CN110602134B - Method, device and system for identifying illegal terminal access based on session label - Google Patents


Info

Publication number: CN110602134B
Authority: CN (China)
Prior art keywords: terminal, cross, cookies, browser, domain
Legal status: Active
Application number: CN201910910528.5A
Other languages: Chinese (zh)
Other versions: CN110602134A (en)
Inventors: 宋雪冬, 范渊, 黄进
Current assignee: Hangzhou Dbappsecurity Technology Co Ltd
Original assignee: Hangzhou Dbappsecurity Technology Co Ltd
Events: application filed by Hangzhou Dbappsecurity Technology Co Ltd; priority to CN201910910528.5A; publication of CN110602134A; application granted; publication of CN110602134B; legal status active; anticipated expiration.

Classifications

    • H04L63/0807: Network architectures or network communication protocols for network security, for authentication of entities using tickets, e.g. Kerberos (H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L63/00 Network security > H04L63/08 Authentication of entities)
    • H04L63/10: Network architectures or network communication protocols for network security, for controlling access to devices or network resources (H > H04 > H04L > H04L63/00)
    • H04L67/02: Protocols based on web technology, e.g. hypertext transfer protocol [HTTP] (H > H04 > H04L > H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/01 Protocols)
    • H04L67/14: Session management (H > H04 > H04L > H04L67/00)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a method, a device and a system for identifying illegal terminal access based on a session label, relating to the technical field of the Internet. The system comprises a first intranet server, a terminal browser, a backhaul node server and a system platform, where the system platform includes a data acquisition and analysis module. The first intranet server provides XSS attack code so that the terminal browser obtains terminal information of the terminal where it is located; the terminal information comprises cross-domain Cookies. The data acquisition and analysis module generates fingerprint information from the terminal information and from the Cookies that the backhaul node server obtains from the terminal browser, verifies on the extranet, based on the fingerprint information and the cross-domain Cookies, whether the virtual identity behind the cross-domain Cookies is valid, and, if it is valid, determines that the terminal where the terminal browser is located is an illegal terminal. By combining an XSS 0-day vulnerability, Cookies and terminal information, the method and device achieve effective identification of illegal terminals.

Description

Method, device and system for identifying illegal terminal access based on session label
Technical Field
The invention relates to the technical field of internet, in particular to a method, a device and a system for identifying illegal terminal access based on a session label.
Background
In a large intranet environment, managing the network boundary is often a difficult problem for network security managers, and the accompanying risk of data leakage is a particular concern for them. Most current applications are built on a B/S (browser/server) architecture, so a terminal can access a server interface through a browser; as long as the terminal holds valid terminal account information it can obtain server resources, and an illegal terminal may therefore hide inside the intranet and acquire intranet resources. For example, unauthorized personnel can bypass the intranet boundary integrity protection by technical means and remain latent in the intranet for a long time.
Disclosure of Invention
The invention aims to provide a method, a device and a system for identifying illegal terminal access based on a session label so as to realize effective identification of illegal terminals.
The invention provides a session-label-based illegal terminal access identification system comprising a first intranet server, a terminal browser, a backhaul node server and a system platform, where the system platform includes a data acquisition and analysis module. The first intranet server is communicatively connected to the terminal browser and is used to receive an access request initiated by the terminal browser, create Cookies for the terminal browser according to the access request, and return the Cookies to the terminal browser. When the terminal browser accesses the first intranet server, it loads and executes the XSS attack code in the page returned by the first intranet server to obtain terminal information of the terminal where the terminal browser is located; the terminal information comprises cross-domain Cookies. The backhaul node server is communicatively connected to the terminal browser and to the data acquisition and analysis module and is used to transmit the terminal information and the Cookies to the data acquisition and analysis module. The data acquisition and analysis module generates fingerprint information of the terminal where the terminal browser is located from the terminal information and the Cookies, and uses the fingerprint information to compare whether the terminal where the terminal browser is located is the same terminal as the one corresponding to that fingerprint information in a preset database. If so, it compares the cross-domain Cookies, based on the fingerprint information, with the cross-domain Cookies of the same terminal in a preset cross-domain Cookies library; if the cross-domain Cookies do not exist in the preset cross-domain Cookies library, it sends them to an extranet verification tool so that the tool verifies on the extranet whether the virtual identity behind the cross-domain Cookies is valid, and if the verification result returned by the extranet verification tool is that the virtual identity is valid, the terminal where the terminal browser is located is determined to be an illegal terminal.
Further, the system platform further comprises an early warning module, which reports the illegal terminal to a client as an early warning so that management personnel can track and confirm it.
Further, the data acquisition and analysis module is further configured to establish a mapping relationship between the fingerprint information and the cross-domain Cookies.
Further, the session-label-based illegal terminal access identification system further comprises a second intranet server, which provides XSS attack code to the terminal browser; when the terminal browser accesses the second intranet server, it loads and executes the XSS attack code in the page returned by the second intranet server to obtain the terminal information of the terminal where the terminal browser is located.
Further, the system platform further comprises a code management module and a server management module. The code management module maintains the XSS attack code provided by the first intranet server and the second intranet server; the server management module is communicatively connected to the backhaul node server and manages the system platform and the backhaul node server according to a management strategy.
The invention provides a session-label-based illegal terminal access identification method, applied to a data acquisition and analysis module, comprising the following steps: comparing, based on fingerprint information, whether the terminal where a terminal browser is located is the same terminal as the terminal corresponding to that fingerprint information in a preset database, the fingerprint information being generated from the terminal information and the Cookies of the terminal browser; if so, comparing the cross-domain Cookies, based on the fingerprint information, with the cross-domain Cookies of the same terminal in a preset cross-domain Cookies library, the cross-domain Cookies having been obtained by the terminal browser loading and executing XSS attack code in a page returned by the first intranet server; if the cross-domain Cookies do not exist in the preset cross-domain Cookies library, sending them to an extranet verification tool so that the tool verifies on the extranet whether the virtual identity behind the cross-domain Cookies is valid; and if the verification result returned by the extranet verification tool is that the virtual identity is valid, determining the terminal where the terminal browser is located to be an illegal terminal.
The invention provides a session-tag-based device for identifying illegal terminal access, applied to a data acquisition and analysis module, comprising: a first comparison unit, which compares, based on fingerprint information, whether the terminal where a terminal browser is located is the same terminal as the terminal corresponding to that fingerprint information in a preset database, the fingerprint information being generated from the terminal information and the Cookies of the terminal browser; a second comparison unit, which, if the first comparison unit finds the same terminal, compares the cross-domain Cookies, based on the fingerprint information, with the cross-domain Cookies of the same terminal in a preset cross-domain Cookies library, the cross-domain Cookies having been obtained by the terminal browser loading and executing XSS attack code in a page returned by the first intranet server; a sending unit, which sends the cross-domain Cookies to an extranet verification tool if they do not exist in the preset cross-domain Cookies library, so that the tool verifies on the extranet whether the virtual identity behind the cross-domain Cookies is valid; and a determining unit, which determines the terminal where the terminal browser is located to be an illegal terminal if the verification result returned by the extranet verification tool is that the virtual identity is valid.
The invention provides a session-label-based illegal terminal access identification system comprising a first intranet server, a terminal browser, a backhaul node server and the session-tag-based illegal terminal access identification device described above.
The invention also provides an electronic device comprising a memory and a processor, where the memory stores a computer program that can run on the processor and the processor, when executing the computer program, implements the session-tag-based illegal terminal access identification method.
The invention also provides a computer-readable medium carrying processor-executable non-volatile program code, where the program code causes the processor to execute the session-tag-based illegal terminal access identification method.
The invention provides a method, a device and a system for identifying illegal terminal access based on a session label. The system comprises a first intranet server, a terminal browser, a backhaul node server and a system platform, where the system platform includes a data acquisition and analysis module. Using the XSS attack code in the page returned by the first intranet server, the invention extracts the Cookies and the terminal information of the terminal where the terminal browser is located, the terminal information including cross-domain Cookies; fingerprint information is generated from the extracted information and used to compare whether the terminal where the terminal browser is located is the same terminal as the one corresponding to that fingerprint information in the preset database. If so, the cross-domain Cookies read across domains are compared with the cross-domain Cookies previously acquired from the same terminal; if new Cookies are found, an extranet verification tool verifies on the extranet whether the virtual identity behind them is valid, and if the verification result returned by the tool is that the virtual identity is valid, the terminal where the terminal browser is located is determined to be an illegal terminal. The invention can thus detect theft of important service data by a terminal that has entered the intranet through long-term penetration or through a breached network boundary, and so achieves effective identification of illegal terminals.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a schematic structural diagram of a system for identifying illegal terminal access based on a session tag according to an embodiment of the present invention;
Fig. 2 is a flowchart illustrating the operation of a system for identifying illegal terminal access based on a session tag according to an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of another system for identifying illegal terminal access based on a session tag according to an embodiment of the present invention;
Fig. 4 is a flowchart of a method for identifying illegal terminal access based on a session tag according to an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of an apparatus for identifying illegal terminal access based on a session tag according to an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of another system for identifying illegal terminal access based on a session tag according to an embodiment of the present invention.
Reference numerals:
10 - first intranet server; 20 - terminal browser; 30 - backhaul node server; 40 - system platform; 41 - data acquisition and analysis module; 411 - first comparison unit; 412 - second comparison unit; 413 - sending unit; 414 - determining unit; 42 - early warning module; 43 - code management module; 44 - server management module; 50 - second intranet server.
Detailed Description
The technical solutions of the present invention will be described clearly and completely with reference to the following embodiments, and it should be understood that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In the prior art, the HTTP/1.0 protocol used for the communication connection between the server and the terminal browser is stateless. When the terminal browser sends an access request to the server, the server responds; when the same terminal browser sends another access request, the server responds again, but it does not know that the two requests came from the same terminal browser. In short, because the server retains no memory of the series of access requests issued by one terminal browser, HTTP/1.0 is a stateless protocol.
To identify whether different access requests come from the same terminal browser, an HTTP Session mechanism is used: keeping the association between a user and the different access requests issued by that user across multiple HTTP connections is called maintaining a Session. Session-based state keeping has become the mainstream approach for HTTP and can be said to hold a dominant position. Session identification works as follows: the terminal browser sends an access request to the server, and the server generates the corresponding session information on receiving it. The server sends the session ID to the terminal browser, which receives and stores it. The next time the terminal browser sends a request to the server, the request carries the session ID, and the server can identify the terminal browser that corresponds to that session ID. The session is therefore maintained by means of the session ID.
Cookies are used to store session information between the terminal browser and the server, and the terminal browser carries the Cookies each time it sends an access request to the server. When the terminal browser interacts with the server for the first time, the server sends the contents of the specified Cookies to the terminal browser in a Set-Cookie header, so the user identities of all terminal browsers are assigned by the server. Cookies are the means by which a server or script maintains the identity of a terminal browser user under the HTTP protocol. They are small text files that a Web server saves on the terminal browser and that may contain user information related to that terminal browser. Whenever the terminal browser connects to the server, the server's site can read the Cookies.
Cookies generally fall into two categories: temporary and persistent. Temporary Cookies are stored on the terminal browser only for a specified time and are cleared by the system once that time is exceeded. Persistent Cookies are stored in the cookie file designated by the terminal browser and can still be read the next time the terminal browser logs in to the target server. The embodiment of the invention uses persistent Cookies.
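The session mechanism described above (stateless requests, a server-issued session ID carried in Set-Cookie, and the temporary/persistent distinction) as an added Python example; this is not code from the patent. The cookie name `SESSIONID`, the in-memory store and the 30-day Max-Age are assumptions chosen for the illustration.

```python
import secrets
from http import cookies

# In-memory session store (constructed for this example): session ID -> data.
SESSIONS = {}
SESSION_COOKIE = "SESSIONID"  # assumed cookie name


def parse_cookie_header(header):
    """Parse a request's Cookie header into a plain dict (empty if absent)."""
    jar = cookies.SimpleCookie()
    if header:
        jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def handle_request(request_headers, persistent=False):
    """Serve one request and return (session_id, response_headers, is_new).

    HTTP itself is stateless: the server only recognises a returning browser
    because the browser sends back the session ID the server handed out in an
    earlier Set-Cookie header.
    """
    sent = parse_cookie_header(request_headers.get("Cookie", ""))
    sid = sent.get(SESSION_COOKIE)
    response_headers = {}
    if sid in SESSIONS:
        SESSIONS[sid]["hits"] += 1  # known session: no new cookie needed
        return sid, response_headers, False

    # Missing or unknown ID: create session state and issue a fresh ID.
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"hits": 1}
    jar = cookies.SimpleCookie()
    jar[SESSION_COOKIE] = sid
    jar[SESSION_COOKIE]["path"] = "/"
    jar[SESSION_COOKIE]["httponly"] = True  # keep page scripts from reading it
    if persistent:
        # A persistent cookie carries Max-Age (or Expires); the browser writes
        # it to its cookie file and returns it on later visits. Without it the
        # cookie is temporary and is discarded when the browser session ends.
        jar[SESSION_COOKIE]["max-age"] = 30 * 24 * 3600
    response_headers["Set-Cookie"] = jar[SESSION_COOKIE].OutputString()
    return sid, response_headers, True


def demo():
    """First visit gets a Set-Cookie; the second visit is recognised by ID."""
    sid1, resp1, new1 = handle_request({}, persistent=True)
    sid2, resp2, new2 = handle_request({"Cookie": f"{SESSION_COOKIE}={sid1}"})
    return {
        "same_session": sid1 == sid2,
        "first_is_new": new1,
        "second_is_new": new2,
        "persistent": "Max-Age=" in resp1["Set-Cookie"],
        "second_sets_cookie": "Set-Cookie" in resp2,
        "hits": SESSIONS[sid1]["hits"],
    }
```

The `HttpOnly` flag is the usual hardening for a session ID: a cookie carrying it is sent by the browser but is not exposed to page script, so a script running in the page, including one of the kind the patent relies on, cannot read that particular cookie. The embodiment's dependence on persistent Cookies corresponds to the `Max-Age` branch: only a cookie that survives browser restarts can serve as a stable session label across visits.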
In a large intranet environment, managing the network boundary is often a difficult problem for network security managers, and the accompanying risk of data leakage is a particular concern for them. Most current applications are built on a B/S architecture, so a terminal can illegally access a server interface through a browser: as long as the terminal account information is valid, the server resources can be obtained, and an illegal terminal may enter the intranet and acquire intranet resources. On this basis, the embodiment of the invention provides a method, a device and a system for identifying illegal terminal access based on a session tag, which, by combining an XSS 0-day vulnerability of the terminal browser, the session tag Cookies and the terminal information, achieve effective identification of illegal terminals after fingerprint learning has been performed on the terminals in the intranet for a period of time.
For ease of understanding, the session-tag-based illegal terminal access identification system disclosed in the embodiment of the invention is first described in detail.
The first embodiment is as follows:
Referring to Fig. 1, an embodiment of the present invention provides a system for identifying illegal terminal access based on a session tag, which may include the following modules: a first intranet server 10, a terminal browser 20, a backhaul node server 30 and a system platform 40, where the system platform 40 includes a data acquisition and analysis module 41;
the first intranet server 10 is in communication connection with the terminal browser 20, and is configured to receive an access request initiated by the terminal browser 20, create Cookies of the terminal browser 20 according to the access request, and return the Cookies to the terminal browser 20;
In the embodiment of the present invention, the first intranet server 10 may be a service server on which the JS code is deployed. To minimize interference with the service server, it is not recommended to merge it with other servers: the first intranet server 10 exists independently of the backhaul node server 30, and the functions of the two should not be combined on one server. The first intranet server 10 creates the Cookies corresponding to the terminal browser 20 by means of Set-Cookie, where the Cookies are session IDs, and transmits the session ID to the terminal browser 20 so that both sides store it and the session is maintained.
When the terminal browser 20 accesses the first intranet server 10, it loads and executes the XSS attack code in the page returned by the first intranet server 10 to obtain terminal information of the terminal where the terminal browser 20 is located; the terminal information comprises cross-domain Cookies.
In the embodiment of the invention, the XSS attack code exploits an XSS 0-day vulnerability. The XSS attack code in the page returned by the first intranet server 10 may be JS code, and its purpose is to obtain, by attacking the terminal browser 20, terminal information of the terminal where the terminal browser 20 is located. The terminal information includes, but is not limited to, cross-domain Cookies and local machine information of the terminal, where the cross-domain Cookies were generated when the terminal browser 20 accessed other websites before the current access. The local machine information comprises basic local information and browser information; the basic local information comprises at least one of an IP address, a MAC address, and the operating system type and version; the browser information includes, but is not limited to, the browser version, browser plug-in information and the browser type.
The backhaul node server 30 is communicatively connected to the terminal browser 20 and to the data acquisition and analysis module 41 and is used to transmit the terminal information and the Cookies to the data acquisition and analysis module 41;
In the embodiment of the present invention, the backhaul node server 30 receives the terminal information and Cookies sent by the terminal browser 20, configures a backhaul node, and transmits the terminal information and Cookies to the data acquisition and analysis module 41. It thus handles the receiving, configuration, transmission and other management work, and can ensure the security of the information.
The data acquisition and analysis module 41 generates fingerprint information of the terminal where the terminal browser 20 is located based on the terminal information and Cookies;
In the embodiment of the present invention, the data acquisition and analysis module 41 computes a hash over the terminal information and the Cookies to obtain a hash value for the terminal where the terminal browser 20 is located; this hash value is the fingerprint information of that terminal. Because the fingerprint information corresponds one to one with the terminal, it can be used to identify the terminal.
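As an added example that is not code from the patent, the following Python function computes a fingerprint of this kind over constructed terminal information and Cookies. The field names, the choice of SHA-256 and the canonicalization rules are assumptions; the patent only specifies a hash over the terminal information and the Cookies. The example adds the step the text leaves implicit: the inputs must be put into a canonical form first, otherwise the same terminal produces different fingerprints whenever fields arrive in a different order, a MAC address is written in a different case or separator, or the plug-in list is enumerated in a different order.

```python
import hashlib
import json


def canonicalize_terminal_info(info):
    """Normalise collected fields so the same terminal always hashes the same way.

    Rules (assumptions for this example): trim strings, lower-case the MAC and
    use ':' as its separator, sort the plug-in list.
    """
    canon = {}
    for key, value in info.items():
        if isinstance(value, str):
            value = value.strip()
        if key == "mac":
            value = value.lower().replace("-", ":")
        elif key == "plugins":
            value = sorted(value)
        canon[key] = value
    return canon


def terminal_fingerprint(terminal_info, service_cookies):
    """Hash terminal information plus the service-domain Cookies into a fingerprint.

    json.dumps with sort_keys and fixed separators makes the byte encoding
    independent of dict insertion order, so only the content decides the hash.
    """
    payload = {
        "terminal": canonicalize_terminal_info(terminal_info),
        "cookies": dict(sorted(service_cookies.items())),
    }
    encoded = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()


# Constructed sample terminal, not data from the patent.
SAMPLE_INFO = {
    "ip": "10.0.12.34",
    "mac": "00-1A-2B-3C-4D-5E",
    "os": "Windows 10 1909",
    "browser": "Chrome",
    "browser_version": "77.0.3865.90",
    "plugins": ["pdf-viewer", "flash"],
}
SAMPLE_COOKIES = {"SESSIONID": "persistent-sample-id"}  # persistent service cookie


def fingerprint_is_stable():
    """Same terminal reported with reordered fields, lower-case MAC and reordered plug-ins."""
    reordered = {k: SAMPLE_INFO[k] for k in reversed(list(SAMPLE_INFO))}
    reordered["mac"] = "00:1a:2b:3c:4d:5e"
    reordered["plugins"] = ["flash", "pdf-viewer"]
    return terminal_fingerprint(SAMPLE_INFO, SAMPLE_COOKIES) == terminal_fingerprint(reordered, SAMPLE_COOKIES)


def fingerprint_changes_with_mac():
    """A different MAC must yield a different fingerprint."""
    other = dict(SAMPLE_INFO, mac="00-1A-2B-3C-4D-5F")
    return terminal_fingerprint(SAMPLE_INFO, SAMPLE_COOKIES) != terminal_fingerprint(other, SAMPLE_COOKIES)
```

Because the Cookies enter the hash, the fingerprint is stable only if those Cookies are persistent ones, which is why the embodiment relies on persistent Cookies: a session cookie reissued on every login would make each visit look like a new terminal and defeat the one-to-one correspondence the text assumes.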
As shown in fig. 2, the operation of generating the fingerprint information of the terminal where the terminal browser 20 is located based on the terminal information and Cookies may also be performed by the backhaul node server 30.
The data acquisition and analysis module 41 is configured to compare, based on the fingerprint information, whether the terminal where the terminal browser 20 is located is the same terminal as the one corresponding to that fingerprint information in the preset database. If so, it compares the cross-domain Cookies, based on the fingerprint information, with the cross-domain Cookies of the same terminal in the preset cross-domain Cookies library; if the cross-domain Cookies do not exist in the preset cross-domain Cookies library, it sends them to an extranet verification tool so that the tool verifies on the extranet whether the virtual identity behind the cross-domain Cookies is valid, and if the verification result returned by the extranet verification tool is that the virtual identity is valid, the terminal where the terminal browser 20 is located is determined to be an illegal terminal.
In the embodiment of the present invention, the virtual identity may refer to extranet user information. Within one private network, most terminals run operating systems installed and deployed in a unified way, so the Cookies cached by the terminals are largely the same and the same cross-domain Cookies appear repeatedly in the preset cross-domain Cookies library. The data acquisition and analysis module 41 uses the extranet verification tool, on the basis of the fingerprint information, to verify whether the cross-domain Cookies are invalid or merely duplicates.
Referring to Fig. 2, once the terminals are determined to be the same terminal, if the cross-domain Cookies exist in the preset cross-domain Cookies library, the terminal where the terminal browser 20 is located is determined to be a legal terminal. After the cross-domain Cookies have been sent to the extranet verification tool, if the returned verification result is that the virtual identity of the cross-domain Cookies is invalid, the cross-domain Cookies are stored in the preset cross-domain Cookies library; the preset cross-domain Cookies library is a library of legal samples.
Referring to Fig. 2, if the terminal where the terminal browser 20 is located is not the same terminal as the one corresponding to the fingerprint information in the preset database, the cross-domain Cookies are looked up in the preset cross-domain Cookies library; if they exist there, the fingerprint information and the terminal where the terminal browser 20 is located are stored in the preset database. If the cross-domain Cookies do not exist in the preset cross-domain Cookies library, they are sent to the extranet verification tool so that the tool verifies on the extranet whether the virtual identity behind the cross-domain Cookies is valid.
The data acquisition and analysis module 41 is the focus of the present invention. It may have the following functions: receiving, building the preset database, building the preset cross-domain Cookies library, comparison, information extraction, sending, and determination of illegal access. The preset database holds terminals and fingerprint information associated with each other; the preset cross-domain Cookies library holds fingerprint information, Cookies and cross-domain Cookies associated with each other. An illegal terminal may also be a suspected illegal terminal. The extranet verification tool may be located inside or outside the system platform 40.
When each terminal executes the JS code, the Cookies and cross-domain Cookies in the terminal browser 20 based on the service domain are obtained. The data acquisition and analysis module 41 acquires and learns the Cookies and the cross-domain Cookies in the service domain to generate fingerprint information, stores the terminal and the fingerprint information to a preset database correspondingly, and stores the fingerprint information, the Cookies and the cross-domain Cookies to a preset cross-domain cookie library correspondingly. Because the method is specific to the environment in a private network, the server accessed by the terminal in the private network and the software environment installed in the server are stable, and after a period of learning, the data acquisition and analysis module 41 establishes a stable preset database and a stable preset cross-domain Cookies database.
When the terminal in the private network accesses the first intranet server 10 again, the JS code deployed in the page of the first intranet server 10 is executed, and thus Cookies, cross-domain Cookies and fingerprint information of the terminal can be obtained.
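The learning phase and the comparison flow of Fig. 2 described above, as an added Python example that is not part of the patent: a detector class holds the preset database (fingerprint to terminal) and the preset cross-domain Cookies library (fingerprint to legal cookie samples), and `evaluate` walks the two branches in the order the text gives them. The extranet verification tool is replaced by a caller-supplied callable, the fingerprint and cookie strings are constructed placeholders, and the choice to register an unknown fingerprint once none of its unseen Cookies verifies as a live extranet identity is an assumption the patent text leaves open.

```python
class IllegalTerminalDetector:
    """Comparison and decision logic of the data acquisition and analysis module.

    Data held (names are assumptions):
      preset_db:      fingerprint -> terminal id, built during learning
      cookie_library: fingerprint -> set of cross-domain Cookies accepted as legal samples
    """

    def __init__(self, verify_on_extranet):
        # Stand-in for the extranet verification tool: callable(cookie) -> True
        # when the virtual identity behind the cookie is valid on the extranet.
        self.verify_on_extranet = verify_on_extranet
        self.preset_db = {}
        self.cookie_library = {}

    def learn(self, terminal_id, fingerprint, cross_domain_cookies):
        """Learning phase: bind the fingerprint to the terminal, record its Cookies as legal."""
        self.preset_db[fingerprint] = terminal_id
        self.cookie_library.setdefault(fingerprint, set()).update(cross_domain_cookies)

    def _known_anywhere(self, cookie):
        """Is this cross-domain cookie already in the library for any terminal?"""
        return any(cookie in seen for seen in self.cookie_library.values())

    def evaluate(self, terminal_id, fingerprint, cross_domain_cookies):
        """Return (verdict, cookies_sent_for_verification).

        verdict is "legal", "illegal" or "registered" (new fingerprint added to preset_db).
        """
        sent = []
        if self.preset_db.get(fingerprint) == terminal_id:
            # Same terminal as the one recorded for this fingerprint (Fig. 2, same-terminal branch).
            known = self.cookie_library.setdefault(fingerprint, set())
            for cookie in sorted(c for c in cross_domain_cookies if c not in known):
                sent.append(cookie)
                if self.verify_on_extranet(cookie):
                    return "illegal", sent   # live extranet identity never seen on this terminal
                known.add(cookie)            # invalid identity: store as a legal sample
            return "legal", sent

        # Fingerprint not bound to this terminal (other branch): look the Cookies up
        # across the whole library and verify only the ones never seen before.
        for cookie in sorted(c for c in cross_domain_cookies if not self._known_anywhere(c)):
            sent.append(cookie)
            if self.verify_on_extranet(cookie):
                return "illegal", sent
        # Assumption: nothing verified as a live identity, so treat it as a newly
        # learned terminal and bind fingerprint, terminal and Cookies.
        self.learn(terminal_id, fingerprint, cross_domain_cookies)
        return "registered", sent


def run_sample():
    """Walk the constructed scenarios; returns (results, detector)."""
    # Constructed placeholders: "domain:name=value" strings stand in for cookies,
    # and the stand-in verifier treats exactly one of them as a live extranet identity.
    live_extranet_ids = {"social.example:uid=9f3a"}
    det = IllegalTerminalDetector(lambda c: c in live_extranet_ids)

    # Learning period: two legitimate intranet terminals and their cross-domain Cookies.
    det.learn("T1", "fp-T1", {"portal.intranet:sid=aa11", "mail.intranet:token=bb22"})
    det.learn("T2", "fp-T2", {"portal.intranet:sid=cc33"})

    results = {
        # known terminal, only known cookies -> legal, nothing verified
        "revisit_known": det.evaluate("T1", "fp-T1", {"portal.intranet:sid=aa11"}),
        # known terminal, one new cookie the verifier rejects -> legal, cookie stored
        "new_invalid": det.evaluate("T1", "fp-T1", {"portal.intranet:sid=aa11", "wiki.intranet:s=dd44"}),
        # known terminal, new cookie that is a live extranet identity -> illegal
        "new_valid": det.evaluate("T1", "fp-T1", {"social.example:uid=9f3a"}),
        # unknown fingerprint but cookies already in the library -> registered
        "unknown_fp_known_cookie": det.evaluate("T3", "fp-T3", {"portal.intranet:sid=cc33"}),
        # unknown fingerprint carrying a live extranet identity -> illegal, not registered
        "unknown_fp_live_cookie": det.evaluate("T4", "fp-T4", {"social.example:uid=9f3a"}),
    }
    return results, det
```

Two properties of the flow are worth noticing when reading the scenarios. Verification is only ever requested for Cookies absent from the library, so the library of legal samples is what keeps the extranet tool from being called on every visit; and a fingerprint that has never been learned is treated as a new terminal to register rather than as hostile, so the detector has no teeth until the learning period has produced the stable preset database the text describes.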
In the embodiment of the invention, an information model for the terminal can be established by collecting and learning the terminal account information, the IP address, the MAC address and other related information of the whole network in the intranet, and the information model comprises the stable preset database and the preset cross-domain Cookies library. Whether the terminal is illegal or breaks through the boundary of the intranet by adopting a technical means, the terminal entering the system aims to perform penetration and data information stealing on an intranet server storing a large amount of high values. Because the conventional access control and boundary protection are difficult to discover the terminal which has penetrated into the intranet, the access of the illegal terminal can be effectively prevented by deploying the JS code on the intranet server, the JS code is effectively linked with the existing system and information collision is carried out, and the lost network and the illegal terminal can be quickly searched through correlation analysis.
The system for identifying the illegal terminal access based on the session label provided by the embodiment of the invention comprises the following steps: a first intranet server 10, a terminal browser 20, a backhaul node server 30, and a system platform 40, wherein the system platform 40 includes: a data acquisition and analysis module 41; in the embodiment of the present invention, Cookies and terminal information of a terminal where a terminal browser 20 is located can be extracted by using an XSS attack code in a page returned by a first intranet server 10, where the terminal information includes: and cross-domain Cookies, generating fingerprint information based on the extracted information, comparing whether the terminal where the terminal browser 20 is located is the same terminal with the terminal corresponding to the fingerprint information in the preset database based on the fingerprint information, comparing the cross-domain Cookies read in a cross-domain mode with the cross-domain Cookies previously acquired by the same terminal, if new Cookies are found, carrying out validity verification on the cross-domain Cookies on the extranet through an extranet verification tool, and if a verification result returned by the extranet verification tool is that the cross-domain Cookies virtual identity is valid, determining the terminal where the terminal browser 20 is located as an illegal terminal. The embodiment of the invention can effectively solve the problem that important service data resource stealing behaviors are found when the terminal enters the intranet through long-term penetration or a broken network boundary in the intranet, thereby realizing effective identification of illegal terminals.
Further, referring to fig. 3, the system platform 40 further includes an early warning module 42, which reports the illegal terminal to the client as an early warning so that the manager can track and confirm it.
Further, the early warning module 42 is further configured to generate warning information when the number of times the operating system or the browser on the terminal hosting the terminal browser 20 has been reinstalled reaches a preset count.
In the embodiment of the present invention, the early warning module 42 is further configured to generate alarm information when, in an environment where the software and hardware white list of the terminal is strictly limited, a terminal bypasses the terminal management system by some technical means and installs software outside the white list or maliciously reinstalls the system or the browser repeatedly, so as to provide security managers with an auxiliary means of monitoring a large-scale private network environment.
Further, the data acquisition and analysis module 41 is further configured to establish a mapping relationship between the fingerprint information and the cross-domain Cookies.
In the embodiment of the present invention, the data acquisition and analysis module 41 establishes a mapping relationship between the fingerprint information and the cross-domain Cookies, and may also establish a mapping relationship between the Cookies corresponding to the fingerprint information and the cross-domain Cookies. These mapping relationships ensure that, every time the terminal browser 20 accesses the intranet server, the data acquisition and analysis module 41 can match the terminal browser 20 to determine whether it is the same terminal and whether the terminal has undergone a software change that violates the rules.
Further, the system for identifying illegal terminal access based on the session label further comprises a second intranet server 50, which provides XSS attack code to the terminal browser 20; when the terminal browser 20 accesses the second intranet server 50, it loads and executes the XSS attack code in the page returned by the second intranet server 50 so as to obtain the terminal information of the terminal where the terminal browser 20 is located.
In the embodiment of the invention, a plurality of intranet servers can be established; managing information data across several intranet servers is beneficial to information security and prevents all information from being leaked once a single intranet server is compromised.
Further, the system platform 40 further includes a code management module 43 and a server management module 44.
The code management module 43 is configured to maintain the XSS attack code provided by the first intranet server 10 and the second intranet server 50.
In the embodiment of the present invention, the code management module 43 may implement maintenance of the XSS attack code, management of XSS 0day vulnerabilities, selection of terminal data items, and monitoring of system status.
The server management module 44 is communicatively coupled to the backhaul node server 30 and manages the system platform 40 and the backhaul node server 30 according to a management policy.
In the session-label-based system for identifying illegal terminal access described above, the illegal terminal is effectively identified by combining XSS 0day vulnerabilities with the Cookies and cross-domain Cookies of the terminal browser 20; that is, an illegal terminal that has entered the intranet covertly is accurately identified, and it is further located and investigated in combination with other security management techniques and means. Other security management techniques include, but are not limited to, correlation analysis and mining of the target terminal using a cloud-based social engineering database or threat intelligence database, where the target terminal is the illegal terminal. The embodiment of the invention uses the XSS attack principle together with the property that, in the B/S architecture, the server sends Cookies to the terminal browser 20 to simplify session handling, and thereby forms an active defense. The embodiment of the invention can effectively identify an illegal terminal and defend against its behavior when it accesses the first intranet server and steals data or information in a large-scale, complex intranet environment.
Example two:
Referring to fig. 4, an embodiment of the present invention provides a method for identifying illegal terminal access based on a session tag, where the method is applied to a data acquisition and analysis module and includes:
Step S101: based on the fingerprint information, compare whether the terminal where a terminal browser is located and the terminal corresponding to the fingerprint information in a preset database are the same terminal; the fingerprint information is generated from the terminal information of the terminal browser and the Cookies.
The session label in the embodiment of the invention differs greatly from the session label in the prior art. Specifically, after HTTP communication is established between the first intranet server and the terminal browser, the first intranet server delivers Cookies and JS code to the terminal browser; the terminal browser loads and executes the JS code, obtains the terminal information and the cross-domain Cookies, and a unique tag identifying the terminal is computed from them, where the tag is the fingerprint information.
Step S102: if yes, compare the cross-domain Cookies with the cross-domain Cookies of the same terminal in a preset cross-domain Cookies library based on the fingerprint information; the cross-domain Cookies are obtained by the terminal browser loading and executing the XSS attack code in the page returned by the first intranet server.
Step S103: if the cross-domain Cookies do not exist in the preset cross-domain Cookies library, send them to an extranet verification tool so that the extranet verification tool can verify the validity of the cross-domain Cookies virtual identity on the extranet.
In the embodiment of the invention, once the terminal has been determined to be the same terminal, if the cross-domain Cookies already exist in the preset cross-domain Cookies library, the terminal where the terminal browser is located is determined to be a legal terminal.
Step S104: if the verification result returned by the extranet verification tool is that the cross-domain Cookies virtual identity is valid, determine the terminal where the terminal browser is located to be an illegal terminal.
In the embodiment of the invention, after the cross-domain Cookies have been sent to the extranet verification tool, if the verification result returned is that the virtual identity of the cross-domain Cookies is invalid, the cross-domain Cookies are stored in the preset cross-domain Cookies library, which serves as the legal sample library. If the verification result is that the cross-domain Cookies virtual identity is valid, the virtual identity account of the domain to which the cross-domain Cookies belong can be obtained, and one cross-domain Cookies virtual identity may correspond to several virtual identity accounts in that domain. Because an account registered on a website can be recognized on a later visit without a password, this provides a basis for tracing the user of the illegal terminal.
The embodiment of the invention uses the data acquisition and analysis module to analyze the terminal and the cross-domain Cookies based on the fingerprint information, and judges the legality of the terminal in combination with the verification result fed back by the extranet verification tool. The invention can therefore effectively discover the theft of important service data resources by a terminal that has entered the intranet through long-term penetration or a breached network boundary, thereby effectively identifying illegal terminals.
Further, the method further comprises: if the terminal where the terminal browser is located is not the same terminal as the terminal corresponding to the fingerprint information in the preset database, search for the cross-domain Cookies in the preset cross-domain Cookies library; if the cross-domain Cookies exist there, store the fingerprint information and the terminal where the terminal browser is located in the preset database, and if they do not exist there, send the cross-domain Cookies to the extranet verification tool so that it can verify the validity of the cross-domain Cookies virtual identity on the extranet.
The embodiment of the invention combines the session label with the technique for discovering illegal terminals, where the working principle of the session label comprises the following steps:
Step 1: provide a session label to the terminal, together with the JS code that obtains the terminal information.
The first intranet server inserts the JS code into a designated page through the server management module and waits for the terminal browser to access the page and run the code; the JS code also includes XSS vulnerability attack code that reads cross-domain Cookies for different terminal browsers in order to obtain more terminal information. The terminal information comprises the cross-domain Cookies, and the session label comprises the Cookies and the cross-domain Cookies.
Step 2: the terminal browser accesses the first intranet server and generates terminal information.
When the terminal browser accesses the first intranet server, the first intranet server first records the session ID and sets the Cookies to be sent to the terminal browser; the terminal browser records the related session label and writes the Cookies into a local file, while the JS code runs in the local browser to generate the terminal information.
Step 3: return the terminal information and the Cookies to the data acquisition and analysis module.
The Cookies and the terminal information are sent to the data acquisition and analysis module in the system platform by the backhaul node server; the data acquisition and analysis module stores the information and calculates a hash value over the Cookies, the IP address, the browser version, the MAC address and the other terminal information, which is used to uniquely identify the terminal.
The principle for discovering an illegal access terminal has the following steps:
Step 1: extract the session label of the terminal where the terminal browser is located.
The terminal browser accesses the first intranet server and runs the JS code to obtain the Cookies and the terminal information, which are sent through the backhaul node server to the data acquisition and analysis module for comparison of the label information, where the label information is a hash value.
Step 2: compare the session labels based on the preset database.
The premise of the comparison is that the established preset database is stable, that is, the terminals accessing the same intranet server are fixed. Each terminal may access one or more intranet servers. Based on the fingerprint information, the terminal corresponding to the fingerprint information can be found in the established preset database. The fingerprint information generated when the same terminal browser accesses the same intranet server several times is identical, so the same terminal browser can be recognized from the fingerprint information.
Step 3: comprehensively judge whether the terminal where the terminal browser is located is an illegal terminal.
If the cross-domain Cookies generated by running the JS code are the same as the cross-domain Cookies stored in the preset cross-domain Cookies library, the terminal is determined to be a legal terminal; if the cross-domain Cookies cannot be retrieved from the preset cross-domain Cookies library, the terminal is marked as an illegal terminal, and the related information of the illegal terminal is displayed on the platform to facilitate analysis and tracking by the managers.
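The session-label principle (the hash of step 3) and the discovery principle above, together with steps S101 to S104 of the method and its branch for a terminal that is not the same terminal, as an added Python example that is not the patent's own code: the Observation field set, the SHA-256 construction and the callable standing in for the extranet verification tool are assumptions, and every record is constructed.

```python
"""Added example, not the patent's own code: the decision logic of the data
acquisition and analysis module (steps S101 to S104, the 'not the same
terminal' branch and the session-label hash) as SessionLabelAnalyzer. The
hash construction, the Observation field set and the callable standing in
for the extranet verification tool are assumptions; all records are constructed."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Set, Tuple

# A cross-domain cookie as (domain, name, value): the "virtual identity" of an extranet site.
CrossDomainCookie = Tuple[str, str, str]


@dataclass(frozen=True)
class Observation:
    """One visit forwarded by the backhaul node server: Cookies issued by the
    intranet server plus the terminal information collected by the JS code."""
    terminal_id: str            # host identity, stored when learning
    cookies: str                # Cookies issued by the intranet server
    ip: str
    mac: str
    browser_version: str
    cross_domain_cookies: FrozenSet[CrossDomainCookie]


def fingerprint(obs: Observation) -> str:
    """Session-label step 3: hash the Cookies with the multi-factor terminal
    information (IP, MAC, browser version) to uniquely identify the terminal.
    SHA-256 over a canonical JSON list is an assumption ('a hash value')."""
    material = json.dumps([obs.cookies, obs.ip, obs.mac, obs.browser_version],
                          separators=(",", ":"))
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


class SessionLabelAnalyzer:
    """Preset database (fingerprint -> terminal) plus the preset cross-domain
    Cookies library, which is the legal sample library."""

    def __init__(self, verify_extranet: Callable[[CrossDomainCookie], bool]):
        self.preset_db: Dict[str, str] = {}
        self.cookie_library: Set[CrossDomainCookie] = set()
        # Stand-in for the extranet verification tool (True: identity still valid).
        self.verify_extranet = verify_extranet

    def learn(self, obs: Observation) -> None:
        """Learning period: record the fingerprint, accept Cookies as legal samples."""
        self.preset_db[fingerprint(obs)] = obs.terminal_id
        self.cookie_library |= obs.cross_domain_cookies

    def classify(self, obs: Observation) -> str:
        """Returns 'legal', 'registered' or 'illegal' for one access."""
        fp = fingerprint(obs)
        unseen = obs.cross_domain_cookies - self.cookie_library
        if fp in self.preset_db:
            # S101 yes, S102: all cross-domain Cookies already in the library
            # means the same terminal with no new identity.
            if not unseen:
                return "legal"
        elif not unseen:
            # Not the same terminal, but its cross-domain Cookies are known: a
            # software change (e.g. browser reinstall); store the new fingerprint.
            self.preset_db[fp] = obs.terminal_id
            return "registered"
        # S103: unseen Cookies go to the extranet verification tool. S104: a
        # still-valid virtual identity marks the terminal illegal; an invalid
        # one is added to the legal sample library.
        for cookie in sorted(unseen):
            if self.verify_extranet(cookie):
                return "illegal"
            self.cookie_library.add(cookie)
        return "legal"


def demo() -> Dict[str, str]:
    """Walks four constructed accesses of one workstation; returns the verdicts."""
    still_valid = {("forum.example", "tok", "attacker-session")}
    analyzer = SessionLabelAnalyzer(lambda c: c in still_valid)
    known = frozenset({("mail.example", "uid", "alice")})
    base = dict(terminal_id="ws-01", cookies="SID=3f9c", ip="10.0.0.5",
                mac="00:11:22:33:44:55", browser_version="Chrome/77")
    analyzer.learn(Observation(cross_domain_cookies=known, **base))
    verdicts = {}
    verdicts["repeat_visit"] = analyzer.classify(
        Observation(cross_domain_cookies=known, **base))
    verdicts["valid_extranet_identity"] = analyzer.classify(
        Observation(cross_domain_cookies=known | still_valid, **base))
    verdicts["expired_extranet_identity"] = analyzer.classify(Observation(
        cross_domain_cookies=known | {("wiki.example", "s", "old")}, **base))
    verdicts["browser_reinstalled"] = analyzer.classify(Observation(
        cross_domain_cookies=known, **dict(base, browser_version="Chrome/78")))
    return verdicts
```

The fourth scenario changes only the browser version, so the fingerprint no longer matches the preset database while every cross-domain cookie is already a legal sample, which is the "not the same terminal" branch that stores a new fingerprint rather than raising an alarm.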
The embodiment of the invention has the following technical characteristics:
(1) Because the terminal browser carries multi-factor terminal information, the fingerprint information is established by combining the multi-factor terminal information with the Cookies.
(2) The terminal information is read in cross-domain mode based on JS code execution and the vulnerability of the terminal browser, and whether the terminal carries traces of logins to other extranet systems is judged from the cross-domain Cookies and account information in the terminal information.
(3) Several pieces of related information stored in the preset cross-domain Cookies library of the existing intranet are linked to locate the illegal terminal effectively.
Owing to these technical characteristics, the embodiment of the invention can effectively discover the theft of important service data resources by an illegal terminal that has entered the intranet through long-term penetration or a breached network boundary.
Example three:
Referring to fig. 5, an embodiment of the present invention provides an apparatus for identifying illegal terminal access based on a session tag, where the apparatus is applied to a data acquisition and analysis module 41 and includes:
a first comparing unit 411, configured to compare, based on the fingerprint information, whether the terminal where the terminal browser 20 is located is the same terminal as the terminal corresponding to the fingerprint information in the preset database; the fingerprint information is generated from the terminal information of the terminal browser 20 and the Cookies;
a second comparing unit 412, configured to compare, if the result of the first comparing unit 411 is yes, the cross-domain Cookies with the cross-domain Cookies of the same terminal in a preset cross-domain Cookies library based on the fingerprint information; the cross-domain Cookies are obtained by the terminal browser 20 loading and executing the XSS attack code in the page returned by the first intranet server 10;
a sending unit 413, configured to send the cross-domain Cookies to an extranet verification tool if the cross-domain Cookies do not exist in the preset cross-domain Cookies library, so that the extranet verification tool verifies the validity of the cross-domain Cookies virtual identity on the extranet;
a determining unit 414, configured to determine the terminal where the terminal browser 20 is located to be an illegal terminal if the verification result returned by the extranet verification tool is that the cross-domain Cookies virtual identity is valid.
In the embodiment of the present invention, the first comparison unit 411 and the second comparison unit 412 are used to sequentially compare the terminal and the cross-domain Cookies, and when there is no cross-domain Cookies generated by the current access in the preset cross-domain Cookies library, the sending unit 413 is used to send the cross-domain Cookies to the extranet verification tool, and the extranet verification tool verifies the validity of the cross-domain Cookies virtual identity, and finally determines the terminal with the valid cross-domain Cookies virtual identity as an illegal terminal. The embodiment of the invention identifies the illegal terminal based on the session label, and the method is simple and effective.
Example four:
Referring to fig. 6, an embodiment of the present invention provides a system for identifying illegal terminal access based on a session tag, where the system includes: a first intranet server 10, a terminal browser 20, a backhaul node server 30, and a device for identifying illegal terminal access based on a session tag.
With the system for identifying illegal terminal access based on the session label, the embodiment of the invention can effectively identify an illegal terminal and defend against its behavior when it accesses the first intranet server and steals data or information in a large-scale, complex intranet environment.
In another embodiment of the present invention, an electronic device is further provided, which includes a memory and a processor, where the memory stores a computer program executable on the processor, and the processor implements the steps of the method of the above method embodiment when executing the computer program.
In yet another embodiment of the invention, a computer-readable medium having non-volatile program code executable by a processor, the program code causing the processor to perform the method of the method embodiment is also provided.
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solution of the present invention, and not to limit the same; while the invention has been described in detail and with reference to the foregoing embodiments, it will be understood by those skilled in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. An illegal terminal access identification system based on session tags, comprising: first intranet server, terminal browser, passback node server and system platform, wherein, the system platform includes: a data acquisition and analysis module;
the first intranet server is in communication connection with the terminal browser and is used for receiving an access request initiated by the terminal browser, creating Cookies of the terminal browser according to the access request and returning the Cookies to the terminal browser;
when the terminal browser accesses the first intranet server, loading and executing an XSS attack code in a page returned by the first intranet server to obtain terminal information of a terminal where the terminal browser is located, wherein the terminal information comprises cross-domain Cookies;
the return node server is in communication connection with the terminal browser and the data acquisition and analysis module and is used for transmitting the terminal information and the Cookies to the data acquisition and analysis module;
the data acquisition and analysis module generates fingerprint information of a terminal where the terminal browser is located based on the terminal information and the Cookies;
the data acquisition and analysis module is used for comparing whether a terminal where the terminal browser is located is the same as a terminal corresponding to the fingerprint information in a preset database or not based on the fingerprint information; if so, comparing the cross-domain Cookies with cross-domain Cookies of the same terminal in a preset cross-domain Cookies library based on the fingerprint information, if the cross-domain Cookies do not exist in the preset cross-domain Cookies library, sending the cross-domain Cookies to an extranet verification tool so as to enable the extranet verification tool to perform validity verification of the cross-domain Cookies virtual identity on the extranet, and if the verification result returned by the extranet verification tool is that the cross-domain Cookies virtual identity is valid, determining the terminal where the terminal browser is located as an illegal terminal.
2. The system for identifying the illegal terminal access based on the session tag as claimed in claim 1, wherein the system platform further comprises an early warning module, and the early warning module sends the illegal terminal to a client in an early warning manner so as to facilitate a manager to track and confirm.
3. The system for identifying the illegal terminal access based on the session label as claimed in claim 1, wherein the data acquisition and analysis module is further configured to establish a mapping relationship between the fingerprint information and the cross-domain Cookies.
4. The system for identifying illegal terminal access based on a session tag according to claim 1, further comprising: a second intranet server, configured to provide XSS attack code to the terminal browser, where the terminal browser loads and executes the XSS attack code in a page returned by the second intranet server when accessing the second intranet server, so as to obtain the terminal information of the terminal where the terminal browser is located.
5. The system for identifying illegal terminal access based on session tag according to claim 4, wherein said system platform further comprises: the code management module and the server management module;
the code management module is used for maintaining XSS attack codes provided by the first intranet server and the second intranet server;
and the server management module is in communication connection with the backhaul node server and is used for managing the system platform and the backhaul node server according to a management strategy.
6. A method for identifying illegal terminal access based on session tags is characterized by being applied to a data acquisition and analysis module, and comprises the following steps:
comparing whether a terminal where a terminal browser is located and a terminal corresponding to the fingerprint information in a preset database are the same terminal or not based on the fingerprint information; the fingerprint information is generated by terminal information of the terminal browser and Cookies;
if so, comparing the cross-domain Cookies with the cross-domain Cookies of the same terminal in a preset cross-domain Cookies library based on the fingerprint information; the cross-domain Cookies are loaded by the terminal browser and obtained by executing an XSS attack code in a page returned by the first intranet server;
if the cross-domain Cookies do not exist in the preset cross-domain Cookies library, sending the cross-domain Cookies to an extranet verification tool so that the extranet verification tool can carry out validity verification on the cross-domain Cookies virtual identity in the extranet;
if the verification result returned by the extranet verification tool is that the cross-domain Cookies virtual identity is valid, determining the terminal where the terminal browser is located as an illegal terminal.
7. A device for identifying illegal terminal access based on a session label, applied to a data acquisition and analysis module, comprising:
a first comparison unit, configured to compare, based on the fingerprint information, whether a terminal where a terminal browser is located is the same as a terminal corresponding to the fingerprint information in a preset database; the fingerprint information is generated from terminal information of the terminal browser and Cookies;
a second comparison unit, configured to compare, if the result of the first comparison unit is yes, the cross-domain Cookies with the cross-domain Cookies of the same terminal in a preset cross-domain Cookies library on the basis of the fingerprint information; the cross-domain Cookies are loaded by the terminal browser and obtained by executing an XSS attack code in a page returned by the first intranet server;
a sending unit, configured to send the cross-domain Cookies to an extranet verification tool if the cross-domain Cookies do not exist in the preset cross-domain Cookies library, so that the extranet verification tool performs validity verification of the cross-domain Cookies virtual identity on the extranet;
a determining unit, configured to determine the terminal where the terminal browser is located as an illegal terminal if the verification result returned by the extranet verification tool is that the cross-domain Cookies virtual identity is valid.
8. An illegal terminal access identification system based on session tags, comprising: a first intranet server, a terminal browser, a backhaul node server and an illegal terminal access device based on session tag identification according to claim 7.
9. An electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor implements the method of claim 6 when executing the computer program.
10. A computer-readable medium having non-volatile program code executable by a processor, the program code causing the processor to perform the method of claim 6.
CN201910910528.5A 2019-09-24 2019-09-24 Method, device and system for identifying illegal terminal access based on session label Active CN110602134B (en)

Publications (2)

Publication Number Publication Date
CN110602134A CN110602134A (en) 2019-12-20
CN110602134B true CN110602134B (en) 2021-06-25

Family

ID=68863292



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant