CN107222471B - Identification method and identification system for non-manual brushing function interface - Google Patents

Info

Publication number: CN107222471B (also published as CN107222471A)
Application number: CN201710382656.8A
Authority: CN (China)
Language: Chinese (zh)
Legal status: Active
Inventor: 承复明
Original and current assignee: Weimeng Chuangke Network Technology China Co Ltd
Prior art keywords: value, function interface, server, manual, calling parameter

Classifications

    • H04L63/1441 Countermeasures against malicious traffic (H04L63/14: network architectures or protocols for detecting or protecting against malicious traffic)
    • H04L63/1425 Traffic logging, e.g. anomaly detection (H04L63/1408: detecting or protecting against malicious traffic by monitoring network traffic)
Abstract

The embodiment of the invention provides an identification method and an identification system for a non-manual brushing function interface (a function interface called in bulk by scripts rather than by people). The identification method comprises the following steps: in the server, adding or modifying the value of the set calling parameter of the set function interface, so that instead of the first value alone the server accepts both the first value and a second value and responds to a request to call the function interface whose set calling parameter carries either the first value or the second value; in the client, modifying the first value of the set calling parameter of the request to call the function interface into the second value, so that a user who sends the request through the client carries the second value; and analysing the value of the set calling parameter in the server log to determine whether the source of the request that called the function interface is a non-manual brushing behaviour. The non-manual brushing behaviour is thereby identified actively, and the method is fast and efficient.

Description

Identification method and identification system for non-manual brushing function interface
Technical Field
The invention relates to the technical field of network security protection, in particular to a method and a system for identifying a non-manual brushing function interface.
Background
With the development of network technology more and more network services appear, and network evaluations (ratings, reviews and similar feedback) give users a certain degree of guidance and reference. However, because hackers brush websites non-manually through abnormal accounts, the authenticity of such evaluations is seriously affected.
Existing methods for the problem of hackers brushing websites non-manually generally fall into two categories: identifying access behaviour through server control, and identifying it through the Web application program.
Server control identification has two parts: a server control section and a log analysis recognition section. The server control section mainly implements packet filtering by processing traffic messages, for example limiting the number and frequency of accesses by a single account or a single IP to a website function through the system's iptables or an external IPS/IDS device.
For example, the account limit caps the number of accesses per second by a single account at a fixed value, and requests exceeding that limit are dropped directly. The IP limit allows a single IP address to access a fixed number of accounts per second, and account access requests exceeding that frequency experience delayed access. The specific implementation differs; taking iptables as an example, it can be realised with the following settings:
limiting the number of accesses of a single account:
# rate-limited logging of inbound ICMP (3 log entries per second)
iptables -A INPUT -p icmp -m limit --limit 3/s -j LOG --log-level INFO --log-prefix "ICMP packet IN: "
# send every new TCP connection attempt (SYN) through the syn-flood chain
iptables -N syn-flood
iptables -A INPUT -p tcp --syn -j syn-flood
# allow 3 new connections per second with a burst of 6; reject the rest
iptables -I syn-flood -p tcp -m limit --limit 3/s --limit-burst 6 -j RETURN
iptables -A syn-flood -j REJECT
limiting the access frequency of a single IP:
# reject a single source IP (/32 mask) that holds more than 50 connections to port 80 or 443
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 50 --connlimit-mask 32 -j REJECT --reject-with icmp-port-unreachable
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 50 --connlimit-mask 32 -j REJECT --reject-with icmp-port-unreachable
The interception logs produced by the server control section are then analysed: accounts and IPs whose access counts or frequencies are excessive are counted, and, according to certain strategies, those accounts and IPs are defined as sources of non-manual brushing of the function interface.
However, although the existing technology of identifying and blocking non-manual brushing by server control can identify and block part of it, it cannot meet the requirement of efficient identification in terms of implementation cost and effect, and has the following main disadvantages:
First: frequency-limiting the egress IP is in effect a blunt cut-off. It seriously degrades the user's function experience, the interception directly causes collateral damage to normal users, and the problems of false positives and false negatives remain unsolved.
Second: a large number of matching rules must be written for interception; writing them involves uncertainty, setting the thresholds needs a great deal of practical experience and samples, and the effective recognition rate is low.
Third: the process of intercepting behaviour and then analysing logs is passive perception, and hackers can easily exploit the matching rules to carry out DoS against the function interfaces, or bypass them.
In the second scheme, the Web application program identifies non-manual brushing of the function interface by analysing the application-layer user's HTTP request data (URL, parameters, cookies, headers, request entity and the like).
The Web application firewall can verify the requester's Referer header and cookie, and by setting a different referer or cookie for each function interface it can identify some non-manual behaviour. An example of how the Web application identifies non-manual brushing of a function interface through the referer is as follows:
www.example.com -> referer: null
login.example.com -> referer: www.example.com
login.example.com/auth.ext -> referer: login.example.com
login.example.com/secussed.ext -> referer: login.example.com/auth.ext
Because the referer sent by a script or brushing tool basically stays unchanged, whereas manual operation reaches each page interface step by step from the preceding page, the referer carried by a page interface changes according to which page came before it. The Web application judges whether the referer carried this time corresponds to the page actually visited last, and thereby whether the request is a normal user operation. In this way, the different referers can be used to identify whether the function interface is being accessed by manual operation.
Similarly, the Web application can identify non-manual brushing of the interface through a different cookie, where each next cookie is generated from the previous cookie. An example is as follows:
www.example.com->cookie1
login.example.com->cookie2
login.example.com/auth.ext->cookie3
login.example.com/secussed.ext->cookie4
Whether the function interface behaviour is manual operation or non-manual brushing is then determined by comparing the relation between the current cookie and the previous cookie.
Although the control and verification functions of the Web application are powerful, there are some unavoidable disadvantages.
First: user experience is greatly reduced; a user can only operate step by step, which reduces the point of having a function interface at all.
Second: although the operation flow becomes more complicated, because this is passive defence a script tool can still simulate the behaviour of a normal user by issuing the sequence of requests that a manual operation would make, and identifying in the background whether an operation is manual remains a challenge.
Third: the burden on the server increases, because a function that originally needed only a single interface call now requires multiple rounds of request verification. For sites serving a high volume of requests the resource pressure is great.
Therefore, a method for quickly and effectively identifying a non-manual brushing function interface is needed.
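The referer-chain and cookie-chain checks that the background section describes for the Web application scheme, as an added example that is not part of the patent. The page names come from the page's own example; the server-side session state, the HMAC-based derivation of each cookie from the previous one, and all function and variable names are assumptions made here for illustration.

```python
"""Referer-chain and cookie-chain verification (added example, not from the patent)."""
import hashlib
import hmac

# Expected predecessor page for each step of the flow, taken from the page's example.
# None means the entry page is expected to carry no referer. Insertion order is the flow order.
EXPECTED_REFERER = {
    "www.example.com": None,
    "login.example.com": "www.example.com",
    "login.example.com/auth.ext": "login.example.com",
    "login.example.com/secussed.ext": "login.example.com/auth.ext",
}

# Constructed demo key (assumption); a real deployment keeps it secret and rotates it.
SERVER_KEY = b"constructed-demo-key"


def next_cookie(prev_cookie: str, page: str) -> str:
    """Derive the cookie for `page` from the previous step's cookie (assumed HMAC chain)."""
    msg = f"{prev_cookie}|{page}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


class ChainVerifier:
    """Server-side state: the last cookie issued to each session (assumed design)."""

    def __init__(self) -> None:
        self.last_issued: dict[str, str] = {}

    def serve(self, session: str, page: str, referer, presented_cookie):
        """Return (verdict, cookie_to_set). The entry page starts a fresh chain;
        every later page must carry the expected referer and the cookie issued last."""
        if page not in EXPECTED_REFERER:
            return "unknown-page", None
        referer_ok = EXPECTED_REFERER[page] == referer
        if EXPECTED_REFERER[page] is None:
            prev, cookie_ok = "", True  # entry page: nothing to compare yet
        else:
            prev = self.last_issued.get(session)
            cookie_ok = prev is not None and hmac.compare_digest(prev, presented_cookie or "")
        verdict = "manual" if referer_ok and cookie_ok else "non-manual"
        if verdict != "manual":
            return verdict, None
        new_cookie = next_cookie(prev, page)  # next cookie generated from the previous one
        self.last_issued[session] = new_cookie
        return verdict, new_cookie


def walk_manual_flow() -> list:
    """A user stepping through the four pages in order; returns the per-step verdicts."""
    verifier = ChainVerifier()
    verdicts, referer, cookie = [], None, None
    for page in EXPECTED_REFERER:
        verdict, cookie = verifier.serve("s1", page, referer, cookie)
        verdicts.append(verdict)
        referer = page  # a browser's next referer is the page just visited
    return verdicts


def walk_script_flow() -> list:
    """A script with a fixed referer and a cookie captured once, as the text describes."""
    verifier = ChainVerifier()
    verdict, captured = verifier.serve("s2", "www.example.com", None, None)
    verdicts = [verdict]
    for page in list(EXPECTED_REFERER)[1:]:
        verdict, _ = verifier.serve("s2", page, "www.example.com", captured)
        verdicts.append(verdict)
    return verdicts


if __name__ == "__main__":
    print("manual flow:", walk_manual_flow())
    print("script flow:", walk_script_flow())
```

The script's second request still passes (its fixed referer and captured cookie happen to be the right ones for that step), which is exactly the page's point that a replaying tool is caught only once the chain diverges, and only at the cost of forcing real users through every step.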
Disclosure of Invention
The embodiment of the invention provides a method and a system for identifying a non-manual brushing function interface, which can quickly and effectively identify non-manual brushing of a function interface.
In one aspect, an embodiment of the present invention provides an identification method for a non-manual brushing function interface, where the identification method includes:
in the server, adding or modifying the value of the set calling parameter of the set function interface, so that instead of the first value alone both the first value and a second value are accepted, and the server responds to a request to call the function interface whose set calling parameter carries either the first value or the second value;
in the client, modifying the first value of the set calling parameter of the request to call the function interface into the second value, so that a user who sends the request through the client carries the second value;
analysing the value of the set calling parameter in the server log and determining whether the source of the request that called the function interface is a non-manual brushing behaviour, where the server log stores, for each request the server responded to, the set calling parameter and the requester information carried by that request.
Optionally, determining whether the source of the request corresponding to the value of the set calling parameter is a non-manual brushing behaviour specifically includes:
if the value of the set calling parameter in the server log is the first value, determining that the source of the corresponding request is a non-manual brushing behaviour;
and if the value of the set calling parameter in the server log is the second value, determining that the source of the corresponding request is a manual operation behaviour.
Optionally, the identification method further includes:
after determining that the source of the request corresponding to the value of the set calling parameter is a non-manual brushing behaviour, tracing it according to the requester information of that request, and determining the account number and/or IP address behind the non-manual brushing;
and banning the non-manual brushing behaviours in batches according to those account numbers and/or IP addresses.
Optionally, the identification method further includes:
replacing the set function interface and the corresponding value of the set calling parameter at irregular intervals.
Optionally, the set function interface and the value of the set calling parameter are covertly modified or added in advance in the server background, and the corresponding set function interface and value of the set calling parameter are covertly modified in advance in the client background.
The technical scheme has the following beneficial effects: the value of the set calling parameter of the set function interface is added or modified in the server, the value of the set calling parameter in the client's request is modified, and the value carried by the non-manual brushing requests does not change, so the change is initiated actively by the site, and whether the source of a request is a non-manual brushing behaviour can be determined accurately, quickly and effectively from the value of the set calling parameter in the server log.
In another aspect, an embodiment of the present invention provides an identification system for a non-manual brushing function interface, where the identification system includes:
a server changing unit, used for adding or modifying the value of the set calling parameter of the set function interface in the server, so that instead of the first value alone both the first value and a second value are accepted, and the server responds to a request to call the function interface whose set calling parameter carries either the first value or the second value;
a client changing unit, used for modifying the first value of the set calling parameter of the request to call the function interface into the second value in the client, so that a user who sends the request through the client carries the second value;
and an analysis unit, used for analysing the value of the set calling parameter in the server log and determining whether the source of the request that called the function interface is a non-manual brushing behaviour, where the server log stores, for each request the server responded to, the set calling parameter and the requester information carried by that request.
Optionally, the analysis unit is specifically configured to determine that the source of the corresponding request is a non-manual brushing behaviour if the value of the set calling parameter in the server log is the first value, and to determine that the source of the corresponding request is a manual operation behaviour if the value is the second value.
Optionally, the identification system further includes:
a tracking unit, connected to the analysis unit and used, after the source of a request has been determined to be a non-manual brushing behaviour, for tracing it according to the requester information of that request and determining the account number and/or IP address behind the non-manual brushing;
and a banning unit, connected to the tracking unit and used for banning the non-manual brushing behaviours in batches according to those account numbers and/or IP addresses.
Optionally, the identification system further includes:
a replacing unit, connected to the server changing unit and to the client changing unit respectively, and used for replacing the set function interface and the corresponding value of the set calling parameter at irregular intervals.
Optionally, the server changing unit covertly modifies or adds the set function interface and the value of the set calling parameter in the server background in advance, and the client changing unit covertly modifies the corresponding set function interface and value of the set calling parameter in the client background in advance.
The technical scheme has the following beneficial effects: the invention provides a server changing unit, a client changing unit and an analysis unit; the value of the set calling parameter of the set function interface is added or modified in the server, the value of the set calling parameter in the client's request is modified, and the value carried by the non-manual brushing requests does not change, so the change is initiated actively by the site, and whether the source of a request is a non-manual brushing behaviour can be determined accurately, quickly and effectively from the value of the set calling parameter in the server log.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is a flowchart of a method for identifying a non-manual brushing function interface according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of the unit structure of an identification system for a non-manual brushing function interface according to an embodiment of the present invention.
Description of the reference symbols:
server 1, client 2, server log 3, server changing unit 4, client changing unit 5, analysis unit 6, tracking unit 7, banning unit 8.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The invention aims to provide a method for identifying a non-manual brushing function interface. It adds or modifies the value of the set calling parameter of the set function interface in the server and modifies the value of the set calling parameter of the request that calls the function interface in the client; because the value carried by the non-manual brushing requests does not change, the change is initiated actively by the site, and whether the source of a request is a non-manual brushing behaviour can be determined accurately, quickly and effectively from the value of the set calling parameter in the server log.
Function interface: an interface provided by the site side for users to realise a certain function; the user realises functions such as viewing, commenting and other operations by calling the function interface.
Non-manual brushing of a function interface, or non-manual site brushing (also rendered as "swiping" or "refreshing" elsewhere in this text): a hacker uses a large number of accounts, through technologies such as batch-management script tools and network proxies, to carry out batch operations on a certain function or activity, so that one person controls many accounts and achieves site brushing by simulating the manual operation of normal users.
In order to make the aforementioned objects, features and advantages of the present invention comprehensible, embodiments accompanied with figures are described in further detail below.
As shown in FIG. 1, the method for identifying a non-manual brushing function interface of the present invention includes:
Step 100: in the server, adding or modifying the value of the set calling parameter of the set function interface, so that instead of the first value alone both the first value and a second value are accepted, and the server responds to a request to call the function interface whose set calling parameter carries either the first value or the second value.
Step 200: in the client, modifying the first value of the set calling parameter of the request to call the function interface into the second value, so that a user who sends the request through the client carries the second value.
Step 300: analysing the value of the set calling parameter in the server log and determining whether the source of the request that called the function interface is a non-manual brushing behaviour, where the server log stores, for each request the server responded to, the set calling parameter and the requester information carried by that request.
Step 400: after determining that the source of the request corresponding to the value of the set calling parameter is a non-manual brushing behaviour, tracing it according to the requester information of that request, and determining the account number and/or IP address behind the non-manual brushing.
Step 500: banning the non-manual brushing behaviours in batches according to those account numbers and/or IP addresses.
Since website accounts can at present only be registered with real-name mobile phone numbers, and large numbers of repeated registrations are not allowed, banning the traced hacker accounts and/or IP addresses in batches fundamentally reduces the network security threat and is a particularly heavy blow to site-brushing behaviour.
Furthermore, the set function interface and the value of the set calling parameter are covertly modified or added in advance in the server background, and the corresponding set function interface and value of the set calling parameter are covertly modified in advance in the client background.
In step 300, determining whether the source of the request corresponding to the value of the set calling parameter is a non-manual brushing behaviour specifically includes:
if the value of the set calling parameter in the server log is the first value, determining that the source of the corresponding request is a non-manual brushing behaviour;
and if the value of the set calling parameter in the server log is the second value, determining that the source of the corresponding request is a manual operation behaviour.
Since the logic of a script tool is fixed and the interface it requests is also fixed, a hacker will first encapsulate the target interface to be brushed into the script tool and then sell it to downstream users through the black-market chain. At this point the site side actively modifies the value of the set calling parameter in the set function interface, changing the first value into the second value, while ensuring that the original first value can still be accessed normally; under these conditions the logic and parameter values inside the script tool will not easily be changed. The site's active modification of the parameter value is only discovered once the script tool stops working. In this way, the parameter transmitted during batch brushing of the function interface is still the value set previously, and the result obtained is the same as expected, while normal user operation transmits the modified parameter value. Through steps 100 to 500, manual operation and non-manual brushing of the function interface can be accurately distinguished, and network security is improved.
Because the interface parameters are modified in the background of the server or the client, a normal user need not change anything: the interface with the modified parameter is loaded automatically by the client, returns a normal result, and the normal user notices nothing. For example, for a microblog "like", the user does not need to know the specific parameters of the "like" interface; if the server-side parameters change, the user is not required to change anything, since all changes happen in the background. The function interface in the hacker's script tool, however, is written in advance and does not automatically change the interface parameters of the request.
Although the returned results of the manual and non-manual processes are the same, the transmitted parameter values differ. The non-manual brushing behaviour (that is, script brushing) can therefore be identified from the different parameter values carried by the requests when the server-side log is analysed, and the account numbers and/or IP addresses behind the non-manual brushing can be learned by further tracing the requester information.
In practice, the parameters of the function interface need to be adjusted continually for the best effect, so the method for identifying a non-manual brushing function interface further includes replacing the set function interface and the corresponding value of the set calling parameter at irregular intervals and repeating steps 100 to 500.
This identification method differs from traditional identification in that it swaps the attacking and defending ends. The traditional anti-brushing scheme applies various technologies and combines various strategies to prevent brushing passively; its advantage is that it is deployed once and stays effective long-term. In response, hackers continually refine their scripts to bypass the constraints of those policies and technologies, and a static defence scheme can always be overcome eventually. The results of the traditional scheme still show various false alarms and misses, which greatly reduces its effect. The invention instead acts proactively: without the hacker being aware of it, the site-brushing behaviour that the script tool simulates in bulk as normal user operation is successfully identified, and the batch of account IDs the hacker controls and the network proxy IPs used are fully exposed to the site. The site is no longer a static scheme for the hacker to analyse and attack; it continually changes its own strategy and actively identifies and defends against the hacker's non-manual brushing of the function interface.
Taking the recognition of whether a microblog "like" is a normal user operation or brushing by a script tool as an example:
First step: locate the "like" interface on the server:
http://weibo.com/aj/v6/like/add?ajwvr=6&loc=profile&location=page_100505_home&mid=4067200547501908&qid=heart&version=mini
(This interface takes its parameters by POST and the backend verifies the referer and the cookie; for ease of writing it is shown here in GET form.) This is an interface that a script can encapsulate. Among its parameters is the set calling parameter ajwvr=6. In the server background the value of this set calling parameter is modified to ajwvr=7, so that the interface becomes:
http://weibo.com/aj/v6/like/add?ajwvr=7&loc=profile&location=page_100505_home&mid=4067200547501908&qid=heart&version=mini
A request with ajwvr=7 returns its content normally, while the original parameter value ajwvr=6 is kept working as well.
Second step: in the client, change the value of the set calling parameter transmitted by the POST request to the "like" interface to ajwvr=7, so that the interface requested when a normal user clicks "like" on the web page becomes:
http://weibo.com/aj/v6/like/add?ajwvr=7&loc=profile&location=page_100505_home&mid=4067200547501908&qid=heart&version=mini
At this time the value of the calling parameter ajwvr carried by the request that the script tool sends is still ajwvr=6 (since the request the script sends was packaged in advance, its value remains ajwvr=6), rather than the value of the interface requested when a user clicks "like" manually on the web page; the request sent by the script is:
http://weibo.com/aj/v6/like/add?ajwvr=6&loc=profile&location=page_100505_home&mid=4067200547501908&qid=heart&version=mini
Third step: a hacker uses a script to drive 10,000 accounts under his control, carrying the hacker's cookies and a fixed referer, to simulate normal users liking a target 10,000 times from different IP addresses and at different times. The returned result is as expected and the likes succeed. Normal users who click and call the interface also succeed. The script's likes look no different from an ordinary user's likes, and the hacker's likes succeed.
Fourth step: analyse the server log; determine that the likes whose parameter is ajwvr=6 were brushed by the script, trace the requester information of the corresponding like requests, and determine the account numbers and/or IP addresses behind the non-manual brushing.
Fifth step: ban the non-manual brushing behaviours in batches according to those account numbers and/or IP addresses.
Sixth step: replace the set function interface and the corresponding value of the set calling parameter at irregular intervals, and repeat the steps above. Because repeated use of the method may be discovered, a hacker only needs to update the interface parameter values in his script to defeat it; at that point the above steps have to be repeated, and the set function interface and the corresponding value of the set calling parameter are changed irregularly. The replacement interface and parameter values are set covertly in the background in advance.
The invention identifies whether the calling function interface is manually operated or is in a station-refreshing action by dynamically and secretly setting some special marks, thereby correctly identifying the non-manual function interface action. The method adopts an active, hidden and dynamic technical means to set the special identification in advance so that the operation behavior of the hacker script tool is accurately exposed in log analysis, thereby accurately identifying the behavior of non-manual refreshing of the functional interface, providing a powerful basis for the station side to accurately take the next action, and having beneficial effects on the safety of the station side, particularly the refreshing prevention of the functional interface.
In addition, the invention also provides an identification system for the non-manual brushing function interface, which can quickly and effectively identify non-manual brushing of a function interface. As shown in fig. 2, the identification system of the non-manual function-refreshing interface of the present invention includes a server changing unit 4, a client changing unit 5, an analysis unit 6, a tracking unit 7 and a sealing and killing unit 8.
The server changing unit 4 is connected to the server 1 and is configured to add or modify the value of a set calling parameter of a set function interface in the server 1, replacing the single first value with a first value and a second value, so that the server 1 can respond to a request for calling the function interface whose set calling parameter value is either the first value or the second value.
The client changing unit 5 is connected to the client 2 and is configured to modify, in the client 2, the first value of the set calling parameter of the request for calling the function interface into the second value, so that a user sends a call function interface request carrying the set calling parameter value as the second value to the server 1 through the client 2.
The analysis unit 6 is connected to the server log 3 and is configured to analyze the value of the set calling parameter in the server log 3 and determine whether the source of the function interface request corresponding to that value is a non-manual function interface refreshing behavior, where the server log 3 stores the set calling parameter and the requester information carried in each function interface request that the server 1 responded to.
The analysis unit 6 is specifically configured to determine, if the value of the set calling parameter in the server log 3 is the first value, that the source of the function interface request corresponding to the first value is a non-manual function interface refreshing behavior; and, if the value of the set calling parameter in the server log 3 is the second value, to determine that the source of the function interface request corresponding to the second value is a manual operation behavior.
The tracking unit 7 is connected to the analysis unit 6 and is configured, after it has been determined that the source of the function interface request corresponding to the value of the set calling parameter is a non-manual function interface brushing behavior, to track according to the requester information of the corresponding call function interface request and determine the account number and/or IP address of the non-manual function interface brushing.
The sealing and killing unit 8 is connected to the tracking unit 7 and is configured to seal and kill the non-manual brushing function interface behaviors in batches according to the account number and/or IP address of the non-manual brushing.
In addition, the system for identifying the non-manual brushing function interface also comprises a replacing unit, which is connected to the server changing unit 4 and the client changing unit 5 respectively and is configured to replace the set function interface and the corresponding value of the set calling parameter at irregular times.
Furthermore, the server changing unit 4 covertly modifies or adds the set function interface and the value of the set calling parameter in the server background in advance, and the client changing unit 5 covertly modifies the corresponding set function interface and the value of the set calling parameter in the client background in advance.
Compared with the prior art, the recognition system of the non-manual brushing function interface has the same beneficial effects as the recognition method of the non-manual brushing function interface, and the details are not repeated herein.
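The six operation steps above and the unit-based system description (server changing unit, client changing unit, analysis unit, tracking unit) describe the same mechanism: a "canary" value in a set calling parameter that the server accepts in both its old and new form, that the real client is switched to, and whose old form therefore only survives in pre-packaged scripts. The following is an added example modelling that mechanism as a log-analysis pass; it is not code from the patent or from the Weibo service it cites. The parameter name ajwvr and the values 6 and 7 are taken from the worked example above; the log line format, account identifiers and IP addresses are constructed for this example.

```python
"""Added example, not code from the patent or from Weibo: a minimal model of the
two-value canary described in the steps above, used as a log-analysis pass.

Assumed log format (constructed for this example): one request per line,
"<client_ip> <account_id> <method> <url>". The parameter name `ajwvr` and the
values 6 / 7 come from the patent's worked example; accounts and IPs are made up.
"""
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit


class Canary:
    """The set calling parameter and its two accepted values.

    old: the first value, which only pre-packaged scripts keep sending.
    new: the second value, which the updated web client sends.
    """

    def __init__(self, param, old_value, new_value):
        self.param = param
        self.old = old_value
        self.new = new_value

    def _values(self, url):
        return parse_qs(urlsplit(url).query).get(self.param, [])

    def server_accepts(self, url):
        """Server-side change (step 1): respond normally to either value, so the
        script author sees no difference in the returned result."""
        vals = self._values(url)
        return len(vals) == 1 and vals[0] in (self.old, self.new)

    def classify(self, url):
        """Log-analysis rule (step 4): old value -> script, new value -> manual."""
        vals = self._values(url)
        if vals == [self.new]:
            return "manual"
        if vals == [self.old]:
            return "script"
        return "unknown"  # missing, repeated or unexpected value: neither class

    def rotate(self, next_value):
        """Irregular replacement (step 6): the current client value becomes the
        one only stale scripts send, and the client is moved to next_value."""
        self.old, self.new = self.new, next_value


def parse_log(text):
    """Yield one dict per well-formed log line; skip anything else."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ip, account, method, url = parts
        yield {"ip": ip, "account": account, "method": method, "url": url}


def analyze(canary, text):
    """Classify every request and collect the accounts and IPs behind the
    requests still carrying the old value (the input to the blocking step)."""
    counts = defaultdict(int)
    accounts, ips = set(), set()
    for rec in parse_log(text):
        label = canary.classify(rec["url"])
        counts[label] += 1
        if label == "script":
            accounts.add(rec["account"])
            ips.add(rec["ip"])
    return {"counts": dict(counts), "accounts": sorted(accounts), "ips": sorted(ips)}


# Constructed sample log: two updated-client users, three stale-script
# accounts spread over two IPs, and one request without the parameter at all.
LIKE = ("http://weibo.com/aj/v6/like/add?ajwvr={v}&loc=profile"
        "&location=page_100505_home&mid=4067200547501908&qid=heart&version=mini")
SAMPLE_LOG = "\n".join([
    "203.0.113.10 user_1001 POST " + LIKE.format(v=7),
    "198.51.100.7 bot_0001 POST " + LIKE.format(v=6),
    "198.51.100.7 bot_0002 POST " + LIKE.format(v=6),
    "198.51.100.8 bot_0003 POST " + LIKE.format(v=6),
    "203.0.113.11 user_1002 POST " + LIKE.format(v=7),
    "203.0.113.12 user_1003 POST http://weibo.com/aj/v6/like/add?loc=profile&mid=4067200547501908",
])

if __name__ == "__main__":
    canary = Canary("ajwvr", "6", "7")
    print(analyze(canary, SAMPLE_LOG))
```

Two points the code makes explicit. First, `server_accepts` must return true for both values; if the server rejected the old value, the script's failed requests would reveal the change immediately, which is why the description keeps ajwvr=6 working. Second, the classification only separates clients that were packaged before the switch from clients that were updated; a request with no value, or with both values, is left as "unknown" rather than forced into either class, and `rotate` shows why the value has to be replaced irregularly: once the old and new values are shifted, a script that copied the previous client value is flagged on the next analysis pass.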
It should be understood that the specific order or hierarchy of steps in the processes disclosed is an example of exemplary approaches. Based upon design preferences, it is understood that the specific order or hierarchy of steps in the processes may be rearranged without departing from the scope of the present disclosure. The accompanying method claims present elements of the various steps in a sample order, and are not intended to be limited to the specific order or hierarchy presented.
In the foregoing detailed description, various features are grouped together in a single embodiment for the purpose of streamlining the disclosure. This method of disclosure is not to be interpreted as reflecting an intention that the claimed embodiments of the subject matter require more features than are expressly recited in each claim. Rather, as the following claims reflect, invention lies in less than all features of a single disclosed embodiment. Thus, the following claims are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate preferred embodiment of the invention.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the disclosure. Thus, the present disclosure is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
What has been described above includes examples of one or more embodiments. It is, of course, not possible to describe every conceivable combination of components or methodologies for purposes of describing the aforementioned embodiments, but one of ordinary skill in the art may recognize that many further combinations and permutations of various embodiments are possible. Accordingly, the embodiments described herein are intended to embrace all such alterations, modifications and variations that fall within the scope of the appended claims. Furthermore, to the extent that the term "includes" is used in either the detailed description or the claims, such term is intended to be inclusive in a manner similar to the term "comprising" as "comprising" is interpreted when employed as a transitional word in a claim. Furthermore, any use of the term "or" in the specification of the claims is intended to mean a "non-exclusive or".
Those of skill in the art will further appreciate that the various illustrative logical blocks, units, and steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both. To clearly illustrate the interchangeability of hardware and software, various illustrative components, elements, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends upon the particular application and design requirements of the overall system. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present embodiments.
The various illustrative logical blocks, or elements, described in connection with the embodiments disclosed herein may be implemented or performed with a general purpose processor, a digital signal processor, an Application Specific Integrated Circuit (ASIC), a field programmable gate array or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination thereof designed to perform the functions described herein. A general-purpose processor may be a microprocessor, but in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine. A processor may also be implemented as a combination of computing devices, e.g., a digital signal processor and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a digital signal processor core, or any other similar configuration.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may be stored in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. For example, a storage medium may be coupled to the processor such that the processor can read information from, and write information to, the storage medium. In the alternative, the storage medium may be integral to the processor. The processor and the storage medium may reside in an ASIC, which may be located in a user terminal. In the alternative, the processor and the storage medium may reside in different components in a user terminal.
In one or more exemplary designs, the functions described above in connection with the embodiments of the invention may be implemented in hardware, software, firmware, or any combination of the three. If implemented in software, the functions may be stored on or transmitted over a computer-readable medium as one or more instructions or code. Computer-readable media include both computer storage media and communication media that facilitate transfer of a computer program from one place to another. Storage media may be any available media that can be accessed by a general-purpose or special-purpose computer. For example, such computer-readable media can include, but are not limited to, RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to carry or store program code in the form of instructions or data structures and which can be read by a general-purpose or special-purpose computer, or a general-purpose or special-purpose processor. Additionally, any connection is properly termed a computer-readable medium, and is thus included if the software is transmitted from a website, server, or other remote source via a coaxial cable, fiber optic cable, twisted pair, Digital Subscriber Line (DSL), or wirelessly, e.g., infrared, radio, and microwave. Disk and disc, as used here, include compact disc, laser disc, optical disc, DVD, floppy disk and Blu-ray disc, where disks usually reproduce data magnetically, while discs reproduce data optically with lasers. Combinations of the above may also be included in the computer-readable medium.
The above-mentioned embodiments are intended to illustrate the objects, technical solutions and advantages of the present invention in further detail, and it should be understood that the above-mentioned embodiments are merely exemplary embodiments of the present invention, and are not intended to limit the scope of the present invention, and any modifications, equivalent substitutions, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (8)

1. A method for identifying a non-manual brushing function interface is characterized by comprising the following steps:
adding or modifying the value of the set calling parameter of the set function interface in the server, and replacing the first value with a first value and a second value, so that the server can respond to a calling function interface request carrying the value of the set calling parameter as the first value or the second value;
modifying a first value of a set calling parameter requesting to call a functional interface into a second value in a client, so that a user can send a calling functional interface request carrying the set calling parameter value as the second value to the server through the client;
analyzing the value of the set calling parameter in the log of the server, and determining whether the source of the function interface request corresponding to the value of the set calling parameter is a non-manual function interface refreshing behavior, specifically comprising: if the value of the set calling parameter in the server log is a first value, determining that the source of the function interface request corresponding to the first value is a non-manual function interface refreshing behavior; if the value of the set calling parameter in the server log is a second value, determining that the source of the function interface sending request corresponding to the second value is a manual operation behavior;
and the server log stores set calling parameters and requester information carried by a function interface sending and calling request corresponding to the server response.
2. The method of claim 1, further comprising:
after determining that the source of the function interface sending request corresponding to the value of the set calling parameter is a non-manual function interface refreshing behavior, tracking according to requester information of the function interface sending request, and determining an account number and/or an IP address of the non-manual function interface refreshing;
and sealing and killing the non-manual brushing function interface behaviors in batches according to the account number and/or the IP address of the non-manual brushing.
3. The method of claim 1, further comprising:
and the setting function interface and the corresponding value of the setting calling parameter are changed at irregular time.
4. The method for identifying a non-manual swiping function interface according to any one of claims 1 to 3, wherein the values of the set function interface and the set calling parameter are pre-concealed and modified or added in the background of the server, and the values of the corresponding set function interface and the set calling parameter are pre-concealed and modified in the background of the client.
5. A recognition system for a non-manual swipe function interface, the recognition system comprising:
the server side changing unit is used for adding or modifying the value of the set calling parameter of the set function interface in the server side, and changing the first value into a first value and a second value, so that the server side can respond to a calling function interface request carrying the value of the set calling parameter as the first value or the second value;
the client changing unit is used for modifying a first numerical value of a set calling parameter for requesting to call the functional interface into a second numerical value in the client, so that a user can send a calling functional interface request carrying the set calling parameter numerical value as the second numerical value to the server through the client;
an analysis unit, configured to analyze a value of a set call parameter in a server log, and determine whether a source of a function interface request sent corresponding to the value of the set call parameter is a non-manual function interface refreshing behavior, where the analysis unit is specifically configured to: if the value of the set calling parameter in the server log is a first value, determining that the source of the function interface request corresponding to the first value is a non-manual function interface refreshing behavior; if the value of the set calling parameter in the server log is a second value, determining that the source of the function interface sending request corresponding to the second value is a manual operation behavior;
and the server log stores set calling parameters and requester information carried by a function interface sending and calling request corresponding to the server response.
6. The system of claim 5, further comprising:
the tracking unit is connected with the analysis unit and used for tracking according to requester information which sends a corresponding calling function interface request after determining that the source of the sending function interface request corresponding to the value of the set calling parameter is a non-manual function interface brushing behavior, and determining an account number and/or an IP address of the non-manual function interface brushing;
and the sealing and killing unit is connected with the tracking unit and is used for sealing and killing the non-manual brushing function interface behaviors in batches according to the account number and/or the IP address of the non-manual brushing.
7. The system of claim 5, further comprising:
and the replacing unit is respectively connected with the server changing unit and the client changing unit and is used for replacing the setting function interface and the corresponding value of the setting calling parameter at irregular time.
8. The system for identifying a non-manual-swiping function interface according to any one of claims 5-7, wherein the server modifying unit conceals and modifies or adds the setting function interface and the setting calling parameter value in the server background in advance, and the client modifying unit conceals and modifies the corresponding setting function interface and the setting calling parameter value in the client background in advance.
CN201710382656.8A 2017-05-26 2017-05-26 Identification method and identification system for non-manual brushing function interface Active CN107222471B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710382656.8A CN107222471B (en) 2017-05-26 2017-05-26 Identification method and identification system for non-manual brushing function interface

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710382656.8A CN107222471B (en) 2017-05-26 2017-05-26 Identification method and identification system for non-manual brushing function interface

Publications (2)

Publication Number Publication Date
CN107222471A CN107222471A (en) 2017-09-29
CN107222471B true CN107222471B (en) 2020-01-14

Family

ID=59944744

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710382656.8A Active CN107222471B (en) 2017-05-26 2017-05-26 Identification method and identification system for non-manual brushing function interface

Country Status (1)

Country Link
CN (1) CN107222471B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110035068B (en) * 2019-03-14 2021-10-01 微梦创科网络科技(中国)有限公司 Sealing forbidding method and device for anti-grabbing station system
CN112671695A (en) * 2019-10-16 2021-04-16 上海擎感智能科技有限公司 Method, system, medium, and apparatus for limiting number of IP access connections from the same source

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2006081459A2 (en) * 2005-01-25 2006-08-03 Whitehat Security, Inc. System for detecting vulnerabilities in web applications using client-side application interfaces
CN104618352A (en) * 2015-01-16 2015-05-13 沈文策 Script-based flow anti-brush method and system
CN104917643A (en) * 2014-03-11 2015-09-16 腾讯科技(深圳)有限公司 Abnormal account detection method and device
CN105897782A (en) * 2016-06-30 2016-08-24 北京奇艺世纪科技有限公司 Method and device for treating call request of interface

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2006081459A2 (en) * 2005-01-25 2006-08-03 Whitehat Security, Inc. System for detecting vulnerabilities in web applications using client-side application interfaces
CN104917643A (en) * 2014-03-11 2015-09-16 腾讯科技(深圳)有限公司 Abnormal account detection method and device
CN104618352A (en) * 2015-01-16 2015-05-13 沈文策 Script-based flow anti-brush method and system
CN105897782A (en) * 2016-06-30 2016-08-24 北京奇艺世纪科技有限公司 Method and device for treating call request of interface

Also Published As

Publication number Publication date
CN107222471A (en) 2017-09-29

Similar Documents

Publication Publication Date Title
US10248782B2 (en) Systems and methods for access control to web applications and identification of web browsers
De Ryck et al. Automatic and precise client-side protection against CSRF attacks
CN107465648B (en) Abnormal equipment identification method and device
US10771500B2 (en) System and method of determining DDOS attacks
US20150304350A1 (en) Detection of malware beaconing activities
CN108259425A (en) The determining method, apparatus and server of query-attack
US10083322B2 (en) Obscuring user web usage patterns
EP2830280B1 (en) Web caching with security as a service
CN107645478B (en) Network attack defense system, method and device
US20160234230A1 (en) System and method for preventing dos attacks utilizing invalid transaction statistics
CN105939350B (en) Network access control method and system
WO2016191232A1 (en) Mitigation of computer network attacks
CN102404741B (en) Method and device for detecting abnormal online of mobile terminal
CN109361574B (en) JavaScript script-based NAT detection method, system, medium and equipment
CN111970261A (en) Network attack identification method, device and equipment
CN107222471B (en) Identification method and identification system for non-manual brushing function interface
WO2023045196A1 (en) Access request capturing method and apparatus, computer device, and storage medium
US11729214B1 (en) Method of generating and using credentials to detect the source of account takeovers
Wedman et al. An analytical study of web application session management mechanisms and HTTP session hijacking attacks
US11356478B2 (en) Phishing protection using cloning detection
KR102040227B1 (en) Method and system for evaluating security effectiveness between device
US20220329567A1 (en) User interface for web server risk awareness
CN106656912A (en) Method and device for detecting denial of service attack
CN115102781A (en) Network attack processing method, device, electronic equipment and medium
CN114389863A (en) Honeypot interaction method and device, honeypot network, honeypot equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant