Method and apparatus for generating fingerprint library, and computing device

By automatically filtering TLS client requests with the same UA field value on the TLS server to generate a fingerprint database, the high cost and low accuracy of TLS client fingerprint database generation in existing technologies are solved, achieving efficient and accurate network security protection.

WO2026144923A1PCT designated stage Publication Date: 2026-07-09HUAWEI TECH CO LTD

Patent Information

Authority / Receiving Office
WO · WO
Patent Type
Applications
Current Assignee / Owner
HUAWEI TECH CO LTD
Filing Date
2025-12-11
Publication Date
2026-07-09

Smart Images

  • Figure CN2025141809_09072026_PF_FP_ABST
    Figure CN2025141809_09072026_PF_FP_ABST
Patent Text Reader

Abstract

Provided in the present application are a method and apparatus for generating a fingerprint library, and a computing device. The method comprises: acquiring a first user agent (UA) from among a plurality of UAs comprised in UA lists, wherein the UA lists comprise a preset UA list and a UA list acquired on the basis of behavior analysis; receiving N requests sent by a plurality of TLS clients, wherein each of the N requests comprises a UA field, and N is an integer greater than 1; on the basis of the value of the first UA, performing screening on the N requests, so as to obtain M requests, wherein M is an integer less than N, and the value of the UA field of each of the M requests is the same as the value of the first UA; and adding into a fingerprint library P fingerprints of TLS clients that send the M requests, wherein P is an integer greater than 1. In the solution, a fingerprint library for TLS clients can be automatically created, thereby reducing the costs for creating a fingerprint library, improving the accuracy of the fingerprint library, and further ensuring network security.
Need to check novelty before this filing date? Find Prior Art

Description

Methods, apparatus, and computing devices for generating fingerprint databases

[0001] This application claims priority to Chinese Patent Application No. 202411985529.3, filed with the China National Intellectual Property Administration on December 30, 2024, entitled “Method, Apparatus and Computing Device for Generating a Fingerprint Database”, the entire contents of which are incorporated herein by reference. Technical Field

[0002] This application relates to the field of cybersecurity, and more specifically, to a method, apparatus, and computing device for generating a fingerprint database. Background Technology

[0003] Transport Layer Security (TLS) clients are client software used to implement TLS and ensure secure network communications. TLS client fingerprinting is an effective technique for identifying different TLS clients, offering uniqueness, stability, and security.

[0004] Typically, a fingerprint database for TLS clients can be built. By comparing the fingerprints with known TLS client fingerprint databases, the spread of malware, web crawlers, viruses, etc., can be effectively identified and prevented. However, in existing technical solutions, the fingerprints in the TLS client fingerprint database are added based on manual analysis by security personnel; therefore, the cost of generating existing fingerprint databases is high, and the output is low.

[0005] Therefore, reducing the cost of creating a fingerprint database and improving its accuracy have become urgent technical problems that need to be solved. Summary of the Invention

[0006] This application provides a method, apparatus, and computing device for generating a fingerprint database. The method can automatically create a fingerprint database for TLS clients, reduce the creation cost of the fingerprint database, improve the accuracy of the fingerprint database, and further ensure network security.

[0007] Firstly, a method for generating a fingerprint database is provided. This method is executed by a Transport Layer Security (TLS) server. The method includes: obtaining a first UA from a list of multiple UAs included in a User Agent (UA) list, the UA list including a pre-set UA list and a UA list obtained based on behavioral analysis; receiving N requests sent by multiple TLS clients, wherein each of the N requests includes a UA field, and N is an integer greater than 1; selecting M requests from the N requests based on the value of the first UA, where M is an integer less than N, and the value of the UA field of each of the M requests is the same as the value of the first UA; and adding P fingerprints of the TLS clients that sent the M requests to the fingerprint database, where P is an integer greater than 1.

[0008] In the above technical solution, the UA value of a suspicious TLS client can be used to filter requests sent between multiple TLS clients and the TLS server. TLS clients whose UA field values ​​in the sent requests are the same as the UA values ​​of the suspicious TLS clients are selected, and the fingerprints of these TLS clients are automatically added to the fingerprint database. This reduces the cost of creating the fingerprint database and further ensures network security.

[0009] In conjunction with the first aspect, in some implementations of the first aspect, the aforementioned pre-set UA list includes a gray and black market UA list, which includes a list of TLS clients that use the network to carry out illegal and criminal activities.

[0010] In conjunction with the first aspect, in some implementations of the first aspect, the aforementioned UA list based on behavior analysis may include a list of UAs of TLS clients with suspicious behavior obtained through behavior analysis.

[0011] In conjunction with the first aspect, in some implementations of the first aspect, the list of UAs for suspicious TLS clients includes UAs that trigger the protection rules built into the TLS server multiple times within a short period of time.

[0012] In conjunction with the first aspect, in some implementations of the first aspect, the list of UAs for suspicious TLS clients includes UAs that access a large number of non-existent directories in a short period of time (e.g., returning a 404 status code).

[0013] In conjunction with the first aspect, in some implementations of the first aspect, the method further includes: selecting a target fingerprint from the P fingerprints, wherein the number of source Internet Protocol IP addresses of the TLS client corresponding to the target fingerprint is greater than a first preset threshold; and adding the target fingerprint to the fingerprint database.

[0014] In the above technical solution, the P fingerprints can be further filtered to select the target fingerprint and add it to the fingerprint database, thereby further improving the accuracy of the fingerprints added to the fingerprint database.

[0015] In conjunction with the first aspect, in some implementations of the first aspect, the method further includes: selecting Q requests from the N requests based on the target fingerprint, wherein the fingerprint of the TLS client sending the Q requests is the target fingerprint; determining that the number of requests in the Q requests whose UA field value is the same as the value of the first UA is greater than a second preset threshold, and adding the target fingerprint to the fingerprint database.

[0016] In the above technical solution, if the number of requests in the Q requests whose UA field value is the same as the value of the first UA is greater than a second preset threshold, the target fingerprint can be added to the fingerprint database, thereby further improving the accuracy of the fingerprints added to the fingerprint database.

[0017] In conjunction with the first aspect, in some implementations of the first aspect, the method further includes: adding the timestamp corresponding to each of the P fingerprints to the fingerprint database, wherein the timestamp corresponding to each of the P fingerprints is the time when each of the P fingerprints was added to the fingerprint database.

[0018] In the above technical solution, the timestamp corresponding to each fingerprint can also be added to the fingerprint database. This allows the fingerprints in the fingerprint database to be updated according to the timestamp corresponding to each fingerprint, thereby reducing the false alarm rate of the fingerprint database.

[0019] In conjunction with the first aspect, in some implementations of the first aspect, the method further includes: removing fingerprints whose timestamps are less than a third preset threshold from the fingerprint database based on the timestamp corresponding to each fingerprint in the fingerprint database.

[0020] The above technical solution can also update the fingerprints in the fingerprint database, automatically remove aging fingerprints from the fingerprint database, so that the fingerprints retained in the fingerprint database are all the latest additions, thereby reducing the false alarm rate of the fingerprint database.

[0021] In conjunction with the first aspect, in some implementations of the first aspect, the method further includes: obtaining a second UA from among the multiple UAs included in the UA list; selecting S requests from the N requests based on the value of the second UA, where S is an integer less than N, and the value of the UA field of each of the S requests is the same as the value of the second UA; adding L fingerprints of the TLS client that sent the S requests to a fingerprint database, where L is an integer greater than 1.

[0022] In conjunction with the first aspect, in some implementations of the first aspect, the method further includes: receiving a handshake message sent by the target client; generating a fingerprint corresponding to the target client based on the handshake message; and determining that the target client is a malicious client if the fingerprint database contains a fingerprint corresponding to the target client.

[0023] The above technical solution can also use the generated fingerprint database to identify whether the target client is a malicious client, thereby preventing the spread of malware.

[0024] In conjunction with the first aspect, in some implementations of the first aspect, the method further includes: obtaining the P fingerprints based on the session identifier IDs included in the M requests.

[0025] In conjunction with the first aspect, in some implementations of the first aspect, the method further includes: receiving handshake messages sent by the plurality of TLS clients respectively; and generating fingerprints corresponding to the plurality of TLS clients respectively based on the fields in the handshake messages sent by the plurality of TLS clients respectively.

[0026] Secondly, an apparatus for generating a fingerprint database is provided, including an acquisition module, a receiving module, a filtering module, and an adding module. The acquisition module acquires a first UA from a list of multiple UAs included in a user agent UA list, the UA list including a pre-set UA list and a UA list obtained based on behavioral analysis; the receiving module receives N requests sent by multiple TLS clients, wherein each of the N requests includes a UA field, and N is an integer greater than 1; the filtering module filters M requests from the N requests based on the value of the first UA, where M is an integer less than N, and the value of the UA field in each of the M requests is the same as the value of the first UA; the adding module adds P fingerprints of the TLS clients that sent the M requests to the fingerprint database, where P is an integer greater than 1.

[0027] In conjunction with the second aspect, in some implementations of the second aspect, the filtering module is further used to filter out a target fingerprint from the P fingerprints, wherein the number of source Internet Protocol IP addresses of the TLS client corresponding to the target fingerprint is greater than a first preset threshold; the adding module is specifically used to add the target fingerprint to the fingerprint database.

[0028] In conjunction with the second aspect, in some implementations of the second aspect, the filtering module is further configured to filter out Q requests from the N requests based on the target fingerprint, wherein the fingerprint of the TLS client that sent the Q requests is the target fingerprint; the adding module is specifically configured to: determine that the number of requests in the Q requests whose UA field value is the same as the value of the first UA is greater than a second preset threshold, and add the target fingerprint to the fingerprint database.

[0029] In conjunction with the second aspect, in some implementations of the second aspect, the adding module is further configured to add the timestamp corresponding to each of the P fingerprints to the fingerprint database, wherein the timestamp corresponding to each of the P fingerprints is the time when each of the P fingerprints is added to the fingerprint database.

[0030] In conjunction with the second aspect, in some implementations of the second aspect, the device further includes: a removal module, used to remove fingerprints whose timestamps are less than a third preset threshold from the fingerprint database based on the timestamp corresponding to each fingerprint in the fingerprint database.

[0031] In conjunction with the second aspect, in some implementations of the second aspect, the acquisition module is further configured to acquire the second UA among the multiple UAs included in the UA list; the filtering module is further configured to filter out S requests from the N requests based on the value of the second UA, where S is an integer less than N, and the value of the UA field of each of the S requests is the same as the value of the second UA; the adding module is further configured to add L fingerprints of the TLS client that sent the S requests to the fingerprint database, where L is an integer greater than 1.

[0032] In conjunction with the second aspect, in some implementations of the second aspect, the receiving module is further configured to receive a handshake message sent by the target client; the device further includes a generation module and a determination module, wherein the generation module is configured to generate a fingerprint corresponding to the target client based on the handshake message; and the determination module is configured to determine that the target client is a malicious client if the fingerprint corresponding to the target client is included in the fingerprint database.

[0033] It should be understood that for the beneficial effects of the second aspect and its various implementations, please refer to the first aspect and its various implementations; they will not be repeated here.

[0034] Thirdly, a computing device is provided, including a processor and a memory, and optionally, an input / output interface. The processor controls the input / output interface to send and receive information, the memory stores a computer program, and the processor retrieves and runs the computer program from the memory, causing the computing device to execute the method of the first aspect or any possible implementation thereof.

[0035] Optionally, the processor can be a general-purpose processor, which can be implemented in hardware or software. When implemented in hardware, the processor can be a logic circuit, integrated circuit, etc.; when implemented in software, the processor can be a general-purpose processor that reads software code stored in memory. This memory can be integrated into the processor or located outside the processor and exist independently.

[0036] Fourthly, a computing device cluster is provided, including at least one computing device, each computing device including a processor and a memory; the processor of the at least one computing device is configured to execute instructions stored in the memory of the at least one computing device, such that the computing device cluster performs the method of the first aspect or any possible implementation thereof.

[0037] Fifthly, a chip is provided that acquires and executes instructions to implement the methods described in the first aspect and any implementation thereof.

[0038] Optionally, as one implementation, the chip includes a processor and a data interface, through which the processor reads instructions stored in the memory and executes the methods in the first aspect and any implementation thereof.

[0039] Optionally, as one implementation, the chip may further include a memory storing instructions, and the processor is used to execute the instructions stored in the memory. When the instructions are executed, the processor is used to perform the method in the first aspect and any implementation thereof.

[0040] In a sixth aspect, a computer program product containing instructions is provided, which, when executed by a computing device, cause the computing device to perform the methods described in the first aspect and any implementation thereof.

[0041] In a seventh aspect, a computer program product containing instructions is provided, which, when run by a cluster of computing devices, cause the cluster of computing devices to perform the methods described in the first aspect and any implementation thereof.

[0042] Eighthly, a computer-readable storage medium is provided, including computer program instructions that, when executed by a computing device, perform the method as described in the first aspect and any implementation thereof.

[0043] As examples, these computer-readable storage devices include, but are not limited to, one or more of the following: read-only memory (ROM), programmable ROM (PROM), erasable PROM (EPROM), flash memory, electrically EPROM (EEPROM), and hard drive.

[0044] Alternatively, as one implementation method, the aforementioned storage medium can specifically be a non-volatile storage medium.

[0045] A ninth aspect provides a computer-readable storage medium including computer program instructions that, when executed by a cluster of computing devices, perform the method as described in the first aspect and any implementation thereof.

[0046] As examples, these computer-readable storage devices include, but are not limited to, one or more of the following: read-only memory (ROM), programmable ROM (PROM), erasable PROM (EPROM), flash memory, electrically EPROM (EEPROM), and hard drive.

[0047] Alternatively, as one implementation method, the aforementioned storage medium can specifically be a non-volatile storage medium. Attached Figure Description

[0048] Figure 1 is a schematic diagram of a scenario applicable to an embodiment of this application.

[0049] Figure 2 is a schematic block diagram of a cloud scenario applicable to an embodiment of this application.

[0050] Figure 3 is a schematic flowchart of a method for generating a fingerprint database provided in an embodiment of this application.

[0051] Figure 4 is a schematic block diagram of a fingerprint database generation device 400 provided in an embodiment of this application.

[0052] Figure 5 is a schematic diagram of the architecture of a computing device 1500 provided in an embodiment of this application.

[0053] Figure 6 is a schematic diagram of the architecture of a computing device cluster provided in an embodiment of this application.

[0054] Figure 7 is a schematic diagram of the connection between computing devices 1500A and 1500B via a network provided in an embodiment of this application. Detailed Implementation

[0055] The technical solutions in this application will now be described with reference to the accompanying drawings.

[0056] This application will present various aspects, embodiments, or features relating to systems comprising multiple devices, components, modules, etc. It should be understood and appreciated that individual systems may include additional devices, components, modules, etc., and / or may not include all devices, components, modules, etc. discussed in conjunction with the accompanying drawings. Furthermore, combinations of these approaches are also possible.

[0057] Furthermore, in the embodiments of this application, the words "exemplary," "for example," etc., are used to indicate that they are examples, illustrations, or descriptions. Any embodiment or design scheme described as "exemplary" in this application should not be construed as being more preferred or advantageous than other embodiments or design schemes. Specifically, the use of the term "exemplary" is intended to present the concept in a concrete manner.

[0058] In the embodiments of this application, "corresponding" and "corresponding" can sometimes be used interchangeably. It should be noted that when the distinction is not emphasized, their intended meanings are consistent.

[0059] The business scenarios described in the embodiments of this application are for the purpose of more clearly illustrating the technical solutions of the embodiments of this application, and do not constitute a limitation on the technical solutions provided in the embodiments of this application. As those skilled in the art will know, with the evolution of network architecture and the emergence of new business scenarios, the technical solutions provided in the embodiments of this application are also applicable to similar technical problems.

[0060] References to "one embodiment" or "some embodiments" as described in this specification mean that one or more embodiments of this application include a specific feature, structure, or characteristic described in connection with that embodiment. Therefore, the phrases "in one embodiment," "in some embodiments," "in other embodiments," "in still other embodiments," etc., appearing in different parts of this specification do not necessarily refer to the same embodiment, but rather mean "one or more, but not all, embodiments," unless otherwise specifically emphasized. The terms "comprising," "including," "having," and variations thereof mean "including but not limited to," unless otherwise specifically emphasized.

[0061] In this application, "at least one" means one or more, and "more than one" means two or more. "And / or" describes the relationship between related objects, indicating that three relationships can exist. For example, A and / or B can mean: A alone, A and B simultaneously, and B alone, where A and B can be singular or plural. The character " / " generally indicates that the preceding and following related objects are in an "or" relationship. "At least one of the following" or similar expressions refer to any combination of these items, including any combination of single or plural items. For example, at least one of a, b, or c can mean: a, b, c, ab, ac, bc, or abc, where a, b, and c can be single or multiple.

[0062] TLS was developed on top of Secure Sockets Layer (SSL) and is designed to provide stronger security. For example, TLS can establish an encrypted channel between a TLS client and a TLS server, ensuring that data is not eavesdropped on or tampered with during transmission.

[0063] For example, Figure 1 is a schematic diagram of a scenario applicable to an embodiment of this application. As shown in Figure 1, this scenario may include a TLS client 110 and a TLS server 120. The TLS client 110 and the TLS server 120 first negotiate a cryptographic suite (including encryption algorithm, key length, etc.) and a session key through a handshake protocol. Once the handshake protocol is completed, the TLS client 110 and the TLS server 120 can use the negotiated cryptographic suite and session key for encrypted communication. During this process, all data is transmitted encrypted to ensure data confidentiality and integrity. When communication ends, the TLS client 110 and the TLS server 120 destroy the negotiated session key to ensure the security of the session data.

[0064] For example, the aforementioned TLS client 110 may include, but is not limited to: web browsers (such as Chrome, Firefox, Safari, etc.), email clients (such as Outlook, Thunderbird, etc.), instant messaging clients, mobile applications, etc.

[0065] For example, the aforementioned TLS server 120 may include, but is not limited to: web server, email server, email server, instant messaging server, web application firewall (WAF), etc.

[0066] During the handshake process described above, TLS client 110 sends a "Client Hello" message to TLS server 120. This "Client Hello" message contains information such as the TLS version supported by TLS client 110, a list of acceptable cipher suites, TLS extension options, supported elliptic curves, and supported elliptic curve formats. Upon receiving the "Client Hello" message from TLS client 110, TLS server 120 responds by sending a "Server Hello" message. TLS server 120 can also extract key fields from the handshake message ("Client Hello" message) sent by TLS client 110, hash the values ​​of the extracted key fields using a specific hash algorithm, and generate a fixed-length hash value. This hash value is the JA3 fingerprint corresponding to TLS client 110.

[0067] As an example, JA3 fingerprints have the following characteristics:

[0068] 1) Uniqueness

[0069] Because different TLS clients may use different field values ​​in their handshake messages, the JA3 fingerprints generated based on these field values ​​will also differ. This makes JA3 fingerprints unique and can be used to identify and classify different TLS clients.

[0070] 2) Stability

[0071] The JA3 fingerprint does not change as the TLS client changes its Internet protocol (IP) or user agent (UA), therefore the JA3 fingerprint can serve as a stable identifier to identify different TLS clients.

[0072] 3) Safety

[0073] JA3 fingerprints can be used for network traffic analysis, helping security analysts and network administrators identify and classify different TLS clients.

[0074] Therefore, JA3 fingerprinting is an effective technique for identifying different TLS clients, possessing characteristics such as uniqueness, stability, and security. Although JA3 fingerprints may overlap between different types of TLS clients, the JA3 fingerprints of malicious TLS clients are usually unique. Therefore, JA3 fingerprinting can be used to detect and defend against network attacks, such as secure sockets layer (SSL) man-in-the-middle attacks and malware propagation.

[0075] Typically, a JA3 fingerprint database for TLS clients can be built. As an example, this fingerprint database can be used in the security field; for instance, by comparing it with known TLS client JA3 fingerprint databases, the spread of malware, web crawlers, viruses, etc., can be effectively identified and blocked. Another example is its use in advertising and personalized recommendation applications. By building a device fingerprint database, accurate device identification and personalized services can be achieved, improving user experience and security.

[0076] In related technical solutions, the fingerprints contained in the fingerprint database of the TLS client are added based on manual analysis by security personnel. Therefore, the cost of generating the existing fingerprint database is high and the output is low.

[0077] In view of this, embodiments of this application provide a method for generating a fingerprint database. This method can automatically create a fingerprint database for TLS clients based on the daily traffic between TLS clients and TLS servers, reducing the creation cost of the fingerprint database, improving the accuracy of the fingerprint database, and further ensuring network security.

[0078] In one possible implementation, the method provided in this application embodiment can be applied to a cloud service scenario, where the method is executed by a cloud management platform within the cloud service scenario. For ease of description, the cloud service scenario will be described in detail below with reference to Figure 2.

[0079] Figure 2 is a schematic block diagram of a cloud scenario applicable to an embodiment of this application. As shown in Figure 2, the cloud scenario may include: a cloud management platform 210, the Internet 220, and a client 230.

[0080] As shown in Figure 2, the cloud management platform 210 is used to manage the infrastructure that provides multiple cloud services. The infrastructure includes multiple cloud data centers, each cloud data center includes multiple servers, and each server includes cloud service resources to provide corresponding cloud services to tenants.

[0081] The cloud management platform 210 can be located in a cloud data center and provides access interfaces (such as user interfaces or application program interfaces, APIs). Tenants can use client 230 to remotely access the access interface to register a cloud account and password on the cloud management platform 210 and log in. After successful authentication of the cloud account and password on the cloud management platform 210, the tenant can further select and purchase virtual machines of specific specifications (processor, memory, disk) on the cloud management platform 210. After successful purchase, the cloud management platform 210 provides the remote login account and password for the purchased virtual machine, and client 230 can remotely log in to the virtual machine to install and run the tenant's applications. Therefore, tenants can create, manage, log in to, and operate virtual machines in the cloud data center through the cloud management platform 210. Virtual machines can also be referred to as Elastic Compute Service (ECS) or Elastic Instances (different cloud service providers may use different names).

[0082] It should be understood that cloud service tenants can be individuals, businesses, schools, hospitals, government agencies, etc.

[0083] The cloud management platform 210 includes, but is not limited to, a user console, compute management services, network management services, storage management services, authentication services, and image management services. The user console provides an interface or API for interaction with tenants. The compute management services manage servers running virtual machines and containers, as well as bare metal servers. The network management services manage network services (such as gateways and firewalls). The storage management services manage storage services (such as data bucket services). The authentication services manage tenant account passwords. The image management services manage virtual machine images. Tenants use client 230 and can log in to the cloud management platform 210 via the internet 220 to manage their rented cloud services.

[0084] The method for generating a fingerprint database provided by an embodiment of this application will be described in detail below with reference to Figure 3. It should be understood that the examples in Figure 3 are merely to help those skilled in the art understand the embodiments of this application, and are not intended to limit the embodiments of the application to the specific values ​​or specific scenarios illustrated in Figure 3. Those skilled in the art can obviously make various equivalent modifications or changes based on the examples given below in Figure 3, and such modifications and changes also fall within the scope of the embodiments of this application.

[0085] Figure 3 is a schematic flowchart of a method for generating a fingerprint database according to an embodiment of this application. As shown in Figure 3, the method may include steps 310-340, which will be described in detail below.

[0086] Step 310: Obtain the first UA from the multiple UAs included in the UA list.

[0087] As an example, the TLS server can obtain the first UA from the list of multiple UAs.

[0088] It should be understood that the User-Agent (UA) is a field in the Hypertext Transfer Protocol Secure (HTTPS) protocol. This field provides the accessing TLS server with information about the TLS client that issued the HTTP request, and is a crucial basis for the TLS server to identify the TLS client's identity. The UA field typically contains a string consisting of information about the TLS client, which may include, but is not limited to, the TLS client type, version, operating system, and device type. The UA field plays a vital role in HTTP requests; it not only serves as the basis for the TLS server to identify the TLS client's identity but is also an important tool for content adaptation, logging and analysis, and the enforcement of security policies.

[0089] It's important to note that User Agents (UAs) can be spoofed. Users can change the UA of their TLS client by modifying its settings or using specific plugins. This spoofing is sometimes used to bypass access restrictions on certain websites or for specific network tests. However, a spoofed UA can also prevent the TLS server from correctly identifying the user's TLS client type, thus affecting the server's display and user experience.

[0090] The UA list mentioned above may include a pre-set UA list and a UA list obtained based on behavioral analysis.

[0091] As an example, the pre-configured UA list mentioned above includes a list of UAs for gray and black market activities, which includes a list of UAs for TLS clients that use the network to carry out illegal and criminal activities.

[0092] It should be understood that gray and black market activities, also known as black and gray industries, generally refer to illegal and criminal activities conducted online, including telecommunications fraud, cyber theft, phishing website operation, hacker extortion, malware distribution, and data trafficking. These criminals may disguise or modify the User Agent (UA) of their TLS clients to bypass network security checks or simulate the behavior of legitimate users. Therefore, the UA list of gray and black market activities can be used as the pre-set UA list mentioned above.

[0093] Another example is that the UA list obtained from behavioral analysis could include a list of TLS clients with suspicious behavior identified through behavioral analysis. For instance, the list of TLS clients with suspicious behavior might include UAs that repeatedly trigger built-in protection rules of the TLS server (e.g., WAF) within a short period of time. Or, the list of TLS clients with suspicious behavior might include UAs that access a large number of non-existent directories within a short period of time (e.g., returning a 404 status code).

[0094] Step 320: Receive N requests from multiple TLS clients.

[0095] As an example, a TLS server can receive N requests from multiple TLS clients. For instance, the TLS server can receive N requests from multiple TLS clients over a period of time. Each request received by the TLS server contains a User-Agent (UA) field, which identifies the TLS client that issued the request.

[0096] For example, the information about the TLS client mentioned above may include, but is not limited to, the type, version, operating system, and device type of the TLS client.

[0097] For example, the above N requests could be N HTTP requests, where N is an integer greater than 1.

[0098] Step 330: Based on the value of the first UA, select M requests from N requests.

[0099] In this embodiment of the application, the value of the first UA in the UA list can be used as a filtering condition to select M requests from the N requests whose UA field value is the same as the value of the first UA. That is, the UA field value of each of the M requests is the same as the value of the first UA.

[0100] M is an integer greater than 1 and less than N.

[0101] Step 340: Add the P fingerprints of the TLS client that sent M requests to the fingerprint database.

[0102] In this embodiment of the application, after selecting the above M requests from N requests, the P fingerprints of the TLS client that sent the M requests can also be added to the fingerprint database.

[0103] This application does not specifically limit the type of the P fingerprints mentioned above. The fingerprints may include, but are not limited to, any of the following fingerprints: JA3 fingerprint, JA4 fingerprint, or HTTPS fingerprint.

[0104] Optionally, before performing step 340, P fingerprints of the TLS client that sent the M requests can also be obtained.

[0105] As an example, the fingerprint of the TLS client that sent the above M requests can be obtained by the TLS server.

[0106] It should be understood that before sending N requests, the aforementioned multiple TLS clients will send handshake messages to the TLS server respectively. The TLS server will generate a fingerprint corresponding to each TLS client based on the key fields in the handshake message sent by each TLS client, and store the fingerprint of each TLS client and the corresponding session identifier in the cache of the TLS server.

[0107] In one possible implementation, the TLS server can retrieve P fingerprints of the TLS client that sent the M requests from its cache, based on the session identifiers contained in the M requests.

[0108] Optionally, in some embodiments, a timestamp for each fingerprint can also be added to the fingerprint database, which refers to the time when each fingerprint was added to the fingerprint database.

[0109] For example, the timestamp corresponding to each of the P fingerprints can also be added to the fingerprint database. The timestamp corresponding to each of the P fingerprints refers to the time when each of the P fingerprints was added to the fingerprint database.

[0110] In the above technical solution, the UA value of a suspicious TLS client can be used to filter requests sent between multiple TLS clients and the TLS server. TLS clients whose UA field values ​​in the sent requests are the same as the UA values ​​of the suspicious TLS clients are selected, and the fingerprints of these TLS clients are automatically added to the fingerprint database. This reduces the cost of creating the fingerprint database and further ensures network security.

[0111] Optionally, in some embodiments, the P fingerprints can be further filtered to select target fingerprints, thereby further improving the accuracy of fingerprints added to the fingerprint database.

[0112] The following is a detailed description of the specific implementation process for selecting the target fingerprint from P fingerprints.

[0113] For example, based on the number of each fingerprint in the P fingerprints, G fingerprints that meet preset conditions can be selected from the P fingerprints, and the target fingerprint can be determined from the G fingerprints based on the number of source IPs of the TLS clients corresponding to each of the G fingerprints. Here, G is an integer greater than 1 and less than P.

[0114] For example, the above preset condition is to select fingerprints with a quantity of K from P fingerprints, and the G fingerprints are fingerprints with a quantity of Top K from P fingerprints.

[0115] It should be understood that K can be an integer greater than or equal to 1.

[0116] For example, if K equals 1, the above G fingerprints include one fingerprint.

[0117] Another example is that if K is an integer greater than 1, the above G fingerprints include at least two fingerprints.

[0118] Specifically, in this embodiment of the application, the above-mentioned G fingerprints can be used as filtering conditions. Based on the number of source IPs of TLS clients corresponding to each of the G fingerprints, a target fingerprint is selected from the G fingerprints. The number of source IPs of TLS clients corresponding to the target fingerprint is greater than a first preset threshold.

[0119] It should be understood that the number of source IPs of the TLS clients corresponding to each of the G fingerprints can also reflect the distribution of source IPs of the TLS clients corresponding to each of the G fingerprints.

[0120] For example, if the number of source IPs of the TLS client corresponding to fingerprint 1 in the G fingerprints is greater than the first preset threshold (that is, the source IPs of the TLS client corresponding to fingerprint 1 are relatively dispersed), it means that the probability of fingerprint 1 being forged is smaller. Therefore, fingerprint 1 in the G fingerprints can be used as the target fingerprint.

[0121] Optionally, if the G fingerprints include fingerprint 2, it can also be determined whether the number of source IPs of the TLS client corresponding to fingerprint 2 is greater than the first preset threshold. Assuming the number of source IPs of the TLS client corresponding to fingerprint 2 is greater than the first preset threshold, fingerprint 2 from the G fingerprints can also be used as the target fingerprint.

[0122] In one possible implementation, after selecting the target fingerprint from P fingerprints, the target fingerprint can be added to the fingerprint database.

[0123] In another possible implementation, after selecting the target fingerprint from P fingerprints, this target fingerprint can be used as a filtering condition to select Q requests from N requests, where the fingerprint of the TLS client sending the Q requests is the target fingerprint. If the number of requests in these Q requests where the value of the UA field is the same as the value of the first UA is greater than a second preset threshold, the target fingerprint is added to the fingerprint database.

[0124] It should be understood that the above describes the construction of a fingerprint database using the first UA in the UA list as the filtering condition. In this embodiment, the second UA can also be obtained from the UA list using the above method, and the fingerprints added to the fingerprint database can be determined using the second UA as the filtering condition according to the method described in Figure 3.

[0125] For example, in this embodiment of the application, after obtaining the second UA among multiple UAs, S requests can be selected from N requests based on the value of the second UA, where S is an integer less than N, the value of the UA field of each of the S requests is the same as the value of the second UA, and L fingerprints of the TLS client that sent the S requests are added to the fingerprint database, where L is an integer greater than 1.

[0126] Similarly, the fingerprints that need to be added to the fingerprint database can be selected from L fingerprints according to the method shown in Figure 3. For the specific process, please refer to the relevant description in Figure 3, which will not be repeated here.

[0127] In this embodiment of the application, after creating the aforementioned fingerprint database, a malicious client can be identified based on this database. For example, a handshake message sent by a target client can be received, and a fingerprint corresponding to the target client can be generated based on the handshake message. If the fingerprint database contains the fingerprint corresponding to the target client, the target client can be determined to be a malicious client.

[0128] Optionally, in some embodiments, identified malicious clients may also be processed to prevent the spread of malware or limit the access frequency of crawlers.

[0129] For example, once the target client is determined to be a malicious client, the actions that can be taken against the target client may include, but are not limited to, rate limiting, verification, and permission settings.

[0130] Optionally, in some embodiments, the fingerprints added to the fingerprint database can be updated, and old fingerprints in the fingerprint database can be automatically removed, so that the fingerprints retained in the fingerprint database are all the latest additions, thereby reducing the false alarm rate of the fingerprint database.

[0131] In one possible implementation, the timestamp corresponding to each fingerprint stored in the fingerprint database can be filtered, and fingerprints with timestamps less than a third preset threshold can be removed from the fingerprint database.

[0132] The methods provided by the embodiments of this application have been described in detail above with reference to Figures 1 to 3. The embodiments of the apparatus of this application will now be described in detail below with reference to Figures 4 to 7. It should be understood that the descriptions of the method embodiments correspond to the descriptions of the apparatus embodiments; therefore, any parts not described in detail can be referred to the preceding method embodiments.

[0133] Figure 4 is a schematic block diagram of a fingerprint database generation device 400 provided in an embodiment of this application. The device 400 can be implemented by software, hardware, or a combination of both. The device 400 provided in this embodiment can implement the method flow shown in Figure 3 of this embodiment. The device 400 includes: an acquisition module 410, a receiving module 420, a filtering module 430, and an adding module 440. The acquisition module 410 is used to acquire the first UA from a list of multiple UAs included in the user agent UA list. The UA list includes a pre-set UA list and a UA list obtained based on behavior analysis. The receiving module 420 is used to receive N requests sent by multiple TLS clients, wherein each of the N requests includes a UA field, and N is an integer greater than 1. The filtering module 430 is used to filter M requests from the N requests based on the value of the first UA, wherein M is an integer less than N, and the value of the UA field of each of the M requests is the same as the value of the first UA. The adding module 440 is used to add P fingerprints of the TLS clients that sent the M requests to the fingerprint database, wherein P is an integer greater than 1.

[0134] Optionally, the filtering module 430 is further configured to filter out a target fingerprint from the P fingerprints, wherein the number of source Internet Protocol IP addresses of the TLS client corresponding to the target fingerprint is greater than a first preset threshold; the adding module 440 is specifically configured to add the target fingerprint to the fingerprint database.

[0135] Optionally, the filtering module 430 is further configured to filter out Q requests from the N requests based on the target fingerprint, wherein the fingerprint of the TLS client that sent the Q requests is the target fingerprint; the adding module 440 is specifically configured to: determine that the number of requests in the Q requests whose UA field value is the same as the value of the first UA is greater than a second preset threshold, and add the target fingerprint to the fingerprint database.

[0136] Optionally, the adding module 440 is further configured to add the timestamp corresponding to each of the P fingerprints to the fingerprint database, wherein the timestamp corresponding to each of the P fingerprints is the time when each of the P fingerprints was added to the fingerprint database.

[0137] Optionally, the device 400 further includes a removal module, used to remove fingerprints whose timestamps are less than a third preset threshold from the fingerprint database based on the timestamp corresponding to each fingerprint in the fingerprint database.

[0138] Optionally, the acquisition module 410 is further configured to acquire the second UA among the multiple UAs included in the UA list; the filtering module 430 is further configured to filter out S requests from the N requests based on the value of the second UA, where S is an integer less than N, and the value of the UA field of each of the S requests is the same as the value of the second UA; the adding module 440 is further configured to add L fingerprints of the TLS client that sent the S requests to the fingerprint database, where L is an integer greater than 1.

[0139] Optionally, the receiving module 420 is further configured to receive a handshake message sent by the target client; the device 400 further includes a generation module and a determination module, wherein the generation module is configured to generate a fingerprint corresponding to the target client based on the handshake message; and the determination module is configured to determine that the target client is a malicious client if the fingerprint corresponding to the target client is included in the fingerprint database.

[0140] The device 400 here can be embodied in the form of a functional module. The term "module" here can be implemented in software and / or hardware, without specific limitations.

[0141] For example, a "module" can be a software program, a hardware circuit, or a combination of both that implements the above functions. For instance, the implementation of module 410 will be described below using module 410 as an example. Similarly, the implementation of other modules, such as receiving module 420, filtering module 430, adding module 440, removing module, generating module, and determining module, can refer to the implementation of module 410.

[0142] As an example of a software functional unit, the acquisition module 410 may include code running on a computing instance. The computing instance may include at least one of a physical host (computing device), a virtual machine, or a container. Further, the aforementioned computing instance may be one or more. For example, the acquisition module 410 may include code running on multiple hosts / virtual machines / containers. It should be noted that the multiple hosts / virtual machines / containers used to run the code may be distributed in the same region or in different regions. Further, the multiple hosts / virtual machines / containers used to run the code may be distributed in the same availability zone (AZ) or in different AZs, each AZ including one or more geographically proximate data centers. Typically, a region may include multiple AZs.

[0143] Similarly, multiple hosts / virtual machines / containers used to run this code can be distributed within the same Virtual Private Cloud (VPC) or across multiple VPCs. Typically, a VPC is set up within a region. Communication between two VPCs within the same region, as well as between VPCs in different regions, requires a communication gateway to be set up within each VPC to enable interconnection between VPCs.

[0144] As an example of a hardware functional unit, the acquisition module 410 may include at least one computing device, such as a server. Alternatively, the acquisition module 410 may also be a device implemented using an application-specific integrated circuit (ASIC) or a programmable logic device (PLD). The PLD may be implemented using a complex programmable logical device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL), or any combination thereof.

[0145] The multiple computing devices included in the acquisition module 410 can be distributed in the same region or in different regions. Similarly, the multiple computing devices included in the acquisition module 410 can be distributed in the same Availability Zone (AZ) or in different AZs. Likewise, the multiple computing devices included in the acquisition module 410 can be distributed in the same Virtual Private Cloud (VPC) or in multiple VPCs. These multiple computing devices can be any combination of computing devices such as servers, ASICs, PLDs, CPLDs, FPGAs, and GALs.

[0146] Therefore, the modules of the various examples described in the embodiments of this application can be implemented in electronic hardware, or a combination of computer software and electronic hardware. Whether these functions are implemented in hardware or software depends on the specific application and design constraints of the technical solution. Those skilled in the art can use different methods to implement the described functions for each specific application, but such implementation should not be considered beyond the scope of this application.

[0147] It should be noted that the above embodiments of the device, when executing the above methods, are only illustrative examples of the division of the above functional modules. In practical applications, the above functions can be assigned to different functional modules as needed, that is, the internal structure of the device can be divided into different functional modules to complete all or part of the functions described above. For example, the acquisition module 410 can be used to execute any step in the above methods, the receiving module 420 can be used to execute any step in the above methods, the filtering module 430 can be used to execute any step in the above methods, the adding module 440 can be used to execute any step in the above methods, the removing module can be used to execute any step in the above methods, the generating module can be used to execute any step in the above methods, and the determining module can be used to execute any step in the above methods. The steps implemented by the acquisition module 410, receiving module 420, filtering module 430, adding module 440, removing module, generating module, and determining module can be specified as needed. By implementing different steps in the above methods through the acquisition module 410, receiving module 420, filtering module 430, adding module 440, removing module, generating module, and determining module, all the functions of the above device can be realized.

[0148] Furthermore, the apparatus and method embodiments provided in the above embodiments belong to the same concept, and their specific implementation process can be found in the method embodiments above, which will not be repeated here.

[0149] The method provided in this application can be executed by a computing device, which can also be referred to as a computer system. It includes a hardware layer, an operating system layer running on top of the hardware layer, and an application layer running on the operating system layer. The hardware layer includes hardware such as processing units, memory, and memory control units; the functions and structure of this hardware will be described in detail later. The operating system can be any one or more computer operating systems that implement business processing through processes, such as Linux, Unix, Android, iOS, or Windows. The application layer includes applications such as browsers, address books, word processing software, and instant messaging software. Optionally, the computer system can be a handheld device such as a smartphone, or a terminal device such as a personal computer; this application does not particularly limit this, as long as the method provided in this application can be used. The executing entity of the method provided in this application can be a computing device, or a functional module within the computing device capable of calling and executing programs.

[0150] The following describes in detail a computing device provided in an embodiment of this application, with reference to Figure 5.

[0151] Figure 5 is a schematic diagram of the architecture of a computing device 1500 provided in an embodiment of this application. The computing device 1500 can be a server, a computer, or other device with computing capabilities. The computing device 1500 shown in Figure 5 includes at least one processor 1510 and a memory 1520.

[0152] It should be understood that this application does not limit the number of processors and memories in the computing device 1500.

[0153] The processor 1510 executes instructions in the memory 1520, causing the computing device 1500 to implement the method provided in this application. Alternatively, the processor 1510 executes instructions in the memory 1520, causing the computing device 1500 to implement the various functional modules provided in this application, thereby implementing the method provided in this application.

[0154] Optionally, the computing device 1500 also includes a communication interface 1530. The communication interface 1530 uses a transceiver module, such as, but not limited to, a network interface card or a transceiver, to enable communication between the computing device 1500 and other devices or communication networks.

[0155] Optionally, the computing device 1500 also includes a system bus 1540, wherein the processor 1510, memory 1520, and communication interface 1530 are respectively connected to the system bus 1540. The processor 1510 can access the memory 1520 through the system bus 1540; for example, the processor 1510 can perform data read / write or code execution in the memory 1520 through the system bus 1540. The system bus 1540 is a peripheral component interconnect express (PCI) bus or an extended industry standard architecture (EISA) bus, etc. The system bus 1540 is divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is used in Figure 5, but this does not mean that there is only one bus or one type of bus.

[0156] In one possible implementation, the processor 1510 primarily functions to interpret the instructions (or code) of a computer program and process data within the computer software. The instructions of the computer program and the data within the computer software can be stored in memory 1520 or cache 1516.

[0157] Optionally, processor 1510 may be an integrated circuit chip with signal processing capabilities. By way of example and not limitation, processor 1510 may be a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), or other programmable logic devices, discrete gate or transistor logic devices, or discrete hardware components. Among these, a general-purpose processor is a microprocessor, etc. For example, processor 1510 may be a central processing unit (CPU).

[0158] Optionally, each processor 1510 includes at least one processing unit 1512 and a memory control unit 1514.

[0159] Optionally, the processing unit 1512, also known as the core, is the most important component of the processor. The processing unit 1512 is manufactured from single-crystal silicon using a specific production process. All calculations, command reception, command storage, and data processing are performed by the core. Each processing unit independently executes program instructions, utilizing parallel computing capabilities to accelerate program execution. Various processing units have fixed logical structures; for example, a processing unit includes logical units such as a Level 1 cache, a Level 2 cache, an execution unit, an instruction-level unit, and a bus interface.

[0160] In one implementation example, the memory control unit 1514 controls the data interaction between the memory 1520 and the processing unit 1512. Specifically, the memory control unit 1514 receives memory access requests from the processing unit 1512 and controls access to memory based on the memory access requests. By way of example and not limitation, the memory control unit is a device such as a memory management unit (MMU).

[0161] In one implementation example, each memory control unit 1514 addresses the memory 1520 via the system bus. An arbitrator (not shown in Figure 5) is configured on the system bus to handle and coordinate contention for access by the multiple processing units 1512.

[0162] In one implementation example, the processing unit 1512 and the memory control unit 1514 are connected via internal chip connection lines, such as address lines, thereby enabling communication between the processing unit 1512 and the memory control unit 1514.

[0163] Optionally, each processor 1510 also includes a cache 1516, which is a buffer for data exchange (called a cache). When the processing unit 1512 needs to read data, it first looks for the required data in the cache. If the data is found, it is executed directly; otherwise, it looks for the data in memory. Since the cache operates much faster than memory, its purpose is to help the processing unit 1512 run faster.

[0164] The memory 1520 provides runtime space for processes in the computing device 1500. For example, the memory 1520 stores the computer program (specifically, the program code) used to generate the process. After the computer program is run by the processor to generate a process, the processor allocates corresponding storage space for the process in the memory 1520. Furthermore, the aforementioned storage space further includes text segments, initialized data segments, bit initialized data segments, stack segments, heap segments, etc. The memory 1520 stores data generated during the process's execution, such as intermediate data or process data, in the aforementioned process-specific storage space.

[0165] Optionally, the memory, also known as RAM, is used to temporarily store the data processed by the processor 1510, as well as data exchanged with external storage devices such as hard disks. As long as the computer is running, the processor 1510 will load the data that needs to be processed into RAM for processing, and after the processing is completed, the processing unit 1512 will send the result out.

[0166] By way of example and not limitation, memory 1520 is volatile memory or non-volatile memory, or may include both volatile and non-volatile memory. Non-volatile memory is read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), or flash memory. Volatile memory is random access memory (RAM) used as an external cache. By way of example, but not limitation, many forms of RAM are available, such as static random access memory (SRAM), dynamic random access memory (DRAM), synchronous dynamic random access memory (SDRAM), double data rate synchronous dynamic random access memory (DDR SDRAM), enhanced synchronous dynamic random access memory (ESDRAM), synchronous linked dynamic random access memory (SLDRAM), and direct rambus RAM (DR RAM). It should be noted that the memory 1520 of the systems and methods described herein is intended to include, but is not limited to, these and any other suitable types of memory.

[0167] The structure of the computing device 1500 listed above is merely illustrative and is not limited thereto. The computing device 1500 in this application includes various hardware components in existing computer systems. For example, the computing device 1500 also includes other memories besides memory 1520, such as disk storage. Those skilled in the art should understand that the computing device 1500 may also include other devices necessary for normal operation. Furthermore, depending on specific needs, those skilled in the art should understand that the computing device 1500 may also include hardware devices for implementing other additional functions. In addition, those skilled in the art should understand that the computing device 1500 may only include the devices necessary for implementing the embodiments of this application, and not necessarily all the devices shown in FIG. 5.

[0168] This application also provides a computing device cluster. The computing device cluster includes at least one computing device. The computing device may be a server. In some embodiments, the computing device may also be a desktop computer, a laptop computer, or a smartphone, or other terminal device.

[0169] As shown in Figure 6, the computing device cluster includes at least one computing device 1500. The memory 1520 of one or more computing devices 1500 in the computing device cluster may store the same instructions for performing the above-described methods.

[0170] In some possible implementations, the memory 1520 of one or more computing devices 1500 in the computing device cluster may also each store a portion of the instructions for executing the above-described methods. In other words, a combination of one or more computing devices 1500 can jointly execute the instructions of the above-described methods.

[0171] It should be noted that the memory 1520 in different computing devices 1500 within the computing device cluster can store different instructions, each used to execute a portion of the functions of the aforementioned device. That is, the instructions stored in the memory 1520 of different computing devices 1500 can implement the functions of one or more modules within the aforementioned device.

[0172] In some possible implementations, one or more computing devices in a computing device cluster can be connected via a network. This network can be a wide area network (WAN) or a local area network (LAN), etc. Figure 7 illustrates one possible implementation. As shown in Figure 7, two computing devices, 1500A and 1500B, are connected via a network. Specifically, they are connected to the network through communication interfaces in each computing device.

[0173] It should be understood that the functions of computing device 1500A shown in Figure 7 can also be performed by multiple computing devices 1500. Similarly, the functions of computing device 1500B can also be performed by multiple computing devices 1500.

[0174] In this embodiment, a computer program product containing instructions is also provided. The computer program product may be a software or program product containing instructions capable of running on a computing device or stored on any usable medium. When run on a computing device, it causes the computing device to perform the methods provided above, or causes the computing device to perform the functions of the apparatus provided above.

[0175] In this embodiment, a computer-readable storage medium is also provided. This computer-readable storage medium can be any available medium that a computing device can store, or a data storage device such as a data center containing one or more available media. The available medium can be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., solid-state drive). The computer-readable storage medium includes instructions that, when executed on a computing device, cause the computing device to perform the method described above.

[0176] It should be understood that in the various embodiments of this application, the order of the above-mentioned processes does not imply the order of execution. The execution order of each process should be determined by its function and internal logic, and should not constitute any limitation on the implementation process of the embodiments of this application.

[0177] Those skilled in the art will recognize that the units and algorithm steps of the various examples described in conjunction with the embodiments disclosed herein can be implemented in electronic hardware, or a combination of computer software and electronic hardware. Whether these functions are implemented in hardware or software depends on the specific application and design constraints of the technical solution. Those skilled in the art can use different methods to implement the described functions for each specific application, but such implementation should not be considered beyond the scope of this application.

[0178] Those skilled in the art will understand that, for the sake of convenience and brevity, the specific working processes of the systems, devices, and units described above can be referred to the corresponding processes in the foregoing method embodiments, and will not be repeated here.

[0179] In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatuses, and methods can be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; for instance, the division of units is only a logical functional division, and in actual implementation, there may be other division methods. For example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the coupling or direct coupling or communication connection shown or discussed may be through some interfaces; the indirect coupling or communication connection between apparatuses or units may be electrical, mechanical, or other forms.

[0180] The units described as separate components may or may not be physically separate. The components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units can be selected to achieve the purpose of this embodiment according to actual needs.

[0181] In addition, the functional units in the various embodiments of this application can be integrated into one processing unit, or each unit can exist physically separately, or two or more units can be integrated into one unit.

[0182] If the aforementioned functions are implemented as software functional units and sold or used as independent products, they can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application, in essence, or the part that contributes to the prior art, or a portion of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of this application. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, portable hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.

[0183] The above description is merely a specific embodiment of this application, but the scope of protection of this application is not limited thereto. Any variations or substitutions that can be easily conceived by those skilled in the art within the scope of the technology disclosed in this application should be included within the scope of protection of this application. Therefore, the scope of protection of this application should be determined by the scope of the claims.

Claims

1. A method for generating a fingerprint database, characterized in that, The method is executed by a Transport Layer Security (TLS) server, and the method includes: Obtain the first UA from a list of multiple UAs included in the user agent UA list, wherein the UA list includes a pre-set UA list and a UA list obtained based on behavior analysis; Receive N requests sent by multiple TLS clients, wherein each of the N requests includes a UA field, and N is an integer greater than 1; Based on the value of the first UA, M requests are selected from the N requests, where M is a positive integer less than N, and the value of the UA field of each of the M requests is the same as the value of the first UA. Add P fingerprints of the TLS clients that sent the M requests to the fingerprint database, where P is an integer greater than 1.

2. The method according to claim 1, characterized in that, The method further includes: Target fingerprints are selected from the P fingerprints, wherein the number of source Internet Protocol IP addresses of the TLS client corresponding to the target fingerprint is greater than a first preset threshold; Adding the P fingerprints of the TLS client that sent the M requests to the fingerprint database includes: Add the target fingerprint to the fingerprint database.

3. The method according to claim 2, characterized in that, The method further includes: Based on the target fingerprint, Q requests are selected from the N requests, wherein the fingerprint of the TLS client that sent the Q requests is the target fingerprint; Adding the target fingerprint to the fingerprint database includes: If the number of requests in the Q requests whose UA field value is the same as the value of the first UA is greater than a second preset threshold, the target fingerprint is added to the fingerprint database.

4. The method according to any one of claims 1 to 3, characterized in that, The method further includes: The timestamp corresponding to each of the P fingerprints is added to the fingerprint database, wherein the timestamp corresponding to each of the P fingerprints is the time when each of the P fingerprints is added to the fingerprint database.

5. The method according to any one of claims 1 to 4, characterized in that, The method further includes: Based on the timestamp corresponding to each fingerprint in the fingerprint database, fingerprints with timestamps less than a third preset threshold are removed from the fingerprint database.

6. The method according to any one of claims 1 to 5, characterized in that, The method further includes: Obtain the second UA from the multiple UAs included in the UA list; Based on the value of the second UA, S requests are selected from the N requests, where S is a positive integer less than N, and the value of the UA field of each of the S requests is the same as the value of the second UA; Add L fingerprints of the TLS client that sent the S requests to the fingerprint database, where L is an integer greater than 1.

7. The method according to any one of claims 1 to 6, characterized in that, The method further includes: Receive handshake messages sent by the target client; Based on the handshake message, a fingerprint corresponding to the target client is generated; If the fingerprint database contains the fingerprint corresponding to the target client, the target client is determined to be a malicious client.

8. An apparatus for generating a fingerprint database, characterized in that, The device includes: The acquisition module is used to acquire the first UA among multiple UAs included in the user agent UA list, wherein the UA list includes a pre-set UA list and a UA list obtained based on behavior analysis; The receiving module is used to receive N requests sent by multiple TLS clients, wherein each of the N requests includes a UA field, and N is an integer greater than 1; The filtering module is used to filter out M requests from the N requests based on the value of the first UA, where M is a positive integer less than N, and the value of the UA field of each of the M requests is the same as the value of the first UA. An addition module is provided to add P fingerprints of the TLS clients that send the M requests to the fingerprint database, where P is an integer greater than 1.

9. The apparatus according to claim 8, characterized in that, The filtering module is further configured to filter out a target fingerprint from the P fingerprints, wherein the number of source Internet Protocol IP addresses of the TLS client corresponding to the target fingerprint is greater than a first preset threshold. The added module is specifically used for: Add the target fingerprint to the fingerprint database.

10. The apparatus according to claim 9, characterized in that, The filtering module is further configured to filter out Q requests from the N requests based on the target fingerprint, wherein the fingerprint of the TLS client that sends the Q requests is the target fingerprint; The added module is specifically used for: If the number of requests in the Q requests whose UA field value is the same as the value of the first UA is greater than a second preset threshold, the target fingerprint is added to the fingerprint database.

11. The apparatus according to any one of claims 8 to 10, characterized in that, The adding module is further configured to add the timestamp corresponding to each of the P fingerprints to the fingerprint database, wherein the timestamp corresponding to each of the P fingerprints is the time when each of the P fingerprints was added to the fingerprint database.

12. The apparatus according to any one of claims 8 to 11, characterized in that, The device further includes: The removal module is used to remove fingerprints whose timestamps are less than a third preset threshold from the fingerprint database, based on the timestamp corresponding to each fingerprint in the fingerprint database.

13. The apparatus according to any one of claims 8 to 12, characterized in that, The acquisition module is further configured to acquire the second UA among the multiple UAs included in the UA list; The filtering module is further configured to filter out S requests from the N requests based on the value of the second UA, where S is a positive integer less than N, and the value of the UA field of each of the S requests is the same as the value of the second UA. The adding module is further configured to add L fingerprints of the TLS client that sent the S requests to the fingerprint database, where L is an integer greater than 1.

14. The apparatus according to any one of claims 8 to 13, characterized in that, The receiving module is also used to receive handshake messages sent by the target client; The device further includes: The generation module is used to generate a fingerprint corresponding to the target client based on the handshake message; The determination module is used to determine that the target client is a malicious client if the fingerprint database contains a fingerprint corresponding to the target client.

15. A computing device cluster, characterized in that, It includes at least one computing device, each computing device including a processor and memory; The processor of the at least one computing device is configured to execute instructions stored in the memory of the at least one computing device to cause the cluster of computing devices to perform the method as described in any one of claims 1 to 7.

16. A computer program product containing instructions, characterized in that, When the instruction is executed by the computing device cluster, the computing device cluster performs the method as described in any one of claims 1 to 7.

17. A computer-readable storage medium, characterized in that, It includes computer program instructions, which, when executed by a cluster of computing devices, perform the method as described in any one of claims 1 to 7.