A domain-fronting-based network traffic auditing optimization and defense method
By dynamically selecting front domains, encrypting communication, and masquerading traffic characteristics, combined with real-time monitoring and adjustment, the traffic auditing system is optimized, closing the detection blind spots of traditional systems against domain fronting attacks and achieving efficient, accurate attack identification while remaining legally compliant.
Patent Information
- Authority / Receiving Office: CN · China
- Patent Type: Patents (China)
- Current Assignee / Owner: BEIJING INST OF COMP TECH & APPL
- Filing Date: 2025-06-26
- Publication Date: 2026-06-16
Figure CN120639405B_ABST (abstract figure)
Description
Technical Field
[0001] This invention belongs to the field of network security technology, and specifically relates to a network traffic audit optimization and defense method based on domain fronting.
Background Technology
[0002] Network traffic auditing is a crucial component of network security, used to detect and prevent cyberattacks, data breaches, and other malicious activities. Domain fronting is a technique that bypasses network censorship and traffic auditing by concealing the true communication targets.
[0003] Domain fronting attacks hide the real communication target behind CDN domains, and traditional traffic auditing systems have three major flaws:
[0004] 1. Insufficient deep inspection capability for HTTPS traffic;
[0005] 2. Lack of a domain-behavior correlation analysis mechanism;
[0006] 3. High latency in detecting dynamic domain switching.
Summary of the Invention
[0007] (I) Technical problems to be solved
[0008] The technical problem to be solved by this invention is to design an audit optimization method for domain fronting attacks that improves the audit system's ability to identify concealed domain fronting.
[0009] (II) Technical Solution
[0010] To address the aforementioned technical problems, this invention provides a network traffic audit optimization and defense method based on domain fronting, comprising the following steps:
[0011] Step 1: Initialization:
[0012] Build a domain pool and initialize the encrypted communication and traffic feature masquerading strategies;
[0013] Step 2: Dynamic front domain selection:
[0014] Dynamically select the front domain based on the network environment and the detection rules of the traffic auditing system;
[0015] Step 3: Encrypted communication:
[0016] The communication content is encrypted using TLS / SSL, and further encrypted using a custom encryption protocol;
[0017] Step 4: Traffic feature masquerading:
[0018] Disguise the domain fronting traffic according to the masquerading strategy so that it looks like normal traffic;
[0019] Step 5: Dynamic adaptation:
[0020] Monitor updates and adjustments to the traffic auditing system in real time, and adjust the front domain selection, encrypted communication, and traffic feature masquerading strategies based on the monitoring results;
[0021] Step 6: Traffic injection:
[0022] Based on the masquerading strategy and the front domain, generate masqueraded domain fronting traffic, capture normal traffic data, inject the masqueraded domain fronting traffic into the normal traffic, and then send the traffic containing the injected domain fronting traffic to the target network;
[0023] Step 7: Traffic detection:
[0024] A Hidden Markov Model (HMM) is used to identify abnormal communication timing, and the legality of the certificate is verified against Certificate Transparency (CT) logs. When the SNI field of the front domain is found to be inconsistent with the Host header, the system further checks for an abnormal certificate chain. If one is found, the connection is blocked and the next step is executed; otherwise, traffic is reacquired;
[0025] Step 8: Optimize the traffic auditing system:
[0026] Adjust the state transition probabilities of the HMM based on the detection results of step 7, thereby optimizing the traffic auditing system.
[0027] Preferably, the method for selecting the domain in step 2 includes:
[0028] Network environment-based selection: choose the most suitable front domain based on the current network environment;
[0029] Audit rule-based selection: based on the detection rules of the traffic audit system, select domains that are not monitored or are difficult to detect as front domains;
[0030] Random selection mechanism: a random selection mechanism is used to select the front domain from the domain pool.
[0031] Preferably, in step 3, the communication content is encrypted using the TLS / SSL protocol, and a valid TLS / SSL certificate is used for certificate management; on top of the TLS / SSL encryption, a custom encryption layer is added to further encrypt the communication content, and keys are handled through a secure key management mechanism.
[0032] Preferably, in step 4, large data packets are divided into multiple smaller data packets; the protocol type of the attack traffic is disguised as HTTP or HTTPS traffic; and burst traffic is adjusted to stable traffic.
[0033] The present invention also provides a system for implementing the method, comprising:
[0034] A dynamic front domain selection module, used for:
[0035] dynamically selecting front domains, building a domain pool, and implementing domain rotation;
[0036] selecting the most suitable front domain by analyzing the network environment and the detection rules of the traffic auditing system;
[0037] An encrypted communication module, used for:
[0038] hiding the true content of the communication with TLS / SSL encryption and custom encryption protocols;
[0039] A traffic feature masquerading module, used for:
[0040] disguising traffic characteristics so that the domain fronting traffic appears as normal traffic;
[0041] performing packet size masquerading, protocol type masquerading, and traffic pattern masquerading;
[0042] A dynamic adaptation module, used for:
[0043] monitoring updates and adjustments to the traffic auditing system and dynamically adjusting the domain fronting strategy;
[0044] adjusting the front domain selection, encrypted communication, and traffic feature masquerading strategies by monitoring the detection rules and model updates of the traffic auditing system in real time;
[0045] A traffic injection module, used for:
[0046] injecting domain fronting traffic into network traffic;
[0047] capturing normal traffic, injecting the masqueraded domain fronting traffic into the normal traffic, and then sending it to the target network;
[0048] A traffic detection and system optimization module, used for:
[0049] performing traffic detection and optimizing the traffic auditing system based on the detection results.
[0050] The present invention also provides a network traffic auditing system based on the method described above.
[0051] (III) Beneficial Effects
[0052] This invention provides an audit optimization method for domain fronting attacks. The method uses dynamic front domain selection, encrypted communication, and traffic feature masquerading techniques to optimize network traffic auditing. Through domain reputation modeling, encrypted traffic analysis, and a dynamic defense system, it achieves accurate identification of domain fronting attacks, and can be used for the accurate detection and discovery of such attacks.
Attached Figure Description
[0053] Figure 1 is a schematic diagram of the layered detection architecture of the present invention.
Detailed Implementation
[0054] To make the objectives, contents, and advantages of the present invention clearer, the specific embodiments of the present invention will be described in further detail below with reference to the accompanying drawings and examples.
[0055] This invention provides a network traffic audit optimization and defense method based on domain fronting, which achieves precise blocking of domain fronting attacks by constructing a multi-dimensional domain reputation model and an encrypted traffic analysis engine.
[0056] The technical solution is detailed below. It forms a closed loop of "domain evaluation → encryption analysis → dynamic blocking", which fills the blind spot of traditional auditing systems in detecting domain fronting attacks.
[0057] 1. Dynamic front domain selection
[0058] The dynamic front domain selection module is responsible for dynamically selecting the front domain based on the network environment and the detection rules of the traffic auditing system, avoiding reliance on a single domain. The specific steps are as follows:
[0059] 1.1 Domain Pool Construction
[0060] ● Domain source: select multiple legitimate domains from common CDN service providers (such as Cloudflare, Akamai, etc.) or other high-traffic websites to build a domain pool.
[0061] ● Domain classification: domains are classified based on their traffic characteristics, usage frequency, and monitoring data from traffic auditing systems. For example:
[0062] ○ High-traffic domains: such as Google, Facebook, etc. These domains are usually not strictly monitored.
[0063] ○ Low-traffic domains: such as some niche websites; these domains may not be the focus of the auditing system.
[0064] 1.2 Domain Selection Algorithm
[0065] ● Network environment-based selection: choose the most suitable front domain based on the current network environment (such as network latency, bandwidth, etc.). For example, in an environment with high network latency, choose a domain with a faster response time.
[0066] ● Audit rule-based selection: based on the detection rules of the traffic audit system, select domains that are not monitored or are difficult to detect as front domains. For example, select domains that are not blacklisted by the traffic audit system.
[0067] ● Random selection mechanism: to avoid being detected through long-term use of the same domain, a random selection mechanism is used to select the front domain from the domain pool.
[0068] 1.3 Domain Rotation Mechanism
[0069] ● Regular rotation: rotate the front domain periodically (such as every hour or every day) to avoid using the same domain for a long time.
[0070] ● Anomaly detection rotation: if the current front domain is detected as monitored or blocked by the traffic audit system, immediately switch to another front domain.
[0071] 2. Encrypted communication
[0072] The encrypted communication module is responsible for hiding the actual communication content using encryption technology. The specific steps are as follows:
[0073] 2.1 TLS / SSL Encryption
[0074] ● TLS / SSL Protocol: The TLS / SSL protocol is used to encrypt communication content, ensuring that data packets are encrypted during transmission and cannot be decrypted by traffic auditing systems.
[0075] ● Certificate Management: Use valid TLS / SSL certificates to ensure the legitimacy and confidentiality of encrypted communications. For example, obtain certificates from free certificate authorities such as Let's Encrypt.
[0076] 2.2 Custom Encryption Protocol
[0077] ● Custom Encryption Layer: Add a custom encryption layer on top of TLS / SSL encryption to further encrypt communication content. For example, use AES or RSA algorithms for secondary encryption of the communication content.
[0078] ● Key Management: Ensure the security of encryption keys through a secure key management mechanism. For example, use a key exchange protocol (such as Diffie-Hellman) to dynamically generate encryption keys.
[0079] 2.3 Encrypted Communication Process
[0080] ● Client-side encryption: Before sending data, the client first encrypts it using the TLS / SSL protocol, and then performs a second encryption using a custom encryption protocol.
[0081] ● Server decryption: After receiving the data, the server first decrypts it using a custom encryption protocol, and then decrypts it using the TLS / SSL protocol to obtain the original communication content.
[0082] 3. Layered detection architecture
[0083] ● Behavioral pattern analysis: a Hidden Markov Model (HMM) is used to identify abnormal communication timing;
[0084] ● Certificate chain verification: the legitimacy of certificates is verified against CT (Certificate Transparency) logs.
[0085] 4. Dynamic adaptation mechanism
[0086] The dynamic adaptation module is responsible for dynamically adjusting the domain fronting strategy based on updates and adjustments to the traffic auditing system. The specific steps are as follows:
[0087] 4.1 Traffic Audit System Monitoring
[0088] ● Detection rule monitoring: monitor in real time whether the detection rules of the traffic auditing system have been updated. For example, observe changes in the response of the traffic auditing system by periodically sending test traffic.
[0089] ● Model update monitoring: monitor in real time whether the detection model of the traffic auditing system has been updated. For example, detect model changes by analyzing the logs or configuration files of the traffic auditing system.
[0090] 4.2 Strategy Adjustment
[0091] ● Front domain adjustment: if the traffic auditing system updates its domain detection rules, the front domain selection algorithm is adjusted. For example, unmonitored domains may be selected as front domains.
[0092] ● Encrypted communication adjustment: if the traffic auditing system updates its encryption detection rules, the encrypted communication strategy is adjusted accordingly. For example, the complexity of the custom encryption layer may be increased.
[0093] ● Traffic feature masquerading adjustment: if the traffic auditing system updates its traffic feature detection rules, the traffic feature masquerading strategy is adjusted. For example, the frequency of packet size masquerading may be increased.
[0094] 4.3 Dynamic Adaptation Process
[0095] ● Real-time monitoring: continuously monitor updates and adjustments to the traffic auditing system.
[0096] ● Strategy adjustment: dynamically adjust the domain fronting strategy based on the monitoring results.
[0097] ● Iterative optimization: repeat the domain selection, encrypted communication, and traffic feature masquerading processes so that the domain fronting strategy can adapt to changes in the traffic auditing system.
[0098] 5. Traffic Injection
[0099] The traffic injection module is responsible for injecting domain fronting traffic into network traffic. The specific steps are as follows:
[0100] 5.1 Traffic Capture
[0101] ● Normal traffic capture: capture normal traffic data in the network as the carrier for the domain fronting traffic.
[0102] ● Traffic analysis: analyze the characteristics of the normal traffic to determine where and how the domain fronting traffic is injected.
[0103] 5.2 Domain Fronting Traffic Generation
[0104] ● Front domain selection: determine the front domain from the selection made by the dynamic front domain selection module.
[0105] ● Encrypted communication: use the encrypted communication module to encrypt the communication content.
[0106] ● Traffic feature masquerading: masquerade the domain fronting traffic according to the strategy of the traffic feature masquerading module.
[0107] 5.3 Traffic Injection
[0108] ● Traffic reassembly: reassemble the domain fronting traffic with the normal traffic so that it complies with network protocol specifications.
[0109] ● Traffic transmission: send the reassembled traffic to the target network.
[0110] Example:
[0111] 1. System Architecture
[0112] The system architecture for implementing the method of this embodiment includes the following five main modules:
[0113] 1. Dynamic front-end domain selection module:
[0114] ○ Responsible for dynamically selecting front-end domains, building a domain pool, and implementing domain rotation.
[0115] ○ By analyzing the network environment and the detection rules of the traffic auditing system, the most suitable front-end domain name is selected.
[0116] 2. Encrypted communication module:
[0117] ○ Responsible for using TLS / SSL encryption and custom encryption protocols to hide the true content of communications.
[0118] ○ Ensure that data packets are encrypted during transmission.
[0119] 3. Traffic Feature Spoofing Module:
[0120] ○ Responsible for masquerading traffic characteristics, making front-end traffic appear as normal traffic.
[0121] ○ Includes functions such as packet size spoofing, protocol type spoofing, and traffic pattern spoofing.
[0122] 4. Dynamic Adaptation Module:
[0123] ○ Responsible for monitoring the updates and adjustments of the traffic auditing system, and dynamically adjusting the domain front-end strategy.
[0124] ○ By monitoring the detection rules and model updates of the traffic auditing system in real time, adjust the selection of front-end domain names, encrypted communication, and traffic feature masquerading strategies.
[0125] 5. Traffic Injection Module:
[0126] ○ Responsible for injecting domain front-end traffic into network traffic.
[0127] ○ Capture normal traffic and inject the disguised domain front-end traffic into the normal traffic, then send it to the target network.
[0128] 6. Traffic Detection and System Optimization Module:
[0129] Perform traffic detection and optimize the traffic auditing system based on the detection results.
[0130] 2. Algorithm Flow
[0131] The algorithm flow of this embodiment is as follows:
[0132] 1. Initialization:
[0133] ○ Build a domain name pool and initialize encrypted communication and traffic signature masquerading strategies.
[0134] For example, the domain pool contains domains from CDN service providers such as Cloudflare and Akamai.
[0135] 2. Dynamic frontend domain selection:
[0136] ○ Dynamically select the front domain name based on the network environment and the detection rules of the traffic audit system.
[0137] For example, choose an unmonitored Cloudflare domain as the frontend domain.
[0138] 3. Encrypted communication:
[0139] ○ Use TLS / SSL to encrypt communication content, and further encrypt it using a custom encryption protocol.
[0140] For example, the AES algorithm can be used to encrypt the communication content twice.
[0141] 4. Traffic feature masquerading:
[0142] ○ Disguise the domain fronting traffic using the masquerading strategy so that it appears as normal traffic.
[0143] For example:
[0144] ■ Divide large data packets into multiple smaller data packets;
[0145] ■ Disguise the protocol type of the attack traffic as common HTTP or HTTPS traffic;
[0146] ■ Smooth sudden surges in traffic to a stable flow rate.
[0147] 5. Dynamic adaptation:
[0148] ○ Monitor updates and adjustments to the traffic auditing system in real time.
[0149] ○ Based on the monitoring results, adjust the front domain selection, encrypted communication, and traffic feature masquerading strategies.
[0150] For example, if the traffic auditing system updates its domain detection rules, switch to another front domain.
[0151] 6. Traffic injection:
[0152] ○ Capture normal traffic data and inject the masqueraded domain fronting traffic into the normal traffic.
[0153] ○ Send the traffic containing the injected domain fronting traffic to the target network.
[0154] 7. Traffic Detection and System Optimization:
[0155] Perform traffic detection and optimize the traffic auditing system based on the detection results.
[0156] 3. Specific examples
[0157] 1. Attack detection:
[0158] ○ A discrepancy was found between the SNI field and the Host header of the cloudflare.com domain.
[0159] ○ An abnormal certificate chain (not officially issued by Cloudflare) was detected.
[0160] 2. Dynamic response:
[0161] ○ Connection blocking is triggered when the confidence level reaches 92%.
[0162] ○ Attack forensics reports are generated automatically.
[0163] 3. System optimization:
[0164] ○ Add the attack pattern to the knowledge base.
[0165] ○ Adjust the state transition probabilities of the HMM model.
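The detection side of this embodiment (the SNI/Host gate, certificate chain check and HMM timing analysis of step 7, followed by the transition-probability update of step 8), as an added Python illustration that is not the patent's own code. The front domain, issuer allowlist, HMM parameters, timing sample and confidence weighting are constructed assumptions; it also assumes the auditor can see both the TLS SNI and the HTTP Host header, which for HTTPS requires a TLS-terminating proxy or endpoint telemetry, since a passive tap sees only the SNI.

```python
import math
from dataclasses import dataclass

BLOCK_CONFIDENCE = 0.92   # blocking threshold quoted in the embodiment above
NORMAL, BEACON = 0, 1     # HMM hidden states for communication timing
# Constructed HMM parameters (assumption): symbol 0 = gap near the flow median, 1 = far.
TRANSITIONS = [[0.9, 0.1], [0.2, 0.8]]
EMISSIONS = [[0.4, 0.6], [0.9, 0.1]]
INITIAL = [0.7, 0.3]
# Constructed allowlist: issuer CAs expected for each known front domain.
EXPECTED_ISSUERS = {"cdn-front.example.net": {"Example CDN Issuing CA"}}

@dataclass
class Flow:
    sni: str            # server name from the TLS ClientHello
    host: str           # Host header of the HTTP request inside the tunnel
    cert_issuer: str    # issuer of the leaf certificate the server presented
    sct_verified: bool  # leaf SCT validated against a trusted CT log
    intervals_ms: list  # inter-request gaps observed on this connection

def normalize_host(name):
    """Lower-case, drop a trailing dot and an explicit port before comparing."""
    return name.strip().lower().rstrip(".").split(":", 1)[0]

def sni_host_mismatch(sni, host):
    return normalize_host(sni) != normalize_host(host)

def certificate_chain_abnormal(sni, issuer, sct_verified, expected=EXPECTED_ISSUERS):
    """Abnormal if the leaf is absent from CT or issued by an unexpected CA."""
    allowed = expected.get(normalize_host(sni))
    return (not sct_verified) or (allowed is not None and issuer not in allowed)

def quantize(intervals_ms, tolerance=0.15):
    """Map each gap to 0 (within tolerance of the median) or 1 (outside it)."""
    median = sorted(intervals_ms)[len(intervals_ms) // 2]
    return [0 if abs(x - median) <= tolerance * median else 1 for x in intervals_ms]

def viterbi(symbols, A=TRANSITIONS, B=EMISSIONS, pi=INITIAL):
    """Most likely hidden-state path for the timing symbols (log space)."""
    n = len(A)
    delta = [math.log(pi[s]) + math.log(B[s][symbols[0]]) for s in range(n)]
    back = []
    for sym in symbols[1:]:
        new_delta, pointers = [], []
        for s in range(n):
            prev = max(range(n), key=lambda p: delta[p] + math.log(A[p][s]))
            new_delta.append(delta[prev] + math.log(A[prev][s]) + math.log(B[s][sym]))
            pointers.append(prev)
        delta, back = new_delta, back + [pointers]
    state = max(range(n), key=lambda s: delta[s])
    path = [state]
    for pointers in reversed(back):
        state = pointers[state]
        path.append(state)
    return path[::-1]

def analyze(flow, A=TRANSITIONS):
    """Step 7: SNI/Host gate, then certificate chain, then HMM timing; block at 92%."""
    if not sni_host_mismatch(flow.sni, flow.host):
        return {"verdict": "reacquire", "confidence": 0.0, "path": []}
    if not certificate_chain_abnormal(flow.sni, flow.cert_issuer, flow.sct_verified):
        return {"verdict": "reacquire", "confidence": 0.5, "path": []}
    path = viterbi(quantize(flow.intervals_ms), A) if flow.intervals_ms else []
    beacon_fraction = sum(path) / len(path) if path else 0.0
    # Constructed weighting: mismatch 0.5 + abnormal chain 0.3 + beacon-like timing 0.2.
    confidence = 0.5 + 0.3 + 0.2 * beacon_fraction
    verdict = "block" if confidence >= BLOCK_CONFIDENCE else "reacquire"
    return {"verdict": verdict, "confidence": round(confidence, 3), "path": path}

def update_transitions(A, path, prior_strength=10.0):
    """Step 8: fold a confirmed detection's state path back into the HMM transitions."""
    counts = [[p * prior_strength for p in row] for row in A]
    for a, b in zip(path, path[1:]):
        counts[a][b] += 1.0
    return [[c / sum(row) for c in row] for row in counts]

if __name__ == "__main__":
    flow = Flow("cdn-front.example.net", "hidden.example.org", "Unrelated Test CA",
                False, [5000, 5010, 4990, 5005, 4995, 5002])  # constructed sample
    print(analyze(flow))
```

A flow whose SNI and Host agree, or whose chain is CT-logged and issued by the expected CA, is returned for reacquisition rather than blocked, matching the gating order of step 7.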
[0166] Through the above embodiments, this invention demonstrates how to optimize and defend a network traffic auditing system by combining dynamic front domain selection, encrypted communication, and traffic feature masquerading with a dynamic adaptation mechanism. This invention has the following characteristics:
[0167] 1. Accurate identification: Non-decryption detection increases the attack detection rate;
[0168] 2. High-efficiency processing: Reduces detection engine latency;
[0169] 3. Legal compliance: User data will not be decrypted throughout the entire process.
[0170] The above description is only a preferred embodiment of the present invention. It should be noted that for those skilled in the art, several improvements and modifications can be made without departing from the technical principles of the present invention, and these improvements and modifications should also be considered within the scope of protection of the present invention.
Claims
1. A domain-fronting-based network traffic auditing optimization and defense method, characterized in that it includes the following steps: Step 1, initialization: build a domain pool and initialize the encrypted communication and traffic feature masquerading strategies; Step 2, dynamic front domain selection: dynamically select the front domain based on the network environment and the detection rules of the traffic auditing system; Step 3, encrypted communication: the communication content is encrypted using TLS / SSL, and further encrypted using a custom encryption protocol; Step 4, traffic feature masquerading: disguise the domain fronting traffic according to the masquerading strategy so that it looks like normal traffic; Step 5, dynamic adaptation: monitor updates and adjustments to the traffic auditing system in real time, and adjust the front domain selection, encrypted communication, and traffic feature masquerading strategies based on the monitoring results; Step 6, traffic injection: based on the masquerading strategy and the front domain, generate masqueraded domain fronting traffic, capture normal traffic data, inject the masqueraded domain fronting traffic into the normal traffic, and then send the traffic containing the injected domain fronting traffic to the target network; Step 7, traffic detection: a Hidden Markov Model (HMM) is used to identify abnormal communication timing, and the legality of the certificate is verified against Certificate Transparency (CT) logs; when the SNI field of the front domain is found to be inconsistent with the Host header, the system further checks for an abnormal certificate chain; if one is found, the connection is blocked and the next step is executed, otherwise traffic is reacquired; Step 8, optimizing the traffic auditing system: adjust the state transition probabilities of the HMM based on the detection results of step 7, thereby optimizing the traffic auditing system.
2. The method of claim 1, wherein the domain pool contains domains from CDN service providers.
3. The method of claim 1, wherein the methods for selecting the domain in step 2 include: network environment-based selection, choosing the most suitable front domain based on the current network environment; audit rule-based selection, selecting domains that are not monitored or are difficult to detect as front domains based on the detection rules of the traffic audit system; and a random selection mechanism, which selects the front domain from the domain pool at random.
4. The method of claim 1, wherein in step 3 the communication content is encrypted using the TLS / SSL protocol and a valid TLS / SSL certificate is used for certificate management, and on top of the TLS / SSL encryption a custom encryption layer is added to further encrypt the communication content, with keys handled by a secure key management mechanism.
5. The method of claim 1, wherein in step 4 large data packets are split into multiple smaller data packets, the protocol type of the attack traffic is disguised as HTTP or HTTPS traffic, and burst traffic is adjusted to stable traffic.
6. A system for implementing the method according to any one of claims 1 to 5, characterized in that it includes: a dynamic front domain selection module, used for dynamically selecting front domains, building a domain pool and implementing domain rotation, and for selecting the most suitable front domain by analyzing the network environment and the detection rules of the traffic auditing system; an encrypted communication module, used for hiding the true content of the communication with TLS / SSL encryption and custom encryption protocols; a traffic feature masquerading module, used for disguising traffic characteristics so that the domain fronting traffic appears as normal traffic, and for performing packet size masquerading, protocol type masquerading and traffic pattern masquerading; a dynamic adaptation module, used for monitoring updates and adjustments to the traffic auditing system and dynamically adjusting the domain fronting strategy, and for adjusting the front domain selection, encrypted communication and traffic feature masquerading strategies by monitoring the detection rules and model updates of the traffic auditing system in real time; a traffic injection module, used for injecting domain fronting traffic into network traffic, capturing normal traffic, injecting the masqueraded domain fronting traffic into the normal traffic and then sending it to the target network; and a traffic detection and system optimization module, used for performing traffic detection and optimizing the traffic auditing system based on the detection results.