CN115001830A - DDOS (distributed denial of service) prevention one-time cross-domain information full-life-cycle secret security system and method - Google Patents


Info

Publication number: CN115001830A
Application number: CN202210636652.9A
Authority: CN (China)
Prior art keywords: security, information, server, request, ciphertext
Legal status: Pending (as listed by Google Patents; an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Inventor: 曹耀和
Current assignee: Zhejiang Zhibei Information Technology Co ltd
Original assignee: Zhejiang Zhibei Information Technology Co ltd
Priority application: CN202210636652.9A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 for managing network security; network security policies in general
    • H04L 63/06 for supporting key management in a packet data network
    • H04L 63/067 using one-time keys
    • H04L 63/14 for detecting or protecting against malicious traffic
    • H04L 63/1433 Vulnerability analysis
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1458 Denial of Service
    • H04L 63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a one-time, cross-domain, full-life-cycle ciphertext-state information security system and method for preventing DDoS (distributed denial of service). The system comprises a request end (a browser, a Web front end or a micro-service requester), a Web security server, a Web server, a Web application server, a data security server, a database and a password (cryptographic) server. In the method, the browser sends a request to the website under the user's operation; the website's Web security server performs security processing on the request and forwards it; the Web server performs security processing and responds with the static ciphertext page; the Web application server performs dynamic-page security processing and responds; and the database performs data-service security processing and responds. The invention hides the real back-end resource addresses and processes those addresses dynamically, so that the attacker's target keeps moving, which improves the attack resistance of the Web application.

Description

DDOS (distributed denial of service) prevention one-time cross-domain information full-life-cycle secret security system and method
Technical Field
The invention belongs to the field of information security and relates in particular to a one-time, cross-domain, full-life-cycle ciphertext-state information security system and method for preventing DDoS (distributed denial of service), intended to protect website information and user information, prevent crawlers, and counter or suppress DDoS attacks.
Background
The importance of information security has risen to the level of national strategy. Although traditional information-security equipment vendors and service providers offer many solutions, and national laws, regulations and the corresponding standards prescribe strict security management regimes, information-security incidents have not been eradicated: DDoS attacks, web page tampering, websites seeded with malware (drive-by downloads), ransomware encryption of website data and the like continue to occur and cause economic loss and adverse social impact.
Analysis of the current state of network security shows why attack is easy and defense is hard, and where the traditional protection scheme for Web application security falls short. Existing information security follows a "find the gap and patch it" model, yet vulnerabilities are by nature unpredictable, and an after-the-fact remediation mechanism leaves the defender permanently on the back foot. Traditional perimeter defense therefore works against known threats and vulnerabilities but has no good answer to unknown defects and threats, such as system exposure through backdoors of unknown vulnerabilities or unknown viruses and trojans, and ends up treating symptoms rather than root causes. An effective security mechanism is needed that breaks the causal link between vulnerability and compromise, so that security holds even while vulnerabilities exist, and turns the passive posture of information-security defense around.
At present Web application security is protected by application firewalls or intrusion prevention equipment. These devices use a traditional rule-matching defense and cannot fully defend against vulnerabilities. On one hand they lack an effective means against unknown defects and threats: the attack-and-defense situation is entirely passive, new vulnerabilities and threat risks cannot be defended proactively, and a zero-day attack is likely whenever the corresponding patch is late. On the other hand, a traditional WAF degrades severely, even to the point of downtime, when its full rule set is enabled; since an application system's vulnerabilities keep being exposed and accumulating over time, the rule base of a conventional defense product inevitably grows, and the operators of the application system are left choosing between security and performance.
A defense system and method is therefore needed that hides the real back-end resource addresses and processes those addresses dynamically, so that the attacker's target keeps moving. Such a system for improving the attack resistance of Web applications has clear practical value and broad application prospects.
Disclosure of Invention
The technical problem addressed by the present invention is to provide a one-time, cross-domain, full-life-cycle ciphertext-state information security system and method for preventing DDoS, remedying the deficiencies of the prior art.
The invention is realized as follows. A one-time, cross-domain, full-life-cycle ciphertext-state information security system for preventing DDoS (distributed denial of service) comprises a request end (a browser, a Web front end or a micro-service requester), a Web security server, a Web server, a Web application server, a data security server, a database and a password server. According to the security policy and the configured security effect, the system sends or receives, proxies or forwards only requests and responses that conform to that policy and effect; at each component it performs the related security processing, embeds and/or adjusts and updates the related security factors, or performs at least one of ciphertext-state human-machine interaction, rendering factors or security code, so that other equipment, code or information can perform the related security processing in subsequent steps.
The information covered includes at least one of: network service and micro-service entry points, resource addresses, page information, request results, page code, scripts, SQL keywords, Web tag keywords, processing scripts, cookies, session keys, login information, keys, certificates, security policies, configured security effects, user input and interaction, server directory names, file names, SQL result objects, SQL cursors, application user identifiers, information security-level identifiers, encryption-mode identifiers, fine-grained permission identifiers and fine-grained permission encryption identifiers.
The security policy includes at least one of: one-time randomized dynamic encoding and encryption; one-time use with burn-after-use; one-time pad; format-preserving encryption; homomorphic encryption; multi-party computation; ciphertext-state conversion without decryption; human-machine interaction and usability without decryption; "unusable unless in ciphertext form" (plaintext information is not accepted); counter-attack against DDoS at the attacker's end; DDoS suppression; crawler prevention at the crawler's end; code-injection prevention; zero-day-vulnerability prevention; and traditional WAF security rules.
The security policies of the database and the data security server further include: executing fine-grained data encryption and decryption and firewall functions on responses or forwarded traffic according to at least one of the user identifier, information security-level identifier, encryption-mode conversion identifier, fine-grained permission identifier and fine-grained permission encryption identifier; and, for at least one of the data service, SQL request, UDF name, UDF, table name, table contents, view name, field contents, stored procedure name, stored procedure code, trigger name, trigger code and SQL result, performing the related security processing, embedding and/or adjusting and updating the related security factors, or performing at least one of ciphertext-state human-machine interaction, rendering factors or security code so that other equipment, code or information can perform the related security processing.
The configured security effect comprises at least one of one-time, dynamic, cross-domain and fully ciphertext-state security of the information over its full life cycle. The information remains usable, interactive, renderable into a dot matrix or image that a user can understand, and able to flow, while being unstealable, unchangeable, unforgeable, traceable, auditable and not reusable without decryption.
Because plaintext information, code and statements are unusable in the system (only their ciphertext-state forms are accepted), the risk of code vulnerabilities and zero-day vulnerabilities being exploited, for example by code injection, XSS, SQL injection, SQL tampering, SQL reuse and database dumping, is effectively prevented.
To the same end, the present invention further provides a one-time, cross-domain, full-life-cycle ciphertext-state information security method for preventing DDoS, executed on the system above and comprising:
Step S1: after the browser, Web front end or micro-service requester has received the response to its first or home page request, it performs, according to the security policy and configured security effect, the related security processing, embeds and/or adjusts and updates the related security factors, or performs at least one of ciphertext-state human-machine interaction, rendering factors, proof-of-work information or security code, so that other equipment, code or information can perform the related security processing in subsequent steps, and then sends a request that satisfies the requested party's security policy and configured security effect.
Step S2: the Web security server first converts the ciphertext-state information and code in the request from the security domain of the user and device into the ciphertext-state information and code of the designated security domain, according to the security policy and configured security effect; performs the related security processing, embeds and/or adjusts and updates the related security factors, or performs at least one of ciphertext-state human-machine interaction, rendering factors or security code for subsequent steps; converts the ciphertext-state information and code in the result into that of the security domain of the next requested party or receiver; and then forwards or responds.
Step S3: the website's Web server likewise converts the request's ciphertext-state information and code from the user-and-device security domain into the designated security domain, performs the related security processing on the static page (embedding and/or adjusting and updating security factors, or ciphertext-state human-machine interaction, rendering factors or security code for subsequent steps), converts the result into the security domain of the next requested party or receiver, and then forwards or responds.
Step S4: the website's Web application server does the same for dynamic pages and micro-service interfaces: it converts the request into the designated security domain, performs the related security processing, converts the result into the security domain of the next requested party or receiver, and then forwards or responds.
Step S5: the data security server, according to the security policy and configured security effect, executes fine-grained data encryption and decryption and firewall functions on responses or forwarded traffic using at least one of the user identifier, information security-level identifier, encryption-mode conversion identifier, fine-grained permission identifier and fine-grained permission encryption identifier, and performs the related security processing (embedding and/or adjusting and updating security factors, or ciphertext-state human-machine interaction, rendering factors or security code for subsequent steps) on at least one of the data service, SQL request, UDF name, table name, view name, field name, stored procedure name, trigger name and SQL result.
Step S6: the website's database converts the request's ciphertext-state information and code from the user-and-device security domain into the designated security domain according to the security policy and configured security effect; performs the related security processing on at least one of the data service, SQL request, UDF, stored procedure, trigger and their code, table name, view name, field name, stored procedure name, trigger name, table, view, field and SQL result (embedding and/or adjusting and updating security factors, or ciphertext-state human-machine interaction, rendering factors or security code for subsequent steps); converts the ciphertext-state information and code in the result into that of the security domain of the next requested party or receiver; and then forwards or responds.
As a further aspect of the present invention, the method also initializes the system, with the following steps:
Step S11: initialize the Web security server: request the corresponding security policy and configured security effect from the password server, perform the related initialization, initialize the proof-of-visible-work-delay mechanism together with the JS script that counterattacks DDoS and delays requests, and initialize the code that verifies the proof of visible work.
Step S12: initialize the Web server: request the corresponding security policy and configured security effect from the password server, perform the related initialization, and initialize all static pages, code files and the variables and parameters in them, as well as all static page directories and the structure of the static pages.
Step S13: initialize the Web application server: request the corresponding security policy and configured security effect from the password server, perform the related initialization, add the security filter, apply AOP (aspect-oriented programming) interception to the corresponding code, encrypt all SQL (structured query language) statements, initialize the database driver and add the ciphertext SQL statement execution module.
Step S14: initialize the data security server: request the corresponding security policy and configured security effect from the password server, perform the related initialization, and initialize at least one of the user identifier, information security-level identifier, encryption-mode conversion identifier, fine-grained permission identifier and fine-grained permission encryption identifier used to execute fine-grained data encryption and decryption, together with the firewall rules and their code.
Step S15: initialize the database: request the corresponding security policy and configured security effect from the password server, perform the related initialization, install the UDF (user-defined function) that makes ciphertext SQL statements executable, encrypt the corresponding tables, fields and views, and encrypt the stored procedures and triggers.
Step S16: initialize the password server: generate the required root key, the working keys under it and the required session keys, and provide management of and services for the corresponding security policies and configured security effects.
The initialized content comprises at least one of: encryption of information and code and embedding of the related security factors; ciphertext-state human-machine interaction and rendering factors; security code; auxiliary code that lets ciphertext-state information function normally and supports normal human-machine interaction; and auxiliary code that lets mixed plaintext and ciphertext information work normally, so that the security policy and configured security effect are executed effectively and completely while the information circulates in ciphertext state through its full life cycle.
As a further aspect of the invention, after the browser, Web front end or micro-service requester makes the first or home page request under the user's operation, it must send the website a request that satisfies the website's security rules, according to the security policy and configured security effect. The process comprises:
running, according to the security policy and configured security effect, the proof-of-visible-work JS script that counterattacks DDoS and delays the request; and
running the security-request auxiliary script and sending the server a one-time request, carrying the corresponding proof-of-visible-work information, according to the security rules.
As a further aspect of the invention, the proof-of-visible-work JS script that counterattacks DDoS and delays the request runs as follows:
S101. Run the proof-of-visible-work JS script (counterattacking DDoS and delaying the request) returned by the Web security server.
S102. Obtain the specified character string from info01.
S103. Draw it on a canvas with a white background, in the font from for02, at the specified character size.
S104. Compute the HASH of the canvas image with the specified hash function.
S105. Obtain the next specified character string from info01.
S106. Draw the characters from S105 on the same canvas, in the font from for02, at a character size and with a superposition mode that the script derives from the previous HASH.
S107. Compute the HASH of the canvas image with the specified hash function.
S108. Repeat S105 to S107 until the HASH satisfies the condition specified in the script.
S109. Send the corresponding computation result together with the page service request back to the back end.
As a further aspect of the invention, after receiving the request the website's Web security server performs security processing on it and forwards it, as follows:
after receiving the request, check the one-time request URL, the one-time request parameter names and the parameter values;
check whether the corresponding information is unused: if it has already been used the check fails and the corresponding security policy and configured security effect are applied; if it is unused, update its burn-after-use flag;
verify the proof of visible work according to the security requirement;
if the request is for a static web page, convert the corresponding request information into one-time ciphertext of the Web server's security domain and pass it to the Web server;
if the request is for a dynamic web page, convert the corresponding request information into one-time ciphertext of the Web application server's security domain and pass it to the Web application server.
As a further aspect of the invention, verifying the proof of visible work according to the security requirement proceeds as follows:
S201. According to the security policy and configured security effect, selectively check the correctness of the final result and of some or all of the intermediate results.
S202. Run the code that verifies the proof of visible work.
S203. Obtain the specified character string from info01 (as in S102).
S204. Draw it on a canvas with a white background, in the font from for02, at the specified character size.
S205. Compute the HASH of the canvas image with the specified hash function.
S206. If the HASH is correct and satisfies the specified security condition, verification passes; otherwise it fails.
S207. Proceed according to the security policy and configured security effect: forward the request, refuse it, or continue or raise the proof-of-visible-work requirement in order to counter or suppress the DDoS.
The proof-of-visible-work technique and its verification mechanism counter or suppress a DDoS attack by: a. adjusting the target size of the HASH that satisfies the condition (the difficulty); b. adjusting the image size; c. changing the order of the image character rendering operations as a function of the computed HASH; d. increasing the number of rendered images that must be kept; e. adjusting the volume of intermediate results that must be sent; f. repeatedly requesting retransmission of the related network packets at the TCP/IP layer; g. adjusting at least one of the TCP window and QoS parameters and repeatedly requesting retransmission of past packets at the TCP/IP layer.
The counter-attacking or suppressing effect on a DDoS attack comprises: a. increasing the CPU and GPU computation required at the client; b. consuming the client's scarce resources such as CPU, GPU cache and memory, reducing the client's effective computing speed; c. effectively delaying the request through the 60-120 fps display refresh bottleneck; d. amplifying the client's request traffic and retransmission frequency while restraining the related server traffic, so that before the DDoS peaks at the back end the client's Internet channel is affected or blocked, the Internet service provider or other users are alerted, and flow control, QoS and/or other safety mechanisms are triggered; the DDoS is thus countered and suppressed at the attacker's end.
Further, proof-of-visible-work-delay may also be applied to software, devices and/or protocols in other areas such as communications, networking, social media, AI-social applications and blockchain.
As a further aspect of the invention, the website's Web server performs security processing and security response on the static ciphertext page after receiving the request, and the Web application server performs security processing and security response on the dynamic page after receiving the request, as follows:
after receiving the request, the Web server converts the corresponding one-time information into ciphertext-state information of the Web server's security domain;
it matches the corresponding static page according to the converted information;
using the password server, it converts the ciphertext in the corresponding page and its code into ciphertext of the Web security server's security domain and returns it to the Web security server;
after receiving the request, the Web application server converts the corresponding one-time information into ciphertext-state information of its own security domain;
it matches the corresponding dynamic page and its information, code and objects according to the converted information;
if the data security server's security service is required, it uses the password server to convert the ciphertext in the corresponding SQL statement into ciphertext of the data security server's security domain, sends the secure data service request to the data security server, and then completes the security processing of the service response;
if the database's data service is required, it uses the password server to convert the ciphertext in the corresponding SQL statement into ciphertext of the database's security domain, sends the secure data service request to the database, and completes the security processing of the service response;
using the password server, it converts the ciphertext in the corresponding dynamic page or micro-service result and its code, in the data security server's result, or in the database's data service result into ciphertext of the Web security server's security domain, packages it and returns it to the Web security server;
after the data security server receives a data security service request, it uses the password server to convert the related one-time ciphertext into ciphertext of the data security server's information security domain;
it obtains the related SQL information and at least one of the user identifier, information security-level identifier, encryption-mode conversion identifier, fine-grained permission identifier and fine-grained permission encryption identifier from the converted ciphertext-state information;
it executes fine-grained data encryption and decryption and the firewall rules for responses or forwarding according to at least one of the application user identifier, information security-level identifier, encryption-mode conversion identifier, fine-grained permission identifier and fine-grained permission encryption identifier;
it strips from, or retains in, the processed SQL information the application user identifier, information security-level identifier, encryption-mode identifier, fine-grained permission identifier and fine-grained permission encryption identifier;
if the database's data service is required, it uses the password server to convert the ciphertext in the corresponding SQL statement into ciphertext of the database's security domain, sends the ciphertext data service request to the database and completes the security processing of the service response;
using the password server, it converts the ciphertext in the database's data service result into ciphertext of the Web application server's security domain, packages it and returns it to the Web application server;
each ciphertext conversion is either decrypt-then-re-encrypt, or a fully ciphertext-state conversion from ciphertext to ciphertext using homomorphic encryption or the privacy-computing mode of multi-party computation.
As a further aspect of the present invention, the database server is used for data security service processing and security response, and includes:
after receiving a data service request, converting related one-time ciphertext information into ciphertext information of an information security domain of a database service by using a password server;
executing related SQL according to the converted secret information to obtain related information;
converting the related ciphertext information into ciphertext information of a security domain of the application server or the data security server according to the fact that the request object is the application server or the data security server, and returning the ciphertext information to the application server or the data security server;
the ciphertext conversion is either decrypt-then-re-encrypt, or a full-secret-state conversion from ciphertext to ciphertext realized by homomorphic encryption or multi-party computation.
As a further aspect of the present invention, the Web security server is further configured to perform security processing and security response, and includes:
after receiving the response of the Web server or the Web application server, carrying out corresponding safety processing on the corresponding ciphertext information through the password server;
converting the corresponding ciphertext information into one-time format-preserving secret information of the browser or Web front end or micro-service request end according to the security rule, and resetting the 'burn-after-use flag' of the corresponding information to 0;
adding, or not adding, the 'proof of display working duration' and the js scripts for countering DDOS and delaying requests to the return packet according to the security policy and the set security effect requirement;
according to the security policy and the set security effect requirement, adding the ciphertext webfont file required for ciphertext display and at least one of the ciphertext auxiliary display script, ciphertext auxiliary processing script, ciphertext request auxiliary script and ciphertext security check script, so that the ciphertext can be displayed without decryption;
and returning the processed and packaged response to the browser or the Web front end or the micro-service request end.
As a further scheme of the invention, the browser or the Web front end or the micro-service request end is also used for ciphertext display, rendering and ciphertext interaction of the full-ciphertext page, including:
after receiving the response of the Web safety server, operating a corresponding page and a safety verification script thereof;
the page information is correctly displayed, and correctly interacts with the user, by means of the corresponding webfont and the ciphertext auxiliary display script without decryption;
the page safety information is correctly processed under the condition of not needing decryption by means of the ciphertext auxiliary processing script;
waiting for the next operation by the user.
In addition, in order to achieve the above object, the present invention further provides a computer device, which includes a processor, a memory, and a DDOS-countering WEB and micro-service application disposable cross-domain information full-lifecycle security defense program stored on the memory and executable by the processor, wherein when the program is executed by the processor, the steps of the above system and method for DDOS-countering WEB and micro-service application disposable cross-domain information full-lifecycle security defense are implemented.
In addition, in order to achieve the above object, the present invention further provides a computer readable storage medium, on which a DDOS-countering WEB and micro-service application disposable cross-domain information full-lifecycle security defense program is stored, wherein when the program is executed by a processor, the steps of the above system and method for DDOS-countering WEB and micro-service application disposable cross-domain information full-lifecycle security defense are implemented.
Compared with the prior art, the DDOS-prevention one-time cross-domain full-lifecycle secret information security system and the method have the following characteristics:
1. The invention is used for protecting network services and applications against known and unknown information security risks. For the network service and micro-service entry, resource address, page information, request return result, page code, script, SQL keyword, Web Tag keyword, processing script, Cookie, session key, login information, key, certificate, security policy, set security effect, user input and interaction, server directory name, file name, SQL statement result object, SQL cursor, application user identifier, information security degree identifier, encryption mode identifier, refined authority encryption identifier and the like, the system realizes the security effects of one-time encryption, non-secret information not being used, burning after use, countering DDOS at the attacker end, suppressing DDOS, preventing crawlers at the crawler end, preventing code injection, preventing zero-day vulnerabilities and the like, and realizes the security protection of the whole process and the whole life cycle of the information, universally and across domains.
2. By utilizing a one-time format-preserving encryption and obfuscation mechanism, one-time random ciphertext encoding, secret-state display, screen rendering and ciphertext man-machine interaction are realized; the normal operation and use of a website are ensured under the conditions that information and code are useless unless in secret form and no decryption is needed, and the security effects of visible but not takeable, unchangeable and non-imitable; usable but unchangeable and non-imitable; and manageable but unchangeable and non-imitable are realized.
3. The system and the method realize full-process and full-life-cycle protection of information, universally and across domains, in all links from the front-end browser or Web front end or micro-service request end and its human-computer interaction, through the security proxy server, Web server, application server and management platform, to the database and its file system, achieving the security effect that no plaintext-encoded information exists in memory or on the screen, and effectively preventing the information leakage risks that may arise from information leakage, memory theft and screen capture.
4. The method and the system realize, for the user request, the session response, the corresponding content information and the security factor information of the session response, the security effects of one-time pad and one-time use.
5. The security effects of one-time pad, one-time use, non-secret-not-used and burn-after-use are achieved for page code, scripts and the corresponding background SQL statements, processing code and scripts; the risks of code injection, XSS attack, code bugs and zero-day bugs being exploited are effectively prevented, as are known, unknown and unrepaired security risks.
6. The method realizes one-time pad encryption of the keywords, library names, table names, field names and other information in SQL statements, and effectively prevents risks such as SQL injection, SQL tampering, SQL reuse and database dumping (library dragging).
7. The effect of countering or suppressing a DDOS attack comprises: a. the computation load on the CPU and GPU of the client is increased; b. scarce resources such as the user terminal CPU, GPU cache and memory are consumed, and the effective computing speed of the users is reduced; c. the request time is effectively delayed by the display speed bottleneck at a frequency of 60-120 fps; d. the request traffic and retransmission frequency of the client are amplified while the related traffic of the server is restrained, so that before the DDOS breaks out at the back end, the internet channel of the client is affected or blocked, the vigilance of the internet service provider or other users is raised, and flow control, QoS and/or other security mechanisms are triggered, thereby achieving the effect of countering and suppressing DDOS at the attacker end.
8. The method combines one-time pad encryption and code obfuscation of information and code, and utilizes techniques such as one-time rendering of ciphertext with display noise, to prevent effective screen capture and OCR-based information recovery, and can effectively prevent automated crawler and Bot AI attacks.
These and other aspects of the invention are apparent from and will be elucidated with reference to the embodiments described hereinafter. It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the invention, as claimed.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention. In the drawings:
FIG. 1 is a block diagram of a DDOS-resistant one-time cross-domain full-lifecycle confidential information security system according to one embodiment of the present invention;
FIG. 2 is a flowchart illustrating initialization of a DDOS-resistant one-time cross-domain full-lifecycle security method according to an embodiment of the present invention;
FIG. 3 is a flowchart illustrating a DDOS-resistant one-time cross-domain full-lifecycle security method according to an embodiment of the present invention;
FIG. 4 is a schematic flow chart illustrating the procedure of proving the display working duration in the DDOS-resistant one-time cross-domain full-lifecycle secret information security method according to the embodiment of the present invention;
FIG. 5 is a schematic flow chart illustrating the verification of the proof of display working duration in the DDOS-resistant one-time cross-domain full-lifecycle secret information security method according to the embodiment of the present invention.
The objects, features and advantages of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
Reference will now be made in detail to the present preferred embodiments of the present invention, examples of which are illustrated in the accompanying drawings, wherein like reference numerals refer to like elements throughout.
In the description of the present invention, "several" means one or more, "a plurality" means two or more; "greater than", "less than" and "exceeding" are understood as excluding the stated number, and "above", "below" and "within" are understood as including it.
In the description of the present invention, the consecutive reference numbers of the method steps are for convenience of examination and understanding; the implementation order of the steps may be adjusted, taking into account the technical solution as a whole and the logical relationship between the steps, without affecting the technical effect achieved by the technical solution of the present invention.
In the description of the present invention, unless otherwise explicitly defined, terms such as set, etc. should be broadly construed, and those skilled in the art can reasonably determine the specific meanings of the above terms in the present invention in combination with the detailed contents of the technical solutions.
In the embodiment of the present invention, the DDOS-resistant one-time cross-domain information full-lifecycle confidential security system and method can be applied to a computer device, which can be a device with display and processing functions, such as a PC, a portable computer, a mobile terminal, and the like, but is not limited thereto.
Referring to FIG. 1, an embodiment of the present invention provides a DDOS-resistant one-time cross-domain information full-lifecycle security system. The system comprises the browser or the Web front end or the micro-service request end 100, a Web security server (Security Proxy) 200, a Web server (Static Page) 300, a Web application server (Dynamic Page) 400, a data security server (Database Security Proxy) 450, a database (Dynamic Page) 500 and a password server (Hardware Security Module) 600.
According to the security policy and the set security effect, the system sends a request conforming to the security policy and the set security effect, executes related security processing or embeds and/or adjusts and updates related security factors, or executes at least one of related information secret-state man-machine interaction, rendering factors or security codes, so that other devices, codes or information execute related security processing in subsequent steps. The method ensures that, in every link of the full-life-cycle process of full-secret-state circulation and use of the information, no matter how many different or identical devices it flows through, how many different or identical security domains serve it, and how many different or identical users use and process it, the specified security policy and the set security effect are carried out consistently and completely.
The browser or the Web front end or the microservice request end 100 is configured to send a request to a website or an application service according to an operation of a user, and after a first or top page request is returned, execute a related security process or embed and/or adjust and update a related security factor according to a security policy and a set security effect, or execute at least one of a related information secret state human-machine interaction, a rendering factor and a security code, so as to prepare other devices, codes or information to execute a related security process in a subsequent step and send a request meeting the security policy and the set security effect.
The Web security server 200 proxies and forwards the request and response of the browser, the Web front end or the microservice request end, and executes related security processing or embeds and/or adjusts and updates related security factors or executes at least one of related information secret state man-machine interaction, rendering factors or security codes according to the security policy and the set security effect, so as to prepare other devices, codes or information to execute related security processing in subsequent steps.
The Web server 300 is configured to perform security processing or embedding and/or adjusting and updating related security factors on a static ciphertext page, or perform at least one of related information secret man-machine interaction, rendering factors or security codes according to a security policy and a set security effect, so as to prepare other devices, codes or information to perform related security processing.
The Web application server 400 is used for security processing and security response of the dynamic page and the micro service interface, and according to the security policy and the set security effect, performs related security processing or embeds and/or adjusts and updates related security factors on the dynamic page and the micro service interface, or performs at least one of related information secret state man-machine interaction, rendering factors or security codes, so as to prepare for other devices, codes or information to perform related security processing.
The data security server 450 is used for proxying and forwarding data service requests and responses, and, according to the security policy and the set security effect, executes refined data encryption and decryption and the firewall functions for responding or forwarding by applying at least one of the user identifier, information security degree identifier, encryption mode conversion identifier, refined authority identifier and refined authority encryption identifier; it executes related security processing or embeds and/or adjusts and updates related security factors on at least one of the data service, SQL request, UDF name, table name, view name, field name, stored procedure name, trigger name and SQL return result, or executes at least one of related information secret-state man-machine interaction, rendering factors or security codes, so that other devices, codes or information execute related security processing.
The database 500 is used for data service security processing and security response, and, according to the security policy and the set security effect, performs related security processing or embeds and/or adjusts and updates related security factors on at least one of the data service, SQL request, UDF, stored procedure, trigger and their code, table name, view name, field name, stored procedure name, trigger name, table, view, field, stored procedure, trigger and SQL return result, or performs at least one of related information secret-state man-machine interaction, rendering factors or security codes, so that other devices, codes or information perform related security processing.
The cryptographic server 600 is configured to manage keys and other security factors, manage security policies and set security effects, and provide at least one of information encryption and decryption, information encryption state conversion service, security policies and set security effects service.
Wherein the information includes at least one of: the network service and micro-service entry, resource address, page information, request return result, page code, script, SQL keyword, Web Tag keyword, processing script, Cookie, session key, login information, key, certificate, security policy, set security effect, user input and interaction, server directory name, file name, SQL statement result object, SQL cursor, application user identifier, information security degree identifier, encryption mode identifier and refined permission identifier.
Wherein the security policy includes at least one of: one-time randomized dynamic encoding and encryption, one-time use and burn-after-use, one-time pad, format-preserving encryption, homomorphic encryption, multi-party computation, secret-state conversion without decryption, man-machine interaction and usability (ciphertext legislation) without decryption, non-secret information not being used, countering DDOS at the attacker end, DDOS suppression, crawler prevention at the crawler end, code injection prevention, zero-day vulnerability prevention, and traditional WAF security rules.
The security policies of the database 500 and the data security server 450 further include: executing refined data encryption and decryption and the firewall functions for responding or forwarding through at least one of the user identifier, information security degree identifier, encryption mode conversion identifier, refined authority identifier and refined authority encryption identifier; executing related security processing or embedding and/or adjusting and updating related security factors on at least one of the data service, SQL request, UDF name, UDF, table name, in-table information, view name, in-field information, stored procedure name, stored procedure code, trigger name, trigger code and SQL return result; or executing at least one of related information secret-state man-machine interaction, rendering factors or security codes so that other devices, codes or information execute related security processing.
The set security effect comprises at least one of the security effects of disposable, dynamic, cross-domain and full-secret-state full-life-cycle security of the information. Without decryption, the information achieves at least one of the security effects of being usable, interactive, renderable into a dot matrix or image understandable by the user, and flowable, yet not stealable, unchangeable, non-imitable, traceable, documentable and not reusable. Because non-secret information, codes and statements are useless, the risks of code injection, XSS attack, SQL injection, SQL tampering, SQL reuse and database dumping, code bugs and zero-day bugs being exploited can be effectively prevented.
Another embodiment of the present invention provides a method for preventing DDOS one-time cross-domain full-lifecycle confidential information security, which executes a security defense method based on the above-mentioned DDOS one-time cross-domain full-lifecycle confidential information security system. Before the DDOS-proof one-time cross-domain full-lifecycle secret information security system and method are executed, the system initialization is further included.
Referring to fig. 2, the initialization step includes:
step S11: web Security server (Security Proxy)200 initializes,
1. requesting a corresponding security policy and a set security effect from the password server 600;
2. initializing a 'certification display working duration' and a js script for counterclicking a DDOS and delaying a request;
3. the initialization may verify the code to prove the "demonstrate display duration".
Step S12: web server (Static Page)300 initializes,
1. requesting a corresponding security policy and a set security effect from the password server 600;
2. initializing all static pages, code files and variable parameters in the static pages, wherein the variable parameters comprise variable names and variable values in the code files;
3. initializing all static page directories and static page structures.
The corresponding information comprises at least one of related information such as a network service and micro-service entry, a resource address, page information, a request return result, a page code, a script, an SQL keyword, a Web Tag keyword, a processing script, a Cookie, a session key, login information, a key, a certificate, a security policy, a set security effect, user input and interaction, a server directory name, a file name, an SQL statement result object, an SQL cursor, an application user identifier, an information security identifier, an encryption mode identifier, a refinement authority identifier and the like.
Step S13: the Web application server (Dynamic Page) 400 is initialized:
1. requesting the corresponding security policy and set security effect from the password server 600 and performing the related initialization processing;
2. adding a security filter;
3. processing the corresponding codes by AOP and encrypting all SQL statements;
4. initializing the database 500 driver and adding a ciphertext SQL statement execution module.
The corresponding information includes at least one of a service entry, a resource address, a URI (uniform resource identifier), file information, page display information, a page hidden variable, a directory, a cookie, a session key (Session Key), a network address and the object name and object information corresponding to that network address, an SQL statement (including keywords such as Select, Insert, Delete, etc.), an SQL statement result object, an SQL cursor, an application user identifier, an information security identifier, an encryption mode identifier, and a refined authority identifier.
Step S14, initializing the data Security server (Database Security Proxy)450, requesting the corresponding Security policy and the set Security effect from the password server, and performing related initialization processing. Initializing at least one of a user identifier, an information security identifier, an encryption mode conversion identifier, a refined authority identifier and a refined authority encryption identifier to execute data refined encryption and decryption, firewall rules and codes thereof.
Step S15: the database (Dynamic Page) 500 is initialized:
1. requesting a corresponding security policy and a set security effect from the password server 600;
2. installing the UDFs so that ciphertext SQL statements can be executed;
3. encrypting the corresponding tables, fields and views;
4. encrypting the stored procedures and triggers.
The corresponding information comprises at least one of the corresponding library names, tablespace file names, table names, tables, partition names, field names, fields, view names, views, index names, indexes, encrypted stored procedure names, encrypted stored procedures and triggers.
Step S16: the password server (Hardware Security Module) 600 is initialized:
1. generating a required root key;
2. generating the associated working key;
3. generating a required session key;
4. and providing corresponding security policy and set security effect management and service.
The corresponding keys and their algorithms may be internationally popular encryption algorithms such as RSA, ECC, AES and SHA2, or the standard algorithms specified by the People's Republic of China such as SM2, SM4, SM3 and SM9, and may also be at least one of the new privacy computing algorithms such as multi-party computation, homomorphic and fully homomorphic algorithms, and the format-preserving encryption algorithms derived from them.
Wherein the initialized content comprises at least one of: the encryption of the information and code and the embedding of related security factors, information secret-state man-machine interaction and rendering factors, security codes, auxiliary codes for the normal operation of secret-state information, auxiliary codes for normal man-machine interaction, and auxiliary codes for the normal operation of mixed plaintext and secret information, so that the security policy and the set security effect are executed effectively and completely in the secret-state circulation of the information over its full life cycle.
In an embodiment of the present invention, referring to fig. 3, the DDOS-resistant one-time cross-domain full-lifecycle secret information security method includes the following steps S1-S5:
step S1, the browser or Web front end or microservice request end issues a request to the website under the operation of the user.
In an embodiment of the present invention, the sending a request to a website by a browser or a Web front end or a micro-service request end under an operation of a user includes:
1. Running, according to the security policy and the set security effect requirement, the js script for the proof of display working duration and the js scripts for countering DDOS and delaying requests.
2. Running the security request auxiliary script and, according to the security rule, sending to the server a one-time request carrying the corresponding proof of display working duration.
The operation flow of the js script for countering DDOS and delaying requests is shown in FIG. 4.
Step S2, the Web security server proxies and forwards the request and response of the browser, Web front end or micro-service request end, according to the security policy and the set security effect, first it converts the secret information and code in the user and device security domain in the request into the secret information and code of the designated security domain, executes the related security processing or embeds and/or adjusts and updates the related security factor, or executes at least one of the related information secret man-machine interaction, rendering factor or security code, so as to prepare other devices, codes or information to execute the related security processing in the subsequent step, converts the secret information and code in the result into the secret information and code of the next requested party or receiving party security domain, and then forwards or responds.
Specifically, in the embodiment of the present invention, after receiving the request, the Web security server 200 of the website performs security processing and forwarding on the request, including:
1. After receiving the request, checking the one-time request URL, the one-time request parameter names and the parameter values.
2. Checking whether the corresponding information is unused; if it has already been used, the check fails and the corresponding security policy and set security effect are executed; if it is unused, the 'burn-after-use flag' of the corresponding information is updated.
3. Verifying the proof of display working duration according to the security requirement.
4. If the request is a static webpage, the corresponding request information is converted into the one-time ciphertext information of the security domain of the Web server 300 and is forwarded to the Web server 300.
5. If the request is a dynamic webpage, the corresponding request information is converted into the one-time ciphertext information of the security domain of the Web application server 400, and the one-time ciphertext information is forwarded to the Web application server 400.
In step S3, after receiving the request, the Web server 300 of the website performs security processing and security response on the static ciphertext page. According to the security policy and the set security effect, it first converts the secret information and codes of the user and device security domain in the request into the secret information and codes of the designated security domain, executes the related security processing on the static page or embeds and/or adjusts and updates the related security factors, or executes at least one of the related information secret-state man-machine interaction, rendering factors or security codes so that other devices, codes or information execute related security processing in subsequent steps, then converts the secret information and codes in the result into the secret information and codes of the security domain of the next requested party or receiving party, and forwards or responds.
Specifically, in the embodiment of the present invention, after receiving the request, the Web server 300 of the website performs security processing and security response on the static ciphertext page, including:
1. after receiving the request, the corresponding one-time information is converted into the secret information of the security domain of the Web server 300.
2. And matching the corresponding static page according to the converted information of the security domain of the Web server 300.
3. And the cipher text information in the corresponding page and the code thereof is converted into corresponding cipher text information of the security domain of the Web security server 200 by using the password server 600, and is returned to the Web security server 200.
4. The ciphertext is converted into the full-secret state conversion from the ciphertext, wherein the ciphertext is decrypted and then encrypted, or the full-secret state conversion from the ciphertext to the ciphertext is realized by using a homomorphic encryption mode and a privacy calculation mode of multi-party calculation.
In step S4, after receiving the request, the Web application server 400 of the website performs security processing and a security response for the dynamic page. According to the security policy and the set security effect, it first converts the secret information and codes belonging to the security domain of the requesting user and device into the secret information and codes of the designated security domain; it then performs the relevant security processing on the dynamic page and the micro-service interface, or embeds and/or adjusts and updates the relevant security factors, or executes at least one of the relevant ciphertext human-machine interaction, rendering factors or security codes, so that other devices, codes or information can perform the relevant security processing in subsequent steps; finally, the secret information and codes in the result are converted into those of the security domain of the next requested party or receiving party, and then forwarded or returned as a response.
Specifically, in the embodiment of the present invention, after receiving the request, the Web application server 400 of the website performs security processing and a security response for the dynamic page as follows:
1. After receiving the request, convert the corresponding one-time information into the secret information of the security domain of the Web application server 400.
2. Match the corresponding dynamic page and its information, code, objects and the like according to the converted information of the security domain of the Web application server 400.
3. If the security service of the data security server needs to be requested, use the password server to convert the ciphertext information in the corresponding SQL statement into the corresponding ciphertext information of the security domain of the data security server, initiate the request for the secure data service to the data security server, and then complete the security processing of the service response result.
4. If the data service of the database 500 needs to be requested, use the password server 600 to convert the ciphertext information in the corresponding SQL statement into the corresponding ciphertext information of the security domain of the database, initiate the request for the secure data service to the database, perform the corresponding security processing on the response, and complete the security processing of the service response result.
5. Use the password server 600 to convert the return information of the corresponding page, the return information of the data security server 450 or of the database 500, and the ciphertext information in their code into the ciphertext information of the security domain of the Web security server 200, and return it to the Web security server 200.
6. The ciphertext conversion may be performed by decrypting first and then re-encrypting, or as a full-ciphertext-state conversion from ciphertext to ciphertext using privacy computing methods such as homomorphic encryption and multi-party computation.
In step S5, after the data security server 450 receives the request, it proxies and forwards the data service request and response. According to the security policy and the set security effect, the fine-grained data encryption and decryption and the firewall function for responding or forwarding are executed on the basis of at least one of a user identifier, an information security identifier, an encryption mode conversion identifier, a fine-grained authority identifier and a fine-grained authority encryption identifier; the relevant security processing is performed on, or the relevant security factors are embedded and/or adjusted and updated in, at least one of the data service, the SQL request, a UDF name, a table name, a view name, a field name, a stored procedure name, a trigger name and the SQL return result; or at least one of the relevant ciphertext human-machine interaction, rendering factors or security codes is executed, so that other devices, codes or information can perform the relevant security processing.
Specifically, in the embodiment of the present invention, after receiving the data security service request, the data security server 450 proxies and forwards the data service request and response as follows:
1. Use the password server to convert the related one-time ciphertext information into the ciphertext information of the information security domain of the data security server.
2. Obtain the related SQL information and at least one of the user identifier, information security identifier, encryption mode conversion identifier, fine-grained authority identifier and fine-grained authority encryption identifier from the converted secret information.
3. Apply the fine-grained data encryption and decryption and the firewall rules for responding or forwarding according to at least one of the application's user identifier, information security identifier, encryption mode conversion identifier, fine-grained authority identifier and fine-grained authority encryption identifier.
4. Remove or retain the applied user identifier, information security identifier, encryption mode identifier, fine-grained authority identifier and fine-grained authority encryption identifier in the processed SQL.
5. If the data service of the database needs to be requested, use the password server to convert the ciphertext information in the corresponding SQL statement into the corresponding ciphertext information of the security domain of the database, initiate the request for the secure data service to the database, and complete the security processing of the service response result.
6. Use the password server to convert the ciphertext information in the data service return result of the corresponding database into the ciphertext information of the security domain of the Web application server, package it, and return it to the Web application server.
7. The ciphertext conversion may be performed by decrypting first and then re-encrypting, or as a full-ciphertext-state conversion from ciphertext to ciphertext using privacy computing methods such as homomorphic encryption and multi-party computation.
In step S6, after receiving the request, the database 500 of the website performs data service security processing and a security response. According to the security policy and the set security effect, it first converts the secret information and codes belonging to the security domain of the requesting user and device into the secret information and codes of the designated security domain; it then performs the relevant security processing on, or embeds and/or adjusts and updates the relevant security factors in, at least one of the data service, the SQL request, UDFs, stored procedures and code, table names, view names, field names, stored procedure names, trigger names, tables, views, fields, stored procedures, triggers and the SQL return result, or executes at least one of the relevant ciphertext human-machine interaction, rendering factors or security codes, so that other devices, codes or information can perform the relevant security processing in subsequent steps; finally, the secret information and codes in the result are converted into those of the security domain of the next requested party or receiving party, and then forwarded or returned as a response.
Specifically, in the embodiment of the present invention, the database 500 performs data service security processing and a security response as follows:
1. After receiving the request, use the cryptographic server 600 to convert the corresponding one-time information into the ciphertext information of the information security domain of the database 500.
2. Execute the corresponding SQL according to the converted secret information to obtain the corresponding information.
3. Depending on whether the requester is the Web application server 400 or the data security server 450, use the password server 600 to convert the corresponding ciphertext information into the ciphertext information of the security domain of the Web application server 400 or of the data security server 450, and return it to the Web application server 400 or the data security server 450.
4. The ciphertext conversion may be performed by decrypting first and then re-encrypting, or as a full-ciphertext-state conversion from ciphertext to ciphertext using privacy computing methods such as homomorphic encryption and multi-party computation.
In some embodiments of the present invention, the Web security server 200 is further configured to perform security processing and a security response as follows:
1. After receiving the response of the Web server 300 or the Web application server 400, perform the corresponding security processing on the corresponding ciphertext information by means of the password server 600, including information consistency and integrity checks and the like.
2. According to the security rule, convert the corresponding ciphertext information into one-time format-preserving secret information for the browser or Web front end or micro-service request end 100, and reset the 'burn-after-use' flag bit of the corresponding information to 0.
3. According to the security policy and the set security effect requirement, add or do not add the 'proof of display working duration' js script for countering DDOS and delaying requests to the return packet.
4. According to the security policy and the set security effect requirement, without decrypting, add the ciphertext webfont file needed to display the corresponding ciphertext, together with the needed ciphertext auxiliary display script, ciphertext auxiliary processing script, ciphertext request auxiliary script and ciphertext security check script.
5. Return the processed and packaged response to the browser or Web front end or micro-service request end 100.
In some embodiments of the present invention, the browser or Web front end or micro-service request end is further configured to perform ciphertext display, rendering and ciphertext interaction on the fully encrypted page, comprising the following steps:
1. After receiving the response of the Web security server 200, run the corresponding page and its security verification script.
2. Display the page information correctly without decryption by means of the corresponding webfont and ciphertext auxiliary display script, and interact correctly with the user.
3. Process the page security information (cookie, session key, certificate, etc.) correctly without decryption by means of the ciphertext auxiliary processing script.
4. Wait for the next operation of the user.
In some embodiments of the present invention, referring to fig. 4, the operation flow of the 'proof of display working duration' js script for countering DDOS and delaying requests comprises the following steps:
S101. Run the 'proof of display working duration' js script for countering DDOS and delaying requests that was returned by the Web security server 200.
S102. Obtain the specified character string (for example, 2 or 3 Chinese characters) from info01.
S103. Display it on a canvas with a white background, in the font in for02, at the specified character size.
S104. Calculate the HASH value of the canvas image using the specified HASH function.
S105. Continue to obtain the specified character string (for example, 2 or 3 Chinese characters) from info01.
S106. Display the characters of step S105 on the previous canvas, in the font in for02, using the character display size and the superposition mode that the script calculates from the previous HASH.
S107. Calculate the HASH value of the canvas image using the specified HASH function.
S108. Repeat steps S105 to S107 until the HASH value satisfies the condition specified in the script.
S109. Send the corresponding calculation result (including the intermediate results and the final result) back to the back end together with the page service request.
In some embodiments of the present invention, referring to fig. 5, the operation flow by which the Web Security server (Security Proxy) 200 verifies the 'proof of display working duration' according to the security requirement comprises the following steps:
S201. Selectively check the correctness of the final result and of some or all of the intermediate results, according to the security policy and the set security effect.
S202. Run the code that verifies the 'proof of display working duration'.
S203. Obtain the specified character string (for example, 2 or 3 Chinese characters) from info01.
S204. Display it on a canvas with a white background, in the font in for02, at the specified character size.
S205. Calculate the HASH value of the canvas image using the specified HASH function.
S206. If the HASH value is correct and meets the specified security condition, the verification passes; otherwise, it fails.
S207. Proceed to the next step according to the security policy and the set security effect: forward the request, deny the request, or continue or strengthen the 'proof of display working duration' requirement in order to counter or suppress the DDOS.
In some embodiments of the present invention, when a DDOS attack is countered, security processing is performed on, or related security factors are embedded and/or adjusted and updated in, the DDOS-related requests and responses by the password server (Hardware Security Module) 600, the Web Security server (Security Proxy) 200, the browser/Web front end or micro-service request end and the like, or at least one of the relevant ciphertext human-machine interaction, rendering factors or security codes is executed, so as to prepare other devices, codes or information to perform the relevant security processing in subsequent steps.
Among them, the Web Security server (Security Proxy) 200 is configured to:
1. After receiving the response of the Web server 300 or the Web application server 400, perform the corresponding security processing on the corresponding ciphertext information by means of the password server 600, including information consistency and integrity checks and the like.
2. According to the security rule, convert the corresponding ciphertext information into one-time format-preserving secret information for the browser/Web front end or micro-service request end, and reset the 'burn-after-use flag bit' of the corresponding information to 0.
3. According to the security policy and the set security effect requirement, add or do not add the 'proof of display working duration' js script for countering DDOS and delaying requests to the return, and increase or decrease the computational complexity, strength and difficulty of the 'proof of display working duration'.
4. According to the security policy and the set security effect requirement, without decrypting, add the ciphertext webfont file needed to display the corresponding ciphertext, together with the needed ciphertext auxiliary display script, ciphertext auxiliary processing script, ciphertext request auxiliary script, ciphertext security check script and the like.
5. Return the processed and packaged response to the browser/Web front end or micro-service request end.
At the browser/Web front end or micro-service request end, the browser or Web front end or micro-service request end is used to:
1. After receiving the response of the Web security server 200, run the corresponding page and its security verification script.
2. Display the page information correctly without decryption by means of the corresponding webfont and ciphertext auxiliary display script, and interact correctly with the user.
3. Process the page security information (cookie, session key, certificate, etc.) correctly without decryption by means of the ciphertext auxiliary processing script.
4. Run the 'proof of display working duration' js script for countering DDOS and delaying requests.
5. Wait for the next operation by the user.
When countering DDOS, the browser or Web front end or micro-service request end performs the following steps:
1. Run the 'proof of display working duration' js script for countering DDOS and delaying requests, according to the anti-DDOS security policy and the set security effect requirement.
2. Run the security request auxiliary script and, according to the security rule, send a one-time request carrying the corresponding 'proof of display working duration' information to the server.
The 'proof of display working duration' technique and its verification mechanism counter or suppress DDOS attacks by the following means: a. adjusting the size of the HASH value at which the proof satisfies the condition; b. adjusting the size of the image; c. changing the order of the image character rendering operations along with the calculated HASH value; d. increasing the number of operable images to be retained; e. adjusting the amount of intermediate result data of the proof that must be sent; f. repeatedly requesting retransmission of the related network packets at the TCP/IP layer; g. adjusting at least one of the TCP window and QoS parameters and repeatedly requesting retransmission of past network packets at the TCP/IP layer.
The effects of countering or suppressing a DDOS attack include: a. increasing the CPU and GPU computation load of the client; b. consuming scarce resources such as the user terminal's CPU, GPU cache and memory, which lowers the effective computing speed of the users; c. effectively delaying the request time through the display speed bottleneck at a refresh rate of 60-120 fps; d. amplifying the request traffic and retransmission frequency of the client while suppressing the related traffic at the server, so that before the DDOS breaks out at the back end the client's internet channel is affected or blocked, the vigilance of the internet service provider or other users is raised, and traffic control, QoS and/or other security mechanisms are triggered, thereby achieving the effect of countering and suppressing the DDOS at the attacker's end.
The Web Security server (Security Proxy) 200 further includes:
1. After receiving the request, check the one-time request URL, the one-time request parameter names and the parameter values.
2. Check whether the corresponding information is unused. If it has been used, the check fails and the corresponding security policy and set security effect are executed; if it has not been used, update the corresponding information's 'burn-after-use flag'.
3. Verify the 'proof of display working duration' according to the security requirement, following the steps shown in figure 5.
4. If the request is for a static web page, convert the corresponding request information into the one-time ciphertext information of the security domain of the Web server 300 and forward it to the Web server 300.
5. If the request is for a dynamic web page, convert the corresponding request information into the one-time ciphertext information of the security domain of the Web application server 400 and forward it to the Web application server 400.
6. The ciphertext conversion may be performed by decrypting first and then re-encrypting, or as a full-ciphertext-state conversion from ciphertext to ciphertext using privacy computing methods such as homomorphic encryption and multi-party computation.
The Web server (Static Page) 300 further includes:
1. After receiving the request, convert the corresponding one-time information into the secret information of the security domain of the Web server 300.
2. Match the corresponding static page according to the converted information of the security domain of the Web server 300.
3. Using the password server 600, convert the ciphertext information in the corresponding page and its code into the corresponding ciphertext information of the security domain of the Web security server 200, and return it to the Web security server 200.
4. The ciphertext conversion may be performed by decrypting first and then re-encrypting, or as a full-ciphertext-state conversion from ciphertext to ciphertext using privacy computing methods such as homomorphic encryption and multi-party computation.
The Web application server (Dynamic Page) 400 further includes:
1. After receiving the request, convert the corresponding one-time information into the secret information of the security domain of the Web application server 400.
2. Match the corresponding dynamic page and its information, code, objects and the like according to the converted information of the security domain of the Web application server 400.
3. If the security service of the data security server needs to be requested, use the password server to convert the ciphertext information in the corresponding SQL statement into the corresponding ciphertext information of the security domain of the data security server, initiate the request for the secure data service to the data security server, and then complete the security processing of the service response result.
4. If the data service of the database 500 needs to be requested, use the password server 600 to convert the ciphertext information in the corresponding SQL statement into the secret information of the security domain of the database 500, request the data service from the database 500, perform the corresponding security processing on the response, and complete the security processing of the service response result.
5. Use the password server 600 to convert the return information of the corresponding page, the return information of the data security server 450 or of the database 500, and the ciphertext information in their code into the ciphertext information of the security domain of the Web security server 200, and return it to the Web security server 200.
6. The ciphertext conversion may be performed by decrypting first and then re-encrypting, or as a full-ciphertext-state conversion from ciphertext to ciphertext using privacy computing methods such as homomorphic encryption and multi-party computation.
The data Security server (Datasets Security Proxy) 450 further includes:
1. Use the password server to convert the related one-time ciphertext information into the ciphertext information of the information security domain of the data security server.
2. Obtain the related SQL information and at least one of the user identifier, information security identifier, encryption mode conversion identifier, fine-grained authority identifier and fine-grained authority encryption identifier from the converted secret information.
3. Apply the fine-grained data encryption and decryption and the firewall rules for responding or forwarding according to at least one of the application's user identifier, information security identifier, encryption mode conversion identifier, fine-grained authority identifier and fine-grained authority encryption identifier.
4. Remove or retain the applied user identifier, information security identifier, encryption mode identifier, fine-grained authority identifier and fine-grained authority encryption identifier in the processed SQL information.
5. If the data service of the database needs to be requested, use the password server to convert the ciphertext information in the corresponding SQL statement into the corresponding ciphertext information of the security domain of the database, initiate the request for the secure data service to the database, and complete the security processing of the service response result.
6. Use the password server to convert the ciphertext information in the data service return result of the corresponding database into the ciphertext information of the security domain of the Web application server, package it, and return it to the Web application server.
7. The ciphertext conversion may be performed by decrypting first and then re-encrypting, or as a full-ciphertext-state conversion from ciphertext to ciphertext using privacy computing methods such as homomorphic encryption and multi-party computation.
The database (Dynamic Page) 500 further includes:
1. After receiving the request, use the cryptographic server 600 to convert the corresponding one-time information into the ciphertext information of the information security domain of the database 500.
2. Execute the corresponding SQL according to the converted secret information to obtain the corresponding message.
3. Depending on whether the requester is the Web application server 400 or the data security server 450, use the password server 600 to convert the corresponding ciphertext information into the ciphertext information of the security domain of the Web application server 400 or of the data security server 450, and return it to the Web application server 400 or the data security server 450.
4. The ciphertext conversion may be performed by decrypting first and then re-encrypting, or as a full-ciphertext-state conversion from ciphertext to ciphertext using privacy computing methods such as homomorphic encryption and multi-party computation.
In some embodiments of the present invention, the method further includes countering crawlers, which comprises performing security processing on, or embedding and/or adjusting and updating related security factors in, crawler-related requests and responses by means of the password server (Hardware Security Module) 600, the Web Security server (Security Proxy) 200, the browser/Web front end or micro-service request end and the like, or executing at least one of the relevant ciphertext human-machine interaction, rendering factors or security codes, so as to prepare other devices, codes or information to perform the relevant security processing in subsequent steps.
The Web Security server (Security Proxy) 200 includes:
1. After receiving the response of the Web server 300 or the Web application server 400, perform the corresponding security processing on the corresponding ciphertext information by means of the password server 600, including information consistency and integrity checks and the like.
2. According to the security rule, convert the corresponding ciphertext information into one-time format-preserving secret information for the browser/Web front end/micro-service request end, and reset the 'burn-after-use flag bit' of the corresponding information to 0.
3. According to the security policy and the set security effect requirement, add or do not add the 'proof of display working duration' js script to the return packet, so as to achieve the security effect of delaying and rate-limiting the crawler.
4. According to the anti-crawler security policy and the set security effect requirement, without decrypting, add the ciphertext webfont file needed to display the corresponding ciphertext, in which a special dot-matrix background that prevents character recognition (anti-OCR) is added to the character dot matrix, together with the needed ciphertext auxiliary display script, anti-screen-capture script, ciphertext auxiliary processing script, ciphertext request auxiliary script, ciphertext security check script, ciphertext code obfuscation script and the like.
5. Return the processed and packaged response to the browser/Web front end/micro-service request end.
The browser or Web front end or micro-service request end includes:
1. After receiving the response of the Web security server 200, run the corresponding page, its security verification script and the anti-screen-capture script.
2. Display the page information correctly without decryption by means of the corresponding webfont and ciphertext auxiliary display script, and interact correctly with the user.
3. Process the page security information (cookie, session key, etc.) correctly without decryption by means of the ciphertext auxiliary processing script.
4. Run the related security script according to the anti-crawler security policy and the set security effect requirement.
5. Wait for the next operation by the user.
When countering the crawler, the browser or Web front end or micro-service request end further performs the following steps:
1. According to the anti-crawler security policy and the set security effect requirement, run the 'proof of display working duration' js script for countering DDOS and delaying requests, which delays the request time and reduces and suppresses the speed and effectiveness of the crawler.
2. According to the anti-crawler security policy and the set security effect requirement, run the security request auxiliary script and, according to the security rule, send a one-time request carrying the corresponding 'proof of display working duration' information to the server.
The operation flow of the 'proof of display working duration' js script is shown in FIG. 4.
3. According to the anti-crawler security policy and the set security effect requirement, display the required ciphertext without decryption by means of the corresponding ciphertext webfont file, in which a special dot-matrix background that prevents character recognition (anti-OCR) is added to the character dot matrix; run the needed ciphertext auxiliary display script so that the page displays correctly and interacts correctly with the user; and run the anti-screen-capture script, ciphertext auxiliary processing script, ciphertext request auxiliary script, ciphertext security check script, ciphertext code obfuscation script and the like.
The Web Security server (Security Proxy) 200 also performs:
1. After receiving the request, check the one-time request URL, the one-time request parameter names and the parameter values.
2. Check whether the corresponding information is unused. If it has been used, the check fails and the corresponding security policy and set security effect are executed; if it has not been used, update the corresponding information's 'burn-after-use flag'.
3. Verify the 'proof of display working duration' according to the security requirement, following the steps shown in fig. 5. This delays the response speed.
4. If the request is for a static web page, convert the corresponding request information into the one-time ciphertext information of the security domain of the Web server 300 and forward it to the Web server 300.
5. If the request is for a dynamic web page, convert the corresponding request information into the one-time ciphertext information of the security domain of the Web application server 400 and forward it to the Web application server 400.
6. According to the anti-crawler security policy and the set security effect requirement, without decrypting, add the ciphertext webfont file needed to display the corresponding ciphertext, in which a special dot-matrix background that prevents character recognition (anti-OCR) is added to the character dot matrix, together with the needed ciphertext auxiliary display script, anti-screen-capture script, ciphertext auxiliary processing script, ciphertext request auxiliary script, ciphertext security check script, ciphertext code obfuscation script and the like.
7. The ciphertext conversion may be performed by decrypting first and then re-encrypting, or as a full-ciphertext-state conversion from ciphertext to ciphertext using privacy computing methods such as homomorphic encryption and multi-party computation.
The Web server (Static Page) 300 also performs:
1. After receiving the request, convert the corresponding one-time information into the secret-state information of the security domain of the Web server 300.
2. Match the corresponding static page according to the converted information of the security domain of the Web server 300.
3. Using the password server 600, convert the ciphertext information in the corresponding page and its code into the corresponding ciphertext information of the security domain of the Web security server 200, and return it to the Web security server 200.
4. The ciphertext conversion may be decrypt-then-re-encrypt, or a full ciphertext-state conversion from ciphertext to ciphertext using privacy computing methods such as homomorphic encryption and multi-party computation.
The Web application server (Dynamic Page) 400 also performs:
1. After receiving the request, convert the corresponding one-time information into the secret-state information of the security domain of the Web application server 400.
2. Match the corresponding dynamic page and its information, code, objects and the like according to the converted information of the security domain of the Web application server 400.
3. If the security service of the data security server 450 needs to be requested, use the password server 600 to convert the ciphertext information in the corresponding SQL statement into the corresponding ciphertext information of the security domain of the data security server 450, initiate a secret-state data security service request to the data security server 450, and then complete the security processing of the service response result.
4. If the data service of the database 500 needs to be requested, use the password server 600 to convert the ciphertext information in the corresponding SQL statement into the secret-state information of the security domain of the database 500, request the data service from the database 500, perform the corresponding security processing on the response and complete the security processing of the service response result.
5. Use the password server 600 to convert the ciphertext information in the corresponding page, in the return information of the data security server 450 or of the database 500, and in their code into ciphertext information of the security domain of the Web security server 200, and return it to the Web security server 200.
6. The ciphertext conversion may be decrypt-then-re-encrypt, or a full ciphertext-state conversion from ciphertext to ciphertext using privacy computing methods such as homomorphic encryption and multi-party computation.
The data security server (Datasets Security Proxy) 450 also performs:
1. Use the password server to convert the related one-time ciphertext information into ciphertext information of the information security domain of the data security server.
2. From the converted secret-state information, obtain the related SQL information and at least one of the user identifier, information security-degree identifier, encryption mode conversion identifier, refined permission identifier and refined permission encryption identifier.
3. Perform refined data encryption/decryption and the firewall rules for the response or forwarding according to at least one of the application user identifier, information security-degree identifier, encryption mode conversion identifier, refined permission identifier and refined permission encryption identifier.
4. Strip or retain the application user identifier, information security-degree identifier, encryption mode identifier, refined permission identifier and refined permission encryption identifier in the processed SQL information.
5. If the data service of the database needs to be requested, use the password server to convert the ciphertext information in the corresponding SQL statement into the corresponding ciphertext information of the security domain of the database, initiate a secret-state data service request to the database, and complete the security processing of the service response result.
6. Use the password server to convert the ciphertext information in the data service return result of the corresponding database into ciphertext information of the security domain of the Web application server, package it and return it to the Web application server.
7. The ciphertext conversion may be decrypt-then-re-encrypt, or a full ciphertext-state conversion from ciphertext to ciphertext using privacy computing methods such as homomorphic encryption and multi-party computation.
The database 500 also performs:
1. After receiving the request, use the password server 600 to convert the corresponding one-time information into the ciphertext information of the information security domain of the database 500.
2. Execute the corresponding SQL according to the converted secret-state information to obtain the corresponding information.
3. Depending on whether the requester is the Web application server 400 or the data security server 450, use the password server 600 to convert the corresponding ciphertext information into ciphertext information of the security domain of the Web application server 400 or of the data security server 450, and return it to that server.
4. The ciphertext conversion may be decrypt-then-re-encrypt, or a full ciphertext-state conversion from ciphertext to ciphertext using privacy computing methods such as homomorphic encryption and multi-party computation.
An embodiment of the present invention provides a computer device comprising a memory 100 and a processor 200, wherein the memory 100 stores a computer program configured to execute the steps of the above-mentioned DDOS-resistant one-time cross-domain full-lifecycle secret-information security method.
It should be understood that the processor may be a Central Processing Unit (CPU) or another general-purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, etc. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
The processor is configured to run the computer program stored in the memory so as to implement the various embodiments of the DDOS-resistant one-time cross-domain full-lifecycle secret-information security method of the present invention.
It should be recognized that the method steps in embodiments of the present invention may be embodied or carried out by computer hardware, a combination of hardware and software, or by computer instructions stored in a non-transitory computer readable memory. The method may use standard programming techniques. Each program may be implemented in a high level procedural or object oriented programming language to communicate with a computer system. However, the program(s) can be implemented in assembly or machine language, if desired. In any case, the language may be a compiled or interpreted language. Furthermore, the program can be run on a programmed application specific integrated circuit for this purpose.
Further, the operations of processes described herein can be performed in any suitable order unless otherwise indicated herein or otherwise clearly contradicted by context. The processes described herein (or variations and/or combinations thereof) may be performed under the control of one or more computer systems configured with executable instructions, and may be implemented as code (e.g., executable instructions, one or more computer programs, or one or more applications) collectively executed on one or more processors, by hardware, or combinations thereof. The computer program includes a plurality of instructions executable by one or more processors.
In addition, an embodiment of the invention also provides a computer readable storage medium.
The computer readable storage medium of the present invention stores a defense program for the DDOS-resistant one-time cross-domain full-lifecycle secret-information security system; when this defense program is executed by a processor, the steps of the above-mentioned DDOS-resistant one-time cross-domain full-lifecycle secret-information security method are implemented.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in the process, method, article, or apparatus that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
The invention is operational with numerous general purpose or special purpose computing environments or configurations. Further, the method may be implemented in any type of computing platform operatively connected to a suitable interface, including but not limited to a personal computer, mini computer, mainframe, workstation, networked or distributed computing environment, separate or integrated computer platform, or in communication with a charged particle tool or other imaging method, and the like. Aspects of the invention may be implemented in machine-readable code stored on a non-transitory storage medium or device, whether removable or integrated into a computing platform, such as a hard disk, optically readable and/or writable storage media, RAM, ROM, etc., so that it is readable by a programmable computer and, when read by the computer, can be used to configure and operate the computer to perform the procedures described herein. Further, the machine-readable code, or portions thereof, may be transmitted over a wired or wireless network. The invention described herein includes these and other different types of non-transitory computer-readable storage media when such media include instructions or programs that implement the steps described above in conjunction with a microprocessor or other data processor. The invention also includes the computer itself when programmed according to the methods and techniques described herein.
A computer program can be applied to input data to perform the functions described herein to transform the input data to generate output data that is stored to non-volatile memory. The output information may also be applied to one or more output devices, such as a display. In a preferred embodiment of the invention, the transformed data represents physical and tangible objects, including particular visual depictions of physical and tangible objects produced on a display.
Through the description of the foregoing embodiments, it is clear to those skilled in the art that the method of the foregoing embodiments may be implemented by software plus a necessary general hardware platform, and certainly may also be implemented by hardware, but in many cases, the former is a better implementation. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) as described above and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present invention.

Claims (10)

1. A DDOS (distributed denial of service) prevention one-time cross-domain information full-life-cycle secret security system, characterized by comprising a browser or Web front end or micro-service request end, a Web security server, a Web application server, a data security server, a database and a password server, wherein, according to a security policy and a set security effect, the system sends or receives, proxies or forwards requests or responses that conform to the security policy and the set security effect, executes related security processing or embeds and/or adjusts and updates related security factors, or executes at least one of related information secret-state human-machine interaction, rendering factors or security code, so that other devices, code or information execute related security processing in subsequent steps;
wherein the information includes at least one of: a network service or micro-service entry, a resource address, page information, a request return result, page code, a script, an SQL keyword, a Web Tag keyword, a processing script, a Cookie, a session key, login information, a key, a certificate, a security policy, a set security effect, user input and interaction, a server directory name, a file name, an SQL statement result object, an SQL cursor, an application user identifier, an information security-degree identifier, an encryption mode identifier, a refined permission identifier and a refined permission encryption identifier;
wherein the security policy includes at least one of: one-time randomized dynamic encoding and encryption, one-time use and burn-after-use, one-time pad, format-preserving encryption, homomorphic encryption, multi-party computation, secret-state conversion without decryption, human-machine interaction and usability without decryption, use without decryption, countering DDOS at the attacker end, suppressing DDOS, countering crawlers at the crawler end, preventing code injection, preventing zero-day vulnerabilities, and conventional WAF security rules;
wherein the security policies of the database and the data security server further include: performing refined data encryption/decryption and firewall functions for the response or forwarding by means of at least one of a user identifier, an information security-degree identifier, an encryption mode conversion identifier, a refined permission identifier and a refined permission encryption identifier; and performing related security processing on, or embedding and/or adjusting and updating related security factors in, at least one of a data service, an SQL request, a UDF name, a UDF, a table name, in-table information, a view name, a view field name, in-field information, a stored procedure name, stored procedure code, a trigger name, trigger code and an SQL return result, or executing at least one of related information secret-state human-machine interaction, rendering factors or security code so that other devices, code or information are prepared to execute related security processing;
wherein the set security effect comprises at least one of the security effects of one-time, dynamic, cross-domain and fully secret-state full-lifecycle information security; and the information achieves, without decryption, at least one of the security effects of being usable, interactive, renderable into a dot matrix or image understandable to the user, transferable but not stealable, unalterable, non-forgeable, source-traceable and non-reusable.
2. A DDOS-resistant one-time cross-domain full-lifecycle secret-information security method, characterized in that the DDOS-resistant one-time cross-domain full-lifecycle secret-information security system of claim 1 performs a security defense method comprising the following steps:
step S1: after the first or home page request of the browser or Web front end or micro-service request end returns, the request end executes, according to the security policy and the set security effect, related security processing or embeds and/or adjusts and updates related security factors, or executes at least one of related information secret-state human-machine interaction, rendering factors, processing of certification information or security code, so that other devices, code or information execute related security processing in subsequent steps, and sends a request that meets the security policy and the set security effect of the requested party;
step S2: according to the security policy and the set security effect, the Web security server first converts the secret-state information and code of the user and device security domain in the request into the secret-state information and code of the designated security domain, executes related security processing or embeds and/or adjusts and updates related security factors, or executes at least one of related information secret-state human-machine interaction, rendering factors or security code so that other devices, code or information execute related security processing in subsequent steps, then converts the secret-state information and code in the result into the secret-state information and code of the security domain of the next requested party or receiving party, and forwards or responds;
step S3: after receiving the request, the Web server of the website, according to the security policy and the set security effect, converts the secret-state information and code of the user and device security domain in the request into the secret-state information and code of the designated security domain, executes related security processing on the static page or embeds and/or adjusts and updates related security factors in it, or executes at least one of related information secret-state human-machine interaction, rendering factors or security code so that other devices, code or information execute related security processing in subsequent steps, then converts the secret-state information and code in the result into the secret-state information and code of the security domain of the next requested party or receiving party, and forwards or responds;
step S4: according to the security policy and the set security effect, the Web application server of the website first converts the secret-state information and code of the user and device security domain in the request into the secret-state information and code of the designated security domain, executes related security processing on the dynamic page and micro-service interface or embeds and/or adjusts and updates related security factors in them, or executes at least one of related information secret-state human-machine interaction, rendering factors or security code so that other devices, code or information execute related security processing in subsequent steps, then converts the secret-state information and code in the result into the secret-state information and code of the security domain of the next requested party or receiving party, and forwards or responds;
step S5: according to the security policy and the set security effect, the data security server performs refined data encryption/decryption and firewall functions for the response or forwarding by means of at least one of a user identifier, an information security-degree identifier, an encryption mode conversion identifier, a refined permission identifier and a refined permission encryption identifier, executes related security processing on, or embeds and/or adjusts and updates related security factors in, at least one of the data service, SQL request, UDF name, table name, view name, field name, stored procedure name, trigger name and SQL return result, or executes at least one of related information secret-state human-machine interaction, rendering factors or security code so that other devices, code or information are prepared to execute related security processing;
step S6: according to the security policy and the set security effect, the database of the website first converts the secret-state information and code of the user and device security domain in the request into the secret-state information and code of the designated security domain, executes related security processing on, or embeds and/or adjusts and updates related security factors in, at least one of the data service, SQL request, UDFs, stored procedures and their code, table names, view names, field names, stored procedure names, trigger names, tables, views, fields, stored procedures, triggers and SQL return results, or executes at least one of related information secret-state human-machine interaction, rendering factors or security code so that other devices, code or information execute related security processing in subsequent steps, then converts the secret-state information and code in the result into the secret-state information and code of the security domain of the next requested party or receiving party, and forwards or responds.
3. The DDOS-resistant one-time cross-domain full-lifecycle secret-information security method of claim 2, further comprising initialization of the system, the initialization comprising the steps of:
step S11: initializing the Web security server: requesting the corresponding security policy and set security effect from the password server, performing related initialization processing, initializing the "proof of display working duration" js script for countering DDOS and delaying requests, and initializing the code that can verify the proof of display working duration;
step S12: initializing the Web server: requesting the corresponding security policy and set security effect from the password server, performing related initialization processing, initializing all static pages, code files and the variable parameters therein, and initializing all static page directories and the structure of the static pages;
step S13: initializing the Web application server: requesting the corresponding security policy and set security effect from the password server, performing related initialization processing, adding a security filter, applying AOP (aspect-oriented programming) processing to the corresponding code, encrypting all SQL (structured query language) statements, initializing the database driver, and adding a ciphertext SQL statement execution module;
step S14: initializing the data security server: requesting the corresponding security policy and set security effect from the password server, performing related initialization processing, and initializing at least one of the user identifier, information security-degree identifier, encryption mode conversion identifier, refined permission identifier and refined permission encryption identifier used to perform refined data encryption/decryption and firewall rules, together with the code thereof;
step S15: initializing the database: requesting the corresponding security policy and set security effect from the password server, performing related initialization processing, installing UDFs (user-defined functions) so that ciphertext SQL statements can be executed, encrypting the corresponding tables, fields and views, and encrypting stored procedures and triggers;
step S16: initializing the password server: generating the required root key, the subordinate working keys and the required session keys, and providing management of and services for the corresponding security policy and set security effect.
4. The DDOS-resistant one-time cross-domain full-lifecycle secret-information security method of claim 3, characterized in that the browser or Web front end or micro-service request end, after the first or home page request made under the user's operation, must send requests that meet the website's security rules to the website according to the security policy and the set security effect requirement, the process comprising:
running, according to the security policy and the set security effect requirement, the "proof of display working duration" js script for countering DDOS and delaying requests;
running the security request auxiliary script, and sending to the server, according to the security rules, a one-time request carrying the corresponding "proof of display working duration" information.
5. The DDOS-resistant one-time cross-domain full-lifecycle secret-information security method of claim 4, characterized in that the running process of the "proof of display working duration" js script for countering DDOS and delaying requests comprises the following steps:
step S101: running the "proof of display working duration" js script for countering DDOS and delaying requests, as returned by the Web security server;
step S102: obtaining the specified character string from info01;
step S103: drawing it, in the font from info02, on a canvas with a white background at the specified character size;
step S104: computing the HASH value of the canvas image with the specified HASH function;
step S105: obtaining the next specified character string from info01;
step S106: drawing the characters obtained in step S105 on the previous canvas, in the font from info02, at the character display size and in the superposition mode that the script computes from the previous HASH value;
step S107: computing the HASH value of the canvas image with the specified HASH function;
step S108: repeating steps S105 to S107 until the HASH value meets the condition specified in the script;
step S109: sending the corresponding calculation result together with the page service request back to the back end.
6. The DDOS-resistant one-time cross-domain full-lifecycle secret-information security method of claim 2, characterized in that the Web security server of the website, after receiving the request, securely processes and forwards it, comprising:
after receiving the request, checking the one-time request URL, the one-time request parameter names and the parameter values;
checking whether the corresponding information is unused; if it has already been used, the check fails and the corresponding security policy and set security effect are executed; if it is unused, updating the information's "burn-after-use flag";
verifying the proof of display working duration according to the security policy and the set security effect requirement;
if the request is for a static web page, converting the corresponding request information into one-time ciphertext information of the Web server security domain and forwarding it to the Web server;
if the request is for a dynamic web page, converting the corresponding request information into one-time ciphertext information of the Web application server security domain and forwarding it to the Web application server.
7. The DDOS-resistant one-time cross-domain full-lifecycle secret-information security method of claim 6, characterized in that checking the proof of display working duration according to the security requirements comprises the following steps:
step S201: selectively checking the correctness of the final result and of part or all of the intermediate results according to the security policy and the set security effect;
step S202: running the code that verifies the proof of display working duration;
step S203: obtaining the specified character string from info01;
step S204: drawing the characters, in the font from info02, on a canvas with a white background at the specified character size;
step S205: computing the HASH value of the canvas image with the specified HASH function;
step S206: if the HASH value is correct and meets the specified security condition, the verification passes; otherwise it fails;
step S207: proceeding to the next step according to the security policy and the set security effect, including forwarding the request, rejecting the request, or continuing or strengthening the "proof of display working duration" requirement in order to counter or suppress DDOS;
wherein the techniques by which the proof of display working duration and its checking mechanism counter or suppress DDOS attacks include: a. adjusting the HASH value threshold that the proof of display working duration must meet; b. adjusting the image size; c. changing the order of image character rendering operations according to the computed HASH value; d. increasing the number of operable images that must be retained; e. adjusting the amount of intermediate-result data of the proof of display working duration that must be sent; f. repeatedly requesting retransmission of related network packets at the TCP/IP layer; g. adjusting at least one of the TCP window and QoS parameters and, at the TCP/IP layer, repeatedly requesting retransmission of packets already sent.
8. The DDOS-resistant one-time cross-domain full-lifecycle secret information security method as recited in claim 2, wherein the Web server of the website performs static ciphertext page security processing and security response after receiving a request, and the Web application server of the website performs dynamic page security processing and security response after receiving a request, comprising:
after receiving the request, the Web server of the website converts the corresponding one-time information into secret information of the Web server security domain;
matching the corresponding static page according to the converted Web server security domain information;
converting, by means of the cipher server, the ciphertext information in the corresponding page and its code into corresponding ciphertext information of the Web security server security domain, and returning it to the Web security server;
after receiving the request, the Web application server of the website converts the corresponding one-time information into secret information of the Web application server security domain;
matching the corresponding dynamic page and its information, code and objects according to the converted Web application server security domain information;
if a security service of the data security server needs to be requested, converting, by means of the cipher server, the ciphertext information in the corresponding SQL statement into corresponding ciphertext information of the data security server security domain, initiating a secure data security service request to the data security server, and then completing the security processing of the service response result;
if a data service of the database needs to be requested, converting, by means of the cipher server, the ciphertext information in the corresponding SQL statement into corresponding ciphertext information of the database security domain, initiating a secret data service request to the database, and completing the security processing of the service response result;
converting, by means of the cipher server, the ciphertext information in the corresponding dynamic page or micro-service request result and its code, in the return result of the data security server, or in the data service return result of the database into ciphertext information of the Web security server security domain, and packaging it and returning it to the Web security server;
after the data security server receives the data security service request, converting the related one-time ciphertext information into ciphertext information of the data security server information security domain by means of the cipher server;
acquiring the related SQL information and at least one of an application user identifier, an information security level identifier, an encryption mode conversion identifier, a fine-grained authority identifier and a fine-grained authority encryption identifier according to the converted secret information;
performing fine-grained data encryption and decryption, and applying the firewall rules for responding or forwarding, according to at least one of the application user identifier, information security level identifier, encryption mode conversion identifier, fine-grained authority identifier and fine-grained authority encryption identifier;
removing from, or retaining in, the processed SQL information the application user identifier, information security level identifier, encryption mode conversion identifier, fine-grained authority identifier and fine-grained authority encryption identifier;
if a data service of the database needs to be requested, converting, by means of the cipher server, the ciphertext information in the corresponding SQL statement into corresponding ciphertext information of the database security domain, initiating a secret data service request to the database, and completing the security processing of the service response result;
converting, by means of the cipher server, the ciphertext information in the data service return result of the corresponding database into ciphertext information of the Web application server security domain, and packaging it and returning it to the Web application server;
wherein the ciphertext conversion is performed either by decrypting and then re-encrypting, or as a fully confidential ciphertext-to-ciphertext conversion using homomorphic encryption or multi-party secure computation (privacy computing).
9. The DDOS-resistant one-time cross-domain full-lifecycle secret information security method of claim 8, wherein the database server is configured for data security service processing and security response, comprising:
after receiving a data service request, converting the related one-time ciphertext information into ciphertext information of the database service information security domain by means of the cipher server;
executing the related SQL according to the converted secret information to acquire the related information;
converting the related ciphertext information into ciphertext information of the security domain of the application server or of the data security server, depending on which of them is the requesting object, and returning it to that application server or data security server;
wherein the ciphertext conversion is performed either by decrypting and then re-encrypting, or as a fully confidential ciphertext-to-ciphertext conversion using homomorphic encryption or multi-party computation.
10. The DDOS-resistant one-time cross-domain full-lifecycle secret information security method of claim 2, wherein the Web security server is further configured for security processing and security response, comprising:
after receiving the response of the Web server or the Web application server, performing the corresponding security processing on the corresponding ciphertext information by means of the cipher server;
converting the corresponding ciphertext information into one-time format-preserving secret information for the browser, Web front end or micro-service requester according to the security rules, and resetting the "burn-after-use flag" of the corresponding information to 0;
adding or omitting, according to the security strategy and the set security effect requirement, a "prove display working duration" JS script that counters DDOS and delays the request in the return packet;
adding, according to the security strategy and the set security effect requirement and without decrypting, the ciphertext webfont file required to display the corresponding ciphertext, together with any one of the required ciphertext auxiliary display, ciphertext auxiliary processing script, ciphertext request auxiliary script and ciphertext security check script;
and returning the processed and packaged response to the browser, Web front end or micro-service requester.
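The cross-domain ciphertext conversion and the "burn-after-use flag" of claims 8 to 10, as an added Python example that is not the patent's own code: a minimal cipher server holding one constructed key per security domain converts a one-time ciphertext by decrypting under the source domain's key and re-encrypting under the destination's, and refuses to convert the same one-time form twice. The HMAC-SHA256 keystream cipher, the per-domain keys and the class and method names are assumptions standing in for a real AEAD.

```python
import hashlib
import hmac
import secrets

# Added example, not the patent's own code: a minimal "cipher server" for the
# cross-domain conversion in claims 8-10. Each security domain has its own key
# (constructed here); conversion decrypts under the source domain's key and re-encrypts
# under the destination's, so the requesting server never holds plaintext. The
# "burn-after-use flag" is modelled as a set of spent tokens: a one-time ciphertext
# converts at most once. The cipher is an HMAC-SHA256 keystream plus an HMAC tag,
# a self-contained stand-in for a real AEAD such as AES-GCM.

class CipherServer:
    def __init__(self, domains):
        self.keys = {d: secrets.token_bytes(32) for d in domains}
        self.burned = set()  # tokens whose burn-after-use flag has been raised

    def _keystream(self, key: bytes, nonce: bytes, length: int) -> bytes:
        out, counter = b"", 0
        while len(out) < length:
            out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def _tag(self, key: bytes, domain: str, nonce: bytes, body: bytes) -> bytes:
        # The domain name is bound into the tag so a ciphertext cannot be replayed elsewhere.
        return hmac.new(key, domain.encode() + nonce + body, hashlib.sha256).digest()

    def encrypt(self, domain: str, plaintext: bytes) -> tuple:
        """Issue a fresh one-time ciphertext for `domain`; its flag starts at 0 (unused)."""
        key, nonce = self.keys[domain], secrets.token_bytes(16)
        body = bytes(a ^ b for a, b in zip(plaintext, self._keystream(key, nonce, len(plaintext))))
        return (secrets.token_hex(8), nonce, body, self._tag(key, domain, nonce, body))

    def decrypt(self, domain: str, ct: tuple) -> bytes:
        token, nonce, body, tag = ct
        key = self.keys[domain]
        if not hmac.compare_digest(tag, self._tag(key, domain, nonce, body)):
            raise ValueError(f"ciphertext {token} is not valid in domain {domain}")
        return bytes(a ^ b for a, b in zip(body, self._keystream(key, nonce, len(body))))

    def convert(self, src: str, dst: str, ct: tuple) -> tuple:
        """Cross-domain conversion by decrypt-then-encrypt, entirely inside the cipher
        server. The incoming one-time form is burned; the result is a new one-time form."""
        token = ct[0]
        if token in self.burned:
            raise PermissionError(f"one-time ciphertext {token} already used")
        plaintext = self.decrypt(src, ct)   # tag check happens before the token is spent
        self.burned.add(token)
        return self.encrypt(dst, plaintext)
```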
CN202210636652.9A 2022-06-07 2022-06-07 DDOS (distributed denial of service) prevention one-time cross-domain information full-life-cycle secret security system and method Pending CN115001830A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210636652.9A CN115001830A (en) 2022-06-07 2022-06-07 DDOS (distributed denial of service) prevention one-time cross-domain information full-life-cycle secret security system and method

Publications (1)

Publication Number Publication Date
CN115001830A true CN115001830A (en) 2022-09-02

Family

ID=83033620

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210636652.9A Pending CN115001830A (en) 2022-06-07 2022-06-07 DDOS (distributed denial of service) prevention one-time cross-domain information full-life-cycle secret security system and method

Country Status (1)

Country Link
CN (1) CN115001830A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070294253A1 (en) * 2006-06-20 2007-12-20 Lyle Strub Secure domain information protection apparatus and methods
CN106657044A (en) * 2016-12-12 2017-05-10 杭州电子科技大学 Webpage address hopping method for improving security defense of website system
CN110381049A (en) * 2019-07-12 2019-10-25 浙江智贝信息科技有限公司 WEB dynamic security defence method and system
CN110881044A (en) * 2019-12-05 2020-03-13 北京宏达隆和科技有限公司 Computer firewall dynamic defense security platform

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
丁滟; 魏立峰; 富弘毅: "LAMP server security protection scheme based on security domain isolation" (基于安全域隔离的LAMP服务器安全保护方案), 计算机应用 (Computer Applications), no. 1, 30 June 2010 (2010-06-30) *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination