CN108566394B - Information processing method and device - Google Patents

Publication number: CN108566394B
Authority: CN (China)
Prior art keywords: login information, login, information, preset, verification
Legal status (as listed by Google Patents; an assumption, not a legal conclusion): Active
Application number: CN201810337962.4A
Other languages: Chinese (zh)
Other versions: CN108566394A (en)
Inventors: 张惊申, 任方英
Current Assignee: New H3C Security Technologies Co Ltd
Original Assignee: New H3C Security Technologies Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment

Abstract

Embodiments of the application provide an information processing method and device. The method comprises: after determining that login messages from a first source address satisfy a preset library-collision (credential-stuffing) rule, on receiving each login message from the first source address, sending verification failure information for that login message to the first source address; acquiring the login information in each login message; receiving login information to be verified, judging whether the acquired login information contains the login information to be verified, and sending alarm information if it does; and/or sending the acquired login information to each preset address, so that the verification device corresponding to each preset address, on verifying that the login information contains first login information stored by that verification device, determines that the first login information is leaked login information. The login message comprises login information used for logging in to a first server. The scheme provided by the embodiments of the application can improve information security.

Description

Information processing method and device
Technical Field
The present application relates to the field of communications technologies, and in particular, to an information processing method and apparatus.
Background
With the spread of computers and networks, information technology is changing and shaping the way people live. New network applications keep emerging, while security threats and network abuse grow by the day, placing new demands on website administrators. Login information such as user names and passwords is the key to logging in to each website server and must be strictly protected; once it is leaked, the consequences can be severe.
An attacker collects user names and passwords leaked on the Internet and uses them to attempt logins to a website server in bulk, obtaining a set of user names and passwords that can log in to that server. Many users use the same user name and password on different websites, so an attacker who obtains a user's user name and password for website A can try them on website B. This is a library-collision attack, commonly called credential stuffing.
A network device can use Deep Packet Inspection (DPI) to match login messages sent to the website server against library-collision rules and so detect a library-collision attack. For example, whether a library-collision attack exists may be determined according to whether the number of login messages received per unit time, or the number of login failures per unit time, is greater than a threshold.
When a library-collision attack is detected, the attack is usually blocked so that the attacker cannot keep attacking the website server. However, the leaked login information can still be reused by the attacker to log in to other network servers, so information security remains low.
Disclosure of Invention
The embodiment of the application aims to provide an information processing method and an information processing device so as to improve information security.
In order to achieve the above object, an embodiment of the present application provides an information processing method applied to a network device, where the method includes:
after determining that login messages from a first source address satisfy a preset library-collision rule, on receiving each login message from the first source address, sending verification failure information for that login message to the first source address; the login message comprises login information used for logging in to the first server;
acquiring the login information in each login message;
receiving login information to be verified, judging whether the acquired login information contains the login information to be verified, and sending alarm information if it does; and/or sending the acquired login information to each preset address, so that the verification device corresponding to each preset address, on verifying that the login information contains first login information stored by that verification device, determines that the first login information is leaked login information.
The embodiment of the application provides another information processing method, which is applied to a second server and comprises the following steps:
receiving login information sent by each network device, where the login information is acquired by the network device from login messages from a first source address after the network device determines that login messages from the first source address satisfy a preset library-collision rule;
sending the login information received from each network device to each preset address, so that the verification device corresponding to each preset address, on verifying that the login information contains first login information stored by that verification device, determines that the first login information is leaked login information.
An embodiment of the present application provides an information processing apparatus, which is applied to a network device, and includes:
the system comprises a first sending module, a second sending module and a third sending module, wherein the first sending module is configured to send, after determining that login messages from a first source address satisfy a preset library-collision rule, verification failure information for each login message to the first source address on receiving that login message from the first source address; the login message comprises login information used for logging in to the first server;
the acquisition module is configured to acquire the login information in each login message;
the verification module is further configured to receive login information to be verified, judge whether the acquired login information contains the login information to be verified, and send alarm information if it does; and/or to send the acquired login information to each preset address, so that the verification device corresponding to each preset address, on verifying that the login information contains first login information stored by that verification device, determines that the first login information is leaked login information.
An embodiment of the present application provides another information processing apparatus, which is applied to a second server, and includes:
the second receiving module is configured to receive login information sent by each network device, where the login information is acquired by the network device from login messages from a first source address after the network device determines that login messages from the first source address satisfy a preset library-collision rule;
the second sending module is configured to send the login information received from each network device to each preset address, so that the verification device corresponding to each preset address, on verifying that the login information contains first login information stored by that verification device, determines that the first login information is leaked login information.
An embodiment of the present application provides a network device comprising a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor, the machine-executable instructions causing the processor to implement the information processing method provided by the embodiments of the application, namely the method applied to a network device whose steps are set out above.
An embodiment of the present application provides a server comprising a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor, the machine-executable instructions causing the processor to implement the other information processing method provided by the embodiments of the application, namely the method applied to the second server whose steps are set out above.
An embodiment of the present application provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the information processing method applied to a network device set out above.
An embodiment of the present application provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the information processing method applied to the second server set out above.
According to the information processing method and device provided by the embodiments of the application, after a library-collision attack launched from the first source address against the first server is detected, the network device can continue to receive each login message from the first source address and send verification failure information to the first source address, luring the attacker into continuing to send login information so that more of the login information held by the attacker is collected. The network device may send alarm information when the acquired login information contains the login information to be verified, so that the device that sent the login information to be verified can deal with the leaked data according to the alarm information. And/or the network device may send the acquired login information to each preset address, and the verification device corresponding to each preset address may determine from that login information whether the first login information it stores is leaked login information. In this way, each verification device can take corresponding defensive measures on its own system when it determines that the first login information is leaked login information. Information security can therefore be improved. Of course, a product or method implementing the present application need not achieve all of the above advantages at the same time.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below. It is obvious that the drawings in the following description are only some embodiments of the application, and that for a person skilled in the art, other drawings can be derived from them without inventive effort.
Fig. 1 is a schematic flowchart of an information processing method according to an embodiment of the present application;
Fig. 2 is a schematic flowchart of another information processing method according to an embodiment of the present application;
Fig. 3 is a schematic view of an application scenario provided in an embodiment of the present application;
Fig. 4 is a schematic structural diagram of an information processing apparatus according to an embodiment of the present application;
Fig. 5 is a schematic structural diagram of another information processing apparatus according to an embodiment of the present application;
Fig. 6 is a schematic structural diagram of a network device according to an embodiment of the present application;
Fig. 7 is a schematic structural diagram of a server according to an embodiment of the present application.
Detailed Description
The technical solution in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application. It is to be understood that the described embodiments are merely a few embodiments of the present application and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
In order to improve information security, the embodiment of the application provides an information processing method and device. The present application will be described in detail below with reference to specific examples.
Fig. 1 is a schematic flowchart of an information processing method provided in an embodiment of the present application, and is applied to a network device, where the network device may be a router or a switch. The present embodiment includes the following steps S101 to S103.
Step S101: after determining that login messages from the first source address satisfy the preset library-collision rule, on receiving each login message from the first source address, sending verification failure information for that login message to the first source address.
The login message includes login information for logging in a first server, and the number of the first servers may be one or more. The first server may be understood as a web server. The first source address may be an Internet Protocol (IP) address.
The preset library-collision rule may include: the number of login messages for logging in to the first server received from the first source address within a preset time length is greater than a preset number threshold; and/or the number of login failures among the login messages for logging in to the first server received from the first source address within the preset time length is greater than a preset failure-count threshold.
For example, 200 login messages from the address 1.1.1.1 are received within 10 minutes. If the preset number threshold is 50, the login messages from the address 1.1.1.1 can be considered to satisfy the preset library-collision rule. If 180 of the 200 login messages failed, that is, the number of login failures is 180, and the preset failure-count threshold is 50, the login messages from the address 1.1.1.1 can likewise be considered to satisfy the preset library-collision rule.
The preset library-collision rule can be obtained in advance from the associated cloud server. The preset time length, the preset number threshold and the preset failure-count threshold can be determined in advance from empirical values.
In this embodiment, after receiving each message, the network device may determine the message with the specified characteristics as a login message. For example, the specified characteristics may include logic, userid, password, and the like.
After determining that the login messages from the first source address satisfy the preset library-collision rule, it is considered that a device using the first source address has been detected launching a library-collision attack against the first server. After detecting the library-collision attack, the present embodiment does not block it, but continues to receive each login message from the first source address and sends verification failure information for each login message to the first source address. After receiving the verification failure information, the attacker can continue to send login messages to the first server. The attacker is thereby lured into continuing to send login messages, and the network device can collect more of the information held by the attacker.
The verification failure information may be verification failure page information, that is, the page returned when a website login fails. It may be obtained in advance from a response message sent by the first server for a login message.
In this embodiment, after determining that the login messages from the first source address satisfy the preset library-collision rule, the network device does not forward to the first server any login message it receives from the first source address.
Step S102: acquiring the login information in each login message.
When the login information carried by each login message is acquired, each piece of login information can be stored. The login information comprises a user name and a password. Multiple pieces of login information are obtained.
Step S103: receiving login information to be verified, judging whether the acquired login information contains the login information to be verified, and sending alarm information if it does; and/or sending the acquired login information to each preset address, so that the verification device corresponding to each preset address, on verifying that the login information contains first login information stored by that verification device, determines that the first login information is leaked login information.
The login information to be verified may be sent by the user equipment, or may be sent by the network server.
The alarm information is sent to the device that sent the login information to be verified. The alarm information may be used to indicate that the login information to be verified is leaked login information.
The preset address may be: a mail address, a client address, a host address, etc. The host address may be an IP address and/or a Media Access Control (MAC) address, etc.
One preset address may correspond to one verification device. The verification device may be understood as a device in the network; it may be the web server itself or another device belonging to the same intranet as the web server. The enterprise or organization to which each verification device belongs may be a member of a leak-proof federation organization.
The verification devices may include a verification device corresponding to the first server.
When the preset address is a mail address, the acquired login information can be sent to each preset mail address through a mail protocol message according to a mail protocol corresponding to the mail address. For example, when the mail protocol is the SMTP protocol, a mail protocol packet carrying login information may be generated according to a packet format specified by the SMTP protocol, and the mail protocol packet is sent to a preset mail address.
When the preset address is the client address, the acquired login information can be sent to each preset client address through a client protocol message according to the client protocol corresponding to the client address.
On receiving login information sent by the network device, the verification device corresponding to each preset address can verify whether the login information contains first login information stored by the verification device itself, and if so, determine that the first login information is leaked login information. The first login information stored by the verification device can be obtained from the corresponding network server.
For example, the verification device stores 1000 pieces of first login information. If the login information it receives comprises 5000 pieces of login information, the verification device may match each piece of first login information against the 5000 pieces of login information and, where a match succeeds, determine that that piece of first login information is leaked login information.
As can be seen from the above, in this embodiment, after detecting that an attacker is using the first source address to launch a library-collision attack against the first server, the network device continues to receive each login message from the first source address and sends verification failure information to the first source address, luring the attacker into continuing to send login information so that more of the login information held by the attacker is collected. The network device may send alarm information when the acquired login information contains the login information to be verified, so that the device that sent the login information to be verified can deal with the leaked data according to the alarm information. And/or the network device may send the acquired login information to each preset address, and the verification device corresponding to each preset address may determine from that login information whether the first login information it stores is leaked login information. In this way, each verification device can take corresponding defensive measures on its own system when it determines that the first login information is leaked login information. The present embodiment can therefore improve information security.
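The flow of steps S101 to S103 can be simulated in a few lines. The following Python sketch is an added example, not code from the patent: the `NetworkDevice` class, the `forward` callback standing in for the first server, the reply strings and the sample credentials are all assumptions made for illustration, while the 10-minute window, the thresholds of 50 and the address 1.1.1.1 follow the worked example in the text.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Callable

WINDOW_SECONDS = 600      # preset time length (10 minutes, as in the text)
COUNT_THRESHOLD = 50      # preset number threshold
FAILURE_THRESHOLD = 50    # preset failure-count threshold
FAILURE_PAGE = "LOGIN FAILED"  # constructed stand-in for the first server's failure page


@dataclass
class NetworkDevice:
    # forward(username, password) -> True if the first server accepted the login
    forward: Callable[[str, str], bool]
    events: dict = field(default_factory=lambda: defaultdict(deque))  # src -> (time, failed)
    trapped: set = field(default_factory=set)    # sources that met the rule
    captured: set = field(default_factory=set)   # login information collected in S102

    def _rule_met(self, src: str, now: float) -> bool:
        window = self.events[src]
        # Drop events older than the preset time length.
        while window and now - window[0][0] > WINDOW_SECONDS:
            window.popleft()
        failures = sum(1 for _, failed in window if failed)
        return len(window) > COUNT_THRESHOLD or failures > FAILURE_THRESHOLD

    def on_login(self, src: str, username: str, password: str, now: float) -> str:
        if src in self.trapped:
            # S101/S102: do not forward; record the credentials and answer
            # with the failure page so the sender keeps submitting more.
            self.captured.add((username, password))
            return FAILURE_PAGE
        accepted = self.forward(username, password)
        self.events[src].append((now, not accepted))
        if self._rule_met(src, now):
            self.trapped.add(src)
            self.events.pop(src, None)  # per-source history is no longer needed
        return "WELCOME" if accepted else FAILURE_PAGE

    def is_leaked(self, username: str, password: str) -> bool:
        # S103, first branch: True means alarm information should be sent
        # to the device that submitted this login information for checking.
        return (username, password) in self.captured


def demo():
    valid = {("alice", "correct-horse")}   # constructed account on the first server
    forwarded = []

    def first_server(username, password):
        forwarded.append((username, password))
        return (username, password) in valid

    device = NetworkDevice(forward=first_server)
    for i in range(51):                    # 51 failed logins within one minute
        device.on_login("1.1.1.1", f"user{i}", "guess", now=i)
    # The source is now trapped: even a valid pair is withheld and captured.
    reply = device.on_login("1.1.1.1", "alice", "correct-horse", now=60)
    return device, forwarded, reply
```

Only login information received after the rule is met is captured, matching the order of S101 and S102; requests seen before that point were forwarded to the first server as normal traffic.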
In another embodiment of the present application, based on the embodiment shown in Fig. 1, sending the acquired login information to each preset address in step S103 may include:
sending the acquired login information to a second server, so that the second server sends the login information received from each network device to each preset address.
The second server may be a server associated with the network device in advance. The second server may be a cloud server. The second server may be associated with a plurality of network devices and may receive login information transmitted by the respective network devices.
Optionally, the second server may send the login information sent by each network device received within the preset time period to each preset address.
The preset time period may be a time period taking a current time as a start time or an end time, where the current time is a time when the login information sent by the network device is received. The time length of the preset time period may be a fixed time length or a variable time length.
The login information sent by the second server to each preset address can be understood as a summary of the login information received from each network device within the preset time period. The second server can deduplicate the login information received from each network device and send the deduplicated login information to each preset address, which speeds up processing on the verification device. A deduplication operation may be understood as an operation that removes duplicates.
Since the amount of login information acquired by a single network device is still relatively limited, the scheme of this embodiment may be implemented so that the verification device obtains more login information and can identify more leaked data.
When the acquired login information is sent to the second server, if it contains a plaintext password, the plaintext password can be converted into a ciphertext password and the converted login information sent to the second server. This protects the privacy of user data as far as possible. When the plaintext password is converted into a ciphertext password, a hash value of the plaintext password may be used as the corresponding ciphertext password.
In summary, in this embodiment, the login information may be sent to the second server, and the second server sends the login information received from each network device to each preset address, so that the login information delivered to the verification device corresponding to each preset address is a summary of the login information of all the network devices. The verification device then has more and richer login information to work with and can determine more accurately whether login information has been leaked.
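The second-server embodiment above (hash conversion on the network device, aggregation over a preset time period, deduplication, then matching on each verification device) is illustrated by the following added Python example, which is not code from the patent. The class and function names, the choice of SHA-256 as the hash, the one-hour period and all sample credentials are assumptions; it also assumes each verification device holds, or can compute, the same hash of its own passwords.

```python
import hashlib


def to_ciphertext(password: str) -> str:
    # Assumption: SHA-256 stands in for "a hash value of the plaintext password".
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def prepare_upload(captured):
    """Network device side: replace plaintext passwords before upload."""
    return [(user, to_ciphertext(password)) for user, password in captured]


class SecondServer:
    """Aggregates login information from many network devices."""

    def __init__(self, period_seconds: int):
        self.period_seconds = period_seconds
        self.received = []  # (receive_time, username, password_hash)

    def receive(self, now: int, records) -> None:
        self.received.extend((now, user, digest) for user, digest in records)

    def summary(self, now: int):
        """Deduplicated records received in the preset period ending at `now`."""
        seen, out = set(), []
        for ts, user, digest in self.received:
            in_period = now - self.period_seconds <= ts <= now
            if in_period and (user, digest) not in seen:
                seen.add((user, digest))
                out.append((user, digest))
        return out


class VerificationDevice:
    """Holds the first login information of one site as {username: hash}."""

    def __init__(self, first_login_info: dict):
        self.first_login_info = dict(first_login_info)

    def find_leaked(self, summary):
        # A stored record is leaked only if both user name and hash match.
        return sorted({user for user, digest in summary
                       if self.first_login_info.get(user) == digest})


def demo():
    # Constructed captures from two network devices plus one stale upload.
    device_a = [("alice", "Spring2018!"), ("bob", "hunter2")]
    device_b = [("alice", "Spring2018!"), ("carol", "qwerty")]
    stale = [("dave", "letmein")]

    server = SecondServer(period_seconds=3600)
    server.receive(now=100, records=prepare_upload(stale))
    server.receive(now=5000, records=prepare_upload(device_a))
    server.receive(now=5200, records=prepare_upload(device_b))
    summary = server.summary(now=6000)  # covers receive times 2400..6000

    site = VerificationDevice({
        "alice": to_ciphertext("Spring2018!"),   # same password: leaked
        "bob": to_ciphertext("a-different-one"), # same user, other password
        "dave": to_ciphertext("letmein"),        # only in the stale upload
    })
    return summary, site.find_leaked(summary)
```

An unsalted hash is what makes the records comparable across parties; a site that stores only salted password hashes cannot match against this summary directly and would have to compute the comparison hash at a point where it sees the password, such as login time.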
In another embodiment of the present application, after sending the login information to each preset address, the network device may further receive a verification result from the first preset address, where the verification result includes the second login information. The first preset address may be one of the respective preset addresses.
When the verification result shows that the second login information is leaked login information, the network device sends a notification message to the other preset addresses.
The other preset addresses are the preset addresses other than the first preset address. The notification message carries an instruction for indicating whether the second login information is the leaked login information or not.
In this embodiment, when one verification device has verified that the second login information is the leaked login information, a notification message is sent to another preset address, so that another verification device does not need to verify the second login information, and the calculation amount of the verification device is reduced as much as possible.
In another embodiment of the present application, based on the embodiment shown in Fig. 1, the network device may further send the obtained login information to the verification platform, so that when the login information includes login information input by the user, the verification platform determines that the login information input by the user is the leaked login information.
The verification platform may be understood as a server. The verification platform can receive login information input by a user and match it against the login information received from the network device. If the matching is successful, it determines that the login information input by the user is leaked login information. The verification platform may output a prompt to the user, for example to prompt the user to modify the password.
When the network device sends the acquired login information to the verification platform, it may send login information containing a user name and a ciphertext password. This can improve the privacy of the user data as much as possible.
When the verification platform performs the matching, the password input by the user can be converted into a ciphertext password, and the converted ciphertext password and the user name are matched against the login information.
After the matching is successful, the verification platform can mark the successfully matched login information. When login information input by other users is received, it is verified against the unmarked login information only. This can improve the computational efficiency of the verification platform.
This embodiment can provide the verification platform for the user. When verification shows that the login information of the user has been leaked, the user can be prompted to modify the password, so that the influence of the leaked data can be reduced and the information security is improved.
In another embodiment of the present application, the verification failure information includes login failure page information for the first server. This embodiment may acquire the login failure page information in the following manner:
generating arbitrary login information, sending the generated login information to the first server for verification, and receiving the login failure page information sent by the first server when the verification of that login information fails.
In this way, the verification failure page information of the first server can be obtained more accurately. When the verification failure page information is sent to the first source address, the device corresponding to the first source address cannot easily detect that the network device has identified it as an attacker, so the concealment is better.
In this embodiment, when the arbitrary login information is generated, a preset number of elements may be randomly selected within a preset character range and/or a preset number range as a user name and a password.
If the generated login information is successfully verified by the first server, new arbitrary login information can be generated and sent to the first server for verification, and this is repeated until verification fails and the verification failure page information is received.
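The following sketch is an added example, not code from the patent: it shows the failure-page probe with regeneration on accidental success, and a network device that answers a source already flagged by the library collision (credential stuffing) rule with that page while recording the submitted login information. `FirstServer`, `NetworkDevice`, the character range, the length 12 and the choice not to forward flagged traffic are assumptions of the example; the addresses are documentation addresses.

```python
import secrets
import string

# Assumed "preset character range" and "preset number" of elements.
ALPHABET = string.ascii_lowercase + string.digits
CRED_LEN = 12


class FirstServer:
    """Stand-in for the protected login server (constructed for this example)."""

    FAIL_PAGE = "<html><body>Invalid user name or password</body></html>"
    OK_PAGE = "<html><body>Welcome</body></html>"

    def __init__(self, accounts):
        self.accounts = dict(accounts)
        self.seen = 0  # login attempts that actually reached the server

    def login(self, user, password):
        self.seen += 1
        ok = self.accounts.get(user) == password
        return ok, (self.OK_PAGE if ok else self.FAIL_PAGE)


def random_login():
    """Draw a user name and a password from the preset character range."""
    def pick():
        return "".join(secrets.choice(ALPHABET) for _ in range(CRED_LEN))
    return pick(), pick()


def fetch_failure_page(server, make_login=random_login, max_tries=5):
    """Probe with generated logins until one fails, then keep that page."""
    for _ in range(max_tries):
        ok, page = server.login(*make_login())
        if not ok:
            return page
        # The generated login happened to be valid: regenerate and retry.
    raise RuntimeError("every generated login was accepted")


class NetworkDevice:
    def __init__(self, server, flagged_sources):
        self.server = server
        # Sources whose login messages already met the preset rule; how the
        # rule is evaluated is outside this example.
        self.flagged = set(flagged_sources)
        self.fail_page = fetch_failure_page(server)
        self.captured = []  # login information acquired from flagged sources

    def handle_login(self, src, user, password):
        if src in self.flagged:
            # Assumption: the device answers itself and does not forward
            # the message, so even a valid pair gets the failure page.
            self.captured.append((user, password))
            return self.fail_page
        return self.server.login(user, password)[1]

    def contains(self, user, password):
        """True means alarm information should be sent for this login info."""
        return (user, password) in self.captured


if __name__ == "__main__":
    srv = FirstServer({"alice": "pw1"})  # constructed account
    dev = NetworkDevice(srv, {"203.0.113.7"})
    print(dev.handle_login("203.0.113.7", "alice", "pw1") == srv.FAIL_PAGE)
    print(dev.contains("alice", "pw1"))
```

Because the flagged source receives the same page for valid and invalid pairs, the captured list is the only place where the outcome of those attempts can be evaluated.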
Fig. 2 is a schematic flowchart of another information processing method according to an embodiment of the present application. The method embodiment is applied to the second server. The method of the present embodiment includes steps S201 to S202.
Step S201: receiving login information sent by each network device.
The login information is information that the network device acquires from the login messages from a first source address after determining that the login messages from the first source address meet a preset library collision rule.
The second server may be a server associated with the network device in advance. The second server may be a cloud server. The second server may be associated with a plurality of network devices and may receive login information transmitted by the respective network devices.
Step S202: sending the received login information sent by each network device to each preset address, so that the verification device corresponding to each preset address determines that the first login information is the leaked login information when verifying that the login information contains the first login information stored by the verification device.
Specifically, the step may be to send the login information sent by each network device received within a preset time period to each preset address.
Each verification device comprises a verification device corresponding to the first server.
The preset time period may be a time period taking a current time as a start time or an end time, where the current time is a time when the login information sent by the network device is received. The time length of the preset time period may be a fixed time length or a variable time length.
In summary, the embodiment may receive login information sent by each network device, and send the login information to each preset address, and the verification device corresponding to each preset address may determine whether the first login information stored by the verification device is the leaked login information according to the login information. In this way, each authentication device can execute a corresponding defense measure on its own system when determining that the first login information is the leaked login information, and therefore, the present embodiment can improve information security. Meanwhile, in the embodiment, because the login information of each network device is sent to the preset address, the comprehensiveness of the login information can be improved, and more comprehensive leaked information can be detected.
In another embodiment of the present application, based on the embodiment shown in Fig. 2, when step S202 sends the received login information sent by each network device to each preset address, the step may include: performing a deduplication operation on the received login information sent by each network device, and sending the deduplicated login information to each preset address.
In this embodiment, removing duplicate data can improve the processing speed of the verification device.
In another embodiment of the present application, based on the embodiment shown in fig. 2, the second server may further receive a verification result from the first preset address. The authentication result includes the second login information. The first preset address may be one of the respective preset addresses.
When the verification result indicates that the second login information is the leaked login information, the second server may send a notification message to another preset address.
The other preset addresses are the preset addresses other than the first preset address. The notification message carries an indication of whether the second login information is the leaked login information.
In this embodiment, when one verification device has verified that the login information is the leaked login information, a notification message is sent to another preset address, so that another verification device does not need to verify the login information, and the calculation amount of the verification device is reduced as much as possible.
In another embodiment of the present application, the second server may further send the obtained login information sent by each network device to the verification platform, so that the verification platform determines that the login information input by the user is the leaked login information when the login information includes the login information input by the user. According to the embodiment, when the login information of the user is verified to be leaked, the user is prompted to modify the password, so that the influence of the leaked data can be reduced, and the information security is improved.
The second server may also count the number of occurrences of each piece of login information when receiving the login information sent by each network device. When the login information of the user is verified to be the leaked login information, the user can be prompted according to this count. For example, when the count is larger than a preset value, the user can be told that the security of the login information is very low, so that the user modifies the password as soon as possible and the security of the user information is improved.
The embodiments shown in fig. 1 and 2 are based on the same inventive concept, and the description thereof can be referred to each other.
The present application will be described in detail with reference to specific examples.
Fig. 3 is a schematic view of a specific application scenario provided in the embodiment of the present application. Fig. 3 includes a first server A and a network device A in network 1, and a first server B and a network device B in network 2. Network device A, network device B and the verification platform are connected to a second server. The user device may access the verification platform. Network device A, network device B and the second server are all devices of vendor M. Vendor M establishes a leak-prevention alliance, which an enterprise or organization in the network may choose to join as a member. The first server A, the second server B and the third server C are network servers of network 1, network 2 and network 3, respectively.
The members of the leak-prevention alliance may be companies that have purchased vendor M's network devices or companies that have not. Companies that have purchased vendor M's network devices may or may not choose to join the leak-prevention alliance.
For example, network 1 and network 2 use network devices of vendor M, and network 3 does not; network 2 and network 3 are both members of the leak-prevention alliance, and network 1 is not a member.
Network device A may obtain login information dataA and network device B may obtain login information dataB. Network device A and network device B may send dataA and dataB, respectively, to the second server.
The second server deduplicates dataA and dataB to obtain login information DATA, and sends DATA to the verification devices in the leak-prevention alliance, that is, to the mail address of administrator B in network 2 and the mail address of administrator C in network 3. Since network 1 is not a member of the leak-prevention alliance, the second server does not send DATA to administrator A in network 1. After receiving DATA, the host of administrator B may verify whether DATA includes the login information dataxx of its own network that it stores, and if so, determine that dataxx is leaked login information.
When receiving the verification result from the mail address of administrator B, the second server may send a notification message to the mail address of administrator C, notifying administrator C to cancel the verification of whether dataxx is leaked login information.
The second server may also send the DATA to the verification platform. The verification platform can receive login information sent by the user equipment, match the login information with the DATA, and if the matching is successful, consider the login information sent by the user equipment as the leaked login information. The authentication platform may send a prompt to the user device to modify the password.
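The Fig. 3 flow can be traced with the following added example, which is not code from the patent: two network devices report, the second server hashes, deduplicates and counts, alliance members verify against their own stored login information, a positive result is relayed so the other member skips that entry, and the verification platform grades a user's query by occurrence count. SHA-256, the class names, the preset value 1 and all accounts are assumptions or constructed sample data, and members are assumed to hold user name and hash pairs.

```python
import hashlib
from collections import Counter


def to_ciphertext(password):
    # The page only says "a hash value"; SHA-256 is this example's choice.
    # An unkeyed hash of a guessable password can still be recovered by
    # guessing, so it only keeps the plaintext itself off the wire.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class VerificationDevice:
    """One alliance member; holds its own (user, ciphertext) pairs."""

    def __init__(self, stored):
        self.stored = set(stored)
        self.skip = set()      # entries another member already confirmed
        self.compared = 0      # how many DATA entries this member checked

    def notify(self, leaked):
        self.skip |= leaked

    def verify(self, data):
        todo = data - self.skip
        self.compared = len(todo)
        return self.stored & todo


class SecondServer:
    def __init__(self, members):
        self.members = members     # alliance members only
        self.counts = Counter()    # (user, ciphertext) -> times reported

    def receive(self, batch):
        """batch: (user, plaintext password) pairs from one network device."""
        for user, password in batch:
            self.counts[(user, to_ciphertext(password))] += 1

    def data(self):
        return set(self.counts)    # deduplicated DATA

    def distribute(self):
        data, results = self.data(), {}
        for name, device in self.members.items():
            found = device.verify(data)
            results[name] = found
            if found:  # relay the result to the other preset addresses
                for other_name, other in self.members.items():
                    if other_name != name:
                        other.notify(found)
        return results


class VerificationPlatform:
    def __init__(self, counts, preset=1):
        self.counts, self.preset = dict(counts), preset

    def check(self, user, password):
        n = self.counts.get((user, to_ciphertext(password)))
        if n is None:
            return "not_found"
        return "leaked_high_risk" if n > self.preset else "leaked"


def run_fig3_scenario():
    # Constructed sample reports from network device A and network device B.
    data_a = [("alice", "Summer2017"), ("bob", "qwerty123"), ("carol", "letmein!")]
    data_b = [("bob", "qwerty123"), ("dave", "P@ssw0rd"), ("alice", "Summer2017")]
    h = to_ciphertext
    members = {  # network 1 is not a member, so administrator A is absent
        "B": VerificationDevice({("bob", h("qwerty123")), ("erin", h("Tr0ub4dor"))}),
        "C": VerificationDevice({("dave", h("P@ssw0rd")), ("frank", h("hunter2"))}),
    }
    server = SecondServer(members)
    server.receive(data_a)
    server.receive(data_b)
    results = server.distribute()
    return server, results, VerificationPlatform(server.counts, preset=1)


if __name__ == "__main__":
    server, results, platform = run_fig3_scenario()
    print(len(server.data()), {k: sorted(u for u, _ in v) for k, v in results.items()})
    print(platform.check("alice", "Summer2017"))
```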
Fig. 4 is a schematic structural diagram of an information processing apparatus according to an embodiment of the present application. The device is applied to network equipment which can be a router or a switch and the like. The embodiment of the device corresponds to the embodiment of the method shown in fig. 1, and the device comprises:
the first sending module 401 is configured to, after determining that a login message from a first source address meets a preset library collision rule, send verification failure information for each login message to the first source address when receiving each login message from the first source address; the login message comprises login information used for logging in the first server;
an obtaining module 402, configured to obtain login information in each login message;
the verification module 403 is configured to receive login information to be verified, determine whether the obtained login information includes the login information to be verified, and send an alarm message when the login information to be verified is included; and/or send the acquired login information to each preset address, so that the verification equipment corresponding to each preset address determines that the first login information is the leaked login information when verifying that the login information comprises the first login information stored by the verification equipment.
In another embodiment of the present application, the first sending module 401 in the embodiment of fig. 4 is specifically configured to:
send the acquired login information to a second server, so that the second server sends the login information received from each network device within a preset time period to each preset address.
In another embodiment of the present application, the apparatus in the embodiment of fig. 4 further comprises:
a first receiving module (not shown in the figure) for receiving an authentication result from the first preset address, wherein the authentication result includes the second login information;
the first sending module (not shown in the figure) is further configured to send a notification message to another preset address when the verification result indicates that the second login information is the leaked login information;
the other preset addresses are preset addresses except the first preset address in each preset address, and the notification message carries an instruction for indicating whether the second login information is the leaked login information or not.
In another embodiment of the present application, the verification module 403 in the embodiment of fig. 4 is further configured to:
and sending the acquired login information to a verification platform so that the verification platform determines that the login information input by the user is the leaked login information when the login information comprises the login information input by the user.
In another embodiment of the present application, in the embodiment of fig. 4, the authentication failure information includes login failure page information for the server; the obtaining module 402 is further configured to obtain the login failure page information by:
generating any login information, and sending the generated any login information to the first server for verification;
and receiving login failure page information sent by the first server when the first server fails to verify any login information.
Since the device embodiment is obtained based on the method embodiment and has the same technical effect as the method, the technical effect of the device embodiment is not described herein again. For the apparatus embodiment, since it is substantially similar to the method embodiment, it is described relatively simply, and reference may be made to some descriptions of the method embodiment for relevant points.
Fig. 5 is a schematic structural diagram of an information processing apparatus according to an embodiment of the present application. The embodiment of the device is applied to the second server. This embodiment of the apparatus corresponds to the embodiment of the method shown in fig. 2. The device includes:
a second receiving module 501, configured to receive login information sent by each network device; wherein the login information is acquired by the network device from the login messages from a first source address after the network device determines that the login messages from the first source address meet a preset library collision rule;
the second sending module 502 is configured to send the received login information sent by each network device to each preset address, so that when verifying that the login information includes the first login information stored by the verification device corresponding to each preset address, the verification device determines that the first login information is the leaked login information.
In another embodiment of the present application, the second sending module 502 in the embodiment of fig. 5 is specifically configured to:
perform a deduplication operation on the received login information sent by each network device, and send the deduplicated login information to each preset address.
In another embodiment of the present application, the second receiving module 501 in the embodiment of fig. 5 is further configured to receive a verification result from the first preset address, where the verification result includes the second login information;
the second sending module 502 is further configured to send a notification message to another preset address when the verification result indicates that the second login information is the leaked login information;
the other preset addresses are preset addresses except the first preset address in each preset address, and the notification message carries an instruction for indicating whether the second login information is the leaked login information or not.
Fig. 6 is a schematic structural diagram of a network device according to an embodiment of the present application. The device includes a processor 601 and a machine-readable storage medium 602. The machine-readable storage medium 602 stores machine-executable instructions executable by the processor 601, and the machine-executable instructions cause the processor 601 to implement an information processing method according to an embodiment of the present application. The method comprises the following steps:
after determining that login messages from a first source address meet preset library collision rules, when receiving all login messages from the first source address, sending verification failure information aiming at each login message to the first source address; the login message comprises login information used for logging in the first server;
acquiring login information in each login message;
receiving login information to be verified, judging whether the obtained login information contains the login information to be verified, and sending alarm information when the login information to be verified is contained; and/or sending the acquired login information to each preset address, so that the verification equipment corresponding to each preset address determines that the first login information is the leaked login information when verifying that the login information comprises the first login information stored by the verification equipment.
In summary, in this embodiment, after detecting a library collision attack that an attacker launches against the first server from the first source address, the network device continues to receive each login message from the first source address and sends verification failure information to the first source address, luring the attacker into continuing to send login information so that more of the login information held by the attacker is collected. The network device may send alarm information when the acquired login information includes the login information to be verified, so that the device that sent the login information to be verified can handle the leaked data according to the alarm information. And/or the network device may send the acquired login information to each preset address, and the verification device corresponding to each preset address may determine, according to the login information, whether the first login information stored in the verification device is the leaked login information. In this way, each verification device can execute corresponding defense measures on its own system when determining that the first login information is the leaked login information. The present embodiment can improve information security.
Fig. 7 is a schematic structural diagram of a server according to an embodiment of the present application. The server includes a processor 701 and a machine-readable storage medium 702. The machine-readable storage medium 702 stores machine-executable instructions executable by the processor 701, and the machine-executable instructions cause the processor 701 to implement another information processing method according to an embodiment of the present application. The method comprises the following steps:
receiving login information sent by each network device; wherein the login information is acquired by the network device from the login messages from a first source address after the network device determines that the login messages from the first source address meet a preset library collision rule;
and sending the received login information sent by each network device to each preset address, so that the verification device corresponding to each preset address determines that the first login information is the leaked login information when verifying that the login information contains the first login information stored by the verification device.
In summary, the embodiment may receive login information sent by each network device, and send the login information to each preset address, and the verification device corresponding to each preset address may determine whether the first login information stored by the verification device is the leaked login information according to the login information. In this way, each authentication device can execute a corresponding defense measure on its own system when determining that the first login information is the leaked login information, and therefore, the present embodiment can improve information security. Meanwhile, in the embodiment, because the login information of each network device is sent to the preset address, the comprehensiveness of the login information can be improved, and more comprehensive leaked information can be detected.
The embodiment of the application provides a computer-readable storage medium, in which a computer program is stored, and when the computer program is executed by a processor, the computer program implements an information processing method of the embodiment of the application. The method comprises the following steps:
after determining that login messages from a first source address meet preset library collision rules, when receiving all login messages from the first source address, sending verification failure information aiming at each login message to the first source address; the login message comprises login information used for logging in the first server;
acquiring login information in each login message;
receiving login information to be verified, judging whether the obtained login information contains the login information to be verified, and sending alarm information when the login information to be verified is contained; and/or sending the acquired login information to each preset address, so that the verification equipment corresponding to each preset address determines that the first login information is the leaked login information when verifying that the login information comprises the first login information stored by the verification equipment.
In summary, in this embodiment, after detecting a library collision attack that an attacker launches against the first server from the first source address, the network device continues to receive each login message from the first source address and sends verification failure information to the first source address, luring the attacker into continuing to send login information so that more of the login information held by the attacker is collected. The network device may send alarm information when the acquired login information includes the login information to be verified, so that the device that sent the login information to be verified can handle the leaked data according to the alarm information. And/or the network device may send the acquired login information to each preset address, and the verification device corresponding to each preset address may determine, according to the login information, whether the first login information stored in the verification device is the leaked login information. In this way, each verification device can execute corresponding defense measures on its own system when determining that the first login information is the leaked login information. The present embodiment can improve information security.
The embodiment of the present application provides a computer-readable storage medium, in which a computer program is stored, and when the computer program is executed by a processor, the computer program implements another information processing method of the embodiment of the present application. The method comprises the following steps:
receiving login information sent by each network device; wherein the login information is acquired by the network device from the login messages from a first source address after the network device determines that the login messages from the first source address meet a preset library collision rule;
and sending the received login information sent by each network device to each preset address, so that the verification device corresponding to each preset address determines that the first login information is the leaked login information when verifying that the login information contains the first login information stored by the verification device.
In summary, the embodiment may receive login information sent by each network device, and send the login information to each preset address, and the verification device corresponding to each preset address may determine whether the first login information stored by the verification device is the leaked login information according to the login information. In this way, each authentication device can execute a corresponding defense measure on its own system when determining that the first login information is the leaked login information, and therefore, the present embodiment can improve information security. Meanwhile, in the embodiment, because the login information of each network device is sent to the preset address, the comprehensiveness of the login information can be improved, and more comprehensive leaked information can be detected.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments.
The above description is only for the preferred embodiment of the present application, and is not intended to limit the scope of the present application. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application are included in the protection scope of the present application.

Claims (15)

1. An information processing method applied to a network device, the method comprising:
after determining that login messages from a first source address meet preset library collision rules, when receiving all login messages from the first source address, sending verification failure information aiming at each login message to the first source address; the login message comprises login information used for logging in the first server;
acquiring login information in each login message;
receiving login information to be verified, judging whether the obtained login information contains the login information to be verified, and sending alarm information when the login information to be verified is contained; and/or sending the acquired login information to each preset address, so that the verification equipment corresponding to each preset address determines that the first login information is the leaked login information when verifying that the login information comprises the first login information stored by the verification equipment.
2. The method according to claim 1, wherein the step of sending the obtained login information to each preset address comprises:
and sending the acquired login information to a second server so that the second server sends the received login information sent by each network device to each preset address.
3. The method of claim 1, further comprising:
receiving a verification result from the first preset address, wherein the verification result comprises second login information;
when the verification result shows that the second login information is the leaked login information, sending a notification message to other preset addresses;
the other preset addresses are preset addresses except the first preset address in each preset address, and the notification message carries an instruction for indicating whether the second login information is the leaked login information or not.
4. The method of claim 1, further comprising:
and sending the acquired login information to a verification platform so that the verification platform determines that the login information input by the user is the leaked login information when the login information comprises the login information input by the user.
5. The method of claim 1, wherein the authentication failure information comprises login failure page information for the first server; acquiring the login failure page information by adopting the following modes:
generating any login information, and sending the generated any login information to the first server for verification;
and receiving login failure page information sent by the first server when the first server fails to verify any login information.
6. An information processing method applied to a second server, the method comprising:
receiving login information sent by each network device; wherein the login information is: after determining that login messages from a first source address meet a preset library collision rule, when receiving each login message from the first source address, the network equipment sends verification failure information aiming at each login message to the first source address, and acquires the verification failure information from each login message from the first source address;
and sending the received login information sent by each network device to each preset address, so that the verification device corresponding to each preset address determines that the first login information is the leaked login information when verifying that the login information contains the first login information stored by the verification device.
7. The method according to claim 6, wherein the step of sending the received login information sent by each network device to each preset address comprises:
performing a deduplication operation on the received login information sent by each network device, and sending the deduplicated login information to each preset address.
8. The method of claim 6, further comprising:
receiving a verification result from the first preset address, wherein the verification result comprises second login information;
when the verification result shows that the second login information is the leaked login information, sending a notification message to other preset addresses;
the other preset addresses are the preset addresses other than the first preset address, and the notification message carries an indication of whether the second login information is leaked login information.
9. An information processing apparatus, applied to a network device, the apparatus comprising:
a first sending module, configured to, after determining that login messages from a first source address meet a preset library collision rule, send verification failure information for each login message to the first source address when receiving each login message from the first source address; the login message comprises login information used for logging in to the first server;
the acquisition module is used for acquiring the login information in each login message;
the verification module is used for receiving login information to be verified, judging whether the obtained login information contains the login information to be verified or not, and sending alarm information when the login information to be verified is contained; and/or sending the acquired login information to each preset address, so that the verification equipment corresponding to each preset address determines that the first login information is the leaked login information when verifying that the login information comprises the first login information stored by the verification equipment.
10. The apparatus of claim 9, wherein the first sending module is specifically configured to:
send the acquired login information to a second server, so that the second server sends the login information received from each network device within a preset time period to each preset address.
11. The apparatus of claim 9, further comprising:
the first receiving module is used for receiving a verification result from the first preset address, and the verification result comprises second login information;
the first sending module is further configured to send a notification message to other preset addresses when the verification result indicates that the second login information is the leaked login information;
the other preset addresses are the preset addresses other than the first preset address, and the notification message carries an indication of whether the second login information is leaked login information.
12. The apparatus of claim 9, wherein the verification module is further configured to:
send the acquired login information to a verification platform, so that the verification platform determines that login information input by a user is leaked login information when the acquired login information includes the login information input by the user.
13. An information processing apparatus, applied to a second server, the apparatus comprising:
a second receiving module, configured to receive login information sent by each network device; wherein the login information is acquired by the network device as follows: after determining that login messages from a first source address meet a preset library collision rule, the network device, on receiving each login message from the first source address, sends verification failure information for that login message to the first source address and acquires the login information from each login message from the first source address;
and a second sending module, configured to send the received login information sent by each network device to each preset address, so that the verification device corresponding to each preset address, on verifying that the login information contains first login information stored by that verification device, determines that the first login information is leaked login information.
14. A network device, comprising: a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor, the processor being caused by the machine-executable instructions to carry out the method steps of any one of claims 1 to 5.
15. A server, comprising: a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor, the processor being caused by the machine-executable instructions to carry out the method steps of any one of claims 6 to 8.
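The flow recited in the claims (network device, second server, verification device) can be sketched as below. This is an added illustration, not code from the patent: the failed-login count standing in for the "preset library collision rule" (a credential-stuffing rule), the keyed digests held by the verification device, and all names and sample data are assumptions.

```python
import hashlib
import hmac
from collections import defaultdict

FAIL_THRESHOLD = 3  # assumed rule: 3 failed logins from one source address

class NetworkDevice:
    """Sits in front of the first server (here a dict of user -> password)."""
    def __init__(self, first_server):
        self.first_server = first_server
        self.failures = defaultdict(int)
        self.flagged = set()
        self.captured = []  # login information acquired from flagged sources
    def handle_login(self, src, user, password):
        if src in self.flagged:
            # Rule already met: always answer "failed", never forward, keep the pair.
            self.captured.append((user, password))
            return "login failed"
        if self.first_server.get(user) == password:
            return "login ok"
        self.failures[src] += 1
        if self.failures[src] >= FAIL_THRESHOLD:
            self.flagged.add(src)
        return "login failed"

def deduplicate(batches):
    """Second server: merge the devices' reports, dropping repeats (order kept)."""
    return list(dict.fromkeys(pair for batch in batches for pair in batch))

class VerificationDevice:
    """Holds keyed digests of its own accounts rather than plaintext (assumption)."""
    def __init__(self, key, accounts):
        self.key = key
        self.stored = {self._digest(u, p) for u, p in accounts.items()}
    def _digest(self, user, password):
        msg = f"{user}\x00{password}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()
    def leaked(self, login_infos):
        return [(u, p) for u, p in login_infos if self._digest(u, p) in self.stored]

def run_demo():
    # Constructed sample data: one source replaying a credential list.
    accounts = {"alice": "correct-horse", "bob": "hunter2"}
    device = NetworkDevice(accounts)
    attempts = [("carol", "123456"), ("dave", "qwerty"), ("erin", "letmein"),
                ("alice", "correct-horse"), ("alice", "correct-horse"), ("bob", "wrong")]
    replies = [device.handle_login("198.51.100.7", u, p) for u, p in attempts]
    report = deduplicate([device.captured])
    return replies, report, VerificationDevice(b"demo-key", accounts).leaked(report)
```

In the demo the valid pair for `alice` still receives "login failed" because the source is already flagged, so the sender cannot tell which pairs work, while the verification device reports that pair as leaked.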
CN201810337962.4A 2018-04-16 2018-04-16 Information processing method and device Active CN108566394B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810337962.4A CN108566394B (en) 2018-04-16 2018-04-16 Information processing method and device

Publications (2)

Publication Number Publication Date
CN108566394A CN108566394A (en) 2018-09-21
CN108566394B true CN108566394B (en) 2020-10-02

Family

ID=63535144

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810337962.4A Active CN108566394B (en) 2018-04-16 2018-04-16 Information processing method and device

Country Status (1)

Country Link
CN (1) CN108566394B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109446789A (en) * 2018-10-22 2019-03-08 武汉极意网络科技有限公司 Anticollision library method, equipment, storage medium and device based on artificial intelligence
CN109815689A (en) * 2018-12-28 2019-05-28 北京奇安信科技有限公司 A kind of website cipher safety guard method and device
CN112153052A (en) * 2020-09-25 2020-12-29 北京微步在线科技有限公司 Method and system for monitoring database collision attack

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102006271A (en) * 2008-09-02 2011-04-06 F2威尔股份有限公司 IP address secure multi-channel authentication for online transactions
CN104811449A (en) * 2015-04-21 2015-07-29 深信服网络科技(深圳)有限公司 Base collision attack detecting method and system
CN105577670A (en) * 2015-12-29 2016-05-11 南威软件股份有限公司 Warning system of database-hit attack
CN105939326A (en) * 2016-01-18 2016-09-14 杭州迪普科技有限公司 Message processing method and device
CN106209907A (en) * 2016-08-30 2016-12-07 杭州华三通信技术有限公司 A kind of method and device detecting malicious attack
CN107770112A (en) * 2016-08-15 2018-03-06 娄奥林 A kind of method for preventing that account is stolen and server

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
IN2013MU01164A (en) * 2013-03-26 2015-07-03 Tata Consultancy Services Ltd

Also Published As

Publication number Publication date
CN108566394A (en) 2018-09-21

Similar Documents

Publication Publication Date Title
EP3818675B1 (en) System and method for polluting phishing campaign responses
CA2966408C (en) A system and method for network intrusion detection of covert channels based on off-line network traffic
CN105939326B (en) Method and device for processing message
CN104184713B (en) Terminal identification method, machine identifier register method and corresponding system, equipment
CN108566394B (en) Information processing method and device
EP3509001B1 (en) Method and apparatus for detecting zombie feature
CN102404741B (en) Method and device for detecting abnormal online of mobile terminal
WO2009111224A1 (en) Identification of and countermeasures against forged websites
Akiyama et al. HoneyCirculator: distributing credential honeytoken for introspection of web-based attack cycle
Kurniawan et al. Detection and analysis cerber ransomware based on network forensics behavior
CN106982188B (en) Malicious propagation source detection method and device
CN105262748A (en) Wide area network user terminal identity authentication method and system
CN111786964A (en) Network security detection method, terminal and network security equipment
CN106209907B (en) Method and device for detecting malicious attack
Vykopal et al. Network-based dictionary attack detection
Dhanalakshmi et al. Detection of phishing websites and secure transactions
CN112398786B (en) Method and device for identifying penetration attack, system, storage medium and electronic device
US8266704B1 (en) Method and apparatus for securing sensitive data from misappropriation by malicious software
WO2014059159A2 (en) Systems and methods for testing and managing defensive network devices
CN108600209B (en) Information processing method and device
CN114006772B (en) Method and device for resisting hacker attack, electronic equipment and storage medium
JP5743822B2 (en) Information leakage prevention device and restriction information generation device
Brindtha et al. Identification and detecting of attacker in a purchase portal using honeywords
Sivabalan et al. Detecting IoT zombie attacks on web servers
Rajan et al. Performance Analysis on Web based traffic control for DDoS attacks

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant