CN116723238B - API encrypted flow collection and labeling method based on man-in-the-middle agent - Google Patents
API encrypted flow collection and labeling method based on man-in-the-middle agentInfo
- Publication number
- CN116723238B CN116723238B CN202310769946.3A CN202310769946A CN116723238B CN 116723238 B CN116723238 B CN 116723238B CN 202310769946 A CN202310769946 A CN 202310769946A CN 116723238 B CN116723238 B CN 116723238B
- Authority
- CN
- China
- Prior art keywords
- api
- traffic
- application
- request
- network access
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/50—Network services
- H04L67/56—Provisioning of proxy services
- H04L67/565—Conversion or adaptation of application format or content
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer And Data Communications (AREA)
Abstract
本发明公开了一种基于中间人代理的API加密流量采集与标注方法,属于网络流量数据采集技术领域。本发明采用中间人代理客户端检测应用终端的应用的所有网络访问请求,对所关注的流量进行解析,提取其中的url链接,参数等信息形成API接口文档;利用目标应用进程,目标应用进程号以及API流量源端口三者之间的映射实现加密网络流与具体应用的匹配,从而达到对API加密流量标注的目的,并生成对应的日志文档。本发明基于客户端‑服务器模式提高了流量采集与标注的效率和扩展性,不仅能实现分布式的结构,还能收集大规模的应用API加密流量和对应的密钥。本发明能够自动化完成多种用户API请求参数模拟,定向生成和采集API请求流量。
The present invention discloses a method for collecting and labeling API encrypted traffic based on a middleman proxy, which belongs to the technical field of network traffic data collection. The present invention adopts a middleman proxy client to detect all network access requests of applications of application terminals, parses the traffic of interest, extracts the URL links, parameters and other information therein to form an API interface document; and utilizes the mapping between the target application process, the target application process number and the API traffic source port to achieve the matching of the encrypted network flow with the specific application, thereby achieving the purpose of labeling the API encrypted traffic and generating the corresponding log document. The present invention improves the efficiency and scalability of traffic collection and labeling based on the client-server model, which can not only realize a distributed structure, but also collect large-scale application API encrypted traffic and corresponding keys. The present invention can automatically complete the simulation of multiple user API request parameters, and directionally generate and collect API request traffic.
Description
Technical Field
The invention belongs to the technical field of network traffic data acquisition, and particularly relates to an API encrypted traffic acquisition and labeling method based on an intermediary agent.
Background
With the rapid development of the internet, various applications occupy people's lives, including web applications, mobile applications, and PC applications. People use these applications to browse web pages to obtain knowledge, shop online, chat with friends, etc. But with this, there is raised a safety concern as to whether or not privacy of user access, etc., can be obtained through a study of traffic, particularly traffic between the target application and the server API (Application Program Interface). Although most of applications encrypt traffic at present, the encrypted traffic cannot completely cover the user behavior characteristics behind the traffic, the traffic characteristics of the applications, and the like, but to develop analysis and research on the traffic of an application network, firstly, how to collect application API encrypted traffic data on a large scale and make targeted labeling on the application API encrypted traffic data is faced, so that the API encrypted traffic collection and labeling system can well meet the requirements.
The existing mainstream application flow collection means is passive flow collection, and most of passive flow collection uses backbone network nodes of network service providers or other network interfaces belonging to specific organization teams for providing network access services to the public. By being able to capture web traffic data on a large scale at these critical network nodes, but not providing specific information about the traffic, particularly which API interface the traffic originates from, the assistance provided for traffic research is limited.
The existing mainstream application flow labeling means is mainly implemented by using a DPI (DEEP PACKET Inspection) technology, that is, an existing DPI tool is used for analyzing the acquired data packet, and fields with obvious classification features are obtained to classify the flow. However, such methods mainly aim at unencrypted HTTP traffic, and have poor effect on HTTPs traffic using encryption algorithms, because encrypted packets cannot be parsed. Meanwhile, such methods are difficult to achieve complete accuracy and even completely inapplicable to unfamiliar traffic of unknown web application types.
The existing acquisition technology mainly carries out large-scale acquisition on backbone network nodes, cannot refine influence factors of flow data so as to realize self-defined environment parameters, the acquired flow data is generally interfered by unknown request parameter influence factors, the statistical distribution of the flow data is single or fluctuation is obvious, and the later research work is seriously influenced, so that the traditional technology is not suitable for marking HTTPS flow any more.
Disclosure of Invention
The invention aims to provide an API encrypted flow collection and labeling method based on an intermediate agent, which aims to solve the technical problems that the conventional flow collection and labeling method cannot provide specific parameter information or incomplete information of encrypted API flow, so that encrypted flow labeling is inaccurate and the application range is small.
In order to achieve the above purpose, the invention adopts the following technical scheme:
an API encrypted flow collection and labeling method based on an intermediate agent comprises the following steps in a system comprising a cloud server and an application terminal provided with an intermediate agent client, wherein the system comprises the following steps:
The method comprises the steps that a man-in-the-middle agent client detects and intercepts a network access request (adopting real parameters of a user) sent by an application program of an application terminal to an application server (such as a web server), analyzes the network access request to generate a corresponding API interface document, wherein the API interface document comprises network request links and request parameters of different APIs of a target application server;
The cloud server generates a corresponding script code for each API interface document, randomly selects parameters from an interface parameter dictionary and replaces the parameters of each API interface document, generates a simulation network access request and sends the simulation network access request to the application server, namely the cloud server generates communication flow of a corresponding API according to the API interface document and the parameter dictionary, when sending the simulation network access request to the application server, the cloud server collects encrypted communication flow and a communication private key generated by the same API interface, generates a flow log file for flow marking when collecting the encrypted communication flow, and records the collected communication private key for decrypting the encrypted communication flow.
Further, the request parameters in the API interface document comprise an encryption algorithm and key information used by each handshake.
Further, the application program of the application terminal contains user preference settings and cookie caching (data stored on the user's local terminal for session tracking in order to discern the user's identity) and is able to access different web applications.
Further, the man-in-the-middle agent client analyzes the network access request and generates a corresponding API interface document and stores the API interface document specifically including:
Screening and filtering the traffic protocol types in the network access request, and reserving http and https protocol traffic;
Analyzing the network data packet of the network access request according to the corresponding protocol format, extracting url links and parameter fields in the network data packet, and storing the url links and the parameter fields in an xml file format.
Further, the broker client obtains a process corresponding to the current application program by reading a Process ID (PID) in an operating system of the application terminal, and obtains a flow corresponding to the current application program by a process source port number. The invention maps the PID to a specific system application through a packet management application program interface of an operating system to obtain the mapping relation between the flow and the application. Namely, the labeling mode is a fine-grained corresponding relation from the application, the process and the source port to the API traffic.
Further, the man-in-the-middle agent client comprises an API request positioning and intercepting module, an API request forwarding module and an API request parameter recording module;
The API request positioning and intercepting module is used for detecting and intercepting a network access request sent by an application program to the application page server, analyzing the network access request and generating a corresponding API interface document;
The API request forwarding module is used for generating a simulated network access request, establishing connection and communication between the simulated application program and the application server, and sending the content returned by the webpage server to the corresponding application program;
the API request parameter recording module is used for recording the communication log file and the API interface document.
Further, the cloud server is deployed at a physical network position capable of establishing stable connection with the application server, and comprises a packet transmitter and a flow collector;
The package sender is used for generating a corresponding script code for each API interface document, randomly selecting parameters from the interface parameter dictionary and replacing the parameters of each API interface document, generating a simulation network access request and sending the simulation network access request to the application server;
the traffic collector monitors and collects encrypted communication traffic and a communication private key generated by the same API interface based on a preset traffic capture tool (such as tcpdump).
Further, the generating, by the packet transmitter of the cloud server, a simulated network access request and sending the simulated network access request to the application server is specifically:
generating communication flow of corresponding API according to API interface document and preset parameter dictionary
Analyzing the API interface document, reading URL links and request parameters in the API interface document, loading a parameter dictionary on a cloud server, replacing related request parameters, generating corresponding python codes, executing the python codes to generate a simulation network access request, and sending the simulation network access request to an application server.
Further, the traffic collector stores the collected encrypted traffic according to the designated encrypted traffic.
Further, the flow storage format is a format in which an API request of a web application corresponds to a flow pcap record.
Furthermore, the flow collector marks the collected encrypted communication flow based on the API log document uploaded by the man-in-the-middle agent client in a manner of comparing url links. Because only the parameters are modified, the links are unchanged, so only url links are compared.
The technical scheme provided by the invention has at least the following beneficial effects:
(1) The invention can collect the complete and decryptable flow data set of the API request plaintext. The private key of encrypted communication between the application terminal (user side) and the application server side can be obtained by the mode of the intermediate proxy, the private key refers to the private key of the user side, the response message of the server can be decrypted, the intermediate proxy client monitors and intercepts the plaintext message from the application, and the network traffic safety research work is facilitated under the condition of simultaneously mastering the plaintext message and the encrypted message;
(2) The invention can customize the API requests simulating different parameters. An API interface document may be generated for the client application and the server, where the API interface document includes different API interface documents of the server, including the interface address and the request parameter, and then by continuously changing the request parameter, the encrypted traffic of the same interface under different devices and network environments is simulated to generate, and then the encrypted traffic is captured by using a traffic collection tool, where the change of the parameter is determined by a pre-stored parameter dictionary.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a block diagram of an API encrypted traffic collection and labeling system based on an intermediary agent provided by the invention;
FIG. 2 is a flowchart of the method for collecting and labeling API encrypted traffic based on an intermediary agent provided by the invention;
fig. 3 is a functional block diagram of a man-in-the-middle proxy client certificate replacement, acquisition, forwarding and recording request provided by the invention.
Wherein the reference numerals are annotated as follows:
1-PC, 2-man-in-the-middle agent client, 3-cloud server, 4-flow collector, 5-browser and 6-ladle distributor.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present invention more apparent, the embodiments of the present invention will be described in further detail with reference to the accompanying drawings.
The embodiment of the invention discloses an API encrypted flow collection and labeling method based on an intermediate agent. The method adopts an intermediate agent client to detect all network access requests of application of an application terminal (such as a PC computer), analyzes the concerned http/https flow, extracts url links, parameters and other information in the http/https flow to form an API interface document, and utilizes the mapping between a target application process, a target application process number (PID) and an API flow source port to realize the matching of TLS (secure transport layer protocol) encrypted network flow and a specific application, thereby achieving the aim of marking the API encrypted flow and generating a corresponding log document. The invention improves the efficiency and expansibility of flow collection and labeling based on the client-server mode, not only can realize a distributed structure, but also can collect the application API encrypted flow and the corresponding secret key, and realize the acquisition of the application and API-level flow classification labels on the basis of flow collection. The invention can automatically complete the simulation of various user API request parameters, directionally generate and acquire API request flow, and the storage of the encryption flow key can help to develop the exploration of the influence factors of the encryption flow, which is still blank in the field of encryption flow analysis at present.
As shown in fig. 1, the method for collecting and labeling API encrypted traffic based on an agent for man-in-the-middle according to the embodiments of the present invention is that a system including a cloud server and a PC computer with an agent client installed therein is heavy, and various applications (e.g., a browser) and counterfeit certificates replaced by the agent client are installed in the PC computer. The man-in-the-middle client uses session acquisition and certificate replacement to implement its functions. The session acquisition is to establish connection and communication between the simulation application software and a remote web server, and simultaneously simulate the web server to forward a message to a PC computer, and the man-in-the-middle proxy client simultaneously grasps the session key and certificate of the PC computer-the man-in-the-middle proxy client) and the session key and certificate of the man-in-the-middle proxy client-the web server, so that the encrypted traffic of the two parties can be decrypted and analyzed, and url links and parameters of the concerned http/https traffic can be extracted to form an API interface document. The man-in-the-middle proxy client aims to fool the PC computer into a connection with the web server and establish a connection through two sets of protocol certificates, i.e. if this signature does not match or comes from an untrusted party, the secure client of the third party will simply disconnect and refuse to continue.
Certificate replacement can thus be used to solve the above problem, requiring manual generation of a complete certificate, and adding the generated certificate to the trusted root certificate directory in order for the PC computer to trust the broker proxy server. The certificate (used for authenticating TLS protocol) is a mechanism used for verifying identity in an encrypted TLS protocol used by HTTPS, and is a file in digital signature form, and includes a public key of a certificate owner and certificate information of a third party. Certificates are classified into two types, self-signed certificates and CA certificates. Typically self-signed certificates cannot be used for identity authentication. The basic principle of CA certificate-based identity authentication between an application client and an application server in the key negotiation process of the TLS protocol is that the application client needs to trust the CA certificate of the application server (for example, the certificate is in a trusted certificate list of an operating system, or a user adds a public key and a private key of the CA into the trusted list in a mode of 'installing a root certificate' and the like) and then the CA signs (encrypts) an original certificate of the application server to generate a final certificate, and the application client decrypts by using the public key contained in the certificate after obtaining the final certificate to obtain the original certificate of the application server. Taking the encryption of RSA as an example, if decryption with the public key of the CA is successful, indicating that the certificate is indeed encrypted with the private key of the CA, the application server may be considered trusted.
In addition, the invention organizes in a distributed client-cloud server mode, monitors network traffic of PC equipment application, analyzes http/https traffic concerned in the network traffic, extracts API interface documents, uploads the API interface documents to a server for traffic replay, and achieves the purposes of acquiring traffic classification label data of application and API interface granularity level on the basis of traffic acquisition.
As a possible implementation manner, the method for acquiring and labeling the API encrypted traffic based on the broker according to the embodiment of the present invention is that in a system including a PC computer 1 and a cloud server 3, the PC computer is installed with a browser 5 and a broker client 2, the browser 5 includes a user preference setting and a cookie cache and can access different web applications, the broker client 2 includes an API request positioning interception module, an API request forwarding module and an API request parameter recording module (i.e. an API request parameter recording device in fig. 3), as shown in fig. 3, the API request positioning interception module intercepts a request sent to a web server by the browser (the detected network request uses parameters of a real user), and then the API request forwarding module simulates the communication between the browser and the web server, and resends the content returned by the web server to the browser, while the API request parameter recording device records the request parameters. The method comprises the steps that a man-in-middle agent client 2 replaces a man-in-middle CA certificate at a PC 1 side, an API request positioning and intercepting module of the man-in-middle agent client 2 intercepts all network requests of a browser installed on the PC 1 for accessing web applications, an API request forwarding module replaces the PC 1 to communicate with a web server and forwards the network access requests of the PC 1, an API request parameter recording device records encryption algorithms and key information used by handshaking each time to decrypt and obtain the request data and the request parameters of the complete applications, the man-in-middle agent client 2 can obtain the request data and the request parameters of the complete applications, a cloud server 3 is deployed at a physical network position (shown in fig. 3) capable of establishing stable connection with the web server, the cloud server 3 comprises a packet sender 6 and a flow collector 4, wherein the packet sender 6 generates simulated user flow based on real user request data, a parameter dictionary and time delay recorded by the man-in-middle agent client 2, and the flow collector 4 uses flow capture tools such as tcpdump to collect the flow generated by the packet sender 6, meanwhile, the log files are generated to conveniently label the collected flow, and the collected flow can be encrypted, and analyzed after the session is conveniently recorded.
In the API encryption flow collection and labeling method based on the man-in-the-middle Agent, on one hand, the man-in-the-middle Agent client 2 is used for detecting all network access requests of User applications, analyzing http and https flow concerned, extracting url links and parameters of the network access requests, generating corresponding interface documents so that parameters such as User-agents can be adjusted, flow generated by different network equipment in different network environments can be simulated, the man-in-the-middle Agent client 2 can generate log files while detecting http/https flow, the log files record application names and url links of the application requests, formats such as ' application 1 ', { ' https:// request1.Com ', ' application 2 ', { ' https:// request2.Com ', },/https:// request3.Com ' }, and the subsequent flow can be rapidly simulated, the design framework of the client-server is greatly improved, and the flow is simulated from the PC interface documents are extracted from the PC, and the flow is simulated by using the PC.
As a possible implementation manner, as shown in fig. 2, the specific implementation steps of the API encrypted traffic collection and labeling method based on the broker agent provided in the embodiment of the present invention include:
step S1, a man-in-the-middle agent client 2 is adopted to monitor network access requests of applications installed in the PC 1.
In order to collect pure application API traffic, proxy forwarding is required for the application traffic, that is, all traffic of the target application process is proxied to a designated port, and the broker proxy client 2 monitors the port in real time to parse and forward the traffic.
The application flow agent forwarding method is changed according to different application types, is relatively simple for common Web applications, and is obviously more beneficial to flow collection and labeling because the browser basically realizes the functions of http/https flow agents, can proxy all flow of the browser to specified IP and ports, and uses a method of constructing a routing table by using proxy plug-ins to complete the forwarding function of API requests, and different Web application flows are forwarded to different ports through configuration rules.
For general user applications and system applications, the flow agent tool can be used to configure corresponding rules, and the flow of the target application is forwarded to the monitoring port of the man-in-the-middle agent client 2.
In order for the broker proxy client 2 to acquire a session between the target application and the target application server, the target application needs to trust and use the credentials of the broker proxy client, so that the session key between the target application and the broker proxy client 2 and the session key between the broker proxy client 2 and the target application server (web server) can be grasped, and decryption of the encrypted traffic can be achieved.
Step S2, the man-in-the-middle agent client 2 exports and stores the API interface document generated by analyzing the network access request and log information stored by the comparison PID.
The broker client 2 will parse all network request data packets according to the TCP/IP protocol stack format, and first determine the protocol type of the data packet, and since the embodiment mainly collects http/https traffic, traffic of other protocol types will be ignored. For an http/https protocol data packet, the broker proxy client 2 determines whether the data packet is encrypted by using a TLS/SSL encryption suite, if the data packet is not encrypted, the application layer of the data packet is parsed according to an http protocol format to obtain the required URL link, a request mode, a request header field and other contents, and if the data packet is encrypted by using an encryption algorithm, because the broker proxy client 2 obtains a communication key by a certificate replacement and session acquisition method, the broker proxy client 2 can decrypt the encrypted application layer payload by using the communication key, and then decrypt the decrypted application layer plaintext data according to the same processing mode as that of http.
The intermediate proxy client 2 analyzes URL links obtained by http/https data packets, the contents such as request header fields and the like form corresponding API interface documents, the formats of { URL connection of API requests, parameter forms and flow network delay } are stored, all information of the data packet requests are recorded, a packet sender randomly changes the parameter forms and the flow network delay based on the recording formats, the generation capacity of the API requests is realized, the parameter forms comprise request modes, request header and request data, the request modes comprise request modes of various http protocols such as GET, POST, HEAD, the request header comprises header information of request lines such as Cookie, user-Agent, host and the like, and the request data comprise important data which need to be encrypted and transmitted in a POST mode.
The man-in-the-middle agent client 2 generates a specific log file by comparing the mapping relation between the application process PID and the source port of the data packet, for example, a network connection occupation port condition is monitored by using a 'netstat-aon| findstr' source port 'command, a port condition owned by the application process is monitored by using a' tasklist | findstr 'PID', and therefore, a one-to-one mapping relation between the API interface flow data packet and the application process PID is formed (the mapping relation is only stored in the local of the PC computer 1), and the flow accurate acquisition capability is further realized.
Step S3, the man-in-the-middle agent client 2 uploads the saved API interface document and log file to the cloud server 3.
The man-in-the-middle client 2 writes the relation between the API interface and the application acquired in real time into a log file in the form of "application name-stream five-tuple (source address, destination address, source port, destination port, protocol type) list-API interface information", and uploads the relation to the cloud server 3 simultaneously with the API interface document generated during the process.
Step S4, the cloud server 3 receives a plurality of API interface documents sent by the man-in-the-middle agent client 2, stores all the API records, integrates parameter forms and network delay in the records to obtain a parameter dictionary and a network delay change range, can generate corresponding python script codes for each API interface document, generates new API requests by combining the stored API records based on the parameter dictionary and the delay change range, executes the python codes to send the corresponding network requests, and then captures communication encrypted traffic and communication private keys generated by the same interface by using tcpdump.
That is, in step S4, the cloud server 3 receives the API interface documents and log files sent from the plurality of man-in-the-middle proxy clients 2, and the packet sender 6 on the cloud server 3 generates the python script code by using the information provided by the API interface documents, and since the API interface documents contain all necessary information requested by the network, the function of automatically generating the python packet sending script can be implemented by using the postman tool. Then, the packet sender 6 loads a parameter dictionary library and a time delay factor library, continuously replaces related parameter information of a corresponding API, and then executes a python script to send out different data packets, wherein the parameter dictionary mainly comprises related fields such as GET parameters in url links of the API, user-Agent in http/https heads and the like, and the related fields are used for simulating the conditions of different users and different devices for initiating network requests in different environments. The TLS/SSL certificates used by the python script of the wrapper 6 are controllable and are replaced by the present invention so that the present invention does not decrypt the encrypted traffic collected by the traffic collector, facilitating the analysis of the encrypted traffic. The flow collector 4 of the cloud server 3 is mainly implemented by tcpdump, and is configured to collect a network request sent by a python script, generate an original flow file (Pcap) file, compare the original flow file with a log file corresponding to an API interface file, generate the corresponding API interface communication flow of the target application through statistics, and obtain a private key in a certificate used by the wrapper 6 at the same time, where different API interface files of the same application are stored in the same folder, and the folder contains the Pcap files collected by the different API interface flows and the private keys corresponding to the Pcap files.
The method and the system can analyze the encrypted flow of the API interface which belongs to a certain type of application, further mine some flow characteristic information and behavior patterns of the application, and particularly can decrypt and analyze the collected encrypted flow, analyze the influence factors of the encrypted flow, mine the potential user behavior pattern characteristics and help judge whether the behavior of the certain type of application leaks user privacy.
It should be noted that the above-mentioned embodiments are merely for illustrating the technical solution of the present invention, and not for limiting the same, and although the present invention has been described in detail with reference to the above-mentioned embodiments, it should be understood by those skilled in the art that the technical solution described in the above-mentioned embodiments may be modified or some technical features may be equivalently replaced, and these modifications or substitutions do not make the essence of the corresponding technical solution deviate from the spirit and scope of the technical solution of the embodiments of the present invention.
What has been described above is merely some embodiments of the present invention. It will be apparent to those skilled in the art that various modifications and improvements can be made without departing from the spirit of the invention.
Claims (9)
1. An API encrypted traffic collection and labeling method based on an intermediary agent is characterized in that in a system comprising a cloud server and an application terminal provided with an intermediary agent client, the following steps are executed:
The method comprises the steps that an intermediary proxy client detects and intercepts a network access request sent by an application program of an application terminal to an application server, analyzes the network access request to generate a corresponding API interface document, wherein the API interface document comprises network request links and request parameters of different APIs of the application server; the man-in-the-middle agent client generates a simulated network access request within the parameter variable range according to the real flow information of the application terminal, and the simulated application program establishes connection and communication with the application server, sends the content returned by the application server to the corresponding application program, records and stores a communication log file and an API interface document, and uploads the communication log file and the API interface document to the cloud server, wherein the communication log file records the application name and url link of the application request;
The cloud server generates a corresponding script code for each API interface document, randomly selects parameters from an interface parameter dictionary and replaces the parameters of each API interface document, generates a simulation network access request and sends the simulation network access request to the application server, when the simulation network access request is sent to the application server, the cloud server collects encrypted communication traffic and a communication private key generated by the same API interface, generates a traffic log file for traffic marking when collecting the encrypted communication traffic, and records the collected communication private key for decrypting the encrypted communication traffic.
2. The method of claim 1, wherein the request parameters in the API interface document include an encryption algorithm and key information used for each handshake.
3. The method of claim 1, wherein the application program of the application terminal includes user preference settings and cookie caching and is capable of accessing different web applications.
4. The method of claim 1, wherein the broker client parsing the network access request and generating and storing a corresponding API interface document specifically comprises:
Screening and filtering the traffic protocol types in the network access request, and reserving http and https protocol traffic;
Analyzing the network data packet of the network access request according to the corresponding protocol format, extracting url links and parameter fields in the network data packet, and storing the url links and the parameter fields in an xml file format.
5. The method of claim 1, wherein the broker client obtains a process corresponding to a current application by reading a process ID in an operating system of an application terminal, and obtains a flow corresponding to the current application by a process source port number, that is, mapping the process ID to a specific system application by a packet management application program interface of the operating system, so as to obtain a mapping relationship between the flow and the application.
6. The method of claim 1, wherein the broker client comprises an API request locating intercept module, an API request forwarding module, and an API request parameter recording module;
the API request positioning and intercepting module is used for detecting and intercepting a network access request sent by an application program to the application server, analyzing the network access request and generating a corresponding API interface document;
The API request forwarding module is used for generating a simulated network access request, establishing connection and communication between the simulated application program and the application server, and sending the content returned by the application server to the corresponding application program;
the API request parameter recording module is used for recording the communication log file and the API interface document.
7. The method of claim 1, wherein the cloud server is deployed at a physical network location capable of establishing a stable connection with an application server, comprising a wrapper and a traffic collector;
The package sender is used for generating a corresponding script code for each API interface document, randomly selecting parameters from the interface parameter dictionary and replacing the parameters of each API interface document, generating a simulation network access request and sending the simulation network access request to the application server;
The traffic collector monitors and collects encrypted communication traffic and a communication private key generated by the same API interface based on a preset traffic capturing tool.
8. The method of claim 7, wherein the generating and sending the simulated network access request to the application server by the packet transmitter of the cloud server is specifically:
generating communication flow of corresponding API according to API interface document and preset parameter dictionary
Analyzing the API interface document, reading URL links and request parameters in the API interface document, loading a parameter dictionary on a cloud server, replacing related request parameters, generating corresponding python codes, executing the python codes to generate a simulation network access request, and sending the simulation network access request to an application server.
9. The method of claim 7, wherein the traffic collector stores the collected encrypted traffic in a format in which an API request of a web application corresponds to a record of traffic pcap.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310769946.3A CN116723238B (en) | 2023-06-27 | 2023-06-27 | API encrypted flow collection and labeling method based on man-in-the-middle agent |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310769946.3A CN116723238B (en) | 2023-06-27 | 2023-06-27 | API encrypted flow collection and labeling method based on man-in-the-middle agent |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN116723238A CN116723238A (en) | 2023-09-08 |
| CN116723238B true CN116723238B (en) | 2025-09-19 |
Family
ID=87875025
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202310769946.3A Active CN116723238B (en) | 2023-06-27 | 2023-06-27 | API encrypted flow collection and labeling method based on man-in-the-middle agent |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN116723238B (en) |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117834253B (en) * | 2023-12-29 | 2024-09-17 | 北京天融信网络安全技术有限公司 | Method and device for analyzing TLS (transport layer security) traffic, TLS communication traffic analysis system and machine-readable storage medium |
Family Cites Families (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111224893A (en) * | 2019-12-30 | 2020-06-02 | 中国人民解放军国防科技大学 | VPN-based android mobile phone traffic collection and labeling system and method |
| CN112149105A (en) * | 2020-10-21 | 2020-12-29 | 腾讯科技(深圳)有限公司 | Data processing system, method, related equipment and storage medium |
| CN112804244B (en) * | 2021-01-26 | 2023-03-14 | 广州欢网科技有限责任公司 | Method, device and equipment for intelligently controlling bottom micro-service flow by API gateway |
| CN112784289B (en) * | 2021-01-26 | 2022-10-18 | 济南大学 | Extraction system and method for Android application encrypted network traffic |
| CN115037537A (en) * | 2022-06-06 | 2022-09-09 | 恒安嘉新(北京)科技股份公司 | Abnormal traffic interception and abnormal domain name identification method, device, equipment and medium |
-
2023
- 2023-06-27 CN CN202310769946.3A patent/CN116723238B/en active Active
Non-Patent Citations (2)
| Title |
|---|
| SD-Transformer: A System-Level Denoising Transformer for Encrypted Traffic Behavior Identification;Yizhuo Zhao 等;IEEE;20240226;全文 * |
| 基于系统特征去噪的网络行为分析研究;赵毅卓;万方数据库;20241125;第2-4章 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN116723238A (en) | 2023-09-08 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Husák et al. | HTTPS traffic analysis and client identification using passive SSL/TLS fingerprinting | |
| US11838330B2 (en) | Selective information extraction from network traffic traces both encrypted and non-encrypted | |
| US10193870B2 (en) | Methods and systems for non-intrusive analysis of secure communications | |
| US6928471B2 (en) | Method and apparatus for measurement, analysis, and optimization of content delivery | |
| EP3641265B1 (en) | Method, apparatus, and network system for identifying website | |
| CN115699680A (en) | Rapid identification of violations and attack execution in network traffic patterns | |
| CN111147305A (en) | Network asset portrait extraction method | |
| Datta et al. | Network traffic classification in encrypted environment: a case study of google hangout | |
| WO2020252897A1 (en) | Distributed link data authentication method, device and apparatus, and storage medium | |
| CN116723238B (en) | API encrypted flow collection and labeling method based on man-in-the-middle agent | |
| Wijesinghe et al. | An enhanced model for network flow based botnet detection | |
| CN107124385B (en) | Mirror flow-based SSL/TLS protocol plaintext data acquisition method | |
| EP2545488A1 (en) | Data capture tool and method | |
| CN114401112B (en) | Bypass deployment of real-time deep packet inspection method for TLS encrypted malicious traffic | |
| JP2005323322A (en) | Log information storage and analysis system | |
| CN117879932A (en) | Encryption traffic detection method and device, storage medium and terminal | |
| KR20190062115A (en) | ICAP protocol extension method for providing network forensic service of encrypted traffic, network forensic device supporting it and web proxy | |
| Song et al. | Evaluating the distinguishability of Tor traffic over censorship circumvention tools | |
| KR101919762B1 (en) | An encrypted traffic management apparatus and method for decrypting encrypted traffics | |
| Biß et al. | Device discovery and identification in industrial networks: Geräteerkennung und-identifizierung in industriellen Netzen | |
| Wannigama et al. | Unveiling Behavioral Transparency of Protocols Communicated by IoT Networked Assets (Full Version) | |
| Karlsson et al. | Enabling Cyber Threat Intelligence Sharing for Resource Constrained IoT | |
| Li et al. | From Fingerprint to Footprint: Characterizing the Dependencies in Encrypted DNS Infrastructures | |
| Hartmond et al. | Client Monitoring with HTTPS | |
| Zhu et al. | Encrypted Mining Traffic Detection Mechanism Based on TLS Handshake Message and Machine Learning |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |