CN105407068B - Network Data Capture methods, devices and systems - Google Patents

Info

Publication number: CN105407068B
Authority: CN (China)
Application number: CN201410307404.5A
Other languages: Chinese (zh)
Other versions: CN105407068A
Legal status: Active
Prior art keywords: ssl, network data, tls, server, tls server
Inventors: 梁捷, 何小鹏, 杨伟
Current assignee: Alibaba China Co Ltd
Original assignee: Ucweb Inc
Classification: Data Exchanges In Wide-Area Networks

Abstract

The network data acquisition method, device and system of the invention encrypt and encapsulate a network data acquisition request based on the SSL/TLS protocol; the request is then sent via the middle layer to an SSL/TLS server, which decrypts it and obtains the network data from the destination server; the obtained network data is then encrypted and encapsulated based on the SSL/TLS protocol and returned to the terminal device via the middle layer. Because data between the terminal device and the SSL/TLS server is transmitted as ciphertext, and the network data is obtained by relaying through the SSL/TLS server, the invention prevents traffic hijacking when accessing a target website that does not support the https protocol.

Description

Network Data Capture methods, devices and systems
Technical field
The present invention relates to the field of mobile communication technology and, more specifically, to a network data acquisition method, device and system.
Background art
The mainstream transmission mode for network transmission at present is http. Network transmission based on the http protocol is plaintext transmission, so the traffic can be arbitrarily controlled on the way. A traditional program is downloaded to the device in advance, so only its communication data appears in the traffic at run time; a WebApp used online carries not only communication data but also the program's interface and code in its traffic, which makes hijacking trivially easy. Consequently, traffic hijacking is widespread on the Internet and the mobile Internet.
Fig. 1 shows the flow chart of normal access to a target website. As shown in Fig. 1, when a user requests access to a target website, the terminal device first establishes a connection with the target website based on the http protocol and then sends a network request to the target website via the middle layer. The target website sends the requested network data to the terminal device via the middle layer according to the received network request.
Fig. 2 shows the flow chart of access to a target website being hijacked. As shown in Fig. 2, when a user requests access to a target website, the terminal device first establishes a connection with the target website based on the http protocol and then sends a network request to the target website via the middle layer; a network operator or a hacker uses a traffic bypass analysis system or a network sniffing system in the middle layer to intercept the content of the user's request, then redirects it to a forged website address or answers the terminal device with the requested network data before the target website can. Hijacked access to a target website leads to phishing attacks by forged websites, frequent injection of illegal advertisement pop-ups, poisoning of the http cache, illegal and malicious sniffing of account systems, and so on. If the requested network data is answered to the terminal device by the hijacker first, the terminal device obtains wrong or illegitimate data. The middle layer refers to all network nodes passed through between the user terminal and the target website, including but not limited to the user's home router, the servers of network operators at all levels, and network devices.
Data encrypted with SSL/TLS in the prior art is difficult to crack and even harder to tamper with during network transmission. In practice, SSL/TLS solves the traffic hijacking problem very well. However, the number of websites currently deploying https in China is still very small, so websites that do not support the https protocol are hijacked by operators or hackers when accessed.
Summary of the invention
In view of the above problems, the object of the present invention is to provide a network data acquisition method, device and system that can solve the traffic hijacking problem when accessing a target website that does not support the https protocol.
According to one aspect of the present invention, a network data acquisition method executed on the terminal device side is provided, comprising:
according to the destination server address in a detected network data acquisition request, obtaining the corresponding SSL/TLS server address from a locally stored SSL/TLS server database, wherein the SSL/TLS server database stores a mapping table between destination server addresses and SSL/TLS server addresses;
after obtaining the corresponding SSL/TLS server address, encrypting and encapsulating the network data acquisition request based on the SSL/TLS protocol;
sending the encrypted and encapsulated network data acquisition request via the middle layer to the SSL/TLS server corresponding to the SSL/TLS server address, so that the SSL/TLS server, after decryption, obtains the network data from the destination server;
receiving, successively via the SSL/TLS server and the middle layer, the network data returned from the destination server after the SSL/TLS server has encrypted and encapsulated it based on the SSL/TLS protocol.
Wherein the locally stored SSL/TLS server database is updated using the mapping table between destination server addresses and SSL/TLS server addresses issued to the terminal device by an external data dispatching platform.
Wherein the mapping table between destination server addresses and SSL/TLS server addresses is determined by the external data dispatching platform according to previously collected statistics on the hijacking of network data acquisition requests.
Wherein the external data dispatching platform issues the mapping table between destination server addresses and SSL/TLS server addresses to the terminal device in broadcast mode.
Wherein the SSL/TLS server address comprises the IP address of the SSL/TLS server or the domain name address of the SSL/TLS server.
Wherein, when the SSL/TLS server address is the domain name address of the SSL/TLS server, the SSL/TLS server with which the terminal device transmits data is determined according to the current network state of the terminal device.
Another preferred network data acquisition method of the present invention comprises:
on the terminal device side,
according to the destination server address in a detected network data acquisition request, obtaining the corresponding SSL/TLS server address from a locally stored SSL/TLS server database, wherein the SSL/TLS server database stores a mapping table between destination server addresses and SSL/TLS server addresses;
after obtaining the corresponding SSL/TLS server address, encrypting and encapsulating the network data acquisition request based on the SSL/TLS protocol;
sending the encrypted and encapsulated network data acquisition request to the SSL/TLS server corresponding to the SSL/TLS server address, so that the SSL/TLS server, after decryption, obtains the network data from the destination server;
receiving, successively via the SSL/TLS server and the middle layer, the network data returned from the destination server after the SSL/TLS server has encrypted and encapsulated it based on the SSL/TLS protocol;
and
on the SSL/TLS server side,
decrypting the received encrypted and encapsulated network data acquisition request;
obtaining the network data from the corresponding destination server based on the decrypted network data acquisition request;
encrypting and encapsulating the obtained network data based on the SSL/TLS protocol and then sending it to the terminal device.
In another aspect, the present invention also provides a network data acquisition device, comprising:
an SSL/TLS server address acquiring unit, for obtaining, according to the destination server address in a detected network data acquisition request, the corresponding SSL/TLS server address from a locally stored SSL/TLS server database, wherein the SSL/TLS server database stores a mapping table between destination server addresses and SSL/TLS server addresses;
a request encryption unit, for encrypting and encapsulating the network data acquisition request based on the SSL/TLS protocol after the SSL/TLS server address acquiring unit has obtained the corresponding SSL/TLS server address;
a request transmitting unit, for sending the encrypted and encapsulated network data acquisition request to the SSL/TLS server corresponding to the SSL/TLS server address, so that the SSL/TLS server, after decryption, obtains the network data from the destination server;
a network data receiving unit, for receiving, successively via the SSL/TLS server and the middle layer, the network data returned from the destination server after the SSL/TLS server has encrypted and encapsulated it based on the SSL/TLS protocol.
Wherein the device further comprises a data updating unit, for updating the locally stored SSL/TLS server database with the mapping table between destination server addresses and SSL/TLS server addresses issued to the terminal device by an external data dispatching platform.
In the preferred network data acquisition device, the network data acquisition device is arranged in the terminal device.
In another aspect, the present invention also provides a network data acquisition device comprising an SSL/TLS server address acquiring unit, a request encryption unit, a request transmitting unit and a network data receiving unit arranged in the terminal device, and a decryption unit, a network data acquisition unit and a network data encryption unit arranged in the SSL/TLS server, wherein:
the SSL/TLS server address acquiring unit is for obtaining, according to the destination server address in a detected network data acquisition request, the corresponding SSL/TLS server address from a locally stored SSL/TLS server database, wherein the SSL/TLS server database stores a mapping table between destination server addresses and SSL/TLS server addresses;
the request encryption unit is for encrypting and encapsulating the network data acquisition request based on the SSL/TLS protocol after the SSL/TLS server address acquiring unit has obtained the corresponding SSL/TLS server address;
the request transmitting unit is for sending the encrypted and encapsulated network data acquisition request to the SSL/TLS server corresponding to the SSL/TLS server address, so that the SSL/TLS server, after decryption, obtains the network data from the destination server;
the network data receiving unit is for receiving, successively via the SSL/TLS server and the middle layer, the network data returned from the destination server after the SSL/TLS server has encrypted and encapsulated it based on the SSL/TLS protocol;
the decryption unit is for decrypting the encrypted and encapsulated network data acquisition request received from the terminal device via the middle layer;
the network data acquisition unit is for obtaining the network data from the corresponding destination server based on the decrypted network data acquisition request;
the network data transmission unit is for sending the obtained network data to the terminal device after it has been encrypted and encapsulated based on the SSL/TLS protocol.
In another aspect, the present invention also provides a network data acquisition system comprising a terminal device, a middle layer and an SSL/TLS server, wherein:
the terminal device comprises the above-mentioned SSL/TLS server address acquiring unit, request encryption unit, request transmitting unit and network data receiving unit, and/or a data updating unit for updating the locally stored SSL/TLS server database with the mapping table between destination server addresses and SSL/TLS server addresses issued to the terminal device by an external data dispatching platform;
the SSL/TLS server comprises:
a decryption unit, for decrypting the encrypted and encapsulated network data acquisition request received from the terminal device via the middle layer;
a network data acquisition unit, for obtaining the network data from the corresponding destination server based on the decrypted network data acquisition request;
a network data encryption unit, for encrypting and encapsulating the obtained network data based on the SSL/TLS protocol before it is sent to the terminal device via the middle layer.
Wherein the system further comprises an external data dispatching platform, which comprises:
a data distributing unit, for issuing the mapping table between destination server addresses and SSL/TLS server addresses to the terminal device;
a data statistics unit, for determining the mapping table between destination server addresses and SSL/TLS server addresses according to previously collected statistics on the hijacking of network data acquisition requests.
The network data acquisition method, device and system of the invention encrypt and encapsulate a network data acquisition request based on the SSL/TLS protocol; the request is then sent via the middle layer to an SSL/TLS server, which decrypts it and obtains the network data from the destination server; the obtained network data is then encrypted and encapsulated based on the SSL/TLS protocol and returned to the terminal device via the middle layer. Because data between the terminal device and the SSL/TLS server is transmitted as ciphertext, and the network data is obtained by relaying through the SSL/TLS server, the invention prevents traffic hijacking when accessing a target website that does not support the https protocol.
To accomplish the foregoing and related purposes, one or more aspects of the present invention include the features particularly described below and pointed out in the claims. The following description and the annexed drawings describe certain illustrative aspects of the invention in detail. However, these aspects indicate only some of the various ways in which the principles of the present invention may be used. In addition, the present invention is intended to include all such aspects and their equivalents.
Detailed description of the invention
By reference to the following description taken in conjunction with the accompanying drawings and the contents of the claims, and with a more comprehensive understanding of the invention, other objects and results of the present invention will be more clearly understood. In the accompanying drawings:
Fig. 1 shows the flow chart of normal access to a target website;
Fig. 2 shows the flow chart of access to a target website being hijacked;
Fig. 3 shows the structure chart of the network data acquisition system of an embodiment according to the present invention;
Fig. 4 shows an instance diagram of the network data acquisition system 10;
Fig. 5 shows an exemplary block diagram of the network data acquisition device 300 of an embodiment according to the present invention;
Fig. 6 shows an exemplary block diagram of the SSL/TLS server 40 of the network data acquisition system 10 according to the invention;
Fig. 7 shows the flow chart of the network data acquisition method of an embodiment according to the present invention;
Fig. 8 shows the structure chart of a network data acquisition system according to another embodiment of the present invention;
Fig. 9 is an exemplary diagram of the network data acquisition system 20 of Fig. 8;
Figure 10 shows the device block diagram of the external data dispatching platform.
Identical labels indicate similar or corresponding features or functions in all the appended drawings.
Specific embodiment
The technical solutions in the embodiments of the present invention will be described clearly and completely below with reference to the drawings of the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
The network data acquisition method, device and system provided by the invention use encrypted data transmission in regions where traffic hijacking exists, preventing the traffic hijacking problem when accessing a target website that does not support the https protocol.
Fig. 3 shows the structure chart of the network data acquisition system of an embodiment according to the present invention.
As shown in Fig. 3, the network data acquisition system 10 comprises a terminal device 30, an SSL/TLS server 40 and a middle layer 50. The terminal device comprises a network data acquisition device 300.
Fig. 4 shows an instance diagram of the network data acquisition system 10.
Fig. 5 shows an exemplary block diagram of the network data acquisition device 300 of an embodiment according to the present invention.
As shown in Fig. 5, the network data acquisition device 300 comprises an SSL/TLS server address acquiring unit 301, a request encryption unit 302, a request transmitting unit 303 and a network data receiving unit 304.
The SSL/TLS server address acquiring unit 301 is for obtaining, according to the destination server address in a detected network data acquisition request, the corresponding SSL/TLS server address from the locally stored SSL/TLS server database, wherein the SSL/TLS server database stores a mapping table between destination server addresses and SSL/TLS server addresses. A network data acquisition request includes a request to obtain web page data or a request to obtain other network data, such as a request to obtain a software installation package.
The destination server may be the server of a web page the user requests access to, or the server of data the user requests. For example, when a software installation package is obtained, the destination server is the server that provides the software download.
The request encryption unit 302 is for encrypting and encapsulating the network data acquisition request based on the SSL/TLS protocol after the SSL/TLS server address acquiring unit 301 has obtained the corresponding SSL/TLS server address.
The request transmitting unit 303 is for sending the encrypted and encapsulated network data acquisition request to the SSL/TLS server corresponding to the SSL/TLS server address, so that the SSL/TLS server, after decryption, obtains the network data from the destination server.
Before the request transmitting unit 303 sends the encrypted and encapsulated network data acquisition request to the SSL/TLS server 40 corresponding to the SSL/TLS server address, a network establishing module (not shown) of the terminal device 30 must establish a network connection with the SSL/TLS server based on the SSL/TLS protocol according to the network data acquisition request. When the network connection is established, if the SSL/TLS server address is an IP address, the network connection is established directly with the SSL/TLS server corresponding to that IP address. If the SSL/TLS server address is the domain name of the SSL/TLS server, the domain name is first resolved by a domain name resolution server, and the resolution may yield several SSL/TLS server IP addresses. In a preferred embodiment, the SSL/TLS server with which the terminal device transmits data is selected according to the current network state; the domain name resolution server returns the IP address of that SSL/TLS server to the terminal device, and the terminal device transmits data with the SSL/TLS server corresponding to that IP address. In a preferred embodiment, the domain name resolution server also selects, by CDN technology, the SSL/TLS server IP address that it returns to the terminal device.
When the SSL/TLS server address is the domain name of the SSL/TLS server, selecting the SSL/TLS server by CDN technology according to the current network state of the terminal device selects the optimal SSL/TLS server cluster and network line, which makes the network data transmission rate faster and improves network data transmission efficiency.
The network data receiving unit 304 is for receiving, successively via the SSL/TLS server 40 and the middle layer 50, the network data returned from the destination server after the SSL/TLS server has encrypted and encapsulated it based on the SSL/TLS protocol.
Fig. 6 shows an exemplary block diagram of the SSL/TLS server 40 of the network data acquisition system 10 according to the invention.
As shown in Fig. 6, the SSL/TLS server 40 comprises a decryption unit 401, a network data acquisition unit 402, a network data encryption unit 403 and a network data transmission unit 404.
The decryption unit 401 is for decrypting the encrypted and encapsulated network data acquisition request received from the terminal device via the middle layer. The decrypted network data acquisition request is a network data request of the http protocol; data between the SSL/TLS server and the destination server is transmitted by the http protocol, that is, in plaintext. Since the decrypted network data request is based on the http protocol, the way network data is obtained here is the same as the common way of obtaining network data based on the http protocol and is not described again.
The network data acquisition unit 402 is for obtaining the network data from the corresponding destination server based on the decrypted network data acquisition request.
In a preferred embodiment, a network data encryption unit 403 is further included, for encrypting and encapsulating the obtained network data based on the SSL/TLS protocol. Since the network connection previously established between the terminal device and the SSL/TLS server uses the SSL/TLS protocol, the returned network data must be network data that has been encrypted and encapsulated by the SSL/TLS protocol.
The network data transmission unit 404 is for sending the network data encrypted and encapsulated by the network data encryption unit 403 to the network data receiving unit 304 of the terminal device 30 via the middle layer 50.
Fig. 7 shows the flow chart of the network data acquisition method of an embodiment according to the present invention.
As shown in Fig. 7, after a network data acquisition request input by the user is received, step S700 is executed: the terminal device obtains, according to the destination server address in the detected network data acquisition request, the corresponding SSL/TLS server address from the locally stored SSL/TLS server database. The SSL/TLS server database stores a mapping table between destination server addresses and SSL/TLS server addresses.
A network data acquisition request includes a request to obtain web page data or a request to obtain other network data, such as a request to obtain a software installation package.
The destination server may be the server of a web page the user requests access to, or the server of data the user requests. For example, when a software installation package is obtained, the destination server is the server that provides the software download.
In this step, the SSL/TLS server address comprises the IP address of the SSL/TLS server or the domain name address of the SSL/TLS server.
When the SSL/TLS server address is the domain name address of the SSL/TLS server, the domain name must also be resolved by a domain name resolution server to obtain the IP address of the SSL/TLS server.
After the corresponding SSL/TLS server address has been obtained, step S710 is executed: the terminal device encrypts and encapsulates the network data acquisition request based on the SSL/TLS protocol. This step is equivalent to converting a network data acquisition request that was originally of the http protocol into a network data acquisition request based on the https protocol by encrypting and encapsulating it with the SSL/TLS protocol. Since the destination server does not support https, an SSL/TLS server must be set up to decrypt the https and obtain the http network data acquisition request. The acquisition mode, originally the terminal device connecting directly to the destination server by the http protocol, is thus converted into obtaining the network data by relaying through the SSL/TLS server. The address of the SSL/TLS server is added to the network data acquisition request to realize the relay through the SSL/TLS server.
After S710 is completed, S720 is executed: the terminal device sends the encrypted and encapsulated network data acquisition request via the middle layer to the SSL/TLS server corresponding to the SSL/TLS server address.
Before step S720 is executed, a network connection based on the SSL/TLS protocol must be established between the terminal device and the SSL/TLS server according to the network data acquisition request. When the network connection is established, if the SSL/TLS server address is an IP address, the network connection is established directly with the SSL/TLS server corresponding to that IP address. If the SSL/TLS server address is the domain name of the SSL/TLS server, the domain name must first be resolved by a domain name resolution server, and the resolution may yield several SSL/TLS server IP addresses. In a preferred embodiment, the SSL/TLS server with which the terminal device transmits data is selected according to the current network state; the domain name resolution server returns the IP address of that SSL/TLS server to the terminal device, and the terminal device transmits data with the SSL/TLS server corresponding to that IP address. In a preferred embodiment, the domain name resolution server also selects, by CDN technology, the SSL/TLS server IP address that it returns to the terminal device.
When the SSL/TLS server address is the domain name of the SSL/TLS server, selecting the SSL/TLS server by CDN technology according to the current network state of the terminal device can select the optimal SSL/TLS server cluster and network line, which makes the network data transmission rate faster and improves network data transmission efficiency.
After the SSL/TLS server receives the encrypted and encapsulated network data acquisition request, S730 is executed: the SSL/TLS server decrypts the received encrypted and encapsulated network data acquisition request. The decrypted network data acquisition request is a network data request of the http protocol; data between the SSL/TLS server and the destination server is transmitted by the http protocol, that is, in plaintext.
After S730 is completed, S740 is executed: the SSL/TLS server sends the decrypted network data acquisition request to the destination server. Since the decrypted network data request is based on the http protocol, the way network data is obtained here is the same as the common way of obtaining network data based on the http protocol and is not described again.
After the destination server receives the network data acquisition request, it returns the network data to the SSL/TLS server. The SSL/TLS server encrypts and encapsulates the network data based on the SSL/TLS protocol (S750). The SSL/TLS server then returns the encrypted and encapsulated network data to the terminal device via the middle layer (S760). Since the network connection previously established between the terminal device and the SSL/TLS server uses the SSL/TLS protocol, the returned network data must be network data encrypted and encapsulated by the SSL/TLS protocol.
After the terminal device receives the encrypted and encapsulated network data, S770 is executed: the terminal device decrypts the encrypted and encapsulated network data to obtain the final network data.
In the network data acquisition method of this embodiment, the terminal device encrypts and encapsulates the network acquisition request based on the SSL/TLS protocol; the SSL/TLS server then decrypts it, obtains the network data from the destination server based on the decrypted network acquisition request, encrypts and encapsulates the network data based on the SSL/TLS protocol once it has been obtained, and returns it to the terminal device; the terminal device decrypts the encrypted and encapsulated network data to obtain the final data. In this embodiment, data is transmitted between the terminal device and the SSL/TLS server as ciphertext, and the network data is obtained by relaying through the SSL/TLS server, which prevents traffic hijacking when accessing a target website that does not support the https protocol.
The present invention also provides Network Data Capture devices on the basis of Network Data Capture device 300 as shown in Figure 5 Increase decryption unit 401, Network Data Capture unit 402, network data encryption unit 403 and network data transmission unit 404。
The decryption unit 401, Network Data Capture unit 402, network data encryption unit 403 and network data are sent Unit 404 is identical as the working method of previous embodiment and effect, and which is not described herein again.
Fig. 8 shows the structural diagram of a network data capture system according to another embodiment of the present invention.
Fig. 9 is an example diagram of the network data capture system 20 of Fig. 8.
The network data capture system 20 shown in Fig. 8 adds an external data dispatching platform 60 on the basis of the network data capture system 10 shown in Fig. 3.
Figure 10 shows the block diagram of the external data dispatching platform.
The external data dispatching platform 60 shown in Figure 10 comprises:
a data statistics unit 601, for determining the mapping table between destination server addresses and SSL/TLS server addresses according to hijacking information from previously collected network data acquisition requests.
The SSL/TLS server address here is either the IP address of the SSL/TLS server or the domain name address of the SSL/TLS server. When the SSL/TLS server address is a domain name address, the domain name must additionally be resolved through a domain name resolution server to obtain the IP address of the SSL/TLS server.
a data distributing unit 602, for issuing the mapping table between destination server addresses and SSL/TLS server addresses to the terminal device 30. When the data statistics unit 601 of the external data dispatching platform 60 discovers through its statistics that users in a certain region suffer traffic hijacking, it records the locations of those users and information about the destination servers they requested; the destination server information may include the destination server address. It then assigns an SSL/TLS server address based on this information and generates the correspondence between destination server address and SSL/TLS server address.
In a preferred embodiment the data distributing unit 602 of the external data dispatching platform 60 issues the mapping table between destination server addresses and SSL/TLS server addresses to the terminal device 30 by broadcast.
In a preferred embodiment the terminal device 30 further includes a data updating unit (not shown), for updating the locally stored SSL/TLS server database with the mapping table between destination server addresses and SSL/TLS server addresses issued by the external data dispatching platform 60 to the terminal device 30.
The CD server shown in Fig. 7 and Fig. 8, i.e. the external data dispatching platform 60, is connected to the terminal device 30.
The mapping table between destination server addresses and SSL/TLS server addresses in this embodiment is determined by the data statistics unit 601 of the external data dispatching platform according to hijacking information from previously collected network data acquisition requests. The middle layer between the SSL/TLS server and the terminal device is a middle layer in which network data acquisition requests are at risk of being hijacked; and when the SSL/TLS server fetches network data from the destination server, there is also a middle layer between the SSL/TLS server and the destination server. In a preferred embodiment an SSL/TLS server located in a safe area is selected to perform the network data capture, i.e. an SSL/TLS server with no hijacking risk is chosen to obtain the network data, so that the intermediate network between the SSL/TLS server and the destination server is one in which data transmission carries no hijacking risk. In other words, the SSL/TLS server is deployed in an unpolluted network area, and that area is identified through the statistics of the external data dispatching platform.
When the data statistics unit 601 of the external data dispatching platform 60 discovers through its statistics that users in a certain region suffer traffic hijacking, it records the locations of those users and information about the destination servers they requested (which may include the destination server address), then assigns an SSL/TLS server address based on this information and generates the mapping table between destination server address and SSL/TLS server address. For example, if the data statistics unit of the external data dispatching platform discovers through statistics that users in Guangzhou are hijacked when accessing Sina, it selects an SSL/TLS server cluster deployed in Wuhan as the SSL/TLS server and generates a mapping table between the Sina website server address and the address of the Wuhan SSL/TLS server cluster. Specifically, this may be a domain name mapping table between the Sina domain name and the domain name of the Wuhan SSL/TLS server cluster.
The data distributing unit 602 of the external data dispatching platform 60 then sends the mapping table between destination server addresses and SSL/TLS server addresses to the terminal device 30 by broadcast.
The SSL/TLS server database locally stored by the terminal device 30 is updated with the mapping table between destination server addresses and SSL/TLS server addresses that the external data dispatching platform broadcast to the terminal device 30.
After the terminal device 30 receives a network data acquisition request input by the user, the SSL/TLS server address acquisition unit 301 of the terminal device 30 looks up the SSL/TLS server address in the mapping table between destination server addresses and SSL/TLS server addresses, using the destination server address carried in the network data acquisition request. When a corresponding SSL/TLS server address is found in the mapping table, the request encryption unit 302 of the terminal device 30 encrypts and encapsulates the ordinary http-based network data acquisition request with the SSL/TLS protocol, turning it into an https-based network data acquisition request. The network establishing module of the terminal device 30 (not shown) then establishes an https-based network connection between the terminal device 30 and the SSL/TLS server 40. The request sending unit 303 of the terminal device 30 then sends the encrypted and encapsulated network data acquisition request via the middle layer 50 to the SSL/TLS server 40 corresponding to the SSL/TLS server address. After the SSL/TLS server 40 receives the request, the decryption unit 401 decrypts it, and the network data capture unit 402 obtains the network data from the destination server according to the decrypted network data acquisition request.
After receiving the network data returned by the destination server, the network data encryption unit 403 of the SSL/TLS server 40 encrypts and encapsulates the network data based on the SSL/TLS protocol. The network data sending unit 404 then returns the encrypted and encapsulated network data to the terminal device 30 via the middle layer 50. The terminal device 30 decrypts the encrypted and encapsulated network data to obtain the final network data.
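The flow above, from hijack statistics to the terminal's routing decision, as an added example that is not the patent's own code: the statistics unit builds a per-region mapping table from constructed hijack reports, the terminal merges the broadcast into its local SSL/TLS server database, and a request is either sent directly over plain HTTP or encapsulated for the mapped SSL/TLS relay. Hostnames, region names and the report threshold are assumptions; real TLS is not performed, plain dicts stand in for the encrypted envelopes.

```python
"""Added example, not the patent's own code: a minimal model of the
mapping-table pipeline described above, run on constructed sample data.
Real TLS is not performed; the envelopes are plain dicts standing in for it."""
from collections import Counter
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed hijack reports: (user region, destination host, hijacked?).
HIJACK_REPORTS: List[Tuple[str, str, bool]] = [
    ("guangzhou", "news.example", True),
    ("guangzhou", "news.example", True),
    ("guangzhou", "news.example", True),
    ("guangzhou", "shop.example", True),
    ("shanghai", "news.example", False),
    ("shanghai", "news.example", True),
]

# Constructed SSL/TLS relay clusters, keyed by the (assumed clean) area they sit in.
RELAY_CLUSTERS: Dict[str, str] = {
    "wuhan": "relay-wuhan.example",
    "beijing": "relay-beijing.example",
}

MappingTable = Dict[str, Dict[str, str]]  # region -> {destination host -> relay}


def build_mapping_table(reports: List[Tuple[str, str, bool]],
                        clusters: Dict[str, str],
                        min_reports: int = 3) -> MappingTable:
    """Statistics unit: count hijack reports per (region, destination) and map each
    destination that reaches the threshold to a relay cluster outside that region."""
    counts = Counter((region, host) for region, host, hijacked in reports if hijacked)
    table: MappingTable = {}
    for (region, host), n in sorted(counts.items()):
        if n < min_reports:
            continue
        candidates = [addr for area, addr in sorted(clusters.items()) if area != region]
        if candidates:  # assumption: the first candidate in name order is chosen
            table.setdefault(region, {})[host] = candidates[0]
    return table


class TerminalDevice:
    """Terminal-side units: local SSL/TLS server database, data updating unit,
    SSL/TLS server address acquisition unit and (modelled) request encryption unit."""

    def __init__(self, region: str) -> None:
        self.region = region
        self.relay_db: Dict[str, str] = {}  # locally stored SSL/TLS server database

    def receive_broadcast(self, table: MappingTable) -> None:
        """Data updating unit: merge the broadcast entries that apply to this region."""
        self.relay_db.update(table.get(self.region, {}))

    def lookup_relay(self, host: str) -> Optional[str]:
        """SSL/TLS server address acquisition unit: None means no relay is mapped."""
        return self.relay_db.get(host)

    def build_request(self, url: str) -> dict:
        """Model of the outgoing request.  With no mapped relay the plain-HTTP request
        goes straight to the destination; otherwise it is encapsulated for the relay."""
        parsed = urlparse(url)
        host = parsed.hostname or ""
        inner = {"method": "GET", "host": host, "path": parsed.path or "/"}
        relay = self.lookup_relay(host)
        if relay is None:
            return {"scheme": "http", "connect_to": host, "request": inner}
        return {"scheme": "https", "connect_to": relay, "encapsulated": inner}


def relay_fetch(envelope: dict, origins: Dict[str, Dict[str, str]]) -> dict:
    """SSL/TLS server side (modelled): unwrap the request, fetch the body from the
    destination server and hand it back to be returned over the HTTPS connection."""
    inner = envelope["encapsulated"]
    body = origins.get(inner["host"], {}).get(inner["path"], "")
    return {"scheme": "https", "host": inner["host"], "body": body}
```

Only destinations whose hijack count crosses the threshold for a region are relayed; every other request still goes direct, which is what limits the relay to the affected region and sites.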
In the network data capture system of this embodiment, the terminal device encrypts and encapsulates the network acquisition request based on the SSL/TLS protocol; the SSL/TLS server decrypts it, fetches the network data from the destination server according to the decrypted request, encrypts and encapsulates the fetched network data based on the SSL/TLS protocol and returns it to the terminal device; the terminal device then decrypts the encrypted and encapsulated network data to obtain the final data. Because data between the terminal device and the SSL/TLS server is transmitted as ciphertext, and the network data is obtained through the SSL/TLS server acting as a relay, traffic hijacking is prevented when accessing a target website that does not support the https protocol.
Those of ordinary skill in the art will appreciate that the units and algorithm steps described in connection with the embodiments disclosed herein can be implemented in electronic hardware, or in a combination of computer software and electronic hardware. Whether these functions are performed in hardware or in software depends on the specific application and the design constraints of the technical solution. A skilled person may use different methods to implement the described functions for each specific application, but such implementation should not be regarded as going beyond the scope of the present invention.
It will be clear to those skilled in the art that, for convenience and brevity of description, the specific working process of the systems, devices and units described above may be found in the corresponding processes of the foregoing method embodiments and is not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed systems, devices and methods may be implemented in other ways. For example, the device embodiments described above are merely illustrative; the division into units is only a division by logical function, and other divisions are possible in actual implementation: for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. Furthermore, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the various embodiments of the present invention may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit.
If the functions are implemented in the form of software functional units and sold or used as an independent product, they may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention, in essence, or the part that contributes to the prior art, or part of the technical solution, may be embodied in the form of a software product; the computer software product is stored in a storage medium and includes instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) or a processor to execute all or part of the steps of the method described in each embodiment of the present invention. The aforementioned storage medium includes: a USB flash disk, a removable hard disk, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), a magnetic disk or an optical disk, or any other medium capable of storing program code.
The above is only a specific embodiment of the present invention, but the scope of protection of the present invention is not limited thereto; any change or replacement that a person familiar with the art can readily conceive within the technical scope disclosed by the present invention shall be covered by the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be that of the claims.

Claims (13)

1. A network data capture method executed on the terminal device side, comprising:
according to the destination server address in a detected network data acquisition request, obtaining the corresponding SSL/TLS server address from a locally stored SSL/TLS server database, wherein the SSL/TLS server database stores a mapping table between destination server addresses and SSL/TLS server addresses;
after the corresponding SSL/TLS server address has been obtained, encrypting and encapsulating the network data acquisition request based on the SSL/TLS protocol;
sending the encrypted and encapsulated network data acquisition request via a middle layer to the SSL/TLS server corresponding to the SSL/TLS server address, so that the SSL/TLS server obtains network data from the destination server after decryption processing;
receiving, successively via the SSL/TLS server and the middle layer, the network data returned from the destination server and encrypted and encapsulated by the SSL/TLS server based on the SSL/TLS protocol.
2. The network data capture method of claim 1, wherein the locally stored SSL/TLS server database is updated using the mapping table between destination server addresses and SSL/TLS server addresses issued by an external data dispatching platform to the terminal device.
3. The network data capture method of claim 2, wherein the mapping table between destination server addresses and SSL/TLS server addresses is determined by the external data dispatching platform according to hijacking information from previously collected network data acquisition requests.
4. The network data capture method of claim 2, wherein the external data dispatching platform issues the mapping table between destination server addresses and SSL/TLS server addresses to the terminal device by broadcast.
5. The network data capture method of claim 1, wherein the SSL/TLS server address comprises the IP address of the SSL/TLS server or the domain name address of the SSL/TLS server.
6. The network data capture method of claim 5, wherein, when the SSL/TLS server address is the domain name address of the SSL/TLS server, the SSL/TLS server that performs data transmission with the terminal device is determined according to the current network state of the terminal device.
7. A network data capture method, comprising:
on the terminal device side,
according to the destination server address in a detected network data acquisition request, obtaining the corresponding SSL/TLS server address from a locally stored SSL/TLS server database, wherein the SSL/TLS server database stores a mapping table between destination server addresses and SSL/TLS server addresses;
after the corresponding SSL/TLS server address has been obtained, encrypting and encapsulating the network data acquisition request based on the SSL/TLS protocol;
sending the encrypted and encapsulated network data acquisition request via a middle layer to the SSL/TLS server corresponding to the SSL/TLS server address, so that the SSL/TLS server obtains network data from the destination server after decryption processing;
receiving, successively via the SSL/TLS server and the middle layer, the network data returned from the destination server and encrypted and encapsulated by the SSL/TLS server based on the SSL/TLS protocol;
and
on the SSL/TLS server side,
decrypting the received encrypted and encapsulated network data acquisition request;
obtaining network data from the corresponding destination server based on the decrypted network data acquisition request;
encrypting and encapsulating the obtained network data based on the SSL/TLS protocol and then sending it to the terminal device.
8. A network data capture device arranged in a terminal device, comprising:
an SSL/TLS server address acquisition unit, for obtaining, according to the destination server address in a detected network data acquisition request, the corresponding SSL/TLS server address from a locally stored SSL/TLS server database, wherein the SSL/TLS server database stores a mapping table between destination server addresses and SSL/TLS server addresses;
a request encryption unit, for encrypting and encapsulating the network data acquisition request based on the SSL/TLS protocol after the SSL/TLS server address acquisition unit has obtained the corresponding SSL/TLS server address;
a request sending unit, for sending the encrypted and encapsulated network data acquisition request via a middle layer to the SSL/TLS server corresponding to the SSL/TLS server address, so that the SSL/TLS server obtains network data from the destination server after decryption processing;
a network data receiving unit, for receiving, successively via the SSL/TLS server and the middle layer, the network data returned from the destination server and encrypted and encapsulated by the SSL/TLS server based on the SSL/TLS protocol.
9. The network data capture device of claim 8, further comprising:
a data updating unit, for updating the locally stored SSL/TLS server database using the mapping table between destination server addresses and SSL/TLS server addresses issued by an external data dispatching platform to the terminal device.
10. The network data capture device of claim 8, wherein the network data capture device is arranged in the terminal device.
11. A network data capture device, comprising: an SSL/TLS server address acquisition unit, a request encryption unit, a request sending unit and a network data receiving unit arranged in a terminal device, and a decryption unit, a network data capture unit, a network data encryption unit and a network data sending unit arranged in an SSL/TLS server,
the SSL/TLS server address acquisition unit being for obtaining, according to the destination server address in a detected network data acquisition request, the corresponding SSL/TLS server address from a locally stored SSL/TLS server database, wherein the SSL/TLS server database stores a mapping table between destination server addresses and SSL/TLS server addresses;
the request encryption unit being for encrypting and encapsulating the network data acquisition request based on the SSL/TLS protocol after the SSL/TLS server address acquisition unit has obtained the corresponding SSL/TLS server address;
the request sending unit being for sending the encrypted and encapsulated network data acquisition request via a middle layer to the SSL/TLS server corresponding to the SSL/TLS server address, so that the SSL/TLS server obtains network data from the destination server after decryption processing;
the network data receiving unit being for receiving, successively via the SSL/TLS server and the middle layer, the network data returned from the destination server and encrypted and encapsulated by the SSL/TLS server based on the SSL/TLS protocol;
the decryption unit being for decrypting the encrypted and encapsulated network data acquisition request received from the terminal device via the middle layer;
the network data capture unit being for obtaining network data from the corresponding destination server based on the decrypted network data acquisition request; the network data encryption unit being for encrypting and encapsulating the obtained network data based on the SSL/TLS protocol;
the network data sending unit being for sending the encrypted and encapsulated network data to the terminal device.
12. A network data capture system, comprising: a terminal device, a middle layer and an SSL/TLS server,
the terminal device including the network data capture device of claim 8 or 9;
the SSL/TLS server comprising:
a decryption unit, for decrypting the encrypted and encapsulated network data acquisition request received from the terminal device via the middle layer;
a network data capture unit, for obtaining network data from the corresponding destination server based on the decrypted network data acquisition request;
a network data encryption unit, for encrypting and encapsulating the obtained network data based on the SSL/TLS protocol;
a network data sending unit, for sending the encrypted and encapsulated network data to the terminal device via the middle layer.
13. The network data capture system of claim 12, further comprising an external data dispatching platform;
the external data dispatching platform comprising:
a data distributing unit, for issuing the mapping table between destination server addresses and SSL/TLS server addresses to the terminal device;
a data statistics unit, for determining the mapping table between destination server addresses and SSL/TLS server addresses according to hijacking information from previously collected network data acquisition requests.
CN201410307404.5A 2014-06-30 2014-06-30 Network Data Capture methods, devices and systems Active CN105407068B (en)


Publications (2)

Publication Number Publication Date
CN105407068A CN105407068A (en) 2016-03-16
CN105407068B true CN105407068B (en) 2019-02-15

Family

ID=55472326

Country Status (1)

Country Link
CN (1) CN105407068B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20210106

Address after: 310052 room 508, 5th floor, building 4, No. 699 Wangshang Road, Changhe street, Binjiang District, Hangzhou City, Zhejiang Province

Patentee after: Alibaba (China) Co.,Ltd.

Address before: 12 / F, 28 Chengfu Road, Haidian District, Beijing 100083

Patentee before: UC MOBILE Ltd.

TR01 Transfer of patent right