sent by the client to the server is detected.
In a third aspect, an embodiment of the present application provides an electronic device comprising a processor and a memory storing computer readable instructions which, when executed by the processor, perform the steps of the method as provided in the first aspect above.
In a fourth aspect, embodiments of the present application provide a computer readable storage medium having stored thereon a computer program which when executed by a processor performs the steps of the method as provided in the first aspect above.
Additional features and advantages of the application will be set forth in the description which follows, and in part will be apparent from the description, or may be learned by practice of the embodiments of the application. The objectives and other advantages of the application will be realized and attained by the structure particularly pointed out in the written description and claims thereof as well as the appended drawings.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and should not be considered as limiting the scope, and other related drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of a data processing method according to an embodiment of the present application;
FIG. 2 is a block diagram of a data processing apparatus according to an embodiment of the present application;
FIG. 3 is a schematic structural diagram of an electronic device for executing the data processing method according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application.
It should be noted that the terms "system" and "network" in the embodiments of the present application may be used interchangeably. "Plurality" means two or more, and may also be understood as "at least two" in the embodiments of the present application. "And/or" describes an association relationship between associated objects and indicates that three relationships may exist; for example, "A and/or B" may indicate that A exists alone, that A and B exist together, or that B exists alone. The character "/", unless otherwise specified, generally indicates that the associated objects are in an "or" relationship.
The embodiment of the application provides a data processing method which, after detecting that a TCP packet sent by a client to a server contains the interaction information of an HTTP tunnel, monitors for the first packet of the SSL handshake protocol sent by the client to the server and, if it is detected, decrypts the subsequent TCP packets that need SSL proxy processing through the SSL proxy. This ensures that, in the scenario of data exchange through an HTTP tunnel, the packets that genuinely need SSL proxy processing are detected, can be decrypted by the SSL proxy and then subjected to attack detection, which effectively reduces the problem of attackers evading detection through the HTTP tunnel and improves data security.
Referring to fig. 1, fig. 1 is a flowchart of a data processing method according to an embodiment of the present application, where the method includes the following steps:
Step S110: after detecting that the TCP packet sent by the client to the server contains the interaction information of the HTTP tunnel, monitoring for the first packet of the SSL handshake protocol sent by the client to the server.
Before data communication between the client and the server, a connection needs to be established; for example, an HTTP tunnel is established for data transmission. In the embodiments of the present application, an HTTP tunnel means that a tunnel is established between the client and the server to be connected using the HTTP protocol, and the communication between the client and the server is then carried over that tunnel.
When the connection is established, the client needs to send a connection request, such as an HTTP CONNECT request, to the server. HTTP tunneling encapsulates all data to be transmitted in the HTTP protocol, and after the HTTP tunnel is established between the client and the server, a TCP flow exists between them over which any data can be transmitted.
To ensure data security, the client and the server may communicate over an SSL connection, and to detect whether the communication contains a network attack, SSL proxy technology is used to decrypt the communicated data before attack detection. If the client and the server communicate through an HTTP tunnel, the network security device (such as a firewall) only decapsulates the received data according to the HTTP protocol; if an attacker sends data using the Secure Sockets Layer (SSL) protocol inside the tunnel, that data cannot be decapsulated and its content cannot be obtained, so the attacker can easily evade detection in this way. Therefore, to improve on this problem, in the embodiments of the present application, when the client and the server communicate through an HTTP tunnel, the SSL connection between them is monitored to identify whether an SSL connection exists and, further, whether SSL proxy processing is required.
After the client establishes a TCP connection with the server, if it needs to exchange data with the server, it sends TCP packets to the server; if a TCP packet contains the interaction information of the HTTP tunnel, the client wants to communicate with the server through an HTTP tunnel. The network security device can therefore monitor the data sent by the client to the server to determine whether the TCP packets contain the interaction information of the HTTP tunnel.
The network security device is deployed between the client and the server, and the network security device can perform security management on data sent to the server by the client and data sent to the client by the server, so that the security of data interaction between the client and the server is ensured.
The interaction information of the HTTP tunnel may be understood as an identifier of the HTTP tunnel, or other information characterizing the HTTP tunnel, such as an HTTP CONNECT request sent by the client, where the request indicates that the client wants to communicate with the server through the HTTP tunnel.
Therefore, after the TCP connection is established between the client and the server, the network security device can monitor the TCP packets sent by the client, and once a TCP packet is found to contain the interaction information of the HTTP tunnel, it can begin monitoring for the first packet of the SSL handshake protocol sent by the client to the server. The first packet of the SSL handshake protocol indicates that the client wants to establish an SSL connection with the server and communicate through it.
Step S120: if the first packet of the SSL handshake protocol sent by the client to the server is detected, decrypting, through the SSL proxy, the subsequently received TCP packets that need SSL proxy processing.
After the network security device detects that a TCP packet contains the interaction information of the HTTP tunnel, it can inspect the TCP packets the client subsequently sends to the server to determine whether the client sends the first packet of the SSL handshake protocol; for example, the first packet of the SSL handshake protocol is the Client Hello packet of the SSL handshake. If the network security device detects that a packet sent by the client to the server is the first packet of the SSL handshake protocol, the client wants to communicate with the server via an SSL connection, and the packets communicated over that SSL connection need to be processed by an SSL proxy service.
The SSL proxy service may be deployed in the network security device or on another device. After the network security device detects the first packet of the SSL handshake protocol, it hands the subsequently received TCP packets that need SSL proxy processing to the SSL proxy service, for example by initializing an SSL protocol stack to perform the proxy processing. The SSL proxy service decrypts the received TCP packets and extracts the plaintext, and the network security device or the SSL proxy service performs security detection on the plaintext: if attack information is found, the packet can be handled accordingly, for example by intercepting it, discarding it or outputting alarm information; if no attack information is found, the packet can be forwarded.
The TCP packets that need SSL proxy processing may be determined as follows:
matching each subsequently received TCP packet against the decryption policy information and, if it matches, determining that the packet needs SSL proxy processing, where the decryption policy information includes at least one of the following: source IP address, destination IP address, source port, destination port, protocol information, Server Name Indication (SNI) information, and so on.
It will be appreciated that multiple pieces of decryption policy information are configured in the network security device; they indicate that packets matching this decryption policy information need to be decrypted by the SSL proxy service.
As an example, the following decryption policy information is preconfigured in the network security device:
After the network security device subsequently receives a TCP packet, it parses the above decryption policy information out of the packet and matches the parsed information against the preconfigured decryption policy information; if some piece of decryption policy information matches, the TCP packet needs SSL proxy processing and can be handed to the SSL proxy service for the relevant processing.
Of course, if the decryption policy information parsed from a TCP packet matches none of the preconfigured decryption policy information, the packet does not need SSL proxy processing and may be handled according to the processing logic preconfigured on the network security device, such as discarding or forwarding.
In this implementation, SSL connections are monitored in the HTTP tunnel communication scenario, so that when the devices at both ends exchange data through an HTTP tunnel, packets carried over the SSL protocol can be detected; the packets that genuinely need SSL proxy processing are identified, can be decrypted by the SSL proxy and then subjected to attack detection, the problem of attackers evading detection through an HTTP tunnel is effectively reduced, and data security is improved.
On the basis of the above embodiment, so that the relevant process in the network security device knows when to monitor the SSL connection, a flag for monitoring the SSL connection may be set after the TCP packet sent by the client to the server is found to contain the interaction information of the HTTP tunnel; the flag indicates that the first packet of the SSL handshake protocol sent by the client to the server is to be monitored.
Once the flag for monitoring the SSL connection is set, the network security device monitors the SSL connection according to the flag. If the flag were not set after HTTP tunnel communication is detected, the network security device would not monitor the SSL connection, and SSL connection communication in the HTTP tunnel scenario could not be identified.
The network security device could also monitor for SSL connections by default, but that is inefficient; instead, the flag is set after HTTP tunneling is detected, so the network security device need not monitor every packet from the start, which improves detection efficiency.
On the basis of the above embodiment, after the first packet of the SSL handshake protocol sent by the client to the server is detected, the flag for monitoring the SSL connection may be cleared, i.e. the flag that was set is removed.
If the flag were not cleared, then after detecting the first packet of the SSL handshake protocol the network security device would go on checking whether each subsequent packet is the first packet of the SSL handshake protocol, which is unnecessary for every packet; leaving the flag set is therefore inefficient.
On the basis of the above embodiment, to improve the accuracy of SSL connection detection, before monitoring whether the TCP packet sent by the client to the server contains the interaction information of the HTTP tunnel, the TCP connection request packet sent by the client when it establishes a connection with the server may also be received, and it is determined whether the TCP connection request packet indicates that the connection being established between the client and the server is expected to undergo SSL proxy processing; if so, a flag for monitoring the SSL connection is set, where the flag indicates that the first packet of the SSL handshake protocol sent by the client to the server is to be monitored.
When the client and the server first establish a TCP connection, the client sends a TCP connection request packet, namely a TCP SYN packet, to the server. The network security device intercepts this packet first and determines whether the connection is expected to undergo SSL proxy processing; if so, it sets the flag for monitoring the SSL connection.
The flag set here is the same kind of flag as in the previous embodiment: it indicates that the first packet of the SSL handshake protocol sent by the client to the server is to be monitored. For ease of description, the flag in the previous embodiment may be called the flag set at the second detection, and this flag the flag set at the first detection.
The flag of the first detection is set when the TCP connection request packet is observed, and the flag of the second detection is set when a TCP packet is found to contain the interaction information of the HTTP tunnel. The first detection sets the flag to record whether SSL proxy processing is expected for the initial connection: if so, subsequent monitoring for HTTP tunneling is performed; if not, the connection is not expected to undergo SSL proxy processing, and the network security device may process it according to its own original logic, for example without monitoring for the first packet of the SSL handshake protocol. The flag set at the first detection therefore tells the network security device that subsequent packets on this connection are to be checked for the first packet of the SSL handshake protocol, in order to determine the packets that actually need SSL proxy processing.
In the above embodiment, it may be determined whether the TCP connection request packet characterizes that the connection established between the client and the server desires SSL proxy processing by:
and carrying out decryption policy information matching on the TCP connection request packet, and if so, determining that the TCP connection request packet characterizes the connection established between the client and the server to expect SSL proxy processing, wherein the decryption policy information comprises at least one of the following: source ip address, destination ip address, source port, destination port, and protocol information.
Wherein, when the decryption policy information is matched, a plurality of pieces of decryption policy information are preconfigured in the network security device, and as shown in the table in the above embodiment, the information matching is only the matching which does not contain the SNI information, and the matching of the rest information is the same. The TCP connection request packet is firstly analyzed, at least one of a source ip address, a destination ip address, a source port, a destination port and protocol information carried by the TCP connection request packet is obtained, then the TCP connection request packet is matched with each piece of decryption strategy information in the table, and if a certain piece of decryption strategy information is matched, the connection established between the client and the server is characterized in that SSL proxy processing is expected.
In the implementation process, the SSL connection is detected by initially establishing the TCP connection, so that the accuracy of detecting the SSL connection can be increased through multiple times of detection, whether the SSL proxy is needed or not is truly judged, the attack is prevented from escaping by using the proxy, and the data security is improved.
In the above embodiment, after the mark for monitoring the SSL connection has been set in the first detection, it may also be detected whether the first TCP packet sent by the client is the first packet of a non-SSL handshake protocol and is an HTTP packet; if so, it is detected whether the TCP packets sent by the client to the server contain the interaction information of an HTTP tunnel.
That is, the mark set in the first detection is used to detect whether the first TCP packet is the first packet of a non-SSL handshake protocol and is an HTTP packet. If the first TCP packet is not the first packet of the SSL handshake protocol but is an HTTP packet, the client and the server are in ordinary HTTP communication, so a further detection of whether this is HTTP tunnel communication can be performed. If the first TCP packet is the first packet of the SSL handshake protocol, the client and the server need SSL connection communication, and the subsequent packets that need SSL proxy processing can be handed directly to the SSL proxy.
In the above embodiment, after it is detected that the first TCP packet sent by the client to the server is the first packet of a non-SSL handshake protocol and is an HTTP packet, the mark set for monitoring the SSL connection may be cleared.
Because the first TCP packet is not the first packet of the SSL handshake protocol but is an HTTP packet, the client and the server are in ordinary HTTP communication rather than SSL connection communication, so the mark for the SSL connection can be cleared at this point. Subsequent TCP packets then need not be checked for an SSL connection, which effectively improves detection efficiency and reduces resource usage. Instead, once the later detection finds that a TCP packet contains the interaction information of an HTTP tunnel, the mark is set again, and at that point the SSL connection can be detected once more for communication under the HTTP tunnel scenario.
Of course, if the first TCP packet is the first packet of the SSL handshake protocol, the mark for monitoring the SSL connection may also be cleared: the SSL connection has already been determined at this point, so there is no need to detect the SSL connection later, and detection efficiency is improved.
It will be appreciated that if the mark set in the first detection is not cleared, the first packet of the SSL handshake protocol is detected for every TCP packet. If a TCP packet is detected to be the first packet of a non-SSL handshake protocol and an HTTP packet, HTTP tunnel detection is entered; if HTTP tunnel communication is then detected, the mark need not be set again, since it is already set, and monitoring for the first packet of the SSL handshake protocol simply continues.
That is, the marks set in the two detections of the foregoing embodiment may be cleared after the corresponding information is detected, so as to improve detection efficiency. If the mark set in the first detection is not cleared, it need not be set again in the second detection; it may of course be set again, in which case the two settings merely repeat each other and the execution logic of the whole method is unaffected.
On the basis of the above embodiment, when detecting HTTP tunnel communication, whether the TCP packets sent by the client to the server contain the interaction information of an HTTP tunnel may also be monitored by an HTTP tunnel detector preconfigured in the network security device.
For example, when the first TCP packet is detected to be the first packet of a non-SSL handshake protocol and an HTTP packet, the HTTP tunnel detector is started and HTTP tunnel communication is detected by it, so that the network security device can free resources to process other tasks and resource utilization is higher.
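As an added illustration (not code from the patent or the applicant), the following Python sketches the two-stage marking logic described above as one per-connection state machine: policy matching on the connection request without SNI, clearing the mark when the first packet is plain HTTP, setting it again when an HTTP CONNECT tunnel request is seen, and matching with SNI once the first SSL handshake packet has been observed. The policy fields, the CONNECT heuristic, the decision strings and the `sni` argument (standing in for the server name the device would parse from the ClientHello) are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

HTTP_METHODS = {b"GET", b"POST", b"PUT", b"HEAD", b"DELETE", b"OPTIONS", b"CONNECT"}

@dataclass(frozen=True)
class DecryptPolicy:
    # One row of the preconfigured decryption policy table; None is a wildcard.
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    proto: Optional[str] = None
    sni: Optional[str] = None

    def matches(self, flow: Dict[str, object], with_sni: bool) -> bool:
        # First detection ignores SNI; the match after the ClientHello includes it.
        fields = ["src_ip", "dst_ip", "src_port", "dst_port", "proto"]
        fields += ["sni"] if with_sni else []
        return all(getattr(self, f) is None or flow.get(f) == getattr(self, f)
                   for f in fields)

def is_ssl_handshake_first_packet(payload: bytes) -> bool:
    # TLS record type 0x16, version 0x03xx, handshake type 0x01 (ClientHello).
    return (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[5] == 0x01)

def is_http_packet(payload: bytes) -> bool:
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    return (len(parts) == 3 and parts[0] in HTTP_METHODS
            and parts[2].startswith(b"HTTP/"))

def is_http_tunnel_request(payload: bytes) -> bool:
    # HTTP CONNECT is the tunnel-establishing request this simple detector keys on.
    return is_http_packet(payload) and payload.startswith(b"CONNECT ")

@dataclass
class Connection:
    flow: Dict[str, object]         # src_ip, dst_ip, src_port, dst_port, proto
    policies: List[DecryptPolicy]
    monitor_ssl: bool = False       # the "mark for monitoring the SSL connection"
    tunnel_detector_on: bool = False
    ssl_detected: bool = False
    seen_first_packet: bool = False

    def on_connection_request(self) -> None:
        # First detection: match the TCP connection request against policy (no SNI).
        if any(p.matches(self.flow, with_sni=False) for p in self.policies):
            self.monitor_ssl = True

    def on_client_packet(self, payload: bytes, sni: Optional[str] = None) -> str:
        # `sni` stands in for the server name parsed from the ClientHello (not shown).
        if self.ssl_detected:
            hit = any(p.matches(self.flow, with_sni=True) for p in self.policies)
            return "ssl-proxy" if hit else "bypass"
        if self.monitor_ssl and is_ssl_handshake_first_packet(payload):
            self.flow["sni"] = sni
            self.ssl_detected = True
            self.monitor_ssl = False            # SSL determined: clear the mark
            return "ssl-detected"
        if not self.seen_first_packet:
            self.seen_first_packet = True
            if self.monitor_ssl and is_http_packet(payload):
                self.monitor_ssl = False        # plain HTTP: clear the mark and
                self.tunnel_detector_on = True  # hand over to the tunnel detector
        if self.tunnel_detector_on and is_http_tunnel_request(payload):
            self.monitor_ssl = True             # second detection: set it again
            return "tunnel-detected"
        return "passthrough"

def run_session(policies, flow, packets):
    # Feed (payload, sni) client-to-server packets through one connection.
    conn = Connection(dict(flow), list(policies))
    conn.on_connection_request()
    return [conn.on_client_packet(payload, sni) for payload, sni in packets]
```

A ClientHello arriving after a plain GET (no tunnel) is deliberately left unmonitored, which is exactly the efficiency trade-off the description makes when it clears the mark.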
Referring to fig. 2, fig. 2 is a block diagram illustrating a data processing apparatus 200 according to an embodiment of the present application, where the apparatus 200 may be a module, a program segment, or a code on an electronic device. It should be understood that the apparatus 200 corresponds to the above embodiment of the method of fig. 1, and is capable of performing the steps involved in the embodiment of the method of fig. 1, and specific functions of the apparatus 200 may be referred to in the above description, and detailed descriptions thereof are omitted herein as appropriate to avoid redundancy.
Optionally, the apparatus 200 includes:
the monitoring module 210 is configured to monitor, after monitoring that the TCP packet sent by the client to the server includes the interaction information of the HTTP tunnel, a first packet of the SSL handshake protocol sent by the client to the server;
and the processing module 220 is configured to, if the first data packet of the SSL handshake protocol sent by the client to the server is detected, decrypt the TCP data packet that needs to be subjected to SSL proxy processing and is subsequently received through SSL proxy.
Optionally, the apparatus 200 further includes:
and the marking module is used for setting a mark for monitoring the SSL connection after monitoring that the TCP data packet sent to the server by the client contains the interactive information of the HTTP tunnel, and the mark is used for indicating to monitor the first data packet of the SSL handshake protocol sent to the server by the client.
Optionally, the marking module is further configured to clear the mark for monitoring the SSL connection after monitoring the first data packet of the SSL handshake protocol sent by the client to the server.
Optionally, the apparatus 200 further includes:
the marking module is used for receiving a TCP connection request packet sent by the client when the client establishes connection with the server before monitoring that the TCP data packet sent by the client to the server contains the interactive information of the HTTP tunnel; judging whether the TCP connection request packet characterizes the connection established between the client and the server to expect SSL proxy processing; if yes, setting a mark for monitoring SSL connection, wherein the mark is used for indicating to monitor the first data packet of the SSL handshake protocol sent to the server by the client.
Optionally, the marking module is configured to match decryption policy information to the TCP connection request packet, and if so, determine that the TCP connection request packet characterizes that the connection established between the client and the server is expected to be subjected to SSL proxy processing, where the decryption policy information includes at least one of the following: source ip address, destination ip address, source port, destination port, and protocol information.
Optionally, the marking module is further configured to detect, after setting a mark for monitoring SSL connection, whether the first TCP packet sent by the client is the first packet of a non-SSL handshake protocol and is an HTTP packet; if yes, detecting whether the TCP data packet sent to the server by the client contains the interactive information of the HTTP tunnel.
Optionally, the marking module is further configured to monitor, through a preconfigured HTTP tunnel detector, whether the TCP packet sent by the client to the server includes interaction information of the HTTP tunnel.
Optionally, the marking module is further configured to clear the mark for monitoring SSL connection after monitoring that the first TCP packet sent by the client is the first packet of a non-SSL handshake protocol and is an HTTP packet.
Optionally, the subsequently received TCP packets requiring SSL proxy processing are determined by:
matching decryption policy information against a subsequently received TCP packet, and if it matches, determining that the subsequently received TCP packet needs SSL proxy processing, where the decryption policy information comprises at least one of the following: source ip address, destination ip address, source port, destination port, protocol information, and server name indication (SNI).
It should be noted that, for convenience and brevity of description, a person skilled in the art will clearly understand that the specific working procedure of the apparatus described above may be found in the corresponding procedure of the foregoing method embodiment, and it is not repeated here.
Referring to fig. 3, fig. 3 is a schematic structural diagram of an electronic device for executing a data processing method according to an embodiment of the present application, where the electronic device may include: at least one processor 310, such as a CPU, at least one communication interface 320, at least one memory 330, and at least one communication bus 340. Wherein the communication bus 340 is used to enable direct connection communication of these components. The communication interface 320 of the device in the embodiment of the present application is used for performing signaling or data communication with other node devices. The memory 330 may be a high-speed RAM memory or a nonvolatile memory (non-volatile memory), such as at least one disk memory. Memory 330 may also optionally be at least one storage device located remotely from the aforementioned processor. The memory 330 has stored therein computer readable instructions which, when executed by the processor 310, perform the method process described above in fig. 1.
It will be appreciated that the configuration shown in fig. 3 is merely illustrative, and that the electronic device may also include more or fewer components than shown in fig. 3, or have a different configuration than shown in fig. 3. The components shown in fig. 3 may be implemented in hardware, software, or a combination thereof.
Embodiments of the present application provide a computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs a method process performed by an electronic device in the method embodiment shown in fig. 1.
The present embodiment discloses a computer program product comprising a computer program stored on a non-transitory computer readable storage medium, the computer program comprising program instructions which, when executed by a computer, are capable of performing the methods provided by the above-described method embodiments, for example, comprising:
after monitoring that the TCP data packet sent to a server by a client contains interaction information of an HTTP tunnel, monitoring a first data packet of an SSL handshake protocol sent to the server by the client;
if the first data packet of the SSL handshake protocol sent to the server by the client is monitored, the subsequent received TCP data packet needing SSL proxy processing is decrypted through SSL proxy.
In summary, the embodiments of the present application provide a data processing method, apparatus, electronic device, and storage medium, where in the method, the SSL connection is monitored in an HTTP tunnel communication scenario, so that when devices at two ends perform data interaction through an HTTP tunnel, it can be ensured that data packets that communicate using the SSL protocol are detected, and further the data packets that really need SSL proxy processing are detected; subsequently, after the data packets are decrypted by the SSL proxy, attack detection can be performed, so that the problem of an attacker using the HTTP tunnel for attack escape is effectively reduced, and data security is improved.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. The above-described apparatus embodiments are merely illustrative, for example, the division of the units is merely a logical function division, and there may be other manners of division in actual implementation, and for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be through some communication interface, device or unit indirect coupling or communication connection, which may be in electrical, mechanical or other form.
Further, the units described as separate units may or may not be physically separate, and units displayed as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
Furthermore, functional modules in various embodiments of the present application may be integrated together to form a single portion, or each module may exist alone, or two or more modules may be integrated to form a single portion.
In this document, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and variations will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the protection scope of the present application.

Claims (12)

1. A method of data processing, the method comprising:
after monitoring that the TCP data packet sent to a server by a client contains interaction information of an HTTP tunnel, monitoring a first data packet of an SSL handshake protocol sent to the server by the client;
if the first data packet of the SSL handshake protocol sent to the server by the client is monitored, the subsequent received TCP data packet needing SSL proxy processing is decrypted through SSL proxy.
2. The method according to claim 1, wherein after detecting that the TCP packet sent from the client to the server includes the interaction information of the HTTP tunnel, the method further comprises:
and setting a mark for monitoring the SSL connection, wherein the mark is used for indicating to monitor the first data packet of the SSL handshake protocol sent to the server by the client.
3. The method of claim 2, wherein upon monitoring a first packet of an SSL handshake protocol sent by the client to the server, the method further comprises:
clearing the flag of monitoring SSL connection.
4. The method according to claim 1, wherein before monitoring that the TCP packet sent from the client to the server includes the HTTP tunnel interaction information, the method further comprises:
receiving a TCP connection request packet sent by the client when the client establishes connection with the server;
judging whether the TCP connection request packet characterizes the connection established between the client and the server to expect SSL proxy processing;
if yes, setting a mark for monitoring SSL connection, wherein the mark is used for indicating to monitor the first data packet of the SSL handshake protocol sent to the server by the client.
5. The method of claim 4, wherein determining whether the TCP connection request packet characterizes the connection established by the client and the server as desiring SSL proxy processing comprises:
and carrying out decryption policy information matching on the TCP connection request packet, and if so, determining that the TCP connection request packet characterizes the connection established between the client and the server to be expected to carry out SSL proxy processing, wherein the decryption policy information comprises at least one of the following: source ip address, destination ip address, source port, destination port, and protocol information.
6. The method of claim 4, wherein after setting the flag to monitor the SSL connection, further comprising:
detecting whether the first TCP data packet sent by the client is the first data packet of a non-SSL handshake protocol and is an HTTP packet;
if yes, detecting whether the TCP data packet sent to the server by the client contains the interactive information of the HTTP tunnel.
7. The method of claim 6, wherein the monitoring whether the TCP packet sent by the client to the server includes the HTTP tunnel interaction information comprises:
and monitoring whether the TCP data packet sent to the server by the client contains interaction information of the HTTP tunnel or not through a pre-configured HTTP tunnel detector.
8. The method of claim 6, wherein upon detecting that the first TCP packet sent by the client is the first packet of a non-SSL handshake protocol and is an HTTP packet, the method further comprises:
clearing the flag of monitoring SSL connection.
9. The method according to any of claims 1-8, characterized by determining subsequently received TCP packets requiring SSL proxy processing by:
matching decryption policy information against a subsequently received TCP data packet, and if it matches, determining that the subsequently received TCP data packet needs SSL proxy processing, wherein the decryption policy information comprises at least one of the following: source ip address, destination ip address, source port, destination port, protocol information, and server name indication (SNI).
10. A data processing apparatus, the apparatus comprising:
the monitoring module is used for monitoring the first data packet of the SSL handshake protocol sent to the server by the client after monitoring that the TCP data packet sent to the server by the client contains the interactive information of the HTTP tunnel;
and the processing module is used for decrypting the TCP data packet which is received subsequently and needs SSL proxy processing through SSL proxy if the first data packet of the SSL handshake protocol sent to the server by the client is monitored.
11. An electronic device comprising a processor and a memory storing computer readable instructions that, when executed by the processor, perform the method of any of claims 1-9.
12. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, performs the method according to any of claims 1-9.
CN202310226301.5A 2023-03-03 2023-03-03 Data processing method, device, electronic equipment and storage medium Pending CN116633581A (en)


Publications (1)

Publication Number Publication Date
CN116633581A true CN116633581A (en) 2023-08-22

Family

ID=87637139




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination