Method and device for detecting counterfeit flow and electronic equipment

文档序号：1834650 发布日期：2021-11-12 浏览：2次中文

阅读说明：本技术 一种检测伪造流量的方法、装置及电子设备 (Method and device for detecting counterfeit flow and electronic equipment ) 是由徐静宇于海东于 2020-05-11 设计创作，主要内容包括：本发明提供了一种检测伪造流量的方法、装置及电子设备,其中,该方法包括：获取待处理的加密流量；根据密码套件特征判断加密流量中的握手消息是否异常,在握手消息异常时,确定加密流量为伪造流量；判断证书特征是否异常,在证书特征异常时,确定加密流量为伪造流量；根据证书特征判断握手消息是否异常,在握手消息异常时,确定加密流量为伪造流量；判断数据包特征是否异常,在数据包特征异常时,确定加密流量为伪造流量。通过本发明实施例提供的检测伪造流量的方法、装置及电子设备,从多个维度对加密流量进行检测,能够比较准确地检测出伪造流量,检测精度高；且该检测方式简单,不需要大量计算即可实现检测,检测效率高。(The invention provides a method, a device and electronic equipment for detecting counterfeit flow, wherein the method comprises the following steps: acquiring encryption flow to be processed; judging whether handshake messages in the encrypted flow are abnormal according to the characteristics of the password suite, and determining the encrypted flow as forged flow when the handshake messages are abnormal; judging whether the certificate characteristics are abnormal or not, and determining the encrypted flow as a forged flow when the certificate characteristics are abnormal; judging whether the handshake message is abnormal according to the certificate characteristics, and determining the encrypted flow as forged flow when the handshake message is abnormal; and judging whether the characteristics of the data packet are abnormal or not, and determining the encrypted flow as a forged flow when the characteristics of the data packet are abnormal. By the method, the device and the electronic equipment for detecting the counterfeit traffic, the encrypted traffic is detected from multiple dimensions, the counterfeit traffic can be detected more accurately, and the detection precision is high; the detection mode is simple, detection can be realized without a large amount of calculation, and the detection efficiency is high.)

1. A method of detecting counterfeit traffic, comprising:

acquiring encryption flow to be processed;

determining the characteristics of a password suite of the encrypted flow, judging whether handshake messages in the encrypted flow are abnormal according to the characteristics of the password suite, and determining the encrypted flow as counterfeit flow when the handshake messages are abnormal;

determining the certificate characteristics of the encrypted traffic, judging whether the certificate characteristics are abnormal or not, and determining the encrypted traffic as forged traffic when the certificate characteristics are abnormal; judging whether the handshake message is abnormal according to the certificate characteristics, and determining the encrypted flow as a forged flow when the handshake message is abnormal;

determining the data packet characteristics of the encrypted flow, judging whether the data packet characteristics are abnormal or not, and determining the encrypted flow as a forged flow when the data packet characteristics are abnormal.

2. The method of claim 1, wherein the determining whether the handshake message in the encrypted traffic is abnormal according to the cipher suite characteristics comprises:

judging whether handshake messages in the encrypted flow accord with protocol regulations or not according to the selected cipher suite type, and determining that the handshake messages are abnormal when the handshake messages do not accord with the protocol regulations; wherein the cipher suite type is a cipher suite feature.

3. The method of claim 1, wherein determining whether the credential characteristic is anomalous comprises:

extracting domain name feature CN features in the certificate features, judging whether a target port of the encrypted traffic is abnormal or not when the domain name features in the certificate features are matched with the domain name features of a known site set, and determining that the certificate features are abnormal when the target port is abnormal; and/or

And determining all certificates corresponding to the server address of the encrypted traffic, and determining that the certificate features are abnormal when the certificates corresponding to the server address contain a plurality of certificates belonging to the known site set.

4. The method of claim 1, wherein the determining whether the handshake message is abnormal according to the certificate characteristics comprises:

determining a cipher suite type selected by the encrypted traffic, determining whether the selected cipher suite type and the selected certificate type are matched, and determining that the handshake message is abnormal when the cipher suite type is not matched with the certificate type; wherein the certificate type is a certificate feature.

5. The method of claim 1, wherein said determining whether the packet characteristic is abnormal comprises:

determining a protocol header and a data packet length in the data packet characteristics;

determining that the data packet characteristic is abnormal when the protocol header is different from a standard protocol header of the selected protocol;

when the length of the data packet is inconsistent with the length attribute in the data packet, determining that the characteristic of the data packet is abnormal;

and determining that the characteristic of the data packet is abnormal when the lengths of a plurality of data packets are regular or the lengths of the plurality of data packets are the same.

6. The method of any of claims 1-5, further comprising, prior to the determining the certificate characteristic of the encrypted traffic:

determining whether the session of the encrypted flow is a new session according to the session identifier of the encrypted flow;

and when the session of the encrypted flow is not a new session, if the encrypted flow contains the certificate message, determining that the encrypted flow is a forged flow.

7. An apparatus for detecting counterfeit traffic, comprising:

the acquisition module is used for acquiring the encrypted flow to be processed;

the first processing module is used for determining the characteristics of a password suite of the encrypted flow, judging whether a handshake message in the encrypted flow is abnormal according to the characteristics of the password suite, and determining the encrypted flow as a forged flow when the handshake message is abnormal;

the second processing module is used for determining the certificate characteristics of the encrypted traffic, judging whether the certificate characteristics are abnormal or not, and determining the encrypted traffic as forged traffic when the certificate characteristics are abnormal; judging whether the handshake message is abnormal according to the certificate characteristics, and determining the encrypted flow as a forged flow when the handshake message is abnormal;

and the third processing module is used for determining the data packet characteristics of the encrypted flow, judging whether the data packet characteristics are abnormal or not, and determining the encrypted flow as a forged flow when the data packet characteristics are abnormal.

8. The apparatus of claim 7, further comprising a fourth processing module;

before the second processing module determines the certificate characteristics of the encrypted traffic, the fourth processing module is to:

determining whether the session of the encrypted flow is a new session according to the session identifier of the encrypted flow;

and when the session of the encrypted flow is not a new session, if the encrypted flow contains the certificate message, determining that the encrypted flow is a forged flow.

9. An electronic device comprising a bus, a transceiver, a memory, a processor and a computer program stored on the memory and executable on the processor, the transceiver, the memory and the processor being connected via the bus, characterized in that the computer program, when executed by the processor, implements the steps in the method of detecting fake traffic according to any of the claims 1 to 6.

10. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the method of detecting counterfeit traffic according to any one of claims 1 to 6.

Technical Field

The present invention relates to the field of traffic detection technologies, and in particular, to a method and an apparatus for detecting counterfeit traffic, an electronic device, and a computer-readable storage medium.

Background

At present, the global internet is trending towards a comprehensive encryption era. According to Gartner's prediction, over 80% of enterprise network traffic is encrypted, and more than half of the network malware will be hidden in the encrypted network traffic, i.e., more than half of the network malware will perform illegal or non-compliant operations based on the encrypted traffic. These malicious encrypted network traffic are generally detected by characteristics such as certificates and SNI (service Name Indication),

in the process of implementing the invention, the inventor finds that at least the following problems exist in the existing scheme:

the conventional detection is mainly performed by judging whether certificates and SNIs in network traffic are correct, but some high-level threats may forge SSL (Secure Sockets Layer)/TLS (Transport Layer Security protocol) protocols, that is, they may bypass the conventional detection by forging certificates and SNIs, even directly using public known certificates, and so on, so it is particularly critical to detect whether the SSL/TLS protocols are forged.

Disclosure of Invention

In order to solve the existing technical problem, embodiments of the present invention provide a method and an apparatus for detecting a fake traffic, an electronic device, and a computer-readable storage medium.

In a first aspect, an embodiment of the present invention provides a method for detecting fake traffic, including:

acquiring encryption flow to be processed;

In a second aspect, an embodiment of the present invention further provides an apparatus for detecting a counterfeit flow rate, including:

the acquisition module is used for acquiring the encrypted flow to be processed;

In a third aspect, an embodiment of the present invention provides an electronic device, including a bus, a transceiver, a memory, a processor, and a computer program stored on the memory and executable on the processor, where the transceiver, the memory, and the processor are connected via the bus, and the computer program, when executed by the processor, implements the steps in any of the above methods for detecting forged traffic.

In a fourth aspect, the present invention further provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps in the method for detecting counterfeit traffic described in any one of the above.

The method, the device, the electronic equipment and the computer readable storage medium for detecting the counterfeit traffic, provided by the embodiment of the invention, can be used for detecting the encrypted traffic from multiple dimensions such as the characteristics of a password suite, the characteristics of a certificate, the characteristics of a data packet and the like based on the normal characteristics of the encrypted traffic, so that the abnormal counterfeit traffic can be determined. In the embodiment, whether the handshake message is abnormal is judged according to the characteristics of the password suite and the certificate, and comprehensive judgment is carried out according to whether the characteristics of the certificate and the data packet are abnormal, so that the encrypted flow can be detected in a multi-dimensional and all-around manner, the forged flow can be detected accurately, and the detection precision is high; the detection mode is simple, detection can be realized without a large amount of calculation, and the detection efficiency is high.

Drawings

In order to more clearly illustrate the technical solutions in the embodiments or the background art of the present invention, the drawings required to be used in the embodiments or the background art of the present invention will be described below.

Fig. 1 is a flow chart illustrating a method for detecting counterfeit traffic according to an embodiment of the present invention;

fig. 2 shows a detailed flowchart of a method for detecting counterfeit traffic according to an embodiment of the present invention;

fig. 3 is a schematic structural diagram illustrating an apparatus for detecting counterfeit traffic according to an embodiment of the present invention;

fig. 4 shows a schematic structural diagram of an electronic device for performing a method for detecting counterfeit traffic according to an embodiment of the present invention.

Detailed Description

In the description of the embodiments of the present invention, it should be apparent to those skilled in the art that the embodiments of the present invention can be embodied as methods, apparatuses, electronic devices, and computer-readable storage media. Thus, embodiments of the invention may be embodied in the form of: entirely hardware, entirely software (including firmware, resident software, micro-code, etc.), a combination of hardware and software. Furthermore, in some embodiments, embodiments of the invention may also be embodied in the form of a computer program product in one or more computer-readable storage media having computer program code embodied in the medium.

The computer-readable storage media described above may take any combination of one or more computer-readable storage media. The computer-readable storage medium includes: an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination thereof. More specific examples of the computer-readable storage medium include: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only Memory (ROM), an erasable programmable read-only Memory (EPROM), a Flash Memory, an optical fiber, a compact disc read-only Memory (CD-ROM), an optical storage device, a magnetic storage device, or any combination thereof. In embodiments of the invention, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, device, or apparatus.

The computer program code embodied on the computer readable storage medium may be transmitted using any appropriate medium, including: wireless, wire, fiber optic cable, Radio Frequency (RF), or any suitable combination thereof.

Computer program code for carrying out operations for embodiments of the present invention may be written in assembly instructions, Instruction Set Architecture (ISA) instructions, machine related instructions, microcode, firmware instructions, state setting data, integrated circuit configuration data, or in one or more programming languages, including an object oriented programming language, such as: java, Smalltalk, C + +, and also include conventional procedural programming languages, such as: c or a similar programming language. The computer program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be over any of a variety of networks, including: a Local Area Network (LAN) or a Wide Area Network (WAN), which may be connected to the user's computer, may be connected to an external computer.

The method, the device and the electronic equipment are described through the flow chart and/or the block diagram.

It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer-readable program instructions. These computer-readable program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.

These computer-readable program instructions may also be stored in a computer-readable storage medium that can direct a computer or other programmable data processing apparatus to function in a particular manner. Thus, the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means which implement the function/act specified in the flowchart and/or block diagram block or blocks.

The computer readable program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus or other devices to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide processes for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.

The embodiments of the present invention will be described below with reference to the drawings.

Fig. 1 shows a flowchart of a method for detecting counterfeit traffic according to an embodiment of the present invention. As shown in fig. 1, the method includes:

step 101: and acquiring the encryption flow to be processed.

In the embodiment of the invention, when the acquired or intercepted network traffic is the encrypted traffic, the network traffic can be used as the encrypted traffic to be processed. The encrypted traffic is generated during communication between the client and the server, and specifically may be SSL/TLS encrypted traffic. The encrypted traffic generally includes handshake messages (e.g., ClientHello messages, ServerHello messages, etc.), and for a new session, also includes a certificate message issued by the server, where the certificate message includes information related to a certificate.

Step 102: and determining the characteristics of a password suite of the encrypted flow, judging whether handshake messages in the encrypted flow are abnormal according to the characteristics of the password suite, and determining the encrypted flow as forged flow when the handshake messages are abnormal.

In the embodiment of the present invention, the characteristics of the password suite are characteristics related to the password suite determined by the server, and specifically, the password suite used by the encrypted traffic may be determined based on a ServerHello message issued by the server. For different characteristics of the password suite, the client and the server adopt different handshake flows in a handshake stage, namely, handshake messages are not completely the same; if the characteristics of the cipher suite should correspond to the handshake message a, but the handshake message a is not included in the encrypted traffic or does not correspond to the handshake message a, it may be determined that the handshake message is abnormal, and it is determined that the encrypted traffic is an illegally-forged (Fake) traffic, that is, the network traffic is forged.

Optionally, the step 102 "determining whether the handshake message in the encrypted traffic is abnormal according to the characteristics of the cipher suite" includes: judging whether handshake messages in the encrypted flow accord with protocol regulations or not according to the selected cipher suite type, and determining that the handshake messages are abnormal when the handshake messages do not accord with the protocol regulations; wherein the cipher suite type is a cipher suite feature.

In the embodiment of the present invention, the cipher suite types include RSA-type cipher suites, DHE-type cipher suites, and the like. If the Server selects an RSA password suite, the Server cannot generate a Server Key Exchange message in a handshake phase; conversely, if the Server chooses to use a DHE-like cipher suite, the Server must send a Server Key Exchange message to complete the Key agreement. Therefore, if the cipher suite type of the encrypted traffic is an RSA-type cipher suite but the Server sends a Server Key Exchange message, it indicates that the handshake message of the encrypted traffic does not meet the protocol specification, and the handshake message is abnormal; similarly, if the cipher suite type of the encrypted traffic is a DHE-type cipher suite and the Server does not send a Server Key Exchange message, the handshake message is also abnormal, so that the encrypted traffic can be determined to be an illegal forged traffic.

Step 103: determining the certificate characteristics of the encrypted flow, judging whether the certificate characteristics are abnormal or not, and determining the encrypted flow as forged flow when the certificate characteristics are abnormal; and judging whether the handshake message is abnormal according to the certificate characteristics, and determining the encrypted flow as forged flow when the handshake message is abnormal.

In the embodiment of the present invention, as described above, the encrypted traffic includes the certificate message, the certificate feature of the encrypted traffic can be extracted based on the certificate message, the certificate feature specifically includes a domain name feature, a certificate type, and the like, and whether the encrypted traffic is counterfeit traffic can be determined based on one or more certificate features of the encrypted traffic. Optionally, the domain Name feature may include CommonName in certificate Subject and Subject Alternative Name in certificate extensions, which are referred to as CN feature and SAN feature in short, that is, the domain Name feature may include CN feature and SAN feature.

Specifically, if the certificate characteristics of the encrypted traffic are different from the standard certificate characteristics, it is determined that the certificate of the encrypted traffic is tampered, and it is determined that the encrypted traffic is counterfeit traffic. In addition, the flow of the handshake phase may also be different for different certificate characteristics, i.e., the handshake messages may also be different; if the handshake message corresponding to the certificate feature is inconsistent with the handshake message included in the encrypted traffic, it may be said that the handshake message in the encrypted traffic is abnormal, and the encrypted traffic is a fake traffic.

Step 104: determining the data packet characteristics of the encrypted flow, judging whether the data packet characteristics are abnormal or not, and determining the encrypted flow as the forged flow when the data packet characteristics are abnormal.

In the embodiment of the invention, a Data packet, namely Application Data (Application Data), is sent when the client and the server communicate, and whether the characteristics of the Data packet are abnormal or not is judged by extracting the characteristics of the Data packet, so that whether the encrypted flow is forged flow or not is determined. In this embodiment, the data packet characteristics include a protocol header and a data packet length, and the step of "determining whether the data packet characteristics are abnormal" includes:

step A1: the protocol header and the packet length in the packet characteristics are determined.

Step A2: and determining the characteristic exception of the data packet when the protocol header is different from the standard protocol header of the selected protocol.

In the embodiment of the invention, when the SSL/TLS protocol is in handshake, the ServerHello message can determine the final communication protocol version, such as TLS 1.1 or TLS 1.2; different protocol versions, the protocol header used in transferring the encrypted data is different, for example, the protocol header of the data packet corresponding to TLS 1.2 is 0x 0302. If the value of the protocol header does not match the final communication protocol version determined in the ServerHello message of the encrypted traffic, the packet characteristic abnormality of the encrypted traffic is indicated, and the encrypted traffic is fake traffic.

Step A3: and when the length of the data packet is inconsistent with the length attribute in the data packet, determining that the characteristics of the data packet are abnormal.

In the embodiment of the invention, for SSL/TLS flow, the 4 th byte and the 5 th byte of a data packet are Length (Length) attributes, and the Length attributes are used for identifying the actual Length of the data packet; if the actual length of the data packet does not accord with the length attribute contained in the data packet, the characteristic abnormity of the data packet can be also shown, namely the encrypted traffic is fake traffic.

Step A4: and determining the characteristic abnormality of the data packet when the lengths of a plurality of data packets are regular or the lengths of the plurality of data packets are the same.

In this embodiment, in a normal situation, the data packets sent by the encrypted traffic are irregular, that is, the length of the data packets is irregular. If the packet length of the encrypted traffic is regular, for example, the packet length is incremented according to an arithmetic progression, or the packet length is periodic (for example, the packet length is transmitted according to the mode of 2, 3, 2, 3), it indicates that the packet of the encrypted traffic is likely to be illegally tampered, and it can be determined that the packet is abnormal in characteristics, that is, the encrypted traffic is a fake traffic. Alternatively, if a plurality of packets of the encrypted traffic have the same length (in this case, it can be considered that the encrypted traffic has regularity), for example, if the number of packets having the same length is large or the ratio of the packets is large, it can be considered that the characteristics of the packets are abnormal, that is, the encrypted traffic is a fake traffic.

The method for detecting the counterfeit traffic, provided by the embodiment of the invention, is used for detecting the encrypted traffic from multiple dimensions such as the characteristics of a password suite, the characteristics of a certificate, the characteristics of a data packet and the like based on the normal characteristics of the encrypted traffic, so that the abnormal counterfeit traffic can be determined. In the embodiment, whether the handshake message is abnormal is judged according to the characteristics of the password suite and the certificate, and comprehensive judgment is carried out according to whether the characteristics of the certificate and the data packet are abnormal, so that the encrypted flow can be detected in a multi-dimensional and all-around manner, the forged flow can be detected accurately, and the detection precision is high; the detection mode is simple, detection can be realized without a large amount of calculation, and the detection efficiency is high.

On the basis of the above embodiment, in this embodiment, whether the certificate feature is abnormal is determined based on the domain name feature. Specifically, the step 103 of "determining whether the certificate feature is abnormal" includes:

step B1: and extracting domain name features in the certificate features, judging whether a destination port of the encrypted flow is abnormal or not when the domain name features in the certificate features are matched with the domain name features of the known site set, and determining that the certificate features are abnormal when the destination port is abnormal.

In the embodiment of the present invention, a Public Site Set (PSS) refers to a Set including a plurality of known sites, such as known sites of Google, Baidu, and the like. Since an illegitimate server will typically forge the certificate of a known site, the certificate characteristics in the encrypted traffic associated with the illegitimate server will be consistent with the certificate characteristics of the known site. In this embodiment, it is determined whether the encrypted traffic to be processed is the same as the traffic of the known site based on domain name features such as CN features and SAN features, if the encrypted traffic and the traffic of the known site are the same, the determination is continued based on the destination port, and if the destination port is not normal, it is determined that the encrypted traffic is the network traffic generated by the pseudo-known site, and the encrypted traffic is the fake traffic. For example, if the destination port of the general encrypted traffic is 443, and if the destination port of the encrypted traffic is not 443, it can be determined that the encrypted traffic is counterfeit traffic. In addition, those skilled in the art will understand that if the destination port is normal, it only indicates that the encrypted traffic passes the destination port detection in step B1, and cannot indicate that the encrypted traffic is necessarily legitimate normal traffic.

Alternatively, the determination may be made based on the certificate itself; specifically, the step 103 of "determining whether the certificate feature is abnormal" includes:

step B2: and determining all certificates corresponding to the server address of the encrypted flow, and determining that the certificate characteristics are abnormal when the certificates corresponding to the server address contain a plurality of certificates belonging to the known site set.

In the embodiment of the invention, as for a normal legal server, a plurality of X.509 certificates can be used, but a plurality of certificates belonging to a known site set cannot be contained; for example, a legitimate server will not contain both a certificate for Google and a certificate for Baidu. In this embodiment, all the certificates corresponding to the server address are determined based on the server address, and the server address is compared with the certificates of the known site set, so that whether the server address includes a plurality of certificates belonging to the known site set can be determined, if the server address includes a plurality of certificates belonging to the known site set, the certificate features are abnormal, and the corresponding encrypted traffic is counterfeit traffic. For example, a certain server address (specifically, an IP address) may return a certificate of Baidu or a certificate of Google, and the server address is abnormal, and encrypted traffic related to the server address is fake traffic.

Optionally, the present embodiment may also determine according to whether the certificate type and the password suite type are matched. Specifically, the step 103 of "determining whether the handshake message is abnormal according to the certificate characteristics" includes: determining the type of the selected cipher suite of the encrypted flow, determining whether the type of the selected cipher suite is matched with the type of the selected certificate, and determining that the handshake message is abnormal when the type of the cipher suite is not matched with the type of the certificate; wherein the certificate type is a certificate feature.

In the embodiment of the present invention, during handshaking, the SSL/TLS protocol selects different types of cipher suites to correspond to different types of certificates, for example, an RSA-type cipher suite must correspond to an RSA (the name of the Algorithm is named as the name of the inventor: Ron Rivest, Adi Shamir, and Leonard Adleman) certificate, an ECDSA (Elliptic Curve Digital Signature Algorithm) -type cipher suite must correspond to an ECC (Elliptic Curve Cryptography) certificate, and otherwise, key agreement cannot be completed. In this embodiment, if the cipher suite type and the certificate type selected by the encrypted traffic are not matched, it may be indicated that the handshake message is abnormal, that is, the encrypted traffic is counterfeit traffic.

Optionally, before "determining the certificate characteristic of the encrypted traffic" in step 103, the method further includes:

step C1: and determining whether the session of the encrypted flow is a new session according to the session identification of the encrypted flow.

Step C2: and when the session of the encrypted flow is not a new session, if the encrypted flow contains the certificate message, determining that the encrypted flow is a forged flow.

In the embodiment of the present invention, whether the Session corresponding to the encrypted traffic is a new Session may be determined according to whether the Session identifier (Session ID) of the encrypted traffic is new. If the session of the encrypted flow is not a new session, the session of the encrypted flow is a recovery session, and based on SSL/TLS protocol, complete handshake cannot be performed when the session is successfully recovered, and certificate information cannot be generated; if the encrypted traffic contains the certificate message, the encrypted traffic can be determined to be fake traffic, and the certificate feature does not need to be extracted from the certificate message at this time, so that the processing efficiency can be improved.

The method for detecting the forged flow provided by the embodiment of the invention is used for detecting the encrypted flow from multiple dimensions based on multiple detection indexes, so that accurate detection is realized. During the process of detecting certain encrypted flow, the encrypted flow can be sequentially detected based on a plurality of detection indexes, and when the encrypted flow does not accord with the current detection index, the encrypted flow can be proved to be a forged flow; if the encryption flow accords with the current detection index, the encryption index can only be proved to pass the current detection index, and the next judgment is needed to be carried out. In particular, the method for detecting counterfeit traffic can be seen in fig. 2. As shown in fig. 2, the method includes:

step 201: and acquiring the encrypted flow to be processed, and determining the session identifier of the encrypted flow.

Step 202: and judging whether the session of the encrypted flow is a new session or not according to the session identifier, if not, continuing to step 203, and if so, continuing to step 204.

Step 203: and judging whether the encrypted flow contains the certificate message, if not, continuing to step 204, otherwise, continuing to step 213.

In this embodiment, if the encrypted traffic does not include the certificate message, it indicates that the encrypted traffic passes the current round of detection, and needs to be further determined based on other indicators subsequently; if the encrypted traffic contains the certificate message, it can be determined that the encrypted traffic is counterfeit traffic.

Step 204: and judging whether the encrypted flow is matched with the domain name characteristics of the known site set, if so, continuing to step 205, otherwise, continuing to step 206.

Step 205: and judging whether the destination port of the encrypted traffic is abnormal, if the destination port is not abnormal, continuing to step 206, otherwise, continuing to step 213.

Before step 204, all certificate features of the encrypted traffic may be extracted, or only the domain name features may be extracted, and when other parts (such as the certificate type) in the certificate features need to be determined, the extraction is performed.

Step 206: and judging whether the characteristics of the cipher suite are matched with the handshake messages in the encrypted flow, if so, continuing to step 207, otherwise, continuing to step 213.

In the embodiment of the invention, if the cipher suite type of the encrypted flow is RSA cipher suite, whether the Server sends a Server Key Exchange message is judged, and if the Server sends the Server Key Exchange message, the handshake message of the encrypted flow is not in accordance with the protocol regulation, and the encrypted flow is forged flow. If the type of the cipher suite of the encrypted traffic is a DHE type cipher suite, it is also necessary to determine whether the Server sends a Server Key Exchange message, and conversely, if the Server does not send a Server Key Exchange message, the handshake message is also abnormal, so that the encrypted traffic can be determined to be illegal forged traffic.

Step 207: and judging whether the selected password suite type is matched with the certificate type, if so, continuing to step 208, otherwise, continuing to step 213.

Step 208: and judging whether the protocol header is the same as the standard protocol header of the selected protocol, if so, continuing to the step 209, otherwise, continuing to the step 213.

In the method of determining by comparing the protocol headers, it is also compared whether the protocol headers of the data packets correspond to the TLS version number, that is, the TLS version number of the data packets may also be checked.

Step 209: and judging whether the length of the data packet is consistent with the length attribute in the data packet, if so, continuing to step 210, otherwise, continuing to step 213.

Step 210: and determining whether the certificate corresponding to the encrypted traffic contains a plurality of certificates belonging to the set of known sites, if not, continuing to step 211, otherwise, continuing to step 213.

Step 211: and counting to judge whether the length of the data packet is abnormal, if not, continuing to step 212, otherwise, continuing to step 213.

Step 212: the encrypted traffic is normal traffic.

Step 213: the encrypted traffic is fake traffic.

In the embodiment of the present invention, the detection index includes a password suite feature, a certificate feature, and a data packet feature, and specifically includes: the detection order of each detection index can be adjusted properly, and fig. 2 only shows one detection order. In addition, the detection process of the destination port can be executed when the encrypted traffic is matched with the domain name characteristics of the known site set, and the detection of the destination port can also be directly carried out.

The method for detecting counterfeit traffic according to the embodiment of the present invention is described in detail above with reference to fig. 1 to 2, and the method can also be implemented by a corresponding apparatus, and the apparatus for detecting counterfeit traffic according to the embodiment of the present invention is described in detail below with reference to fig. 3.

Fig. 3 is a schematic structural diagram illustrating an apparatus for detecting counterfeit traffic according to an embodiment of the present invention. As shown in fig. 3, the apparatus for detecting a counterfeit traffic includes:

an obtaining module 31, configured to obtain an encrypted flow to be processed;

the first processing module 32 is configured to determine a cipher suite feature of the encrypted traffic, determine whether a handshake message in the encrypted traffic is abnormal according to the cipher suite feature, and determine that the encrypted traffic is a counterfeit traffic when the handshake message is abnormal;

the second processing module 33 is configured to determine a certificate feature of the encrypted traffic, determine whether the certificate feature is abnormal, and determine that the encrypted traffic is a fake traffic when the certificate feature is abnormal; judging whether the handshake message is abnormal according to the certificate characteristics, and determining the encrypted flow as a forged flow when the handshake message is abnormal;

the third processing module 34 is configured to determine a packet characteristic of the encrypted traffic, determine whether the packet characteristic is abnormal, and determine that the encrypted traffic is a fake traffic when the packet characteristic is abnormal.

On the basis of the foregoing embodiment, the determining, by the first processing module 32 according to the characteristics of the cipher suite, whether the handshake message in the encrypted traffic is abnormal includes:

On the basis of the foregoing embodiment, the determining, by the second processing module 33, whether the certificate feature is abnormal includes:

extracting domain name features in the certificate features, judging whether a target port of the encrypted traffic is abnormal or not when the domain name features in the certificate features are matched with the domain name features of a known site set, and determining that the certificate features are abnormal when the target port is abnormal; and/or

On the basis of the foregoing embodiment, the determining, by the second processing module 33, whether the handshake message is abnormal according to the certificate characteristic includes:

On the basis of the foregoing embodiment, the determining, by the third processing module 34, whether the packet characteristic is abnormal includes:

determining a protocol header and a data packet length in the data packet characteristics;

determining that the data packet characteristic is abnormal when the protocol header is different from a standard protocol header of the selected protocol;

when the length of the data packet is inconsistent with the length attribute in the data packet, determining that the characteristic of the data packet is abnormal;

and determining that the characteristic of the data packet is abnormal when the lengths of a plurality of data packets are regular or the lengths of the plurality of data packets are the same.

On the basis of the above embodiment, the apparatus further includes a fourth processing module;

before the second processing module 33 determines the certificate characteristics of the encrypted traffic, the fourth processing module is configured to:

determining whether the session of the encrypted flow is a new session according to the session identifier of the encrypted flow;

and when the session of the encrypted flow is not a new session, if the encrypted flow contains the certificate message, determining that the encrypted flow is a forged flow.

The device for detecting the counterfeit traffic, provided by the embodiment of the invention, is used for detecting the encrypted traffic from multiple dimensions such as the characteristics of a password suite, the characteristics of a certificate, the characteristics of a data packet and the like based on the normal characteristics of the encrypted traffic, so that the abnormal counterfeit traffic can be determined. In the embodiment, whether the handshake message is abnormal is judged according to the characteristics of the password suite and the certificate, and comprehensive judgment is carried out according to whether the characteristics of the certificate and the data packet are abnormal, so that the encrypted flow can be detected in a multi-dimensional and all-around manner, the forged flow can be detected accurately, and the detection precision is high; the detection mode is simple, detection can be realized without a large amount of calculation, and the detection efficiency is high.

In addition, an embodiment of the present invention further provides an electronic device, which includes a bus, a transceiver, a memory, a processor, and a computer program stored in the memory and capable of running on the processor, where the transceiver, the memory, and the processor are connected via the bus, and when being executed by the processor, the computer program implements each process of the above-mentioned method for detecting a fake traffic, and can achieve the same technical effect, and is not described herein again to avoid repetition.

Specifically, referring to fig. 4, an embodiment of the present invention further provides an electronic device, which includes a bus 1110, a processor 1120, a transceiver 1130, a bus interface 1140, a memory 1150, and a user interface 1160.

In an embodiment of the present invention, the electronic device further includes: a computer program stored on the memory 1150 and executable on the processor 1120, the computer program when executed by the processor 1120 performing the steps of:

acquiring encryption flow to be processed;

Optionally, when the processor 1120 executes the step of "determining whether the handshake message in the encrypted traffic is abnormal according to the characteristics of the cipher suite", the processor is caused to specifically implement the following steps:

Optionally, when the computer program is executed by the processor 1120, the step of "determining whether the certificate feature is abnormal" causes the processor to specifically implement the steps of:

Optionally, when the processor 1120 executes the step of "determining whether the handshake message is abnormal according to the certificate characteristic", the computer program causes the processor to specifically implement the following steps:

Optionally, when the processor 1120 executes the step of "determining whether the characteristic of the data packet is abnormal", the processor is enabled to specifically implement the following steps:

determining a protocol header and a data packet length in the data packet characteristics;

determining that the data packet characteristic is abnormal when the protocol header is different from a standard protocol header of the selected protocol;

when the length of the data packet is inconsistent with the length attribute in the data packet, determining that the characteristic of the data packet is abnormal;

and determining that the characteristic of the data packet is abnormal when the lengths of a plurality of data packets are regular or the lengths of the plurality of data packets are the same.

Optionally, before the computer program is executed by the processor 1120 to determine the certificate characteristic of the encrypted traffic, the following steps may be further implemented:

determining whether the session of the encrypted flow is a new session according to the session identifier of the encrypted flow;

and when the session of the encrypted flow is not a new session, if the encrypted flow contains the certificate message, determining that the encrypted flow is a forged flow.

A transceiver 1130 for receiving and transmitting data under the control of the processor 1120.

In embodiments of the invention in which a bus architecture (represented by bus 1110) is used, bus 1110 may include any number of interconnected buses and bridges, with bus 1110 connecting various circuits including one or more processors, represented by processor 1120, and memory, represented by memory 1150.

Bus 1110 represents one or more of any of several types of bus structures, including a memory bus, and memory controller, a peripheral bus, an Accelerated Graphics Port (AGP), a processor, or a local bus using any of a variety of bus architectures. By way of example, and not limitation, such architectures include: an Industry Standard Architecture (ISA) bus, a Micro Channel Architecture (MCA) bus, an Enhanced ISA (EISA) bus, a Video Electronics Standards Association (VESA), a Peripheral Component Interconnect (PCI) bus.

Processor 1120 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method embodiments may be performed by integrated logic circuits in hardware or instructions in software in a processor. The processor described above includes: general purpose processors, Central Processing Units (CPUs), Network Processors (NPs), Digital Signal Processors (DSPs), Application Specific Integrated Circuits (ASICs), Field Programmable Gate Arrays (FPGAs), Complex Programmable Logic Devices (CPLDs), Programmable Logic Arrays (PLAs), Micro Control Units (MCUs) or other Programmable Logic devices, discrete gates, transistor Logic devices, discrete hardware components. The various methods, steps and logic blocks disclosed in embodiments of the present invention may be implemented or performed. For example, the processor may be a single core processor or a multi-core processor, which may be integrated on a single chip or located on multiple different chips.

Processor 1120 may be a microprocessor or any conventional processor. The steps of the method disclosed in connection with the embodiments of the present invention may be directly performed by a hardware decoding processor, or may be performed by a combination of hardware and software modules in the decoding processor. The software modules may be located in a Random Access Memory (RAM), a Flash Memory (Flash Memory), a Read-Only Memory (ROM), a Programmable ROM (PROM), an Erasable PROM (EPROM), a register, and other readable storage media known in the art. The readable storage medium is located in a memory, and a processor reads information in the memory and completes the steps of the method in combination with hardware of the processor.

The bus 1110 may also connect various other circuits such as peripherals, voltage regulators, or power management circuits to provide an interface between the bus 1110 and the transceiver 1130, as is well known in the art. Therefore, the embodiments of the present invention will not be further described.

The transceiver 1130 may be one element or may be multiple elements, such as multiple receivers and transmitters, providing a means for communicating with various other apparatus over a transmission medium. For example: the transceiver 1130 receives external data from other devices, and the transceiver 1130 transmits data processed by the processor 1120 to other devices. Depending on the nature of the computer system, a user interface 1160 may also be provided, such as: touch screen, physical keyboard, display, mouse, speaker, microphone, trackball, joystick, stylus.

It is to be appreciated that in embodiments of the invention, the memory 1150 may further include memory located remotely with respect to the processor 1120, which may be coupled to a server via a network. One or more portions of the above-described networks may be an ad hoc network (ad hoc network), an intranet (intranet), an extranet (extranet), a Virtual Private Network (VPN), a Local Area Network (LAN), a Wireless Local Area Network (WLAN), a Wide Area Network (WAN), a Wireless Wide Area Network (WWAN), a Metropolitan Area Network (MAN), the Internet (Internet), a Public Switched Telephone Network (PSTN), a plain old telephone service network (POTS), a cellular telephone network, a wireless fidelity (Wi-Fi) network, and combinations of two or more of the above. For example, the cellular telephone network and the wireless network may be a global system for Mobile Communications (GSM) system, a Code Division Multiple Access (CDMA) system, a Worldwide Interoperability for Microwave Access (WiMAX) system, a General Packet Radio Service (GPRS) system, a Wideband Code Division Multiple Access (WCDMA) system, a Long Term Evolution (LTE) system, an LTE Frequency Division Duplex (FDD) system, an LTE Time Division Duplex (TDD) system, a long term evolution-advanced (LTE-a) system, a Universal Mobile Telecommunications (UMTS) system, an enhanced Mobile Broadband (eMBB) system, a mass Machine Type Communication (mtc) system, an Ultra Reliable Low Latency Communication (urrllc) system, or the like.

It is to be understood that the memory 1150 in embodiments of the present invention can be either volatile memory or nonvolatile memory, or can include both volatile and nonvolatile memory. Wherein the nonvolatile memory includes: Read-Only Memory (ROM), Programmable ROM (PROM), Erasable PROM (EPROM), Electrically Erasable PROM (EEPROM), or Flash Memory.

The volatile memory includes: random Access Memory (RAM), which acts as an external cache. By way of example, and not limitation, many forms of RAM are available, such as: static random access memory (Static RAM, SRAM), Dynamic random access memory (Dynamic RAM, DRAM), Synchronous Dynamic random access memory (Synchronous DRAM, SDRAM), Double Data Rate Synchronous Dynamic random access memory (Double Data Rate SDRAM, DDRSDRAM), Enhanced Synchronous DRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), and Direct memory bus RAM (DRRAM). The memory 1150 of the electronic device described in the embodiments of the invention includes, but is not limited to, the above and any other suitable types of memory.

In an embodiment of the present invention, memory 1150 stores the following elements of operating system 1151 and application programs 1152: an executable module, a data structure, or a subset thereof, or an expanded set thereof.

Specifically, the operating system 1151 includes various system programs such as: a framework layer, a core library layer, a driver layer, etc. for implementing various basic services and processing hardware-based tasks. Applications 1152 include various applications such as: media Player (Media Player), Browser (Browser), for implementing various application services. A program implementing a method of an embodiment of the invention may be included in application program 1152. The application programs 1152 include: applets, objects, components, logic, data structures, and other computer system executable instructions that perform particular tasks or implement particular abstract data types.

In addition, an embodiment of the present invention further provides a computer-readable storage medium, where a computer program is stored, and when the computer program is executed by a processor, the computer program implements each process of the above method for detecting a fake traffic, and can achieve the same technical effect, and in order to avoid repetition, details are not repeated here.

In particular, the computer program may, when executed by a processor, implement the steps of:

acquiring encryption flow to be processed;

Optionally, when the computer program is executed by the processor to perform the step of determining whether the handshake message in the encrypted traffic is abnormal according to the characteristics of the cipher suite, the processor is caused to specifically implement the following steps:

Optionally, when the computer program is executed by the processor in the step of "determining whether the certificate feature is abnormal", the processor is caused to specifically implement the following steps:

Optionally, when the computer program is executed by the processor to perform the step of determining whether the handshake message is abnormal according to the certificate characteristic, the processor is caused to specifically implement the following steps:

Optionally, when the computer program is executed by the processor to perform the step of "determining whether the characteristic of the data packet is abnormal", the processor is enabled to specifically implement the following steps:

determining a protocol header and a data packet length in the data packet characteristics;

determining that the data packet characteristic is abnormal when the protocol header is different from a standard protocol header of the selected protocol;

when the length of the data packet is inconsistent with the length attribute in the data packet, determining that the characteristic of the data packet is abnormal;

and determining that the characteristic of the data packet is abnormal when the lengths of a plurality of data packets are regular or the lengths of the plurality of data packets are the same.

Optionally, before the computer program is executed by the processor to determine the certificate characteristic of the encrypted traffic, the following steps may be further implemented:

determining whether the session of the encrypted flow is a new session according to the session identifier of the encrypted flow;

and when the session of the encrypted flow is not a new session, if the encrypted flow contains the certificate message, determining that the encrypted flow is a forged flow.

The computer-readable storage medium includes: permanent and non-permanent, removable and non-removable media may be tangible devices that retain and store instructions for use by an instruction execution apparatus. The computer-readable storage medium includes: electronic memory devices, magnetic memory devices, optical memory devices, electromagnetic memory devices, semiconductor memory devices, and any suitable combination of the foregoing. The computer-readable storage medium includes: phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), non-volatile random access memory (NVRAM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic tape cartridge storage, magnetic tape disk storage or other magnetic storage devices, memory sticks, mechanically encoded devices (e.g., punched cards or raised structures in a groove having instructions recorded thereon), or any other non-transmission medium useful for storing information that may be accessed by a computing device. As defined in embodiments of the present invention, the computer-readable storage medium does not include transitory signals per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through a waveguide or other transmission medium (e.g., optical pulses traveling through a fiber optic cable), or electrical signals transmitted through a wire.

In the several embodiments provided in the present application, it should be understood that the disclosed apparatus, electronic device and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the modules or units is only one logical division, and there may be other divisions in actual implementation, for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may also be an electrical, mechanical or other form of connection.

The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one position, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to solve the problem to be solved by the embodiment of the invention.

In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.

The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solutions of the embodiments of the present invention may be substantially or partially contributed by the prior art, or all or part of the technical solutions may be embodied in a software product stored in a storage medium and including instructions for causing a computer device (including a personal computer, a server, a data center, or other network devices) to execute all or part of the steps of the methods of the embodiments of the present invention. And the storage medium includes various media that can store the program code as listed in the foregoing.

The above description is only a specific implementation of the embodiments of the present invention, but the scope of the embodiments of the present invention is not limited thereto, and any person skilled in the art can easily conceive of changes or substitutions within the technical scope of the embodiments of the present invention, and all such changes or substitutions should be covered by the scope of the embodiments of the present invention. Therefore, the protection scope of the embodiments of the present invention shall be subject to the protection scope of the claims.

20页详细技术资料下载

上一篇：一种医用注射器针头装配设备

下一篇：可靠传输网络中维持实时音讯串流播放延迟的方法及系统

Method and device for detecting counterfeit flow and electronic equipment

相关技术

网友询问留言