CN118368080A - Enterprise privacy analysis and anomaly discovery method, device, equipment and storage medium - Google Patents

Enterprise privacy analysis and anomaly discovery method, device, equipment and storage medium Download PDF

Info

Publication number
CN118368080A
CN118368080A CN202311615606.1A CN202311615606A CN118368080A CN 118368080 A CN118368080 A CN 118368080A CN 202311615606 A CN202311615606 A CN 202311615606A CN 118368080 A CN118368080 A CN 118368080A
Authority
CN
China
Prior art keywords
certificate
handshake
session
certificates
relation
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311615606.1A
Other languages
Chinese (zh)
Inventor
尹亮
张宏杰
宁志言
王放
郑铁军
李勃
贺建伟
张志军
梁野
彭嘉宁
何纪成
马骁
高英建
施佳锋
多志林
王景
卢楷
王坤
王春艳
李航
王昊
赵兴文
于浩洋
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
State Grid Corp of China SGCC
Xidian University
Beijing Kedong Electric Power Control System Co Ltd
State Grid Ningxia Electric Power Co Ltd
Electric Power Research Institute of State Grid Ningxia Electric Power Co Ltd
State Grid Electric Power Research Institute
Original Assignee
State Grid Corp of China SGCC
Xidian University
Beijing Kedong Electric Power Control System Co Ltd
State Grid Ningxia Electric Power Co Ltd
Electric Power Research Institute of State Grid Ningxia Electric Power Co Ltd
State Grid Electric Power Research Institute
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by State Grid Corp of China SGCC, Xidian University, Beijing Kedong Electric Power Control System Co Ltd, State Grid Ningxia Electric Power Co Ltd, Electric Power Research Institute of State Grid Ningxia Electric Power Co Ltd, State Grid Electric Power Research Institute filed Critical State Grid Corp of China SGCC
Publication of CN118368080A publication Critical patent/CN118368080A/en
Pending legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to an enterprise privacy analysis and anomaly discovery method, device, equipment and storage medium, wherein the method comprises the following steps: collecting certificate traffic in a target network, capturing a handshake data packet from the certificate traffic, and taking the handshake data packet as a target file; sequentially extracting certificates, IP addresses and certificate chains of both parties of a session, and recording the relation between a handshake session id and the certificates and the relation between the handshake session id and the IP addresses in a target file in a target time period; analyzing the certificate data in the certificate chain based on the relation between the handshake session id and the certificate and the relation between the handshake session id and the IP address; and verifying the corresponding flow section according to the certificate data with the abnormal analysis, and confirming whether the corresponding flow section is abnormal according to the verification result. The method can timely detect potentially dangerous abnormal certificate behaviors by collecting and monitoring the certificate flow data among enterprises to obtain the certificate information.

Description

Enterprise privacy analysis and anomaly discovery method, device, equipment and storage medium
Technical Field
The invention belongs to the technical field of information security, and particularly relates to an enterprise privacy analysis and anomaly discovery method, device, equipment and storage medium.
Background
To ensure security, the distribution of enterprise data involves identification, and such stable communication between enterprises typically relies on certificate authentication. Each enterprise has its own Certificate Authority (CA), many enterprises use Public Key Infrastructure (PKI) based on the x.509 standard to implement SSL/TLS protocols and encryption techniques, and many typical network systems use PKI to protect data.
Two enterprises find the shared secret key through a secret key exchange protocol before establishing secure communication, and then use symmetric passwords for encrypted transmission. In this process, to prevent man-in-the-middle attacks, enterprises use digital certificates to protect public keys, which can only be mutually authenticated in the PKI infrastructure if they trust each other. Thus, secure communication between enterprises relies on trust with the CA.
In data monitoring and acquisition, there are some prior art methods: 1) The first n bytes of each branch are sampled using a sampling method to manage a large amount of snoop data. Since the x.509 certificates are exchanged in handshake messages at the beginning of TLS/SSL connection establishment, sufficient interception data can be collected. 2) The intrusion detection and protocol resolution system Bro is adopted as a TLS/SSL processing tool to carry out monitoring operation. Bro is a flow analysis tool with powerful open source function, and is mainly used for protocol analysis, anomaly detection, behavior analysis and the like. 3) With the dynamic protocol identification function of the Bro, the port can independently identify TLS/SSL, thereby obtaining information of the certificate. 4) The run is monitored by recording the start-up of each observed bi-directional stream and writing all packets of samples, one file per sample, to disk. When the current file reaches 10GB, a new file is started. After the dump file is completed, the TLS/SSL connection will be extracted offline.
In x.509 certificates, the Certificate Authority (CA) of the corporation verifies the identity and public key of other entities. The CA must perform a limited identity check before issuing the certificate. However, these internal CA operations are difficult to evaluate from the outside, so the user must have confidence in the CA's function. Variables such as carelessness and malicious intent may raise security concerns because the intermediate processes require personnel to operate. Communication between enterprises will generate a large amount of certificate traffic data, and because problems occurring in the CA are difficult to find by people, abnormal situations and illegal actions may occur in the case of formally issuing the certificates. In addition, in the process of using the conventional certificate, sensitive information of enterprises may be revealed. For example, credential data traffic in a smart grid may expose important nodes and current security management levels of a grid-related network, resulting in leakage of enterprise privacy. Therefore, in the existing grid-related network, a detection scheme for privacy disclosure and abnormal data problems which may occur is lacking.
Disclosure of Invention
In order to solve the problems in the prior art, the invention provides an enterprise privacy analysis and anomaly discovery method, device, equipment and storage medium. The technical problems to be solved by the invention are realized by the following technical scheme:
the embodiment of the invention provides an enterprise privacy analysis and anomaly discovery method, which comprises the following steps:
Collecting certificate traffic in a target network, capturing a handshake data packet from the certificate traffic, and taking the handshake data packet as a target file;
Sequentially extracting certificates, IP addresses and certificate chains of both parties of a session, and recording the relation between a handshake session id and the certificates and the relation between the handshake session id and the IP addresses in a target file in a target time period;
analyzing the certificate data in the certificate chain based on the relation between the handshake session id and the certificate and the relation between the handshake session id and the IP address;
And verifying the corresponding flow section according to the certificate data with the abnormal analysis, and confirming whether the corresponding flow section is abnormal according to the verification result.
In one embodiment of the present invention, collecting certificate traffic in a target network, and capturing a handshake packet from the certificate traffic, and taking the handshake packet as a target file, including:
Collecting certificate traffic in the target network with an quarantine collector and a Flume tool, and grabbing handshake data packets of a TLS/SSL connection from the certificate traffic with a Bro tool;
Sending the handshake data packet of the TLS/SSL connection to an aggregation server, wherein the aggregation server generates a file with a Kafka message queue from the handshake data packet of the TLS/SSL connection, and stores the file with the Kafka message queue as a PCAP file as the target file;
and storing the target file in the large database.
In one embodiment of the present invention, extracting the certificate, the IP address and the certificate chain of both parties of the session in order from the target file in the target time period, and recording the relationship between the handshake session id and the certificate, and the relationship between the handshake session id and the IP address, includes:
Reading PCAP files of the target time period from the catalogue of the large database;
Recording the number of encrypted transmissions by analyzing the session in the PCAP file of the target time period and extracting an encrypted transmission session according to the number of encrypted transmissions;
Extracting a certificate from the encrypted transmission session by using a pkcs tool of OpenSSL, and recording the relation between the handshake session id and the certificate in the large database; extracting IP addresses of both parties of the session from the encrypted transmission session by using a pkcs tool of OpenSSL, and recording the relation between the handshake session id and the IP address in the large database; a chain of certificates is extracted from the encrypted transport session using OpenSSL's pkcs tool.
In one embodiment of the present invention, analyzing the certificate data in the certificate chain based on the relationship between the handshake session id and the certificate, and the relationship between the handshake session id and the IP address, includes:
And analyzing the repetition frequency of the certificates among the plurality of hosts in the certificate chain, the validity of the certificates, the correctness of the host names, the public key attribute, the validity period of the certificates, the correctness of the intermediate certificates and the certificates of the certificate chain and the correctness of the serial numbers in the valid certificates based on the relation between the handshake session id and the certificates and the relation between the handshake session id and the IP addresses, and judging whether the certificate data are correct.
In one embodiment of the present invention, analyzing the repetition frequency of the certificates between the plurality of hosts in the certificate chain, the validity of the certificates, the correctness of the host names, the public key attribute, the validity period of the certificates, the correctness of the intermediate certificates and the certificate of the certificate chain, and the correctness of the serial numbers in the valid certificates, and judging whether the certificate data is correct, including:
Judging whether a plurality of hosts use the same certificate at the same time;
Judging whether an authentication process provided by the CA is correct, wherein the authentication process provided by the CA comprises whether the correct and complete storage certificate is pointed, whether the certificate is in a validity period and whether a signature is correct; verifying the identity verification chain and judging whether the identity verification chain is correct or not;
verifying whether the CN in the certificate entity corresponds to the host name of the server, and determining whether the certificate entity selection name is matched with the host name of the server;
analyzing the encryption algorithm, the key length and the key repeatability of the certificate;
judging whether the certificate is in the validity period or not;
Judging whether an issuing organization of the advanced CA certificate, the intermediate certificate and the low-grade certificate is correct or not;
The analysis server examines the serial numbers in the valid certificates and looks up the duplicate serial numbers issued by the same organization.
In one embodiment of the present invention, verifying an authentication chain, determining whether the authentication chain is correct, comprises:
and verifying the identity verification chain by using a verify tool in the OpenSSL library, and judging whether the identity verification chain is correct or not.
In one embodiment of the present invention, verifying a corresponding flow segment according to certificate data analyzed to be abnormal, and confirming whether the corresponding flow segment is abnormal according to a verification result, includes:
when abnormal certificate data are analyzed, returning an error code according to the fault reason of the abnormal certificate data, and verifying the corresponding abnormal flow section;
If verification is successful, the corresponding flow section is not abnormal, an authentication code of the handshake session id is set to be 1, and a verification record is recorded;
if the verification fails, the corresponding flow section is abnormal, and the handshake session id verification and the error code are saved.
Another embodiment of the present invention provides an apparatus for business privacy analysis and anomaly discovery, including:
The collecting module is used for collecting the certificate traffic in the target network, capturing a handshake data packet from the certificate traffic and taking the handshake data packet as a target file;
The extraction module is used for sequentially extracting the certificate, the IP address and the certificate chain of both sides of the session, and recording the relation between the handshake session id and the certificate and the relation between the handshake session id and the IP address in the target file in the target time period;
the analysis module is used for analyzing the certificate data in the certificate chain based on the relation between the handshake session id and the certificate and the relation between the handshake session id and the IP address;
And the verification module is used for verifying the corresponding flow section according to the certificate data with the abnormal analysis, and confirming whether the corresponding flow section is abnormal according to the verification result.
Yet another embodiment of the present invention provides an enterprise privacy analysis and anomaly discovery apparatus comprising a collector, a memory, and a processor, the memory storing a computer program, characterized in that,
The collector implements the following steps when executing the computer program: collecting certificate traffic in a target network, capturing a handshake data packet from the certificate traffic, and taking the handshake data packet as a target file;
the processor, when executing the computer program, performs the steps of: sequentially extracting certificates, IP addresses and certificate chains of both parties of a session, and recording the relation between a handshake session id and the certificates and the relation between the handshake session id and the IP addresses in a target file in a target time period; analyzing the certificate data in the certificate chain based on the relation between the handshake session id and the certificate and the relation between the handshake session id and the IP address; and verifying the corresponding flow section according to the certificate data with the abnormal analysis, and confirming whether the corresponding flow section is abnormal according to the verification result.
Yet another embodiment of the invention provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the method of any of the above-described method embodiments.
Compared with the prior art, the invention has the beneficial effects that:
The method of the invention extracts the certificate, the IP address and the certificate chain from the handshake data packet in the target time period, analyzes the data in the certificate chain, judges whether the data in the certificate chain is correct, then further verifies the corresponding flow period according to the abnormal certificate data, confirms whether the abnormality occurs according to the verification result, acquires the certificate information by the method of collecting and monitoring the flow data among enterprises, timely detects the abnormal certificate behaviors which are potentially dangerous, and after summarizing the harmful abnormal conditions in a period of time, the enterprises can modify the certificate authentication structure of the enterprises according to the data, increase the monitoring of the abnormal high-point flow in a specific time period, effectively identify the non-smooth nodes in the certificate authentication chain, gradually optimize the certificate authentication structure and adjust the whole certificate level, ensure the safe and uninterrupted operation of the enterprises, thereby ensuring the data and communication safety of the enterprises.
Drawings
Fig. 1 is a schematic flow chart of a certificate-based enterprise privacy analysis and anomaly discovery method according to an embodiment of the present invention;
FIG. 2 is a flowchart of another certificate-based enterprise privacy analysis and anomaly discovery method according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of an enterprise privacy analysis and anomaly discovery apparatus according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of an enterprise privacy analysis and anomaly discovery device according to an embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to specific examples, but embodiments of the present invention are not limited thereto.
Example 1
The embodiment provides a privacy analysis and anomaly detection method which can be realized in a power grid related network, and the method adopts an SSL/TLS protocol and an X.509 protocol as standards, and extracts effective certificate information by collecting certificate data flow and analyzing certificate data between enterprise networks. The method monitors and analyzes certificate data streams in a network, identifies suspected abnormal behavior and invalid certificates, and warns dangerous behavior. By monitoring the certificate data flow, the enterprise authentication framework and the business communication method can be improved, and leakage of enterprise privacy data is prevented.
Referring to fig. 1 and fig. 2, fig. 1 is a schematic flow chart of an enterprise privacy analysis and anomaly discovery method according to an embodiment of the present invention, and fig. 2 is a schematic flow chart of another enterprise privacy analysis and anomaly discovery method according to an embodiment of the present invention.
Taking the example that the system collects the certificate flow of the power grid related network in a week and performs abnormality detection, the enterprise privacy analysis and abnormality discovery method comprises the following steps:
s101, collecting certificate traffic in a target network, capturing a handshake data packet from the certificate traffic, and taking the handshake data packet as a target file.
Specifically, first, collecting certificate traffic in a target network by using an isolated collector and a jump tool; the handshake packets of the TLS/SSL connection are then grabbed from all of said certificate traffic using a Bro tool, because they contain the certificate data required for the analysis.
The handshake packets of the TLS/SSL connection are then sent to the aggregation server. Further, the aggregation server generates a file with a Kafka message queue from the handshake data packet of the TLS/SSL connection; specifically, since the number of handshake packets of the TLS/SSL connection is huge, kafka is used in the aggregation server to queue the handshake packets of the TLS/SSL connection, so as to prevent missing packets.
Then, the aggregation server saves the handshake data packet of the TLS/SSL connection, namely the file with the Kafka message queue, as a PCAP file to be a target file; and further saves the target file in a large database.
S102, sequentially extracting certificates, IP addresses of both sides of the session and certificate chains from the target file in the target time period, and recording the relation between the handshake session id and the certificates and the relation between the handshake session id and the IP addresses.
Specifically, the certificate extraction includes: reading a PCAP file of a target time period from a catalog of the large database according to the target time period designated by a user; recording the number of encrypted transmissions by analyzing the session in the PCAP file of the target time period and extracting an encrypted transmission session according to the number of encrypted transmissions; certificates are then extracted from the encrypted transport session using OpenSSL's pkcs tool and the relationship of the handshake session id and certificate is recorded in the large database.
The address extraction includes: reading a PCAP file of a target time period from a catalog of the large database according to the target time period designated by a user; recording the number of encrypted transmissions by analyzing the session in the PCAP file of the target time period and extracting an encrypted transmission session according to the number of encrypted transmissions; and then extracting the IP addresses of both parties of the session from the encrypted transmission session by using a pkcs tool of OpenSSL, and recording the relation between the handshake session id and the IP address in the large database.
Certificate chain extraction includes: reading a PCAP file of a target time period from a catalog of the large database according to the target time period designated by a user; recording the number of encrypted transmissions by analyzing the session in the PCAP file of the target time period and extracting an encrypted transmission session according to the number of encrypted transmissions; certificate chains are then extracted from the encrypted transport session using the pkcs tool of OpenSSL.
S103, analyzing the certificate data in the certificate chain based on the relation between the handshake session id and the certificate and the relation between the handshake session id and the IP address.
Specifically, based on the relationship between the handshake session id and the certificate and the relationship between the handshake session id and the IP address, analysis, authentication and negotiation are performed on the repetition frequency of the certificates between the plurality of hosts in the certificate chain, the validity of the certificates, the correctness of the host names, the public key attribute, the correctness of the intermediate certificates and the certificates of the authentication chain, and the correctness of the serial numbers in the valid certificates, so as to judge whether the certificate data are correct.
The repetition frequency analysis of certificates between a plurality of hosts includes: it is determined whether the same certificate is used by multiple hosts at the same time. In particular, if the certificate is used on multiple physical devices, the attack surface may rise because the private key must also be kept with the public key. Therefore, it is necessary to check the frequency of certificate repetition between a plurality of hosts. Although the probability that a plurality of hosts use the same certificate at the same time is very small, it is necessary to judge whether or not a plurality of hosts use the same certificate at the same time to exclude such possibility.
Analyzing the validity of the certificate includes: and judging whether the authentication process provided by the CA is correct or not, and verifying the identity verification chain to judge whether the identity verification chain is correct or not. In particular, one of the elements that determines whether a company accepts a correct certificate is whether the authentication process provided by the CA is correct, i.e. whether it points to a correct and complete stored certificate, whether the certificate has not expired (whether the certificate is within the validity period), and whether all signatures are correct. In addition, verifying the identity verification chain by using a verify tool in the OpenSSL library, and judging whether the identity verification chain is correct or not; once the validation chain has a problem, the scenario may issue relevant alerts to enterprise users.
The correctness analysis of the hostname includes: verifying whether the CN in the certificate entity corresponds to the host name of the server, and determining whether the certificate entity selection name matches the host name of the server. Specifically, in x.509, the entity must have a unique distinguished name (DIFFERENT NAME, DN); the sequence number contains CN (Common Name, CN); typically the domain name will appear in the CN or certificate entity select name (Subject ALTERNATIVE NAME, SAN), so it is necessary to verify if the CN in the certificate entity corresponds to the server's hostname and then determine if the SAN matches the server's hostname. Certificates with a valid chain that matches a CN or SAN are considered "completely legitimate".
Analyzing the public key attributes includes: and (5) analyzing the encryption algorithm, the key length and the key repeatability of the certificate. In particular, the encryption algorithm used in the certificate has to be complex and the length of the key has to be appropriate, not allowing the certificate holder to set a relatively simple public key, so that the security requirements are met and the performance is optimal. Otherwise, the attacker may destroy the certificate. Furthermore, if the certificate owners differ, there should not be any duplicate keys between certificates; once the same public key appears, the CA must be modified.
Analyzing the validity period of the certificate includes: and judging whether the certificate is in the validity period or not. Specifically, the certificates contain respective expiration dates, and expired certificates cannot be identified. Advances in encryption technology and hardware computer capabilities may result in the certificate being cracked if the certificate is issued for too long. To ensure the authority of the certification, legal units exceeding the validity period should issue new certificates in time.
Analyzing the correctness of the intermediate certificate and the authentication chain certificate includes: and judging whether the issuing authorities of the advanced CA certificate, the intermediate certificate and the low-level certificate are correct. In particular, when a high-level CA authenticates a low-level CA, the low-level CA may suffer from a number of limitations. For example, when the path length is set to 0, the lower-level CA is permitted to issue only the leaf certificate, and is not permitted to issue the intermediate CA certificate. The lower level CA is granted rights by the higher level CA, but no further authorization is allowed.
Analyzing the correctness of the serial number in the valid certificate includes: the analysis server checks the serial number in the valid certificate and looks up the duplicate serial number issued by the same authority. If the SSL/TLS implementation cannot identify the extended sequence number designated as critical, the certificate must be rejected. Furthermore, invalid extension values given by certificates with known non-critical extensions but with grammatically accurate values must be rejected.
In addition, the certificates in the certificate chain of the present embodiment use a combined signature algorithm of MD5 and RSA. In particular, as the computing power of the hardware equipment is greatly improved, the hash algorithms such as MD5, SHA256 and the like are more and more vulnerable to attack, and the security of the hash algorithms is increasingly weakened. The combination of MD5 and RSA is used for signing, so that the complexity of signing can be increased, the security of signing is improved, and the integrity of a certificate is further protected.
S104, verifying the corresponding flow section according to the certificate data with the abnormal analysis, and confirming whether the corresponding flow section is abnormal according to the verification result.
Specifically, when any one of the repetition frequency of the certificate, the validity of the certificate, the correctness of the host name, the public key attribute, the signature algorithm of the certificate, the validity period of the certificate, the correctness of the intermediate certificate and the certificate of the certificate chain, and the correctness of the serial number in the valid certificate among the plurality of hosts is abnormal, the abnormal certificate data is obtained.
Further, when the abnormal certificate data is analyzed, an error code is returned according to the fault reason of the abnormal certificate data, and the system starts to verify the corresponding abnormal flow section. If verification is successful, no abnormality occurs in the corresponding flow section, the authentication code of the handshake session id is set to be 1, authentication is passed, and the verification record is recorded in the large database. If verification fails, the corresponding flow section is abnormal, the handshake session id verification is stored in a large database, and meanwhile, the related error codes are also stored in the database.
Through detection, collection and analysis for one week, the abnormal error proportion of the whole certificate authentication chain is found to be high. A secure and efficient authentication process is a prerequisite for commercial communication between systems. The method of the embodiment can be applied to a power grid system network, can identify abnormal conditions of the authentication link in the flow, and then helps to improve the enterprise certificate verification flow and environment according to the abnormal data conditions. From the application performance of the method of the embodiment, the scheme can detect abnormal flow data in the power grid system and take corresponding processing measures. And meanwhile, the enterprise authentication scheme and the business communication method are modified by monitoring the certificate data, so that enterprise privacy data and secrets are prevented from being revealed.
In summary, the method of the embodiment extracts the certificate, the IP address and the certificate chain from the handshake data packet in the target time period, analyzes the data in the certificate chain, judges whether the data in the certificate chain is correct, further verifies the corresponding traffic segment according to the abnormal certificate data, and confirms whether the abnormality occurs according to the verification result.
Example two
Referring to fig. 3, fig. 3 is a schematic structural diagram of an enterprise privacy analysis and anomaly discovery device according to an embodiment of the present invention. As shown in fig. 3, the enterprise privacy analysis and anomaly discovery apparatus 300 includes:
The collecting module 301 is configured to collect a credential traffic in a target network, grab a handshake packet from the credential traffic, and take the handshake packet as a target file;
The extracting module 302 is configured to sequentially extract, in a target file in a target time period, a certificate, an IP address and a certificate chain of both parties of a session, and record a relationship between a handshake session id and the certificate, and a relationship between the handshake session id and the IP address;
an analysis module 303, configured to analyze certificate data in the certificate chain based on a relationship between the handshake session id and a certificate and a relationship between the handshake session id and an IP address;
and the verification module 304 is configured to verify the corresponding flow segment according to the certificate data analyzed to be abnormal, and confirm whether the corresponding flow segment is abnormal according to the verification result.
In a specific embodiment, the collecting module 301 is specifically configured to collect, using an isolated collector and a Flume tool, certificate traffic in the target network, and use a Bro tool to grab handshake packets of a TLS/SSL connection from the certificate traffic; sending the handshake data packet of the TLS/SSL connection to an aggregation server, wherein the aggregation server generates a file with a Kafka message queue from the handshake data packet of the TLS/SSL connection, and stores the file with the Kafka message queue as a PCAP file as the target file; and storing the target file in a large database.
In a specific embodiment, the extracting module 302 is specifically configured to read the PCAP file of the target period from the directory of the large database; recording the number of encrypted transmissions by analyzing the session in the PCAP file of the target time period and extracting an encrypted transmission session according to the number of encrypted transmissions; extracting a certificate from the encrypted transmission session by using a pkcs tool of OpenSSL, and recording the relation between the handshake session id and the certificate in the large database; extracting IP addresses of both parties of the session from the encrypted transmission session by using a pkcs tool of OpenSSL, and recording the relation between the handshake session id and the IP address in the large database; a chain of certificates is extracted from the encrypted transport session using OpenSSL's pkcs tool.
In a specific embodiment, the analysis module 303 is specifically configured to analyze, based on the relationship between the handshake session id and the certificate and the relationship between the handshake session id and the IP address, the repetition frequency of the certificate between the plurality of hosts in the certificate chain, the validity of the certificate, the correctness of the host name, the public key attribute, the validity period of the certificate, the correctness of the intermediate certificate and the certificate of the certificate chain, and the correctness of the serial number in the valid certificate, and determine whether the certificate data is correct.
Further, analyzing the repetition frequency of the certificates between the plurality of hosts in the certificate chain, the validity of the certificates, the correctness of the host names, the public key attribute, the validity period of the certificates, the correctness of the intermediate certificates and the certificate of the certificate chain, and the correctness of the serial numbers in the valid certificates, and judging whether the certificate data are correct, including: judging whether a plurality of hosts use the same certificate at the same time; judging whether an authentication process provided by the CA is correct, wherein the authentication process provided by the CA comprises whether the correct and complete storage certificate is pointed, whether the certificate is in a validity period and whether a signature is correct; verifying the identity verification chain and judging whether the identity verification chain is correct or not; verifying whether the CN in the certificate entity corresponds to the host name of the server, and determining whether the certificate entity selection name is matched with the host name of the server; analyzing the encryption algorithm, the key length and the key repeatability of the certificate; judging whether the certificate is in the validity period or not; judging whether an issuing organization of the advanced CA certificate, the intermediate certificate and the low-grade certificate is correct or not; the analysis server examines the serial numbers in the valid certificates and looks up the duplicate serial numbers issued by the same organization.
In one embodiment, the verification chain is verified using a verify tool in the OpenSSL library to determine if the verification chain is correct.
In a specific embodiment, the verification module 304 is specifically configured to, when analyzing abnormal certificate data, return an error code according to a failure cause of the abnormal certificate data, and verify a corresponding traffic segment in which the abnormality occurs; if verification is successful, the corresponding flow section is not abnormal, the authentication code of the handshake session id is set to be 1, and a verification record is recorded in the large database; if the verification fails, the corresponding flow section is abnormal, and the handshake session id verification and the error code are saved.
The enterprise privacy analysis and anomaly discovery device provided in this embodiment may execute the above method embodiment, and its implementation principle and technical effects are similar, and are not described herein.
Example III
Referring to fig. 4, fig. 4 is a schematic structural diagram of an enterprise privacy analysis and anomaly discovery device according to an embodiment of the present invention. As shown in fig. 4, the enterprise privacy analysis and anomaly discovery apparatus 400 includes a collector 401, a memory 402, and a processor 403, the memory 402 storing a computer program.
The collector 401, when executing the computer program, performs the following steps: collecting certificate traffic in a target network, grabbing a handshake data packet from the certificate traffic, and taking the handshake data packet as a target file.
The processor 403, when executing the computer program, performs the following steps: sequentially extracting certificates, IP addresses and certificate chains of both parties of a session, and recording the relation between a handshake session id and the certificates and the relation between the handshake session id and the IP addresses in a target file in a target time period; analyzing the certificate data in the certificate chain based on the relation between the handshake session id and the certificate and the relation between the handshake session id and the IP address; and verifying the corresponding flow section according to the certificate data with the abnormal analysis, and confirming whether the corresponding flow section is abnormal according to the verification result.
The enterprise privacy analysis and anomaly discovery device provided in this embodiment may execute the above method embodiment, and its implementation principle and technical effects are similar, and are not described herein.
Example IV
The present embodiment provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of:
Collecting certificate traffic in a target network, capturing a handshake data packet from the certificate traffic, and taking the handshake data packet as a target file;
Sequentially extracting certificates, IP addresses and certificate chains of both parties of a session, and recording the relation between a handshake session id and the certificates and the relation between the handshake session id and the IP addresses in a target file in a target time period;
analyzing the certificate data in the certificate chain based on the relation between the handshake session id and the certificate and the relation between the handshake session id and the IP address;
And verifying the corresponding flow section according to the certificate data with the abnormal analysis, and confirming whether the corresponding flow section is abnormal according to the verification result.
The enterprise privacy analysis and anomaly discovery device provided in this embodiment may execute the above method embodiment, and its implementation principle and technical effects are similar, and are not described herein.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein. The scheme in the embodiment of the application can be realized by adopting various computer languages, such as object-oriented programming language Java, an transliteration script language JavaScript and the like.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. It is therefore intended that the following claims be interpreted as including the preferred embodiments and all such alterations and modifications as fall within the scope of the application.
It will be apparent to those skilled in the art that various modifications and variations can be made to the present application without departing from the spirit or scope of the application. Thus, it is intended that the present application also include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.
The foregoing is a further detailed description of the invention in connection with the preferred embodiments, and it is not intended that the invention be limited to the specific embodiments described. It will be apparent to those skilled in the art that several simple deductions or substitutions may be made without departing from the spirit of the invention, and these should be considered to be within the scope of the invention.

Claims (10)

1. The enterprise privacy analysis and anomaly discovery method is characterized by comprising the following steps:
Collecting certificate traffic in a target network, capturing a handshake data packet from the certificate traffic, and taking the handshake data packet as a target file;
Sequentially extracting certificates, IP addresses and certificate chains of both parties of a session, and recording the relation between a handshake session id and the certificates and the relation between the handshake session id and the IP addresses in a target file in a target time period;
analyzing the certificate data in the certificate chain based on the relation between the handshake session id and the certificate and the relation between the handshake session id and the IP address;
And verifying the corresponding flow section according to the certificate data with the abnormal analysis, and confirming whether the corresponding flow section is abnormal according to the verification result.
2. The enterprise privacy analysis and anomaly discovery method of claim 1, wherein collecting credential traffic in a target network, and crawling handshake packets from the credential traffic, taking the handshake packets as target files, comprises:
Collecting certificate traffic in the target network with an quarantine collector and a Flume tool, and grabbing handshake data packets of a TLS/SSL connection from the certificate traffic with a Bro tool;
Sending the handshake data packet of the TLS/SSL connection to an aggregation server, wherein the aggregation server generates a file with a Kafka message queue from the handshake data packet of the TLS/SSL connection, and stores the file with the Kafka message queue as a PCAP file as the target file;
and storing the target file in a large database.
3. The enterprise privacy analysis and anomaly discovery method according to claim 2, wherein sequentially extracting the certificate, the IP address and the certificate chain of both parties of the session, and recording the relationship between the handshake session id and the certificate, and the relationship between the handshake session id and the IP address in the target file within the target time period, comprises:
Reading PCAP files of the target time period from the catalogue of the large database;
Recording the number of encrypted transmissions by analyzing the session in the PCAP file of the target time period and extracting an encrypted transmission session according to the number of encrypted transmissions;
Extracting a certificate from the encrypted transmission session by using a pkcs tool of OpenSSL, and recording the relation between the handshake session id and the certificate in the large database; extracting IP addresses of both parties of the session from the encrypted transmission session by using a pkcs tool of OpenSSL, and recording the relation between the handshake session id and the IP address in the large database; a chain of certificates is extracted from the encrypted transport session using OpenSSL's pkcs tool.
4. The enterprise privacy analysis and anomaly discovery method of claim 1, wherein analyzing the certificate data in the certificate chain based on the relationship of the handshake session id and the certificate, the relationship of the handshake session id and the IP address, comprises:
And analyzing the repetition frequency of the certificates among the plurality of hosts in the certificate chain, the validity of the certificates, the correctness of the host names, the public key attribute, the validity period of the certificates, the correctness of the intermediate certificates and the certificates of the certificate chain and the correctness of the serial numbers in the valid certificates based on the relation between the handshake session id and the certificates and the relation between the handshake session id and the IP addresses, and judging whether the certificate data are correct.
5. The method for analyzing the privacy of enterprises and discovering anomalies according to claim 4, wherein analyzing the repetition frequency of certificates between a plurality of hosts in the certificate chain, the validity of the certificates, the correctness of the host names, the public key attribute, the validity period of the certificates, the correctness of the intermediate certificates and the certificates of the certificate chain, and the correctness of the serial numbers in the valid certificates, and judging whether the certificate data are correct, includes:
Judging whether a plurality of hosts use the same certificate at the same time;
Judging whether an authentication process provided by the CA is correct, wherein the authentication process provided by the CA comprises whether the correct and complete storage certificate is pointed, whether the certificate is in a validity period and whether a signature is correct; verifying the identity verification chain and judging whether the identity verification chain is correct or not;
verifying whether the CN in the certificate entity corresponds to the host name of the server, and determining whether the certificate entity selection name is matched with the host name of the server;
analyzing the encryption algorithm, the key length and the key repeatability of the certificate;
judging whether the certificate is in the validity period or not;
Judging whether an issuing organization of the advanced CA certificate, the intermediate certificate and the low-grade certificate is correct or not;
The analysis server examines the serial numbers in the valid certificates and looks up the duplicate serial numbers issued by the same organization.
6. The method of claim 5, wherein verifying the authentication chain and determining whether the authentication chain is correct comprises:
and verifying the identity verification chain by using a verify tool in the OpenSSL library, and judging whether the identity verification chain is correct or not.
7. The enterprise privacy analysis and anomaly discovery method of claim 1, wherein verifying the corresponding traffic segment based on the certificate data analyzed for anomalies, and determining whether the corresponding traffic segment is anomalous based on the verification result, comprises:
when abnormal certificate data are analyzed, returning an error code according to the fault reason of the abnormal certificate data, and verifying the corresponding abnormal flow section;
If verification is successful, the corresponding flow section is not abnormal, an authentication code of the handshake session id is set to be 1, and a verification record is recorded;
if the verification fails, the corresponding flow section is abnormal, and the handshake session id verification and the error code are saved.
8. An enterprise privacy analysis and anomaly discovery apparatus, comprising:
The collecting module is used for collecting the certificate traffic in the target network, capturing a handshake data packet from the certificate traffic and taking the handshake data packet as a target file;
The extraction module is used for sequentially extracting the certificate, the IP address and the certificate chain of both sides of the session, and recording the relation between the handshake session id and the certificate and the relation between the handshake session id and the IP address in the target file in the target time period;
the analysis module is used for analyzing the certificate data in the certificate chain based on the relation between the handshake session id and the certificate and the relation between the handshake session id and the IP address;
And the verification module is used for verifying the corresponding flow section according to the certificate data with the abnormal analysis, and confirming whether the corresponding flow section is abnormal according to the verification result.
9. An enterprise privacy analysis and anomaly discovery apparatus comprising a collector, a memory and a processor, the memory storing a computer program, characterized in that,
The collector implements the following steps when executing the computer program: collecting certificate traffic in a target network, capturing a handshake data packet from the certificate traffic, and taking the handshake data packet as a target file;
the processor, when executing the computer program, performs the steps of: sequentially extracting certificates, IP addresses and certificate chains of both parties of a session, and recording the relation between a handshake session id and the certificates and the relation between the handshake session id and the IP addresses in a target file in a target time period; analyzing the certificate data in the certificate chain based on the relation between the handshake session id and the certificate and the relation between the handshake session id and the IP address; and verifying the corresponding flow section according to the certificate data with the abnormal analysis, and confirming whether the corresponding flow section is abnormal according to the verification result.
10. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any of claims 1 to 7.
CN202311615606.1A 2023-05-25 2023-11-28 Enterprise privacy analysis and anomaly discovery method, device, equipment and storage medium Pending CN118368080A (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202310597624.5A CN116980175A (en) 2023-05-25 2023-05-25 Enterprise privacy analysis and anomaly discovery method, device, equipment and storage medium
CN2023105976245 2023-05-25

Publications (1)

Publication Number Publication Date
CN118368080A true CN118368080A (en) 2024-07-19

Family

ID=88480458

Family Applications (2)

Application Number Title Priority Date Filing Date
CN202310597624.5A Withdrawn CN116980175A (en) 2023-05-25 2023-05-25 Enterprise privacy analysis and anomaly discovery method, device, equipment and storage medium
CN202311615606.1A Pending CN118368080A (en) 2023-05-25 2023-11-28 Enterprise privacy analysis and anomaly discovery method, device, equipment and storage medium

Family Applications Before (1)

Application Number Title Priority Date Filing Date
CN202310597624.5A Withdrawn CN116980175A (en) 2023-05-25 2023-05-25 Enterprise privacy analysis and anomaly discovery method, device, equipment and storage medium

Country Status (1)

Country Link
CN (2) CN116980175A (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117614694B (en) * 2023-11-27 2024-06-25 陕西华春网络科技股份有限公司 Identity authentication-based bidding method
CN117978460B (en) * 2024-01-12 2024-07-09 江苏网擎信息技术有限公司 Network information security defense detection system

Also Published As

Publication number Publication date
CN116980175A (en) 2023-10-31

Similar Documents

Publication Publication Date Title
Huang et al. Analyzing forged SSL certificates in the wild
Jarmoc et al. SSL/TLS interception proxies and transitive trust
Dehalwar et al. Blockchain-based trust management and authentication of devices in smart grid
CN118368080A (en) Enterprise privacy analysis and anomaly discovery method, device, equipment and storage medium
CN110198297B (en) Flow data monitoring method and device, electronic equipment and computer readable medium
CN114598540A (en) Access control system, method, device and storage medium
US11025612B2 (en) Intelligent certificate discovery in physical and virtualized networks
US20170026184A1 (en) Detection of fraudulent digital certificates
CN117313122A (en) Data sharing and exchanging management system based on block chain
WO2001033359A1 (en) Netcentric computer security framework
Zhang et al. Kingfisher: Unveiling insecurely used credentials in iot-to-mobile communications
Kotsiuba et al. Basic forensic procedures for cyber crime investigation in smart grid networks
Zhang et al. A systematic approach to formal analysis of QUIC handshake protocol using symbolic model checking
Volarević et al. Network forensics
Li et al. Unveiling SSL/TLS MITM hosts in the wild
Al-Ayed et al. Synopsis of security: using Kerberos method to secure file transfer sessions
Koshy et al. Privacy Leaks Via SNI and Certificate Parsing
Ma Understanding the trust relationships of the web PKI
Monteiro et al. An authentication and validation mechanism for analyzing syslogs forensically
US12063237B2 (en) Methods for tracing malicious endpoints in direct communication with application back ends using TLS fingerprinting techniques
Damasco Jr et al. Safeguarding Transactional Data: A Comprehensive Investigation of VPN Integration in Point-of-Sale Systems for Enhanced Security and Connectivity
Hoogstraaten et al. Black Tulip
Yin et al. Certificate-based Enterprise Privacy Analysis and Anomaly Discovery
Rajendran Enhance MITM attack detection with response time in Secure web communication
Korhonen Outbound SSL/TLS decryption: Security impact of SSL/TLS interception

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination