CN114065228A

CN114065228A - Data processing method and device

Info

Publication number: CN114065228A
Application number: CN202010761827.XA
Authority: CN
Inventors: 张旭
Original assignee: Alibaba Group Holding Ltd
Current assignee: Alibaba Group Holding Ltd
Priority date: 2020-07-31
Filing date: 2020-07-31
Publication date: 2022-02-18

Abstract

The application provides a data processing method and device. Receiving first web data sent by a server; selecting at least one encryption algorithm among a plurality of encryption algorithms based on the first web data; encrypting at least part of data in the first web data according to an encryption algorithm to obtain encrypted data; replacing at least part of data in the first web data by using the encrypted data to obtain second web data; and sending the second web data to the client. The method is an active defense scheme, can change the encryption algorithm according to actual requirements, and improves the difficulty of collecting analysis information and the difficulty of setting attack load before illegal attack by lawbreakers, so that the possibility that the server is attacked illegally can be indirectly reduced, and the safety of the server is improved.

Description

Data processing method and device

Technical Field

The present application relates to the field of internet, and in particular, to a data processing method and apparatus.

Background

With the rapid development of network technology, various web service providers emerge endlessly, and with the gradual increase of web service providers, the competition of network market is more and more intense, and some web service providers may make illegal attacks on other web service providers to make servers of other web service providers paralyzed in order to make themselves strive for more clients to achieve maximum benefit, so that users cannot enjoy data services from the servers of other web service providers, and thus turn to request data services from the servers of some web service providers.

In one example, web server A may automatically attack web server B according to a computer program. For example, web service provider a may count a URL (Uniform Resource Locator) for accessing web service provider B in advance, generate a large number of access requests for accessing the server of web service provider B according to the URL, and then concurrently send a large number of access requests to the server of web service provider B, so as to crash the server of web service provider B.

For the web service provider B, after the situation that the server is disabled for at least one time, the characteristics of a large number of access requests that cause the server to be disabled may be counted, where the large number of access requests generated by the web service provider a typically carries some characteristics of the web service provider a, for example, an IP (Internet Protocol) address, a port number, a provider ID, and the like of the web service provider a, and thus the web service provider B may use the characteristics of the web service provider a carried in the large number of access requests as sensitive characteristics.

And then when the web server B intercepts access requests which are used for accessing the server of the web server B and carry the sensitive features, the access requests can be blocked from accessing the server of the web server B, so that the server of the web server B is prevented from being paralyzed.

However, in the above manner, the web service provider B needs to know the sensitive features to effectively prevent the server from being attacked, which is a passive defense means, when an attack occurs, effective blocking can be achieved for the known attack, and effective blocking cannot be achieved for the unknown attack or the deformed attack, which results in a vulnerability in defense, and the defense cannot be effectively achieved, so that the security of the server is still low.

Disclosure of Invention

In order to effectively realize defense to improve the security of a server, the application shows a data processing method and a data processing device.

In a first aspect, the present application shows a data processing method applied to middleware, the method including:

receiving first web data sent by a server;

selecting at least one encryption algorithm among a plurality of encryption algorithms based on the first web data;

encrypting at least part of data in the first web data according to the encryption algorithm to obtain encrypted data;

replacing at least part of data in the first web data by the encrypted data to obtain second web data;

and sending the second web data to a client.

In an optional implementation manner, the encrypting at least part of the first web data according to the encryption algorithm to obtain encrypted data includes:

determining a non-visual element in the first web data;

and encrypting the non-visual elements according to the encryption algorithm to obtain the encrypted data.

determining an element type as an element of a preset potential attack type in the first web data;

and encrypting the element of the preset potential attack type according to the encryption algorithm to obtain the encrypted data.

determining an element to be encrypted in the first web data according to the trained determination model;

and encrypting the element to be encrypted according to the encryption algorithm to obtain the encrypted data.

In an optional implementation, the method further includes:

the method comprises the steps of obtaining at least one sample data set, wherein the sample data set comprises sample web data and elements to be encrypted, and the elements to be encrypted are marked in the sample web data;

and training an initialization model according to the at least one sample data set until parameters in the initialization model are converged, thereby obtaining the data determination model.

In an alternative implementation, the selecting at least one encryption algorithm among a plurality of encryption algorithms according to the first web data includes:

obtaining a first randomized seed from the first web data;

selecting at least one encryption algorithm among the plurality of encryption algorithms according to the first randomization seed.

In an optional implementation, the method further includes:

obtaining a second randomized seed from the first web data;

setting encryption parameters of the selected encryption algorithm according to the second randomization seed.

In an optional implementation manner, before sending the second web data to the client, the method further includes:

and replacing the data identification of the at least part of the data in the rendering script by using the data identification of the encrypted data in the case that the data identification of the at least part of the data exists in the rendering script for rendering the second web data.

and adding a data tag in the second web data, wherein the data tag at least comprises an algorithm identifier of the encryption algorithm and a data identifier of the encrypted data.

In an optional implementation, the method further includes:

receiving third web data returned by the client according to the second web data, wherein the third web data at least comprises the encrypted data and the data tag;

determining the encrypted data in the third web data according to the data identifier in the data tag, and acquiring a decryption algorithm corresponding to the encryption algorithm according to the algorithm identifier in the data tag;

decrypting the encrypted data in the third web data according to the decryption algorithm to obtain the at least part of data;

replacing the encrypted data in the third web data with the at least part of data to obtain fourth web data;

and sending the fourth web data to the server.

In a second aspect, the present application shows a data processing method, which is applied to a server, and the method includes:

acquiring first web data for sending to a client;

and sending the second web data to a client.

In an optional implementation, the method further includes:

responding to the fourth web data.

In a third aspect, the present application shows a data processing method applied to a client, where the method includes:

receiving first web data sent by a server;

responding to the second web data.

In an optional implementation manner, before responding to the second web data, the method further includes:

In an optional implementation, the method further includes:

acquiring third web data which is obtained by the client according to the second web data and is used for sending to the server, wherein the third web data at least comprises the encrypted data and the data tag;

and sending the fourth web data to the server.

In a fourth aspect, the present application shows a data processing apparatus, applied to middleware, the apparatus comprising:

the first receiving module is used for receiving first web data sent by a server;

a first selection module to select at least one encryption algorithm among a plurality of encryption algorithms based on the first web data;

the first encryption module is used for encrypting at least part of data in the first web data according to the encryption algorithm to obtain encrypted data;

the first replacing module is used for replacing at least part of data in the first web data by using the encrypted data to obtain second web data;

and the first sending module is used for sending the second web data to the client.

In an optional implementation manner, the first encryption module includes:

a first determining unit for determining a non-visual element in the first web data;

and the first encryption unit is used for encrypting the non-visual element according to the encryption algorithm to obtain the encrypted data.

In an optional implementation manner, the first encryption module includes:

a second determining unit, configured to determine, in the first web data, that the element type is an element of a preset potential attack type;

and the second encryption unit is used for encrypting the element of the preset potential attack type according to the encryption algorithm to obtain the encrypted data.

In an optional implementation manner, the first encryption module includes:

a third determining unit, configured to determine an element to be encrypted in the first web data according to the trained determination model;

and the third encryption unit is used for encrypting the element to be encrypted according to the encryption algorithm to obtain the encrypted data.

In an optional implementation manner, the first encryption module further includes:

the system comprises a first acquisition unit, a second acquisition unit and a third acquisition unit, wherein the first acquisition unit is used for acquiring at least one sample data set, and the sample data set comprises sample web data and elements to be encrypted, which are marked in the sample web data;

and the training unit is used for training the initialization model according to the at least one sample data set until parameters in the initialization model are converged, so that the data determination model is obtained.

In an optional implementation manner, the first selection module includes:

a second obtaining unit, configured to obtain a first randomized seed according to the first web data;

a selecting unit for selecting at least one encryption algorithm among the plurality of encryption algorithms according to the first randomized seed.

In an optional implementation manner, the first selecting module further includes:

a third obtaining unit, configured to obtain a second randomized seed according to the first web data;

and the setting unit is used for setting the encryption parameters of the selected encryption algorithm according to the second randomization seed.

In an optional implementation, the apparatus further comprises:

and a second replacement module, configured to replace the data identifier of the at least part of the data in the rendering script with the data identifier of the encrypted data if the data identifier of the at least part of the data exists in the rendering script for rendering the second web data.

In an optional implementation, the apparatus further comprises:

a first adding module, configured to add a data tag to the second web data, where the data tag at least includes an algorithm identifier of the encryption algorithm and a data identifier of the encrypted data.

In an optional implementation, the apparatus further comprises:

the second receiving module is used for receiving third web data returned by the client according to the second web data, and the third web data at least comprises the encrypted data and the data tag;

a first determining module, configured to determine the encrypted data in the third web data according to the data identifier in the data tag, and obtain a decryption algorithm corresponding to the encryption algorithm according to the algorithm identifier in the data tag;

the first decryption module is used for decrypting the encrypted data in the third web data according to the decryption algorithm to obtain at least part of data;

a third replacing module, configured to replace the encrypted data in the third web data with the at least part of data to obtain fourth web data;

and the second sending module is used for sending the fourth web data to the server.

In a fifth aspect, the present application shows a data processing apparatus, applied to a server, the apparatus including:

the first acquisition module is used for acquiring first web data sent to the client;

a second selection module to select at least one encryption algorithm among a plurality of encryption algorithms based on the first web data;

the second encryption module is used for encrypting at least part of data in the first web data according to the encryption algorithm to obtain encrypted data;

a fourth replacing module, configured to replace at least part of the first web data with the encrypted data to obtain second web data;

and the third sending module is used for sending the second web data to the client.

In an optional implementation, the apparatus further comprises:

a second adding module, configured to add a data tag to the second web data, where the data tag at least includes an algorithm identifier of the encryption algorithm and a data identifier of the encrypted data.

In an optional implementation, the apparatus further comprises:

a third receiving module, configured to receive third web data returned by the client according to the second web data, where the third web data at least includes the encrypted data and the data tag;

a second determining module, configured to determine the encrypted data in the third web data according to the data identifier in the data tag, and obtain a decryption algorithm corresponding to the encryption algorithm according to the algorithm identifier in the data tag;

the second decryption module is used for decrypting the encrypted data in the third web data according to the decryption algorithm to obtain at least part of data;

a fifth replacing module, configured to replace the encrypted data in the third web data with the at least part of data to obtain fourth web data;

a first response module to respond to the fourth web data.

In a sixth aspect, the present application shows a data processing apparatus applied to a client, the apparatus comprising:

the fourth receiving module is used for receiving the first web data sent by the server;

a third selection module to select at least one encryption algorithm among a plurality of encryption algorithms based on the first web data;

the third encryption module is used for encrypting at least part of data in the first web data according to the encryption algorithm to obtain encrypted data;

a sixth replacing module, configured to replace at least part of the first web data with the encrypted data to obtain second web data;

and the second response module is used for responding to the second web data.

In an optional implementation, the apparatus further comprises:

a third adding module, configured to add a data tag to the second web data, where the data tag at least includes an algorithm identifier of the encryption algorithm and a data identifier of the encrypted data.

In an optional implementation, the apparatus further comprises:

a second obtaining module, configured to obtain third web data, which is obtained by the client according to the second web data and is used for being sent to the server, where the third web data at least includes the encrypted data and the data tag;

a third determining module, configured to determine the encrypted data in the third web data according to the data identifier in the data tag, and obtain a decryption algorithm corresponding to the encryption algorithm according to the algorithm identifier in the data tag;

a third decryption module, configured to decrypt, according to the decryption algorithm, the encrypted data in the third web data to obtain the at least part of data;

a seventh replacing module, configured to replace the encrypted data in the third web data with the at least part of data to obtain fourth web data;

and the fourth sending module is used for sending the fourth web data to the server.

In a seventh aspect, the present application shows an electronic device comprising:

a processor; and

a memory having executable code stored thereon, which when executed causes the processor to perform the data processing method of the first aspect.

In an eighth aspect, the present application shows one or more machine readable media having stored thereon executable code which, when executed, causes a processor to perform the data processing method of the first aspect.

In a ninth aspect, the present application shows an electronic device comprising:

a processor; and

a memory having executable code stored thereon, which when executed causes the processor to perform a data processing method according to the second aspect.

In a tenth aspect, the present application shows one or more machine readable media having stored thereon executable code which, when executed, causes a processor to perform the data processing method of the second aspect.

In an eleventh aspect, the present application shows an electronic device comprising:

a processor; and

a memory having executable code stored thereon, which when executed causes the processor to perform the data processing method of the third aspect.

In a twelfth aspect, the present application shows one or more machine-readable media having executable code stored thereon that, when executed, causes a processor to perform the data processing method of the third aspect.

Compared with the prior art, the embodiment of the application has the following advantages:

according to the method and the device, the client side obtains the second web data, the second web data does not have at least part of original data, and the second web data has the encrypted data obtained by encrypting at least part of data, so that lawless persons can not steal at least part of original data and can only steal the encrypted data.

However, the encrypted data does not have practical meaning to the lawbreaker, that is, the lawbreaker cannot usually find out the practical meaning of the encrypted data, so that the lawbreaker cannot perform illegal attack on the server based on the encrypted data.

Compared with the prior art, the method is an active defense scheme, the encryption algorithm can be changed according to actual requirements, the difficulty of collecting analysis information and the difficulty of setting attack load before illegal attack is carried out by lawless persons is improved, the possibility that the server side is illegally attacked can be indirectly reduced, and the safety of the server side can be improved.

The defense mode does not depend on sensitive characteristics in the prior art, and can universally defend various illegal attacks including known illegal attacks, unknown illegal attacks and the like, for example, illegal persons can be prevented from launching the illegal attacks to the server based on web data, so that the illegal attacks to the server are restrained from the source.

In addition, at least part of data in the web data is encrypted, so that the related information of the server can be hidden, lawless persons cannot analyze the server through reverse engineering, vulnerability discovery possibility in the server can be effectively reduced, possibility of attack on the server is reduced, and safety of the server can be improved.

In addition, if the encryption algorithms used for encrypting different web data to be sent to the client are the same, lawless persons can try to violently break the encryption algorithms according to a large amount of encrypted data, then break the decryption algorithms corresponding to the encryption algorithms according to breaks, then identify at least part of original data in the web data according to the decryption algorithms, further carry out illegal attack on the server, and accordingly the security of the server is low.

In order to further improve the security of the server, in the application, the encryption algorithms used for encrypting different web data to be sent to the client are not all the same, dynamic processing of the web data is realized, so that confusion can be caused to lawless persons, the difficulty and threshold for the lawless persons to try to violently break the encryption algorithms are increased, the lawless persons are difficult to locate the entry and the target for implementing illegal attacks, the difficulty for the lawless persons to launch the illegal attacks on the server is increased, and the security of the server can be further improved.

Drawings

FIG. 1 is a block diagram illustrating a data processing system according to an exemplary embodiment of the present application.

Fig. 2 is a flowchart illustrating a data processing method according to an exemplary embodiment of the present application.

Fig. 3 is a flow chart illustrating an encryption method according to an exemplary embodiment of the present application.

Fig. 4 is a flowchart illustrating an encryption method according to an exemplary embodiment of the present application.

Fig. 5 is a flowchart illustrating an encryption method according to an exemplary embodiment of the present application.

Fig. 6 is a flow chart illustrating a method for selecting an encryption algorithm according to an exemplary embodiment of the present application.

Fig. 7 is a flowchart illustrating a data processing method according to an exemplary embodiment of the present application.

Fig. 8 is a flowchart illustrating a data processing method according to an exemplary embodiment of the present application.

Fig. 9 is a flowchart illustrating a data processing method according to an exemplary embodiment of the present application.

Fig. 10 is a flowchart illustrating a data processing method according to an exemplary embodiment of the present application.

Fig. 11 is a flowchart illustrating a data processing method according to an exemplary embodiment of the present application.

Fig. 12 is a block diagram illustrating a data processing apparatus according to an exemplary embodiment of the present application.

Fig. 13 is a block diagram illustrating a data processing apparatus according to an exemplary embodiment of the present application.

Fig. 14 is a block diagram illustrating a data processing apparatus according to an exemplary embodiment of the present application.

Fig. 15 is a schematic structural diagram of an apparatus according to an embodiment of the present application.

Detailed Description

In order to make the aforementioned objects, features and advantages of the present application more comprehensible, the present application is described in further detail with reference to the accompanying drawings and the detailed description.

Referring to fig. 1, a block diagram of a data processing system according to the present invention is shown, where the system includes a client 01, a middleware 02, and a server 03.

The server 03 can provide data services to the client 01.

The client 01 may have an application program and the like installed thereon, and the application program may include a browser and the like.

The client 01 can perform data interaction with the server 03 according to the application program, for example, the client 01 and the server 03 perform data interaction according to a Hyper Text Transfer Protocol (HTTP) or a Transmission Control Protocol (TCP) Protocol.

The middleware 02 is arranged on a transmission path between the client 01 and the server 03, and data interacted between the client 01 and the server 03 passes through the middleware 02, is processed by the middleware 02 and then is forwarded. The process of the middleware 02 processing on the data processing can be referred to the embodiments shown later, and is not described in detail here.

The middleware 02 may be located in a separate hardware device, or may be integrated in the server 03.

The middleware 02 includes: open source programs such as Nginx (ngine x, high performance HTTP and reverse proxy web server), Apache (Apache, web server software), and Caddy.

In one embodiment, the middleware 02 may be Nginx or the like in the form of Lua script instrumentation.

Referring to fig. 2, a flow chart of a data processing method according to the present application is shown, where the method is applied to the middleware 02 shown in fig. 1, and the method may include:

in step S101, receiving first web data sent by a server;

in the application, the server can provide data service for the client, the client can send an access request to the server, the server obtains first web data to be accessed by the client according to the access request, and then the first web data can be sent to the client.

In a case that the server needs to send the first web data to the client, the server may not directly send the first web data to the client, and the server may first send the first web data to the middleware, and then the middleware receives the first web data, and then performs step S102.

Selecting at least one encryption algorithm among a plurality of encryption algorithms based on the first web data in step S102;

in the present application, a plurality of Encryption algorithms, for example, Base64 (binary Data is expressed by 64 printable characters), HMAC (Hash Message Authentication Code), DES (Data Encryption Standard), AES (Advanced Encryption Standard), DSA (Digital Signature Algorithm), ECC (Elliptic curve Cryptography), and the like, may be set in the middleware in advance. The present application does not limit the specific encryption algorithm.

In the present application, the web data that the server needs to send to the client has different differences in different services, for example, different service information in the web data, different destination IP addresses recorded in the web data, different destination port numbers recorded in the web data, different IDs (Identity documents) of users using the client recorded in the web data, different IDs of the client recorded in the web data, different sending times of the web data recorded in the web data, and the like.

Therefore, after the middleware receives the web data sent by the server and before the web data is forwarded to the client, the middleware can select the encryption algorithm from the multiple encryption algorithms according to the differences, so that the encryption algorithms selected for different web data are not all the same, the encryption algorithms used for encrypting different web data are not all the same, and the security of the server can be indirectly improved.

Further, in practical application, new encryption algorithms and the like can be continuously set in the middleware according to actual requirements so as to expand the types of the encryption algorithms, and the safety of the server side can be indirectly improved.

The specific selection manner of selecting at least one encryption algorithm from the plurality of encryption algorithms according to the first web data may be referred to as an embodiment shown later, and is not described in detail here.

In step S103, encrypting at least a part of the first web data according to an encryption algorithm to obtain encrypted data;

in one embodiment of the present application, all data in the first web data may be encrypted, and part of the data in the first web data may also be encrypted. Specific examples of which numbers in the first web data are encrypted can be found in the following embodiments, and are not described in detail here.

Alternatively, in another embodiment of the present application, at least a portion of the data may be randomly selected in the first web data, and then the randomly selected at least a portion of the data may be encrypted according to an encryption algorithm.

In step S104, replacing at least part of the data in the first web data with the encrypted data, resulting in second web data;

in step S105, the second web data is transmitted to the client.

The method and the system can effectively inhibit CSRF (Cross Site Request Forger, Cross-Site script Request Forgery) attacks, CC (challenge Collapsar) attacks, automatic crawlers, automatic database bumping and other automatic illegal attacks, and can improve the safety of the server.

In the application, the first web data includes data to be rendered by the client, and the client can render the data according to the rendering script when rendering the data.

The rendering script can be located in the first web data, the rendering script in the first web data can be separated from the data needing to be rendered, and the data identification of the data needing to be rendered is recorded in the rendering script. The rendering script can acquire the data to be rendered according to the recorded data identification and render the data to be rendered.

In a rendering script in first web data sent by a server and received by the middleware, data identifications of the data needing to be rendered are recorded. However, there may be data to be rendered in at least part of the encrypted first web data, and if there is data to be rendered in at least part of the encrypted first web data, a data identifier of the data to be rendered may exist in the rendering script, but the data identifier of the encrypted data obtained after encryption is often different from the data identifier of the data to be rendered in at least part of the data before encryption.

Thus, the data in the rendering script is identified as: the data identification of the data needing to be rendered in at least part of the data before encryption is available, the data needing to be rendered before encryption is absent in the second web data, and the encrypted data is available, but the encrypted data cannot be acquired according to the data identification of the data needing to be rendered before encryption, and further the encrypted data cannot be rendered.

Therefore, in another embodiment of the present application, in order to enable the rendering script to render the encrypted data, before the middleware sends the second web data to the client, in a case that a data identifier of at least part of the data exists in the rendering script for rendering the second web data, the data identifier of the encrypted data is used to replace the data identifier of the at least part of the data in the rendering script, so that when the client renders the second web data, the client can acquire the encrypted data in the second web data according to the data identifier of the encrypted data in the rendering script and then render the encrypted data according to the rendering script.

In one embodiment of the present application, referring to fig. 3, step S103 includes:

in step S201, a non-visual element is determined in the first web data;

in the present application, the first web data includes a visual element and a non-visual element, and the visual element can be displayed on the web page after being rendered by the client, so as to be viewed by the user.

While non-visual elements may not typically be displayed on a web page after being processed by a client, a user typically does not see non-visual elements on a web page.

For example, a virtual button is included in one web page, the virtual button is a visual element, the user can see the virtual button in the web page, the user can jump to another web page by clicking the virtual button, the virtual button includes a URL of another web page, and the like, the URL is not displayed on the web page, only exists in the web data, and therefore, the URL is a non-visual element.

If the server encrypts the visual element in the first web data, because the visual element before encryption is different from the element obtained after encrypting the visual element, and because the client receives the second web data including the element obtained after encrypting the visual element but not including the visual element before encryption, after the client renders the element obtained after encrypting the visual element, the user can see the element obtained after encrypting the visual element on the web page but cannot see the visual element before encryption, the content seen by the user is inconsistent with the visual content sent by the server, and the user actually wants to see the visual element before encryption, which results in that the user cannot see the content he wants to see.

For example, a user needs to browse news in a web page, the first web data includes the news in the web page, in one example, the news is embodied by text, the text of the news is a visual element, after the server encrypts the text of the news, the encrypted text may be scrambled, which does not have actual semantics, and the user does not understand the encrypted text.

The user sees the messy code on the web page and does not see the text of the news.

Therefore, the data service provided by the server at this time is likely to be an invalid data service, which wastes network resources, system resources of the server, system resources of the client, and the like, and may also reduce user experience.

Therefore, in order to avoid the above situation, in another embodiment of the present application, all elements in the first web data may not be encrypted, but a non-visual element may be determined in the first web data, and then step S102 is performed.

In one embodiment, the visual elements have special marks, the non-visual elements also have special marks, and the special marks of the visual elements are different from the special marks of the non-visual elements, so that the visual elements and the non-visual elements can be distinguished according to the special marks to realize the determination of the non-visual elements in the first web data.

In step S202, the non-visual element is encrypted according to an encryption algorithm to obtain encrypted data.

In one embodiment of the present application, referring to fig. 4, step S103 includes:

in step S301, determining an element type as an element of a preset potential attack type in the first web data;

in one scenario, a web page of rendered first web data includes an interface such as a login interface or a payment interface, which requires to input a user name and a password, and the interface includes at least two input boxes, a user name input box and a password input box, and in the first web data, keywords may be used to identify each input box, for example, a keyword "username" is used to identify the user name input box, and a keyword "password" is used to identify the password input box.

In the first web data, a user name input box identified by the keyword "username", a password input box identified by the keyword "password", and a password input box identified by the keyword "password" are included.

If the client has the first web data, the user may be used to enter a username in a username entry box and a password in a password entry box after the client renders the first web data.

After that, the client may generate web data, such as a login request or a payment request, to be sent to the server according to at least the keyword "username", the username used by the user to input in the username input box, the keyword "password", and the password used by the user to input in the password input box, and then send the generated web data to the server via the middleware.

However, since the keyword "username" is used to identify the username input box and the keyword "password" is used to identify the password input box in the first web data, the lawless persons can crawl the first web data and analyze the first web data, so as to find that the first web data has the keywords "username" and "password", and further determine that the user may input the username and the password in the web page obtained after rendering the first web data, in order to steal the username and the password to engage in illegal activities and obtain illegal benefits, the lawless persons can pay close attention to the web data returned by the client to the server according to the first web data, if the user inputs the username and the password in the web page obtained after rendering the first web data, the web data returned by the client to the server according to the first web data usually carries the username and the password, and thus, lawbreakers can steal the user name and the password by crawling the web data returned by the client to the server according to the first web data, so that risks are brought to the account security of the user, and further the lawbreakers can carry out illegal attacks on the server based on the user name and the password.

In general, many elements are included in the web data, and a lawbreaker usually only has an interest in some elements, that is, usually only some elements in the web data are stolen, and then information is stolen and/or a server is illegally attacked by using the some elements, for example, a lawbreaker usually steals elements related to property or confidential information, but not all elements in the web data.

Therefore, elements that a lawless person would normally steal in web data, such as elements for login account and elements paid by a user, can be evaluated or counted in advance, and then the element types of the elements are counted and used as the preset potential attack types.

In this way, in the application, the element type of the first web data may be determined to be the element of the preset potential attack type, and then the element of the preset potential attack type may be encrypted according to the encryption algorithm to obtain the encrypted data.

Under a normal condition, a lawbreaker is not interested in elements of the non-preset potential attack types in the web data, namely, the lawbreaker cannot steal the elements of the non-preset potential attack types in the web data, so that all the elements in the first web data are not required to be encrypted, the encrypted data volume is reduced, the time consumed by encryption is reduced, the efficiency of the second web data reaching the client side can be improved, and the data transmission efficiency between the server side and the client side is improved under the condition of ensuring the safety of the web data.

In step S302, the element of the preset potential attack type is encrypted according to an encryption algorithm to obtain encrypted data.

In one embodiment of the present application, referring to fig. 5, step S103 includes:

in step S401, determining an element to be encrypted in the first web data according to the trained determination model;

in an embodiment of the present application, a determination model may be trained in advance, and then an element that needs to be encrypted may be determined in the first web data according to the determination model.

For example, at least one sample data set may be obtained, the sample data set including sample web data and elements to be encrypted tagged in the sample web data. The initialization model may then be trained based on at least one sample data set until parameters in the initialization model converge, resulting in a data determination model.

Thereafter, each time web data needs to be encrypted, the elements to be encrypted may be determined in the web data according to the trained determination model.

The initialization model may include CNN (Convolutional Neural Networks), RNN (Recurrent Neural Networks), LSTM (Long Short-Term Memory), and the like, and the specific model type is not limited in the present application.

In one example, the sample web data may be multiple, and the multiple sample web data may include web data under multiple services or multiple applications, so as to improve generalization capability of the trained deterministic model.

The elements to be encrypted may be manually annotated to the sample web data by a technician. When the elements to be encrypted are marked, technicians can mark the elements to be encrypted according to actual requirements, for example, elements which are considered to be easily stolen by technicians in the sample web elements and/or elements which are easily used by a lawbreaker attack server and the like are marked as the elements to be encrypted, or non-visual elements are marked as generation encryption elements and the like.

In this step, the first web data may be input into the trained determination model to obtain the element to be encrypted output by the determination model, and then step S402 is performed.

In step S402, the element to be encrypted is encrypted according to the encryption algorithm, so as to obtain encrypted data.

In one embodiment of the present application, referring to fig. 6, step S102 includes:

in step S501, a first randomization seed is obtained from the first web data;

the first randomized seed can include at least one of: the service information in the first web data, the service type to which the service information recorded in the first web data belongs, the destination IP address recorded in the first web data, the destination port number recorded in the first web data, the ID of the user using the client recorded in the first web data, the ID of the client recorded in the first web data, the transmission time of the web data recorded in the first web data, and the like.

In step S502, at least one encryption algorithm is selected among a plurality of encryption algorithms according to the first randomization seed.

In the present application, an algorithm identifier may be set for each of a plurality of encryption algorithms, and the algorithm identifiers of different encryption algorithms are different.

For example, a plurality of encryption algorithms may be ordered, with the sequence number of each encryption algorithm being the algorithm identification of the encryption algorithm. For example, the algorithm of the encryption algorithm ordering bit 1 is identified as 1, the algorithm of the encryption algorithm ordering bit 2 is identified as 2, and so on.

As such, the algorithm identification of each of the plurality of encryption algorithms may be located within a numerical range, e.g., (1, X), where X is the total number of the plurality of encryption algorithms.

For the first randomized seed, the first randomized seed may be converted into a number according to a specific Algorithm, for example, the first randomized seed is processed according to MD5(Message Digest Algorithm, version 5) to obtain a value, and then the value is mapped to another value within the value range (1, X), for example, the value is randomly mapped to another value within the value range (1, X), and the like, or a preset range of the value is determined, and then the value is mapped to another value within the value range (1, X) that uniquely corresponds to the preset range, and the like, and then the encryption Algorithm identified as the another value is selected from among the plurality of encryption algorithms.

Due to the difference of the randomized seeds, the values obtained by the MD5 are not all the same, so that the encryption algorithms selected for different web data are not all the same, the encryption algorithms used for encrypting different web data are not all the same, and the security of the server side can be indirectly improved.

In the above-described embodiment, the encryption algorithms used in encrypting different web data are not all made the same.

In order to further improve the security of the server, in another embodiment of the present application, each encryption algorithm has its own encryption parameter. After selecting an encryption algorithm for the first web data among the plurality of encryption algorithms, a second randomization seed may also be obtained from the first web data, and then the encryption parameters of the selected encryption algorithm may be set according to the second randomization seed.

Wherein, the second randomized seed can be referred to the description of the first randomized seed, and will not be described in detail here.

A process for setting encryption parameters of a selected encryption algorithm in accordance with a second randomized seed, comprising:

the second randomized seed may be converted to a number according to a particular algorithm, for example, by processing the second randomized seed according to MD5 to obtain a value, and then setting the encryption parameters of the selected encryption algorithm according to the value.

Since the values obtained by the MD5 are not all the same due to the difference of the randomized seeds, even if the same encryption algorithm is selected for a plurality of different web data, the security of the server can be indirectly improved due to the difference of the encryption parameters in the encryption algorithms set for the different web data.

In another embodiment of the present application, before sending the second web data to the client, a data tag may be further added to the second web data, where the data tag includes at least an algorithm identifier of the selected encryption algorithm and a data identifier of the encrypted data.

Further, the data tag may also include encryption parameters set for a selected encryption algorithm, and the like.

In one embodiment of the application, after the client renders the first web data, the user can see the web page, and then can operate on the web page, so that the client generates third web data needing to be sent to the server, and then sends the third web data to the middleware.

For example, in one example, the first web data includes a virtual button, the virtual button includes a URL of another web page, and the like, the middleware has encrypted the URL of the other web page in the first web data in step S103, and thus the virtual button in the second web data does not include the URL of the other web page before encryption but includes the encrypted URL.

In this way, after the client renders the second web data, a virtual button is displayed in the web page, the virtual button includes an encrypted URL and the like, the user can see the virtual button in the web page, the user can jump to another web page by clicking the virtual button, if the user clicks the virtual button, the client generates third web data for accessing the server according to the encrypted URL, and then sends the third web data to the middleware. Since the server cannot identify the encrypted URL, the middleware needs to decrypt the encrypted URL.

Specifically, in another embodiment of the present application, referring to fig. 7, the method further includes:

in step S601, receiving third web data returned by the client according to the second web data, where the third web data at least includes encrypted data and the data tag;

the third web data may carry encrypted data obtained by encrypting according to an encryption algorithm, and the server cannot identify the encrypted data, so that the client needs to send the encrypted data to the middleware first, decrypt the encrypted data in the third web data through the middleware, and forward the decrypted data to the server.

In order to enable the third web data to decrypt the encrypted data, the third web data needs to carry a data tag carried in the second web data.

In step S602, determining encrypted data in the third web data according to the data identifier in the data tag, and obtaining a decryption algorithm corresponding to the encryption algorithm according to the algorithm identifier in the data tag;

in the present application, a plurality of encryption algorithms are set in the middleware in advance, and a decryption algorithm corresponding to each encryption algorithm may be set in the middleware.

Further, if the data tag further includes an encryption parameter of the selected encryption algorithm, etc., the decryption parameter of the decryption algorithm may be set as the acquired decryption parameter.

In step S603, decrypting the encrypted data in the third web data according to a decryption algorithm to obtain at least part of data;

in step S604, replacing the encrypted data in the third web data with at least part of the data, resulting in fourth web data;

in another embodiment of the present application, before encrypting at least part of the data in the first web data according to the encryption algorithm in step S103, the middleware may cache at least part of the data in the first web data.

After the encrypted data in the third web data is decrypted according to the decryption algorithm in step S604 to obtain at least part of data, whether the at least part of data obtained by decryption is the same as at least part of data in the first web data cached in advance may be compared, and in the case of the same, the encrypted data in the third web data is replaced by the at least part of data to obtain fourth web data.

In step S605, the fourth web data is transmitted to the server.

Therefore, the server side can be transparent, the server side does not need to be improved, and the cost can be saved on the premise of guaranteeing the safety of the server side.

Referring to fig. 8, a flow chart of a data processing method according to the present application is shown, and the method is applied to a server and may include:

in step S701, first web data for transmission to a client is acquired;

in the application, the server may provide data service for the client, the client may send an access request to the server, and the server acquires the first web data that the client needs to access according to the access request, and then performs step S702.

Selecting at least one encryption algorithm among a plurality of encryption algorithms according to the first web data in step S702;

the step can be referred to as step S102, and is not described in detail here.

In step S703, encrypting at least a part of the first web data according to an encryption algorithm to obtain encrypted data;

the step can be referred to as step S103, and is not described in detail here.

In step S704, replacing at least part of the data in the first web data with the encrypted data, resulting in second web data;

in step S705, the second web data is transmitted to the client.

In one embodiment of the application, after the client renders the first web data, the user can see the web page, and then can operate on the web page, so that the client generates third web data needing to be sent to the server, and then sends the third web data to the server.

For example, in one example, the first web data includes a virtual button, the virtual button includes a URL of another web page, and the like, and the server encrypts the URL of the other web page in the first web data in step S703, so that the virtual button in the second web data does not include the URL of the other web page before encryption but includes the encrypted URL.

In this way, after the client renders the second web data, a virtual button is displayed in the web page, the virtual button includes an encrypted URL and the like, the user can see the virtual button in the web page, the user can jump to another web page by clicking the virtual button, if the user clicks the virtual button, the client generates third web data for accessing the server according to the encrypted URL, and then sends the third web data to the server. Since the server cannot identify the encrypted URL, the server needs to decrypt the encrypted URL.

Specifically, in another embodiment of the present application, referring to fig. 9, the method further includes:

in step S801, third web data returned by the client according to the second web data is received, where the third web data at least includes encrypted data and a data tag;

in step S802, determining encrypted data in the third web data according to the data identifier in the data tag, and obtaining a decryption algorithm corresponding to the encryption algorithm according to the algorithm identifier in the data tag;

the third web data may carry encrypted data obtained by encrypting according to an encryption algorithm, and the server cannot identify the encrypted data, so that the server may perform step S802 to decrypt the encrypted data in the third web data after obtaining the third web data.

In the application, a plurality of encryption algorithms are set in the server in advance, and a decryption algorithm corresponding to each encryption algorithm can be set in the server.

In step S803, the encrypted data in the third web data is decrypted according to the decryption algorithm to obtain at least part of data;

in step S804, replacing the encrypted data in the third web data with at least part of the data to obtain fourth web data;

in another embodiment of the present application, before encrypting at least part of the data in the first web data according to the encryption algorithm in step S703, the server may cache at least part of the data in the first web data.

After the encrypted data in the third web data is decrypted according to the decryption algorithm in step S804 to obtain at least part of the data, whether the at least part of the data obtained by decryption is the same as at least part of the data in the first web data cached in advance may be compared, and in the case of the same, the encrypted data in the third web data is replaced by the at least part of the data to obtain fourth web data.

In step S805, the fourth web data is responded to.

After obtaining the fourth web data, the server may use, apply, or process the fourth web data, and so on.

Referring to fig. 10, a flow chart of a data processing method according to the present application is shown, and the method is applied to a client, and may include:

in step S901, receiving first web data sent by a server;

in the application, a server can provide data service for a client, the client can send an access request to the server, the server obtains first web data which the client needs to access according to the access request, then the first web data can be sent to the client, and then the client receives the first web data sent by the server.

Selecting at least one encryption algorithm among a plurality of encryption algorithms according to the first web data in step S902;

the step can be referred to as step S102, and is not described in detail here.

In step S903, at least a part of the first web data is encrypted according to an encryption algorithm to obtain encrypted data;

the step can be referred to as step S103, and is not described in detail here.

In step S904, at least part of the data in the first web data is replaced with the encrypted data, resulting in second web data;

in step S905, the second web data is responded.

Wherein, after obtaining the second web data, the client can use, apply or process the second web data, and so on.

The flows of steps S901 to S904 in the present application may be executed by the client based on a component, a control, a script, or an SDK (Software Development Kit) loaded in the client, where the execution flow is invisible to the outside, and a lawless person cannot steal the execution flow.

According to the method and the device, the client side exposes second web data to the outside, the processes of the step S901 to the step S904 are not exposed, the second web data does not have at least part of original data, and encrypted data obtained by encrypting at least part of data is provided, so that lawless persons can not steal at least part of original data and can only steal the encrypted data.

The method and the system can realize the transparency of the server, do not need to improve the server, and can save the cost on the premise of ensuring the safety of the server.

In another embodiment of the present application, the method further comprises: and adding a data tag in the second web data, wherein the data tag at least comprises the algorithm identification of the selected encryption algorithm and the data identification of the encrypted data.

In one embodiment of the application, after the client renders the first web data, the user can see the web page, and then can operate on the web page, so that the client generates third web data which needs to be sent to the server.

For example, in one example, the first web data includes a virtual button, the virtual button includes a URL of another web page, and the like, and the server encrypts the URL of the other web page in the first web data in step S903, so that the virtual button in the second web data does not include the URL of the other web page before encryption but includes the encrypted URL.

In this way, after the client renders the second web data, a virtual button is displayed in the web page, the virtual button includes an encrypted URL and the like, the user can see the virtual button in the web page, the user can jump to another web page by clicking the virtual button, and if the user clicks the virtual button, the client generates third web data for accessing the server according to the encrypted URL.

Specifically, in another embodiment of the present application, referring to fig. 11, a processing manner of the third web data by the client includes:

in step S1001, third web data obtained by the client according to the second web data and used for sending to the server is obtained, where the third web data at least includes encrypted data and a data tag;

in step S1002, determining encrypted data in the third web data according to the data identifier in the data tag, and obtaining a decryption algorithm corresponding to the encryption algorithm according to the algorithm identifier in the data tag;

the third web data may carry encrypted data obtained by encrypting according to an encryption algorithm, and the server cannot identify the encrypted data, so that the client may perform step S1002 to decrypt the encrypted data in the third web data after obtaining the third web data.

In the application, a plurality of encryption algorithms are set in the client in advance, and a decryption algorithm corresponding to each encryption algorithm can be set in the client.

In step S1003, decrypting the encrypted data in the third web data according to a decryption algorithm to obtain at least part of data;

in step S1004, replacing the encrypted data in the third web data with at least part of the data, resulting in fourth web data;

in another embodiment of the present application, before encrypting at least part of the first web data according to the encryption algorithm in step S903, the client may cache at least part of the first web data.

After the encrypted data in the third web data is decrypted according to the decryption algorithm in step S1004 to obtain at least part of the data, whether the at least part of the data obtained by decryption is the same as at least part of the data in the first web data cached in advance may be compared, and in the case of the same, the encrypted data in the third web data is replaced by the at least part of the data to obtain fourth web data.

In step S1005, the fourth web data is transmitted to the server.

Referring to fig. 12, a block diagram of an embodiment of a data processing apparatus according to the present application is shown, and the apparatus is applied to middleware, and specifically may include the following modules:

the first receiving module 11 is configured to receive first web data sent by a server;

a first selection module 12 for selecting at least one encryption algorithm among a plurality of encryption algorithms based on the first web data;

the first encryption module 13 is configured to encrypt at least part of the first web data according to the encryption algorithm to obtain encrypted data;

a first replacing module 14, configured to replace at least part of the first web data with the encrypted data to obtain second web data;

a first sending module 15, configured to send the second web data to the client.

In an optional implementation manner, the first encryption module includes:

In an optional implementation manner, the first selection module includes:

In an optional implementation, the apparatus further comprises:

Referring to fig. 13, a block diagram of a data processing apparatus according to an embodiment of the present application is shown, and the apparatus is applied to a server, and specifically includes the following modules:

a first obtaining module 21, configured to obtain first web data for sending to a client;

a second selection module 22 for selecting at least one encryption algorithm among a plurality of encryption algorithms based on the first web data;

the second encryption module 23 is configured to encrypt at least part of the first web data according to the encryption algorithm to obtain encrypted data;

a fourth replacing module 24, configured to replace at least part of the first web data with the encrypted data to obtain second web data;

and a third sending module 25, configured to send the second web data to the client.

In an optional implementation, the apparatus further comprises:

a first response module to respond to the fourth web data.

Referring to fig. 14, a block diagram of a data processing apparatus according to an embodiment of the present application is shown, and the apparatus is applied to a client, and specifically includes the following modules:

a fourth receiving module 31, configured to receive the first web data sent by the server;

a third selection module 32 for selecting at least one encryption algorithm among a plurality of encryption algorithms based on the first web data;

a third encryption module 33, configured to encrypt at least part of the data in the first web data according to the encryption algorithm to obtain encrypted data;

a sixth replacing module 34, configured to replace at least part of the first web data with the encrypted data to obtain second web data;

a second response module 35, configured to respond to the second web data.

In an optional implementation, the apparatus further comprises:

The

modules

31, 32, 33, and 34 in the present application may be executed by the client based on a component, a control, a script, or an SDK (Software Development Kit) loaded in the client, and are invisible to the outside, and a lawless person cannot steal the

modules

31, 32, 33, and 34.

According to the method and the device, the client side exposes the second web data to the outside, the

modules

31, 32, 33 and 34 are not exposed, the second web data does not have at least part of original data, and the second web data has the encrypted data obtained by encrypting at least part of the original data, so that lawless persons cannot steal at least part of the original data and only can steal the encrypted data.

The present application further provides a non-transitory, readable storage medium, where one or more modules (programs) are stored, and when the one or more modules are applied to a device, the device may execute instructions (instructions) of method steps in this application.

Embodiments of the present application provide one or more machine-readable media having instructions stored thereon, which when executed by one or more processors, cause an electronic device to perform the methods as described in one or more of the above embodiments. In the embodiment of the application, the electronic device comprises a server, a gateway, a sub-device and the like, wherein the sub-device is a device such as an internet of things device.

Embodiments of the present disclosure may be implemented as an apparatus, which may include electronic devices such as servers (clusters), terminal devices such as IoT devices, and the like, using any suitable hardware, firmware, software, or any combination thereof, for a desired configuration.

Fig. 15 schematically illustrates an example apparatus 1300 that can be used to implement various embodiments described herein.

For one embodiment, fig. 15 illustrates an example apparatus 1300 having one or more processors 1302, a control module (chipset) 1304 coupled to at least one of the processor(s) 1302, memory 1306 coupled to the control module 1304, non-volatile memory (NVM)/storage 1308 coupled to the control module 1304, one or more input/output devices 1310 coupled to the control module 1304, and a network interface 1312 coupled to the control module 1306.

Processor 1302 may include one or more single-core or multi-core processors, and processor 1302 may include any combination of general-purpose or special-purpose processors (e.g., graphics processors, application processors, baseband processors, etc.). In some embodiments, the apparatus 1300 can be a server device such as a gateway described in the embodiments of the present application.

In some embodiments, apparatus 1300 may include one or more computer-readable media (e.g., memory 1306 or NVM/storage 1308) having instructions 1314 and one or more processors 1302, which in combination with the one or more computer-readable media, are configured to execute instructions 1314 to implement modules to perform actions described in this disclosure.

For one embodiment, control module 1304 may include any suitable interface controllers to provide any suitable interface to at least one of the processor(s) 1302 and/or any suitable device or component in communication with control module 1304.

The control module 1304 may include a memory controller module to provide an interface to the memory 1306. The memory controller module may be a hardware module, a software module, and/or a firmware module.

Memory 1306 may be used, for example, to load and store data and/or instructions 1314 for device 1300. For one embodiment, memory 1306 may comprise any suitable volatile memory, such as suitable DRAM. In some embodiments, the memory 1306 may comprise a double data rate type four synchronous dynamic random access memory (DDR4 SDRAM).

For one embodiment, control module 1304 may include one or more input/output controllers to provide an interface to NVM/storage 1308 and input/output device(s) 1310.

For example, NVM/storage 1308 may be used to store data and/or instructions 1314. NVM/storage 1308 may include any suitable non-volatile memory (e.g., flash memory) and/or may include any suitable non-volatile storage device(s) (e.g., one or more Hard Disk Drives (HDDs), one or more Compact Disc (CD) drives, and/or one or more Digital Versatile Disc (DVD) drives).

NVM/storage 1308 may include storage resources that are physically part of the device on which apparatus 1300 is installed, or it may be accessible by the device and need not be part of the device. For example, NVM/storage 1308 may be accessible over a network via input/output device(s) 1310.

Input/output device(s) 1310 may provide an interface for apparatus 1300 to communicate with any other suitable device, input/output device(s) 1310 may include a communications component, a pinyin component, a sensor component, and so forth. The network interface 1312 may provide an interface for the device 1300 to communicate over one or more networks, and the device 1300 may wirelessly communicate with one or more components of a wireless network according to any of one or more wireless network standards and/or protocols, such as access to a wireless network according to a communication standard, e.g., WiFi, 2G, 3G, 4G, 5G, etc., or a combination thereof.

For one embodiment, at least one of the processor(s) 1302 may be packaged together with logic for one or more controllers (e.g., memory controller modules) of the control module 1304. For one embodiment, at least one of the processor(s) 1302 may be packaged together with logic for one or more controllers of the control module 1304 to form a System In Package (SiP). For one embodiment, at least one of the processor(s) 1302 may be integrated on the same die with logic for one or more controller(s) of the control module 1304. For one embodiment, at least one of the processor(s) 1302 may be integrated on the same die with logic of one or more controllers of the control module 1304 to form a system on chip (SoC).

In various embodiments, apparatus 1300 may be, but is not limited to being: a server, a desktop computing device, or a mobile computing device (e.g., a laptop computing device, a handheld computing device, a tablet, a netbook, etc.), among other terminal devices. In various embodiments, apparatus 1300 may have more or fewer components and/or different architectures. For example, in some embodiments, device 1300 includes one or more cameras, a keyboard, a Liquid Crystal Display (LCD) screen (including a touch screen display), a non-volatile memory port, multiple antennas, a graphics chip, an Application Specific Integrated Circuit (ASIC), and speakers.

An embodiment of the present application provides an electronic device, including: one or more processors; and one or more machine readable media having instructions stored thereon that, when executed by the one or more processors, cause the electronic device to perform a data processing method as described in one or more of the present applications.

For the device embodiment, since it is basically similar to the method embodiment, the description is simple, and for the relevant points, refer to the partial description of the method embodiment.

The embodiments in the present specification are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other.

Embodiments of the present application are described with reference to flowchart illustrations and/or block diagrams of methods, terminal devices (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing terminal to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing terminal, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.

These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing terminal to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.

These computer program instructions may also be loaded onto a computer or other programmable data processing terminal to cause a series of operational steps to be performed on the computer or other programmable terminal to produce a computer implemented process such that the instructions which execute on the computer or other programmable terminal provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.

While preferred embodiments of the present application have been described, additional variations and modifications of these embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including the preferred embodiment and all such alterations and modifications as fall within the true scope of the embodiments of the application.

Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or terminal that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or terminal. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or terminal that comprises the element.

The data processing method and apparatus provided by the present application are introduced in detail, and a specific example is applied in the present application to explain the principle and the implementation of the present application, and the description of the above embodiment is only used to help understand the method and the core idea of the present application; meanwhile, for a person skilled in the art, according to the idea of the present application, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present application.

Claims

1. A data processing method, applied to middleware, the method comprising:

receiving first web data sent by a server;

and sending the second web data to a client.

2. The method of claim 1, wherein the encrypting at least a portion of the first web data according to the encryption algorithm to obtain encrypted data comprises:

determining a non-visual element in the first web data;

3. The method of claim 1, wherein the encrypting at least a portion of the first web data according to the encryption algorithm to obtain encrypted data comprises:

-determining in the first web data an element of an element type as a preset potential attack type;

4. The method of claim 1, wherein the encrypting at least a portion of the first web data according to the encryption algorithm to obtain encrypted data comprises:

5. The method of claim 4, further comprising:

6. The method of claim 1, wherein selecting at least one encryption algorithm among a plurality of encryption algorithms based on the first web data comprises:

obtaining a first randomized seed from the first web data;

7. The method of claim 6, further comprising:

obtaining a second randomized seed from the first web data;

8. The method of claim 1, wherein before sending the second web data to the client, further comprising:

9. The method of claim 1, wherein before sending the second web data to the client, further comprising:

10. The method of claim 9, further comprising:

and sending the fourth web data to the server.

11. A data processing method is applied to a server side, and the method comprises the following steps:

acquiring first web data for sending to a client;

and sending the second web data to a client.

12. The method of claim 11, wherein before sending the second web data to the client, further comprising:

13. The method of claim 12, further comprising:

responding to the fourth web data.

14. A data processing method is applied to a client, and the method comprises the following steps:

receiving first web data sent by a server;

responding to the second web data.

15. The method of claim 14, wherein prior to responding to the second web data, further comprising:

16. The method of claim 15, further comprising:

and sending the fourth web data to the server.

17. A data processing apparatus, for application to middleware, the apparatus comprising:

18. The apparatus of claim 17, wherein the first encryption module comprises:

19. The apparatus of claim 17, wherein the first encryption module comprises:

20. The apparatus of claim 17, wherein the first encryption module comprises:

21. The apparatus of claim 20, wherein the first encryption module further comprises:

22. The apparatus of claim 17, wherein the first selection module comprises:

23. The apparatus of claim 22, wherein the first selection module further comprises:

24. The apparatus of claim 17, further comprising:

25. The apparatus of claim 17, further comprising:

26. The apparatus of claim 25, further comprising:

27. A data processing apparatus, applied to a server, the apparatus comprising:

28. The apparatus of claim 27, further comprising:

29. The apparatus of claim 28, further comprising:

a first response module to respond to the fourth web data.

30. A data processing apparatus, applied to a client, the apparatus comprising:

and the second response module is used for responding to the second web data.

31. The apparatus of claim 30, further comprising:

32. The apparatus of claim 31, further comprising:

33. An electronic device, characterized in that the electronic device comprises:

a processor; and

memory having stored thereon executable code which, when executed, causes the processor to perform a data processing method as claimed in any one of claims 1-10.

34. One or more machine readable media having executable code stored thereon that, when executed, causes a processor to perform a data processing method as claimed in any one of claims 1-10.

35. An electronic device, characterized in that the electronic device comprises:

a processor; and

memory having stored thereon executable code which, when executed, causes the processor to perform the data processing method of any of claims 11-13.

36. One or more machine readable media having executable code stored thereon that, when executed, causes a processor to perform the data processing method of any of claims 11-13.

37. An electronic device, characterized in that the electronic device comprises:

a processor; and

memory having stored thereon executable code which, when executed, causes the processor to perform a data processing method as claimed in any one of claims 14-16.

38. One or more machine readable media having executable code stored thereon that when executed cause a processor to perform a data processing method as claimed in any one of claims 14-16.