CN110011860A - Android application and identification method based on network traffic analysis - Google Patents
- Publication number
- CN110011860A, CN201910303573.4A
- Authority
- CN
- China
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H04L41/14—Network analysis or design
- H04L43/0876—Network utilisation, e.g. volume of load or congestion level
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Environmental & Geological Engineering (AREA)
- Debugging And Monitoring (AREA)
Abstract
The invention discloses an Android application identification method based on network traffic analysis, comprising: executing the Android application to be identified and capturing the network traffic data it generates; extracting the network traffic data that belongs to the HTTP protocol and analyzing it to obtain the structure of HTTP packets; defining HTTP feature signatures and extracting feature signatures; associating packets that carry no HTTP feature signature; and compiling statistics from the extracted data and the associated packets, thereby completing Android application identification based on network traffic analysis. By analyzing the HTTP traffic in a network, the invention can identify the Android applications running in that network with high accuracy, and can also count the volume of network traffic that a single Android application generates while running, which helps analysts characterize more accurately how Android applications run in the network. The method has higher reliability and higher accuracy.
Description
Technical field
The present invention relates to an Android application identification method based on network traffic analysis.
Background
With the widespread adoption of smart mobile devices, Android has become the most widely used mobile operating system in the world. With the rapid development of Android applications, the network traffic they generate accounts for a large share of overall network traffic. More and more Android smart devices connect to local area networks (such as enterprise intranets) as access devices, and network administrators need an accurate picture of which Android applications are running in the networks they manage. This information is critical to LAN network security, network management, and monitoring of users' online behavior. In addition, Android application identification provides accurate information for research that studies Android application behavior through network traffic analysis. Identifying Android applications accurately and efficiently is therefore of great significance for all of this work.
Researchers have proposed identification methods based on features of Android applications. One method identifies Android applications by the Host field in the HTTP header. However, this method cannot distinguish different Android applications that share the same origin; for example, many Android applications access the same cloud servers (such as Amazon's cloud servers). Another method identifies mobile applications by the value of the User-Agent field in the HTTP header. However, this method is not suitable for identifying Android applications, because many Android application developers write non-standard values into this field, such as the Android version number, which lowers identification accuracy. A third method identifies Android applications by the advertising libraries embedded in them, but it cannot identify Android applications that embed no advertising library.
Summary of the invention
The purpose of the present invention is to provide an Android application identification method based on network traffic analysis that has higher reliability and higher accuracy.
The Android application identification method based on network traffic analysis provided by the invention includes the following steps:
S1. Execute the Android application to be identified, and capture the network traffic data that it generates during execution;
S2. From the network traffic data obtained in step S1, extract the network traffic data that belongs to the HTTP protocol, and analyze the structure of the packets in the extracted HTTP traffic to obtain the structure of an HTTP packet;
S3. Define HTTP feature signatures according to the HTTP packet structure obtained in step S2;
S4. Using the HTTP feature signatures defined in step S3, extract feature signatures from the captured HTTP network traffic data;
S5. Using the feature signatures extracted from the HTTP network traffic data in step S4, associate the packets that carry no HTTP feature signature;
S6. Compile statistics from the data extracted in step S4 and the packets associated in step S5, thereby completing Android application identification based on network traffic analysis.
Executing the Android application to be identified in step S1 specifically means executing it with an automatic Android application execution tool.
Capturing the network traffic data that the Android application to be identified generates during execution in step S1 specifically means using a recording tool to capture the network traffic data generated by the application while it runs, and at the same time setting up a WiFi router in the local area network to capture the network traffic data generated by Android applications running on Android mobile devices in that network.
The recording tool is the tcpdump data recording tool.
Extracting the HTTP network traffic data in step S2, and analyzing the structure of the packets in the extracted HTTP traffic to obtain the structure of an HTTP packet, specifically uses the following steps to extract and analyze the HTTP data:
A. By port number, TCP flows that contain port-80 packets are judged to be HTTP data flows and are extracted;
B. From the HTTP data flows extracted in step A, the packets in which HTTP is used to send requests to the server are extracted;
C. The packets extracted in step B are analyzed, leading to the conclusion that a packet of HTTP type contains a uniform resource identifier, and that the uniform resource identifier consists of the request method, the URL path or resource query path, and the related parameters.
Defining the HTTP feature signatures in step S3 specifically means defining the following four types: Android application name, designated character string, substring sequence, and <n, v> pair.
Extracting feature signatures from the captured HTTP network traffic data in step S4, using the HTTP feature signatures defined in step S3, is specifically carried out in the following steps:
a. Extract the element set of each HTTP request;
b. Cluster the element sets of the HTTP requests extracted in step a using a clustering algorithm;
c. Among the clustered HTTP requests, merge HTTP requests that have the same page into one feature signature, and also merge HTTP requests that have 80% or more identical query parameters into one feature signature.
Associating the packets that carry no HTTP feature signature in step S5 is specifically carried out in the following steps:
(1) Identify, by time window, the HTTP flows with general strings that the Android application generates;
(2) Identify the HTTP flows with general strings that the Android application generates by recovering the compressed content in HTTP flows.
Identifying, by time window, the HTTP flows with general strings that the Android application generates in step (1) is specifically carried out as follows:
Define $A$ as the set of general-string types and $B$ as the set of special-string types, where $A$ and $B$ are extracted from HTTP flows; $a_i$ is an instance in set $A$ and $b_i$ is an instance in set $B$, i.e. $a_i \in A$ and $b_i \in B$; $b_i$ is an HTTP flow containing a special string, and several $a_i$ appear in the time window before and after $b_i$. If the following two conditions are met, the instances $a_i$ and $b_i$ are placed in the same HTTP flow group $g(b_i)$ and are deemed to be generated by the same Android application;
Condition 1: the HTTP flow containing $a_i$ and the HTTP flow containing $b_i$ have the same hostname, or the Referer fields of their respective HTTP headers contain the same hostname;
Condition 2: the two instances $a_i$ and $b_i$ appear in the same time window.
Completing Android application identification based on network traffic analysis in step S6 is specifically carried out as follows: first, observe whether the network traffic generated when different Android applications run contains the four types of feature strings defined in this method; if it does, it is directly identified as the corresponding Android application. Second, use the time window algorithm to associate network traffic without feature strings that appears within a certain time before and after network traffic with feature strings, and determine that this traffic without feature strings was generated by the same Android application. Finally, decompress the compressed files contained in the network traffic and obtain the corresponding feature strings to identify the Android application.
The Android application identification method based on network traffic analysis provided by the invention summarizes four different types of feature signature, and identifies Android application traffic that contains general strings by time association and by recovering compressed content. By analyzing the HTTP traffic in a network, the method can therefore identify the Android applications running in that network; accuracy can reach about 90%, and for some Android applications it can reach 100%. The method can also count the volume of network traffic that a single Android application generates while running, which helps analysts characterize more accurately how Android applications run in the network.
Brief description of the drawings
Fig. 1 is a flow diagram of the method of the invention.
Fig. 2 shows the HTTP flows generated by one run of the Android social application iAround.
Fig. 3 is a schematic diagram of the structure of an HTTP request.
Fig. 4 is a schematic diagram of the HTTP feature signature format.
Fig. 5 is a schematic diagram of HTTP request merging.
Fig. 6 is a schematic diagram of associating HTTP flows by time window.
Fig. 7 is a schematic diagram of the compressed content in an HTTP response.
Fig. 8 is a schematic diagram of the recognition rate for Android application HTTP flows.
Fig. 9 is a schematic diagram of the statistical results for Android application traffic size.
Fig. 10 is a schematic diagram of the accuracy of HTTP flow extraction based on time association.
Detailed description of the embodiments
Fig. 1 shows the flow of the method. The Android application identification method based on network traffic analysis provided by the invention includes the following steps:
S1. Execute the Android application to be identified using an automatic Android application execution tool, and capture the network traffic data that it generates during execution. To capture the network traffic data, a recording tool captures the traffic that the application generates while it runs, and a WiFi router is set up in the local area network to capture (using the tcpdump data recording tool) the network traffic data generated by Android mobile devices in that network. Traffic capture falls into two cases: first, traffic obtained by simulating user clicks to execute the Android application; second, traffic captured while real users use the Android application. In this way, the network traffic that Android mobile devices generate when using Android applications over a WiFi connection is captured;
S2. From the network traffic data obtained in step S1, extract the network traffic data that belongs to the HTTP protocol, and analyze the structure of the packets in the extracted HTTP traffic to obtain the structure of an HTTP packet. The structure of the payload in an HTTP request packet is shown in Fig. 3. The HTTP data is extracted and analyzed in the following steps:
A. By port number, TCP flows that contain port-80 packets are judged to be HTTP data flows and are extracted;
B. From the HTTP data flows extracted in step A, the packets in which HTTP is used to send requests to the server are extracted;
C. The packets extracted in step B are analyzed, leading to the conclusion that a packet of HTTP type contains a uniform resource identifier (Uniform Resource Identifier, URI), and that the URI consists of the request method, the URL path or resource query path, and the related parameters. An HTTP request consists of the HTTP request method and the URL path or query path, and maps to different network behaviors of the application. Here m denotes the HTTP request method, such as GET or POST; p denotes the request page; t denotes a substring of the request-page string; q denotes the query; n denotes a query parameter; v denotes the value of the query parameter;
S3. Define HTTP feature signatures according to the HTTP packet structure obtained in step S2;
The HTTP feature signature format is shown in Fig. 4;
Many kinds of information in the network traffic generated by Android applications can be used to identify them, such as packet headers, packet payload features, flow features, and host communication patterns. The invention focuses on extracting feature signatures from the strings contained in the uniform resource identifier (Uniform Resource Identifier, URI) of HTTP requests. The feature signature of an Android application consists of the fixed and unique strings in its HTTP request flows. An HTTP request consists of the HTTP request method and the URL path or query path, and maps to different network behaviors of the application. The HTTP request methods include GET, POST, and so on; the request page is the page that the application needs to request from the server; the query path indicates the path used to query a resource on the server;
Specifically, the following four types are defined:
Android application name: the name of an Android application is a special string that distinguishes it from other Android applications. According to current observation, no two of more than 9000 Android applications were found to have the same name; identifying an Android application by its program name is therefore direct and effective. The Android application name and package name are extracted from the application's Manifest file by static analysis. For example, if the package name of the Fox News application is com.android.foxnews, this string can serve as a feature signature to identify the application;
Designated character string: this type of feature signature represents the distinct network behaviors of an Android application. If the name of an Android application is not unique, or its HTTP flows do not contain the application name, this type of feature signature can be used to identify the application. Each unique feature signature and its corresponding Android application are stored in a feature signature library. For example, the HTTP requests generated by Google Earth contain the string /mw-earth-vectordb, which is produced by a specific network behavior. Therefore, if this feature signature is found in an HTTP flow, the flow can be identified as belonging to the Google Earth application;
Substring sequence: a substring sequence is defined according to the positional order of substrings in the HTTP request string. A single substring may be contained in the traffic of several Android applications and so cannot identify one effectively. For example, the substring /bbc alone cannot identify the BBC News application, but two substrings combined into the substring sequence /bbc/bbc can identify it;
<n, v> pair: the HTTP traffic generated by some advertising libraries contains special strings that can be used to identify Android applications. For example, in the HTTP traffic generated by the Google advertising library, the application's package name appears as the value of a query parameter, i.e. msid=com.socialmobile.colordict. It is therefore enough to find that parameter in the traffic and locate its value to identify which application the flow belongs to;
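The following added example (not part of the patent text) shows one way the four signature types defined above could be matched against HTTP request lines. The signature values are the ones quoted in the description; the `Signature` class, the function names, and the sample request lines are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlsplit, parse_qsl


@dataclass(frozen=True)
class Signature:
    kind: str                 # "name", "string", "substrings" or "nv"
    pattern: Tuple[str, ...]  # what to look for in the request URI
    app: Optional[str]        # None for "nv": the parameter value names the app


# Signature library built from the examples quoted in the description.
SIGNATURE_LIBRARY = [
    Signature("name", ("com.android.foxnews",), "Fox News"),
    Signature("string", ("/mw-earth-vectordb",), "Google Earth"),
    Signature("substrings", ("/bbc", "/bbc"), "BBC News"),
    Signature("nv", ("msid",), None),
]


def contains_in_order(text: str, parts: Tuple[str, ...]) -> bool:
    """True if every part occurs in text, left to right, without overlap."""
    pos = 0
    for part in parts:
        idx = text.find(part, pos)
        if idx < 0:
            return False
        pos = idx + len(part)
    return True


def identify(request_line: str):
    """Return (app, signature kind) for an HTTP request line, or None."""
    fields = request_line.split()
    if len(fields) < 2:
        return None  # not a parsable request line
    uri = fields[1]
    parts = urlsplit(uri)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    for sig in SIGNATURE_LIBRARY:
        if sig.kind in ("name", "string"):
            # Application/package name or designated string anywhere in the URI.
            if sig.pattern[0] in uri:
                return sig.app, sig.kind
        elif sig.kind == "substrings":
            # Ordered substrings in the request page; one occurrence is not enough.
            if contains_in_order(parts.path, sig.pattern):
                return sig.app, sig.kind
        elif sig.kind == "nv":
            # <n, v> pair: the value of parameter n is the package name.
            value = query.get(sig.pattern[0])
            if value:
                return value, sig.kind
    return None


# Constructed request lines (hypothetical, not captured traffic).
SAMPLE_REQUESTS = [
    "GET /feed?pkg=com.android.foxnews&v=2 HTTP/1.1",
    "GET /mw-earth-vectordb/tile/12 HTTP/1.1",
    "GET /bbc/news/bbc/front.json HTTP/1.1",
    "GET /bbc/weather HTTP/1.1",
    "GET /ads?msid=com.socialmobile.colordict&fmt=js HTTP/1.1",
    "GET /static/logo.png HTTP/1.1",
]


def identify_all(lines):
    return [identify(line) for line in lines]


if __name__ == "__main__":
    for line, result in zip(SAMPLE_REQUESTS, identify_all(SAMPLE_REQUESTS)):
        print(f"{line!r:60} -> {result}")
```

Requests that match no signature return `None`; these are the flows that step S5 later tries to associate with an identified application.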
S4. Using the HTTP feature signatures defined in step S3, extract feature signatures from the captured HTTP network traffic data. The extraction is carried out in the following steps:
a. Extract the element set of each HTTP request;
Analysis of the parts of HTTP requests that may be similar shows that the following three parts can be similar:
1) Request method: different request methods represent different ways of communicating with the server. For example, GET requests the required resource and returns that resource; POST requests that the server accept the specified document as a new subordinate entity of the identified URI;
2) Hostname: the hostname is unique to an Android application. Therefore, if two different feature signatures are extracted from HTTP flows that access the same host, the two feature signatures should belong to the same cluster;
3) Accessed page: this attribute is used because similar accessed pages indicate similar network behaviors of the Android application;
b. Cluster the element sets of the HTTP requests extracted in step a using a clustering algorithm (such as the fastcluster algorithm);
c. Among the clustered HTTP requests, merge HTTP requests that have the same page into one feature signature, and also merge HTTP requests that have 80% or more identical query parameters into one feature signature;
Specifically, after clustering, some clusters may contain HTTP requests that have the same page and similar query parameters. These HTTP requests need to be merged into one feature signature, because these query parameters vary with the configuration of different Android phones, such as the Android version number and the screen resolution, while the requests reflect the similar network behavior of the Android application on different phones;
Fig. 5 illustrates the merging of two HTTP requests with similar query parameters: Fig. 5(a) lists two HTTP requests with similar query parameters, and Fig. 5(b) is the HTTP request after merging;
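The following added example (not part of the patent text) sketches the merge in step c. It makes several assumptions: "identical" means a parameter has the same name and the same value in both requests, the share is taken over the union of parameter names, a simple greedy pass stands in for the clustering algorithm of step b, and differing values are replaced by a `*` wildcard. The hostnames and requests are constructed.

```python
from urllib.parse import urlsplit, parse_qsl

THRESHOLD = 0.8   # "80% or more identical query parameters"
WILDCARD = "*"    # assumption: marks a device-dependent parameter value


def parse_request(method, host, uri):
    parts = urlsplit(uri)
    return {"method": method, "host": host, "page": parts.path,
            "params": dict(parse_qsl(parts.query, keep_blank_values=True))}


def identical_share(p1, p2):
    """Share of parameters (by name) whose values are identical in both requests."""
    names = set(p1) | set(p2)
    if not names:
        return 1.0
    same = sum(1 for n in names if n in p1 and n in p2 and p1[n] == p2[n])
    return same / len(names)


def merge_params(sig_params, new_params):
    """Keep parameters present in both; wildcard the values that differ."""
    merged = {}
    for name, value in sig_params.items():
        if name in new_params:
            merged[name] = value if new_params[name] == value else WILDCARD
    return merged


def build_signatures(raw_requests):
    """Greedy merge: same method, host and page, and >= THRESHOLD identical
    parameters compared with the first request that opened the signature."""
    signatures = []
    for raw in raw_requests:
        req = parse_request(*raw)
        key = (req["method"], req["host"], req["page"])
        for sig in signatures:
            if sig["key"] == key and \
                    identical_share(sig["exemplar"], req["params"]) >= THRESHOLD:
                sig["params"] = merge_params(sig["params"], req["params"])
                sig["count"] += 1
                break
        else:
            signatures.append({"key": key, "exemplar": req["params"],
                               "params": dict(req["params"]), "count": 1})
    return signatures


def render(sig):
    method, host, page = sig["key"]
    query = "&".join(f"{n}={v}" for n, v in sig["params"].items())
    return f"{method} {host}{page}" + (f"?{query}" if query else "")


# Constructed requests (hypothetical host and parameters): the same page requested
# from phones with different Android versions and languages, plus a different page.
SAMPLE_REQUESTS = [
    ("GET", "api.example.test", "/v1/config?app=demo&lang=en&os=4.4.2&ch=store&fmt=json"),
    ("GET", "api.example.test", "/v1/config?app=demo&lang=en&os=5.1&ch=store&fmt=json"),
    ("GET", "api.example.test", "/v1/config?app=demo&lang=zh&os=6.0&ch=store&fmt=json"),
    ("GET", "api.example.test", "/v1/feed?app=demo"),
]

if __name__ == "__main__":
    for sig in build_signatures(SAMPLE_REQUESTS):
        print(sig["count"], render(sig))
```

The second request differs from the first in one parameter out of five (80% identical) and is merged; the third differs in two (60%) and opens a signature of its own.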
S5. Using the feature signatures extracted from the HTTP network traffic data in step S4, associate the packets that carry no HTTP feature signature. The association is carried out in the following steps:
(1) Identify, by time window, the HTTP flows with general strings that the Android application generates, specifically as follows:
Define $A$ as the set of general-string types and $B$ as the set of special-string types, where $A$ and $B$ are extracted from HTTP flows; $a_i$ is an instance in set $A$ and $b_i$ is an instance in set $B$, i.e. $a_i \in A$ and $b_i \in B$; $b_i$ is an HTTP flow containing a special string, and several $a_i$ appear in the time window before and after $b_i$. If the following two conditions are met, the instances $a_i$ and $b_i$ are placed in the same HTTP flow group $g(b_i)$ and are deemed to be generated by the same Android application. The HTTP flow grouping process is shown in Fig. 6;
Condition 1: the HTTP flow containing $a_i$ and the HTTP flow containing $b_i$ have the same hostname, or the Referer fields of their respective HTTP headers contain the same hostname;
Condition 2: the two instances $a_i$ and $b_i$ appear in the same time window;
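The following added example (not part of the patent text) implements the grouping rule of step (1) with Conditions 1 and 2. The window length, the `Flow` record, and the rule that a general-string flow matching several special-string flows goes to the nearest one in time are assumptions; the patent does not specify them. The flows are constructed.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

WINDOW_SECONDS = 5.0  # assumption: the description gives no window length


@dataclass
class Flow:
    ts: float                  # time of the HTTP request, in seconds
    host: str                  # Host header
    referer: str = ""          # Referer header, may be empty
    app: Optional[str] = None  # set when a special-string signature matched (b_i)


def referer_host(flow: Flow) -> str:
    return urlsplit(flow.referer).hostname or ""


def condition_1(a: Flow, b: Flow) -> bool:
    """Same hostname, or the same hostname in both Referer fields."""
    if a.host == b.host:
        return True
    ra, rb = referer_host(a), referer_host(b)
    return bool(ra) and ra == rb


def condition_2(a: Flow, b: Flow, window: float) -> bool:
    """a_i falls in the time window before or after b_i."""
    return abs(a.ts - b.ts) <= window


def associate(flows, window=WINDOW_SECONDS):
    """Return {index of b_i: [indexes of a_i in g(b_i)]}."""
    groups = {i: [] for i, f in enumerate(flows) if f.app}
    for j, a in enumerate(flows):
        if a.app:
            continue
        candidates = [i for i in groups
                      if condition_2(a, flows[i], window) and condition_1(a, flows[i])]
        if candidates:
            # Assumption: when several b_i qualify, pick the nearest in time.
            nearest = min(candidates, key=lambda i: abs(flows[i].ts - a.ts))
            groups[nearest].append(j)
    return groups


def label(flows, window=WINDOW_SECONDS):
    """Return {flow index: application} for identified and associated flows."""
    labels = {}
    for i, members in associate(flows, window).items():
        labels[i] = flows[i].app
        for j in members:
            labels[j] = flows[i].app
    return labels


# Constructed flows (hypothetical hosts and applications).
SAMPLE_FLOWS = [
    Flow(100.0, "api.appone.test", "http://m.appone.test/start", app="AppOne"),
    Flow(101.2, "api.appone.test"),                              # same host
    Flow(102.0, "cdn.images.test", "http://m.appone.test/home"), # same Referer host
    Flow(103.0, "cdn.images.test"),                              # no link: stays unlabelled
    Flow(130.0, "api.appone.test"),                              # outside the window
    Flow(104.0, "api.apptwo.test", app="AppTwo"),
    Flow(104.5, "api.apptwo.test"),
]

if __name__ == "__main__":
    print(associate(SAMPLE_FLOWS))
    print(label(SAMPLE_FLOWS))
```

Flows that satisfy neither condition stay unlabelled rather than being forced into a group, which keeps the association errors described for Fig. 10 visible instead of hiding them.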
(2) Identify the HTTP flows with general strings that the Android application generates by recovering the compressed content in HTTP flows;
When an Android application requests resources from a server, the HTTP response may contain repeated data, so the HTTP server compresses this data with a compression technique (for example gzip or deflate) to save traffic. In the captured HTTP traffic, the response streams of two HTTP flows contain gzip files (see Fig. 1). The decompressed content of the gzip file, shown in Fig. 7, contains the URLs of picture files that the Android application needs to request, and these URLs will be accessed by the Android application. Therefore, the HTTP flows that access these URLs can be identified from the URL information extracted from the HTTP compressed content;
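The following added example (not part of the patent text) recovers the compressed body of an HTTP response, extracts the URLs it lists, and attributes later requests for those URLs to the application that received the response. It assumes the response has already been reassembled from the TCP stream without chunked transfer encoding; the size limit, function names, and sample data are constructed for illustration.

```python
import gzip
import re
import zlib
from urllib.parse import urlsplit

MAX_BODY = 1_000_000  # assumption: cap on decompressed size, guards the analyzer
URL_RE = re.compile(rb"https?://[^\s\"'<>\\]+")


def split_response(raw: bytes):
    """Split a reassembled HTTP response into a header dict and the body bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers, body


def recover_body(raw: bytes) -> bytes:
    """Return the response body, decompressed when Content-Encoding requires it."""
    headers, body = split_response(raw)
    if headers.get("content-encoding", "").lower() not in ("gzip", "deflate"):
        return body
    # wbits = MAX_WBITS | 32 auto-detects gzip and zlib headers
    # (raw deflate without a zlib header is not handled here).
    inflater = zlib.decompressobj(zlib.MAX_WBITS | 32)
    out = inflater.decompress(body, MAX_BODY)
    if inflater.unconsumed_tail:
        raise ValueError("decompressed body exceeds MAX_BODY")
    return out


def urls_in_response(raw: bytes):
    return {m.decode("ascii", "replace") for m in URL_RE.findall(recover_body(raw))}


def attribute_requests(app: str, response_raw: bytes, later_requests):
    """Label each later (host, path) request with app if the response listed it."""
    wanted = set()
    for url in urls_in_response(response_raw):
        parts = urlsplit(url)
        wanted.add((parts.hostname, parts.path))
    return [(host, path, app if (host, path) in wanted else None)
            for host, path in later_requests]


def make_response(body: bytes) -> bytes:
    """Build a constructed gzip-encoded HTTP response around body."""
    return (b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"
            b"Content-Encoding: gzip\r\n\r\n" + gzip.compress(body))


# Constructed response listing picture URLs (hypothetical hosts).
SAMPLE_RESPONSE = make_response(
    b'{"pics": ["http://img.appone.test/u/101.jpg", "http://img.appone.test/u/102.jpg"]}'
)
SAMPLE_LATER_REQUESTS = [("img.appone.test", "/u/101.jpg"), ("img.other.test", "/x.png")]

if __name__ == "__main__":
    print(sorted(urls_in_response(SAMPLE_RESPONSE)))
    print(attribute_requests("AppOne", SAMPLE_RESPONSE, SAMPLE_LATER_REQUESTS))
```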
S6. Compile statistics from the data extracted in step S4 and the packets associated in step S5, thereby completing Android application identification based on network traffic analysis. First, observe whether the network traffic generated when different Android applications run contains the four types of feature strings defined in this method; if it does, it is directly identified as the corresponding Android application. Second, use the time window algorithm to associate network traffic without feature strings that appears within a certain time before and after network traffic with feature strings, and determine that this traffic without feature strings was generated by the same Android application. Finally, decompress the compressed files contained in the network traffic and obtain the corresponding feature strings to identify the Android application.
Fig. 8 shows the recognition rate for HTTP flows generated by Android applications when they are identified with the extracted HTTP feature signatures, compared with the recognition rate of a method commonly used in the industry (NetworkProfiler). The striped bars show the recognition rate of the NetworkProfiler method for HTTP flows generated by Android applications, and the black bars show the recognition rate of the method of the invention. The results show that the proposed identification method based on Android application HTTP feature signatures has a higher Android application recognition rate than the NetworkProfiler method. In the best case the recognition rate improves by 81%, and even in the worst case it improves by 35% over the NetworkProfiler method. Because the method of the invention can identify not only HTTP flows that contain special strings but also HTTP flows that contain general strings, the recognition rate is greatly improved.
Fig. 9 shows the statistical results that verify the size of the HTTP flows generated by Android applications, using as the metric the ratio of correctly counted HTTP flows to the total HTTP flows generated by the application. For 12 Android applications the traffic statistics accuracy is above 80%, and the highest statistical accuracy reaches 100%, i.e. the size of the HTTP flows generated by the Android application is counted completely correctly. Notably, the low recognition rate for WeChat also lowers the amount of its network traffic that can be counted; this result shows that as long as the HTTP flows of an Android application have a high recognition rate, a high statistics rate can be obtained.
Fig. 10 verifies the accuracy of the HTTP flows extracted by time association. The experiment verifies, by manually inspecting each HTTP flow generated by an Android application, whether the HTTP flows extracted according to the association information were generated by that application. It verifies the extraction accuracy by comparing the network traffic generated by manually running these applications with the associated HTTP flows in the real network. The time-association method, which extracts HTTP flows with general strings based on HTTP flows with special strings, has high accuracy; that is, the extracted HTTP flows and the HTTP flows with special strings are generated by the same application. However, the extraction accuracy for some Android applications does not reach 100%. This is because, within the fixed time window, applications from the same origin, such as WeChat and QQ, are running in the background on some phones, so some extracted HTTP flows do not belong to the application and the extraction accuracy falls short of 100%.
Claims (10)
1. a kind of Android application and identification method based on network traffic analysis, includes the following steps:
S1. Android application to be identified is executed, and captures the network flow data that Android application to be identified generates when being executed;
S2. from the network flow data that step S1 is obtained, the network flow data for belonging to http protocol is extracted, and to extraction
The structure for belonging to the data packet of the network flow data of http protocol is analyzed, to obtain the structure of http data packet
Composition;
S3. according to the structure composition of the obtained http data packet of step S2, HTTP characteristic signature is defined;
S4. the HTTP characteristic signature defined according to step S3 carries out feature to the network flow data for belonging to http protocol of acquisition
Signature extracts;
S5. according to the characteristic signature of the step S4 network flow data for belonging to http protocol extracted, to not having HTTP feature
The data packet of signature is associated;
S6. it is counted by the step S4 data extracted and with the associated data packet of step S5, to complete to be based on network flow
The Android application identification of analysis.
2. the Android application and identification method according to claim 1 based on network traffic analysis, it is characterised in that step S1
Execution Android application to be identified specially executes Android to be identified using automatic execution tool using Android and answers
With.
3. the Android application and identification method according to claim 1 based on network traffic analysis, it is characterised in that step S1
The network flow data that the described capture Android application to be identified generates when being executed, the specially capture of usage record tool to
The network flow data that the Android application of identification generates in the process of implementation, while WIFI is set in local area network and is routed, capture
Network flow data caused by Android mobile device in the local area network.
4. the Android application and identification method according to claim 3 based on network traffic analysis, it is characterised in that described
Equipments of recording are tcpdump data record tool.
5. the Android application and identification method described according to claim 1~one of 4 based on network traffic analysis, it is characterised in that
Extraction described in step S2 belongs to the network flow data of http protocol, and to the network flow number for belonging to http protocol of extraction
According to the structure of data packet analyzed, to obtain the structure composition of http data packet, specially use following steps
It extracts http data and is analyzed:
It A. will include that the stream of 80 port data packets is judged as the data flow of http protocol, and carries out in TCP flow according to port numbers
It extracts;
B. from the data flow of the step A http protocol extracted, to the number wherein made requests using http protocol to server
It is extracted according to packet;
C. the step B data packet extracted is analyzed, to be concluded that the data packet of http protocol type includes unified money
Source identifier, and the uniform resource identifier is made of requesting method, the path URL or resource query path and relevant parameter.
6. The Android application identification method based on network traffic analysis according to claim 5, characterized in that defining the HTTP feature signatures, as described in step S3, specifically defines the following four types: Android application name, specified string, substring sequence, and <n, v> pair.
7. The Android application identification method based on network traffic analysis according to claim 6, characterized in that performing feature signature extraction on the acquired network traffic data belonging to the HTTP protocol according to the HTTP feature signatures defined in step S3, as described in step S4, specifically uses the following steps:
a. the element set of each HTTP request is extracted;
b. the element sets of the HTTP requests extracted in step a are clustered using a clustering algorithm;
c. among the HTTP requests after clustering, the HTTP requests that have the same page are merged into one feature signature, and at the same time the HTTP requests that have 80% or more identical query parameters are merged into one feature signature.
8. The Android application identification method based on network traffic analysis according to claim 7, characterized in that associating the packets that do not carry an HTTP feature signature, as described in step S5, specifically uses the following steps:
(1) the HTTP flows with general strings generated by the Android application are identified by means of a time window;
(2) the HTTP flows with general strings generated by the Android application are identified by restoring the compressed content in the HTTP flows.
9. The Android application identification method based on network traffic analysis according to claim 8, characterized in that identifying, by means of a time window, the HTTP flows with general strings generated by the Android application, as described in step (1), specifically uses the following steps:
Define $A$ as the set of general-string types and $B$ as the set of special-string types, where $A$ and $B$ are extracted from the HTTP flows; $a_i$ is an instance in set $A$ and $b_i$ is an instance in set $B$, with $a_i \in A$ and $b_i \in B$; $b_i$ is an HTTP flow containing a special string, and several $a_i$ occur in the time window before and after $b_i$; if the following two conditions are met, it is asserted that the two instances $a_i$ and $b_i$ are grouped into the same HTTP flow group $g(b_i)$ and are generated by the same Android application;
Condition 1: the HTTP flow containing $a_i$ and the HTTP flow containing $b_i$ have the same hostname, or the Referer fields of the respective HTTP headers of the HTTP flow containing $a_i$ and the HTTP flow containing $b_i$ contain the same hostname;
Condition 2: the two instances $a_i$ and $b_i$ appear in the same time window.
10. The Android application identification method based on network traffic analysis according to claim 9, characterized in that completing the Android application identification based on network traffic analysis, as described in step S6, specifically uses the following steps: first, observe whether the network flows generated by different Android applications at run time contain the four types of feature strings defined in this method; if they do, the corresponding Android application is identified directly; second, use the time-window algorithm to associate the network flows that do not contain a feature string and that occur within a certain time before and after a network flow with a feature string, and determine that these network flows without a feature string were generated by the same Android application; finally, decompress the compressed files contained in the network flows and obtain the corresponding feature strings in order to identify the Android application.
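The time-window association of claims 9 and 10, as an added example that is not part of the patent text: flows already labelled by a special string act as $b_i$, and unlabelled flows $a_i$ are attributed to an application only when Condition 1 and Condition 2 both hold. The `HttpFlow` fields, the 5-second window, the policy of leaving a flow unattributed when more than one application qualifies, and the sample flows are assumptions of this sketch.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

@dataclass
class HttpFlow:
    ts: float                  # capture time in seconds
    host: str                  # Host header
    referer: str = ""          # Referer header, may be absent
    app: Optional[str] = None  # set for b_i (special string matched), None for a_i

def referer_host(flow):
    return (urlparse(flow.referer).hostname or "").lower()

def condition1(a, b):
    """Same Host, or the same hostname in both flows' Referer headers."""
    if a.host and a.host.lower() == b.host.lower():
        return True
    ra = referer_host(a)
    return bool(ra) and ra == referer_host(b)

def condition2(a, b, window):
    """a_i falls inside the time window before and after b_i."""
    return abs(a.ts - b.ts) <= window

def associate(flows, window=5.0):
    """Map the index of each general-string flow a_i to the app of its group g(b_i)."""
    labelled = [f for f in flows if f.app is not None]
    result = {}
    for i, a in enumerate(flows):
        if a.app is not None:
            continue
        apps = {b.app for b in labelled
                if condition1(a, b) and condition2(a, b, window)}
        # Policy of this example only: attribute when exactly one app qualifies.
        result[i] = apps.pop() if len(apps) == 1 else None
    return result

# Constructed sample flows (not captured traffic).
SAMPLE = [
    HttpFlow(10.0, "api.weather.example", app="com.example.weather"),
    HttpFlow(11.2, "api.weather.example"),                     # same Host, in window
    HttpFlow(12.0, "cdn.example", "http://ads.example/slot"),  # shared ad host only
    HttpFlow(12.5, "img.example", "http://ads.example/b", app="com.example.news"),
    HttpFlow(13.0, "img.example", "http://ads.example/c", app="com.example.weather"),
    HttpFlow(90.0, "api.weather.example"),                     # same Host, outside window
]
```

The third sample flow shows why a shared third-party hostname in the Referer field is a weak signal: two applications satisfy both conditions, so the flow stays unattributed.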
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910303573.4A CN110011860A (en) | 2019-04-16 | 2019-04-16 | Android application and identification method based on network traffic analysis |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910303573.4A CN110011860A (en) | 2019-04-16 | 2019-04-16 | Android application and identification method based on network traffic analysis |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110011860A (en) | 2019-07-12 |
Family
ID=67172156
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910303573.4A Pending CN110011860A (en) | 2019-04-16 | 2019-04-16 | Android application and identification method based on network traffic analysis |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110011860A (en) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110661796A (en) * | 2019-09-23 | 2020-01-07 | 武汉绿色网络信息服务有限责任公司 | User action flow identification method and device |
CN112615758A (en) * | 2020-12-16 | 2021-04-06 | 北京锐安科技有限公司 | Application identification method, device, equipment and storage medium |
CN114143301A (en) * | 2021-12-07 | 2022-03-04 | 中国人民解放军国防科技大学 | Mobile traffic application identification feature extraction method and system |
CN117097628A (en) * | 2023-10-19 | 2023-11-21 | 中国电子科技集团公司第五十四研究所 | Networking communication behavior identification method based on signal physical characteristic parameters |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20120317561A1 (en) * | 2011-06-13 | 2012-12-13 | Microsoft Corporation | Automatic recognition of web application |
CN104320304A (en) * | 2014-11-04 | 2015-01-28 | 武汉虹信技术服务有限责任公司 | Multimode integration core network user traffic application identification method easy to expand |
CN104486161A (en) * | 2014-12-22 | 2015-04-01 | 成都科来软件有限公司 | Method and device for network traffic identification |
CN106452954A (en) * | 2016-09-30 | 2017-02-22 | 苏州迈科网络安全技术股份有限公司 | HTTP data characteristic analysis method and system |
CN106657141A (en) * | 2017-01-19 | 2017-05-10 | 西安电子科技大学 | Android malware real-time detection method based on network flow analysis |
CN109617762A (en) * | 2018-12-14 | 2019-04-12 | 南京财经大学 | A method of mobile application is identified using network flow |
Patent Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20120317561A1 (en) * | 2011-06-13 | 2012-12-13 | Microsoft Corporation | Automatic recognition of web application |
CN104320304A (en) * | 2014-11-04 | 2015-01-28 | 武汉虹信技术服务有限责任公司 | Multimode integration core network user traffic application identification method easy to expand |
CN104486161A (en) * | 2014-12-22 | 2015-04-01 | 成都科来软件有限公司 | Method and device for network traffic identification |
CN105357082A (en) * | 2014-12-22 | 2016-02-24 | 成都科来软件有限公司 | Method and device for identifying network flow |
CN106452954A (en) * | 2016-09-30 | 2017-02-22 | 苏州迈科网络安全技术股份有限公司 | HTTP data characteristic analysis method and system |
CN106657141A (en) * | 2017-01-19 | 2017-05-10 | 西安电子科技大学 | Android malware real-time detection method based on network flow analysis |
CN109617762A (en) * | 2018-12-14 | 2019-04-12 | 南京财经大学 | A method of mobile application is identified using network flow |
Non-Patent Citations (1)
Title |
---|
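Su Xin: "Research on Android Mobile Application Traffic Analysis and Malicious Behavior Detection Technology", China Doctoral Dissertations Full-text Database, Information Science and Technology * |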
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110661796A (en) * | 2019-09-23 | 2020-01-07 | 武汉绿色网络信息服务有限责任公司 | User action flow identification method and device |
CN112615758A (en) * | 2020-12-16 | 2021-04-06 | 北京锐安科技有限公司 | Application identification method, device, equipment and storage medium |
CN112615758B (en) * | 2020-12-16 | 2022-04-29 | 北京锐安科技有限公司 | Application identification method, device, equipment and storage medium |
CN114143301A (en) * | 2021-12-07 | 2022-03-04 | 中国人民解放军国防科技大学 | Mobile traffic application identification feature extraction method and system |
CN114143301B (en) * | 2021-12-07 | 2024-04-19 | 中国人民解放军国防科技大学 | Mobile traffic application identification feature extraction method and system |
CN117097628A (en) * | 2023-10-19 | 2023-11-21 | 中国电子科技集团公司第五十四研究所 | Networking communication behavior identification method based on signal physical characteristic parameters |
CN117097628B (en) * | 2023-10-19 | 2023-12-22 | 中国电子科技集团公司第五十四研究所 | Networking communication behavior identification method based on signal physical characteristic parameters |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | Application publication date: 20190712 |