CN103248472A - Operation request processing method and system and attack identification device - Google Patents

Operation request processing method and system and attack identification device

Info

Publication number: CN103248472A
Authority: CN (China)
Prior art keywords: user, business operation, business, request, attack
Legal status: Pending
Application number: CN2013101307135A
Other languages: Chinese (zh)
Inventor: 欧阳辉
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Priority: CN2013101307135A

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The embodiment of the invention discloses an operation request processing method and system and an attack identification device. The method comprises the following steps: when a user sends a service operation request, intercepting the service operation request and detecting the requested service operation according to a preset attack user identification rule; when the requested service operation is detected to be illegal, stopping its execution; and when it is detected to be legal, forwarding the service operation request to a service server, which completes the corresponding operation. According to the invention, the user's service operations can be detected so as to better ensure the security of the network system.

Description

Method, system and attack identification device for processing operation requests
Technical field
The present invention relates to the field of communication technology, and in particular to a method, a system and an attack identification device for processing operation requests.
Background technology
Network attacks may tamper with or damage important routine data in a system, and may even cause system crashes and service paralysis, so ensuring the security of a network system has become increasingly important.
In the prior art, an ACL (Access Control List) is configured to set the user IPs that may access the system and the service ports that may be accessed. When a user sends a login request to the service end, the user information carried in the login request and the ACL are used to judge whether the user IP is allowed to access and whether the service IP and port the user needs to access are externally accessible. When all conditions are met, the user's login request is forwarded to the service end so that the service end authenticates the user according to the login request; after successful authentication the user can continue with other service operations.
However, in the prior art an illegal user who has passed user authentication, for example by means of network packet capture, can connect to the network management server and perform illegal operations such as accessing the sensitive data of the network management system, which affects the security of the network system that includes the network management server.
Summary of the invention
Embodiments of the invention provide a method and a system for processing operation requests and an attack identification device, which can detect a user's service operations so as to better ensure the security of the network system.
A first aspect of the invention provides a method for processing operation requests, which may comprise:
when a user sends a service operation request, intercepting the service operation request sent by the user, and detecting the service operation requested by the service operation request according to a preset attack user identification rule;
when the requested service operation is detected to be an illegal service operation, stopping the execution of the illegal service operation;
when the requested service operation is detected to be a legitimate service operation, forwarding the service operation request to the service server so that the service server completes the corresponding operation.
In a first possible implementation, the method further comprises: when the number of times that the service operation requested by the service operation request is detected to be an illegal service operation reaches a preset count threshold, determining that the user is an attack user and adding the user to a blacklist, the blacklist recording user IDs and/or user IPs.
With reference to the first aspect or the first possible implementation of the first aspect, in a second possible implementation, intercepting the service operation request sent by the user when the user sends it and detecting the requested service operation according to the preset attack user identification rule comprises:
when the user sends a service operation request, intercepting the service operation request sent by the user;
judging, according to the attack user identification rule, whether the service operation requested by the service operation request is a key service operation;
if it is judged not to be a key service operation, determining that the service operation is a legitimate service operation;
if it is judged to be a key service operation, further judging, according to the attack user identification rule, whether the user has the operation permission to perform the key service operation;
if the user is judged to have the operation permission, determining that the service operation is a legitimate service operation; otherwise, determining that the service operation is an illegal service operation.
With reference to the first aspect, or the first or second possible implementation of the first aspect, in a third possible implementation, before intercepting the service operation request sent by the user and detecting the requested service operation according to the preset attack user identification rule, the method further comprises:
presetting the attack user identification rule, which further comprises:
identifying a key service operation set according to the service operation set;
analyzing the class names, permission IDs and count thresholds of the key services according to the key service operation set, and determining the attack user identification rule.
With reference to the first aspect, or any of the first to third possible implementations of the first aspect, in a fourth possible implementation, before intercepting the service operation request sent by the user and detecting the requested service operation according to the preset attack user identification rule, the method further comprises:
intercepting a login request sent by the user, extracting the user Token from the login request, and checking whether the user Token is valid;
when the checked user Token is invalid, determining that the user is an attack user and adding the user to the blacklist, the blacklist recording user IDs and/or user IPs;
when the checked user Token is valid, forwarding the login request to the service server so that the service server authenticates the user's identity.
With reference to the first aspect, or any of the first to fourth possible implementations of the first aspect, in a fifth possible implementation, the method further comprises:
when the user is judged to be an attack user, performing a security operation, the security operation comprising at least one of: recording the illegal service operation the user attempted to perform, sending a security alert about the user's attempt to perform an illegal service operation, and disconnecting the connection between the user and the service server.
A second aspect of the invention provides an attack identification device, which may comprise:
an interception detection module, configured to intercept, when a user sends a service operation request, the service operation request sent by the user, and to detect the service operation requested by the service operation request according to a preset attack user identification rule;
a stopping module, configured to stop the execution of the illegal service operation when the interception detection module detects that the requested service operation is an illegal service operation;
a first forwarding module, configured to forward the service operation request to the service server when the interception detection module detects that the requested service operation is a legitimate service operation, so that the service server completes the corresponding operation.
In a first possible implementation, the device further comprises: a first blacklist processing module, configured to determine that the user is an attack user and add the user to a blacklist when the number of times that the interception detection module detects the service operation requested by the service operation request to be an illegal service operation reaches a preset count threshold, the blacklist recording user IDs and/or user IPs.
With reference to the second aspect or the first possible implementation of the second aspect, in a second possible implementation, the interception detection module comprises:
an interception unit, configured to intercept the service operation request sent by the user when the user sends a service operation request;
a key service judging unit, configured to judge, according to the attack user identification rule, whether the service operation requested by the service operation request is a key service operation;
a first determining unit, configured to determine that the service operation is a legitimate service operation if the key service judging unit judges that it is not a key service operation;
an operation permission judging unit, configured to further judge, according to the attack user identification rule, whether the user has the operation permission to perform the key service operation if the key service judging unit judges that it is a key service operation;
a second determining unit, configured to determine that the service operation is a legitimate service operation if the operation permission judging unit judges that the user has the operation permission, and otherwise to determine that the service operation is an illegal service operation.
With reference to the second aspect, or the first or second possible implementation of the second aspect, in a third possible implementation, the device further comprises:
a presetting module, configured to preset the attack user identification rule;
the presetting module specifically comprises:
an identifying unit, configured to identify a key service operation set according to the service operation set;
an analysis and determining unit, configured to analyze the class names, permission IDs and count thresholds of the key services according to the key service operation set, and to determine the attack user identification rule.
With reference to the second aspect, or any of the first to third possible implementations of the second aspect, in a fourth possible implementation, the device further comprises:
an interception extraction module, configured to intercept a login request sent by the user, extract the user Token from the login request, and check whether the user Token is valid;
a second blacklist processing module, configured to determine that the user is an attack user and add the user to the blacklist when the user Token checked by the interception extraction module is invalid, the blacklist recording user IDs and/or user IPs;
a second forwarding module, configured to forward the login request to the service server when the user Token checked by the interception extraction module is valid, so that the service server authenticates the user's identity.
With reference to the second aspect, or any of the first to fourth possible implementations of the second aspect, in a fifth possible implementation, the device further comprises:
a security operation module, configured to perform a security operation when the user is judged to be an attack user, the security operation in the security operation module comprising at least one of: recording the illegal service operation the user attempted to perform, sending a security alert about the user's attempt to perform an illegal service operation, and disconnecting the connection between the user and the service server.
A third aspect of the invention provides a system for processing operation requests, which may comprise an attack identification device and a service server;
the attack identification device is configured to intercept, when a user sends a service operation request, the service operation request sent by the user, detect the service operation requested by the service operation request according to a preset attack user identification rule, stop the execution of the illegal service operation when the requested service operation is detected to be an illegal service operation, and forward the service operation request to the service server when the requested service operation is detected to be a legitimate service operation, so that the service server completes the corresponding operation;
the service server is configured to receive the service operation request and complete the service operation according to the service operation request.
In a first possible implementation, the attack identification device is further configured to determine that the user is an attack user and add the user to a blacklist when the number of times that the service operation requested by the service operation request is detected to be an illegal service operation reaches a preset count threshold, the blacklist recording user IDs and/or user IPs.
With reference to the third aspect or the first possible implementation of the third aspect, in a second possible implementation, the attack identification device is further configured to intercept the service operation request sent by the user when the user sends it, judge according to the attack user identification rule whether the service operation requested by the service operation request is a key service operation, and determine that the service operation is a legitimate service operation if it is judged not to be a key service operation; further configured, if it is judged to be a key service operation, to further judge according to the attack user identification rule whether the user has the operation permission to perform the key service operation; and further configured to determine that the service operation is a legitimate service operation if the user is judged to have the operation permission, and otherwise to determine that the service operation is an illegal service operation.
With reference to the third aspect, or the first or second possible implementation of the third aspect, in a third possible implementation, the attack identification device is further configured to preset the attack user identification rule, and specifically to identify a key service operation set according to the service operation set, analyze the class names, permission IDs and count thresholds of the key services according to the key service operation set, and determine the attack user identification rule.
With reference to the third aspect, or any of the first to third possible implementations of the third aspect, in a fourth possible implementation, the attack identification device is further configured to intercept a login request sent by the user, extract the user Token from the login request and check whether the user Token is valid; further configured to determine that the user is an attack user and add the user to the blacklist when the checked user Token is invalid, the blacklist recording user IDs and/or user IPs; and further configured to forward the login request to the service server when the checked user Token is valid, so that the service server authenticates the user's identity.
With reference to the third aspect, or any of the first to fourth possible implementations of the third aspect, in a fifth possible implementation, the system further comprises a protection device;
the protection device is configured to receive the login request sent by the user, detect, in combination with an access control list (ACL) and the blacklist, whether the login request meets the login conditions, forward the login request to the service server when the login conditions are met, and reject the login request when they are not;
the attack identification device, when intercepting the login request sent by the user, is specifically configured to intercept the login request forwarded by the protection device to the service server.
With reference to the third aspect, or any of the first to fifth possible implementations of the third aspect, in a sixth possible implementation, the attack identification device is further configured to perform a security operation when the user is judged to be an attack user, the security operation comprising at least one of: recording the illegal service operation the user attempted to perform, sending a security alert about the user's attempt to perform an illegal service operation, and disconnecting the connection between the user and the service server.
Therefore, in some possible implementations of the invention, the service operation request is intercepted and the service operation it requests is detected; when the requested service operation is detected to be an illegal service operation its execution can be stopped, and when it is detected to be a legitimate service operation the service operation request is forwarded to the service server. The security of the network system is thus better ensured by detecting the legitimacy of service operations, the problem that a user who has passed authentication can still perform illegal service operations is effectively avoided, and the security of the network system is improved.
Description of drawings
To illustrate the technical solutions of the embodiments of the invention or of the prior art more clearly, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below. Evidently the drawings described below are only some embodiments of the invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic flowchart of a method for processing operation requests provided by an embodiment of the invention;
Fig. 2 is a schematic flowchart of another method for processing operation requests provided by an embodiment of the invention;
Fig. 3 is a schematic flowchart of one method for detecting a service operation provided by an embodiment of the invention;
Fig. 4 is a schematic flowchart of one method for presetting the attack user identification rule provided by an embodiment of the invention;
Fig. 5 is a schematic structural diagram of a system for processing operation requests provided by an embodiment of the invention;
Fig. 6 is a schematic structural diagram of another system for processing operation requests provided by an embodiment of the invention;
Fig. 7 is a schematic structural diagram of an attack identification device provided by an embodiment of the invention;
Fig. 8 is a schematic structural diagram of another attack identification device provided by an embodiment of the invention;
Fig. 9 is a schematic diagram of one specific structure of the interception detection module in Fig. 8;
Fig. 10 is a schematic diagram of one specific structure of the presetting module in Fig. 8;
Fig. 11 is a schematic structural diagram of a network device provided by an embodiment of the invention.
Embodiment
Below in conjunction with the accompanying drawing in the embodiment of the invention, the technical scheme in the embodiment of the invention is clearly and completely described, obviously, described embodiment only is the present invention's part embodiment, rather than whole embodiment.Based on the embodiment among the present invention, those of ordinary skills belong to the scope of protection of the invention not making the every other embodiment that obtains under the creative work prerequisite.
See also Fig. 1, be a kind of schematic flow sheet of handling the method for operation requests that the embodiment of the invention provides, described method comprises:
S101 when the user sends the business operation request, tackles the business operation request that described user sends, and the business operation of asking according to the described business operation request of attack User Recognition rule detection of presetting;
In described S101, can pass through AOP(Aspect Oriented Programming, towards tangent plane programming) the business operation request that sends of the described user of technical intercept, and the legitimacy of the business operation of asking according to the described business operation request of attack User Recognition rule detection of presetting.Wherein, described business operation request can comprise: the content of business operation, operation ID, user's permission ID and other information of user.The described attack User Recognition rule that presets comprises at least: attributes such as the class name of the permission ID of operation ID, action name, business operation, frequency threshold value, realization operation and realization method of operating name.
S102 when detecting the business operation of asking and be illegal business operation, stops the execution of described illegal business operation;
In described S102, when S101 detects the business operation of asking and is illegal business operation, stop the execution of described illegal business operation, wherein, stop the detailed process of the execution of described illegal business operation to identify for add illegal business operation to described business operation request, the business operation request that will carry illegal business operation sign again is forwarded to service server, informs that described service server stops to carry out the business operation that this business operation request is asked; Perhaps, stop the detailed process of the execution of described illegal business operation to arrive service server for not transmitting this business operation request, so that service server can't be carried out this business operation.
S103 is legitimate traffic when operation when detecting the business operation of asking, and described business operation request is forwarded to described service server, so that service server is finished respective operations;
In described S103, be legitimate traffic when operation when S101 detects the business operation of asking, described business operation request is forwarded to described service server, so that service server is finished respective operations.
Therefore, in possible implementation more of the present invention, by the interception service operation requests and detect the business operation that the business operation request is asked, when detecting the business operation of asking when being illegal business operation, can stop the execution of described illegal business operation, it is legitimate traffic when operation when detecting the business operation of asking, described business operation request is forwarded to described service server, make can be by detecting business operation legitimacy to guarantee the safety of network system preferably, effectively avoided still can carrying out the problem of illegal business operation the user by authenticating the back user, improved security of network system.
See also Fig. 2, the another kind that provides for the embodiment of the invention is handled the schematic flow sheet of the method for operation requests, and described method comprises:
S201 presets described attack User Recognition rule;
Concrete, according to the business operation set, identify the key business operational set, analyze class name, permission ID, the frequency threshold value of key business again according to described key business operational set, and determine to attack the User Recognition rule.
S202, the logging request that the interception user sends extract User Token (Token, token) from described logging request, and whether verified users Token is effective;
Logging request by AOP technical intercept user sends extract User Token (Token, token) from described logging request, and whether verified users Token is effective, and for example, can verification going out the Token that the user forges is invalid Token; Perhaps can also be forwarded to the logging request of described service server by AOP technical intercept protector, from described logging request, extract user Token, and whether verified users Token is effective, wherein, described protector is used for receiving the logging request that the user sends, and combined with access control tabulation ACL and blacklist detect described logging request and whether meet registration conditions, when satisfying registration conditions, described logging request is forwarded to described service server, when not satisfying registration conditions, refuse described logging request, wherein, described logging request can comprise user Token, user ID, user name, attributes such as User IP.
S203 determines that described user is the attack user, and adds described user to blacklist that described blacklist is used for recording user ID and/or User IP;
As verified users Token among the S202 when being invalid, determine that described user is for attacking the user, and adding described user to blacklist, described blacklist is used for recording user ID and/or User IP, makes the user who adds in the blacklist all can't sign in to service end follow-up.For example, when intercepting the logging request of user's transmission, judge whether this user's user ID and/or User IP exist in the blacklist earlier, if exist, then return request failure message.
S204 is forwarded to service server with described logging request, so that service server authenticates user identity;
As verified users Token among the S202 when being effective, then described logging request is forwarded to service server, so that service server authenticates user identity, when authentication is passed through, service server is with the return authentication success message, at this moment, the user can send the business operation request to service server.
S205: when the user sends a business operation request, intercept the business operation request sent by the user, and detect the business operation requested by the business operation request according to the preset attack-user identification rule;
S206: when the requested business operation is detected to be an illegal business operation, prevent the execution of the illegal business operation;
S207: when the requested business operation is detected to be a legitimate business operation, forward the business operation request to the service server, so that the service server completes the corresponding operation;
The specific implementation of S205 to S207 may refer to S101 to S103 of the first embodiment above and is not repeated here.
S208: when the number of times that the business operation requested by the user's business operation request is detected to be an illegal business operation reaches a preset frequency threshold, determine that the user is an attack user and add the user to a blacklist, where the blacklist is used to record the user ID and/or the user IP;
In S208, when the number of times that the business operation requested by the business operation request is detected to be an illegal business operation reaches the preset frequency threshold, the user is determined to be an attack user and added to the blacklist. The blacklist records the user ID and/or the user IP, so that a user who has been added to the blacklist can no longer log in to the service end afterwards. The preset frequency threshold may be set in the attack-user identification rule. As long as the number of detected illegal business operations has not reached the frequency threshold, the user can still initiate business operation requests, and each request continues to be checked for legitimacy; once the number of detected illegal business operations reaches the frequency threshold, the user is determined to be an attack user, added to the blacklist, and the relevant safety operations are performed.
S209: when the user is judged to be an attack user, perform a safety operation, where the safety operation comprises at least one of: recording the illegal business operation that the user attempted to perform, sending a safety warning about the user's attempt to perform an illegal business operation, and disconnecting the connection between the user and the service server;
When the user Token fails verification, or when the number of times that the business operation requested by the business operation request is detected to be an illegal business operation reaches the preset frequency threshold, the user can be judged to be an attack user and the safety operation is performed. The safety operation comprises at least one of: recording the illegal business operation that the user attempted to perform, sending a safety warning about the user's attempt to perform an illegal business operation, and disconnecting the connection between the user and the service server. The safety warning about the user's attempt to perform an illegal business operation is sent to the administrator, so that the administrator can formulate a corresponding prevention policy in advance.
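The S208/S209 bookkeeping, as an added Python example that is not part of the patent: it assumes an upstream detector has already judged each intercepted request (the `illegal` field of the constructed events), counts illegal operations per user against the frequency threshold, blacklists by user ID and IP, performs the three safety operations, and refuses later logins from a blacklisted ID or IP. The class names, the threshold value and the sample event stream are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class DetectionEvent:
    """One intercepted business operation request after detection (constructed shape).
    `illegal` is the verdict of the upstream rule check; this block does not redo it."""
    user_id: str
    user_ip: str
    operation_id: str
    illegal: bool


@dataclass
class Blacklist:
    """Records user IDs and/or user IPs, as S208 allows either or both."""
    user_ids: Set[str] = field(default_factory=set)
    user_ips: Set[str] = field(default_factory=set)

    def contains(self, user_id: str, user_ip: str) -> bool:
        return user_id in self.user_ids or user_ip in self.user_ips


class AttackUserIdentifier:
    """Counts illegal operations per user and applies S208/S209 at the threshold."""

    def __init__(self, frequency_threshold: int, blacklist: Optional[Blacklist] = None):
        self.threshold = frequency_threshold          # taken from the attack-user rule
        self.blacklist = blacklist if blacklist is not None else Blacklist()
        self.illegal_counts: Dict[str, int] = defaultdict(int)
        self.audit_log: List[str] = []                # "record the illegal operation"
        self.alerts: List[str] = []                   # "send a safety warning"
        self.disconnected: Set[str] = set()           # "disconnect the user"

    def handle(self, ev: DetectionEvent) -> str:
        """Decision for one request: 'forward', 'block' or 'blacklisted'."""
        if self.blacklist.contains(ev.user_id, ev.user_ip):
            return "blacklisted"                      # already disconnected; drop silently
        if not ev.illegal:
            return "forward"                          # S207: legitimate, hand to service server
        # S206: block the illegal operation and record the attempt.
        self.illegal_counts[ev.user_id] += 1
        self.audit_log.append(
            f"user={ev.user_id} ip={ev.user_ip} attempted illegal operation {ev.operation_id}")
        if self.illegal_counts[ev.user_id] >= self.threshold:
            # S208: threshold reached, the user is an attack user.
            self.blacklist.user_ids.add(ev.user_id)
            self.blacklist.user_ips.add(ev.user_ip)
            self._safety_operations(ev)               # S209
            return "blacklisted"
        return "block"

    def _safety_operations(self, ev: DetectionEvent) -> None:
        """S209: warn the administrator and disconnect the user (recording is done above)."""
        self.alerts.append(
            f"SECURITY ALERT: user={ev.user_id} ip={ev.user_ip} reached "
            f"{self.threshold} illegal operations, last={ev.operation_id}")
        self.disconnected.add(ev.user_id)

    def login_allowed(self, user_id: str, user_ip: str) -> bool:
        """Later login attempts by a blacklisted ID or IP are refused."""
        return not self.blacklist.contains(user_id, user_ip)


# Constructed event stream: alice trips once, mallory keeps retrying a key operation.
SAMPLE_EVENTS = [
    DetectionEvent("alice", "10.0.0.5", "op-add-user", True),
    DetectionEvent("alice", "10.0.0.5", "op-query-alarms", False),
    DetectionEvent("mallory", "10.0.0.9", "op-add-user", True),
    DetectionEvent("mallory", "10.0.0.9", "op-add-user", True),
    DetectionEvent("mallory", "10.0.0.9", "op-add-user", True),
    DetectionEvent("mallory", "10.0.0.9", "op-query-alarms", False),
]


def run_demo(threshold: int = 3) -> Tuple[AttackUserIdentifier, List[str]]:
    """Runs the constructed stream through the identifier and returns both."""
    ident = AttackUserIdentifier(threshold)
    decisions = [ident.handle(ev) for ev in SAMPLE_EVENTS]
    return ident, decisions


if __name__ == "__main__":
    identifier, outcome = run_demo()
    print(outcome)
    print(identifier.alerts)
```

The blacklist check at the top of `handle` is a defensive addition for requests that arrive on a connection before the disconnect takes effect; the patent itself only states that a blacklisted user can no longer log in.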
Therefore, in some possible implementations of the present invention, by intercepting the business operation request and detecting the business operation it requests, the execution of an illegal business operation can be prevented when the requested business operation is detected to be illegal, and the business operation request is forwarded to the service server when the requested business operation is detected to be legitimate, so that the service server completes the corresponding operation. The present invention can thus prevent a user's illegal business operations by detecting the legitimacy of business operations; it can also identify a user as an attack user according to the attack-user identification rule and add the attack user to the blacklist. This effectively avoids the problem that a user who has passed authentication can still perform illegal business operations, and improves the security of the network system.
Specifically, refer again to Fig. 3, which is a schematic flowchart of a method for detecting a business operation provided by an embodiment of the present invention. The method of this embodiment may correspond to S101 in the embodiment corresponding to Fig. 1 above, or to S205 in the embodiment corresponding to Fig. 2. This embodiment describes detecting the business operation requested by the business operation request according to the preset attack-user identification rule. The method specifically comprises:
S301: when the user sends a business operation request, intercept the business operation request sent by the user;
When the user sends a business operation request, the request is intercepted by AOP (aspect-oriented programming) technology. The business operation request may comprise: the content of the business operation, the operation ID, the user's permission ID, and other information about the user.
S302: judge, according to the attack-user identification rule, whether the business operation requested by the business operation request is a key business operation;
The preset attack-user identification rule comprises at least attributes such as: the operation ID, the operation name, the permission ID of the business operation, the frequency threshold, the class name of the implementing operation, and the method name of the implementing operation. Key business can be identified according to its impact on the business. Key business may comprise rights-assignment related operations, such as authorizing, adding and/or deleting users; it may also comprise operations that access core data or sensitive data, such as querying database user names and/or passwords, confirming and/or clearing alarms, and adding and/or deleting network elements. The attack-user identification rule contains the definition of key business, and whether the business operation requested by the business operation request is a key business operation is judged according to the rule.
S303: determine that the business operation is a legitimate business operation;
When the business operation judged in S302 is not a key business operation, the business operation is determined to be a legitimate business operation, and the business operation request is forwarded to the service server so that the service server completes the corresponding operation.
S304: further judge, according to the attack-user identification rule, whether the user has the operating permission to perform the key business operation;
When the business operation judged in S302 is a key business operation, it is further judged according to the attack-user identification rule whether the user has the operating permission to perform the key business operation. Because the attack-user identification rule comprises the permission ID of the business operation, whether the user has the operating permission can be judged from the result of matching the permission ID of the business operation in the rule against the user permission ID carried in the user's business operation request.
S305: determine that the business operation is an illegal business operation;
When S304 judges that the user does not have the operating permission, the business operation is determined to be an illegal business operation, and the execution of the illegal business operation is prevented.
S306: determine that the business operation is a legitimate business operation;
When S304 judges that the user has the operating permission, the business operation is determined to be a legitimate business operation, and the business operation request is forwarded to the service server so that the service server completes the corresponding operation.
Therefore, in some possible implementations of the present invention, the legitimacy of a business operation is determined by identifying key business and judging the user's operating permission through the attack-user identification rule, so that the legitimacy of business operations can be effectively detected to prevent a user's illegal business operations.
Specifically, refer again to Fig. 4, which is a schematic flowchart of a method for presetting the attack-user identification rule provided by an embodiment of the present invention. The method of this embodiment may correspond to S201 in the embodiment corresponding to Fig. 2 above. This embodiment describes presetting the attack-user identification rule, and the method comprises:
S401: identify a key business operation set from the business operation set;
S402: analyze the class name, permission ID and frequency threshold of the key business according to the key business operation set, and determine the attack-user identification rule;
Specifically, the key business operation set is identified from the business operation set according to the impact on the business: for example, operations with a relatively large impact on the business, such as rights-assignment related operations and operations that access core data or sensitive data, are defined as key business operations. For each key business, its class name, method name and frequency threshold are analyzed, and this information is abstracted into the attack-user identification rule. The attributes of the attack-user identification rule comprise at least: the operation ID, the operation name, the permission ID, the frequency threshold, the class name of the implementing operation, the method name of the implementing operation, and so on. Finally, the abstracted attack-user identification rule is set in the system.
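Presetting the rule (S401/S402) and applying it in the Fig. 3 detection (S302 to S306), as one added Python example that is not the patent's code. The business operation set, the impact categories, the class and method names, the permission IDs and the thresholds are constructed; the patent does not fix how key business is tagged, so the `impact` field is an assumption standing in for the business-impact analysis.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class BusinessOperation:
    """One entry of the business operation set (constructed). `impact` is the
    classification S401 uses to pick out key business (assumed tagging)."""
    operation_id: str
    operation_name: str
    impl_class: str
    impl_method: str
    permission_id: str
    impact: str  # "rights_assignment" | "core_data" | "sensitive_data" | "ordinary"


@dataclass(frozen=True)
class AttackUserRule:
    """The attributes the patent lists for the attack-user identification rule."""
    operation_id: str
    operation_name: str
    permission_id: str
    frequency_threshold: int
    impl_class: str
    impl_method: str


KEY_IMPACTS = frozenset({"rights_assignment", "core_data", "sensitive_data"})


def identify_key_operations(ops: List[BusinessOperation]) -> List[BusinessOperation]:
    """S401: the key business operation set is the subset with high business impact."""
    return [op for op in ops if op.impact in KEY_IMPACTS]


def build_rules(ops: List[BusinessOperation], thresholds: Dict[str, int],
                default_threshold: int = 3) -> Dict[str, AttackUserRule]:
    """S402: abstract each key operation's class, method, permission ID and
    frequency threshold into a rule, keyed by operation ID."""
    rules: Dict[str, AttackUserRule] = {}
    for op in identify_key_operations(ops):
        rules[op.operation_id] = AttackUserRule(
            op.operation_id, op.operation_name, op.permission_id,
            thresholds.get(op.impact, default_threshold), op.impl_class, op.impl_method)
    return rules


def rule_for_joinpoint(rules: Dict[str, AttackUserRule], impl_class: str,
                       impl_method: str) -> Optional[AttackUserRule]:
    """Lookup by implementing class and method, which is what an AOP interceptor sees."""
    for rule in rules.values():
        if rule.impl_class == impl_class and rule.impl_method == impl_method:
            return rule
    return None


@dataclass(frozen=True)
class BusinessOperationRequest:
    """Fields S301 says the intercepted request can carry (constructed values)."""
    user_id: str
    operation_id: str
    user_permission_ids: FrozenSet[str]
    content: str


def detect(req: BusinessOperationRequest, rules: Dict[str, AttackUserRule]) -> str:
    """Fig. 3 decision: 'legal' (S303/S306) or 'illegal' (S305)."""
    rule = rules.get(req.operation_id)
    if rule is None:
        return "legal"          # S302/S303: not a key business operation
    if rule.permission_id in req.user_permission_ids:
        return "legal"          # S304/S306: permission ID in the rule matches the user's
    return "illegal"            # S304/S305: key operation without the permission


# Constructed business operation set, following the patent's examples of key business.
OPERATIONS = [
    BusinessOperation("op-001", "queryAlarms", "AlarmService", "query", "P_VIEW", "ordinary"),
    BusinessOperation("op-002", "addUser", "UserService", "addUser", "P_USER_ADMIN", "rights_assignment"),
    BusinessOperation("op-003", "queryDbCredentials", "DbService", "queryCredentials", "P_DB_ADMIN", "core_data"),
    BusinessOperation("op-004", "clearAlarm", "AlarmService", "clear", "P_ALARM_ADMIN", "sensitive_data"),
]
THRESHOLDS = {"rights_assignment": 2}   # stricter for rights assignment, default 3 elsewhere


def run_demo() -> Tuple[Dict[str, AttackUserRule], List[str]]:
    """Builds the rule set and runs four constructed requests through detect()."""
    rules = build_rules(OPERATIONS, THRESHOLDS)
    requests = [
        BusinessOperationRequest("alice", "op-001", frozenset({"P_VIEW"}), "list alarms"),
        BusinessOperationRequest("alice", "op-002", frozenset({"P_VIEW"}), "add user eve"),
        BusinessOperationRequest("admin", "op-002", frozenset({"P_VIEW", "P_USER_ADMIN"}), "add user eve"),
        BusinessOperationRequest("alice", "op-003", frozenset(), "dump db users"),
    ]
    return rules, [detect(r, rules) for r in requests]


if __name__ == "__main__":
    built, verdicts = run_demo()
    print(sorted(built), verdicts)
```

Keeping the threshold inside the rule record is what lets a stricter count be used for rights-assignment operations than for the rest, which is the flexibility S402 gives by analyzing the frequency threshold per key business.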
Therefore, in some possible implementations of the present invention, the attack-user identification rule is determined from the key business operation set, and the legitimacy of business operations can then be effectively identified according to the determined rule to prevent a user's illegal business operations.
Refer to Fig. 5, which is a schematic structural diagram of a system for processing operation requests provided by an embodiment of the present invention. The system comprises: an attack identification device 1 and a service server 2;
The attack identification device 1 is configured to: when the user sends a business operation request, intercept the business operation request sent by the user and detect the business operation requested by the business operation request according to the preset attack-user identification rule; when the requested business operation is detected to be an illegal business operation, prevent the execution of the illegal business operation; and when the requested business operation is detected to be a legitimate business operation, forward the business operation request to the service server 2, so that the service server 2 completes the corresponding operation;
The service server 2 is configured to receive the business operation request and complete the business operation according to the business operation request.
The attack identification device 1 is further configured to: when the number of times that the business operation requested by the business operation request is detected to be an illegal business operation reaches the preset frequency threshold, determine that the user is an attack user and add the user to the blacklist, where the blacklist is used to record the user ID and/or the user IP.
The attack identification device 1 is further configured to: when the user sends a business operation request, intercept the business operation request sent by the user and judge, according to the attack-user identification rule, whether the business operation requested by the business operation request is a key business operation; if it is judged not to be a key business operation, determine that the business operation is a legitimate business operation; if it is judged to be a key business operation, further judge according to the attack-user identification rule whether the user has the operating permission to perform the key business operation; and if the user is judged to have the operating permission, determine that the business operation is a legitimate business operation, otherwise determine that the business operation is an illegal business operation.
The attack identification device 1 is further configured to preset the attack-user identification rule; specifically, it is configured to identify the key business operation set from the business operation set, analyze the class name, permission ID and frequency threshold of the key business according to the key business operation set, and determine the attack-user identification rule.
The attack identification device 1 is further configured to: intercept the login request sent by the user, extract the user Token from the login request, and verify whether the user Token is valid; when the verified user Token is invalid, determine that the user is an attack user and add the user to the blacklist, where the blacklist is used to record the user ID and/or the user IP; and when the verified user Token is valid, forward the login request to the service server 2, so that the service server 2 authenticates the user identity.
The attack identification device 1 is further configured to perform a safety operation when the user is judged to be an attack user, where the safety operation comprises at least one of: recording the illegal business operation that the user attempted to perform, sending a safety warning about the user's attempt to perform an illegal business operation, and disconnecting the connection between the user and the service server 2.
Therefore, in some possible implementations of the present invention, by intercepting the business operation request and detecting the business operation it requests, the execution of an illegal business operation can be prevented when the requested business operation is detected to be illegal, and the business operation request is forwarded to the service server 2 when the requested business operation is detected to be legitimate, so that a user's illegal operations can be prevented by detecting the legitimacy of business operations. This effectively avoids the problem that a user who has passed authentication can still perform illegal business operations, and improves the security of the network system.
Further, refer again to Fig. 6, which is a schematic structural diagram of another system for processing operation requests provided by an embodiment of the present invention. The system comprises the attack identification device 1 and the service server 2 of the embodiment corresponding to Fig. 5 above; further, the system of this embodiment may also comprise: a protector 3;
The protector 3 is configured to receive the login request sent by the user and, combining an access control list (ACL) with the blacklist, detect whether the login request meets the login conditions; when the login conditions are satisfied, forward the login request to the service server 2, and when they are not satisfied, refuse the login request;
When intercepting the login request sent by the user, the attack identification device 1 is specifically configured to intercept the login request that the protector 3 forwards to the service server 2.
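The login path of Fig. 6, as an added Python example that is not the patent's code: protector 3 checks the ACL and the blacklist, then the attack identification device verifies the Token, blacklists the user ID and IP when it is invalid, and otherwise forwards to the service server for identity authentication. Two assumptions are labelled in the code: the ACL is treated as a list of permitted source networks, and the Token is taken to be an HMAC-SHA256 signed `user:expiry:mac` string, which is only one possible way to make a forged, mis-bound or expired Token fail verification. The secret, the clock value and the sample requests are constructed.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, field
from typing import List, Set

# Assumption for this example: the service end issues tokens of the form
# "<user_id>:<expiry_unix_seconds>:<hex HMAC-SHA256>" under a secret that the
# attack identification device shares. The patent only says the Token is verified.
DEMO_SECRET = b"constructed-demo-secret"
DEMO_NOW = 1_700_000_000  # fixed clock so the example is deterministic


@dataclass(frozen=True)
class LoginRequest:
    """Attributes the patent says a login request can carry (constructed values)."""
    user_id: str
    user_name: str
    user_ip: str
    token: str


def issue_token(user_id: str, expires_at: int, secret: bytes = DEMO_SECRET) -> str:
    """Issuer side (constructed): binds the token to a user ID and an expiry."""
    payload = f"{user_id}:{expires_at}"
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{mac}"


def verify_token(token: str, user_id: str, now: int, secret: bytes = DEMO_SECRET) -> bool:
    """Interception extraction module 50: a malformed, mis-bound, tampered or
    expired token is invalid. Comparison is constant-time."""
    parts = token.split(":")
    if len(parts) != 3 or parts[0] != user_id:
        return False
    payload = f"{parts[0]}:{parts[1]}"
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(parts[2], expected):
        return False
    try:
        return int(parts[1]) > now
    except ValueError:
        return False


@dataclass
class Protector:
    """Protector 3 (Fig. 6): admits a login only if the source is on the ACL and
    neither the user ID nor the IP is blacklisted. Treating the ACL as a list of
    allowed source networks is an assumption of this example."""
    acl_networks: List[ipaddress.IPv4Network]
    blacklist_ids: Set[str] = field(default_factory=set)
    blacklist_ips: Set[str] = field(default_factory=set)

    def meets_login_conditions(self, req: LoginRequest) -> bool:
        if req.user_id in self.blacklist_ids or req.user_ip in self.blacklist_ips:
            return False
        ip = ipaddress.ip_address(req.user_ip)
        return any(ip in net for net in self.acl_networks)


class LoginPath:
    """Protector 3 followed by modules 50/60/70 of the attack identification device."""

    def __init__(self, protector: Protector, now: int = DEMO_NOW):
        self.protector = protector
        self.now = now

    def handle(self, req: LoginRequest) -> str:
        """'refused' (protector), 'blacklisted' (invalid Token) or 'forward'
        (login request handed to the service server for identity authentication)."""
        if not self.protector.meets_login_conditions(req):
            return "refused"
        if not verify_token(req.token, req.user_id, self.now):
            self.protector.blacklist_ids.add(req.user_id)   # second blacklist module 60
            self.protector.blacklist_ips.add(req.user_ip)
            return "blacklisted"
        return "forward"                                    # second forwarding module 70


def run_demo() -> List[str]:
    """Six constructed login attempts; see the test for the expected decisions."""
    protector = Protector([ipaddress.ip_network("10.0.0.0/24")])
    path = LoginPath(protector)
    good = issue_token("alice", DEMO_NOW + 3600)
    forged = issue_token("mallory", DEMO_NOW + 3600, secret=b"wrong-secret")  # not issued by the service end
    expired = issue_token("bob", DEMO_NOW - 1)
    reqs = [
        LoginRequest("alice", "Alice", "10.0.0.5", good),
        LoginRequest("carol", "Carol", "192.168.1.20", issue_token("carol", DEMO_NOW + 3600)),  # off the ACL
        LoginRequest("mallory", "Mallory", "10.0.0.9", forged),
        LoginRequest("mallory", "Mallory", "10.0.0.9", forged),   # retry, now on the blacklist
        LoginRequest("bob", "Bob", "10.0.0.7", expired),
        LoginRequest("alice", "Alice", "10.0.0.5", good),
    ]
    return [path.handle(r) for r in reqs]


if __name__ == "__main__":
    print(run_demo())
```

Because the protector consults the blacklist before the device verifies anything, a user blacklisted for an invalid Token is stopped at the protector on the next attempt and never reaches Token verification again, which is the ordering Fig. 6 describes.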
Therefore, in some possible implementations of the present invention, by intercepting the business operation request and detecting the business operation it requests, the execution of an illegal business operation can be prevented when the requested business operation is detected to be illegal, and the business operation request is forwarded to the service server 2 when the requested business operation is detected to be legitimate, so that a user's illegal operations can be prevented by detecting the legitimacy of business operations. This effectively avoids the problem that a user who has passed authentication can still perform illegal business operations, and improves the security of the network system.
The attack identification device 1 of the embodiment of the present invention is described in detail below.
Refer to Fig. 7, which is a schematic structural diagram of an attack identification device 1 provided by an embodiment of the present invention. The attack identification device 1 comprises: an interception detection module 10, a prevention module 20 and a first forwarding module 30;
The interception detection module 10 is configured to: when the user sends a business operation request, intercept the business operation request sent by the user and detect the business operation requested by the business operation request according to the preset attack-user identification rule;
The interception detection module 10 may intercept the business operation request sent by the user by AOP technology and detect the legitimacy of the requested business operation according to the preset attack-user identification rule. The business operation request may comprise: the content of the business operation, the operation ID, the user's permission ID, and other information about the user. The preset attack-user identification rule comprises at least attributes such as: the operation ID, the operation name, the permission ID of the business operation, the frequency threshold, the class name of the implementing operation, and the method name of the implementing operation.
The prevention module 20 is configured to prevent the execution of the illegal business operation when the interception detection module 10 detects that the requested business operation is an illegal business operation;
When the interception detection module 10 detects that the requested business operation is an illegal business operation, it notifies the prevention module 20 to prevent the execution of the illegal business operation. The prevention module 20 is specifically configured to add an illegal-business-operation flag to the business operation request and then forward the flagged business operation request to the service server 2, informing the service server 2 to stop performing the business operation requested by that request; alternatively, the prevention module 20 is specifically configured not to forward the business operation request to the service server 2, so that the service server 2 cannot perform the business operation.
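The two prevention strategies of module 20 behind an AOP-style interception point, as an added Python example that is not the patent's code. A decorator stands in for the AOP around-advice, the `UserService` class and its join-point table are constructed, and the detector is reduced to a permission lookup so the example stays focused on what the prevention module does with an illegal request: in "flag" mode the request is forwarded carrying the illegal-operation flag and the service server refuses it, in "drop" mode it is never forwarded.

```python
import functools
from typing import Callable, Dict, List, Tuple

# Constructed join-point table: (implementing class name, method name) -> operation ID.
# These are the "class name" and "method name" attributes the rule carries, so the
# interceptor can recognise which business operation a service call implements.
JOINPOINTS: Dict[Tuple[str, str], str] = {
    ("UserService", "add_user"): "op-add-user",
    ("UserService", "list_users"): "op-list-users",
}
# Constructed stand-in for the rule-based detector: key operation -> required permission.
REQUIRED_PERMISSION: Dict[str, str] = {"op-add-user": "P_USER_ADMIN"}


def is_illegal(request: dict) -> bool:
    """Verdict of the interception detection module, simplified to a permission lookup."""
    needed = REQUIRED_PERMISSION.get(request["operation_id"])
    return needed is not None and needed not in request["permission_ids"]


class PreventionModule:
    """Module 20: either tags the request and still forwards it, or does not forward."""

    def __init__(self, mode: str = "flag"):
        assert mode in ("flag", "drop")
        self.mode = mode
        self.dropped: List[str] = []

    def prevent(self, request: dict, forward: Callable[[dict], object]):
        if self.mode == "flag":
            flagged = dict(request, illegal_business_operation=True)
            return forward(flagged)          # service server sees the flag and refuses
        self.dropped.append(request["operation_id"])
        return None                           # never reaches the service server


PREVENTION = PreventionModule("flag")


def intercept(method):
    """Around-advice stand-in for the AOP interception the patent relies on."""
    @functools.wraps(method)
    def advice(self, request: dict):
        op_id = JOINPOINTS[(type(self).__name__, method.__name__)]
        request = dict(request, operation_id=op_id)
        if is_illegal(request):
            return PREVENTION.prevent(request, lambda r: method(self, r))
        return method(self, request)          # first forwarding module 30
    return advice


class UserService:
    """Constructed service server. It honours the illegal-operation flag."""

    def __init__(self):
        self.users: List[str] = []

    @intercept
    def add_user(self, request: dict) -> str:
        if request.get("illegal_business_operation"):
            return "refused"                  # server stops the tagged operation
        self.users.append(request["name"])
        return "added"

    @intercept
    def list_users(self, request: dict) -> List[str]:
        return list(self.users)


def run_demo(mode: str) -> Tuple[List[object], List[str], List[str]]:
    """Runs three constructed calls under the given prevention mode."""
    PREVENTION.mode = mode
    PREVENTION.dropped.clear()
    svc = UserService()
    results = [
        svc.add_user({"permission_ids": {"P_VIEW"}, "name": "eve"}),              # illegal
        svc.add_user({"permission_ids": {"P_VIEW", "P_USER_ADMIN"}, "name": "dave"}),  # legal
        svc.list_users({"permission_ids": set()}),                                # not a key operation
    ]
    return results, svc.users, list(PREVENTION.dropped)


if __name__ == "__main__":
    print(run_demo("flag"))
    print(run_demo("drop"))
```

The "flag" strategy only works if every service method checks the flag, as `add_user` does here; the "drop" strategy needs no cooperation from the service server, which is the trade-off between the two alternatives the module description offers.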
The first forwarding module 30 is configured to forward the business operation request to the service server 2 when the interception detection module 10 detects that the requested business operation is a legitimate business operation, so that the service server 2 completes the corresponding operation;
When the interception detection module 10 detects that the requested business operation is a legitimate business operation, the first forwarding module 30 forwards the business operation request to the service server 2, so that the service server 2 completes the corresponding operation.
Therefore, in some possible implementations of the present invention, by intercepting the business operation request and detecting the business operation it requests, the execution of an illegal business operation can be prevented when the requested business operation is detected to be illegal, and the business operation request is forwarded to the service server 2 when the requested business operation is detected to be legitimate, so that the service server 2 completes the corresponding operation. The present invention can thus prevent a user's illegal business operations by detecting the legitimacy of business operations, which effectively avoids the problem that a user who has passed authentication can still perform illegal business operations, and improves the security of the network system.
Further, refer again to Fig. 8, which is a schematic structural diagram of another attack identification device 1 provided by an embodiment of the present invention. The attack identification device 1 comprises the interception detection module 10, the prevention module 20 and the first forwarding module 30 of the embodiment corresponding to Fig. 7 above; further, the attack identification device 1 of this embodiment may also comprise: a preset module 40, an interception extraction module 50, a second blacklist processing module 60, a second forwarding module 70, a first blacklist processing module 80 and a safety operation module 90;
The preset module 40 is configured to preset the attack-user identification rule;
The preset module 40 identifies the key business operation set from the business operation set, then analyzes the class name, permission ID and frequency threshold of the key business according to the key business operation set, and determines the attack-user identification rule.
The interception extraction module 50 is configured to intercept the login request sent by the user, extract the user Token from the login request, and verify whether the user Token is valid;
The interception extraction module 50 intercepts the login request sent by the user by AOP technology, extracts the user Token from the login request, and verifies whether the user Token is valid; for example, the interception extraction module 50 can verify that a Token forged by the user is an invalid Token. Alternatively, the interception extraction module 50 may intercept, by AOP technology, the login request that the protector 3 forwards to the service server 2, extract the user Token from the login request, and verify whether the user Token is valid. Here the protector 3 is configured to receive the login request sent by the user and, combining the access control list (ACL) with the blacklist, detect whether the login request meets the login conditions; when the login conditions are satisfied, it forwards the login request to the service server 2, and when they are not satisfied, it refuses the login request. The login request may comprise attributes such as the user Token, the user ID, the user name and the user IP.
The second blacklist processing module 60 is configured to: when the user Token verified by the interception extraction module 50 is invalid, determine that the user is an attack user and add the user to the blacklist, where the blacklist is used to record the user ID and/or the user IP;
When the interception extraction module 50 verifies that the user Token is invalid, the second blacklist processing module 60 can determine that the user is an attack user and add the user to the blacklist, where the blacklist records the user ID and/or the user IP, so that a user who has been added to the blacklist can no longer log in to the service end afterwards.
The second forwarding module 70 is configured to forward the login request to the service server 2 when the user Token verified by the interception extraction module 50 is valid, so that the service server 2 authenticates the user identity;
When the interception extraction module 50 verifies that the user Token is valid, the second forwarding module 70 forwards the login request to the service server 2, so that the service server 2 authenticates the user identity. When authentication passes, the service server 2 returns an authentication success message; at this point the user can send business operation requests to the service server 2, and the interception detection module 10 is notified to intercept the business operation request.
The first blacklist processing module 80 is configured to: when the interception detection module 10 detects that the number of times that the business operation requested by the business operation request is an illegal business operation reaches the preset frequency threshold, determine that the user is an attack user and add the user to the blacklist, where the blacklist is used to record the user ID and/or the user IP;
When the interception detection module 10 detects that the number of times that the business operation requested by the business operation request is an illegal business operation reaches the preset frequency threshold, the first blacklist processing module 80 determines that the user is an attack user and adds the user to the blacklist, where the blacklist records the user ID and/or the user IP, so that a user who has been added to the blacklist can no longer log in to the service end afterwards. The preset frequency threshold may be set in the attack-user identification rule. As long as the number of illegal business operations detected by the interception detection module 10 has not reached the frequency threshold, the user can still initiate business operation requests, and the interception detection module 10 continues to judge whether each business operation request is legitimate; once the number of illegal business operations detected by the interception detection module 10 reaches the frequency threshold, the first blacklist processing module 80 is notified to determine that the user is an attack user and add the user to the blacklist, and the relevant safety operations are performed.
The safety operation module 90 is configured to perform a safety operation when the user is judged to be an attack user, where the safety operation in the safety operation module 90 comprises at least one of: recording the illegal business operation that the user attempted to perform, sending a safety warning about the user's attempt to perform an illegal business operation, and disconnecting the connection between the user and the service server 2;
When the interception extraction module 50 verifies that the user Token is invalid, or the interception detection module 10 detects that the number of times that the business operation requested by the business operation request is an illegal business operation reaches the preset frequency threshold, the user can be judged to be an attack user and the safety operation module 90 is notified to perform the safety operation. The safety operation comprises at least one of: recording the illegal business operation that the user attempted to perform, sending a safety warning about the user's attempt to perform an illegal business operation, and disconnecting the connection between the user and the service server 2. The safety warning about the user's attempt to perform an illegal business operation is sent to the administrator, so that the administrator can formulate a corresponding prevention policy in advance.
Further and optionally, refer to Fig. 9; the interception detection module 10 of the embodiment of the present invention may comprise:
an interception unit 101, configured to intercept the business operation request sent by the user when the user sends a business operation request;
When the user sends a business operation request, the interception unit 101 intercepts the business operation request sent by the user by AOP technology. The business operation request may comprise: the content of the business operation, the operation ID, the user's permission ID, and other information about the user.
a key business judging unit 102, configured to judge, according to the attack-user identification rule, whether the business operation requested by the business operation request is a key business operation;
The attack-user identification rule contains the definition of key business, and the key business judging unit 102 can judge according to the attack-user identification rule whether the business operation requested by the business operation request is a key business operation. The preset attack-user identification rule comprises at least attributes such as: the operation ID, the operation name, the permission ID of the business operation, the frequency threshold, the class name of the implementing operation, and the method name of the implementing operation. Key business can be identified according to its impact on the business; key business may comprise rights-assignment related operations, such as authorizing, adding and/or deleting users; it may also comprise operations that access core data or sensitive data, such as querying database user names and/or passwords, confirming and/or clearing alarms, and adding and/or deleting network elements.
a first determining unit 103, configured to determine that the business operation is a legitimate business operation if the key business judging unit 102 judges that it is not a key business operation;
When the business operation judged by the key business judging unit 102 is not a key business operation, the first determining unit 103 determines that the business operation is a legitimate business operation and notifies the first forwarding module 30 to forward the business operation request to the service server 2, so that the service server 2 completes the corresponding operation.
an operating permission judging unit 104, configured to further judge, according to the attack-user identification rule, whether the user has the operating permission to perform the key business operation if the key business judging unit 102 judges that it is a key business operation;
When the business operation judged by the key business judging unit 102 is a key business operation, the operating permission judging unit 104 judges according to the attack-user identification rule whether the user has the operating permission to perform the key business operation. Because the attack-user identification rule comprises the permission ID of the business operation, the operating permission judging unit 104 can judge whether the user has the operating permission from the result of matching the permission ID of the business operation in the rule against the user permission ID carried in the user's business operation request.
a second determining unit 105, configured to determine that the business operation is a legitimate business operation if the operating permission judging unit 104 judges that the user has the operating permission, and otherwise to determine that the business operation is an illegal business operation;
When the operating permission judging unit 104 judges that the user does not have the operating permission, the business operation is determined to be an illegal business operation and the prevention module 20 is notified to prevent its execution; when the operating permission judging unit 104 judges that the user has the operating permission, the business operation is determined to be a legitimate business operation and the first forwarding module 30 is notified to forward the business operation request to the service server 2, so that the service server 2 completes the corresponding operation.
Further and optionally, refer to Figure 10; the preset module 40 of the embodiment of the present invention may comprise:
a recognition unit 401, configured to identify the key business operation set from the business operation set;
an analysis determining unit 402, configured to analyze the class name, permission ID and frequency threshold of the key business according to the key business operation set, and determine the attack-user identification rule;
Specifically, the recognition unit 401 identifies the key business operation set from the business operation set according to the impact on the business: for example, operations with a relatively large impact on the business, such as rights-assignment related operations and operations that access core data or sensitive data, are defined as key business operations. The analysis determining unit 402 can analyze the class name, method name and frequency threshold of each key business and abstract this information into the attack-user identification rule. The attributes of the attack-user identification rule comprise at least: the operation ID, the operation name, the permission ID, the frequency threshold, the class name of the implementing operation, the method name of the implementing operation, and so on. Finally, the abstracted attack-user identification rule is set in the system.
Therefore, in some possible implementations of the present invention, by intercepting the business operation request and detecting the business operation it requests, the execution of an illegal business operation can be prevented when the requested business operation is detected to be illegal, and the business operation request is forwarded to the service server 2 when the requested business operation is detected to be legitimate, so that the service server 2 completes the corresponding operation. The present invention can thus prevent a user's illegal business operations by detecting the legitimacy of business operations; it can also identify a user as an attack user according to the attack-user identification rule and add the attack user to the blacklist. This effectively avoids the problem that a user who has passed authentication can still perform illegal business operations, and improves the security of the network system.
The embodiment of the invention also provides a kind of computer-readable storage medium, and wherein, this computer-readable storage medium can have program stored therein, and this program comprises the part or all of step of the data processing method of putting down in writing among the said method embodiment when carrying out.
See also Figure 11, the embodiment of the invention also provides a kind of network equipment 100, the quantity that can comprise the processor 1002 in input unit 1001, output device 1003 and the processor 1002(network equipment 100 can be one or more, are example with a processor 1002 among Figure 11).In the some embodiments of the present invention, input unit 1001, output device 1003 and processor 1002 can connect by bus or other modes, and wherein, Figure 11 is to be connected to example by bus.
Wherein, described processor 1002 is carried out following steps: when input unit 1001 receives the user when sending the business operation request, tackle the business operation request that described user sends, and the business operation of asking according to the described business operation request of attack User Recognition rule detection of presetting; When detecting the business operation of asking and be illegal business operation, stop the execution of described illegal business operation; Be legitimate traffic when operation when detecting the business operation of asking, by described output device 1003 described business operation request be forwarded to described service server, so that service server is finished respective operations.
Described processor 1002 is also carried out following steps: be that the number of times of illegal business operation is when reaching default frequency threshold value when detecting business operation that described business operation request asks, determine that described user is for attacking the user, and adding described user to blacklist, described blacklist is used for recording user ID and/or User IP.
Described processor 1002 is when carrying out the step of the business operation that the described business operation request of attack User Recognition rule detection that described basis presets asks, the concrete following steps of carrying out: when the user sends the business operation request, tackle the business operation request that described user sends; Whether the business operation that described business operation request is asked according to attack User Recognition rule judgment is the key business operation; If judge it is not the key business operation, determine that then described business operation is the legitimate traffic operation; If judge it is the key business operation, then according to the described user of described attack User Recognition rule judgment whether the operating right of carrying out described key business operation arranged again; If judging has operating right, determine that then described business operation is the legitimate traffic operation, otherwise, determine that described business operation is illegal business operation.
Described processor 1002 is also carried out following steps: preset described attack User Recognition rule, it further comprises: according to the business operation set, identify the key business operational set; Analyze class name, permission ID, the frequency threshold value of key business according to described key business operational set, and determine to attack the User Recognition rule.
Described processor 1002 is also carried out following steps: the logging request that the interception user sends, extract User Token Token from described logging request, and whether verified users Token is effective; When the user Token of institute's verification is invalid, then determine described user for attacking the user, and add described user to blacklist that described blacklist is used for recording user ID and/or User IP; When the user Token of institute's verification is effective, described logging request is forwarded to service server, so that service server authenticates user identity.
Described processor 1002 is also carried out following steps: when judging the user for the attack user, carry out safety operation, described safety operation comprises: record illegal business operation that described user attempts carrying out, send about described user attempt carrying out illegal business operation safety warning, disconnect at least a in being connected of described user and described service server.
Therefore, in possible implementation more of the present invention, processor 1002 is by the interception service operation requests and detect the business operation that the business operation request is asked, when detecting the business operation of asking when being illegal business operation, can stop the execution of described illegal business operation, it is legitimate traffic when operation when detecting the business operation of asking, output device 1003 is forwarded to described service server with described business operation request, make can be by detecting business operation legitimacy to guarantee the safety of network system preferably, effectively avoided still can carrying out the problem of illegal business operation the user by authenticating the back user, improved security of network system.
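As an added example that is not part of the patent text, the following Python sketch models the preset module (abstracting key operations into rules), the interception detection, prevention and forwarding steps, the frequency-threshold blacklist and the login-token check described above. The class and function names, the per-user-per-operation counting, the permission table and the token store are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class BusinessOperation:
    """One entry of the business operation set (constructed sample data)."""
    operation_id: str
    operation_name: str
    permission_id: str
    class_name: str
    method_name: str
    high_impact: bool           # recognition unit's criterion: impact on the business
    frequency_threshold: int = 3

@dataclass(frozen=True)
class AttackUserRule:
    """The attributes the description lists for an attack user recognition rule."""
    operation_id: str
    operation_name: str
    permission_id: str
    frequency_threshold: int
    class_name: str
    method_name: str

def preset_rules(operation_set):
    """Preset module: keep the key (high-impact) operations and abstract each one
    into an attack user recognition rule, keyed by operation ID."""
    return {op.operation_id: AttackUserRule(op.operation_id, op.operation_name,
                                            op.permission_id, op.frequency_threshold,
                                            op.class_name, op.method_name)
            for op in operation_set if op.high_impact}

@dataclass(frozen=True)
class Verdict:
    legal: bool        # requested operation judged legitimate
    forwarded: bool    # request passed on to the service server
    blacklisted: bool  # this request caused the user to be blacklisted
    reason: str

class AttackRecognitionDevice:
    """Interception detection, prevention, forwarding and blacklist handling.
    Permission table and token store are assumed inputs (hypothetical sources)."""

    def __init__(self, rules, user_permissions, valid_tokens):
        self.rules = rules                        # operation_id -> AttackUserRule
        self.user_permissions = user_permissions  # user_id -> set of permission IDs
        self.valid_tokens = valid_tokens          # token -> user_id it was issued to
        self.illegal_counts = defaultdict(int)    # (user_id, operation_id) -> count
        self.blacklist = set()                    # records user IDs and user IPs
        self.audit_log = []                       # security operation: record attempts

    def _blacklist(self, user_id, user_ip, reason):
        self.blacklist.update({user_id, user_ip})
        self.audit_log.append(("blacklist", user_id, user_ip, reason))

    def handle_login(self, user_id, user_ip, token):
        """Intercept a login request, extract the user token and verify it."""
        if self.valid_tokens.get(token) != user_id:
            self._blacklist(user_id, user_ip, "invalid token")
            return Verdict(False, False, True, "invalid token")
        # valid token: forward so the service server authenticates the identity
        return Verdict(True, True, False, "token valid")

    def handle_operation(self, user_id, user_ip, operation_id):
        """Intercept a business operation request and detect it against the rules."""
        if user_id in self.blacklist or user_ip in self.blacklist:
            return Verdict(False, False, False, "user is blacklisted")
        rule = self.rules.get(operation_id)
        if rule is None:
            return Verdict(True, True, False, "not a key operation")
        if rule.permission_id in self.user_permissions.get(user_id, set()):
            return Verdict(True, True, False, "key operation, operating right held")
        # key operation without the operating right: stop execution, record the
        # attempt and count it towards this rule's frequency threshold
        self.audit_log.append(("illegal", user_id, rule.class_name + "." + rule.method_name))
        self.illegal_counts[(user_id, operation_id)] += 1
        hit = self.illegal_counts[(user_id, operation_id)] >= rule.frequency_threshold
        if hit:
            self._blacklist(user_id, user_ip, "frequency threshold reached")
        return Verdict(False, False, hit, "missing " + rule.permission_id)

# Constructed sample business operation set, permissions and tokens (not from the patent).
SAMPLE_OPERATIONS = [
    BusinessOperation("op-1", "assign_rights", "perm.rights.assign",
                      "RightsService", "assign", high_impact=True, frequency_threshold=3),
    BusinessOperation("op-2", "read_core_data", "perm.core.read",
                      "CoreDataService", "read", high_impact=True, frequency_threshold=2),
    BusinessOperation("op-3", "view_profile", "perm.profile.view",
                      "ProfileService", "view", high_impact=False),
]
SAMPLE_PERMISSIONS = {"alice": {"perm.rights.assign", "perm.core.read"}, "bob": set()}
SAMPLE_TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}

def build_sample_device():
    """Device wired to the constructed sample data above."""
    return AttackRecognitionDevice(preset_rules(SAMPLE_OPERATIONS),
                                   SAMPLE_PERMISSIONS, SAMPLE_TOKENS)
```

Only high-impact operations receive a rule, so a request for any other operation is forwarded untouched, which is the claimed behaviour for non-key operations.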
One of ordinary skill in the art will appreciate that all or part of the processes in the methods of the above embodiments can be implemented by a computer program instructing the relevant hardware. The program may be stored in a computer-readable storage medium and, when executed, may comprise the processes of the embodiments of the above methods. The storage medium may be a magnetic disk, an optical disc, a read-only memory (Read-Only Memory, ROM), a random access memory (Random Access Memory, RAM), or the like.
The above disclosure is only a preferred embodiment of the present invention and certainly cannot limit the scope of rights of the present invention; equivalent variations made according to the claims of the present invention therefore still fall within the scope covered by the present invention.

Claims (19)

1. A method for processing an operation request, characterized in that it comprises:
when a user sends a business operation request, intercepting the business operation request sent by the user and detecting the business operation requested by the business operation request according to a preset attack user recognition rule;
when the requested business operation is detected to be an illegal business operation, stopping the execution of the illegal business operation;
when the requested business operation is detected to be a legitimate business operation, forwarding the business operation request to the service server, so that the service server completes the corresponding operation.
2. The method of claim 1, characterized in that it further comprises:
when the number of times the business operation requested by the business operation request is detected to be an illegal business operation reaches a preset frequency threshold, determining that the user is an attack user and adding the user to a blacklist, the blacklist being used to record the user ID and/or user IP.
3. The method of claim 1 or 2, characterized in that intercepting the business operation request sent by the user when the user sends a business operation request, and detecting the business operation requested by the business operation request according to the preset attack user recognition rule, comprises:
when the user sends a business operation request, intercepting the business operation request sent by the user;
judging according to the attack user recognition rule whether the business operation requested by the business operation request is a key business operation;
if it is judged not to be a key business operation, determining that the business operation is a legitimate business operation;
if it is judged to be a key business operation, further judging according to the attack user recognition rule whether the user has the operating right to carry out the key business operation;
if the user is judged to have the operating right, determining that the business operation is a legitimate business operation, otherwise determining that the business operation is an illegal business operation.
4. The method of any one of claims 1-3, characterized in that, before intercepting the business operation request sent by the user when the user sends a business operation request and detecting the business operation requested by the business operation request according to the preset attack user recognition rule, the method further comprises:
presetting the attack user recognition rule, which further comprises:
identifying a key business operation set from the business operation set;
analyzing the class name, permission ID and frequency threshold of each key business operation in the key business operation set, and determining the attack user recognition rule.
5. The method of any one of claims 1-4, characterized in that, before intercepting the business operation request sent by the user when the user sends a business operation request and detecting the business operation requested by the business operation request according to the preset attack user recognition rule, the method further comprises:
intercepting a login request sent by the user, extracting the user token (Token) from the login request, and verifying whether the user token is valid;
when the verified user token is invalid, determining that the user is an attack user and adding the user to a blacklist, the blacklist being used to record the user ID and/or user IP;
when the verified user token is valid, forwarding the login request to the service server so that the service server authenticates the user's identity.
6. The method of any one of claims 1-5, characterized in that it further comprises:
when the user is judged to be an attack user, carrying out a security operation, the security operation comprising at least one of: recording the illegal business operation the user attempted to carry out, sending a security warning about the illegal business operation the user attempted to carry out, and disconnecting the connection between the user and the service server.
7. An attack recognition device, characterized in that it comprises:
an interception detection module, configured to, when a user sends a business operation request, intercept the business operation request sent by the user and detect the business operation requested by the business operation request according to a preset attack user recognition rule;
a prevention module, configured to stop the execution of the illegal business operation when the interception detection module detects that the requested business operation is an illegal business operation;
a first forwarding module, configured to forward the business operation request to the service server when the interception detection module detects that the requested business operation is a legitimate business operation, so that the service server completes the corresponding operation.
8. The attack recognition device of claim 7, characterized in that it further comprises:
a first blacklist processing module, configured to, when the interception detection module detects that the number of times the business operation requested by the business operation request is an illegal business operation reaches a preset frequency threshold, determine that the user is an attack user and add the user to a blacklist, the blacklist being used to record the user ID and/or user IP.
9. The attack recognition device of claim 7 or 8, characterized in that the interception detection module comprises:
an interception unit, configured to intercept the business operation request sent by the user when the user sends a business operation request;
a key business judging unit, configured to judge according to the attack user recognition rule whether the business operation requested by the business operation request is a key business operation;
a first determining unit, configured to determine that the business operation is a legitimate business operation if the key business judging unit judges that it is not a key business operation;
an operating right judging unit, configured to, if the key business judging unit judges that it is a key business operation, further judge according to the attack user recognition rule whether the user has the operating right to carry out the key business operation;
a second determining unit, configured to determine that the business operation is a legitimate business operation if the operating right judging unit judges that the user has the operating right, and otherwise to determine that the business operation is an illegal business operation.
10. The attack recognition device of any one of claims 7-9, characterized in that it further comprises:
a preset module, configured to preset the attack user recognition rule;
the preset module specifically comprises:
a recognition unit, configured to identify the key business operation set from the business operation set;
an analysis and determination unit, configured to analyze the class name, permission ID and frequency threshold of each key business operation in the key business operation set, and to determine the attack user recognition rule.
11. The attack recognition device of any one of claims 7-10, characterized in that it further comprises:
an interception extraction module, configured to intercept the login request sent by the user, extract the user token (Token) from the login request, and verify whether the user token is valid;
a second blacklist processing module, configured to, when the user token verified by the interception extraction module is invalid, determine that the user is an attack user and add the user to a blacklist, the blacklist being used to record the user ID and/or user IP;
a second forwarding module, configured to, when the user token verified by the interception extraction module is valid, forward the login request to the service server so that the service server authenticates the user's identity.
12. The attack recognition device of any one of claims 7-11, characterized in that it further comprises:
a security operation module, configured to carry out a security operation when the user is judged to be an attack user, the security operation in the security operation module comprising at least one of: recording the illegal business operation the user attempted to carry out, sending a security warning about the illegal business operation the user attempted to carry out, and disconnecting the connection between the user and the service server.
13. A system for processing an operation request, characterized in that it comprises an attack recognition device and a service server;
the attack recognition device is configured to, when a user sends a business operation request, intercept the business operation request sent by the user, detect the business operation requested by the business operation request according to a preset attack user recognition rule, stop the execution of the illegal business operation when the requested business operation is detected to be an illegal business operation, and forward the business operation request to the service server when the requested business operation is detected to be a legitimate business operation, so that the service server completes the corresponding operation;
the service server is configured to receive the business operation request and complete the business operation according to the business operation request.
14. The system of claim 13, characterized in that
the attack recognition device is further configured to, when the number of times the business operation requested by the business operation request is detected to be an illegal business operation reaches a preset frequency threshold, determine that the user is an attack user and add the user to a blacklist, the blacklist being used to record the user ID and/or user IP.
15. The system of claim 13 or 14, characterized in that
the attack recognition device is further configured to, when the user sends a business operation request, intercept the business operation request sent by the user, judge according to the attack user recognition rule whether the business operation requested by the business operation request is a key business operation, and determine that the business operation is a legitimate business operation if it is judged not to be a key business operation; further configured to, if it is judged to be a key business operation, further judge according to the attack user recognition rule whether the user has the operating right to carry out the key business operation; and further configured to determine that the business operation is a legitimate business operation if the user is judged to have the operating right, and otherwise to determine that the business operation is an illegal business operation.
16. The system of any one of claims 13-15, characterized in that
the attack recognition device is further configured to preset the attack user recognition rule, and specifically to identify the key business operation set from the business operation set, analyze the class name, permission ID and frequency threshold of each key business operation in the key business operation set, and determine the attack user recognition rule.
17. The system of any one of claims 13-16, characterized in that
the attack recognition device is further configured to intercept the login request sent by the user, extract the user token (Token) from the login request and verify whether the user token is valid; further configured to, when the verified user token is invalid, determine that the user is an attack user and add the user to a blacklist, the blacklist being used to record the user ID and/or user IP; and further configured to, when the verified user token is valid, forward the login request to the service server so that the service server authenticates the user's identity.
18. The system of any one of claims 13-17, characterized in that it further comprises a protection device;
the protection device is configured to receive the login request sent by the user, detect in combination with an access control list (ACL) and the blacklist whether the login request meets the login conditions, forward the login request to the service server when the login conditions are met, and reject the login request when the login conditions are not met;
when intercepting the login request sent by the user, the attack recognition device is specifically configured to intercept the login request forwarded by the protection device to the service server.
19. The system of any one of claims 13-18, characterized in that
the attack recognition device is further configured to carry out a security operation when the user is judged to be an attack user, the security operation comprising at least one of: recording the illegal business operation the user attempted to carry out, sending a security warning about the illegal business operation the user attempted to carry out, and disconnecting the connection between the user and the service server.
Application CN2013101307135A, priority date 2013-04-16, filing date 2013-04-16: Operation request processing method and system and attack identification device; status pending; published as CN103248472A (en).



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20130814
