CN104270358B - Trustable network transaction system client monitor and its implementation - Google Patents

Abstract

Translated fromChinese

可信网络交易系统客户端监控器及其实现方法。监控器包括分析提取出用户上网过程中的浏览行为功能模块和把提取出的浏览行为按照特定的格式存储为行为日志的功能模块。方法：步骤1、监控器启动之后，请求访问当前主机上的网络适配器接口，成功获得网络适配器的访问接口之后，开始捕获该网络适配器接口的IP层数据包；步骤2、根据IP协议的报文格式，提取出IP数据包中的数据部分，进行下一步解析；对提取出的IP数据包需要进行判断，如果其为TCP数据包，则保留该数据包进行下一步解析；如果不是TCP数据包，则不保留该数据包；等等。本发明作为可信交易安全客户端的基础组件，为后续的工作如基于行为模式的证书等提供了直接和充足的数据。

A client monitor of a trusted network transaction system and its implementation method. The monitor includes a functional module for analyzing and extracting browsing behaviors of users during the surfing process and a functional module for storing the extracted browsing behaviors as behavior logs in a specific format. Method: Step 1, after the monitor starts, request to visit the network adapter interface on the current host, after successfully obtaining the access interface of the network adapter, start to capture the IP layer data packets of the network adapter interface; Step 2, according to the IP protocol message Format, extract the data part in the IP data packet, and proceed to the next step of analysis; the extracted IP data packet needs to be judged, if it is a TCP data packet, then keep the data packet for the next step of analysis; if it is not a TCP data packet , the packet is not retained; and so on. As a basic component of the trusted transaction security client, the invention provides direct and sufficient data for subsequent work such as certificates based on behavior patterns.

Description

Translated fromChinese

可信网络交易系统客户端监控器及其实现方法Trusted network transaction system client monitor and its implementation method

技术领域technical field

本发明属于网络交易安全技术领域。The invention belongs to the technical field of network transaction security.

背景技术Background technique

随着互联网的飞速发展以及计算机科学技术的不断进步，网络交易也如火如荼地迅猛发展起来，这不仅给我国经济的发展提供了持续的动力，同时也给广大人民的生活带来了极大的便利。越来越多的人通过网络交易和支付方式开展业务活动，网络交易的发展前景十分广阔。With the rapid development of the Internet and the continuous advancement of computer science and technology, online transactions have also developed rapidly, which not only provides a continuous impetus to the development of my country's economy, but also brings great convenience to the lives of the people . More and more people carry out business activities through online transactions and payment methods, and the development prospects of online transactions are very broad.

然而，由于网络交易和支付平台兴起不久，网络支付的安全体系还不健全，网络交易流程和行为的可信问题也变得越来越突出，已逐渐成为网络交易发展面临的瓶颈问题。在网络交易中面临的一个问题是，用户身份的可信问题，即参与网络交易的用户身份是否合法。针对这个问题，目前电子商务企业普遍采取的解决方案是数字证书和对软件进行补丁更新或是版本升级。经过调研，以国内某大型网络支付平台公司为例，目前的解决策略在业界的应用存在明显的不足，当用户的账户密码被盗后,无法识别黑客盗用用户的账户进行交易,侵害用户利益的用户身份可信问题。存在这些不足主要原因在于,目前还缺乏一套针对网络交易的可信认证系统，去监控和管理交易中各方的身份和交易行为的可信问题。However, due to the recent rise of online transaction and payment platforms, the security system of online payment is not perfect, and the credibility of online transaction processes and behaviors has become more and more prominent, which has gradually become a bottleneck problem facing the development of online transactions. One of the problems faced in network transactions is the credibility of user identities, that is, whether the user identities participating in network transactions are legal. In response to this problem, the solutions commonly adopted by e-commerce companies are digital certificates and software patch updates or version upgrades. After investigation, taking a large domestic online payment platform company as an example, the current solution strategy has obvious shortcomings in the application of the industry. When the user's account password is stolen, it is impossible to identify the hacker who has stolen the user's account for transactions and violated the user's interests. User identity credible issues. The main reason for these shortcomings is that there is still a lack of a credible authentication system for online transactions to monitor and manage the credibility of the identities and transaction behaviors of all parties in the transaction.

发明内容Contents of the invention

针对这个问题的一种解决方案是，搭建网络交易的第四方认证中心和安全客户端，形成网络交易可信认证系统平台，并制定网络交易可信认证的认证协议。One solution to this problem is to build a fourth-party authentication center and secure client for online transactions, form a trusted authentication system platform for online transactions, and formulate an authentication protocol for trusted authentication of online transactions.

本发明面向的情况是，在可信认证系统中，使用监控器记录客户端用户的上网浏览行为，并以特殊的格式保存成日志文件，以便安全客户端完成其余部分的工作，进而保证可信认证系统的实行。The situation faced by the present invention is that in the trusted authentication system, the monitor is used to record the surfing behavior of the client user, and save it as a log file in a special format, so that the secure client can complete the rest of the work, thereby ensuring the authenticity Implementation of the authentication system.

本发明给出的技术方案为：The technical scheme provided by the present invention is:

一种可信网络交易系统客户端监控器，其特征在于，监控器的功能主要包括两个方面。首先，监控器能够分析提取出用户上网过程中的浏览行为；其次，监控器能把提取出的浏览行为按照特定的格式存储为行为日志。所述浏览行为，即描述一个用户上网过程中特定方式的上网习惯，包括浏览的网页，偏好的上网时间等。监控器捕获用户网络适配器的IP数据包，根据IP报文的格式、TCP数据包的格式以及HTTP数据包格式，层层解析，提取出IP数据包中的浏览网页，上网时间等信息。A client monitor of a trusted network transaction system is characterized in that the functions of the monitor mainly include two aspects. First, the monitor can analyze and extract the browsing behavior of the user during the surfing process; secondly, the monitor can store the extracted browsing behavior as a behavior log in a specific format. The browsing behavior refers to describing a user's surfing habits in a specific way during the surfing process, including webpages browsed, preferred surfing time, and the like. The monitor captures the IP data packets of the user's network adapter, and analyzes them layer by layer according to the format of the IP packets, TCP data packets and HTTP data packets, and extracts information such as browsing webpages and online time in the IP data packets.

所述行为日志，即刻画用户浏览行为的文本文件。用户浏览行为中的关键信息，如浏览的网页，偏好的上网时间等都需要按照特定的格式存储在行为日志当中。监控器捕捉的用户的网络数据，并经过解析提取出浏览行为信息之后，将浏览行为存储在行为日志当中。每当捕获到新的浏览行为时，及时更新行为日志，以保证行为日志能够充分完备地记录用户的浏览行为，为之后的可信安全客户端的工作提供充足的资料。The behavior log is a text file describing the user's browsing behavior. The key information in the user's browsing behavior, such as the web pages browsed and the preferred online time, etc., need to be stored in the behavior log according to a specific format. The monitor captures the user's network data, and after parsing and extracting the browsing behavior information, the browsing behavior is stored in the behavior log. Whenever a new browsing behavior is captured, the behavior log is updated in time to ensure that the behavior log can fully record the user's browsing behavior and provide sufficient information for the subsequent work of the trusted security client.

除此之外，为了保证用户的浏览行为能够全面地记录，监控器应该在开机后自动运行，捕获用户的上网浏览行为。In addition, in order to ensure that the user's browsing behavior can be fully recorded, the monitor should automatically run after booting to capture the user's Internet browsing behavior.

监控器捕获浏览行为模式的方法，其特征在于，包括如下步骤：The method for a monitor to capture a browsing behavior pattern is characterized in that it comprises the following steps:

1、监控器启动之后，请求访问当前主机上的网络适配器接口。成功获得网络适配器的访问接口之后，开始捕获该网络适配器接口的IP层数据包。1. After the monitor starts, it requests access to the network adapter interface on the current host. After successfully obtaining the access interface of the network adapter, start to capture the IP layer data packets of the network adapter interface.

2、根据IP协议的报文格式，提取出IP数据包中的数据部分，进行下一步解析。由于IP协议作为网络层协议，为多种类型的传输层协议提供服务，所以对提取出的IP数据包需要进行判断，如果其为TCP数据包，则保留该数据包进行下一步解析；如果不是TCP数据包，则不保留该数据包。2. According to the message format of the IP protocol, the data part in the IP data packet is extracted, and the next step is analyzed. Since the IP protocol, as a network layer protocol, provides services for various types of transport layer protocols, it is necessary to judge the extracted IP data packet, if it is a TCP data packet, then keep the data packet for further analysis; if not TCP packet, the packet is not preserved.

3、当获得TCP数据包后，根据TCP协议格式，对TCP数据包进行解析，如果该TCP数据包封装了HTTP数据包，则提取出该HTTP数据包，否则丢弃TCP数据包。3. After obtaining the TCP data packet, analyze the TCP data packet according to the TCP protocol format, if the TCP data packet encapsulates the HTTP data packet, extract the HTTP data packet, otherwise discard the TCP data packet.

4、对于HTTP数据包，即用户浏览网页所产生的数据包，根据其协议格式，可以从数据包中提取出访问网页的地址、访问网页的时间、该网页的引用页以及网页的标题等信息。4. For the HTTP data packet, that is, the data packet generated by the user browsing the webpage, according to its protocol format, information such as the address of the visited webpage, the time of visiting the webpage, the reference page of the webpage, and the title of the webpage can be extracted from the data packet. .

5、提取出浏览行为后，按照如下格式存储到XML文件中。5. After extracting the browsing behavior, store it in the XML file according to the following format.

其中root作为根元素有且只有一个，所有的信息均是root结点的子结点。Among them, there is one and only one root as the root element, and all the information is the child node of the root node.

Capture表示监控器所捕获到的一条浏览行为，在capture中包含6个元素，分别表示6种对应信息。Capture represents a browsing behavior captured by the monitor, and the capture contains 6 elements, which respectively represent 6 corresponding information.

id表示某个浏览行为的编号，编号从1开始，每捕获一条浏览行为，编号自动增加。id indicates the number of a certain browsing behavior, the number starts from 1, and every time a browsing behavior is captured, the number increases automatically.

url是浏览行为中最重要的信息，表示用户所访问的网页的网址。通过分析解析该网址，可以发现用户访问的网站内容，以此刻画用户的浏览行为。The url is the most important information in the browsing behavior, and represents the URL of the web page visited by the user. By analyzing and analyzing the URL, the content of the website visited by the user can be discovered, so as to describe the browsing behavior of the user.

referer表示某个网页的引用页面，如当用户通过百度搜索查找关键词sina并进入新浪主页之后，在新浪主页的浏览记录中即存在着引用页百度。引用页面刻画了浏览行为中的先后序列关系。Referer means the referring page of a certain webpage. For example, when a user searches for the keyword sina through Baidu search and enters the homepage of Sina, the referring page Baidu exists in the browsing history of the homepage of Sina. Citing pages describe the sequential relationship in browsing behavior.

timestamp，即访问某个网页的时刻。timestamp, that is, the moment when a web page is accessed.

title表示浏览网页的题目。Title是url的补充和完善，在分析浏览行为时可以起到辅助的作用。title represents the title of browsing the web page. Title is the supplement and improvement of url, which can play an auxiliary role in analyzing browsing behavior.

keywords表示网页的关键字，通过keywords可以确定网页所属的类别。The keywords represent the keywords of the webpage, and the category to which the webpage belongs can be determined through the keywords.

6、将上述各xml文件存储生成访问日志，为第三方认证中心完成基于行为模式的认证提供了直接和充足的数据。6. Store the above xml files to generate access logs, providing direct and sufficient data for the third-party authentication center to complete authentication based on behavior patterns.

本发明的创新点及有益效果Innovation point and beneficial effect of the present invention

1)利用监控器捕捉浏览行为，通过解析捕捉到的数据包提取用户的行为信息。1) Use the monitor to capture browsing behavior, and extract user behavior information by analyzing the captured data packets.

2)采用xml文件存储行为日志，便于文件的传输和解析。2) Use xml files to store behavior logs, which is convenient for file transmission and analysis.

3)作为可信交易安全客户端的基础组件，为后续的工作如基于行为模式的证书等提供了直接和充足的数据。在可信认证系统中，使用本发明监控器记录客户端用户的上网浏览行为，并以特殊的格式保存成日志文件，以便安全客户端完成其余部分的工作，进而保证可信认证系统的实行。3) As a basic component of the trusted transaction security client, it provides direct and sufficient data for subsequent work such as certificates based on behavior patterns. In the credible authentication system, the monitor of the present invention is used to record the surfing behavior of the client user, and save it as a log file in a special format, so that the security client can complete the rest of the work, thereby ensuring the implementation of the credible authentication system.

附图说明Description of drawings

图1监控器工作流程。Figure 1 Monitor workflow.

具体实施方式Detailed ways

监控器捕获浏览行为模式，即监控器的工作流程如图1所示。The monitor captures browsing behavior patterns, that is, the workflow of the monitor is shown in Figure 1.

1、监控器启动之后，请求访问当前主机上的网络适配器接口。成功获得网络适配器的访问接口之后，开始捕获该网络适配器接口的IP层数据包。1. After the monitor starts, it requests access to the network adapter interface on the current host. After successfully obtaining the access interface of the network adapter, start to capture the IP layer data packets of the network adapter interface.

2、根据IP协议的报文格式，提取出IP数据包中的数据部分，进行下一步解析。由于IP协议作为网络层协议，为多种类型的传输层协议提供服务，所以对提取出的IP数据包需要进行判断，如果其为TCP数据包，则保留该数据包进行下一步解析；如果不是TCP数据包，则不保留该数据包。2. According to the message format of the IP protocol, the data part in the IP data packet is extracted, and the next step is analyzed. Since the IP protocol, as a network layer protocol, provides services for various types of transport layer protocols, it is necessary to judge the extracted IP data packet, if it is a TCP data packet, then keep the data packet for further analysis; if not TCP packet, the packet is not preserved.

3、当获得TCP数据包后，根据TCP协议格式，对TCP数据包进行解析，如果该TCP数据包封装了HTTP数据包，则提取出该HTTP数据包，否则丢弃TCP数据包。3. After obtaining the TCP data packet, analyze the TCP data packet according to the TCP protocol format, if the TCP data packet encapsulates the HTTP data packet, extract the HTTP data packet, otherwise discard the TCP data packet.

4、对于HTTP数据包，即用户浏览网页所产生的数据包，根据其协议格式，可以从数据包中提取出访问网页的地址、访问网页的时间、该网页的引用页以及网页的标题等信息。4. For the HTTP data packet, that is, the data packet generated by the user browsing the webpage, according to its protocol format, information such as the address of the visited webpage, the time of visiting the webpage, the reference page of the webpage, and the title of the webpage can be extracted from the data packet. .

5、提取出浏览行为后，按照如下格式存储到XML文件中。5. After extracting the browsing behavior, store it in the XML file according to the following format.

其中root作为根元素有且只有一个，所有的信息均是root结点的子结点。Among them, there is one and only one root as the root element, and all the information is the child node of the root node.

Capture表示监控器所捕获到的一条浏览行为，在capture中包含6个元素，分别表示6种对应信息。Capture represents a browsing behavior captured by the monitor, and the capture contains 6 elements, which respectively represent 6 corresponding information.

id表示某个浏览行为的编号，编号从1开始，每捕获一条浏览行为，编号自动增加。id indicates the number of a certain browsing behavior, the number starts from 1, and every time a browsing behavior is captured, the number increases automatically.

url是浏览行为中最重要的信息，表示用户所访问的网页的网址。通过分析解析该网址，可以发现用户访问的网站内容，以此刻画用户的浏览行为。The url is the most important information in the browsing behavior, and represents the URL of the web page visited by the user. By analyzing and analyzing the URL, it is possible to discover the content of the website visited by the user, so as to describe the browsing behavior of the user.

referer表示某个网页的引用页面，如当用户通过百度搜索查找关键词sina并进入新浪主页之后，在新浪主页的浏览记录中即存在着引用页百度。引用页面刻画了浏览行为中的先后序列关系。Referer means the referring page of a certain webpage. For example, when a user searches for the keyword sina through Baidu search and enters the homepage of Sina, the referring page Baidu exists in the browsing history of the homepage of Sina. Citing pages describe the sequential relationship in browsing behavior.

timestamp，即访问某个网页的时刻。timestamp, that is, the moment when a web page is accessed.

title表示浏览网页的题目，如访问百度的主页时，对应title为“百度一下，你就知道”。Title是url的补充和完善，在分析浏览行为时可以起到辅助的作用。Title indicates the title of browsing the webpage. For example, when visiting Baidu's homepage, the corresponding title is "Baidu, you will know". Title is the supplement and improvement of url, which can play an auxiliary role in analyzing browsing behavior.

keywords表示网页的关键字，通过keywords可以确定网页所属的类别。The keywords represent the keywords of the webpage, and the category to which the webpage belongs can be determined through the keywords.

6、将上述各xml文件存储生成访问日志，为第三方认证中心完成基于行为模式的认证提供了直接和充足的数据。6. Store the above xml files to generate access logs, providing direct and sufficient data for the third-party authentication center to complete authentication based on behavior patterns.

Claims (1)

Translated fromChinese

1.一种可信网络交易系统客户端监控器，其特征在于，1. A trusted network transaction system client monitor, characterized in that,监控器包括分析提取出用户上网过程中的浏览行为功能模块，The monitor includes a functional module that analyzes and extracts the browsing behavior of the user during the surfing process,所述浏览行为，即描述一个用户上网过程中特定方式的上网习惯，包括浏览的网页，偏好的上网时间；The browsing behavior refers to describing a user's surfing habits in a specific way during the surfing process, including the webpages browsed and the preferred surfing time;监控器捕获用户网络适配器的IP数据包，根据IP报文的格式、TCP数据包的格式以及HTTP数据包格式，层层解析，提取出IP数据包中的浏览网页，上网时间信息；The monitor captures the IP packets of the user's network adapter, and analyzes layer by layer according to the format of the IP packets, the format of the TCP packets and the format of the HTTP packets, and extracts the browsing time information in the IP packets;监控器又包括把提取出的浏览行为按照特定的格式存储为行为日志的功能模块，The monitor also includes a functional module that stores the extracted browsing behavior as a behavior log in a specific format.所述行为日志，即刻画用户浏览行为的文本文件；用户浏览行为中的关键信息，都需要按照特定的格式存储在行为日志当中；监控器捕捉的用户的网络数据，并经过解析提取出浏览行为信息之后，将浏览行为存储在行为日志当中；每当捕获到新的浏览行为时，及时更新行为日志，以保证行为日志能够充分完备地记录用户的浏览行为，为之后的可信安全客户端的工作提供充足的资料；The behavior log is a text file describing the user's browsing behavior; the key information in the user's browsing behavior needs to be stored in the behavior log in a specific format; the user's network data captured by the monitor is analyzed and extracted to extract the browsing behavior After the information is collected, the browsing behavior is stored in the behavior log; whenever a new browsing behavior is captured, the behavior log is updated in time to ensure that the behavior log can fully and completely record the user's browsing behavior, and provide future work for trusted security clients. provide sufficient information;监控器捕获浏览行为模式的方法，包括如下步骤：A method for a monitor to capture a browsing behavior pattern, comprising the following steps:步骤1、监控器启动之后，请求访问当前主机上的网络适配器接口，成功获得网络适配器的访问接口之后，开始捕获该网络适配器接口的IP层数据包；Step 1, after the monitor starts, request to visit the network adapter interface on the current host, after successfully obtaining the access interface of the network adapter, start to capture the IP layer data packets of the network adapter interface;步骤2、根据IP协议的报文格式，提取出IP数据包中的数据部分，进行下一步解析；对提取出的IP数据包需要进行判断，如果其为TCP数据包，则保留该数据包进行下一步解析；如果不是TCP数据包，则不保留该数据包；Step 2, extract the data part in the IP packet according to the message format of the IP protocol, and carry out the next step analysis; the extracted IP packet needs to be judged, if it is a TCP packet, then keep the packet for further processing The next step is to analyze; if it is not a TCP packet, the packet is not retained;步骤3、当获得TCP数据包后，根据TCP协议格式，对TCP数据包进行解析，如果该TCP数据包封装了HTTP数据包，则提取出该HTTP数据包，否则丢弃TCP数据包；Step 3, after obtaining the TCP data packet, according to the TCP protocol format, the TCP data packet is analyzed, if the TCP data packet encapsulates the HTTP data packet, then extract the HTTP data packet, otherwise discard the TCP data packet;步骤4、对于HTTP数据包，即用户浏览网页所产生的数据包，根据其协议格式，可以从数据包中提取出访问网页的地址、访问网页的时间、该网页的引用页以及网页的标题信息；Step 4, for the HTTP data packet, that is, the data packet generated by the user browsing the webpage, according to its protocol format, the address of the visited webpage, the time of the visited webpage, the reference page of the webpage and the title information of the webpage can be extracted from the data packet ;步骤5、提取出浏览行为后，按照如下格式存储到XML文件中：Step 5. After extracting the browsing behavior, store it in the XML file according to the following format:其中root作为根元素有且只有一个，所有的信息均是root结点的子结点；Among them, there is one and only one root as the root element, and all the information is the child node of the root node;Capture表示监控器所捕获到的一条浏览行为；Capture represents a browsing behavior captured by the monitor;id表示某个浏览行为的编号，编号从1开始，每捕获一条浏览行为，编号自动增加；id indicates the number of a browsing behavior, the number starts from 1, and every time a browsing behavior is captured, the number automatically increases;url表示用户所访问的网页的网址，通过分析解析该网址，发现用户访问的网站内容，以此刻画用户的浏览行为；url indicates the URL of the webpage visited by the user. By analyzing and analyzing the URL, the content of the website visited by the user is found, so as to describe the browsing behavior of the user;referer表示某个网页的引用页面，引用页面刻画了浏览行为中的先后序列关系；Referer indicates the reference page of a certain web page, and the reference page depicts the sequential relationship in browsing behavior;timestamp，表示访问某个网页的时刻；timestamp, indicating the moment of accessing a certain web page;title表示浏览网页的题目；title indicates the title of browsing the webpage;keywords表示网页的关键字，通过keywords确定网页所属的类别；keywords represent the keywords of the webpage, and the category to which the webpage belongs is determined through keywords;步骤6、将上述各XML 文件存储生成访问日志，基于行为模式的认证提供直接和充足的数据。Step 6. Store the above-mentioned XML files to generate access logs, and provide direct and sufficient data based on behavior pattern authentication.