CN115499252B - Page restoration device, page restoration method, electronic device and storage medium - Google Patents

Publication number: CN115499252B
Authority: CN (China)
Prior art keywords: access request, target, copied, page, response
Legal status: Active
Application number: CN202211442692.6A
Other languages: Chinese (zh)
Other versions: CN115499252A (en)
Inventors: 杨更, 李鹏飞, 张福, 程度
Current Assignee: Beijing Shengxin Network Technology Co ltd
Original Assignee: Beijing Shengxin Network Technology Co ltd
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/95 Retrieval from the web
    • G06F16/957 Browsing optimisation, e.g. caching or content distillation
    • H04L63/12 Applying verification of the received information
    • H04L63/126 Applying verification of the received information the source of the received data
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1433 Vulnerability analysis
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/146 Tracing the source of attacks

Abstract

The application provides a page restoring apparatus, a page restoring method, an electronic device and a storage medium, and relates to the field of network security. The restoring apparatus comprises an acquisition device, a response device and a restoring device. The acquisition device is used for acquiring the access request, receiving the target response, rendering page information of the target page included in the target response at the client, and copying the access request and the target response; the response device is used for receiving the access request, determining the target response corresponding to the access request and sending the target response to the acquisition device; and the restoring device is used for restoring, at the server side, the target page displayed to the user at the client by using the copied access request and the copied target response, to obtain the restored target page. With the technical scheme provided by the application, the situation in which source tracing becomes impossible because an attacker erases the log information of the attack after successfully invading the server is avoided, and the diversity and accuracy of tracing network attacks are improved.

Description

Page restoration device, page restoration method, electronic device and storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to a page restoring device, a page restoring method, an electronic device, and a storage medium.
Background
The rapid development of information technology, and especially the continuous emergence of new technologies, new industries and new applications, has brought great convenience to people's lives, but it has also brought new challenges to information security. In recent years, because network security protection has not been adequate, numerous mobile phones, computers and network platforms have been compromised by hackers and the like, and network security incidents such as personal information leakage and personal property loss occur frequently, bringing huge losses to individuals and enterprises.
At present, network applications may contain various web page security vulnerabilities because they are not developed according to standards. After a network attack, the source of an information security event is usually traced by using log information to trace the pages the user accessed at the client. However, after an attacker successfully invades a server, the attacker can erase the log information of the attack on the host, which makes this tracing unavailable. How to trace the behavior of the user at the client has therefore become a problem to be solved urgently.
Disclosure of Invention
In view of this, an object of the present application is to provide a page restoring apparatus, a page restoring method, an electronic device, and a storage medium that copy an access request and the corresponding response and use the copied access request and the copied response to restore, at the server side and through a restoring device, the page that was displayed to the user at the client. The behavior of the user accessing the page can then be traced based on the restored page. This avoids the situation in which source tracing becomes impossible because an attacker erases the log information of the attack after successfully invading the server, improves the diversity and accuracy of tracing network attacks, and thus improves the security of the network application.
The application mainly comprises the following aspects:
In a first aspect, an embodiment of the present application provides a page restoring apparatus, where the restoring apparatus is deployed at a server side and includes an acquisition device, a response device, and a restoring device;
the acquisition device is used for acquiring an access request for a target page sent by a user at a client and sending the access request to the response device; receiving a target response corresponding to the access request sent by the response device, and rendering page information of the target page included in the target response at the client to display the rendered target page to the user; and, after receiving the target response corresponding to the access request sent by the response device, copying the access request and the target response corresponding to the access request, and sending the copied access request and the copied target response to the restoring device;
the response device is in communication connection with the acquisition device and is used for receiving the access request, determining a target response corresponding to the access request and sending the target response to the acquisition device;
the restoring device is in communication connection with the acquisition device and is used for acquiring the copied access request and the copied target response sent by the acquisition device, restoring, at the server side, the target page displayed to the user by the client based on the copied access request and the copied target response to obtain a restored target page, and tracing the behavior of the user accessing the target page based on the restored target page.
Further, after sending the target response to the acquisition device, the response device is further configured to:
record the access request and the target response corresponding to the access request to obtain log information, so that the behavior of the user accessing the target page can be traced based on the log information.
Further, the restoring device comprises a storage server, a headless browser and a virtual server;
the storage server is used for acquiring the copied access request and the copied target response sent by the acquisition device and storing the copied access request and the copied target response as a mapping relation;
the headless browser is used for acquiring the copied access request stored in the storage server and sending the copied access request to the virtual server; receiving the copied target response sent by the virtual server, and restoring the page information of the target page included in the copied target response at the server to obtain a restored target page;
the virtual server is configured to receive the copied access request sent by the headless browser, determine, based on the copied access request, a copied target response corresponding to the copied access request in a mapping relationship stored in the storage server, and send the copied target response to the headless browser.
Furthermore, the restoring apparatus also comprises an alarm device;
the alarm device is in communication connection with the restoring device and is used for receiving the restored target page sent by the restoring device and determining, by using a sensitive information set, whether the target page contains sensitive information; and if so, recording the access request and the corresponding sensitive information on the target page, and generating alarm information.
Further, the storage server is further configured to:
performing hash processing on the copied access request to obtain a hash value corresponding to the copied access request;
and storing the hash value corresponding to the copied access request and the copied target response as a mapping relation.
Further, the virtual server is further configured to:
based on the copied access request, performing hash processing on the copied access request to obtain a target hash value corresponding to the copied access request;
and determining the copied target response corresponding to the target hash value in the mapping relation stored in the storage server based on the target hash value, and sending the copied target response to the headless browser.
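The hash-keyed mapping and the alarm check described above can be sketched end to end as follows. This is an added example, not code from the patent: the class and function names, the choice of SHA-256, the fields fed into the hash, the two sample patterns and the masking of matched values are all assumptions, and plain HTML text extraction stands in for rendering by the headless browser.

```python
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


def request_key(method, url, body=b""):
    """Hash only the fields that identify the copied request.

    Assumption: volatile headers (User-Agent, Date, cookies) are excluded so the
    request re-issued by the headless browser hashes to the same key.
    """
    parts = urlsplit(url)
    fields = [method.upper(), parts.netloc.lower(), parts.path or "/", parts.query]
    return hashlib.sha256("\n".join(fields).encode() + b"\n" + body).hexdigest()


class StorageServer:
    """Stand-in for the storage server: request hash -> copied responses."""

    def __init__(self):
        self._by_key = {}

    def store(self, method, url, body, status, headers, response_body):
        key = request_key(method, url, body)
        # Keep every capture: the same request can return different pages over
        # time or for different users, and all of them are evidence.
        self._by_key.setdefault(key, []).append(
            {"status": status, "headers": dict(headers), "body": response_body})
        return key

    def lookup(self, key):
        return self._by_key.get(key, [])


class VirtualServer:
    """Stand-in for the virtual server: answers only from copied traffic."""

    def __init__(self, storage):
        self.storage = storage

    def handle(self, method, url, body=b"", capture_index=-1):
        captures = self.storage.lookup(request_key(method, url, body))
        if not captures:
            # Never fall through to the live application: a replayed request
            # may carry an attack payload and must stay inside the replay.
            return {"status": 404, "headers": {}, "body": b""}
        return captures[capture_index]


class VisibleText(HTMLParser):
    """Collects text a user would see, skipping script and style content."""

    def __init__(self):
        super().__init__()
        self._skip = 0
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip and data.strip():
            self.chunks.append(data.strip())


# Constructed sensitive information set (illustrative patterns only).
SENSITIVE_SET = {
    "mainland_mobile": re.compile(r"(?<!\d)1[3-9]\d{9}(?!\d)"),
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
}


def mask(value):
    # Assumption: alerts keep a masked value so the alert log is not itself a leak.
    return value[:3] + "*" * (len(value) - 5) + value[-2:]


def scan_restored_page(method, url, body, server):
    """Replay one copied request and raise alerts for sensitive data on the page."""
    response = server.handle(method, url, body)
    parser = VisibleText()
    parser.feed(response["body"].decode("utf-8", errors="replace"))
    parser.close()
    text = " ".join(parser.chunks)
    return [{"request": f"{method} {url}", "type": name, "value": mask(hit)}
            for name, pattern in SENSITIVE_SET.items()
            for hit in pattern.findall(text)]


def demo():
    storage = StorageServer()
    # Constructed capture, as the acquisition device would hand it over.
    storage.store("GET", "http://SHOP.example/user/profile?id=7", b"", 200,
                  {"Content-Type": "text/html"},
                  b"<html><body><h1>Profile</h1><p>Phone: 13800138000</p>"
                  b"<script>var t='alice@example.com';</script></body></html>")
    server = VirtualServer(storage)
    return scan_restored_page("GET", "http://shop.example/user/profile?id=7", b"", server)


if __name__ == "__main__":
    print(demo())
```

Which request fields enter the hash decides whether replay finds the capture: hashing the full header set would make the headless browser's re-issued request miss the stored response.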
In a second aspect, an embodiment of the present application further provides a page restoring method, where the page restoring method is applied to any one of the restoring apparatuses described above, and the restoring method includes:
acquiring an access request aiming at a target page sent by a user at a client, and determining a target response corresponding to the access request based on the access request;
acquiring page information of the target page included in the target response, and rendering the page information of the target page included in the target response at the client to display the rendered target page to a user;
after determining a target response corresponding to the access request, copying the access request and the target response corresponding to the access request, restoring a target page displayed to a user by the client at the server side based on the copied access request and the copied target response to obtain a restored target page, and tracing the behavior of the user for accessing the target page based on the restored target page.
Further, after determining the target response corresponding to the access request, the restoring method further includes:
and recording the access request and a target response corresponding to the access request to obtain log information, and tracing the behavior of the user accessing the target page based on the log information.
In a third aspect, an embodiment of the present application further provides an electronic device, including: a processor, a memory and a bus, the memory storing machine-readable instructions executable by the processor, the processor and the memory communicating via the bus when the electronic device is running, the machine-readable instructions being executable by the processor to perform the steps of the page restoration method as described above.
In a fourth aspect, the present application further provides a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the steps of the page restoring method are performed as described above.
The embodiments of the application provide a page restoring apparatus, a page restoring method, an electronic device and a storage medium. The page restoring apparatus is deployed at a server side and comprises an acquisition device, a response device and a restoring device. The acquisition device is used for acquiring an access request for a target page sent by a user at a client and sending the access request to the response device; receiving a target response corresponding to the access request sent by the response device, and rendering page information of the target page included in the target response at the client to display the rendered target page to the user; and, after receiving the target response corresponding to the access request sent by the response device, copying the access request and the target response corresponding to the access request, and sending the copied access request and the copied target response to the restoring device. The response device is in communication connection with the acquisition device and is used for receiving the access request, determining a target response corresponding to the access request and sending the target response to the acquisition device. The restoring device is in communication connection with the acquisition device and is used for acquiring the copied access request and the copied target response sent by the acquisition device, restoring, at the server side, the target page displayed to the user by the client based on the copied access request and the copied target response to obtain a restored target page, and tracing the behavior of the user accessing the target page based on the restored target page.
Therefore, with the technical scheme provided by the application, the access request and the corresponding response can be copied, and the copied access request and the copied response are used by the restoring device to restore, at the server side, the page displayed to the user at the client, so that the behavior of the user accessing the page is traced based on the restored page. This avoids the situation in which source tracing becomes impossible because an attacker erases the log information of the attack after successfully invading the server, improves the diversity and accuracy of tracing network attacks, and improves the security of the network application.
In order to make the aforementioned objects, features and advantages of the present application comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and for those skilled in the art, other related drawings can be obtained from the drawings without inventive effort.
Fig. 1 shows a first schematic structural diagram of a page restoring apparatus provided in an embodiment of the present application;
Fig. 2 shows a second schematic structural diagram of a page restoring apparatus provided in an embodiment of the present application;
Fig. 3 is a flowchart illustrating a page restoring method according to an embodiment of the present application;
Fig. 4 shows a schematic structural diagram of an electronic device provided in an embodiment of the present application.
Reference numerals: 100 - restoring apparatus; 110 - acquisition device; 120 - response device; 130 - restoring device; 131 - storage server; 132 - headless browser; 133 - virtual server; 140 - alarm device; 400 - electronic device; 410 - processor; 420 - memory; 430 - bus.
Detailed Description
To make the purpose, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it should be understood that the drawings in the present application are for illustrative and descriptive purposes only and are not used to limit the scope of protection of the present application. Additionally, it should be understood that the schematic drawings are not necessarily drawn to scale. The flowcharts used in this application illustrate operations implemented according to some embodiments of the present application. It should be understood that the operations of the flow diagrams may be performed out of order, and that steps without logical context may be reversed in order or performed concurrently. In addition, one skilled in the art, under the guidance of the present disclosure, may add one or more other operations to the flowchart, or may remove one or more operations from the flowchart.
In addition, the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. The components of the embodiments of the present application, generally described and illustrated in the figures herein, can be arranged and designed in a wide variety of different configurations. Thus, the following detailed description of the embodiments of the present application, presented in the accompanying drawings, is not intended to limit the scope of the claimed application, but is merely representative of selected embodiments of the application. All other embodiments, which can be derived by a person skilled in the art from the embodiments of the present application without making any creative effort, shall fall within the protection scope of the present application.
To enable those skilled in the art to utilize the present disclosure, the following embodiments are presented in conjunction with a specific application scenario, "page restoration", and it will be apparent to those skilled in the art that the general principles defined herein may be applied to other embodiments and application scenarios without departing from the spirit and scope of the present disclosure.
The following device, method, electronic device or computer-readable storage medium in the embodiments of the present application may be applied to any scenario where a page needs to be restored, and the embodiments of the present application do not limit a specific application scenario, and any scheme that uses the page restoring device, the page restoring method, the electronic device and the storage medium provided in the embodiments of the present application is within the scope of protection of the present application.
It is worth noting that the rapid development of information technology, and especially the continuous emergence of new technologies, new business forms and new applications, has brought great convenience to people's lives, but it has also brought new challenges to information security. In recent years, because network security protection has not been adequate, numerous mobile phones, computers and network platforms have been compromised by hackers and the like, and network security incidents such as personal information leakage and personal property loss occur frequently, bringing huge losses to individuals and enterprises.
At present, network applications may contain various web page security vulnerabilities because of non-standard development. After a network attack, the source of an information security event is usually traced by using log information to trace the web pages the user accessed at the client. However, after an attacker successfully invades a server, the log information of the attack is erased on the host, which makes this tracing unavailable. How to trace the behavior of the user at the client has therefore become a problem to be solved urgently.
Based on this, the application provides a page restoring apparatus, a page restoring method, an electronic device and a storage medium. The page restoring apparatus is deployed at a server side and comprises an acquisition device, a response device and a restoring device. The acquisition device is used for acquiring an access request for a target page sent by a user at a client and sending the access request to the response device; receiving a target response corresponding to the access request sent by the response device, and rendering page information of the target page included in the target response at the client to display the rendered target page to the user; and, after receiving the target response corresponding to the access request sent by the response device, copying the access request and the target response corresponding to the access request, and sending the copied access request and the copied target response to the restoring device. The response device is in communication connection with the acquisition device and is used for receiving the access request, determining a target response corresponding to the access request and sending the target response to the acquisition device. The restoring device is in communication connection with the acquisition device and is used for acquiring the copied access request and the copied target response sent by the acquisition device, restoring, at the server side, the target page displayed to the user by the client based on the copied access request and the copied target response to obtain a restored target page, and tracing the behavior of the user accessing the target page based on the restored target page.
Therefore, with the technical scheme provided by the application, the access request and the corresponding response can be copied, and the copied access request and the copied response are used by the restoring device to restore, at the server side, the page displayed to the user at the client, so that the behavior of the user accessing the page is traced based on the restored page. This avoids the situation in which source tracing becomes impossible because an attacker erases the log information of the attack after successfully invading the server, improves the diversity and accuracy of tracing network attacks, and improves the security of the network application.
Further, a page restoring apparatus 100 disclosed in the present application is introduced.
Referring to Fig. 1, Fig. 1 is a schematic structural diagram of a page restoring apparatus 100 provided in an embodiment of the present application. The page restoring apparatus 100 is deployed at a server side and includes an acquisition device 110, a response device 120, and a restoring device 130. The acquisition device 110 acquires an access request and sends the access request to the response device 120; the response device 120 receives the access request, determines a target response corresponding to the access request, and sends the target response to the acquisition device 110; after receiving the target response, the acquisition device 110 copies the access request and the target response, and sends the copied access request and the copied target response to the restoring device 130; the restoring device 130 restores, at the server side, the target page displayed to the user by the client based on the received copied access request and the copied target response, so as to obtain a restored target page.
Specifically, the acquisition device 110 is configured to obtain an access request, which is sent by a user at a client and is addressed to a target page, and send the access request to the response device 120; receiving a target response corresponding to the access request sent by the response device 120, and rendering page information of the target page included in the target response at the client, so as to display the rendered target page to a user; after receiving the target response corresponding to the access request sent by the response device 120, the access request and the target response corresponding to the access request are copied, and the copied access request and the copied target response are sent to the restoration device 130.
Here, an acquisition device 110 (a front-end reverse proxy server, such as OpenResty or Nginx) needs to be connected into the link of the original network application (web application), that is, into the link between the client and the response device 120. The reverse proxy server proxies the intranet application behind it (a web app cluster, that is, a response device 120 composed of multiple application servers), and also includes a plug-in capable of acquiring and copying a request and the corresponding response; the plug-in transfers the copied traffic information (the request and the corresponding response) to a storage server 131 (for example, a database) in the restoring device 130.
It should be noted that the access request and the target response may be copied by using a traffic mirroring technology; traffic mirroring and restoring may be performed on a network device or at the application-layer software level. On a network device, traffic mirroring is typically implemented by using the switch's built-in commands to map specified network traffic (e.g., access requests and target responses) to another port. In this embodiment, layer-7 HTTP traffic is mirrored directly in application-layer software (the acquisition device 110, e.g., OpenResty). For example, the body_filter_by_lua and log_by_lua lifecycle phases of ngx-lua-module, a core module of OpenResty, may be used to obtain the traffic (e.g., access request and target response) and to record the traffic, respectively. Because the traffic is copied at layer 7, the specific content of the layer-7 HTTP traffic is obtained directly, without a restoration step.
Illustratively, the plug-in in the acquisition device 110 that obtains and copies the request and the corresponding response may be a Lua plug-in for OpenResty, and the entire lifecycle of the Lua plug-in includes: Initialization Phase, Rewrite/Access Phase, Content Phase, Log Phase, and the like. HTTP traffic (including requests and corresponding responses) may be copied in the body_filter_by_lua sub-phase of the Content Phase. After the traffic is copied, the copied traffic is transferred to the storage server 131 in the restoring device 130 through log_by_lua in the Log Phase, thereby completing traffic transmission.
Specifically, the response device 120 is communicatively connected to the acquisition device 110, and is configured to receive the access request, determine a target response corresponding to the access request, and send the target response to the acquisition device 110.
Further, after sending the target response to the acquisition device, the response device is further configured to: record the access request and the target response corresponding to the access request to obtain log information, so that the behavior of the user accessing the target page can be traced based on the log information.
Here, network attack techniques include the common cross-site scripting (XSS), SQL injection, cross-site request forgery (CSRF), and server-side request forgery (SSRF). All of them require the attacker to access pages of a web application, find a vulnerable page or interface, and then launch an attack with an attack payload, thereby achieving the purpose of invading the web application system. At present, web applications may contain various web security vulnerabilities because of non-standard development, so the attack steps of an attacker and the historical web pages the attacker visited need to be restored from the HTTP traffic of the access requests; the real vulnerable pages and the principle of the vulnerability can then be deduced, the vulnerabilities repaired, and security improved. The current technical scheme for tracing a web attack is to trace the source of information security events from the log information of web access. Its common defect is that once an attack succeeds and the attacker has invaded the server, the log information of the attack can be erased on the host, so that the tracing is unavailable.
Specifically, the restoring device 130 is communicatively connected to the acquisition device 110, and is configured to obtain the copied access request and the copied target response sent by the acquisition device 110, and restore, at the server side, the target page displayed to the user by the client based on the copied access request and the copied target response, to obtain a restored target page, so as to trace the behavior of the user accessing the target page based on the restored target page.
Here, a tracing means other than log information is provided: based on the copied access request and target response, the target page requested by the user at the client is restored one-to-one at the server side through the restoring device 130. Therefore, when an attacker erases log information and the attack steps cannot be traced through the log information, the restoring apparatus 100 provided by this embodiment can restore the pages accessed by users and trace the specific pages a user accessed at any time and the sensitive data on those pages, improving the tracing accuracy.
Further, referring to fig. 2, fig. 2 is a second schematic structural diagram of the page restoration equipment. As shown in fig. 2, the restoring device 130 includes a storage server 131, a headless browser 132, and a virtual server 133. The storage server 131 is configured to obtain the copied access request and the copied target response sent by the acquisition device 110, and to store the copied access request and the copied target response as a mapping relationship. The headless browser 132 is configured to obtain the copied access request stored in the storage server 131 and send the copied access request to the virtual server 133, and to receive the copied target response sent by the virtual server 133 and restore, at the server side, the page information of the target page included in the copied target response to obtain a restored target page. The virtual server 133 is configured to receive the copied access request sent by the headless browser 132, determine, based on the copied access request, the copied target response corresponding to the copied access request in the mapping relationship stored in the storage server 131, and send the copied target response to the headless browser 132.
Illustratively, a headless browser 132 needs to be maintained at the server side; the headless browser 132 may be a cluster of headless browsers. A headless browser is a browser without a user interface that can run on a server; Chrome has supported headless mode since the 59 beta version. Headless mode allows Chrome to run without an interface, as a browser process with no window, which can then be operated through a programming interface or the Chrome developer debugging tools, including loading pages and acquiring metadata (DOM information and the like); all functions provided by Chrome can be used. The headless browser may be Chrome, and the code logic may communicate with it through the JSON Wire Protocol. The HTTP requests stored in the storage server 131 are replayed at the server side through the headless browser, and the HTTP page is restored from the target response (HTTP response).
Here, the above operation is repeated for each access request replayed in the headless browser, so that all information of the pages operated in each browser can be restored by the headless browser.
Here, the access request (e.g., an HTTP request) initiated by the headless browser 132 is not passed through to the real server but to the virtual server 133 (mock server). The advantage is that HTTP requests replayed by the headless browser may be dangerous operations, such as deleting a user or resetting a password, and if they were passed through to the real server (web server) they could have an invasive effect on the business logic of the web app. The mock server works together with the headless browser: for each request initiated by the headless browser, the mock server returns the corresponding previously stored response. This completes the traffic reassembly and faithfully restores a snapshot of the historically accessed page, with no invasive effect on the real server.
Here, the virtual server 133 (mock server) may be used to emulate HTTP and HTTPS services. When the mock server receives an access request (such as an HTTP request), it searches the rules previously configured in the storage server 131 and, if the HTTP request matches one, returns the previously specified response.
Further, the storage server 131 is further configured to: perform hash processing on the copied access request to obtain a hash value corresponding to the copied access request; and store the hash value corresponding to the copied access request and the copied target response as a mapping relation.
For example, when the storage server 131 stores data, the storage rule may be as follows: the URL in the access request (HTTP request) and the HTTP request parameters (e.g., parameters such as a user name and a password) are hashed, the resulting hash value is used as the key of a key-value pair, and the target response (HTTP response) corresponding to the access request is stored as the value of that key-value pair, which makes lookup easy in the subsequent restoration process.
Further, the virtual server 133 is further configured to: perform hash processing on the copied access request to obtain a target hash value corresponding to the copied access request; and, based on the target hash value, determine the copied target response corresponding to the target hash value in the mapping relationship stored in the storage server 131, and send the copied target response to the headless browser 132.
Here, the virtual server 133 (mock server) first hashes the URL of the access request (HTTP request) and the parameters in the request (for example, parameters such as the user name and the password) and uses the resulting hash value as the target hash value. It then searches for the target hash value (key) among the key-value pairs stored in the storage server 131 and returns the target response corresponding to the target hash value (that is, the value corresponding to the key) to the headless browser, which uses the browser's rendering and parsing capabilities to re-render the page information corresponding to the target response.
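The storage rule and the mock-server lookup described above can be sketched as follows. This is an added example, not code from the patent; including the HTTP method and host in the hash, sorting the parameters, and replaying repeated identical requests in capture order are assumptions, as are all names and the sample traffic.

```python
"""Added example: hash-keyed replay store and mock server (not the patent's code)."""
import hashlib
from collections import defaultdict
from urllib.parse import parse_qsl, urlencode, urlsplit


def request_key(method, url, body=""):
    """Hash the URL and the request parameters into a lookup key.

    Assumption: method and host are part of the key and parameters are
    sorted, so parameter order does not change the key.
    """
    parts = urlsplit(url)
    params = sorted(
        parse_qsl(parts.query, keep_blank_values=True)
        + parse_qsl(body, keep_blank_values=True)
    )
    canonical = "\n".join(
        [method.upper(), parts.netloc.lower(), parts.path or "/", urlencode(params)]
    )
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class ReplayStore:
    """Storage server role: key = request hash, value = captured response(s)."""

    def __init__(self):
        self._responses = defaultdict(list)

    def record(self, method, url, body, response):
        key = request_key(method, url, body)
        self._responses[key].append(response)
        return key

    def lookup(self, key, occurrence=0):
        captured = self._responses.get(key)
        if not captured:
            return None
        # Identical requests seen more than once: replay in capture order,
        # then keep returning the last captured response.
        return captured[min(occurrence, len(captured) - 1)]


class MockServer:
    """Virtual server role: answers the headless browser from the store only."""

    def __init__(self, store):
        self._store = store
        self._seen = defaultdict(int)
        self.misses = []

    def handle(self, method, url, body=""):
        key = request_key(method, url, body)
        response = self._store.lookup(key, self._seen[key])
        self._seen[key] += 1
        if response is None:
            # Unmatched requests are answered locally and recorded; nothing
            # is ever forwarded to the real web server.
            self.misses.append((method, url))
            return {"status": 404, "headers": {}, "body": ""}
        return response


def _html(body):
    return {"status": 200, "headers": {"Content-Type": "text/html"}, "body": body}


# Constructed sample traffic (not from the patent).
CAPTURED = [
    ("GET", "http://app.example/users?page=1&sort=name", "", _html("<h1>Users</h1>")),
    ("POST", "http://app.example/users/delete", "id=7", _html("<p>User 7 deleted</p>")),
    ("GET", "http://app.example/users?page=1&sort=name", "",
     _html("<h1>Users</h1><p>6 users</p>")),
]


def replay_demo():
    """Record the captured traffic, then replay it through the mock server."""
    store = ReplayStore()
    for method, url, body, response in CAPTURED:
        store.record(method, url, body, response)
    mock = MockServer(store)
    bodies = [mock.handle(m, u, b)["body"] for m, u, b, _ in CAPTURED]
    miss = mock.handle("GET", "http://app.example/admin")
    return bodies, miss["status"], mock.misses


if __name__ == "__main__":
    print(replay_demo())
```

The replayed `POST /users/delete` is answered from the store, so the destructive request never reaches the application, and the stored key reveals nothing about the user name or password parameters even though the captured request itself still contains them.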
Further, the restoration equipment 100 further includes an alarm device 140. The alarm device 140 is communicatively connected to the restoring device 130, and is configured to receive the restored target page sent by the restoring device 130 and determine, by using a sensitive information set, whether the target page contains sensitive information; if so, it records the access request and the corresponding sensitive information on the target page and generates alarm information.
Illustratively, sensitive data in the restored HTTP traffic (the access request and its corresponding target response) can be found using the sensitive information set. An alarm can be raised when a restored page is determined to contain sensitive data, and the sensitive data can then be screened manually to identify the sensitive page content in the web application system. When sensitive data is leaked, suspicious users can be traced clearly: which user accessed which sensitive pages and content at what time.
It should be noted that the page restoration method in the prior art is limited to a specific CRNWEB framework and, when actually restoring a page, additionally requires the server to make a buried-point (instrumentation) log service call. The embodiment provided by the present application places no restriction on the web framework of the server and does not require any special instrumentation service call at the server. It only collects the access requests and target responses (HTTP traffic) and restores the browser's historical page information by using a headless browser cluster and a mock server at the server side, so that the HTTP traffic is restored to web pages as they were visible in the browser, with no invasive effect on the real web server during restoration. Finally, the restored web pages are used to trace web attack behavior and to identify sensitive information, so that it can be accurately determined which user accessed which specific page of the web application containing sensitive content at what time. This page restoration method can assist in tracing web attacks suffered by a web app, improve the accuracy and diversity of tracing, support data security audits of the web app by judging whether a page contains sensitive data, and improve network security.
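The alarm check on a restored page can be sketched as follows. This is an added example, not code from the patent: the contents of the sensitive information set, the request fields (`user`, `time`, `url`), the choice to scan only visible text, and the masking of matched values in the alarm record are all assumptions, and the sample page is constructed.

```python
"""Added example: sensitive-information alarm on a restored page (not the patent's code)."""
import re
from html.parser import HTMLParser

# Assumed sensitive information set; the patent does not list its contents.
SENSITIVE_SET = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "cn_mobile": re.compile(r"(?<!\d)1[3-9]\d{9}(?!\d)"),
    "keyword": re.compile(r"(?i)\b(?:password|api[_-]?key|secret)\b"),
}


class VisibleText(HTMLParser):
    """Collect the text a user would see; skip <script> and <style> content."""

    def __init__(self):
        super().__init__()
        self._skip = 0
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip and data.strip():
            self.chunks.append(data.strip())


def mask(value):
    """Keep two characters at each end so the alarm does not re-leak the data."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 4) + value[-2:]


def scan_restored_page(request, html):
    """Return an alarm record if the restored page shows sensitive data, else None."""
    parser = VisibleText()
    parser.feed(html)
    parser.close()
    text = " ".join(parser.chunks)
    hits = [
        {"type": name, "value": mask(match.group(0))}
        for name, pattern in SENSITIVE_SET.items()
        for match in pattern.finditer(text)
    ]
    if not hits:
        return None
    return {
        "user": request["user"],
        "time": request["time"],
        "url": request["url"],
        "hits": hits,
    }


# Constructed sample request and restored page (not from the patent).
SAMPLE_REQUEST = {
    "user": "u1001",
    "time": "2022-11-18T10:00:00Z",
    "url": "http://app.example/customers/42",
}
SAMPLE_PAGE = """<html><head><style>.x{color:red}</style>
<script>var contact = "ops@example.com";</script></head>
<body><h1>Customer 42</h1><p>Email: alice@example.com</p>
<p>Mobile: 13800138000</p></body></html>"""

if __name__ == "__main__":
    print(scan_restored_page(SAMPLE_REQUEST, SAMPLE_PAGE))
```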
The page restoration equipment provided by the embodiment of the application is deployed at a server side and comprises an acquisition device, a response device and a restoring device. The acquisition device is used for acquiring an access request for a target page sent by a user at a client and sending the access request to the response device; for receiving a target response corresponding to the access request sent by the response device, and rendering page information of the target page included in the target response at the client to display the rendered target page to the user; and, after receiving the target response corresponding to the access request sent by the response device, for copying the access request and the target response corresponding to the access request, and sending the copied access request and the copied target response to the restoring device. The response device is in communication connection with the acquisition device and is used for receiving the access request, determining a target response corresponding to the access request and sending the target response to the acquisition device. The restoring device is in communication connection with the acquisition device and is used for acquiring the copied access request and the copied target response sent by the acquisition device, restoring, at the server side, the target page displayed to the user by the client based on the copied access request and the copied target response to obtain a restored target page, and tracing the behavior of the user accessing the target page based on the restored target page.
Therefore, with the technical scheme provided by the application, the access request and the corresponding response can be copied, and the restoring device at the server side uses the copied access request and the copied response to restore the page that was displayed to the user at the client, so that the behavior of the user accessing the page can be traced based on the restored page. This avoids the situation in which an attack cannot be traced because the attacker, after successfully intruding into the server, has erased the log information of the attack; it improves the diversity and accuracy of tracing network attacks and improves the security of network applications.
Referring to fig. 3, fig. 3 is a flowchart illustrating a page restoring method according to an embodiment of the present disclosure. As shown in fig. 3, the restoring method is applied to any one of the restoration equipment described above, and the page restoring method provided in the embodiment of the present application includes:
S301, acquiring an access request for a target page sent by a user at a client, and determining a target response corresponding to the access request based on the access request;
It should be noted that, after determining the target response corresponding to the access request, the restoring method further includes:
1) Recording the access request and the target response corresponding to the access request to obtain log information, and tracing the behavior of the user accessing the target page based on the log information.
S302, acquiring page information of the target page included in the target response, and rendering the page information of the target page included in the target response at the client to display the rendered target page to the user;
S303, after determining the target response corresponding to the access request, copying the access request and the target response corresponding to the access request, restoring, at the server side, the target page displayed to the user by the client based on the copied access request and the copied target response to obtain a restored target page, and tracing the behavior of the user accessing the target page based on the restored target page.
It should be noted that the step of restoring, at the server side, the target page displayed to the user at the client based on the copied access request and the copied target response to obtain a restored target page includes:
S3031, storing the copied access request and the copied target response as a mapping relation based on the copied access request;
It should be noted that the restoring method further includes:
1) Performing hash processing on the copied access request to obtain a hash value corresponding to the copied access request;
2) Storing the hash value corresponding to the copied access request and the copied target response as a mapping relation.
S3032, obtaining the stored copied access request, and determining the copied target response corresponding to the copied access request in the stored mapping relation;
It should be noted that the restoring method further includes:
1) Performing hash processing on the obtained copied access request to obtain a target hash value corresponding to the copied access request;
2) Determining, based on the target hash value, the copied target response corresponding to the target hash value in the stored mapping relation.
S3033, restoring, at the server side, the page information of the target page included in the copied target response to obtain a restored target page.
Further, the restoring method further comprises the following steps:
1) After the restored target page is obtained, determining whether the target page contains sensitive information by using a sensitive information set;
2) If so, recording the access request and the corresponding sensitive information on the target page, and generating alarm information.
The page restoration method provided by the embodiment of the application is applied to any one of the restoration devices, and comprises the following steps: acquiring an access request aiming at a target page sent by a user at a client, and determining a target response corresponding to the access request based on the access request; acquiring page information of the target page included in the target response, and rendering the page information of the target page included in the target response at the client to display the rendered target page to a user; after determining a target response corresponding to the access request, copying the access request and the target response corresponding to the access request, restoring a target page displayed to a user by the client at the server side based on the copied access request and the copied target response to obtain a restored target page, and tracing the behavior of the user for accessing the target page based on the restored target page.
Therefore, with the technical scheme provided by the application, the access request and the corresponding response can be copied, and the restoring device at the server side uses the copied access request and the copied response to restore the page that was displayed to the user at the client, so that the behavior of the user accessing the page can be traced based on the restored page. This avoids the situation in which an attack cannot be traced because the attacker, after successfully intruding into the server, has erased the log information of the attack; it improves the diversity and accuracy of tracing network attacks and improves the security of network applications.
Referring to fig. 4, fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure. As shown in fig. 4, the electronic device 400 includes a processor 410, a memory 420, and a bus 430.
The memory 420 stores machine-readable instructions executable by the processor 410, when the electronic device 400 runs, the processor 410 communicates with the memory 420 through the bus 430, and when the machine-readable instructions are executed by the processor 410, the steps of the page restoring method in the method embodiment shown in fig. 3 may be performed.
An embodiment of the present application further provides a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the step of the page restoring method in the method embodiment shown in fig. 3 may be executed.
It can be clearly understood by those skilled in the art that, for convenience and simplicity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. The above-described apparatus embodiments are merely illustrative. For example, the division into units is only a division by logical function, and other divisions are possible in actual implementation; multiple units or components may be combined or integrated into another system, or some features may be omitted or not implemented. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be electrical, mechanical or of another form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in software functional units and sold or used as a stand-alone product, may be stored in a non-transitory computer-readable storage medium executable by a processor. Based on such understanding, the technical solutions of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
Finally, it should be noted that the above-mentioned embodiments are only specific embodiments of the present application, used to illustrate its technical solutions and not to limit them, and the scope of protection of the present application is not limited to these embodiments. Although the present application is described in detail with reference to the foregoing embodiments, those skilled in the art should understand that, within the technical scope of the present disclosure, they can still modify or change the technical solutions described in the foregoing embodiments, or make equivalent substitutions for some of their features; such modifications, changes or substitutions do not depart from the spirit and scope of the embodiments of the present application and are intended to be covered by the scope of protection of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (10)

1. Page restoration equipment, characterized by being deployed at a server side and comprising an acquisition device, a response device and a restoring device;
the acquisition device is used for acquiring an access request for a target page sent by a user at a client and sending the access request to the response device; receiving a target response corresponding to the access request sent by the response device, and rendering page information of the target page included in the target response at the client to display the rendered target page to the user; and, after receiving the target response corresponding to the access request sent by the response device, copying the access request and the target response corresponding to the access request, and sending the copied access request and the copied target response to the restoring device;
the response device is in communication connection with the acquisition device and is used for receiving the access request, determining a target response corresponding to the access request and sending the target response to the acquisition device;
the restoring device is in communication connection with the acquisition device and is used for acquiring the copied access request and the copied target response sent by the acquisition device, restoring a target page displayed to a user by the client at a server side based on the copied access request and the copied target response to obtain a restored target page, and tracing the behavior of the user for accessing the target page based on the restored target page.
2. The restoration equipment according to claim 1, characterized in that, after sending the target response to the acquisition device, the response device is further configured to:
record the access request and the target response corresponding to the access request to obtain log information, and trace the behavior of the user accessing the target page based on the log information.
3. The restoration equipment according to claim 1, wherein the restoring device includes a storage server, a headless browser, and a virtual server;
the storage server is used for acquiring the copied access request and the copied target response sent by the acquisition device and storing the copied access request and the copied target response as a mapping relation;
the headless browser is used for acquiring the copied access request stored in the storage server and sending the copied access request to the virtual server; receiving the copied target response sent by the virtual server, and restoring the page information of the target page included in the copied target response at the server to obtain a restored target page;
the virtual server is configured to receive the copied access request sent by the headless browser, determine, based on the copied access request, a copied target response corresponding to the copied access request in a mapping relationship stored in the storage server, and send the copied target response to the headless browser.
4. The restoration equipment according to claim 1, characterized in that it further comprises an alarm device;
the alarm device is in communication connection with the restoring device and is used for receiving the restored target page sent by the restoring device and determining whether the target page contains sensitive information by using a sensitive information set; if so, recording the access request and the corresponding sensitive information on the target page, and generating alarm information.
5. The restoration equipment according to claim 3, wherein the storage server is further configured to:
performing hash processing on the copied access request to obtain a hash value corresponding to the copied access request;
and storing the hash value corresponding to the copied access request and the copied target response as a mapping relation.
6. The restoration equipment of claim 3, wherein the virtual server is further configured to:
based on the copied access request, performing hash processing on the copied access request to obtain a target hash value corresponding to the copied access request;
and determining the copied target response corresponding to the target hash value in the mapping relation stored in the storage server based on the target hash value, and sending the copied target response to the headless browser.
7. A method for restoring a page, wherein the method is applied to the restoration equipment of any one of claims 1 to 6, and the method comprises:
acquiring an access request aiming at a target page sent by a user at a client, and determining a target response corresponding to the access request based on the access request;
acquiring page information of the target page included in the target response, and rendering the page information of the target page included in the target response at the client to display the rendered target page to a user;
after determining a target response corresponding to the access request, copying the access request and the target response corresponding to the access request, restoring a target page displayed to a user by the client at a server side based on the copied access request and the copied target response to obtain a restored target page, and tracing the behavior of the user accessing the target page based on the restored target page.
8. The restoring method of claim 7, wherein after determining the target response corresponding to the access request, the restoring method further comprises:
recording the access request and the target response corresponding to the access request to obtain log information, and tracing the behavior of the user accessing the target page based on the log information.
9. An electronic device, comprising: a processor, a memory and a bus, the memory storing machine-readable instructions executable by the processor, the processor and the memory communicating via the bus when the electronic device is running, the machine-readable instructions being executable by the processor to perform the steps of the method of restoring a page as claimed in claim 7.
10. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, which computer program, when being executed by a processor, performs the steps of the method for restoring a page according to claim 7.
CN202211442692.6A 2022-11-18 2022-11-18 Page restoration device, page restoration method, electronic device and storage medium Active CN115499252B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211442692.6A CN115499252B (en) 2022-11-18 2022-11-18 Page restoration device, page restoration method, electronic device and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211442692.6A CN115499252B (en) 2022-11-18 2022-11-18 Page restoration device, page restoration method, electronic device and storage medium

Publications (2)

Publication Number Publication Date
CN115499252A CN115499252A (en) 2022-12-20
CN115499252B true CN115499252B (en) 2023-01-20

Family

ID=84901827

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211442692.6A Active CN115499252B (en) 2022-11-18 2022-11-18 Page restoration device, page restoration method, electronic device and storage medium

Country Status (1)

Country Link
CN (1) CN115499252B (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant