RU2851682C1 - Method of classifying web traffic for setting up a secure connection - Google Patents

Abstract

FIELD: wireless communication.

SUBSTANCE: result is achieved by a method of classifying web traffic for setting up a secure connection, comprising: receiving, by a web server from a client device, a request to set up an HTTPS connection; reading, by the web server, request parameters received from the client device to establish an HTTPS connection; designation of selected key exchange algorithm and authentication algorithm; designation of protocol specification expansion set, eliminating detected shortcomings or adding functionality; designation of supported elliptic curves codes/numbers; designation of supported format of points of elliptic curves; transmitting read requests to request parameters analysis module; analysis by request parameters analysis module to assess probability that connection is generated by bot for authorization, and if the predetermined threshold is exceeded, a secure session is established between the client device and the web server, and if the threshold is not reached, the connection is reset.

EFFECT: high level of protecting a web server from external action.

2 cl, 2 dwg

Description

Field of technology:

[0001] The invention relates to the field of computing technology for classifying web traffic for establishing a secure connection.

State of the art:

[0002] Currently, there are many solutions designed to classify web traffic. One example of such solutions is a method for detecting botnets based on machine learning using real-time extracted traffic characteristics, described in US 8682812 B1. The known solution includes the steps of analyzing historical network data using predetermined heuristics to determine feature values in historical network data, obtaining a set of ground truth data with labels assigned to data units in the historical network data that identify known malicious nodes in the network, analyzing the historical network data and the ground truth data set using a machine learning algorithm to create a model representing labels as a function of feature values, analyzing real-time network data using predetermined heuristics to determine a feature value for a data unit in the real-time network data, assigning a label to the data unit by applying the model to the feature value, and categorizing the data unit as associated with a botnet based on the label.

[0003] However, the known solution has its drawbacks. One drawback is that it performs network traffic analysis after a connection has been established. This reduces the web server's protection from external influences (for example, DDoS attacks on the web server's authorization service), as malicious attacks can occur on the web server after the connection has been established, even before the bot's connection is detected. Furthermore, the known traffic analysis solution uses Layer 4 transport flow analysis, which also reduces the likelihood of timely detection of a bot attempting authorization.

Disclosure of invention:

[0004] The objective of the invention is to eliminate the above-mentioned disadvantages.

[0005] The technical result is an increase in the level of protection of the web server from external influences.

[0006] In order to achieve the technical result, a method for classifying web traffic for establishing a secure connection is proposed, comprising stages in which the following is performed:

- the receipt by the web server from the client device of a request to establish an HTTPS connection, where the HTTPS connection is a secure data transfer protocol with the ability to be encrypted using the SSL and TLS cryptographic protocols;

- reading by the web server of the request parameters received from the client device to establish an HTTPS connection, where the request parameters include application layer and presentation layer parameters of the ISO/OSI model that:

- indicate the SSL version for further work;

- indicate the selected key exchange algorithm and authentication algorithm;

- designate a set of extensions to the protocol specification that eliminate identified deficiencies or add functionality that was not provided for when the original TLS transport layer security protocol specification was approved;

- denotes codes/numbers of supported elliptic curves;

- denotes the supported format of elliptic curve points;

- transfer of read requests to the request parameters analysis module;

- analysis by the said analysis module of the request parameters to assess the probability that the connection was generated by a bot for authorization, where the analysis includes the steps at which:

a) perform an analysis of the TLS and HTTP connection parameters using a mathematical model, where the mathematical model predicts the probability that the request was made by a bot for authorization, while the mathematical model is built on the basis of stored statistics on access to the site to establish a connection between real users and bots;

b) calculate the percentage probability that the connection was generated by a bot for authorization;

c) compare the calculated probability with the threshold value, and if the specified threshold is exceeded, establish a secure session between the client device and the web server, and if the threshold value is not reached, reset the connection.

[0007] In particular cases of the implementation of the claimed method, the comparison at step c) is performed by the comparison function trashhold > FP(x), where x are the request parameters, in particular Cipher, SSLExtension, and FP(x) is a function of the request parameters that calculates the probability that the request belongs to a bot, trashhold is the threshold value above which the request can be considered a bot.

[0008] It is understood that both the foregoing general description and the following detailed description are given by way of example and explanation only and are not limitations of the invention.

Brief description of the drawings:

[0009] Fig. 1 is a schematic representation of a method for classifying web traffic to establish a secure connection.

[00010] Fig. 2 is a schematic representation of a hardware architecture that implements a method for classifying web traffic to establish a secure connection.

Implementation of the invention:

[0011] A schematic illustration of a method 100 for classifying web traffic to establish a secure connection is shown in Fig. 1.

[0012] At the first step 101, a request for establishing an HTTPS connection is received by the web server 202 from the client device 101. In the context of the present invention, an HTTPS connection is a secure data transfer protocol with the possibility of encryption by means of the SSL and TLS cryptographic protocols. It should be noted that the reception is performed by a receiving module 203 located within the server. The receiving module can be implemented, but is not limited to, in the form of an Ethernet interface module, a discrete RS-485 module, a universal asynchronous receiver-transmitter UART, etc. The method then proceeds to step 102.

[0013] At step 102, the web server 202 reads the parameters of the request received from the client device 201 for establishing an HTTPS connection. The request parameters include parameters of the application layer and the presentation layer of the ISO/OSI model. In the context of the present technical solution, the mentioned parameters are the SSLVersion parameter, configured to designate the SSL version for further operation, the Cipher parameter, configured to select the key exchange algorithm and the authentication algorithm, and the SSLExtension parameter, configured to extend the protocol specification, eliminating the detected deficiencies or adding functionality not provided for when approving the original specification of the TLS (Transport Layer Security) protocol. The method then proceeds to step 103.

[0014] At step 103, within the web server 202, the read requests are transmitted to the module 204 for analyzing the request parameters. In the context of the present invention, the module for analyzing the request parameters is implemented in hardware and is located within the body of the web server. As examples, but not limited to, the module 204 for analyzing the request parameters can be implemented in the form of a separate blade server located in the body of the web server 202, in the form of a separate controller located in the body of the web server 202, in the form of a separate printed circuit board located in the body of the web server 202, etc. The method then proceeds to step 104.

[0015] At step 104, the request parameter analysis module 204 analyzes the request parameters to estimate the probability that the connection was generated by a bot for authorization. Said analysis includes the steps of: a) analyzing the TLS and HTTP connection parameters using a mathematical model, b) calculating the percentage probability that the connection was generated by a bot for authorization, and c) comparing the calculated probability with a threshold value. The mathematical model predicts the probability that the request was made by a bot for authorization and is built on the basis of stored statistics on access to the site for establishing a connection between real users and bots. If the specified threshold is exceeded, a secure session is established between the client device 201 and the web server 202, i.e., step 105 is performed. In this case, if the threshold value is not reached, the connection is reset, i.e. Step 106 is performed. It should be noted that the comparison is performed by the comparison function trashhold > FP(x), where x are the request parameters, in particular Cipher, SSLExtension, and FP(x) is a function of the request parameters that calculates the probability that the request belongs to a bot, trashhold is a threshold value above which the request can be considered a bot. It should be noted that the said connection is established by means of connection establishment module 205. In the context of the present technical solution, connection establishment module 205 can be implemented, but not limited to, in the form of an Ethernet interface module, a discrete RS-485 module, a universal asynchronous receiver-transmitter UART, etc. Moreover, in an alternative embodiment, module 203 and module 205 can be implemented as a single data receiving and transmitting module. To assess the probability of each request belonging to a class (bot/human), an algorithm is used, the result of which is an ensemble (the sum of the results of the work) of models, each of which represents the union of logical conditions in a tree structure.

In other words, the general form of the ensemble F(x) = f1(x) + fn(x) + fn+1(x) + fN(x), where f(x) is the basic model of the ensemble (decision tree), N is the number of trees included in the ensemble, x is the query parameters, including variables generated based on data from the L6-L7 level of the OSI model, as mentioned above.

[0016] Although the present invention has been shown and described with reference to certain embodiments thereof, it will be understood by those skilled in the art that various changes and modifications can be made therein without departing from the actual scope of the invention. Accordingly, the described embodiments are intended to cover all such transformations, modifications and variations that fall within the spirit and scope of the appended claims.

Claims (14)

1. A method for classifying web traffic to establish a secure connection, comprising the following steps: - the receipt by the web server from the client device of a request to establish an HTTPS connection, where the HTTPS connection is a secure data transfer protocol with the ability to be encrypted using the SSL and TLS cryptographic protocols; - reading by the web server of the request parameters received from the client device to establish an HTTPS connection, where the request parameters include application layer and presentation layer parameters of the ISO/OSI model that: - indicate the SSL version for further work; - indicate the selected key exchange algorithm and authentication algorithm; - denote a set of extensions to the protocol specification that eliminate identified deficiencies or add functionality that was not provided for when the original TLS transport layer security protocol specification was approved; - indicate codes/numbers of supported elliptic curves; - indicate the supported format of elliptic curve points; - transfer of read requests to the request parameters analysis module; - analysis by the said analysis module of the request parameters to assess the probability that the connection was generated by a bot for authorization, where the analysis includes the steps at which: a) perform an analysis of the TLS and HTTP connection parameters using a mathematical model, where the mathematical model predicts the probability that the request was made by a bot for authorization, while the mathematical model is built on the basis of stored statistics on access to the site to establish a connection between real users and bots; b) calculate the percentage probability that the connection was generated by a bot for authorization; c) compare the calculated probability with the threshold value and, if the specified threshold is exceeded, establish a secure session between the client device and the web server, and if the threshold value is not reached, reset the connection. 2. The method according to paragraph 1, characterized in that the comparison in step c) is performed by the comparison function trashhold > FP(x), where x are the request parameters, in particular Cipher, SSLExtension, and FP(x) is a function of the request parameters that calculates the probability that the request belongs to a bot, trashhold is the threshold value above which the request can be considered a bot.