CN112751802A - Application identification method, system and equipment for encrypted traffic - Google Patents

Info

Publication number: CN112751802A
Authority: CN (China)
Prior art keywords: handshake, certificate, application, flow, encrypted
Legal status: Granted (Active)
Application number: CN201911045309.1A
Other languages: Chinese (zh)
Other versions: CN112751802B (en)
Inventors: 梁易超, 于海东
Current Assignee: Beijing Guancheng Technology Co ltd
Original Assignee: Beijing Guancheng Technology Co ltd
Application filed by Beijing Guancheng Technology Co ltd
Priority to CN201911045309.1A
Publication of CN112751802A
Application granted; publication of CN112751802B

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06V: IMAGE OR VIDEO RECOGNITION OR UNDERSTANDING
    • G06V10/00: Arrangements for image or video recognition or understanding
    • G06V10/70: Arrangements for image or video recognition or understanding using pattern recognition or machine learning
    • G06V10/74: Image or video pattern matching; Proximity measures in feature spaces
    • G06V10/75: Organisation of the matching processes, e.g. simultaneous or sequential comparisons of image or video features; Coarse-fine approaches, e.g. multi-scale approaches; using context analysis; Selection of dictionaries
    • G06V10/757: Matching configurations of points or features
    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00: Reducing energy consumption in communication networks
    • Y02D30/50: Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The invention discloses an application identification method, system and device for encrypted traffic, comprising the following steps: extracting handshake features and certificate features from the encrypted traffic to be detected; matching the handshake features and the certificate features against a preset application feature comparison library; and, after a successful match, identifying the application information of the encrypted traffic to be detected to obtain its application category. The method, system and device identify the application category of the encrypted traffic to be detected by matching its handshake features and certificate features against the preset traffic feature comparison library. Handshake features correlate strongly with the software but may collide; certificate features correlate strongly with the target and their legitimacy can be verified, but a certificate alone cannot confirm the source of the traffic. Combining the handshake features with the certificate therefore allows the application category of the encrypted traffic to be identified accurately and efficiently.

Description

Application identification method, system and equipment for encrypted traffic
Technical Field
The invention relates to the field of encrypted traffic analysis in information security, and in particular to an application identification method, system and device for encrypted traffic.
Background
With the rapid development of network technology, the variety and scale of encrypted traffic on the Internet keep expanding, and Internet security problems are becoming increasingly serious. Many applications use encrypted traffic to protect their data content, and the Secure Sockets Layer (SSL) protocol is currently the most widely used protocol for secure transmission of network data. For example, information sent from Google servers travels as data flows encrypted with the SSL protocol.
In some application scenarios, such as data auditing, the application category to which encrypted traffic belongs must be identified. Conventionally, identification is based on the domain name features of the encrypted flows in the encrypted traffic. However, encrypted traffic often contains a large number of encrypted flows that share the same domain name features but carry different services, and the existing identification method cannot identify the applications behind encrypted flows with the same domain name features.
Application identification of encrypted traffic is both a difficulty and a bottleneck in network security detection. Achieving it can greatly improve the efficiency and accuracy of encrypted traffic analysis and malicious traffic identification.
Disclosure of Invention
The invention aims to provide an application identification method, system and device for encrypted traffic that can accurately identify the application category, so as to solve the problem of identifying the application source of encrypted traffic.
To solve the above technical problem, the present invention provides an application identification method for encrypted traffic, comprising the following steps:
extracting handshake features and certificate features from the encrypted traffic to be detected;
matching the handshake features and the certificate features against a preset application feature comparison library;
after a successful match, identifying the application information of the encrypted traffic to be detected to obtain the application category of the encrypted traffic to be detected;
wherein the application feature comparison library is built in advance by extracting features from a plurality of existing application software and establishing the correspondence among application information, handshake features and certificate features.
Optionally, matching the handshake features and the certificate features against a preset application feature comparison library includes:
matching the handshake features and the certificate features, as a handshake-certificate pair, against a preset handshake-certificate comparison library;
if the handshake-certificate pair matches the handshake-certificate comparison library, the matching succeeds;
if the handshake-certificate pair does not match the handshake-certificate comparison library, the matching fails.
Optionally, after the matching fails because the handshake-certificate pair does not match the handshake-certificate comparison library, the method includes:
matching the handshake features against a preset handshake feature comparison library, and matching the certificate features against a preset certificate feature comparison library;
if the handshake features match the handshake feature comparison library and the certificate features match the certificate feature comparison library, the matching succeeds;
if the handshake features match the handshake feature comparison library but the certificate features do not match the certificate feature comparison library, the matching succeeds;
if the handshake features do not match the handshake feature comparison library, the matching fails.
Optionally, extracting the handshake features from the encrypted traffic to be detected includes:
extracting a handshake feature set from the handshake information of the encrypted traffic to be detected, generating a digest of the handshake feature set, and calculating a hash value from the digest to obtain the handshake features.
Optionally, extracting a handshake feature set from the handshake information of the encrypted traffic to be detected, generating a digest of the handshake feature set, and calculating a hash value from the digest to obtain the handshake features includes:
extracting a handshake feature set from the handshake information of the encrypted traffic to be detected, wherein the handshake feature set covers the client handshake and the server handshake, and the feature content includes the protocol versions, cipher suite types, cipher suite order, number of cipher suites, extension types and extension order of the client handshake and the server handshake;
generating a digest of the handshake feature set and calculating a hash value to obtain the handshake features.
Optionally, extracting the certificate features from the encrypted traffic to be detected includes:
extracting the certificate features from the certificate of the encrypted traffic to be detected, wherein the certificate features are obtained by calculating a hash value over all the certificate information in the certificate.
Optionally, after matching the handshake features and the certificate features against a preset application feature comparison library, the method further includes:
extracting flow features from the data flows of the encrypted traffic to be detected;
matching the flow features against a preset flow feature comparison library;
wherein the flow feature comparison library is an application feature comparison library composed of the application information of a plurality of existing application software and the corresponding flow features.
Optionally, extracting flow features from the data flows of the encrypted traffic to be detected includes:
extracting flow information from the data flows of the encrypted traffic to be detected, wherein the flow information includes whether a DNS request exists, the DNS request content, whether the DNS request succeeded, the number of flows, the mean flow interval, the flow interval variance, the average number of packets per flow, and the ratio of uplink to downlink packets;
summarizing the extracted flow information into flow features.
Optionally, matching the flow features against a preset flow feature comparison library includes:
extracting flow feature content from the data flows of the encrypted traffic of existing application software, and summarizing the extracted feature content into flow features, wherein the flow features include download flow features, upload flow features and heartbeat flow features;
creating a flow feature comparison library composed of the application information of a plurality of existing software and the flow features of the corresponding categories;
matching the flow features of the encrypted traffic to be detected against the flow feature comparison library.
Optionally, the process of creating the handshake-certificate comparison library includes:
extracting application information from the encrypted traffic of existing application software;
extracting handshake features from the handshake information of the encrypted traffic of the existing application software;
acquiring the certificate features of the existing application software from an existing certificate library;
forming handshake-certificate pairs from the handshake features and certificate features extracted from the encrypted traffic of the same application software, and creating a handshake-certificate comparison library composed of the application information of a plurality of existing application software and the corresponding handshake-certificate pairs.
Optionally, the process of creating the handshake feature comparison library and the certificate feature comparison library includes:
extracting application information from the encrypted traffic of existing application software;
extracting handshake features from the handshake information of the encrypted traffic of the existing application software;
acquiring the certificate features of the existing application software from an existing certificate library;
creating a handshake feature comparison library composed of the application information of a plurality of existing application software and the corresponding handshake features, and creating a certificate feature comparison library composed of the application information of a plurality of existing application software and the corresponding certificate features.
The invention also provides an application identification system for encrypted traffic, comprising:
an extraction module, used for extracting handshake features and certificate features from the encrypted traffic to be detected;
a matching module, used for matching the handshake features and the certificate features against a preset application feature comparison library and, after a successful match, identifying the application information of the encrypted traffic to be detected to obtain the application category of the encrypted traffic to be detected;
wherein the application feature comparison library is built in advance by extracting features from a plurality of existing application software and establishing the correspondence among application information, handshake features and certificate features.
The invention also provides a computer device comprising a memory and a processor, wherein the memory stores a computer program and the processor implements the application identification method for encrypted traffic when executing the computer program.
The application identification method, system and device for encrypted traffic provided by the invention identify the application category of the encrypted traffic to be detected by matching its handshake features and certificate features against the preset traffic feature comparison library. Handshake features correlate strongly with the software but may collide; certificate features correlate strongly with the target and their legitimacy can be verified, but a certificate alone cannot confirm the source of the traffic. Combining the handshake features with the certificate therefore allows the application category of the encrypted traffic to be identified accurately and efficiently. In addition, because the scheme identifies the application category by matching traffic features against comparison libraries, it can identify the application of encrypted traffic without relying on the domain name features of the network traffic, which makes it more practical and gives it high identification accuracy.
Drawings
To illustrate the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings used in the description of the embodiments or the prior art are briefly introduced below. The drawings described below show only some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of the application identification method for encrypted traffic in an embodiment of the present invention;
Fig. 2 is a flowchart of the matching process of the application identification method for encrypted traffic in an embodiment of the present invention;
Fig. 3 is a flowchart of the specific matching process of the application identification method for encrypted traffic in an embodiment of the present invention;
Fig. 4 is a flowchart of the extraction process of the application identification method for encrypted traffic in an embodiment of the present invention;
Fig. 5 is a flowchart of the specific extraction process of the application identification method for encrypted traffic in an embodiment of the present invention;
Fig. 6 is a flowchart of flow feature identification in the application identification method for encrypted traffic in an embodiment of the present invention;
Fig. 7 is a flowchart of flow feature extraction in the application identification method for encrypted traffic in an embodiment of the present invention;
Fig. 8 is a flowchart of flow feature matching in the application identification method for encrypted traffic in an embodiment of the present invention;
Fig. 9 is a flowchart of the creation of the handshake-certificate comparison library in the application identification method for encrypted traffic in an embodiment of the present invention;
Fig. 10 is a flowchart of the creation of the handshake feature comparison library and the certificate feature comparison library in the application identification method for encrypted traffic in an embodiment of the present invention;
Fig. 11 is a block diagram of the application identification system for encrypted traffic in an embodiment of the present invention;
Fig. 12 is a block diagram of the computer device in an embodiment of the present invention.
Detailed Description
The core of the invention is to provide an application identification method, system and device for encrypted traffic that can accurately identify the application category and are used for identifying the application source of encrypted traffic.
In order that those skilled in the art will better understand the disclosure, the invention will be described in further detail with reference to the accompanying drawings and specific embodiments. It is to be understood that the described embodiments are merely exemplary of the invention, and not restrictive of the full scope of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terms "first," "second," "third," "fourth," and the like in the description and in the claims of the present application and in the drawings described above, if any, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It will be appreciated that the data so used may be interchanged under appropriate circumstances such that the embodiments described herein may be practiced otherwise than as specifically illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
It should be noted that the description relating to "first", "second", etc. in the present invention is for descriptive purposes only and is not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In addition, technical solutions between various embodiments may be combined with each other, but must be realized by a person skilled in the art, and when the technical solutions are contradictory or cannot be realized, such a combination should not be considered to exist, and is not within the protection scope of the present invention.
The embodiments of the invention can be used in encrypted traffic identification scenarios, in particular for identifying the application source during encrypted traffic identification. The encrypted traffic in the embodiments of the present invention may be PCAP and real-time traffic containing encrypted communication content, or encrypted traffic in other scenarios, which is not limited in the embodiments of the present invention.
The application identification method for encrypted traffic provided by the embodiment of the invention, as shown in Fig. 1, includes the following steps:
S100: Extract handshake features and certificate features from the encrypted traffic to be detected.
Specifically, the handshake features are extracted from the handshake information of the encrypted traffic to be detected, which includes the client handshake (client hello) and the server handshake (server hello), and a certificate fingerprint is extracted from the certificate of the encrypted traffic to be detected as the certificate feature.
S300: Match the handshake features and the certificate features against a preset application feature comparison library, wherein the application feature comparison library is built in advance by extracting features from a plurality of existing application software and establishing the correspondence among application information, handshake features and certificate features.
Specifically, the application feature comparison library may include a library composed of application information and handshake features, a library composed of application information and certificate features, and a library composed of application information, handshake features and certificate features.
S500: After a successful match, identify the application information of the encrypted traffic to be detected to obtain the application category of the encrypted traffic to be detected.
Specifically, when the features hit an entry in the application feature comparison library, the name information of the corresponding application is obtained, which means the application identification has succeeded.
The application category of the encrypted traffic to be detected is identified by matching its handshake features and certificate features against the preset traffic feature comparison library. Handshake features correlate strongly with the software but may collide; certificate features correlate strongly with the target and their legitimacy can be verified, but a certificate alone cannot confirm the source of the traffic. Combining the handshake features with the certificate features therefore allows the application category of the encrypted traffic to be identified accurately and efficiently.
In addition, because the scheme identifies the application category by matching traffic features against comparison libraries, it can identify the application of encrypted traffic without relying on the domain name features of the network traffic, which makes it more practical and gives it high identification accuracy.
Optionally, as shown in Fig. 2, step S300 includes:
S310: Match the handshake features and the certificate features, as a handshake-certificate pair, against a preset handshake-certificate comparison library.
Specifically, the preset handshake-certificate comparison library is an application feature comparison library in which the handshake features and certificate features of existing application software form handshake-certificate pairs, each pair corresponding to application information. The handshake features and certificate features extracted from the traffic to be detected are matched, as a handshake-certificate pair, against this library to obtain a matching result.
S320: If the handshake-certificate pair matches the handshake-certificate comparison library, the matching succeeds.
S330: If the handshake-certificate pair does not match the handshake-certificate comparison library, the matching fails.
Specifically, one handshake feature may correspond to multiple certificate features, as with a browser. In the matching process, the matching succeeds only when the extracted handshake feature and certificate feature both match a handshake-certificate pair of the same application.
Specifically, the handshake features and certificate features extracted from the traffic generated by one application form a correspondence, from which the handshake-certificate comparison library is created. The handshake features and certificate features of the traffic to be detected are then matched, as a handshake-certificate pair, against this library to obtain a matching result. Because of the correspondence within each handshake-certificate pair, the matching result is more accurate and the accuracy of application matching is higher.
Optionally, as shown in Fig. 3, after step S330, the method includes:
S340: Match the handshake features against a preset handshake feature comparison library, and match the certificate features against a preset certificate feature comparison library.
Specifically, one handshake feature may correspond to a plurality of certificates, and because the collected certificates are limited, the handshake-certificate comparison library may not contain the corresponding application information. Matching the handshake feature comparison library and the certificate feature comparison library separately therefore makes the matching result more comprehensive and the application matching accuracy higher.
S350: If the handshake features match the handshake feature comparison library and the certificate features match the certificate feature comparison library, the matching succeeds.
S360: If the handshake features match the handshake feature comparison library but the certificate features do not match the certificate feature comparison library, the matching succeeds.
S370: If the handshake features do not match the handshake feature comparison library, the matching fails.
Specifically, given the respective properties of handshake features and certificate features, application identification can be achieved when only the handshake features match, although less accurately than when the handshake feature comparison library and the certificate feature comparison library both match. When only the certificate features match, the source of the traffic cannot be confirmed from the certificate features alone, and application matching cannot be achieved.
The application identification method for encrypted traffic in this embodiment further refines the above embodiment. S350, S360 and S370 are not performed in sequence; one of them is selected according to the result of S340. Adding these detailed identification steps makes the application identification method for encrypted traffic in this embodiment more specific and accurate.
In the application identification method for encrypted traffic of this embodiment, matching against the handshake-certificate comparison library comes first, and separate matching against the handshake feature comparison library and the certificate feature comparison library comes second. When a handshake-certificate pair matches, the application category can be determined directly. In some situations, for example when one handshake feature corresponds to a very large number of certificates, the library may not contain the application information because the collected certificates are limited, so the handshake-certificate comparison library does not match. Matching then continues against the handshake feature comparison library alone and after that against the certificate feature comparison library. The credibility of the three libraries, from high to low, is: handshake-certificate comparison library > handshake feature comparison library > certificate feature comparison library.
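The matching order of S310 to S370, as an added example that is not part of the patent text. The library contents, fingerprint strings and confidence labels are constructed, and narrowing the result in S350 to the applications both single-feature libraries agree on is an assumption of this example.

```python
from dataclasses import dataclass

# Constructed comparison libraries. Fingerprints are placeholder strings,
# not real hash values, and the application names are hypothetical.
PAIR_LIBRARY = {("hs-chat", "cert-chat"): "ExampleChat"}
HANDSHAKE_LIBRARY = {
    "hs-chat": frozenset({"ExampleChat"}),
    "hs-browser": frozenset({"ExampleBrowser"}),
    # One handshake feature shared by two applications (a collision).
    "hs-shared": frozenset({"ExampleChat", "ExampleMail"}),
}
CERTIFICATE_LIBRARY = {
    "cert-chat": frozenset({"ExampleChat"}),
    "cert-mail": frozenset({"ExampleMail"}),
}


@dataclass(frozen=True)
class MatchResult:
    matched: bool
    step: str            # patent step that produced the verdict
    applications: tuple  # candidate application names, sorted
    confidence: str      # label chosen for this example only


def identify(handshake_fp, cert_fp, pair_lib=PAIR_LIBRARY,
             handshake_lib=HANDSHAKE_LIBRARY, cert_lib=CERTIFICATE_LIBRARY):
    """Apply the pair lookup first, then the two single-feature lookups."""
    # S310/S320: the (handshake, certificate) pair is the most credible hit.
    app = pair_lib.get((handshake_fp, cert_fp))
    if app is not None:
        return MatchResult(True, "S320", (app,), "high")

    # S330 -> S340: pair lookup failed, query each library on its own.
    hs_apps = handshake_lib.get(handshake_fp, frozenset())
    cert_apps = cert_lib.get(cert_fp, frozenset())

    # S370: without a handshake hit the match fails, even if the
    # certificate is known; a certificate alone cannot confirm the source.
    if not hs_apps:
        return MatchResult(False, "S370", (), "none")

    # S350: both libraries hit. Assumption of this example: prefer the
    # applications both agree on, otherwise keep the handshake candidates.
    if cert_apps:
        agreed = hs_apps & cert_apps
        return MatchResult(True, "S350", tuple(sorted(agreed or hs_apps)), "medium")

    # S360: handshake hit only; still a match, but the least precise one.
    return MatchResult(True, "S360", tuple(sorted(hs_apps)), "low")
```

A collided handshake feature such as `hs-shared` yields two candidates under S360 and a single one once a known certificate is seen under S350, which is the effect the combination of the two features is meant to achieve.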
Alternatively, as shown in fig. 4, step S100 includes:
s110: extracting a handshake feature set from handshake information of encrypted flow to be detected, extracting an abstract from the handshake feature set, and calculating a hash value according to the abstract to obtain handshake features.
Specifically, a plurality of pieces of feature content are extracted from handshake information including client handshake (client hello) and server handshake (server hello) of encrypted traffic to be detected to form a handshake feature set, the handshake feature set is abstracted, and a calculated hash value is used as a handshake feature.
The application identification method for encrypted traffic of the embodiment is specifically directed to a handshake feature extraction process of encrypted traffic to be detected, and the application identification method for encrypted traffic of the embodiment is more specific and accurate.
Alternatively, as shown in fig. 5, step S110 includes:
s111: extracting a handshake feature set from handshake information of encrypted flow to be detected, wherein the handshake feature set comprises client handshake and server handshake, and the feature content comprises protocol versions of the client handshake and the server handshake, encryption suite types, encryption suite sequences, encryption suite numbers, extension item types and extension item sequences.
Specifically, a plurality of pieces of feature content are extracted from handshake information including client handshake (client hello) and server handshake (server hello) of encrypted traffic to be detected to form a handshake feature set, wherein the feature content includes a protocol version provided by a client, a client encryption suite type, a client encryption suite sequence, a client encryption suite number, a client extension item type, a client extension item sequence, a server encryption suite type, a server encryption suite sequence, a server encryption suite number, a server extension item type, a server extension item sequence and the like.
S112: computing a digest of the handshake feature set and calculating a hash value to obtain the handshake feature.
Specifically, a digest of the handshake feature set is computed, and a hash value is calculated with a hash algorithm to obtain the handshake feature.
By spelling out which information is extracted and how the handshake feature is calculated during handshake feature extraction, the application identification method of this embodiment is more specific and accurate.
Optionally, as shown in fig. 4, step S100 includes:
S120: extracting a certificate feature from the certificate of the encrypted traffic to be detected, wherein the certificate feature is a hash value calculated from all certificate information in the certificate.
Specifically, a certificate fingerprint is extracted from the certificate information of the encrypted traffic to be detected and used as the certificate feature. The certificate fingerprint is a hash value calculated over all the information contained in the certificate; it is unique and has extremely high information density, which makes it well suited to associating encrypted streams.
By spelling out the certificate feature extraction process for the encrypted traffic to be detected, the application identification method of this embodiment is more specific and accurate.
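An added illustration of steps S110 to S120 (not code from the patent): it parses constructed ClientHello and ServerHello messages, serializes the listed fields in order, and hashes the result. The serialization format, the use of SHA-256 and the dropping of RFC 8701 GREASE values are assumptions, since the page names no hash algorithm or digest format.

```python
import hashlib
import struct

def _vec(data: bytes, n: int) -> bytes:
    """TLS vector: n-byte big-endian length prefix followed by the data."""
    return len(data).to_bytes(n, "big") + data

def build_hello(msg_type: int, version: int, suites: list, ext_types: list) -> bytes:
    """Construct a minimal ClientHello (1) or ServerHello (2); sample input only."""
    body = struct.pack("!H", version) + bytes(32) + _vec(b"", 1)  # version, random, session id
    if msg_type == 1:  # client offers a suite list and a compression method list
        body += _vec(b"".join(struct.pack("!H", s) for s in suites), 2) + _vec(b"\x00", 1)
    else:              # server selects exactly one suite and one compression method
        body += struct.pack("!HB", suites[0], 0)
    body += _vec(b"".join(struct.pack("!HH", t, 0) for t in ext_types), 2)
    return bytes([msg_type]) + _vec(body, 3)

def is_grease(value: int) -> bool:
    """RFC 8701 GREASE placeholders (0x0A0A, 0x1A1A, ...) change between connections."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)

def parse_hello(msg: bytes) -> dict:
    """Extract the version, ordered cipher suites and ordered extension types."""
    try:
        msg_type, length = msg[0], int.from_bytes(msg[1:4], "big")
        body = msg[4:4 + length]
        if msg_type not in (1, 2) or len(body) != length:
            raise ValueError("not a complete ClientHello/ServerHello")
        version = struct.unpack_from("!H", body, 0)[0]
        pos = 34                      # skip version (2 bytes) and random (32 bytes)
        pos += 1 + body[pos]          # skip session id
        if msg_type == 1:
            n = struct.unpack_from("!H", body, pos)[0]
            pos += 2
            suites = [struct.unpack_from("!H", body, i)[0] for i in range(pos, pos + n, 2)]
            pos += n
            pos += 1 + body[pos]      # skip compression methods
        else:
            suites = [struct.unpack_from("!H", body, pos)[0]]
            pos += 3                  # selected suite (2) + compression method (1)
        exts = []
        if pos < len(body):           # extensions block is optional
            end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
            pos += 2
            while pos + 4 <= min(end, len(body)):
                etype, elen = struct.unpack_from("!HH", body, pos)
                exts.append(etype)
                pos += 4 + elen
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated hello message") from exc
    return {"version": version,
            "suites": [s for s in suites if not is_grease(s)],
            "extensions": [e for e in exts if not is_grease(e)]}

def digest_string(hello: dict, side: str) -> str:
    """Assumed digest format: side|version|suite count|suites in order|extensions in order."""
    return "|".join([side, str(hello["version"]), str(len(hello["suites"])),
                     "-".join(map(str, hello["suites"])),
                     "-".join(map(str, hello["extensions"]))])

def handshake_feature(client_hello: bytes, server_hello: bytes) -> str:
    """S110-S112: hash of the combined client and server digest strings."""
    text = (digest_string(parse_hello(client_hello), "c") + ";"
            + digest_string(parse_hello(server_hello), "s"))
    return hashlib.sha256(text.encode()).hexdigest()

def certificate_feature(cert_der: bytes) -> str:
    """S120: fingerprint over the whole encoded certificate."""
    return hashlib.sha256(cert_der).hexdigest()

# Constructed sample handshakes (not captured traffic).
SUITES = [0x1301, 0x1302, 0xC02B]
EXTS = [0, 10, 11, 13, 43]
CH_A = build_hello(1, 0x0303, [0x0A0A] + SUITES, [0x1A1A] + EXTS)
CH_B = build_hello(1, 0x0303, [0x3A3A] + SUITES, [0x4A4A] + EXTS)  # same client, other GREASE
CH_C = build_hello(1, 0x0303, SUITES[::-1], EXTS)                  # same suites, other order
SH = build_hello(2, 0x0303, [0x1301], [43, 51])
CERT = b"placeholder bytes standing in for a DER certificate"

if __name__ == "__main__":
    print("handshake feature  :", handshake_feature(CH_A, SH))
    print("certificate feature:", certificate_feature(CERT))
```

Because the suite and extension order is part of the digest, two clients offering the same suites in a different order get different handshake features, while GREASE differences between connections of one client do not change the feature.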
Optionally, as shown in fig. 6, after step S300 the method further includes a step S400 of extracting and matching flow features, where step S400 specifically includes:
S410: extracting flow features from the data flow of the encrypted traffic to be detected.
Specifically, the flow features reveal some characteristics of the application that produced the encrypted traffic and help infer the application's function in order to locate its category.
S420: and matching the flow characteristics with a preset flow characteristic comparison library, wherein the flow characteristic comparison library is an application characteristic comparison library consisting of application information of a plurality of existing application software and corresponding flow characteristics.
Specifically, the flow characteristic comparison library is composed of application information of a plurality of existing application software and corresponding flow characteristics, and the application information of the network flow to be detected is obtained by matching the flow characteristic comparison library.
The method for identifying the application of the encrypted traffic in this embodiment specifically aims at the flow characteristics of the encrypted traffic to be detected, and can obtain some characteristics of the source application of the encrypted traffic from the flow characteristics, and assist in predicting the application function to locate the category, so that the application corresponding to the encrypted traffic can be accurately and efficiently identified mainly by using the handshake characteristics and the certificate characteristics and by using the flow characteristics as the assistance.
The application identification method for encrypted traffic in this embodiment can already realize application detection when only handshake and certificate are detected, but can further improve the identification accuracy after adding the flow characteristics.
The matching in the encrypted traffic application identification method of this embodiment relies mainly on handshake feature matching and certificate feature matching, assisted by flow feature matching, so that the application corresponding to the encrypted traffic can be identified accurately and efficiently. A hit on the handshake certificate pair gives the name of the corresponding application, and a hit on the flow features gives the application purpose; if the application purpose so determined is consistent with the determined application category, the application identification is successful.
Optionally, as shown in fig. 7, step S410 includes:
S411: extracting flow information from the data flow of the encrypted traffic to be detected, wherein the flow information comprises whether a DNS request exists, the DNS request content, whether the DNS request succeeded, the number of flows, the mean flow interval, the flow interval variance, the average number of packets per flow, and the proportion of uplink and downlink packets.
S412: the extracted flow information is abstracted into flow features.
Specifically, a feature set containing various kinds of flow information is extracted from the data flow of the encrypted flow, and flow features of different models are abstracted according to the extracted features.
By spelling out the flow feature extraction process for the encrypted traffic to be detected, and in particular the items of flow information extracted, the application identification method of this embodiment is more specific and accurate.
Optionally, as shown in fig. 8, step S420 includes:
S421: extracting flow feature content from the data flows of the encrypted traffic of existing application software, and abstracting the extracted feature content into flow features, wherein the flow features comprise download flow features, upload flow features and heartbeat flow features.
S422: a flow feature comparison library is created which is composed of application information of a plurality of existing software and flow features of corresponding categories.
S423: matching the flow features of the encrypted traffic to be detected against the flow feature comparison library.
Specifically, a large number of known flows are extracted and abstracted into flow models, which serve as the flow features during recognition. The flow features are classified by function into categories such as download, upload and heartbeat, and a flow feature library is created from a large number of classified flow features.
By spelling out the flow feature matching process and the creation of the flow feature comparison library, the application identification method of this embodiment is more specific and accurate.
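An added sketch of steps S411 to S423 (not code from the patent): it computes the listed flow information from constructed flow records, abstracts it into a download, upload or heartbeat feature, and looks that feature up in a small comparison library. The record layout, the thresholds in `flow_feature`, the uplink share as the expression of the packet proportion, and all application names are assumptions made for the example.

```python
from dataclasses import dataclass
from statistics import mean, pvariance

@dataclass
class Flow:
    start: int          # flow start time in seconds
    up_packets: int     # client -> server packets
    down_packets: int   # server -> client packets

def flow_info(flows, dns_queries):
    """S411: collect the flow information items.
    dns_queries is a list of (queried name, succeeded) tuples."""
    starts = sorted(f.start for f in flows)
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    up = sum(f.up_packets for f in flows)
    down = sum(f.down_packets for f in flows)
    return {
        "has_dns": bool(dns_queries),
        "dns_names": sorted({name for name, _ in dns_queries}),
        "dns_success": any(ok for _, ok in dns_queries),
        "flow_count": len(flows),
        "interval_mean": mean(gaps) if gaps else 0.0,
        "interval_variance": pvariance(gaps) if gaps else 0.0,
        "avg_packets": (up + down) / len(flows) if flows else 0.0,
        "uplink_share": up / (up + down) if up + down else 0.0,
    }

def flow_feature(info):
    """S412: abstract the flow information into a coarse category.
    The thresholds are illustrative assumptions, not values from the page."""
    if info["flow_count"] == 0:
        return "unknown"
    regular = (info["flow_count"] >= 3 and info["interval_mean"] > 0
               and info["interval_variance"] <= 0.05 * info["interval_mean"] ** 2)
    if regular and info["avg_packets"] <= 10:
        return "heartbeat"      # small flows at near-constant intervals
    if info["uplink_share"] >= 0.6:
        return "upload"
    if info["uplink_share"] <= 0.4:
        return "download"
    return "unknown"

def match_flow(library, feature):
    """S423: applications whose recorded flow categories include this feature."""
    return sorted(app for app, categories in library.items() if feature in categories)

# Constructed sample data (hypothetical applications, not measurements).
FLOW_LIBRARY = {
    "ExampleSync": {"upload", "download", "heartbeat"},
    "ExampleChat": {"heartbeat"},
    "ExampleUpdater": {"download"},
}
HEARTBEAT_FLOWS = [Flow(t, 2, 2) for t in (0, 30, 60, 90)]
DOWNLOAD_FLOWS = [Flow(0, 20, 400), Flow(1, 30, 500), Flow(5, 50, 1000)]

if __name__ == "__main__":
    for flows in (HEARTBEAT_FLOWS, DOWNLOAD_FLOWS):
        feature = flow_feature(flow_info(flows, [("sync.example.test", True)]))
        print(feature, match_flow(FLOW_LIBRARY, feature))
```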
Optionally, as shown in fig. 9, the process of creating the handshake certificate comparison library preset in step S310 includes:
S311: extracting application information from the encrypted traffic of existing application software.
Specifically, the existing application software is used to generate encrypted communication traffic, and information such as application name, application purpose, security, collision performance, certificate relation and the like of the encrypted communication traffic is recorded.
S312: handshake features are extracted from handshake information of encrypted traffic of existing application software.
Specifically, handshake features in the existing application encryption traffic are extracted.
S313: acquiring the certificate features of the existing application software from existing certificate libraries.
Specifically, a large number of certificate fingerprints can be obtained from knowledge bases such as the Black Cert Set (black certificate repository), the Alexa Public Cert Set (Alexa ranking certificate repository), the IP Query Website Set (IP query site certificate repository), the Shared Domain Set (shared domain name certificate repository), the Authority Root CA Set (authoritative root certificate repository), Google Certificate Transparency, and the like, and these certificate fingerprints are used as the certificate features of the existing applications.
S314: forming corresponding handshake certificate pairs from the handshake features and certificate features extracted from the encrypted traffic of the same application software, and creating a handshake certificate comparison library consisting of the application information of a plurality of existing application software and the corresponding handshake certificate pairs.
Specifically, the handshake features and certificate features extracted from encrypted traffic generated by the same application form handshake certificate pairs in a corresponding relationship. These steps are repeated to create a handshake certificate comparison library consisting of a plurality of handshake certificate pairs and application information; the library includes the application names, purposes, security, collision, certificate relationships, handshake certificate pairs and other information of a plurality of applications.
By dividing the creation of the handshake certificate comparison library into specific steps, the application identification method of this embodiment is more specific and accurate.
Optionally, as shown in fig. 10, the process of creating the handshake feature comparison library and the certificate feature comparison library preset in step S340 includes:
S341: extracting application information from the encrypted traffic of existing application software.
Specifically, the existing application software is used to generate encrypted communication traffic, and information such as application name, application purpose, security, collision performance, certificate relation and the like of the encrypted communication traffic is recorded.
S342: handshake features are extracted from handshake information of encrypted traffic of existing application software.
Specifically, handshake features in the existing application encryption traffic are extracted.
S343: acquiring the certificate features of the existing application software from existing certificate libraries.
Specifically, a large number of certificate fingerprints can be obtained from knowledge bases such as the Black Cert Set (black certificate repository), the Alexa Public Cert Set (Alexa ranking certificate repository), the IP Query Website Set (IP query site certificate repository), the Shared Domain Set (shared domain name certificate repository), the Authority Root CA Set (authoritative root certificate repository), Google Certificate Transparency, and the like, and these certificate fingerprints are used as the certificate features of the existing applications.
S344: creating a handshake feature comparison library consisting of the application information of a plurality of existing application software and the corresponding handshake features, and creating a certificate feature comparison library consisting of the application information of a plurality of existing application software and the corresponding certificate features.
Specifically, these steps are repeated to create a handshake feature comparison library consisting of a plurality of handshake features and application information, which includes the application names, purposes, security, collision, certificate relationships, handshake features and other information of a plurality of applications, and to create a certificate feature comparison library consisting of a large number of certificate features and application information, which includes the application names, purposes, security, collision, certificate relationships, certificate features and other information of a plurality of applications.
By dividing the creation of the handshake feature comparison library and the certificate feature comparison library into specific steps, the application identification method of this embodiment is more specific and accurate.
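An added sketch (not code from the patent) that ties together the library creation steps S311 to S314 and S341 to S344 with the sequential matching order and credibility ranking described earlier: pair library first, then the handshake feature library, then the certificate feature library, with the page's outcome rule that a handshake miss in the fallback stage is a failure. Feature strings, application names and the choice to intersect candidates when both fallback libraries hit are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass(frozen=True)
class AppInfo:
    name: str
    purpose: str

@dataclass
class Libraries:
    pairs: dict = field(default_factory=lambda: defaultdict(set))       # (handshake, cert) -> apps
    handshakes: dict = field(default_factory=lambda: defaultdict(set))  # handshake -> apps
    certs: dict = field(default_factory=lambda: defaultdict(set))       # cert -> apps

def build_libraries(traffic_samples, repository_certs=()):
    """traffic_samples: (AppInfo, handshake feature, certificate feature) taken from
    traffic generated with known software; repository_certs: (AppInfo, certificate
    feature) taken from existing certificate repositories."""
    libs = Libraries()
    for app, handshake, cert in traffic_samples:
        libs.pairs[(handshake, cert)].add(app)
        libs.handshakes[handshake].add(app)
        libs.certs[cert].add(app)
    for app, cert in repository_certs:
        libs.certs[cert].add(app)
    return libs

def _result(matched, tier, apps):
    return {"matched": matched, "tier": tier, "apps": sorted(a.name for a in apps)}

def identify(libs, handshake, cert):
    """Match in order of credibility: pair > handshake feature > certificate feature."""
    apps = libs.pairs.get((handshake, cert))
    if apps:
        return _result(True, "handshake-certificate pair", apps)
    by_handshake = libs.handshakes.get(handshake, set())
    if not by_handshake:
        # Handshake miss: failure, even if the certificate alone is known.
        return _result(False, None, set())
    by_cert = libs.certs.get(cert, set())
    if by_cert:
        # Assumption: use the certificate hit to narrow colliding handshake
        # candidates; if the two disagree, keep the more credible handshake set.
        return _result(True, "handshake + certificate", (by_handshake & by_cert) or by_handshake)
    return _result(True, "handshake only", by_handshake)

# Constructed sample data (hypothetical applications and feature values).
BROWSER = AppInfo("ExampleBrowser", "web browsing")
SYNC = AppInfo("ExampleSync", "file synchronisation")
UPDATER = AppInfo("ExampleUpdater", "software update")
SAMPLES = [
    (BROWSER, "hs-1", "cert-1"),
    (SYNC, "hs-2", "cert-2"),
    (UPDATER, "hs-2", "cert-3"),   # handshake collision: same TLS stack as ExampleSync
]
REPOSITORY_CERTS = [(SYNC, "cert-4")]  # certificate never seen during traffic collection

if __name__ == "__main__":
    libs = build_libraries(SAMPLES, REPOSITORY_CERTS)
    for query in [("hs-1", "cert-1"), ("hs-2", "cert-4"), ("hs-2", "cert-9"), ("hs-9", "cert-1")]:
        print(query, identify(libs, *query))
```

The `("hs-2", "cert-4")` query is the case the description singles out: the pair library is incomplete because one handshake feature fronts many certificates, so identification falls through to the two separate libraries.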
An embodiment of the present invention further provides an application identification system for encrypted traffic, as shown in fig. 11, including:
an extraction module 10, configured to extract handshake features and certificate features from the encrypted traffic to be detected; and
a matching module 20, configured to match the handshake features and the certificate features against a preset application feature comparison library and, when the matching succeeds, identify the application information of the encrypted traffic to be detected to obtain its application category.
The application feature comparison library is built in advance from a plurality of existing application software and establishes the correspondence among application information, handshake features and certificate features.
Optionally, the matching module 20 includes a handshake certificate matching submodule, configured to match the handshake feature and the certificate feature, as a handshake certificate pair, against a preset handshake certificate comparison library: if the handshake certificate pair matches the handshake certificate comparison library, the matching succeeds; if the handshake certificate pair does not match the handshake certificate comparison library, the matching fails.
Optionally, the matching module 20 further comprises:
a handshake feature matching submodule, configured to match the handshake feature against a preset handshake feature comparison library; and
a certificate feature matching submodule, configured to match the certificate feature against a preset certificate feature comparison library.
If the handshake feature matches the handshake feature comparison library and the certificate feature matches the certificate feature comparison library, the matching succeeds; if the handshake feature matches the handshake feature comparison library but the certificate feature does not match the certificate feature comparison library, the matching succeeds; if the handshake feature does not match the handshake feature comparison library, the matching fails.
Specifically, the extraction module 10 includes:
a handshake feature extraction submodule, configured to extract a handshake feature set from the handshake information of the encrypted traffic to be detected, compute a digest of the handshake feature set, and calculate a hash value from the digest to obtain the handshake feature; and
a certificate feature extraction submodule, configured to extract a certificate feature from the certificate of the encrypted traffic to be detected, the certificate feature being a hash value calculated from all certificate information in the certificate.
Specifically, the handshake feature extraction submodule includes:
a handshake information extraction unit, configured to extract a handshake feature set from the handshake information of the encrypted traffic to be detected, wherein the handshake feature set covers the client handshake and the server handshake, and the feature content comprises the protocol versions, encryption suite types, encryption suite order, number of encryption suites, extension item types and extension item order of the client handshake and the server handshake; and
a handshake information calculation unit, configured to compute a digest of the handshake feature set and calculate a hash value to obtain the handshake feature.
Specifically, the extraction module 10 further includes a flow feature extraction submodule, configured to extract flow features from the data flow of the encrypted traffic to be detected.
The matching module 20 further comprises a flow feature matching submodule, configured to match the flow features against a preset flow feature comparison library, wherein the flow feature comparison library is an application feature comparison library consisting of the application information of a plurality of existing application software and the corresponding flow features.
Specifically, the flow feature extraction submodule includes:
a flow information extraction unit, configured to extract flow information from the data flow of the encrypted traffic to be detected, wherein the flow information comprises the DNS request, the DNS request content, whether the DNS request succeeded, the number of flows, the mean flow interval, the flow interval variance, the average number of packets per flow, and the proportion of uplink and downlink packets; and
a flow feature extraction unit, configured to abstract the extracted flow information into flow features.
Specifically, the flow feature matching submodule includes:
an existing flow information extraction unit, configured to extract flow feature content from the data flows of the encrypted traffic of existing application software and abstract the extracted feature content into flow features, wherein the flow features comprise download flow features, upload flow features and heartbeat flow features;
a flow feature comparison library creating unit, configured to create a flow feature comparison library consisting of the application information of a plurality of existing software and the flow features of the corresponding categories; and
a flow feature matching unit, configured to match the flow features of the encrypted traffic to be detected against the flow feature comparison library to obtain the application flow feature identification result of the encrypted traffic to be detected and obtain its application category.
Specifically, the matching module 20 further includes a handshake certificate comparison library creating submodule, which specifically includes:
an application information extraction unit, configured to extract application information from the encrypted traffic of existing application software;
a handshake feature extraction unit, configured to extract handshake features from the handshake information of the encrypted traffic of the existing application software;
a certificate feature extraction unit, configured to acquire the certificate features of the existing application software from existing certificate libraries; and
a handshake certificate comparison library creating unit, configured to form corresponding handshake certificate pairs from the handshake features and certificate features extracted from the encrypted traffic of the same application software, and to create a handshake certificate comparison library consisting of the application information of a plurality of existing application software and the corresponding handshake certificate pairs.
Specifically, the matching module 20 further includes a handshake and certificate comparison library creating submodule, which specifically includes:
an application extraction unit, configured to extract application information from the encrypted traffic of existing application software;
a handshake extraction unit, configured to extract handshake features from the handshake information of the encrypted traffic of the existing application software;
a certificate extraction unit, configured to acquire the certificate features of the existing application software from existing certificate libraries; and
a comparison library creating unit, configured to create a handshake feature comparison library consisting of the application information of a plurality of existing application software and the corresponding handshake features, and to create a certificate feature comparison library consisting of the application information of a plurality of existing application software and the corresponding certificate features.
The application identification system for encrypted traffic of this embodiment is configured to implement the foregoing application identification method for encrypted traffic, and thus specific implementations in the application identification system may refer to the foregoing embodiments of the application identification method, for example, the extraction module 10 and the matching module 20 are respectively configured to implement steps S100, S300, and S500 in the application identification method, so that the specific implementations may refer to descriptions of corresponding embodiments of each part, and are not described herein again.
The system provided by this application can automatically identify the application source of encrypted traffic, thereby helping the user identify the application behind encrypted traffic, and can greatly improve the efficiency and accuracy of encrypted traffic analysis and malicious traffic identification.
An embodiment of the present invention further provides a computer device, including a memory 1 and a processor 2, as shown in fig. 12, where the memory stores a computer program, and the processor implements the method for identifying an application of encrypted traffic according to any one of the above descriptions when executing the computer program.
The memory 1 includes at least one type of readable storage medium, which includes a flash memory, a hard disk, a multimedia card, a card type memory (e.g., SD or DX memory, etc.), a magnetic memory, a magnetic disk, an optical disk, and the like. In some embodiments the memory 1 may be an internal storage unit of the application identification device for encrypted traffic, e.g. a hard disk. In other embodiments the memory 1 may be an external storage device of the application identification system for encrypted traffic, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card, a flash memory card (Flash Card), and the like. Further, the memory 1 may include both an internal storage unit and an external storage device of the application identification system for encrypted traffic. The memory 1 may be used not only to store the application software installed in the application identification system for encrypted traffic and various types of data, such as the code of the application identification program for encrypted traffic, but also to temporarily store data that has been output or is to be output.
In some embodiments the processor 2 may be a Central Processing Unit (CPU), controller, microcontroller, microprocessor or other data processing chip, and is used to run program code stored in the memory 1 or to process data, for example to execute the application identification program for encrypted traffic.
The computer equipment provided by the application can automatically identify the application source of the encrypted flow, so that a user is helped to identify the application of the encrypted flow, and the efficiency and accuracy of encrypted flow analysis and malicious flow identification can be greatly improved.
An embodiment of the present invention further provides a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the method for identifying an application of encrypted traffic according to any of the foregoing embodiments is implemented.
The application identification system for encrypted traffic, the computer device and the computer-readable storage medium provided by the application correspond to the method. It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the system, the device and the computer-readable storage medium described above may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
The application identification method, system and device for encrypted traffic provided by the invention identify the application category of the encrypted traffic to be detected by matching its handshake features and certificate features against the preset flow characteristic comparison library. Handshake features are strongly tied to the software but can collide; certificate features are strongly tied to the target and their legitimacy can be verified, but the source of the traffic cannot be confirmed from the certificate alone. Combining the handshake features with the certificate therefore allows the application category corresponding to the encrypted traffic to be identified accurately and efficiently. In addition, because the scheme identifies the application category of traffic by matching traffic features against comparison libraries, it can identify the application of encrypted traffic without relying on the domain name features of the network traffic, which makes it more practical and gives high identification accuracy.
The invention provides a method, a system and a device for identifying the application of encrypted traffic, whose main technical scheme is as follows:
Identification target: encrypted traffic that communicates using an encrypted communication protocol such as SSL or TLS.
Input: PCAP files and real-time traffic containing encrypted communication content.
Output: an application category.
SSL refers to the Secure Sockets Layer protocol, TLS refers to the Transport Layer Security protocol, and PCAP refers to a storage format for network traffic data packets.
The key innovation point of the method, the system and the equipment for identifying the application of the encrypted flow is that the method for identifying the application of the encrypted flow is improved, handshake characteristics and certificate characteristics generated by different applications are different, the application type of the encrypted flow to be detected is identified by matching the handshake characteristics and the certificate fingerprint of the encrypted flow with a preset application characteristic comparison library, and the application identification accuracy is higher.
The embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same or similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The method, system and device for identifying the application of encrypted traffic provided by the present invention are described in detail above. The principles and embodiments of the present invention are explained herein using specific examples, which are presented only to assist in understanding the method and its core concepts. It should be noted that, for those skilled in the art, it is possible to make various improvements and modifications to the present invention without departing from the principle of the present invention, and those improvements and modifications also fall within the scope of the claims of the present invention.

Claims (13)

1. An application identification method for encrypted traffic, comprising:
extracting handshake characteristics and certificate characteristics in encrypted traffic to be detected;
matching the handshake characteristics and the certificate characteristics with a preset application characteristic comparison library;
if the matching succeeds, identifying the application information of the encrypted traffic to be detected to obtain the application category of the encrypted traffic to be detected;
the application feature comparison library is an application feature comparison library which is obtained by extracting a plurality of existing application software in advance and establishes the corresponding relation among application information, handshake features and certificate features.
2. The method for identifying an application of encrypted traffic according to claim 1, wherein the matching the handshake characteristics and the certificate characteristics with a preset application characteristic comparison library comprises:
taking the handshake characteristics and the certificate characteristics as handshake certificate pairs to be matched with a preset handshake certificate comparison library;
if the handshake certificate pair matches the handshake certificate comparison library, the matching succeeds;
and if the handshake certificate pair does not match the handshake certificate comparison library, the matching fails.
3. The method for identifying an application of encrypted traffic according to claim 2, wherein after the matching fails because the handshake certificate pair does not match the handshake certificate comparison library, the method further comprises:
matching the handshake features against a preset handshake feature comparison library, and matching the certificate features against a preset certificate feature comparison library;
if the handshake features match the handshake feature comparison library and the certificate features match the certificate feature comparison library, the matching succeeds;
if the handshake features match the handshake feature comparison library but the certificate features do not match the certificate feature comparison library, the matching succeeds;
and if the handshake features do not match the handshake feature comparison library, the matching fails.
4. The method for identifying an application of encrypted traffic according to claim 1, wherein extracting the handshake features in the encrypted traffic to be detected comprises:
extracting a handshake feature set from the handshake information of the encrypted traffic to be detected, extracting a digest of the handshake feature set, and calculating a hash value from the digest to obtain the handshake features.
5. The method for identifying an application of encrypted traffic according to claim 4, wherein extracting a handshake feature set from the handshake information of the encrypted traffic to be detected, extracting a digest of the handshake feature set, and calculating a hash value from the digest to obtain the handshake features comprises:
extracting a handshake feature set from the handshake information of the encrypted traffic to be detected, wherein the handshake feature set covers the client handshake and the server handshake, and the feature content comprises the protocol versions of the client handshake and the server handshake, cipher suite types, cipher suite order, cipher suite count, extension types and extension order;
and extracting a digest of the handshake feature set and calculating a hash value to obtain the handshake features.
6. The method for identifying an application of encrypted traffic according to claim 1, wherein extracting the certificate features in the encrypted traffic to be detected comprises:
extracting certificate features from the certificate of the encrypted traffic to be detected, wherein the certificate features are a hash value calculated over all certificate information in the certificate.
7. The method for identifying an application of encrypted traffic according to claim 1, wherein the step of matching the handshake features and the certificate features with a preset application feature comparison library further comprises:
extracting flow features from a data flow of the encrypted traffic to be detected;
matching the flow features against a preset flow feature comparison library;
wherein the flow feature comparison library is an application feature comparison library composed of application information of a plurality of existing application software and the corresponding flow features.
8. The method for identifying an application of encrypted traffic according to claim 7, wherein extracting flow features from the data flow of the encrypted traffic to be detected comprises:
extracting flow information from a data flow of the encrypted traffic to be detected, wherein the flow information comprises whether a DNS request exists, the DNS request content, whether the DNS request succeeded, the number of flows, the mean flow interval, the flow interval variance, the average number of packets per flow, and the proportion of uplink and downlink packets in the flow;
and abstracting the extracted flow information into flow features.
9. The method for identifying an application of encrypted traffic according to claim 7, wherein matching the flow features with a preset flow feature comparison library comprises:
extracting flow feature content from a data flow of the encrypted traffic of existing application software, and abstracting the extracted feature content into flow features, wherein the flow features comprise download flow features, upload flow features and heartbeat flow features;
creating a flow feature comparison library consisting of application information of a plurality of existing software and flow features of the corresponding categories;
and matching the flow features of the encrypted traffic to be detected against the flow feature comparison library.
10. The method for identifying an application of encrypted traffic according to claim 2, wherein the process of creating the handshake certificate comparison library comprises:
extracting application information from encrypted traffic of existing application software;
extracting handshake features from the handshake information of the encrypted traffic of the existing application software;
acquiring certificate features of the existing application software from an existing certificate library;
and forming handshake certificate pairs from the handshake features and the certificate features extracted from the encrypted traffic of the same application software, and creating a handshake certificate comparison library consisting of the application information of a plurality of existing application software and the corresponding handshake certificate pairs.
11. The method for identifying an application of encrypted traffic according to claim 3, wherein the process of creating the handshake feature comparison library and the certificate feature comparison library comprises:
extracting application information from encrypted traffic of existing application software;
extracting handshake features from the handshake information of the encrypted traffic of the existing application software;
acquiring certificate features of the existing application software from an existing certificate library;
and creating a handshake feature comparison library consisting of application information of a plurality of existing application software and the corresponding handshake features, and creating a certificate feature comparison library consisting of application information of a plurality of existing application software and the corresponding certificate features.
12. An application identification system for encrypted traffic, comprising:
an extraction module for extracting handshake features and certificate features in the encrypted traffic to be detected;
a matching module for matching the handshake features and the certificate features with a preset application feature comparison library and, when the matching succeeds, identifying the application information of the encrypted traffic to be detected and obtaining the application category of the encrypted traffic to be detected;
wherein the application feature comparison library is built in advance by extracting features from a plurality of existing application software, and establishes the correspondence among application information, handshake features and certificate features.
13. A computer device comprising a memory and a processor, wherein the memory stores a computer program, and the processor implements the application identification method for encrypted traffic according to any one of claims 1 to 11 when executing the computer program.
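
The fingerprinting and matching cascade of claims 2 to 6, as an added Python example that is not part of the patent text. SHA-256, the comma/dash serialization of the feature set, the dictionary-based libraries and the application name `ExampleChat` are assumptions, and all handshake and certificate data are constructed.

```python
import hashlib

def _digest(hello):
    # Order-preserving summary: version, suite sequence, suite count, extension sequence.
    return ",".join([str(hello["version"]),
                     "-".join(map(str, hello["suites"])),
                     str(len(hello["suites"])),
                     "-".join(map(str, hello["extensions"]))])

def handshake_feature(client, server):
    """Claims 4-5: summarize client and server handshake, then hash the summary."""
    return hashlib.sha256((_digest(client) + "|" + _digest(server)).encode()).hexdigest()

def certificate_feature(cert_bytes):
    """Claim 6: hash computed over all certificate information."""
    return hashlib.sha256(cert_bytes).hexdigest()

def identify(hs, cert, pair_lib, hs_lib, cert_lib):
    """Claims 2-3: pair lookup first, then separate handshake/certificate lookups."""
    if (hs, cert) in pair_lib:
        return pair_lib[(hs, cert)], "pair"
    if hs not in hs_lib:
        return None, "fail"  # unknown handshake: matching fails
    # A handshake match succeeds with or without a certificate match. The claims
    # do not say which library wins on disagreement; this sketch reports the
    # application recorded for the handshake (assumption).
    level = "handshake+certificate" if cert in cert_lib else "handshake-only"
    return hs_lib[hs], level

# Constructed sample data: hypothetical app "ExampleChat", made-up hello contents.
CLIENT = {"version": 0x0303, "suites": [0x1301, 0xC02F, 0xC030], "extensions": [0, 10, 11, 13]}
SERVER = {"version": 0x0303, "suites": [0xC02F], "extensions": [0, 11]}
CERT = b"constructed-certificate-bytes-for-ExampleChat"

HS, CF = handshake_feature(CLIENT, SERVER), certificate_feature(CERT)
PAIR_LIB = {(HS, CF): "ExampleChat"}   # claim 10 library
HS_LIB = {HS: "ExampleChat"}           # claim 11 libraries
CERT_LIB = {CF: "ExampleChat"}

def demo():
    rotated = certificate_feature(b"constructed-renewed-certificate")
    reordered = dict(CLIENT, suites=[0xC02F, 0x1301, 0xC030])  # same suites, new order
    return {
        "known": identify(HS, CF, PAIR_LIB, HS_LIB, CERT_LIB),
        "rotated_cert": identify(HS, rotated, PAIR_LIB, HS_LIB, CERT_LIB),
        "reordered": identify(handshake_feature(reordered, SERVER), CF,
                              PAIR_LIB, HS_LIB, CERT_LIB),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The fallback of claim 3 keeps a known application identifiable after its certificate is renewed, while a change in cipher suite order produces a different handshake hash and therefore needs its own library entry.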
CN201911045309.1A 2019-10-30 2019-10-30 Application identification method, system and equipment for encrypted traffic Active CN112751802B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911045309.1A CN112751802B (en) 2019-10-30 2019-10-30 Application identification method, system and equipment for encrypted traffic

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911045309.1A CN112751802B (en) 2019-10-30 2019-10-30 Application identification method, system and equipment for encrypted traffic

Publications (2)

Publication Number Publication Date
CN112751802A true CN112751802A (en) 2021-05-04
CN112751802B CN112751802B (en) 2023-04-18

Family

ID=75640590

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911045309.1A Active CN112751802B (en) 2019-10-30 2019-10-30 Application identification method, system and equipment for encrypted traffic

Country Status (1)

Country Link
CN (1) CN112751802B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7778194B1 (en) * 2004-08-13 2010-08-17 Packeteer, Inc. Examination of connection handshake to enhance classification of encrypted network traffic
CN105871832A (en) * 2016-03-29 2016-08-17 北京理工大学 Network application encrypted traffic recognition method and device based on protocol attributes
CN106209775A (en) * 2016-06-24 2016-12-07 深圳信息职业技术学院 The application type recognition methods of a kind of SSL encryption network flow and device
CN109802924A (en) * 2017-11-17 2019-05-24 华为技术有限公司 A kind of method and device identifying encrypting traffic
US20190190961A1 (en) * 2017-12-20 2019-06-20 Cisco Technology, Inc. Semi-active probing framework to gather threat intelligence for encrypted traffic and learn about devices

Also Published As

Publication number Publication date
CN112751802B (en) 2023-04-18

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant