CN104994092B - Service request processing method, terminal browser and attack protection server - Google Patents
Publication number: CN104994092B (application CN201510375370.8A)
Authority: CN (China)
Legal status: Active
Classifications
- H04L: Transmission of digital information, e.g. telegraphic communication
- H04L63/00: Network architectures or network communication protocols for network security
- H04L63/14: Detecting or protecting against malicious traffic
- H04L63/1408: Detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416: Event detection, e.g. attack signature detection
- H04L63/12: Applying verification of the received information
Abstract
The embodiments of the invention disclose a service request processing method, a terminal browser and an attack protection server. The service request processing method executed by the browser includes: monitoring for service requests generated from the currently displayed web page; when a service request is detected, obtaining the input behavior data recorded while the page was displayed; sending the input behavior data to the attack protection server and obtaining the return information that the attack protection server generates from the recognition result after performing attack recognition on those data; and, according to the return information, determining whether to send the service request to the application server that provides the page. The technical solution provided by the embodiments can intercept, in time, service-request attacks triggered by non-human operation.
Description
Technical field
The embodiments of the present invention relate to the field of Internet security, and in particular to a service request processing method, a terminal browser and an attack protection server.
Background technology
With the rapid development of mobile Internet technology, the web page content that an application server can provide to users grows ever richer, so that users can enjoy more, and deeper, services. A web page displayed in a terminal browser may contain several components; once the user clicks one of them, the browser can, based on that operation, send one or more service requests to the application server, which then performs business processing according to those requests, for example by serving further pages.
However, some illegitimate users, driven by illicit gain, commonly use malicious software tools to perform large numbers of non-human click operations on the components of a page, submitting service requests over and over so that the application server is attacked.
A mechanism that identifies non-human click operations on behalf of the application server is therefore needed, so that the application server can take attack protection measures. Existing mechanisms, however, identify after the fact: only after the service request issued by the terminal has been responded to is the response analysed to judge whether the whole request was triggered by non-human operation, so the attack cannot be intercepted in time.
Invention content
The embodiments of the present invention provide a service request processing method, a terminal browser and an attack protection server, so that service-request attacks triggered by non-human operation can be intercepted in time.
In one aspect, an embodiment of the present invention provides a service request processing method, comprising:
monitoring for service requests generated from the currently displayed web page;
when a service request is detected, obtaining the input behavior data recorded while the page was displayed;
sending the input behavior data to an attack protection server, so as to obtain the return information that the attack protection server generates from the recognition result after performing attack recognition on the input behavior data;
according to the return information, determining whether to send the service request to the application server that provides the page.
In another aspect, an embodiment of the present invention further provides a service request processing method, comprising:
receiving data sent by the browser in a terminal, the data being the input behavior data, recorded while the page was displayed, that the browser obtained after detecting a service request generated from the currently displayed web page;
performing attack recognition according to the input behavior data;
generating return information based on the recognition result and sending it to the browser, to instruct the browser to determine, according to the return information, whether to send the service request to the application server that provides the page.
In another aspect, an embodiment of the present invention further provides a terminal browser, comprising:
a service request monitoring unit, for monitoring for service requests generated from the currently displayed web page;
an input behavior data acquisition unit, for obtaining, when a service request is detected, the input behavior data recorded while the page was displayed;
an input behavior data sending unit, for sending the input behavior data to an attack protection server, so as to obtain the return information that the attack protection server generates from the recognition result after performing attack recognition on the input behavior data;
a service request initiating unit, for determining, according to the return information, whether to send the service request to the application server that provides the page.
In another aspect, an embodiment of the present invention further provides an attack protection server, comprising:
an input behavior data receiving unit, for receiving data sent by the browser in a terminal, the data being the input behavior data, recorded while the page was displayed, that the browser obtained after detecting a service request generated from the currently displayed web page;
an attack recognition unit, for performing attack recognition according to the input behavior data;
a return information sending unit, for generating return information based on the recognition result and sending it to the browser, to instruct the browser to determine, according to the return information, whether to send the service request to the application server that provides the page.
In the technical solution provided by the embodiments of the present invention, after the browser detects in real time a service request generated from the currently displayed web page, it does not send the request to the application server immediately; the attack protection server first performs attack recognition on the request, and the browser then decides, based on the recognition result, whether to send it. Service requests with attack characteristics generated in the browser can therefore be intercepted in time, protecting the application server from attack and reducing its service request processing load.
Description of the drawings
Fig. 1 is a flow diagram of a service request processing method provided by Embodiment one of the present invention;
Fig. 2 is a flow diagram of a service request processing method provided by Embodiment two of the present invention;
Fig. 3 is a flow diagram of a service request processing method provided by Embodiment three of the present invention;
Fig. 4 is a flow diagram of a service request processing method provided by Embodiment four of the present invention;
Fig. 5 is a flow diagram of a service request processing method provided by Embodiment five of the present invention;
Fig. 6 is a structural schematic diagram of a terminal browser provided by Embodiment six of the present invention;
Fig. 7 is a structural schematic diagram of an attack protection server provided by Embodiment seven of the present invention;
Fig. 8 is a signaling flow diagram of the service request processing method provided by Embodiment eight of the present invention.
Specific implementation mode
The present invention is described in further detail below with reference to the accompanying drawings and embodiments. It will be understood that the specific embodiments described here serve only to explain the invention, not to limit it. It should also be noted that, for ease of description, the drawings show only the parts related to the present invention rather than the entire structure.
Before the exemplary embodiments are discussed in more detail, it should be mentioned that some of them are described as processes or methods depicted as flow charts. Although a flow chart describes the operations (or steps) as a sequential process, many of the operations can be performed in parallel, concurrently or simultaneously, and the order of the operations can be rearranged. A process may be terminated when its operations are completed, and it may also have additional steps not included in the drawings. A process may correspond to a method, a function, a procedure, a subroutine, a subprogram, and so on.
It should further be mentioned that, in some alternative implementations, the functions or actions mentioned may occur in an order different from that indicated in the drawings. For example, depending on the functions or actions involved, two figures shown in succession may in fact be executed substantially simultaneously, or sometimes in the reverse order.
Embodiment one
Fig. 1 is a flow diagram of a service request processing method provided by Embodiment one of the present invention. This embodiment is applicable to a network architecture made up of a terminal browser, an application server and an attack protection server. The method can be executed by the browser on the terminal, where the terminal may be a laptop, a desktop computer or another electronic device with mouse input and web browsing functions. Referring to Fig. 1, the service request processing method provided by this embodiment specifically includes the following operations:
Operation 110: monitor for service requests generated from the currently displayed web page.
The displayed web page can be obtained by the browser from the application server and contains at least one component. After a trigger event on any component of the page, the browser can, based on that event, generate one or more service requests (namely HTTP requests) to be sent to the application server, and the application server performs the related business processing after receiving them. Normally the trigger event on a component is generated by the user clicking that component in the displayed page. In some cases, however, the trigger event may be generated by an attacking robot clicking the component in the displayed page, or by other attack means, so the service request generated from the trigger event may be a request with attack characteristics.
For this reason, this embodiment provides a mechanism whereby the browser monitors in real time for service requests generated from the currently displayed web page; once one is detected, it is not sent to the application server directly. Instead, the attack protection server first performs attack recognition on the service request, and the browser then decides, based on the recognition result, whether to send it to the application server.
In this embodiment, the monitored service requests are those generated by trigger events on any component of the page. Since whether a given service request is an attack request may be unimportant to the application server, or for other reasons, it is not necessary to monitor every service request generated by every component of the page. Preferably, therefore, the monitored service requests are some or all of the service requests generated by triggering designated components of the displayed page.
Operation 120: when a service request is detected, obtain the input behavior data recorded while the page was displayed.
Illustratively, the terminal is an electronic device with mouse input (such as a laptop). After the browser on the terminal displays the page to the user, the user operates the mouse in a way peculiar to people so that the pointer reaches the corresponding component in the displayed page, clicks the component with the mouse, and thereby triggers the generation of a service request. For example, in the way peculiar to people, the line formed by the mouse's movement track is a messy curve, some coordinate points in the track are repeated, the acceleration of the mouse movement is not fixed (typically it first speeds up and then slows down), and the movement takes a comparatively long time. A robot, on the other hand, drives the mouse to the corresponding component with a fixed acceleration; the process is very fast, the line formed by the movement track is typically straight, and the coordinate points in the track do not repeat. Alternatively, the robot does not generate the service request by driving the mouse to click the component at all, but uses some cracking means to directly trigger the event on any component of the page.
For this purpose, the browser side collects the input behavior data recorded while the page is displayed, so that the attack protection server can perform attack recognition on them. The input behavior data include the movement track of the mouse on the terminal and/or the mouse click coordinate that triggered the service request, and may also include the time at which the mouse reached each coordinate point of the track. Note that, in the embodiments of the present invention, "mouse" refers to the mouse pointer displayed on the terminal screen.
Operation 130: send the input behavior data to the attack protection server, so as to obtain the return information that the attack protection server generates from the recognition result after performing attack recognition on the input behavior data.
Operation 140: according to the return information, determine whether to send the service request to the application server that provides the page.
In one specific implementation, if the return information is the first instruction information corresponding to a recognition result of non-attack behavior, the detected service request is sent to the application server; if the return information is the verification information corresponding to a recognition result of attack behavior, the verification feedback entered by the user is obtained and sent to the attack protection server for verification, and the detected service request is sent to the application server only after the second instruction information, generated by the attack protection server upon successful verification, has been received.
In another specific implementation, if the return information is the first instruction information corresponding to a recognition result of non-attack behavior, the detected service request is sent to the application server; if the return information is the third instruction information corresponding to a recognition result of attack behavior, the detected service request is masked and refused to be sent to the application server.
In the solution provided by this embodiment, after the browser detects in real time a service request generated from the currently displayed web page, it does not send the request to the application server directly; the attack protection server first performs attack recognition on the request, and the browser then decides, based on the recognition result, whether to send it. Service requests with attack characteristics can therefore be intercepted in time, protecting the application server from attack and reducing its service request processing load.
Embodiment two
Fig. 2 is a flow diagram of a service request processing method provided by Embodiment two of the present invention. On the basis of Embodiment one above, this embodiment adds the operation of obtaining the attack protection monitoring code. The method can again be executed by the browser in the terminal. Referring to Fig. 2, the method provided by this embodiment specifically includes the following operations:
Operation 210: access and display the web page provided by the application server.
Operation 220: according to the attack protection service interface and the code resource identifier configured in the page, obtain the attack protection monitoring code for the page from the attack protection server.
The page accessed by the browser is configured with an attack protection service interface and a code resource identifier. The code resource identifier is a character string that uniquely identifies the attack protection monitoring code of the page; the attack protection server can issue it to the application server after generating the monitoring code for the page, and the application server then builds it into the page. In this way, after obtaining the page from the application server, the browser can fetch the page's attack protection monitoring code from the attack protection server according to the attack protection service interface and code resource identifier configured in the page, and then complete the remaining operations of the service request processing method by running that code.
Illustratively, operation 220 includes: sending an attack protection monitoring code acquisition request, which contains the code resource identifier, to the attack protection server via the attack protection service interface; and receiving the attack protection monitoring code for the page that the attack protection server returns after looking it up by the code resource identifier.
Operation 230: monitor for service requests generated from the currently displayed web page.
Operation 240: when a service request is detected, obtain the input behavior data recorded while the page was displayed.
Operation 250: send the input behavior data to the attack protection server, so as to obtain the return information that the attack protection server generates from the recognition result after performing attack recognition on the input behavior data.
Operation 260: according to the return information, determine whether to send the service request to the application server.
Of course, a person skilled in the art will recognise that the application server could also embed the attack protection monitoring code generated by the attack protection server for the page directly in the page. The browser would then extract the monitoring code configured in the page after obtaining it from the application server, and complete the remaining operations of the service request processing method by running that code.
However, because the attack protection monitoring code is comparatively large, the solution of this embodiment does not embed it in the page. This not only speeds up the browser's loading of the page, so that it is displayed to the user more quickly, but also spares the application server the work of embedding the monitoring code in the page, reducing its load.
On the basis of the above, the service request processing method executed by the browser in this embodiment further includes: while obtaining the page's attack protection monitoring code from the attack protection server, also obtaining the encryption algorithm dynamically generated by the attack protection server, which is used to encrypt the communication between the browser and the attack protection server.
Embodiment three
Fig. 3 is a flow diagram of a service request processing method provided by Embodiment three of the present invention. This embodiment is again applicable to a network architecture made up of a terminal browser, an application server and an attack protection server. The method can be executed by the attack protection server, in cooperation with the service request processing method executed by the terminal browser in any embodiment of the present invention. The attack protection server, as a third-party physical device that provides the attack protection service to the application server, can perform attack protection monitoring on a service request before the terminal browser sends it to the application server. Referring to Fig. 3, the service request processing method provided by this embodiment specifically includes the following operations:
Operation 310: receive the data sent by the browser in the terminal, the data being the input behavior data, recorded while the page was displayed, that the browser obtained after detecting a service request generated from the currently displayed web page.
Operation 320: perform attack recognition according to the input behavior data.
The input behavior data include the movement track of the mouse on the terminal and/or the mouse click coordinate that triggered the service request, and may also include the time at which the mouse reached each coordinate point of the track.
Specifically, a preset attack recognition algorithm can parse the input behavior data in order to perform the attack recognition. Illustratively, the parsed data are checked against the characteristics of human operation described in Embodiment one: the mouse click coordinate that triggered the service request lies at the position of the designated component, the line formed by the mouse's movement track matches a preset messy curve, some coordinate points in the track are repeated, the acceleration of the mouse movement is not fixed, and the mouse movement time exceeds a preset movement duration. If the data fail at least two of these checks (for example a straight track with no repeated points, or a movement completed at a fixed acceleration in less than the preset duration), the service request detected by the browser is identified as an attack request and the recognition result is attack behavior; otherwise the service request is identified as not being an attack request and the recognition result is non-attack behavior.
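The recognition of operation 320 as an added example, not code from the patent: each of the five human-operation checks is turned into a measurable feature of the recorded track, and a request failing two or more of them is classed as an attack. The thresholds, the field names of the input behavior data and the two sample tracks are constructed assumptions; the patent specifies neither numeric limits nor a data format.

```javascript
// Added example, not code from the patent: attack recognition over input
// behaviour data of the form { track: [{x, y, t}], click: {x, y, t},
// component: {x, y, w, h} } (field names assumed).

const DEFAULT_THRESHOLDS = {
  minDeviationPx: 2,     // a human track bends at least this far from the straight chord
  minMovementMs: 150,    // preset movement duration; robots arrive faster
  maxAccelStdDev: 1e-4,  // px/ms^2; at or below this the acceleration counts as fixed
  minHumanSignals: 4,    // failing two or more of the five checks => attack
};

// Largest perpendicular distance of any track point from the start-to-end chord.
function maxDeviationFromChord(track) {
  if (track.length < 3) return 0;
  const a = track[0], b = track[track.length - 1];
  const dx = b.x - a.x, dy = b.y - a.y, len = Math.hypot(dx, dy);
  if (len === 0) return 0;
  let max = 0;
  for (const p of track) {
    const d = Math.abs(dx * (p.y - a.y) - dy * (p.x - a.x)) / len;
    if (d > max) max = d;
  }
  return max;
}

// Number of track points whose (x, y) already occurred earlier in the track.
function repeatedPointCount(track) {
  const seen = new Set();
  let repeats = 0;
  for (const p of track) {
    const key = `${p.x},${p.y}`;
    if (seen.has(key)) repeats++; else seen.add(key);
  }
  return repeats;
}

// Standard deviation of the segment-to-segment acceleration (0 when constant).
function accelerationStdDev(track) {
  const speeds = [], dts = [];
  for (let i = 1; i < track.length; i++) {
    const dt = track[i].t - track[i - 1].t;
    if (dt <= 0) continue; // ignore out-of-order or duplicate timestamps
    speeds.push(Math.hypot(track[i].x - track[i - 1].x, track[i].y - track[i - 1].y) / dt);
    dts.push(dt);
  }
  const accels = [];
  for (let i = 1; i < speeds.length; i++) accels.push((speeds[i] - speeds[i - 1]) / dts[i]);
  if (accels.length === 0) return 0;
  const mean = accels.reduce((s, v) => s + v, 0) / accels.length;
  return Math.sqrt(accels.reduce((s, v) => s + (v - mean) ** 2, 0) / accels.length);
}

function recognize(data, th = DEFAULT_THRESHOLDS) {
  const { track = [], click, component } = data;
  const movementMs = track.length ? track[track.length - 1].t - track[0].t : 0;
  const signals = {
    clickOnComponent: Boolean(click && component &&
      click.x >= component.x && click.x <= component.x + component.w &&
      click.y >= component.y && click.y <= component.y + component.h),
    curvedTrack: maxDeviationFromChord(track) >= th.minDeviationPx,
    repeatedPoints: repeatedPointCount(track) > 0,
    variableAcceleration: accelerationStdDev(track) > th.maxAccelStdDev,
    slowEnough: movementMs >= th.minMovementMs,
  };
  const humanSignals = Object.values(signals).filter(Boolean).length;
  // An event fired with no pointer movement at all (empty track) fails four
  // checks and is therefore also recognised as an attack.
  return { attack: humanSignals < th.minHumanSignals, humanSignals, signals };
}

// Constructed samples (not real captures). Coordinates in px, t in ms.
const COMPONENT = { x: 50, y: 20, w: 20, h: 20 };
const HUMAN_SAMPLE = {
  track: [
    { x: 0, y: 0, t: 0 }, { x: 10, y: 4, t: 40 }, { x: 22, y: 15, t: 90 },
    { x: 22, y: 15, t: 130 }, // pointer paused: repeated coordinate
    { x: 35, y: 20, t: 160 }, { x: 48, y: 22, t: 220 }, { x: 60, y: 30, t: 300 },
  ],
  click: { x: 60, y: 30, t: 320 },
  component: COMPONENT,
};
const BOT_SAMPLE = {
  track: [ // straight line, constant speed, whole movement in 40 ms
    { x: 0, y: 0, t: 0 }, { x: 15, y: 7.5, t: 10 }, { x: 30, y: 15, t: 20 },
    { x: 45, y: 22.5, t: 30 }, { x: 60, y: 30, t: 40 },
  ],
  click: { x: 60, y: 30, t: 41 },
  component: COMPONENT,
};
```

The chord-deviation test is the literal form of "straight line versus messy curve"; the acceleration test uses the spread of per-segment accelerations rather than their mean, so a robot that moves with a fixed non-zero acceleration is still caught. Real thresholds have to be fitted to recorded traffic.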
Operation 330: generate return information based on the recognition result and send it to the browser, to instruct the browser to determine, according to the return information, whether to send the service request to the application server that provides the page.
Specifically, if the recognition result is non-attack behavior, the corresponding first instruction information is generated and sent to the browser, instructing the browser to send the service request to the application server that provides the page once it receives the first instruction information.
Illustratively, if the recognition result is attack behavior, a verification mechanism can be enabled to verify the service request detected by the browser in the terminal, and the verification result is used to correct this attack recognition result. Alternatively, no verification mechanism is enabled: once the recognition result is attack behavior, the corresponding third instruction information is generated directly and sent to the browser, instructing the browser to mask the detected service request and refuse to send it to the application server that provides the page.
The technical solution of this embodiment allows the attack protection server to perform attack recognition on service requests detected in real time by the browser and to generate corresponding return information, so that the browser can determine from the return information it receives whether to send the service request to the application server. Service requests with attack characteristics generated in the browser can therefore be intercepted in time, protecting the application server from attack and reducing its service request processing load.
Embodiment four
Fig. 4 is a flow diagram of a service request processing method provided by Embodiment four of the present invention. On the basis of Embodiment three above, this embodiment further optimises operation 330; the method can again be executed by the attack protection server. Referring to Fig. 4, the method provided by this embodiment specifically includes the following operations:
Operation 410: receive the data sent by the browser in the terminal, the data being the input behavior data, recorded while the page was displayed, that the browser obtained after detecting a service request generated from the currently displayed web page.
Operation 420: perform attack recognition according to the input behavior data. If the recognition result is non-attack behavior, execute operation 430; if the recognition result is attack behavior, execute operations 440 to 460.
Operation 430: generate the corresponding first instruction information and send it to the browser, instructing the browser to send the service request to the application server once it receives the first instruction information.
Operation 440: generate the corresponding verification information and send it to the browser.
Operation 450: verify the verification feedback returned by the browser in response to the verification information.
Illustratively, the verification information is a verification picture containing a verification code, and verifying the verification feedback consists of matching the feedback against the verification code: if they match, verification succeeds, otherwise it fails. Alternatively, the verification information is a verification picture containing a question, the correct answer to the question and distractor answers, and verifying the verification feedback consists of parsing the feedback to obtain the answer selected from the verification information and checking whether the selected answer is the correct answer to the question: if so, verification succeeds, otherwise it fails.
Operation 460: after verification succeeds, issue the second instruction information to the browser, instructing the browser to send the service request to the application server once it receives the second instruction information.
Successful verification shows that this attack recognition was wrong and that the service request detected by the browser is not an attack request. As a preferred implementation, the service request processing method proposed by this embodiment therefore further includes: after verification succeeds, the attack protection server corrects this attack recognition result and optimises the attack recognition algorithm based on the correction. Specifically, the correction consists of revising the recognition result obtained, attack behavior, to non-attack behavior.
Preferably, if verification fails, this attack recognition is shown to have been correct and the service request detected by the browser really is an attack request; accordingly, the attack protection server can issue the third instruction information to the browser, instructing the browser to mask the service request and refuse to send it to the application server once it receives the third instruction information.
The technical solution of this embodiment can, after a recognition result of attack behavior, enable a verification mechanism to re-verify the service request detected by the browser and confirm whether it really is an attack, which effectively ensures the accuracy of attack protection recognition and improves the security of the application server. Moreover, after a recognition result of non-attack behavior, the information permitting the browser to send the service request to the application server is issued directly, without the user having to enter verification information, which speeds up the sending of service requests and improves the user experience.
Embodiment five
Fig. 5 is a flow diagram of a service request processing method provided by Embodiment five of the present invention. On the basis of Embodiments three and four above, this embodiment adds the operation of issuing the attack protection monitoring code; the method can again be executed by the attack protection server. Referring to Fig. 5, the method provided by this embodiment specifically includes the following operations:
Operation 510: receive the attack protection monitoring code acquisition request sent by the browser in the terminal according to the attack protection service interface and code resource identifier configured in the currently displayed web page.
Operation 520: according to the acquisition request, look up and obtain the attack protection monitoring code for the page and return it to the browser.
Operation 530: receive the data sent by the browser in the terminal, the data being the input behavior data, recorded while the page was displayed, that the browser obtained after detecting a service request generated from the page.
Operation 540: perform attack recognition according to the input behavior data.
Operation 550: generate return information based on the recognition result and send it to the browser, to instruct the browser to determine, according to the return information, whether to send the service request to the application server that provides the page.
In this embodiment, the application server can ask the attack protection server in advance to generate the attack protection monitoring code corresponding to a page it provides. Accordingly, before executing operation 510, the attack protection server further: receives an attack protection monitoring code generation request sent by the application server, which contains the uniform resource locator (URL) of the page and the service requests that need to be monitored; generates the corresponding attack protection monitoring code according to the generation request, and randomly generates a character string that uniquely identifies that code; and issues the character string to the application server as the code resource identifier, instructing the application server to configure the attack protection service interface and the code resource identifier in the page.
The service requests that need to be monitored are some or all of the service requests generated by triggering any component, or designated components, of the page. Generating the corresponding attack protection monitoring code according to the generation request includes: obtaining the HTML (Hypertext Markup Language) code of the page corresponding to the URL contained in the generation request, and generating the corresponding attack protection monitoring code according to the HTML code and the service requests that the generation request says need to be monitored.
After receiving the attack protection monitoring code acquisition request sent by the browser, the attack protection server can extract the code resource identifier it contains, and look up and obtain the corresponding attack protection monitoring code by that identifier.
As a preferred implementation, the method of this embodiment further includes: dynamically generating an encryption algorithm used to encrypt communication between the browser and the attack protection server, and returning the encryption algorithm to the browser together with the attack protection monitor code. Because the encryption algorithm is generated dynamically and replaced frequently, rather than being a fixed algorithm generated in advance, the difficulty of attack is considerably increased, and the service request processing mechanism of this embodiment is effectively protected from being cracked. Since the algorithm is delivered to the browser, it is visible to whoever controls that browser; the rotation therefore raises the effort of scripting the exchange rather than providing confidentiality on its own, which is why the communication should additionally be carried over a protected transport such as TLS.
Considering that some malicious software tools may be able to crack the service request processing method of this embodiment, and to further guarantee security, the attack protection server, on the basis of the above technical solution, further performs the following after carrying out attack identification according to the input behaviour data: if the recognition result is non-attack behaviour, it sends the recognition result to the application server, to instruct the application server to respond to the service request according to that result. If the application server, after receiving the listened-to service request sent by the browser, does not receive a non-attack recognition result from the attack protection server within a preset time interval, it refuses to respond to the service request.
Embodiment six
Fig. 6 is a structural schematic diagram of a terminal browser provided by embodiment six of the present invention. Referring to Fig. 6, the browser is structured as follows:
Service request monitoring unit 610, for monitoring service requests generated from the currently displayed webpage;
Input behaviour data acquisition unit 620, for obtaining the input behaviour data recorded during display of the webpage if the service request monitoring unit 610 listens to a service request;
Input behaviour data sending unit 630, for sending the input behaviour data to the attack protection server, in order to obtain the return information that the attack protection server generates from the recognition result of performing attack identification on the input behaviour data;
Service request initiating unit 640, for determining, according to the return information, whether to initiate the service request to the application server that provides the webpage.
Illustratively, the service request initiating unit 640 is specifically configured to:
if the return information is first instruction information corresponding to a recognition result of non-attack behaviour, initiate the service request to the application server;
if the return information is verification information corresponding to a recognition result of attack behaviour, obtain the entered verification feedback, send it to the attack protection server for verification, and, after receiving the second instruction information that the attack protection server generates on the basis of a successful verification result, initiate the service request to the application server.
Illustratively, the browser of this embodiment further includes an attack protection monitor code acquisition unit 600, configured to, before the service request monitoring unit 610 monitors the service requests generated from the currently displayed webpage:
access and display the webpage provided by the application server;
obtain the attack protection monitor code of the webpage from the attack protection server according to the attack protection service interface and the code resource identifier configured in the webpage.
Illustratively, the attack protection monitor code acquisition unit 600 is further configured to obtain, while obtaining the attack protection monitor code of the webpage from the attack protection server, the encryption algorithm dynamically generated by the attack protection server, the encryption algorithm being used to encrypt communication between the browser and the attack protection server.
On the basis of the above technical solution, the input behaviour data include the motion track of the mouse in the terminal and/or the mouse click coordinates that trigger the service request.
The monitored service requests include some or all of the service requests generated by triggering a designated component in the webpage.
The above product can execute the service request processing method executed by the browser in a terminal that any embodiment of the present invention provides, and has the functional modules and beneficial effects corresponding to that method. For technical details not described in this embodiment, refer to the service request processing method executed by the browser in a terminal that any embodiment of the present invention provides.
Embodiment seven
Fig. 7 is a structural schematic diagram of an attack protection server provided by embodiment seven of the present invention. Referring to Fig. 7, the attack protection server is structured as follows:
Input behaviour data receiving unit 710, for receiving data sent by the browser in the terminal, the data being the input behaviour data recorded during display of the currently displayed webpage, which the browser obtains after listening to a service request generated from that webpage;
Attack behaviour recognition unit 720, for performing attack identification according to the input behaviour data;
Return information sending unit 730, for generating return information based on the recognition result and sending it to the browser, to instruct the browser to determine, according to the return information, whether to initiate the service request to the application server that provides the webpage.
Illustratively, the return information sending unit 730 is specifically configured to:
if the recognition result obtained by the attack behaviour recognition unit 720 is non-attack behaviour, generate corresponding first instruction information and send it to the browser, to instruct the browser to initiate the service request to the application server after receiving the first instruction information;
if the recognition result obtained by the attack behaviour recognition unit 720 is attack behaviour, generate corresponding verification information and send it to the browser, verify the verification feedback that the browser returns according to the verification information, and after successful verification issue second instruction information to the browser, to instruct the browser to initiate the service request to the application server after receiving the second instruction information.
Illustratively, the attack protection server of this embodiment further includes a recognition optimisation unit 740, for correcting the current attack behaviour recognition result after the return information sending unit 730 verifies successfully, and optimising the attack behaviour recognition algorithm on the basis of the correcting operation.
Illustratively, the attack protection server of this embodiment further includes an attack protection monitor code issuing unit 700, configured to, before the input behaviour data receiving unit 710 receives the data sent by the browser in the terminal:
receive the attack protection monitor code acquisition request initiated by the browser according to the attack protection service interface and the code resource identifier configured in the webpage;
according to the attack protection monitor code acquisition request, look up and obtain the attack protection monitor code of the webpage and return it to the browser.
Illustratively, the attack protection monitor code issuing unit 700 is further configured to:
dynamically generate an encryption algorithm, the encryption algorithm being used to encrypt communication between the browser and the attack protection server;
return the encryption algorithm to the browser while returning the attack protection monitor code to the browser.
On the basis of the above technical solution, the attack protection server of this embodiment further includes a recognition result sending unit 750, for sending the recognition result to the application server if the recognition result obtained by the attack behaviour recognition unit 720 after performing attack identification according to the input behaviour data is non-attack behaviour, to instruct the application server to respond to the service request according to the recognition result.
The input behaviour data include at least one of the following: the motion track of the mouse in the terminal and the mouse click coordinates that trigger the service request.
The above product can execute the service request processing method executed by the attack protection server that any embodiment of the present invention provides, and has the functional modules and beneficial effects corresponding to that method. For technical details not described in this embodiment, refer to the service request processing method executed by the attack protection server that any embodiment of the present invention provides.
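The following JavaScript is an added illustration and is not code from the patent or from any implementation of it. It shows the shape of the input behaviour data that unit 620 would record (a timestamped mouse motion track plus the click coordinates of the triggering request) and one possible heuristic for the attack identification of unit 720: a request with no pointer trajectory, a perfectly straight trajectory at constant speed, or a click far from where the pointer stopped is treated as attack behaviour. The feature thresholds and the three sample trajectories are assumptions constructed for the example.

```javascript
// Added illustration, not code from the patent. Models the input behaviour data
// (mouse motion track and click coordinates) that unit 620 would record and a
// heuristic for the attack identification of unit 720. The thresholds and the
// three constructed trajectories are assumptions made for this example.

class BehaviorRecorder {
  constructor() { this.track = []; this.clicks = []; }
  // In a real page these are fed from 'mousemove' / 'click' listeners
  // (event.clientX, event.clientY, event.timeStamp).
  onMouseMove(x, y, t) { this.track.push({ x, y, t }); }
  onClick(x, y, t) { this.clicks.push({ x, y, t }); }
  // The input behaviour data sent once a monitored service request is listened to.
  snapshot() { return { track: this.track.slice(), clicks: this.clicks.slice() }; }
}

// Summarise a motion track: straightness (chord / path length, 1.0 is a perfect
// straight line), coefficient of variation of the pointer speed, and duration.
function trackFeatures(track) {
  if (track.length < 2) return { points: track.length, straightness: 0, speedCv: 0, duration: 0 };
  let pathLength = 0;
  const speeds = [];
  for (let i = 1; i < track.length; i++) {
    const d = Math.hypot(track[i].x - track[i - 1].x, track[i].y - track[i - 1].y);
    const dt = track[i].t - track[i - 1].t;
    pathLength += d;
    if (dt > 0) speeds.push(d / dt);
  }
  const first = track[0], last = track[track.length - 1];
  const chord = Math.hypot(last.x - first.x, last.y - first.y);
  const mean = speeds.reduce((a, s) => a + s, 0) / (speeds.length || 1);
  const variance = speeds.reduce((a, s) => a + (s - mean) ** 2, 0) / (speeds.length || 1);
  return {
    points: track.length,
    straightness: pathLength > 0 ? chord / pathLength : 0,
    speedCv: mean > 0 ? Math.sqrt(variance) / mean : 0,
    duration: last.t - first.t,
  };
}

// Attack identification on one snapshot. Returns the recognition result together with
// the reasons, which is what an operator would want logged next to the verdict.
function identifyAttack(data) {
  const reasons = [];
  const f = trackFeatures(data.track);
  const click = data.clicks[data.clicks.length - 1];
  if (!click) reasons.push('no click recorded for the request');
  if (f.points < 5) {
    reasons.push('no mouse trajectory before the request');   // scripted request or dispatched event
  } else {
    if (f.straightness > 0.999) reasons.push('trajectory is a perfect straight line');
    if (f.speedCv < 0.05) reasons.push('constant pointer speed');
    if (f.duration < 50) reasons.push('trajectory completed in under 50 ms');
    const end = data.track[data.track.length - 1];
    if (click && Math.hypot(click.x - end.x, click.y - end.y) > 30) reasons.push('click far from end of trajectory');
  }
  return { result: reasons.length ? 'attack' : 'non-attack', reasons, features: f };
}

// Constructed sample data (not captured from any real system).
function sampleHumanData() {
  const r = new BehaviorRecorder();
  [[100, 300, 0], [112, 291, 18], [131, 280, 41], [158, 268, 60], [190, 255, 84],
   [226, 246, 110], [262, 241, 140], [292, 240, 175], [313, 241, 214], [322, 242, 250]]
    .forEach(([x, y, t]) => r.onMouseMove(x, y, t));
  r.onClick(323, 242, 268);
  return r.snapshot();
}
function sampleScriptedClick() {          // element.click() from a script: no pointer movement at all
  const r = new BehaviorRecorder();
  r.onClick(323, 242, 0);
  return r.snapshot();
}
function sampleLinearBot() {              // automation tool interpolating the pointer in equal steps
  const r = new BehaviorRecorder();
  for (let i = 0; i <= 10; i++) r.onMouseMove(100 + 22 * i, 300 - 6 * i, 10 * i);
  r.onClick(320, 240, 100);
  return r.snapshot();
}
```

Because the data are recorded by code running in the client, a determined attacker can replay or synthesise plausible trajectories; this is why the patent keeps the verdict on the attack protection server, backs it with the verification challenge, and (in embodiment five) has the application server refuse requests for which no non-attack result arrives.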
Embodiment eight
Fig. 8 is a signalling flow diagram of the service request processing method provided by embodiment eight of the present invention. This embodiment provides a preferred implementation on the basis of all of the above embodiments. Referring to Fig. 8, the method of this embodiment includes the following operations:
Operation 801: the browser in the terminal sends a webpage acquisition request to the application server in order to access the webpage.
Operation 802: the application server returns to the browser the webpage found according to the webpage acquisition request.
Operation 803: the browser displays the webpage.
Operation 804: the browser extracts the attack protection service interface and the code resource identifier configured in the webpage.
Operation 805: the browser, through the attack protection service interface, initiates an attack protection monitor code acquisition request to the attack protection server; the request contains the code resource identifier.
Operation 806: the attack protection server returns to the browser the attack protection monitor code of the webpage obtained according to the code resource identifier, together with a dynamically generated encryption algorithm.
The encryption algorithm is used to encrypt communication between the browser and the attack protection server.
By running the received attack protection monitor code of the webpage, the browser executes the subsequent browser-side operations of the service request processing method.
Operation 807: the browser records input behaviour data during display of the webpage.
Operation 808: the browser listens to a set service request generated from the currently displayed webpage.
A set service request is one of some or all of the service requests generated by triggering a designated component in the webpage.
Operation 809: the browser sends the recorded input behaviour data to the attack protection server.
Operation 810: the attack protection server performs attack identification according to the input behaviour data.
If the recognition result is non-attack behaviour, operation 811 is executed; if the recognition result is attack behaviour, the verification mechanism is enabled and operations 812 to 816 are executed.
Operation 811: the attack protection server generates corresponding first instruction information and sends it to the browser. Operation 817 is then executed.
Operation 812: the attack protection server generates corresponding verification information and sends it to the browser.
Operation 813: the browser displays the verification information and obtains the entered verification feedback.
Operation 814: the browser sends the verification feedback to the attack protection server.
Operation 815: the attack protection server verifies the verification feedback.
Operation 816: if verification succeeds, the attack protection server corrects the attack recognition result to non-attack behaviour, generates corresponding second instruction information and sends it to the browser. Operation 817 is then executed.
Preferably, if verification fails, the attack protection server generates corresponding verification failure indication information and sends it to the browser; after receiving the verification failure indication information, the browser masks the set service request it listened to, refuses to send it to the application server, and the flow ends.
Operation 817: after receiving the first instruction information or the second instruction information, the browser initiates the service request to the application server.
Operation 818: the application server sends a request for the recognition result to the attack protection server.
Operation 819: the attack protection server returns the recognition result.
Operation 820: the application server determines, according to the recognition result, whether to respond to the set service request.
Specifically, if the recognition result is non-attack behaviour, the application server responds to the set service request; if the recognition result is attack behaviour, it refuses to respond to the set service request.
The technical solution of this embodiment has the following advantages: it can discern in real time whether a request is attack behaviour and intercept attack service requests promptly, which increases the degree of freedom of the process and lightens the load on the application server; the encryption algorithm is random and replaced frequently, which increases the difficulty of attack; and for attack behaviour a verification code is started automatically, protecting the application server.
Note that the above are only preferred embodiments of the present invention and the technical principles applied. Those skilled in the art will understand that the present invention is not limited to the specific embodiments described here, and that various obvious changes, readjustments and substitutions can be made without departing from the scope of protection of the present invention. Therefore, although the present invention has been described in further detail through the above embodiments, it is not limited to those embodiments and may include other equivalent embodiments without departing from the inventive concept; the scope of the present invention is determined by the appended claims.
Claims (15)
1. A service request processing method, applied to a browser in a terminal, comprising:
accessing and displaying a webpage provided by an application server;
obtaining the attack protection monitor code of the webpage from an attack protection server according to the attack protection service interface and the code resource identifier configured in the webpage;
monitoring service requests generated from the currently displayed webpage;
if a service request is listened to, obtaining the input behaviour data recorded during display of the webpage;
sending the input behaviour data to the attack protection server, to obtain the return information that the attack protection server generates from the recognition result of performing attack identification on the input behaviour data;
determining, according to the return information, whether to initiate the service request to the application server that provides the webpage; and
while obtaining the attack protection monitor code of the webpage from the attack protection server, obtaining an encryption algorithm dynamically generated by the attack protection server, the encryption algorithm being used to encrypt communication between the browser and the attack protection server.
2. The method according to claim 1, wherein determining, according to the return information, whether to initiate the service request to the application server that provides the webpage comprises:
if the return information is first instruction information corresponding to a recognition result of non-attack behaviour, initiating the service request to the application server;
if the return information is verification information corresponding to a recognition result of attack behaviour, obtaining the entered verification feedback, sending it to the attack protection server for verification, and, after receiving the second instruction information that the attack protection server generates on the basis of a successful verification result, initiating the service request to the application server.
3. The method according to any one of claims 1 to 2, wherein the input behaviour data comprise: the motion track of the mouse in the terminal and/or the mouse click coordinates that trigger the service request.
4. The method according to any one of claims 1 to 2, wherein the monitored service requests comprise: some or all of the service requests generated by triggering a designated component in the webpage.
5. A service request processing method, applied to an attack protection server, comprising:
receiving an attack protection monitor code acquisition request initiated by a browser according to the attack protection service interface and the code resource identifier configured in a webpage;
according to the attack protection monitor code acquisition request, looking up and obtaining the attack protection monitor code of the webpage and returning it to the browser;
receiving data sent by the browser in a terminal, the data being the input behaviour data recorded during display of the currently displayed webpage, which the browser obtains after listening to a service request generated from that webpage;
performing attack identification according to the input behaviour data;
generating return information based on the recognition result and sending it to the browser, to instruct the browser to determine, according to the return information, whether to initiate the service request to the application server that provides the webpage;
dynamically generating an encryption algorithm, the encryption algorithm being used to encrypt communication between the browser and the attack protection server; and
returning the encryption algorithm to the browser while returning the attack protection monitor code to the browser.
6. The method according to claim 5, wherein generating return information based on the recognition result and sending it to the browser, to instruct the browser to determine according to the return information whether to initiate the service request to the application server, comprises:
if the recognition result is non-attack behaviour, generating corresponding first instruction information and sending it to the browser, to instruct the browser to initiate the service request to the application server after receiving the first instruction information;
if the recognition result is attack behaviour, generating corresponding verification information and sending it to the browser, verifying the verification feedback that the browser returns according to the verification information, and after successful verification issuing second instruction information to the browser, to instruct the browser to initiate the service request to the application server after receiving the second instruction information.
7. The method according to claim 6, further comprising: after successful verification, correcting the current attack behaviour recognition result, and optimising the attack behaviour recognition algorithm on the basis of the correcting operation.
8. The method according to any one of claims 6 to 7, wherein the input behaviour data comprise: the motion track of the mouse in the terminal and/or the mouse click coordinates that trigger the service request.
9. The method according to any one of claims 5 to 7, further comprising, after performing attack identification according to the input behaviour data:
if the recognition result is non-attack behaviour, sending the recognition result to the application server, to instruct the application server to respond to the service request according to the recognition result.
10. A terminal browser, comprising:
an attack protection monitor code acquisition unit, for accessing and displaying a webpage provided by an application server, and for obtaining the attack protection monitor code of the webpage from an attack protection server according to the attack protection service interface and the code resource identifier configured in the webpage;
a service request monitoring unit, for monitoring service requests generated from the currently displayed webpage;
an input behaviour data acquisition unit, for obtaining the input behaviour data recorded during display of the webpage if the service request monitoring unit listens to a service request;
an input behaviour data sending unit, for sending the input behaviour data to the attack protection server, to obtain the return information that the attack protection server generates from the recognition result of performing attack identification on the input behaviour data;
a service request initiating unit, for determining, according to the return information, whether to initiate the service request to the application server that provides the webpage;
wherein the attack protection monitor code acquisition unit is further configured to:
while obtaining the attack protection monitor code of the webpage from the attack protection server, obtain an encryption algorithm dynamically generated by the attack protection server, the encryption algorithm being used to encrypt communication between the browser and the attack protection server.
11. The browser according to claim 10, wherein the service request initiating unit is specifically configured to:
if the return information is first instruction information corresponding to a recognition result of non-attack behaviour, initiate the service request to the application server;
if the return information is verification information corresponding to a recognition result of attack behaviour, obtain the entered verification feedback, send it to the attack protection server for verification, and, after receiving the second instruction information that the attack protection server generates on the basis of a successful verification result, initiate the service request to the application server.
12. An attack protection server, comprising:
an attack protection monitor code issuing unit, for receiving an attack protection monitor code acquisition request initiated by a browser according to the attack protection service interface and the code resource identifier configured in a webpage, and for looking up and obtaining the attack protection monitor code of the webpage according to the acquisition request and returning it to the browser;
an input behaviour data receiving unit, for receiving data sent by the browser in a terminal, the data being the input behaviour data recorded during display of the currently displayed webpage, which the browser obtains after listening to a service request generated from that webpage;
an attack behaviour recognition unit, for performing attack identification according to the input behaviour data;
a return information sending unit, for generating return information based on the recognition result and sending it to the browser, to instruct the browser to determine, according to the return information, whether to initiate the service request to the application server that provides the webpage;
wherein the attack protection monitor code issuing unit is further configured to:
dynamically generate an encryption algorithm, the encryption algorithm being used to encrypt communication between the browser and the attack protection server; and
return the encryption algorithm to the browser while returning the attack protection monitor code to the browser.
13. The attack protection server according to claim 12, wherein the return information sending unit is specifically configured to:
if the recognition result obtained by the attack behaviour recognition unit is non-attack behaviour, generate corresponding first instruction information and send it to the browser, to instruct the browser to initiate the service request to the application server after receiving the first instruction information;
if the recognition result obtained by the attack behaviour recognition unit is attack behaviour, generate corresponding verification information and send it to the browser, verify the verification feedback that the browser returns according to the verification information, and after successful verification issue second instruction information to the browser, to instruct the browser to initiate the service request to the application server after receiving the second instruction information.
14. The attack protection server according to claim 13, further comprising: a recognition optimisation unit, for correcting the current attack behaviour recognition result after the return information sending unit verifies successfully, and optimising the attack behaviour recognition algorithm on the basis of the correcting operation.
15. The attack protection server according to any one of claims 12 to 14, further comprising:
a recognition result sending unit, for sending the recognition result to the application server after the attack behaviour recognition unit performs attack identification according to the input behaviour data, to instruct the application server to determine according to the recognition result whether to respond to the service request.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510375370.8A CN104994092B (en) | 2015-06-30 | 2015-06-30 | Service request processing method, terminal browser and attack protection server |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104994092A CN104994092A (en) | 2015-10-21 |
CN104994092B true CN104994092B (en) | 2018-11-06 |
Family
ID=54305844
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510375370.8A Active CN104994092B (en) | 2015-06-30 | 2015-06-30 | Service request processing method, terminal browser and attack protection server |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104994092B (en) |
Families Citing this family (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105376251A (en) * | 2015-12-02 | 2016-03-02 | 华侨大学 | Intrusion detection method and intrusion detection system based on cloud computing |
CN113360812B (en) * | 2016-03-07 | 2024-02-06 | 创新先进技术有限公司 | Service execution method and device |
CN106230855A (en) * | 2016-08-30 | 2016-12-14 | 五八同城信息技术有限公司 | Request message treatment method and device |
CN108512808B (en) * | 2017-02-24 | 2019-05-31 | 北京数安鑫云信息技术有限公司 | A kind of malicious requests hold-up interception method and system improving access response speed |
CN107220543B (en) * | 2017-05-31 | 2020-11-24 | 北京京东尚科信息技术有限公司 | Method and device for processing service request of mobile terminal |
CN108495272A (en) * | 2018-03-19 | 2018-09-04 | 上海哔哩哔哩科技有限公司 | Robot recognition methods, system and storage medium based on HTML5 browsers |
CN108460269A (en) * | 2018-03-21 | 2018-08-28 | 广州多益网络股份有限公司 | Verification method and device, verification terminal device |
CN109407947A (en) * | 2018-09-30 | 2019-03-01 | 北京金山云网络技术有限公司 | Interface alternation and its verification method, logging request generation and verification method and device |
CN111489184B (en) * | 2019-01-29 | 2024-09-24 | 北京京东尚科信息技术有限公司 | Method, device, server, client and medium for verifying click behavior |
CN113632080A (en) * | 2019-04-03 | 2021-11-09 | 思杰系统有限公司 | System and method for protecting remotely hosted applications from malicious attacks |
CN110266727A (en) * | 2019-07-09 | 2019-09-20 | 中国工商银行股份有限公司 | Recognition methods, server and the client of simulation browser behavior |
CN110909353B (en) * | 2019-11-28 | 2022-07-15 | 网易(杭州)网络有限公司 | Plug-in detection method and device |
CN111641588A (en) * | 2020-04-28 | 2020-09-08 | 深圳壹账通智能科技有限公司 | Webpage analog input detection method and device, computer equipment and storage medium |
CN118138330A (en) * | 2024-03-19 | 2024-06-04 | 北京安胜华信科技有限公司 | Man-machine behavior detection method and system based on mobile terminal |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102737019A (en) * | 2011-03-31 | 2012-10-17 | 阿里巴巴集团控股有限公司 | Machine behavior determining method, webpage browser and webpage server |
CN103218431A (en) * | 2013-04-10 | 2013-07-24 | 金军 | System and method for identifying and automatically acquiring webpage information |
US8578482B1 (en) * | 2008-01-11 | 2013-11-05 | Trend Micro Inc. | Cross-site script detection and prevention |
-
2015
- 2015-06-30 CN CN201510375370.8A patent/CN104994092B/en active Active
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8578482B1 (en) * | 2008-01-11 | 2013-11-05 | Trend Micro Inc. | Cross-site script detection and prevention |
CN102737019A (en) * | 2011-03-31 | 2012-10-17 | 阿里巴巴集团控股有限公司 | Machine behavior determining method, webpage browser and webpage server |
CN103218431A (en) * | 2013-04-10 | 2013-07-24 | 金军 | System and method for identifying and automatically acquiring webpage information |
Also Published As
Publication number | Publication date |
---|---|
CN104994092A (en) | 2015-10-21 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN104994092B (en) | | Service request processing method, terminal browser and attack protection server |
CN105184159B (en) | | Webpage tampering recognition method and device |
US10657243B2 (en) | | Variation analysis-based public Turing test to tell computers and humans apart |
TWI515588B (en) | | Machine behavior determination method, web browser and web server |
US8825637B1 (en) | | Recording user actions |
CN109302394A (en) | | Terminal anti-simulated-login method, device, server and storage medium |
CN103312664B (en) | | Form validation methods, devices and systems |
CN106549980B (en) | | Malicious C&C server determination method and device |
CN105635064B (en) | | CSRF attack detection method and device |
CN109547426B (en) | | Service response method and server |
CN102833212A (en) | | Webpage visitor identity identification method and system |
CN110866239A (en) | | Verification code request processing method, device, equipment and computer storage medium |
CN104767747A (en) | | Clickjacking security detection method and device |
CN102801735A (en) | | Network authentication method and system based on behavior mode |
CN106357694A (en) | | Method and device for processing access request |
US20120180125A1 (en) | | Method and system for preventing domain name system cache poisoning attacks |
CN103902913A (en) | | Method and device for carrying out security processing on web application |
WO2017215650A1 (en) | | Automatic login method and device for micro-game client, program, and medium |
Zhang | | Zhang's CAPTCHA architecture based on intelligent interaction via RIA |
CN112365267B (en) | | Anti-crawler method and device based on operation behaviors |
CN104025089A (en) | | Scenario-based crawling |
CN111953647B (en) | | Security verification method and device, electronic equipment and storage medium |
CN110795706B (en) | | Hash-based verification method, equipment, storage medium and device |
CN108182355B (en) | | Login verification method, server and computer readable storage medium |
CA3052392A1 (en) | | Identifying human interaction with a computer |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |