WO2021026937A1 - Method and apparatus for checking login behavior, and system, storage medium and electronic apparatus - Google Patents


Info

Publication number
WO2021026937A1
Authority
WO
WIPO (PCT)
Prior art keywords
login
behavior
login behavior
information
matches
Prior art date
Application number
PCT/CN2019/100898
Other languages
French (fr)
Chinese (zh)
Inventor
徐贵斌
Original Assignee
奇安信安全技术(珠海)有限公司
奇安信科技集团股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 奇安信安全技术(珠海)有限公司 and 奇安信科技集团股份有限公司
Priority to CN201980094803.9A (CN113812125B)
Priority to PCT/CN2019/100898 (WO2021026937A1)
Publication of WO2021026937A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols

Definitions

  • the embodiments of the present application relate to the field of network security, and specifically, to a method and device, system, storage medium, and electronic device for verifying login behavior.
  • when managing a server or a remote device, a business system manager usually adopts a remote login management mode and uses different remote management methods according to the business.
  • the C/S mode is usually adopted, and the terminal is connected to the Telnet server program of the managed server through the Telnet (remote terminal protocol) client program for management.
  • the B/S mode is usually adopted, and the terminal uses a browser to log in and manage through the management page provided by the corresponding web service.
  • the embodiments of the present application provide a method and device, system, storage medium, and electronic device for verifying login behavior.
  • a method for verifying a login behavior, including: acquiring a first login behavior of a first device and a second login behavior of a second device, where the first device is the device that initiates the remote login and the second device is the device that is logged in to; determining whether the first login behavior matches the second login behavior; and, when the first login behavior matches the second login behavior, determining that the first device is a legally logged-in device.
  • determining whether the first login behavior matches the second login behavior includes: obtaining the initiation time of the first login behavior and the response time of the second login behavior; determining whether the interval between the initiation time and the response time is less than a predetermined threshold; when the interval is less than the predetermined threshold, determining that the first login behavior matches the second login behavior; when the interval is greater than or equal to the predetermined threshold, determining that the first login behavior does not match the second login behavior.
  • determining whether the first login behavior matches the second login behavior includes: acquiring first information of the first login behavior and second information of the second login behavior, where the first information includes a first network address and the second information includes a second network address; determining whether the first information and the second information match; when they match, determining that the first login behavior matches the second login behavior; when they do not match, determining that the first login behavior does not match the second login behavior.
  • determining whether the first login behavior matches the second login behavior includes: reading the operation process of the first login behavior and the response process of the second login behavior; determining whether the operation process and the response process match; when they match, determining that the first login behavior matches the second login behavior; when they do not match, determining that the first login behavior does not match the second login behavior.
  • acquiring the first login behavior of the first device and the second login behavior of the second device includes: acquiring first behavior information of the Telnet client program of the first device, and acquiring second behavior information of the Telnet server program of the second device.
  • acquiring the first login behavior of the first device and the second login behavior of the second device includes: acquiring the remote service management page provided by the web service and opened in the browser of the first device, and acquiring the remote service management page of the second device.
  • before determining that the first device is a legal login device, the method further includes: obtaining the login account and login password entered on the first device; and determining that the login account has login authority and that the login password is correct.
  • an apparatus for verifying login behavior, including: a first obtaining module, configured to obtain a first login behavior of a first device and a second login behavior of a second device, where the first device is the device that initiates the remote login and the second device is the device that is logged in to; a judgment module, configured to judge whether the first login behavior matches the second login behavior; and a first determination module, configured to determine that the first device is a legal login device when the first login behavior matches the second login behavior.
  • the judging module includes: a first acquiring unit, configured to acquire the initiation time of the first login behavior and the response time of the second login behavior; a first judging unit, configured to judge whether the interval between the initiation time and the response time is less than a predetermined threshold; and a first determining unit, configured to determine that the first login behavior matches the second login behavior when the interval is less than the predetermined threshold, and that the first login behavior does not match the second login behavior when the interval is greater than or equal to the predetermined threshold.
  • the judgment module includes: a second obtaining unit, configured to obtain first information of the first login behavior and second information of the second login behavior, where the first information includes a first network address and the second information includes a second network address; a second judging unit, configured to judge whether the first information and the second information match; and a second determining unit, configured to determine that the first login behavior matches the second login behavior when the first information matches the second information, and that the first login behavior does not match the second login behavior when they do not match.
  • the judgment module includes: a reading unit, configured to read the operation process of the first login behavior and the response process of the second login behavior; a third judging unit, configured to judge whether the operation process and the response process match; and a third determining unit, configured to determine that the first login behavior matches the second login behavior when the operation process matches the response process, and that the first login behavior does not match the second login behavior when they do not match.
  • the first obtaining module includes: a first obtaining unit, configured to obtain first behavior information of the Telnet client program of the first device and second behavior information of the Telnet server program of the second device.
  • the first obtaining module includes: a second obtaining unit, configured to obtain the remote service management page provided by the web service and opened in the browser of the first device, and the remote service management page of the second device.
  • the apparatus further includes: a second obtaining module, configured to obtain the login account and login password entered on the first device before the first determining module determines that the first device is a legal login device; and a second determination module, configured to determine that the login account has login authority and that the login password is correct.
  • a system for verifying login behavior, including: a first device, a second device, and a central control server connected to the first device and the second device, where the first device is used to initiate a remote login to the second device, the second device is used to respond to the remote login initiated by the first device, and the central control server includes the apparatus described in the above embodiment.
  • another system for verifying login behavior, including: a first device and a second device, where the first device is used to initiate a remote login to the second device, and the second device is used to respond to the remote login initiated by the first device and includes the apparatus described in the foregoing embodiment.
  • a storage medium in which a computer program is stored, wherein the computer program is configured to execute the steps in any one of the foregoing method embodiments when running.
  • an electronic device including a memory and a processor, where the memory stores a computer program and the processor is configured to run the computer program to execute the steps in any of the above method embodiments.
  • the first login behavior of the first device that initiated the login and the second login behavior of the logged-in second device are obtained, and then it is determined whether the first login behavior matches the second login behavior.
  • when they match, the first device is determined to be a legitimate login device. Because the judgment is made through two-way correlation verification, this solves the technical problem in related technologies that remote login behavior can only be verified by account passwords; it can prevent illegal logins that exploit weak passwords, leaked passwords, or brute-forced passwords, and improves the security of remote logins.
  • FIG. 1 is a hardware structural block diagram of a verification server for a login behavior according to an embodiment of the present application
  • Fig. 2 is a flowchart of a method for verifying a login behavior according to an embodiment of the present application
  • FIG. 3 is a schematic diagram of a remote login process in C/S mode and B/S mode according to an embodiment of the present application
  • Fig. 4 is a structural block diagram of an apparatus for verifying a login behavior according to an embodiment of the present application
  • Figure 5 is a structural block diagram of a system for verifying login behaviors according to an embodiment of the present application.
  • Fig. 6 is a structural block diagram of another system for verifying login behaviors according to an embodiment of the present application.
  • FIG. 1 is a hardware structural block diagram of a verification server for a login behavior in an embodiment of the present application.
  • the server 10 may include one or more processors 102 (only one is shown in FIG. 1; the processor 102 may include, but is not limited to, a processing device such as a microprocessor (MCU) or a programmable logic device (FPGA)) and a memory 104 for storing data.
  • the aforementioned server may also include a transmission device 106 and an input/output device 108 for communication functions.
  • FIG. 1 is only for illustration, and does not limit the structure of the foregoing server.
  • the server 10 may also include more or fewer components than shown in FIG. 1, or have a different configuration from that shown in FIG. 1.
  • the memory 104 may be used to store computer programs, for example, software programs and modules of application software, such as a computer program corresponding to a method for verifying login behavior in the embodiment of the present application.
  • the processor 102 runs the computer programs stored in the memory 104 to execute various functional applications and data processing, that is, to implement the above-mentioned method.
  • the memory 104 may include a high-speed random access memory, and may also include a non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory.
  • the memory 104 may further include memory located remotely from the processor 102, and such remote memory may be connected to the server 10 through a network. Examples of the aforementioned network include, but are not limited to, the Internet, corporate intranets, local area networks, mobile communication networks, and combinations thereof.
  • the transmission device 106 is used to receive or send data via a network.
  • the foregoing specific examples of the network may include a wireless network provided by the communication provider of the server 10.
  • the transmission device 106 includes a network adapter (Network Interface Controller, NIC for short), which can be connected to other network devices through a base station to communicate with the Internet.
  • the transmission device 106 may be a radio frequency (Radio Frequency, referred to as RF) module, which is used to communicate with the Internet in a wireless manner.
  • FIG. 2 is a flowchart of a method for verifying login behavior according to an embodiment of the present application. As shown in FIG. 2, the process includes the following steps:
  • Step S202 acquiring the first login behavior of the first device, and acquiring the second login behavior of the second device, where the first device is the device that initiates remote login, and the second device is the device that is logged in;
  • This embodiment is applied in various remote login scenarios.
  • the management device (first device) initiates a remote login request to log in to the managed device (second device). After the login succeeds, the management device can control the managed device, within the scope of its authority, as if locally.
  • the behavior generated on the first device is the first login behavior
  • the behavior generated on the second device is the second login behavior.
  • Step S204 Determine whether the first login behavior matches the second login behavior
  • before judging whether the first login behavior matches the second login behavior, it may also be determined whether the first login behavior and the second login behavior are legal; only when both are legal is it further determined whether the first login behavior matches the second login behavior.
  • determining whether the first login behavior is legal includes: determining whether the login process, or the startup process of the login process, is legal, whether a visible login window is displayed on the first device, and so on.
  • the first device (the login terminal) can use the window to determine whether a user is visibly performing the login.
  • judging by process plus visible window prevents an attacker who has taken control of the login terminal from starting a login process with its window hidden, which would bypass a correlation check that only judges the process without checking whether a visible login window exists.
  • Step S206 When the first login behavior matches the second login behavior, it is determined that the first device is a legal login device.
  • the second device accepts the login of the first device; otherwise, it rejects the login of the first device and provides alarm information.
  • the first login behavior of the first device that initiated the login and the second login behavior of the logged-in second device are obtained, and then it is determined whether the first login behavior matches the second login behavior.
  • when they match, the first device is determined to be a legitimate login device. Because the judgment is made through bidirectional correlation verification, this solves the technical problem in related technologies that remote login behavior can only be verified by account passwords; it can prevent illegal logins that exploit weak passwords, leaked passwords, or brute-forced passwords, and improves the security of remote logins.
  • the first login behavior and the second login behavior of this embodiment may include dynamic behavior information and static information, where the dynamic behavior information may include behavior chain information, process chain information, etc., and the static information includes network addresses such as the IP address of the device and Uniform Resource Locator (URL) addresses, MAC addresses, device identifications, etc.
  • the solution of this embodiment can be applied to various login modes, such as C/S mode, B/S mode, etc.
  • the communication mode between the first device and the second device can be a relay or a direct connection, that is, any information transmission and data exchange method, such as C connected directly to S or S connected directly to C (and similarly for B/S).
  • FIG. 3 is a schematic diagram of the remote login process of the C/S mode and the B/S mode of the embodiment of the present application. An example is given below:
  • the C/S mode when managing the Windows operating system of the server, the C/S mode can be used.
  • the terminal is connected to the Telnet server program of the managed server through the Telnet (remote login protocol) client program.
  • obtaining the first login behavior of the first device and the second login behavior of the second device includes: acquiring the first behavior information of the Telnet client program of the first device, and acquiring the second behavior information of the Telnet server program of the second device.
  • the B/S mode login scenario when web service systems such as websites, emails, forums, OA, etc. are managed, the B/S mode is usually adopted, and the terminal uses a browser to perform login management through the management page provided by the corresponding web service.
  • obtaining the first login behavior of the first device and the second login behavior of the second device includes: acquiring the remote service management page provided by the web service and opened in the browser of the first device, and acquiring the remote service management page of the second device.
  • the first login behavior in this embodiment is the login behavior of the administrator (remote login personnel) on the terminal, for example: opening Telnet and connecting to the IP address of the remote server, or opening a browser and accessing the URL of the remote service management page.
  • the second login behavior is that the managed server (or other device) receives a connection request from the remote terminal, where the requested content is the connection management service or the management page.
  • the difference between normal login management and illegal login management after an attacker obtains the password by technical means is that, in normal login management, the first behavior occurs on the administrator's terminal, whereas in illegal login management it occurs on the attacker's terminal. Even if the attacker uses port mapping, Address Resolution Protocol (ARP) attacks and similar techniques to imitate a trusted terminal, the first login behavior, such as opening the Telnet client program or browser and entering the managed IP or URL, is still the attacker's behavior and only occurs on the attacker's terminal (which can be regarded as a third device), not on the first device that is expected to initiate the login.
  • determining whether the first login behavior matches the second login behavior includes:
  • the initiation time in this embodiment may be the time at which the login process on the first device (Telnet client program, remote management service accessed through the browser, etc.) initiates the login to the second device, and the response time is the time at which the corresponding login process on the second device responds.
  • S12 Determine whether the interval between the initiation time and the response time is less than a predetermined threshold; the predetermined threshold is a small time range, which can be set within 1 s in a good network environment.
  • determining whether the first login behavior matches the second login behavior includes:
  • S21 Acquire first information about the first login behavior and second information about the second login behavior, where the first information includes a first network address and the second information includes a second network address; the network address may be an IP address, a MAC address, a URL address, etc.
  • Network address matching includes multiple matching strategies. Taking the IP address as an example: when the target IP address entered on the first device is the same as the actual IP address of the second device, it can be considered a match, otherwise not; when the IP address of the first device is the same as the source IP address seen by the second device (the IP address of the device that initiated the login), it can be considered a match, otherwise not; when the source IP address carried in the reporting information sent by the first device to the server matches the preset legal IP address list configured on the second device, it can be considered a match, otherwise not. URL addresses and other network addresses are handled similarly.
  • the device identification can also be matched. For example, when the device identification of the first device is on the list of legal devices configured on the second device, it is determined that the first login behavior matches the second login behavior; otherwise, it is determined that the first login behavior does not match the second login behavior.
  • the device identification (such as an MID) may be carried in the request message of the first login behavior, or it may be uploaded by the first device to a third-party server, from which the second device obtains it after receiving the request message.
  • determining whether the first login behavior matches the second login behavior includes:
  • the process of the Telnet client program and the process of the Telnet server program are matched processes.
  • this embodiment can also be combined with a login account and a login password for dual judgment.
  • before determining that the first device is a legal login device, the method further includes: obtaining the login account and login password entered on the first device; and determining that the login account has login authority and that the login password is correct. Only when the first login behavior matches the second login behavior and the user name and password are also correct is the login considered legal. If only one of the two behaviors occurs, then even if the user name and password are correct, it is regarded as an illegal login by an attacker.
  • the executing body of this embodiment may be a cloud server or a local server connecting two or more clients or servers, or it may be the client or server that initiates or responds to the login.
  • the client may be a mobile terminal, a PC, etc., but is not limited to these.
  • it includes: the C program installed on the management terminal, the S program installed on the managed terminal, and the M program installed on the central control server.
  • C program: used to check and judge the occurrence and legitimacy of the behavior that initiates management, including but not limited to: whether the Telnet program or browser is started, whether it is started normally or abnormally, whether it runs hidden in the background or normally with a visible window, whether the correct IP of the managed terminal or the URL of the management page has been entered, etc.
  • M program: used to collect the management behavior and managed behavior reported by each terminal, and to provide query services.
  • S program: used to check and judge the occurrence of the managed behavior on the managed terminal.
  • the M program retrieves whether a corresponding management behavior was initiated on a management terminal for the device, IP, or account in question.
  • the corresponding management behaviors are judged comprehensively through two-way correlation verification: normal logins are accepted, and illegal logins are rejected with alarm information.
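The matching steps above (time interval, network address, device identification, process pair, and the combined account/password judgment) and the C/S/M split just described can be modelled in a few dozen lines. The following is an added example and not code from the patent or its assignee; the C program on the management terminal and the S program on the managed server each report one event to the M program, which runs the correlation. Field names, process names (`telnet.exe`, `tlntsvr.exe`, `browser`, `webadmin`), the account table and all sample events are assumptions constructed for illustration.

```python
"""Added example (not the patent's code): M-program correlation of a client-side
report (first login behavior) with a server-side report (second login behavior)
on time, network address, device identification and process, combined with the
account/password check. All names and sample data are assumptions."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_INTERVAL = timedelta(seconds=1)  # predetermined threshold ("within 1s")
# Process pairs treated as matched: Telnet client/server (C/S mode), browser and
# web management service (B/S mode). Process names are assumptions.
MATCHED_PROCESSES = {("telnet.exe", "tlntsvr.exe"), ("browser", "webadmin")}
# Constructed account table: account -> (sha256 of password, has login authority)
ACCOUNTS = {"admin": (hashlib.sha256(b"Adm1n-Pass").hexdigest(), True),
            "guest": (hashlib.sha256(b"guest").hexdigest(), False)}

@dataclass
class ClientEvent:  # first login behavior, as reported by the C program
    device_id: str
    source_ip: str
    target_addr: str  # IP or URL the administrator entered
    process: str
    started_normally: bool
    window_visible: bool
    initiated_at: datetime

@dataclass
class ServerEvent:  # second login behavior, as reported by the S program
    own_ip: str
    peer_ip: str  # source IP of the connection the server saw
    process: str
    responded_at: datetime
    legal_ips: frozenset
    legal_devices: frozenset

def first_behavior_is_legal(c):
    """Process + visible window: a client started hidden in the background is not a login."""
    return c.started_normally and c.window_visible

def time_matches(c, s):
    # abs() tolerates a little clock skew between the two reporters (assumption)
    return abs(s.responded_at - c.initiated_at) < MAX_INTERVAL

def address_matches(c, s):
    """The three IP strategies from the text, all required here."""
    return (c.target_addr == s.own_ip        # entered target == actual server IP
            and c.source_ip == s.peer_ip     # client IP == source IP the server saw
            and c.source_ip in s.legal_ips)  # source IP is on the configured legal list

def behaviors_match(c, s):
    return (first_behavior_is_legal(c) and time_matches(c, s) and address_matches(c, s)
            and c.device_id in s.legal_devices              # device identification (MID)
            and (c.process, s.process) in MATCHED_PROCESSES)

def credentials_ok(account, password):
    entry = ACCOUNTS.get(account)
    return (entry is not None and entry[1]
            and entry[0] == hashlib.sha256(password.encode()).hexdigest())

class CentralControl:
    """M program: stores reported management behaviors and answers the query."""
    def __init__(self):
        self.client_events = []
    def report_client(self, c):
        self.client_events.append(c)
    def find_initiator(self, s):
        """Was a matching management behavior initiated on some management terminal?"""
        return next((c for c in self.client_events if behaviors_match(c, s)), None)
    def decide(self, s, account, password):
        """Two-way correlation plus credentials; either failing means an illegal login."""
        if not credentials_ok(account, password):
            return "reject: bad account or password"
        if self.find_initiator(s) is None:
            return "reject: no matching initiation on a management terminal (alarm)"
        return "accept"

def run_demo():
    """Constructed scenarios; returns the M program's decision for each."""
    t0 = datetime(2019, 8, 16, 10, 0, 0)
    soon, late = t0 + timedelta(milliseconds=300), t0 + timedelta(seconds=5)
    def server(peer_ip, at):  # the managed server's view of one connection
        return ServerEvent("10.0.0.20", peer_ip, "tlntsvr.exe", at,
                           frozenset({"10.0.0.5"}), frozenset({"MID-0001"}))
    m = CentralControl()  # administrator opened Telnet with a visible window
    m.report_client(ClientEvent("MID-0001", "10.0.0.5", "10.0.0.20", "telnet.exe",
                                True, True, t0))
    hidden = CentralControl()  # same terminal, but the client ran without a window
    hidden.report_client(ClientEvent("MID-0001", "10.0.0.5", "10.0.0.20", "telnet.exe",
                                     True, False, t0))
    return {
        "normal": m.decide(server("10.0.0.5", soon), "admin", "Adm1n-Pass"),
        "leaked_password": m.decide(server("10.0.0.99", soon), "admin", "Adm1n-Pass"),
        "late_response": m.decide(server("10.0.0.5", late), "admin", "Adm1n-Pass"),
        "hidden_window": hidden.decide(server("10.0.0.5", soon), "admin", "Adm1n-Pass"),
        "wrong_password": m.decide(server("10.0.0.5", soon), "admin", "nope"),
        "no_authority": m.decide(server("10.0.0.5", soon), "guest", "guest"),
    }
```

The `leaked_password` case is the one the text is built around: the password is correct, but no first login behavior was reported from a legal management terminal, so the connection is rejected and alarmed. The `late_response` case shows the time-interval rule rejecting a connection that looks right on every static field but cannot be paired with a fresh initiation, and `hidden_window` shows the process-plus-visible-window legality check from the C program. A real deployment would also have to keep the C and S program clocks synchronised, since the threshold is only meaningful when both timestamps share a time base.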
  • the method according to the above embodiment can be implemented by means of software plus the necessary general-purpose hardware platform; it can of course also be implemented in hardware, but in many cases the former is the better implementation.
  • the technical solution of this application, in essence or in the part that contributes over the existing technology, can be embodied in the form of a software product stored in a storage medium (such as ROM/RAM, a magnetic disk, or an optical disc) that includes several instructions enabling a terminal device (which can be a mobile phone, a computer, a server, a network device, etc.) to execute the method described in each embodiment of the present application.
  • an apparatus and a system for verifying a login behavior are also provided, which are used to implement the above-mentioned embodiments and preferred implementations; what has already been explained will not be repeated.
  • the term "module" can refer to a combination of software and/or hardware with predetermined functions.
  • the devices described in the following embodiments are preferably implemented by software, hardware or a combination of software and hardware is also possible and conceived.
  • Fig. 4 is a structural block diagram of an apparatus for verifying a login behavior according to an embodiment of the present application. As shown in Fig. 4, the apparatus includes: a first acquisition module 40, a judgment module 42, and a first determination module 44, where:
  • the first acquisition module 40 is configured to acquire the first login behavior of the first device and the second login behavior of the second device, where the first device is the device that initiates the remote login and the second device is the device that is logged in to;
  • the judgment module 42 is configured to judge whether the first login behavior matches the second login behavior
  • the first determining module 44 is configured to determine that the first device is a legal login device when the first login behavior matches the second login behavior.
  • the judging module includes: a first acquiring unit, configured to acquire the initiation time of the first login behavior, and acquiring the response time of the second login behavior; the first determining unit, configured to determine the Whether the interval between the initiation time and the response time is less than a predetermined threshold; the first determining unit is configured to determine the first login behavior and the second login behavior when the interval between the initiation time and the response time is less than the predetermined threshold The login behavior matches; when the interval between the initiation time and the response time is greater than or equal to a predetermined threshold, it is determined that the first login behavior does not match the second login behavior.
  • the judgment module includes: a second obtaining unit, configured to obtain first information of the first login behavior, and obtain second information of the second login behavior, wherein the first information includes : A first network address, the second information includes: a second network address; a second determination unit, used to determine whether the first information and the second information match; a second determination unit, used in the When the first information matches the second information, it is determined that the first login behavior matches the second login behavior; when the first information does not match the second information, the first login behavior is determined The behavior does not match the second login behavior.
  • the judgment module includes: a reading unit configured to read the operation process of the first login behavior and read the response process of the second login behavior; and a third judgment unit configured to determine Whether the operation process and the response process match; a third determining unit, configured to determine that the first login behavior matches the second login behavior when the operation process matches the response process; When the operation process and the response process do not match, it is determined that the first login behavior does not match the second login behavior.
  • the first obtaining module includes: a first obtaining unit configured to obtain first behavior information of the Telnet client program of the first device, and obtain the Telnet server of the second device The second act information of the program.
  • the first obtaining module includes: a second obtaining unit configured to obtain a remote service management page provided by a web service of a browser of the first device, and obtain a remote service management page of the second device .
  • the apparatus further includes: a second obtaining module, configured to obtain the login account and login input on the first device before the first determining module determines that the first device is a legal login device Password; the second determination module is used to determine that the login account has login authority and the login password is correct.
  • Figure 5 is a structural block diagram of a system for verifying login behaviors according to an embodiment of the present application.
  • the system includes: a first device 50, a second device 52, and a central control server 54 connected to the first device and the second device, wherein the first device 50 is configured to initiate a remote login to the second device, and the second device 52 is configured to respond to the remote login initiated by the first device;
  • the central control server includes the device described in the foregoing embodiment.
  • FIG. 6 is a structural block diagram of another system for verifying login behaviors according to an embodiment of the present application.
  • the system includes: a first device 60 and a second device 62, wherein the first device 60 is configured to initiate a remote login to the second device, and the second device 62 is configured to respond to the remote login initiated by the first device and includes the apparatus described in the foregoing embodiment.
  • each of the above modules can be implemented by software or hardware.
  • this can be implemented in the following manner, but is not limited to it: the above modules are all located in the same processor; or the above modules, in any combination, are located in different processors.
  • the embodiment of the present application also provides a storage medium in which a computer program is stored, wherein the computer program is configured to execute the steps in any of the foregoing method embodiments when running.
  • the foregoing storage medium may be configured to store a computer program for executing the following steps:
  • the above-mentioned storage medium may include, but is not limited to, a USB flash drive, a read-only memory (ROM), a random access memory (RAM), a mobile hard disk, a magnetic disk, an optical disk, or other media that can store computer programs.
  • the embodiment of the present application also provides an electronic apparatus, including a memory and a processor, wherein the memory stores a computer program and the processor is configured to run the computer program to execute the steps in any of the foregoing method embodiments.
  • the foregoing electronic device may further include a transmission device and an input-output device, wherein the transmission device is connected to the foregoing processor, and the input-output device is connected to the foregoing processor.
  • the foregoing processor may be configured to execute the following steps through a computer program:
  • the disclosed technical content can be implemented in other ways.
  • the device embodiments described above are only illustrative.
  • the division of the units is only a logical function division.
  • multiple units or components may be combined or integrated into another system, or some features may be ignored or not implemented.
  • the displayed or discussed mutual coupling or direct coupling or communication connection may be indirect coupling or communication connection through some interfaces, units or modules, and may be in electrical or other forms.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, they may be located in one place, or they may be distributed on multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
  • each unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units may be integrated into one unit.
  • the above-mentioned integrated unit can be implemented in the form of hardware or software functional unit.
  • if the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium.
  • the technical solution of this application, in essence or in the part that contributes to the existing technology, or all or part of the technical solution, can be embodied in the form of a software product; the computer software product is stored in a storage medium and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to execute all or part of the steps of the method described in each embodiment of the present application.
  • the aforementioned storage media include: a USB flash drive, a read-only memory (ROM), a random access memory (RAM), a mobile hard disk, a magnetic disk, an optical disk, and other media that can store program code.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

A method and apparatus for checking a login behavior, and a system, a storage medium and an electronic apparatus. The method comprises: acquiring a first login behavior of a first device, and acquiring a second login behavior of a second device, wherein the first device is a device that initiates remote login, and the second device is a device that is logged into (S202); determining whether the first login behavior matches the second login behavior (S204); and when the first login behavior matches the second login behavior, determining that the first device is a legitimate login device (S206). The method solves the technical problem in related technology of a remote login behavior only being able to be checked by means of an account password, and can prevent an illegitimate login created by using a weak password, a password leak or a password being cracked.

Description

Method and apparatus for verifying login behavior, and system, storage medium and electronic apparatus
Technical field
The embodiments of the present application relate to the field of network security, and specifically to a method and apparatus for verifying login behavior, and to a system, storage medium and electronic apparatus.
Background
In the related art, when managing servers or remote devices, business system administrators usually adopt a remote login management mode and use different remote management methods for different businesses. For example, when managing a server's Windows operating system, the C/S mode is usually adopted: the terminal connects, through a Telnet (remote terminal protocol) client program, to the Telnet server program on the managed server in order to manage it. When managing web service systems such as websites, email, forums and OA (Office Automation) systems, the B/S mode is usually adopted: the terminal uses a browser to log in and manage through the management page provided by the corresponding web service.
Whichever remote management mode is used, security protection almost always relies on "user name + password" verification to solve the problem of illegal login. Judged by actual security results, however, current protection measures do not achieve the expected effect: cases in which a legitimate user name and password are obtained by weak-password guessing, brute forcing and similar means and then used for illegal login account for more than 30% of all successful attacks, so the login method in the related art has serious security defects.
No effective solution has yet been found for the above problems in the related art.
Summary of the invention
The embodiments of the present application provide a method and apparatus for verifying login behavior, and a system, storage medium and electronic apparatus.
According to one embodiment of the present application, a method for verifying login behavior is provided, including: acquiring a first login behavior of a first device and acquiring a second login behavior of a second device, wherein the first device is the device that initiates a remote login and the second device is the device being logged into; judging whether the first login behavior matches the second login behavior; and, when the first login behavior matches the second login behavior, determining that the first device is a legal login device.
Optionally, judging whether the first login behavior matches the second login behavior includes: acquiring the initiation time of the first login behavior and the response time of the second login behavior; judging whether the interval between the initiation time and the response time is less than a predetermined threshold; when the interval between the initiation time and the response time is less than the predetermined threshold, determining that the first login behavior matches the second login behavior; and when the interval between the initiation time and the response time is greater than or equal to the predetermined threshold, determining that the first login behavior does not match the second login behavior.
Optionally, judging whether the first login behavior matches the second login behavior includes: acquiring first information of the first login behavior and second information of the second login behavior, wherein the first information includes a first network address and the second information includes a second network address; judging whether the first information matches the second information; when the first information matches the second information, determining that the first login behavior matches the second login behavior; and when the first information does not match the second information, determining that the first login behavior does not match the second login behavior.
Optionally, judging whether the first login behavior matches the second login behavior includes: reading the operation process of the first login behavior and the response process of the second login behavior; judging whether the operation process matches the response process; when the operation process matches the response process, determining that the first login behavior matches the second login behavior; and when the operation process does not match the response process, determining that the first login behavior does not match the second login behavior.
Optionally, acquiring the first login behavior of the first device and acquiring the second login behavior of the second device includes: acquiring first behavior information of the remote login protocol (Telnet) client program of the first device, and acquiring second behavior information of the Telnet server program of the second device.
Optionally, acquiring the first login behavior of the first device and acquiring the second login behavior of the second device includes: acquiring the remote service management page provided by the web service in the browser of the first device, and acquiring the remote service management page of the second device.
Optionally, before determining that the first device is a legal login device, the method further includes: acquiring the login account and login password entered on the first device; and determining that the login account has login authority and that the login password is correct.
According to another embodiment of the present application, an apparatus for verifying login behavior is provided, including: a first obtaining module, configured to acquire a first login behavior of a first device and a second login behavior of a second device, wherein the first device is the device that initiates a remote login and the second device is the device being logged into; a judging module, configured to judge whether the first login behavior matches the second login behavior; and a first determining module, configured to determine that the first device is a legal login device when the first login behavior matches the second login behavior.
Optionally, the judging module includes: a first obtaining unit, configured to acquire the initiation time of the first login behavior and the response time of the second login behavior; a first judging unit, configured to judge whether the interval between the initiation time and the response time is less than a predetermined threshold; and a first determining unit, configured to determine that the first login behavior matches the second login behavior when the interval between the initiation time and the response time is less than the predetermined threshold, and to determine that the first login behavior does not match the second login behavior when the interval is greater than or equal to the predetermined threshold.
Optionally, the judging module includes: a second obtaining unit, configured to acquire first information of the first login behavior and second information of the second login behavior, wherein the first information includes a first network address and the second information includes a second network address; a second judging unit, configured to judge whether the first information matches the second information; and a second determining unit, configured to determine that the first login behavior matches the second login behavior when the first information matches the second information, and to determine that the first login behavior does not match the second login behavior when the first information does not match the second information.
Optionally, the judging module includes: a reading unit, configured to read the operation process of the first login behavior and the response process of the second login behavior; a third judging unit, configured to judge whether the operation process matches the response process; and a third determining unit, configured to determine that the first login behavior matches the second login behavior when the operation process matches the response process, and to determine that the first login behavior does not match the second login behavior when the operation process does not match the response process.
Optionally, the first obtaining module includes: a first obtaining unit, configured to acquire first behavior information of the remote login protocol (Telnet) client program of the first device and second behavior information of the Telnet server program of the second device.
Optionally, the first obtaining module includes: a second obtaining unit, configured to acquire the remote service management page provided by the web service in the browser of the first device and the remote service management page of the second device.
Optionally, the apparatus further includes: a second obtaining module, configured to acquire the login account and login password entered on the first device before the first determining module determines that the first device is a legal login device; and a second determining module, configured to determine that the login account has login authority and that the login password is correct.
According to yet another embodiment of the present application, a system for verifying login behavior is provided, including: a first device, a second device, and a central control server connected to the first device and the second device, wherein the first device is configured to initiate a remote login to the second device, the second device is configured to respond to the remote login initiated by the first device, and the central control server includes the apparatus described in the above embodiment.
According to yet another embodiment of the present application, another system for verifying login behavior is provided, including: a first device and a second device, wherein the first device is configured to initiate a remote login to the second device, and the second device is configured to respond to the remote login initiated by the first device and includes the apparatus described in the above embodiment.
According to yet another embodiment of the present application, a storage medium is also provided, in which a computer program is stored, wherein the computer program is configured to execute the steps of any of the above method embodiments when run.
According to yet another embodiment of the present application, an electronic apparatus is also provided, including a memory and a processor, wherein the memory stores a computer program and the processor is configured to run the computer program to execute the steps of any of the above method embodiments.
Through the embodiments of the present application, the first login behavior of the first device that initiates the login and the second login behavior of the second device being logged into are acquired, whether the first login behavior matches the second login behavior is then judged, and when they match the first device is determined to be a legal login device. Because the judgment is made by two-way correlation verification, this solves the technical problem in the related art that a remote login behavior can only be verified by account and password; it can prevent illegal logins created with weak, leaked or brute-forced passwords and improves the security of remote login.
Brief description of the drawings
The drawings described here are used to provide a further understanding of the embodiments of the present application and constitute a part of the present application. The exemplary embodiments of the present application and their descriptions serve to explain the present application and do not constitute an improper limitation on it. In the drawings:
FIG. 1 is a hardware structural block diagram of a login behavior verification server according to an embodiment of the present application;
FIG. 2 is a flowchart of a method for verifying login behavior according to an embodiment of the present application;
FIG. 3 is a schematic diagram of the remote login process in C/S mode and B/S mode according to an embodiment of the present application;
FIG. 4 is a structural block diagram of an apparatus for verifying login behavior according to an embodiment of the present application;
FIG. 5 is a structural block diagram of a system for verifying login behavior according to an embodiment of the present application;
FIG. 6 is a structural block diagram of another system for verifying login behavior according to an embodiment of the present application.
Detailed description
To help those skilled in the art understand the solution of the present application better, the technical solutions in the embodiments of the present application are described clearly and completely below in conjunction with the drawings of those embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present application. All other embodiments obtained by persons of ordinary skill in the art on the basis of the embodiments in the present application without creative effort fall within the scope of protection of the present application. It should be noted that the embodiments in the present application and the features in the embodiments can be combined with one another where there is no conflict.
It should be noted that the terms "first", "second" and the like in the description and claims of the present application and in the above drawings are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence. It should be understood that data used in this way can be interchanged where appropriate, so that the embodiments of the present application described here can be implemented in orders other than those illustrated or described here. In addition, the terms "including" and "having" and any variations of them are intended to cover non-exclusive inclusion; for example, a process, method, system, product or device that includes a series of steps or units is not necessarily limited to the steps or units clearly listed, but may include other steps or units that are not clearly listed or that are inherent to the process, method, product or device.
Embodiment 1
The method embodiment provided in Embodiment 1 of the present application may be executed in a server, computer, terminal or similar computing device. Taking execution on a server as an example, FIG. 1 is a hardware structural block diagram of a login behavior verification server according to an embodiment of the present application. As shown in FIG. 1, the server 10 may include one or more processors 102 (only one is shown in FIG. 1; the processor 102 may include, but is not limited to, a processing device such as a microcontroller (MCU) or a programmable logic device (FPGA)) and a memory 104 for storing data; optionally, the server may further include a transmission device 106 for communication functions and an input/output device 108. Persons of ordinary skill in the art will understand that the structure shown in FIG. 1 is only illustrative and does not limit the structure of the server. For example, the server 10 may include more or fewer components than shown in FIG. 1, or have a configuration different from that shown in FIG. 1.
The memory 104 may be used to store computer programs, for example software programs and modules of application software, such as the computer program corresponding to the login behavior verification method in the embodiments of the present application; by running the computer program stored in the memory 104, the processor 102 executes various functional applications and data processing, that is, implements the above method. The memory 104 may include high-speed random access memory and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor 102, and such remote memory may be connected to the server 10 through a network. Examples of such networks include, but are not limited to, the Internet, intranets, local area networks, mobile communication networks and combinations thereof.
The transmission device 106 is used to receive or send data via a network. Specific examples of the network may include a wireless network provided by the communication provider of the server 10. In one example, the transmission device 106 includes a network interface controller (NIC), which can connect to other network devices through a base station and thereby communicate with the Internet. In one example, the transmission device 106 may be a radio frequency (RF) module used to communicate with the Internet wirelessly.
This embodiment provides a method for verifying login behavior. FIG. 2 is a flowchart of a method for verifying login behavior according to an embodiment of the present application. As shown in FIG. 2, the process includes the following steps:
Step S202: acquire a first login behavior of a first device and a second login behavior of a second device, wherein the first device is the device that initiates a remote login and the second device is the device being logged into;
This embodiment applies to various remote login scenarios. During a remote login, the management device (the first device) initiates a remote login request to log in to the managed device (the second device); after the login succeeds, the management device can control the managed device locally within its scope of authority. The behavior produced on the first device is the first login behavior, and the behavior produced on the second device is the second login behavior.
Step S204: judge whether the first login behavior matches the second login behavior;
In this embodiment, before judging whether the first login behavior matches the second login behavior, it may also be judged whether the first login behavior and the second login behavior are legal; when both the first login behavior and the second login behavior are legal, whether the first login behavior matches the second login behavior is further judged;
Optionally, judging whether the first login behavior is legal includes judging whether the login process, or the process that started the login process, is legal, whether a visible login window is displayed on the first device, and so on. The first device (the login end) can use the window to judge whether a user is actually performing a displayed login. Judging by process plus visible window prevents an attacker who has taken control of the login terminal from starting a login process with a hidden window and thereby bypassing a correlation check that examines only the process and not whether a visible login window exists.
Step S206: when the first login behavior matches the second login behavior, determine that the first device is a legal login device.
When the first device is a legal login device, the second device accepts the login of the first device; otherwise, it rejects the login of the first device and provides alarm information.
Through the above steps, the first login behavior of the first device that initiates the login and the second login behavior of the second device being logged into are acquired, whether the first login behavior matches the second login behavior is then judged, and when they match the first device is determined to be a legal login device. Because the judgment is made by two-way correlation verification, this solves the technical problem in the related art that a remote login behavior can only be verified by account and password; it can prevent illegal logins created with weak, leaked or brute-forced passwords and improves the security of remote login.
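The following is an added Python example, not code from the patent or its applicant, that implements steps S202 to S206 together with the three optional matching criteria listed in the summary (time interval below a threshold, matching network addresses, matching operation and response processes) and the process-plus-visible-window legality check on the first device. The event fields, the policy tables, the 5-second threshold, the process names and the sample events are all constructed assumptions chosen for illustration; it also shows the case the correlation is designed to catch, a server-side login for which no client-side behavior was collected at all.

```python
"""Two-way login correlation as described in steps S202-S206.

Added illustration, not the patent's own code: the event fields, the policy
tables, the 5-second threshold and the sample events are all constructed
assumptions chosen for this example.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class ClientLoginEvent:
    """First login behavior: collected on the device that initiates the login."""
    initiated_at: float      # epoch seconds at which the client began the login
    src_ip: str              # network address of the initiating device
    dst_ip: str              # address the client connected to
    process: str             # login process, e.g. a Telnet client program
    parent_process: str      # process that launched it (start of the process chain)
    window_visible: bool     # a visible login window was shown to a user


@dataclass(frozen=True)
class ServerLoginEvent:
    """Second login behavior: collected on the device being logged into."""
    responded_at: float      # epoch seconds at which the server handled the login
    peer_ip: str             # address the login arrived from
    local_ip: str            # address the server accepted it on
    process: str             # responding service process, e.g. a Telnet server program
    account: str
    account_authorized: bool  # the account holds login authority
    password_ok: bool         # the login password was correct


# Constructed policy (assumption): which launcher may start each login program,
# and which client/server process pairs belong to the same kind of login.
LEGAL_CLIENT_PROCESSES = {
    "telnet.exe": {"explorer.exe", "cmd.exe"},
    "browser.exe": {"explorer.exe"},
}
PROCESS_PAIRS = {("telnet.exe", "tlntsvr.exe"), ("browser.exe", "httpd")}
MAX_INTERVAL_SECONDS = 5.0  # predetermined threshold between initiation and response


def client_behavior_is_legal(c: ClientLoginEvent) -> bool:
    """Pre-check on the first login behavior: a known login program started by an
    expected parent, with a visible window. A hidden-window login fails here even
    when the process itself looks right."""
    parents = LEGAL_CLIENT_PROCESSES.get(c.process)
    return parents is not None and c.parent_process in parents and c.window_visible


def behaviors_match(c: ClientLoginEvent, s: ServerLoginEvent,
                    max_interval: float = MAX_INTERVAL_SECONDS) -> Tuple[bool, str]:
    """Apply the three matching criteria: time interval, network addresses, process pair."""
    interval = s.responded_at - c.initiated_at
    if interval < 0 or interval >= max_interval:
        return False, f"time interval {interval:.1f}s outside threshold"
    if c.src_ip != s.peer_ip or c.dst_ip != s.local_ip:
        return False, "network addresses do not match"
    if (c.process, s.process) not in PROCESS_PAIRS:
        return False, "operation process and response process do not match"
    return True, "matched"


def verify_login(c: Optional[ClientLoginEvent], s: ServerLoginEvent,
                 max_interval: float = MAX_INTERVAL_SECONDS) -> Tuple[bool, str]:
    """Decide whether the second device should accept the login.

    Returns (accept, reason); the reason is what the server would report as
    alarm information when it rejects the login."""
    # Account and password are still checked first; the correlation is added on top.
    if not (s.account_authorized and s.password_ok):
        return False, "account lacks login authority or password incorrect"
    # A password-only attacker produces a server-side event with no matching
    # client-side behavior from a managed device, so this alone rejects it.
    if c is None:
        return False, "no client-side login behavior observed for this login"
    if not client_behavior_is_legal(c):
        return False, "client-side login behavior is not legal"
    return behaviors_match(c, s, max_interval)


# Constructed sample events (timestamps and addresses are arbitrary).
T0 = 1_700_000_000.0
SERVER_EVENT = ServerLoginEvent(T0 + 1.2, "10.0.0.5", "10.0.0.20", "tlntsvr.exe",
                                "admin", True, True)
GOOD_CLIENT = ClientLoginEvent(T0, "10.0.0.5", "10.0.0.20", "telnet.exe",
                               "explorer.exe", True)
HIDDEN_CLIENT = ClientLoginEvent(T0, "10.0.0.5", "10.0.0.20", "telnet.exe",
                                 "explorer.exe", False)
STALE_CLIENT = ClientLoginEvent(T0 - 60, "10.0.0.5", "10.0.0.20", "telnet.exe",
                                "explorer.exe", True)

if __name__ == "__main__":
    cases = [("legitimate", GOOD_CLIENT), ("hidden window", HIDDEN_CLIENT),
             ("stale client event", STALE_CLIENT), ("no client event", None)]
    for label, client in cases:
        print(f"{label:>18}: {verify_login(client, SERVER_EVENT)}")
```

In a deployment following FIG. 5 the events would be reported by agents on both devices to the central control server, which runs `verify_login`; in the FIG. 6 arrangement the second device runs it itself after receiving the first device's event. The interval check is one-sided on purpose: a server response recorded before the client's initiation time is treated as a mismatch rather than as a small absolute difference.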
In this embodiment, the first login behavior and the second login behavior may include dynamic behavior information and static information. The dynamic behavior information may include behavior chain information, process chain information and so on; the static information includes network addresses such as the device's IP address, Uniform Resource Locator (URL) address and MAC address, as well as device identifiers.
The solution of this embodiment can be applied in various login modes, such as C/S (client/server) mode and B/S (browser/server) mode. The communication between the first device and the second device may be relayed or direct, and may use any information transmission and data exchange method, such as C connecting directly to S or S connecting directly to C (similarly for B/S). FIG. 3 is a schematic diagram of the remote login flow in C/S mode and B/S mode according to an embodiment of the present application. Examples follow:
In a C/S-mode login scenario, such as managing a server running the Windows operating system, C/S mode can be used: the terminal connects through a Telnet (remote login protocol) client program to the Telnet server program on the managed server to perform management. Obtaining the first login behavior of the first device and the second login behavior of the second device includes: obtaining first behavior information of the Telnet client program on the first device, and obtaining second behavior information of the Telnet server program on the second device.
In a B/S-mode login scenario, such as managing web service systems (websites, mail, forums, OA systems, etc.), B/S mode is usually adopted: the terminal uses a browser to log in through the management page provided by the corresponding web service. Obtaining the first login behavior of the first device and the second login behavior of the second device includes: obtaining the remote service management page provided by the web service to the browser on the first device, and obtaining the remote service management page on the second device.
There are many ways to determine whether the first login behavior of the first device matches the second login behavior of the second device. A corresponding judgment can be made on the basis of the bidirectional login behaviors obtained, and when multiple sets of login behaviors are obtained, they can also be judged in combination.
In this embodiment, the first login behavior is the login behavior of the administrator (the remote login operator) on the terminal, for example opening Telnet and connecting to the IP address of the remote server, or opening a browser and accessing the URL of the remote service management page. The second login behavior is that the managed server (or another device) receives a connection request from the remote terminal whose content is a connection to the management service or management page. When a remote login occurs at both ends, these two behaviors should occur one after the other within a very short time, and can even be regarded as occurring at the same time.
The difference between normal login management and illegal login management by an attacker who has obtained the password through technical means is that in normal login management the first behavior occurs on the administrator's terminal, whereas in illegal login management the first behavior occurs on the attacker's terminal. Even if the attacker uses techniques such as port mapping or Address Resolution Protocol (ARP) attacks to impersonate a trusted terminal, the first login behavior, such as opening the Telnet client program or browser and entering the managed IP or URL, is still the attacker's action and occurs only on the attacker's terminal (which can be regarded as a third device), not on the first device that is supposed to initiate the login.
In this embodiment, it is judged on the administrator's terminal (the first device) whether the first login behavior has occurred normally, and at the same time it is judged on the managed server (the second device) whether the second login behavior has occurred normally. Only when both behaviors occur together and the login behaviors match is the login considered legitimate. Examples follow:
In one implementation of this embodiment, determining whether the first login behavior matches the second login behavior includes:
S11: obtaining the initiation time of the first login behavior and the response time of the second login behavior;
In this embodiment, the initiation time may be the time at which the login process on the first device (Telnet client program, remote management service accessed through the browser, etc.) initiates the login to the second device, and the response time is the time at which the corresponding login process on the second device responds.
S12: determining whether the interval between the initiation time and the response time is less than a predetermined threshold. The predetermined threshold is a very small time range; in a good network environment it can be set to within 1 s.
S13: when the interval between the initiation time and the response time is less than the predetermined threshold, determining that the first login behavior matches the second login behavior; when the interval is greater than or equal to the predetermined threshold, determining that the first login behavior does not match the second login behavior.
In another implementation of this embodiment, determining whether the first login behavior matches the second login behavior includes:
S21: obtaining first information about the first login behavior and second information about the second login behavior, where the first information includes a first network address and the second information includes a second network address; the network addresses include IP addresses, MAC addresses, URL addresses and so on.
S22: determining whether the first information and the second information match;
Network address matching can follow several matching strategies. Taking IP addresses as an example: when the target IP address entered on the first device is the same as the actual IP address of the second device, it is considered a match, otherwise not; when the IP address of the first device is the same as the source IP address seen by the second device when responding (the IP address of the device that initiated the login), it is considered a match, otherwise not; and when the source IP address carried in the reporting information sent by the first device to the server matches the preset list of legal IP addresses configured on the second device, it is considered a match, otherwise not. URL addresses and other network addresses are handled similarly.
S23: when the first information and the second information match, determining that the first login behavior matches the second login behavior; when the first information and the second information do not match, determining that the first login behavior does not match the second login behavior.
In addition to matching network addresses, device identifiers can also be matched: for example, when the device identifier of the first device matches the list of legal devices configured on the second device, it is determined that the first login behavior matches the second login behavior; otherwise it is determined that they do not match. The device identifier (such as an MID) may be carried in the request message of the first login behavior, or may be uploaded by the first device to a third-party server from which the second device obtains it after receiving the request message.
In another implementation of this embodiment, determining whether the first login behavior matches the second login behavior includes:
S31: reading the operation process of the first login behavior and the response process of the second login behavior;
S32: determining whether the operation process and the response process match;
Taking Telnet as an example, the process of the Telnet client program and the process of the Telnet server program are matching processes.
S33: when the operation process and the response process match, determining that the first login behavior matches the second login behavior; when the operation process and the response process do not match, determining that the first login behavior does not match the second login behavior.
Optionally, this embodiment can also be combined with the login account and login password for a double check. Before determining that the first device is a legitimate login device, the method further includes: obtaining the login account and login password entered on the first device, and determining that the login account has login permission and that the login password is correct. Only when the first login behavior matches the second login behavior and the user name and password are both correct is the login considered legitimate; if only one of the two behaviors occurs, the login is regarded as an illegal login by an attacker even if the user name and password are correct.
Optionally, the executing entity of this embodiment may be a cloud server or local server connected to two or more clients or servers, or it may be the client or server that initiates the login or responds to it. The client may be a mobile terminal, a PC, etc., but is not limited to these.
One implementation scenario of this embodiment includes: a C program installed on the management terminal, an S program installed on the managed terminal, and an M program installed on the central control server.
C program: checks and judges whether a management-initiation behavior has occurred and whether it is legitimate, including but not limited to: whether the Telnet program or browser has been started, whether it was started normally or abnormally, whether it is a hidden background operation or a normal operation with a visible window, and whether the correct IP of the managed terminal or URL of the management page was entered.
It then sends the behavior fingerprint, terminal ID, IP, login time, login operator and other information to the M program.
M program: collects the management behaviors and managed behaviors executed by each terminal and provides a query service.
S program: checks and judges whether a management behavior has occurred on the managed side. When a specific device, IP or account initiates a specific remote management request, it queries the M program to find out whether the corresponding device, IP or account initiated the corresponding management behavior on a management terminal, makes an overall judgment through bidirectional correlation verification, accepts normal logins, and rejects illegal logins while issuing alarm information.
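The C/M/S correlation flow described above, combined with the time-interval (S11 to S13), network-address (S21 to S23), device-identifier and process (S31 to S33) matching rules, as an added Python example that is not part of the patent or any product: the class and field names, the process labels, the legal-device lists and the sample addresses and times are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Operation/response process pairs treated as matching (step S32). The patent names
# the Telnet client/server pair; these labels and the browser pair are assumptions.
MATCHING_PROCESSES = {"telnet-client": {"telnet-server"}, "browser": {"web-admin"}}


@dataclass
class InitiationEvent:      # first login behavior, reported by the C program to M
    terminal_id: str
    source_ip: str
    target_addr: str        # IP or URL the administrator typed
    process: str            # login process on the management terminal
    visible_window: bool    # a hidden-window launch is not a legitimate login
    user: str
    time: datetime


@dataclass
class LoginRequest:         # second login behavior, seen by the S program
    server_addr: str        # the managed server's actual IP or management URL
    peer_ip: str            # source IP of the incoming connection
    response_process: str
    user: str
    time: datetime


class CentralServer:
    """The M program: stores initiation events and answers S-program queries."""
    def __init__(self) -> None:
        self._events: List[InitiationEvent] = []

    def report(self, event: InitiationEvent) -> None:
        self._events.append(event)

    def query(self, source_ip: str, user: str) -> List[InitiationEvent]:
        return [e for e in self._events if e.source_ip == source_ip and e.user == user]


class ManagedServer:
    """The S program: accepts a login only when a matching first behavior exists."""
    def __init__(self, central: CentralServer, legal_terminals: set, legal_ips: set,
                 threshold: timedelta = timedelta(seconds=1)) -> None:
        self.central = central
        self.legal_terminals = legal_terminals
        self.legal_ips = legal_ips
        self.threshold = threshold      # step S12: "within 1 s" on a good network

    def _mismatch(self, ev: InitiationEvent, req: LoginRequest) -> Optional[str]:
        """Return None when ev and req match, otherwise the first failed check."""
        if not ev.visible_window:
            return "login process has no visible window"
        gap = req.time - ev.time        # S11-S13: response must follow initiation
        if gap < timedelta(0) or gap >= self.threshold:
            return "time interval outside threshold"
        if ev.target_addr != req.server_addr:   # S21-S23: typed target == real address
            return "target address does not match server"
        if ev.source_ip not in self.legal_ips:  # source on the configured legal list
            return "source address not in legal list"
        if ev.terminal_id not in self.legal_terminals:
            return "terminal id not in legal device list"
        if req.response_process not in MATCHING_PROCESSES.get(ev.process, set()):
            return "operation/response processes do not match"   # S31-S33
        return None

    def check_login(self, req: LoginRequest, credentials_ok: bool) -> Tuple[bool, str]:
        """Bidirectional correlation check plus the optional account/password check;
        returns (accepted, message), the message being the alarm text on rejection."""
        failures = []
        for ev in self.central.query(req.peer_ip, req.user):
            reason = self._mismatch(ev, req)
            if reason is None:
                if credentials_ok:
                    return True, "login accepted: behaviors match, credentials valid"
                return False, "ALARM: behaviors match but credentials invalid"
            failures.append(reason)
        detail = "; ".join(failures) or "no initiation reported for this source"
        return False, f"ALARM: no matching first login behavior ({detail})"


def demo() -> dict:
    """Constructed scenario: one genuine administrator login and three requests that
    would pass a password-only check but fail the correlation check."""
    central = CentralServer()
    server = ManagedServer(central, legal_terminals={"TERM-01"}, legal_ips={"10.0.0.5"})
    t0 = datetime(2019, 8, 15, 9, 0, 0)
    # C program reports: Telnet client opened with a visible window on TERM-01
    central.report(InitiationEvent("TERM-01", "10.0.0.5", "10.0.0.20",
                                   "telnet-client", True, "admin", t0))

    def request(peer_ip: str, delay: timedelta) -> LoginRequest:
        return LoginRequest("10.0.0.20", peer_ip, "telnet-server", "admin", t0 + delay)

    genuine = request("10.0.0.5", timedelta(milliseconds=300))
    late = request("10.0.0.5", timedelta(seconds=5))      # outside the 1 s threshold
    unknown = request("10.0.0.9", timedelta(milliseconds=100))  # no initiation reported
    return {
        "genuine": server.check_login(genuine, credentials_ok=True),
        "late": server.check_login(late, credentials_ok=True),
        "unknown": server.check_login(unknown, credentials_ok=True),
        "bad_password": server.check_login(genuine, credentials_ok=False),
    }
```

In a deployment the `report` call would be the C program's upload and `query` the S program's lookup against the M service; the rejection message is what would be raised as the alarm.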
From the description of the above embodiments, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by software plus the necessary general-purpose hardware platform, and of course also by hardware, although in many cases the former is the better implementation. Based on this understanding, the technical solution of the present application, in essence or in the part that contributes to the prior art, can be embodied in the form of a software product stored on a storage medium (such as ROM/RAM, magnetic disk or optical disc) that includes a number of instructions for causing a terminal device (which may be a mobile phone, computer, server, network device, etc.) to execute the methods described in the embodiments of the present application.
Embodiment 2
This embodiment also provides a device and a system for verifying login behavior, which are used to implement the above embodiments and preferred implementations; what has already been explained is not repeated. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the devices described in the following embodiments are preferably implemented in software, implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
FIG. 4 is a structural block diagram of a device for verifying login behavior according to an embodiment of the present application. As shown in FIG. 4, the device includes a first acquisition module 40, a judgment module 42 and a first determination module 44, where:
the first acquisition module 40 is configured to obtain the first login behavior of the first device and the second login behavior of the second device, where the first device is the device that initiates the remote login and the second device is the device being logged into;
the judgment module 42 is configured to determine whether the first login behavior matches the second login behavior;
the first determination module 44 is configured to determine that the first device is a legitimate login device when the first login behavior matches the second login behavior.
Optionally, the judgment module includes: a first acquisition unit, configured to obtain the initiation time of the first login behavior and the response time of the second login behavior; a first judgment unit, configured to determine whether the interval between the initiation time and the response time is less than a predetermined threshold; and a first determination unit, configured to determine that the first login behavior matches the second login behavior when the interval between the initiation time and the response time is less than the predetermined threshold, and that the first login behavior does not match the second login behavior when the interval is greater than or equal to the predetermined threshold.
Optionally, the judgment module includes: a second acquisition unit, configured to obtain first information about the first login behavior and second information about the second login behavior, where the first information includes a first network address and the second information includes a second network address; a second judgment unit, configured to determine whether the first information and the second information match; and a second determination unit, configured to determine that the first login behavior matches the second login behavior when the first information and the second information match, and that the first login behavior does not match the second login behavior when they do not match.
Optionally, the judgment module includes: a reading unit, configured to read the operation process of the first login behavior and the response process of the second login behavior; a third judgment unit, configured to determine whether the operation process and the response process match; and a third determination unit, configured to determine that the first login behavior matches the second login behavior when the operation process and the response process match, and that the first login behavior does not match the second login behavior when they do not match.
Optionally, the first acquisition module includes: a first acquisition unit, configured to obtain first behavior information of the Telnet (remote login protocol) client program on the first device, and second behavior information of the Telnet server program on the second device.
Optionally, the first acquisition module includes: a second acquisition unit, configured to obtain the remote service management page provided by the web service to the browser on the first device, and the remote service management page on the second device.
Optionally, the device further includes: a second acquisition module, configured to obtain the login account and login password entered on the first device before the first determination module determines that the first device is a legitimate login device; and a second determination module, configured to determine that the login account has login permission and that the login password is correct.
FIG. 5 is a structural block diagram of a system for verifying login behavior according to an embodiment of the present application. As shown in FIG. 5, the system includes a first device 50, a second device 52, and a central control server 54 connected to the first device and the second device, where the first device 50 is configured to initiate a remote login to the second device, the second device 52 is configured to respond to the remote login initiated by the first device, and the central control server includes the device described in the above embodiment.
FIG. 6 is a structural block diagram of another system for verifying login behavior according to an embodiment of the present application. As shown in FIG. 6, the system includes a first device 60 and a second device 62, where the first device 60 is configured to initiate a remote login to the second device, and the second device 62 is configured to respond to the remote login initiated by the first device and includes the device described in the above embodiment.
It should be noted that each of the above modules can be implemented in software or hardware. For the latter, this can be achieved in the following ways, without limitation: all of the above modules are located in the same processor; or the above modules, in any combination, are located in different processors.
Embodiment 3
An embodiment of the present application further provides a storage medium that stores a computer program, where the computer program is configured to execute, when run, the steps of any of the above method embodiments.
Optionally, in this embodiment, the storage medium may be configured to store a computer program for executing the following steps:
S1: obtaining the first login behavior of the first device and the second login behavior of the second device, where the first device is the device that initiates the remote login and the second device is the device being logged into;
S2: determining whether the first login behavior matches the second login behavior;
S3: when the first login behavior matches the second login behavior, determining that the first device is a legitimate login device.
Optionally, in this embodiment, the storage medium may include, but is not limited to, various media capable of storing a computer program, such as a USB flash drive, read-only memory (ROM), random access memory (RAM), removable hard disk, magnetic disk or optical disc.
An embodiment of the present application further provides an electronic device including a memory and a processor, where the memory stores a computer program and the processor is configured to run the computer program to execute the steps of any of the above method embodiments.
Optionally, the electronic device may further include a transmission device and an input/output device, where the transmission device and the input/output device are each connected to the processor.
Optionally, in this embodiment, the processor may be configured to execute the following steps by means of the computer program:
S1: obtaining the first login behavior of the first device and the second login behavior of the second device, where the first device is the device that initiates the remote login and the second device is the device being logged into;
S2: determining whether the first login behavior matches the second login behavior;
S3: when the first login behavior matches the second login behavior, determining that the first device is a legitimate login device.
Optionally, for specific examples in this embodiment, reference may be made to the examples described in the above embodiments and optional implementations, which are not repeated here.
The serial numbers of the above embodiments of the present application are for description only and do not indicate the relative merits of the embodiments.
In the above embodiments of the present application, the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, reference may be made to the relevant descriptions of other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed technical content may be implemented in other ways. The device embodiments described above are merely illustrative. For example, the division into units is only a logical functional division; in actual implementation there may be other divisions, for example multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, units or modules, and may be electrical or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application, in essence, in the part that contributes to the prior art, or in whole or in part, may be embodied in the form of a software product stored on a storage medium and including a number of instructions for causing a computer device (which may be a personal computer, server, network device, etc.) to execute all or some of the steps of the methods described in the embodiments of the present application. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash drive, read-only memory (ROM), random access memory (RAM), removable hard disk, magnetic disk or optical disc.
The above are only preferred embodiments of the present application. It should be pointed out that those of ordinary skill in the art can make several improvements and refinements without departing from the principles of the present application, and these improvements and refinements should also be regarded as falling within the scope of protection of the present application.

Claims (1)

  1. (The claim is provided on this page only as an image: Figure PCTCN2019100898-appb-100001.)
PCT/CN2019/100898 2019-08-15 2019-08-15 Method and apparatus for checking login behavior, and system, storage medium and electronic apparatus WO2021026937A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201980094803.9A CN113812125B (en) 2019-08-15 2019-08-15 Verification method and device for login behavior, system, storage medium and electronic device
PCT/CN2019/100898 WO2021026937A1 (en) 2019-08-15 2019-08-15 Method and apparatus for checking login behavior, and system, storage medium and electronic apparatus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2019/100898 WO2021026937A1 (en) 2019-08-15 2019-08-15 Method and apparatus for checking login behavior, and system, storage medium and electronic apparatus

Publications (1)

Publication Number Publication Date
WO2021026937A1 true WO2021026937A1 (en) 2021-02-18

Family

ID=74569711

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/100898 WO2021026937A1 (en) 2019-08-15 2019-08-15 Method and apparatus for checking login behavior, and system, storage medium and electronic apparatus

Country Status (2)

Country Link
CN (1) CN113812125B (en)
WO (1) WO2021026937A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114785576A (en) * 2022-04-06 2022-07-22 北京蓝海在线科技有限公司 Account password authority authentication method and device, electronic equipment and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102298536A (en) * 2011-06-10 2011-12-28 邵永相 Remote control method, device and system
US20160285949A1 (en) * 2013-10-30 2016-09-29 Le Shi Zhi Xin Electronic Technology (Tianjin) Limited Wireless login-based remote control method and device
CN107689944A (en) * 2016-08-05 2018-02-13 阿里巴巴集团控股有限公司 Identity identifying method, device and system
CN108881127A (en) * 2017-05-15 2018-11-23 中兴通讯股份有限公司 A kind of method and system of control remote access permission
CN108924219A (en) * 2018-06-29 2018-11-30 深圳臻迪信息技术有限公司 The method, apparatus and system of remote operation terminal

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101079903B (en) * 2007-06-21 2011-01-19 中国工商银行股份有限公司 Method and system based on remote login of user terminal
CN107689936B (en) * 2016-08-03 2021-07-06 阿里巴巴集团控股有限公司 Security verification system, method and device for login account
CN107295024A (en) * 2017-08-24 2017-10-24 四川长虹电器股份有限公司 Method for realizing secure login and access for a web front end
CN108023874B (en) * 2017-11-15 2020-11-03 平安科技(深圳)有限公司 Single sign-on verification device and method and computer readable storage medium
CN107911383A (en) * 2017-12-04 2018-04-13 鼎点视讯科技有限公司 Cryptographic check method and apparatus
CN108156169A (en) * 2017-12-28 2018-06-12 惠州Tcl家电集团有限公司 Account login validation method, system and computer readable storage medium
CN109104418A (en) * 2018-07-25 2018-12-28 浙江威步机器人技术有限公司 Account login validation method, device, storage medium and server
CN109710437A (en) * 2018-10-29 2019-05-03 努比亚技术有限公司 Application login optimization method, terminal and computer readable storage medium

Also Published As

Publication number Publication date
CN113812125A (en) 2021-12-17
CN113812125B (en) 2023-10-20

Similar Documents

Publication Publication Date Title
US9942220B2 (en) Preventing unauthorized account access using compromised login credentials
JP6349579B2 (en) Conditional login promotion
US9729514B2 (en) Method and system of a secure access gateway
US8387131B2 (en) Enforcing secure internet connections for a mobile endpoint computing device
US9654480B2 (en) Systems and methods for profiling client devices
WO2016165536A1 (en) Identity verification method and device
US20140020067A1 (en) Apparatus and method for controlling traffic based on captcha
US10419431B2 (en) Preventing cross-site request forgery using environment fingerprints of a client device
US8914644B2 (en) System and method of facilitating the identification of a computer on a network
CN110855709A (en) Access control method, device, equipment and medium for security access gateway
US10218712B2 (en) Access control using information on devices and access locations
CN106060072B (en) Authentication method and device
CN113341798A (en) Method, system, device, equipment and storage medium for remotely accessing application
CN109302397B (en) Network security management method, platform and computer readable storage medium
CN114363067B (en) Network access control method, device, computer equipment and storage medium
WO2021026937A1 (en) Method and apparatus for checking login behavior, and system, storage medium and electronic apparatus
CN112398786B (en) Method and device for identifying penetration attack, system, storage medium and electronic device
CN112395586A (en) File access control method, device, system, storage medium and electronic device
CN112929388B (en) Network identity cross-device application rapid authentication method and system, and user agent device
US10523715B1 (en) Analyzing requests from authenticated computing devices to detect and estimate the size of network address translation systems
CN115694843B (en) Camera access management method, system, device and medium for avoiding counterfeiting
KR102362320B1 (en) System and method for communicating of network address mutation on dynamic network security
US20240031412A1 (en) Address management apparatus, address management system, address management method, and program
TWI706281B (en) Device verification method
CN115766095A (en) Industrial equipment identity authentication method and device, computer equipment and storage medium

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 19941702; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 19941702; Country of ref document: EP; Kind code of ref document: A1)