CN104765884B - A kind of fingerprint identification method of HTTPS webpages - Google Patents
- Publication number: CN104765884B
- Application number: CN201510213462.6A
- Authority: CN (China)
- Prior art keywords: matching, https, unknown, fingerprint, coefficient
- Legal status: Active
Abstract
The present application relates to a fingerprint extraction method and a fingerprint identification method for HTTPS webpages. The fingerprint extraction method includes: obtaining, from the data stream of the HTTPS webpage to be processed, the ciphertext length and encryption mode of each of a plurality of objects of that webpage; obtaining, from the ciphertext length and encryption mode of each object, the plaintext length interval of each object, so as to determine the information of each object, where the information of each object includes the maximum length, minimum length and average length corresponding to the object; and constructing the fingerprint of the HTTPS webpage to be processed from the information of its objects. The fingerprint identification method includes: extracting the object information of the HTTPS webpage to be identified and matching it against the information in an HTTPS webpage fingerprint library to complete the identification. The fingerprint extraction method and fingerprint identification method of the invention are highly feasible and achieve high identification accuracy.
Description
Technical field
The invention relates to the field of computer technology, and in particular to a fingerprint extraction method and a fingerprint identification method for HTTPS webpages.
Background
At present, with the development of traffic identification technology, demand for it in network management is growing. Attention is no longer limited to identifying traffic at the application level and has shifted toward methods for identifying encrypted traffic such as P2P, SSL and SSH. With the development in recent years of the SSL protocol and its derivative, the TLS protocol, the HTTPS protocol (the combination of the HTTP protocol and the SSL protocol) has gradually come into use.
HTTPS is an encryption protocol that ensures the secure transmission of webpage data. In the HTTPS protocol, HTTP is responsible for transmitting webpage data, and the SSL protocol is responsible for data encryption and identity authentication. HTTPS is now widely used in important services such as online banking, online payment and e-commerce. Many Web sites also transmit data over HTTPS to secure their own communications. Even ordinary websites that normally use HTTP use HTTPS for pages that involve users' private information, such as login and registration, and some provide users with a dedicated HTTPS channel. HTTPS has therefore secured a place in Web communication, and HTTPS-encrypted traffic is becoming more widespread and will continue to grow. However, current identification of HTTPS-encrypted traffic has low accuracy and poor feasibility.
Summary of the invention
The invention provides a fingerprint extraction method and a fingerprint identification method for HTTPS webpages, with the aim of solving the problem that encrypted webpage traffic based on the HTTPS protocol is currently identified with low accuracy.
To achieve this object, the invention adopts the following technical solution:
A fingerprint extraction method for an HTTPS webpage, the method comprising: obtaining, from the data stream of the HTTPS webpage to be processed, the ciphertext length and encryption mode of each of a plurality of objects of that webpage; obtaining, from the ciphertext length and encryption mode of each object, the plaintext length interval of each object, so as to determine the information of each object, where the information of each object includes the maximum length, minimum length and average length corresponding to the object; and constructing the fingerprint of the HTTPS webpage to be processed from the information of its objects.
Preferably, in the step of obtaining the plaintext length interval of each object: for each of the objects, when the object is encrypted with a stream cipher, its plaintext length interval is $L(D) = [L(E) - nL(Mac),\ L(E) - nL(Mac)]$; when the object is encrypted with a block cipher, its plaintext length interval is $L(D) = [L(E) - nL(Mac) - n - n(bs-1),\ L(E) - nL(Mac) - n]$. Here $L(D)$ denotes the plaintext length interval of the object, the expression to the left of the comma being the object's minimum length and the expression to the right of the comma its maximum length; $L(E)$ denotes the ciphertext length of the object; $L(Mac)$ denotes the length of the verification information determined by the object's encryption mode; $n$ denotes the number of fragments of the object in transmission; and $bs$ denotes the block size used by the object's encryption mode.
Preferably, the constructed fingerprint of the HTTPS webpage to be processed is $fp = \{obj_i,\ i = 1, 2, \ldots, N_0\}$, where $N_0$ denotes the number of objects included in the HTTPS webpage to be processed, $fp$ denotes the fingerprint of the HTTPS webpage to be processed, $obj_i = \{obj_{i}\_min,\ obj_{i}\_max,\ obj_{i}\_s\}$, $obj_{i}\_min$ denotes the minimum length of the $i$-th object of the HTTPS webpage to be processed, $obj_{i}\_max$ denotes the maximum length of the $i$-th object, $obj_{i}\_s$ denotes the average length of the $i$-th object, and
A fingerprint identification method for HTTPS webpages, the method comprising: capturing the data streams of a predetermined number of unknown HTTPS webpages to determine the ciphertext lengths and encryption modes of all unknown objects included in those webpages; obtaining, from the ciphertext length and encryption mode of each unknown object, the plaintext length interval of each unknown object, so as to determine the information of each unknown object, where the information of each unknown object includes the maximum length, minimum length and average length corresponding to that unknown object; constructing, from the information of all unknown objects, the data set to be identified corresponding to the predetermined number of unknown HTTPS webpages; and matching the data set to be identified against the fingerprint of each known HTTPS webpage in a predetermined fingerprint library, so as to determine from the matching result the fingerprint of the known HTTPS webpage corresponding to the data set to be identified, as the fingerprint identification result of the data set to be identified.
Preferably, the step of matching the data set to be identified against the fingerprint of each known HTTPS webpage in the predetermined fingerprint library includes: for each unknown object included in the predetermined number of unknown HTTPS webpages, determining whether the plaintext length interval of each known object of each known HTTPS webpage intersects the plaintext length interval of the unknown object; if it does, storing the information of the known object in the matching set corresponding to the known HTTPS webpage to which the known object belongs; determining, among all known objects contained in the matching set corresponding to each known HTTPS webpage, the matching object of the unknown object, such that the distance between the average length of the matching object and the average length of the unknown object is smallest; and storing the correspondence between the matching object and the unknown object in the matching set corresponding to the known HTTPS webpage to which the matching object belongs.
Preferably, the lower bound of the unknown object's plaintext length interval may equal the unknown object's minimum length minus a preset buffer factor, and the upper bound of the unknown object's plaintext length interval may equal the unknown object's maximum length plus the buffer factor.
Preferably, the step of determining, from the matching result, the fingerprint of the known HTTPS webpage corresponding to the data set to be identified includes: calculating the matching coefficient corresponding to each known HTTPS webpage from the number and total byte count of all unknown objects included in the predetermined number of unknown HTTPS webpages, the number and total byte count of all known objects included in each known HTTPS webpage in the predetermined fingerprint library, the number and total byte count of all known objects included in each matching set, and the average length of the known object and the average length of the unknown object in each correspondence included in each matching set; removing, from the matching coefficients corresponding to all known HTTPS webpages, those smaller than a first coefficient threshold, and sorting all remaining matching coefficients from smallest to largest to obtain a sorted coefficient set; calculating, for every two adjacent matching coefficients in the current coefficient set, the ratio of the preceding coefficient to the following coefficient, determining the minimum of all the calculated ratios, and deleting from the coefficient set the following matching coefficient of the adjacent pair corresponding to that minimum together with all matching coefficients ranked after it, so as to update the current coefficient set; and determining a second coefficient threshold from the largest matching coefficient in the current coefficient set, removing from the coefficient set the matching coefficients smaller than the second coefficient threshold, and determining the fingerprints of all known HTTPS webpages corresponding to the remaining matching coefficients as the fingerprint identification result of the data set to be identified.
Preferably, the second coefficient threshold equals a predetermined multiple of the largest matching coefficient in the current coefficient set, where the predetermined multiple takes a value between 0 and 1.
Compared with the prior art, the invention has the following beneficial effects:
The fingerprint extraction method and fingerprint identification method for HTTPS webpages of the invention are highly feasible and achieve high identification accuracy. They allow network services to be managed more effectively while information security is maintained, and can prevent criminals from transmitting illegal and harmful information through HTTPS-encrypted webpages.
Description of drawings
Fig. 1 is a flow chart of an example of a fingerprint extraction method for an HTTPS webpage according to an embodiment of the invention; and
Fig. 2 is a flow chart of an example of a fingerprint identification method for HTTPS webpages according to an embodiment of the invention.
Detailed description
To make the object, technical solution and beneficial effects of the invention clearer, embodiments of the invention are described below with reference to the accompanying drawings. It should be noted that, provided there is no conflict, the embodiments in this application and the features in the embodiments may be combined with one another arbitrarily.
An embodiment of the invention provides a fingerprint extraction method for an HTTPS webpage, the method comprising: obtaining, from the data stream of the HTTPS webpage to be processed, the ciphertext length and encryption mode of each of a plurality of objects of that webpage; obtaining, from the ciphertext length and encryption mode of each object, the plaintext length interval of each object, so as to determine the information of each object, where the information of each object includes the maximum length, minimum length and average length corresponding to the object; and constructing the fingerprint of the HTTPS webpage to be processed from the information of its objects.
Fig. 1 shows a flow chart of an example process of a fingerprint extraction method for an HTTPS webpage according to an embodiment of the invention. As shown in Fig. 1, after the process starts, step S110 is executed first.
In step S110, the ciphertext length and encryption mode of each of a plurality of objects of the HTTPS webpage to be processed (which may, for example, be any one of several HTTPS webpages to be processed) are obtained from the data stream of that webpage. Step S120 is then executed.
In step S120, the plaintext length interval of each object is obtained from the ciphertext length and encryption mode of each object of the HTTPS webpage to be processed, so as to determine the information of each object, where the information of each object includes the maximum length, minimum length and average length corresponding to the object. Step S130 is then executed.
Preferably, in step S120, the plaintext length interval of each object may be obtained as follows: for each of the objects, when the object is encrypted with a stream cipher, its plaintext length interval is $L(D) = [L(E) - nL(Mac),\ L(E) - nL(Mac)]$; when the object is encrypted with a block cipher, its plaintext length interval is $L(D) = [L(E) - nL(Mac) - n - n(bs-1),\ L(E) - nL(Mac) - n]$. Here $L(D)$ denotes the plaintext length interval of the object, the expression to the left of the comma being the object's minimum length and the expression to the right of the comma its maximum length; $L(E)$ denotes the ciphertext length of the object; $L(Mac)$ denotes the length of the verification information determined by the object's encryption mode; $n$ denotes the number of fragments of the object in transmission; and $bs$ denotes the block size used by the object's encryption mode.
In step S130, the fingerprint of the HTTPS webpage to be processed is constructed from the information of its objects, completing fingerprint extraction for that webpage. The process then ends.
Preferably, the constructed fingerprint of the HTTPS webpage to be processed may be $fp = \{obj_i,\ i = 1, 2, \ldots, N_0\}$, where $N_0$ denotes the number of objects included in the HTTPS webpage to be processed, $fp$ denotes the fingerprint of the HTTPS webpage to be processed, $obj_i = \{obj_{i}\_min,\ obj_{i}\_max,\ obj_{i}\_s\}$, $obj_{i}\_min$ denotes the minimum length of the $i$-th object of the HTTPS webpage to be processed, $obj_{i}\_max$ denotes the maximum length of the $i$-th object, $obj_{i}\_s$ denotes the average length of the $i$-th object, and
As the above description shows, the fingerprint extraction method for an HTTPS webpage according to this embodiment obtains the plaintext length interval of each object from the ciphertext length and encryption mode of each object of the HTTPS webpage, determines the information of each object from it, and thereby obtains the fingerprint of the HTTPS webpage. The method is highly feasible and facilitates the subsequent decryption, that is, the fingerprint identification process, so that the subsequent identification accuracy is high.
In addition, an embodiment of the invention provides a fingerprint identification method for HTTPS webpages, the method comprising: capturing the data streams of a predetermined number of unknown HTTPS webpages to determine the ciphertext lengths and encryption modes of all unknown objects included in those webpages; obtaining, from the ciphertext length and encryption mode of each unknown object, the plaintext length interval of each unknown object, so as to determine the information of each unknown object, where the information of each unknown object includes the maximum length, minimum length and average length corresponding to that unknown object; constructing, from the information of all unknown objects, the data set to be identified corresponding to the predetermined number of unknown HTTPS webpages; and matching the data set to be identified against the fingerprint of each known HTTPS webpage in a predetermined fingerprint library, so as to determine from the matching result the fingerprint of the known HTTPS webpage corresponding to the data set to be identified, as the fingerprint identification result of the data set to be identified.
Fig. 2 shows a flow chart of an example process of a fingerprint identification method for HTTPS webpages according to an embodiment of the invention. As shown in Fig. 2, after the process starts, step S210 is executed first.
In step S210, the data streams of a predetermined number of unknown HTTPS webpages are captured to determine the ciphertext lengths and encryption modes of all unknown objects included in those webpages. Step S220 is then executed.
In step S220, the plaintext length interval of each unknown object is obtained from its ciphertext length and encryption mode, so as to determine the information of each unknown object, where the information of each unknown object includes the maximum length, minimum length and average length corresponding to that unknown object. Step S230 is then executed.
In step S230, the data set to be identified corresponding to the predetermined number of unknown HTTPS webpages is constructed from the information of all unknown objects. Step S240 is then executed.
In step S240, the data set to be identified is matched against the fingerprint of each known HTTPS webpage in the predetermined fingerprint library, so as to determine from the matching result the fingerprint of the known HTTPS webpage corresponding to the data set to be identified, as the fingerprint identification result of the data set to be identified. The process then ends.
Preferably, in step S240, the data set to be identified may be matched against the fingerprint of each known HTTPS webpage in the predetermined fingerprint library as follows: for each unknown object included in the predetermined number of unknown HTTPS webpages, it is determined whether the plaintext length interval of each known object of each known HTTPS webpage intersects the plaintext length interval of the unknown object; if it does, the information of the known object is stored in the matching set corresponding to the known HTTPS webpage to which the known object belongs; among all known objects contained in the matching set corresponding to each known HTTPS webpage, the matching object of the unknown object is determined such that the distance between the average length of the matching object and the average length of the unknown object (that is, the difference between the two average lengths) is smallest; and the correspondence between the matching object and the unknown object is stored in the matching set corresponding to the known HTTPS webpage to which the matching object belongs. Here, the lower bound of the unknown object's plaintext length interval may equal the unknown object's minimum length minus a preset buffer factor, and the upper bound may equal the unknown object's maximum length plus the buffer factor.
Preferably, in step S240, the fingerprint of the known HTTPS webpage corresponding to the data set to be identified may be determined as follows: the matching coefficient corresponding to each known HTTPS webpage is calculated from the number and total byte count of all unknown objects included in the predetermined number of unknown HTTPS webpages, the number and total byte count of all known objects included in each known HTTPS webpage in the predetermined fingerprint library, the number and total byte count of all known objects included in each matching set, and the average length of the known object and the average length of the unknown object in each correspondence included in each matching set; from the matching coefficients corresponding to all known HTTPS webpages, those smaller than a first coefficient threshold are removed, and all remaining matching coefficients are sorted from smallest to largest to obtain a sorted coefficient set; for every two adjacent matching coefficients in the current coefficient set, the ratio of the preceding coefficient to the following coefficient is calculated, the minimum of all the calculated ratios is determined, and the following matching coefficient of the adjacent pair corresponding to that minimum, together with all matching coefficients ranked after it, is deleted from the coefficient set so as to update the current coefficient set; a second coefficient threshold is determined from the largest matching coefficient in the current coefficient set, the matching coefficients in the coefficient set smaller than the second coefficient threshold are removed, and the fingerprints of all known HTTPS webpages corresponding to the remaining matching coefficients are determined as the fingerprint identification result of the data set to be identified.
Here, the second coefficient threshold may, for example, equal a predetermined multiple of the largest matching coefficient in the current coefficient set, where the predetermined multiple takes a value between 0 and 1.
An application example of a fingerprint identification method for HTTPS webpages according to an embodiment of the invention is described below.
First, each time a complete HTTPS data stream has been captured, its internal data is analyzed to obtain the stream's encryption algorithm and message digest algorithm, the plaintext intervals of all response objects in the stream are calculated, and these are stored in the unknown object set. Each time a predetermined number (for example, 10) of HTTPS data streams has been captured, the unknown object set contains $N_u$ objects in total, and fingerprint identification is then performed on these $N_u$ objects.
Let $UKOBJ$ denote the above data set to be identified; then:
$UKOBJ = \{ukobj_k,\ k = 1, 2, \ldots, N_u\}$.
Here, $N_u$ denotes the total number of unknown objects included in the predetermined number of unknown HTTPS webpages, $ukobj_k$ denotes the information of the $k$-th unknown object among all unknown objects included in those webpages, and $ukobj_k = \{ukobj_{k}\_min,\ ukobj_{k}\_max,\ ukobj_{k}\_s\}$.
$ukobj_{k}\_min$ denotes the minimum length of the $k$-th unknown object, $ukobj_{k}\_max$ denotes the maximum length of the $k$-th unknown object, $ukobj_{k}\_s$ denotes the average length of the $k$-th unknown object, and
Suppose the predetermined fingerprint library includes the fingerprints of M known HTTPS webpages, expressed as where fp_m is the fingerprint of the m-th known HTTPS webpage included in the predetermined fingerprint library, and is the information of the j-th known object included in the m-th known HTTPS webpage.
Here, denotes the minimum length of the j-th known object included in the m-th known HTTPS webpage, denotes the maximum length of that object, denotes the average length of that object, and
For each unknown object included in the predetermined number of unknown HTTPS webpages, the following determination is made for each known object of each known HTTPS webpage: whether the plaintext length interval of the known object intersects the plaintext length interval [ukobj_k_min, ukobj_k_max] of the unknown object. If they intersect, the information of the known object is stored in the matching set R_m corresponding to that known HTTPS webpage, and the determination below then continues; otherwise, the next known object is examined directly.
In one example, it may be determined whether the known object's plaintext length interval intersects [ukobj_k_min - α, ukobj_k_max + α]: if it does, the known object's information is stored in the corresponding matching set R_m. Here α is a buffer factor; adding it offsets, to some extent, the effect that different browsers or system kernels have on the HTTP header. α may, for example, take a value between 10 and 30.
Then, for each unknown object included in the predetermined number of unknown HTTPS webpages, the matching object of that unknown object is determined among all known objects contained in the matching set R_m corresponding to each known HTTPS webpage, such that the distance between the average length of the matching object and the average length ukobj_k'_s of the unknown object is minimal. The correspondence between the information of the matching object and the information ukobj_k' of the unknown object is stored in the matching set R_m corresponding to that known HTTPS webpage, where
Then, for the matching set R_m corresponding to each known HTTPS webpage, the following information is extracted:
(1) the number uk_num of all unknown objects included in the predetermined number of unknown HTTPS webpages;
(2) the total number of bytes uk_bytes included in the predetermined number of unknown HTTPS webpages;
(3) the number fp_m_num of all known objects included in the known HTTPS webpage;
(4) the total number of bytes fp_m_bytes of all known objects included in the known HTTPS webpage;
(5) the number R_m_num of all known objects included in the matching set R_m (that is, the number of known objects in the current HTTPS webpage that match unknown objects);
(6) the total number of bytes R_m_bytes of all known objects included in the matching set R_m;
(7) the average length of the known object included in each correspondence in the matching set R_m; and
(8) the average length ukobj_k'_s of the unknown object included in each correspondence in the matching set R_m.
From these eight items of information, the matching coefficient corresponding to each known HTTPS webpage is calculated:
Here, N_k is the number of unknown objects contained in the matching set R_m.
Among the matching coefficients corresponding to all known HTTPS webpages, those smaller than the first coefficient threshold β are removed, and all remaining matching coefficients are sorted from small to large to obtain the sorted coefficient set, where denotes the serial number of the known HTTPS webpage corresponding to the matching coefficient, and N_ρ1 is the number of matching coefficients contained in the current coefficient set (that is, the coefficient set after the matching coefficients smaller than β have been removed). If the coefficient set ρ is empty at this point, the predetermined number of HTTPS flows contains no traffic generated by the known HTTPS webpages in the predetermined fingerprint library, and fingerprint identification is complete; otherwise, processing continues as follows. The value of the first coefficient threshold β may be set from empirical values or determined by experiment, and is not detailed here.
The front-to-back coefficient ratio of every two adjacent matching coefficients in the current coefficient set is calculated (here p = 1, 2, ..., N_ρ1 - 1), and the minimum of all calculated ratios is determined. The later of the two adjacent matching coefficients corresponding to that minimum, together with all matching coefficients ranked after it, is deleted from the coefficient set to update the current coefficient set, as N_ρ2 is the number of matching coefficients contained in the current coefficient set (that is, the coefficient set after this deletion).
Then, the second coefficient threshold β' is determined from the largest matching coefficient in the current coefficient set. β' may equal a predetermined multiple of that largest matching coefficient, where the predetermined multiple takes a value between 0 and 1. For example, is the preset proportional coefficient (that is, the predetermined multiple). The matching coefficients in the coefficient set that are smaller than β' are removed, and the coefficient set formed by the remaining matching coefficients is the result of fingerprint identification; N_ρ3 is the number of matching coefficients contained in the current coefficient set (that is, the coefficient set after the matching coefficients smaller than β' have been removed). In other words, the fingerprints of all known HTTPS webpages corresponding to the remaining matching coefficients are the fingerprint identification result for the data set to be identified. The value of the predetermined multiple may be set from empirical values or determined by experiment, and is not detailed here.
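The candidate-selection and matching steps described above (interval intersection with the buffer factor α, then nearest average length), as an added example that is not code from the patent. The object lengths are constructed, the names `LengthInfo`, `match_against_page` and `summarize` are hypothetical, and the example assumes each unknown object is matched only against the known objects whose interval overlaps its own; it stops before the matching coefficient because that formula is not reproduced on this page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LengthInfo:
    """Plaintext length information of one object, in bytes."""
    min_len: int
    max_len: int
    avg_len: float


def intersects(known, unknown, alpha):
    """True if [known.min, known.max] meets [unknown.min - alpha, unknown.max + alpha]."""
    return (known.min_len <= unknown.max_len + alpha
            and known.max_len >= unknown.min_len - alpha)


def match_against_page(unknowns, known_objs, alpha=20):
    """Build R_m (indices of known objects) and the unknown -> known correspondences."""
    r_m, pairs = set(), {}
    for k, uk in enumerate(unknowns):
        # Assumption: candidates are the known objects overlapping this unknown object.
        cands = [j for j, fp in enumerate(known_objs) if intersects(fp, uk, alpha)]
        r_m.update(cands)
        if cands:
            # Matching object: smallest distance between average lengths.
            pairs[k] = min(cands, key=lambda j: abs(known_objs[j].avg_len - uk.avg_len))
    return sorted(r_m), pairs


def summarize(unknowns, known_objs, alpha=20):
    """Collect the count-type inputs listed in the text for one known page."""
    r_m, pairs = match_against_page(unknowns, known_objs, alpha)
    return {
        "uk_num": len(unknowns),      # unknown objects in the batch
        "fp_num": len(known_objs),    # known objects in this page's fingerprint
        "R_num": len(r_m),            # known objects that entered R_m
        "N_k": len(pairs),            # unknown objects that found a match
        "avg_pairs": [(known_objs[j].avg_len, unknowns[k].avg_len)
                      for k, j in sorted(pairs.items())],
    }


# Constructed sample data (not taken from the patent).
PAGE_A = [LengthInfo(1180, 1195, 1187.5), LengthInfo(5200, 5215, 5207.5),
          LengthInfo(40960, 40975, 40967.5), LengthInfo(1210, 1225, 1217.5)]
PAGE_B = [LengthInfo(300, 315, 307.5), LengthInfo(9000, 9015, 9007.5)]
UNKNOWN = [LengthInfo(1190, 1205, 1197.5), LengthInfo(5230, 5245, 5237.5),
           LengthInfo(700, 715, 707.5)]

if __name__ == "__main__":
    for name, page in (("A", PAGE_A), ("B", PAGE_B)):
        print(name, summarize(UNKNOWN, page))
    print("A, alpha=0:", match_against_page(UNKNOWN, PAGE_A, alpha=0))
```

With α = 0 the second unknown object no longer overlaps any known object of page A, which is the header-size drift the buffer factor is meant to absorb.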
As the above description shows, the fingerprint identification method for HTTPS webpages according to the embodiment of the present invention uses the fingerprint extraction method described above to obtain the fingerprint of an unknown HTTPS webpage and compares it with the fingerprints in the predetermined fingerprint library, so that the fingerprint identification result is determined from the comparison. The fingerprint identification method is highly feasible and has high identification accuracy.
The fingerprint extraction method and fingerprint identification method for HTTPS webpages according to the embodiments of the present invention allow network services to be managed more effectively while information security is preserved, and can prevent criminals from transmitting illegal and harmful information by means of HTTPS-encrypted webpages.
Although the embodiments disclosed in the present invention are as described above, their content is only an implementation adopted to make the technical solution of the present invention easier to understand, and is not intended to limit the present invention. Any person skilled in the technical field to which the present invention belongs may make any modifications and changes in the form and details of implementation without departing from the core technical solution disclosed by the present invention, but the scope of protection of the present invention remains that defined by the appended claims.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510213462.6A CN104765884B (en) | 2015-04-30 | 2015-04-30 | A kind of fingerprint identification method of HTTPS webpages |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104765884A CN104765884A (en) | 2015-07-08 |
CN104765884B true CN104765884B (en) | 2018-06-22 |
Family
ID=53647711
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510213462.6A Active CN104765884B (en) | 2015-04-30 | 2015-04-30 | A kind of fingerprint identification method of HTTPS webpages |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104765884B (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
EXSB | Decision made by sipo to initiate substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |