CN105282112A - Terminal and method for detecting security of data interaction in terminal - Google Patents

Terminal and method for detecting security of data interaction in terminal Download PDF

Info

Publication number
CN105282112A
CN105282112A CN201410336749.3A CN201410336749A CN105282112A CN 105282112 A CN105282112 A CN 105282112A CN 201410336749 A CN201410336749 A CN 201410336749A CN 105282112 A CN105282112 A CN 105282112A
Authority
CN
China
Prior art keywords
terminal
interaction object
preset
network identifier
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
CN201410336749.3A
Other languages
Chinese (zh)
Inventor
李川
刘晋黔
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
ZTE Corp
Original Assignee
ZTE Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by ZTE Corp filed Critical ZTE Corp
Priority to CN201410336749.3A priority Critical patent/CN105282112A/en
Priority to PCT/CN2014/086858 priority patent/WO2016008212A1/en
Publication of CN105282112A publication Critical patent/CN105282112A/en
Withdrawn legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the invention discloses a terminal and a method for detecting security of data interaction in a terminal. The method comprises the steps: when data interaction is conducted by the terminal, the terminal matches a network identity of an interaction target of the terminal with preset information stored by the terminal; if the preset information does not exist in the network identity of the interaction target of the terminal, the terminal identifies the network identity of the interaction target of the terminal according to a preset identification strategy; and the terminal updates the network identity of the interaction target of the terminal in the preset information according to an identification result.

Description

Terminal and method for detecting security of terminal data interaction
Technical Field
The invention relates to a mobile terminal security technology, in particular to a terminal and a method for detecting the security of terminal data interaction.
Background
With the rapid development of intelligent terminals, the terminals increasingly need to perform data interaction with the network and transmit a large amount of data with the network; however, in the process of data interaction between the terminal and the network, especially, in the process of data interaction between the terminal and an unknown web page or website, it is difficult to ensure the security of the data of the unknown web page or website interacting with the terminal, and thus the security of the user information stored in the terminal is easily compromised.
Disclosure of Invention
In order to solve the above technical problems, embodiments of the present invention are expected to provide a terminal and a method for detecting security of data interaction of the terminal, which can improve security of the terminal during data interaction.
The technical scheme of the embodiment of the invention is realized as follows:
in a first aspect, an embodiment of the present invention provides a method for detecting security of data interaction of a terminal, where the method includes:
when a terminal carries out data interaction, the terminal matches a network identifier of a terminal interaction object with preset information stored by the terminal;
when the network identification of the terminal interaction object is not in the preset information, the terminal identifies the network identification of the terminal interaction object according to a preset identification strategy;
and the terminal updates the network identification of the terminal interaction object to the preset information according to the identification result.
According to a first possible implementation manner, in combination with the first aspect, the preset information includes a white list and a black list, where the white list includes a trusted and secure network identifier; the blacklist includes untrusted, dangerous network identifications;
the network identification of the terminal interaction object comprises a Uniform Resource Locator (URL) or an IP address of the terminal interaction object.
According to a second possible implementation manner, in combination with the first possible implementation manner, when the network identifier of the terminal interaction object is not in the preset information, the identifying, by the terminal, the network identifier of the terminal interaction object according to a preset identification policy includes:
when the network identification of the terminal interaction object is not in the white list or the black list, the terminal identifies the network identification of the terminal interaction object according to a preset identification strategy;
correspondingly, the updating, by the terminal, the network identifier of the terminal interaction object to the preset information according to the recognition result includes:
when the network identification of the terminal interaction object is identified as an untrusted dangerous network identification, the terminal adds the network identification of the terminal interaction object to the blacklist;
and when the network identification of the terminal interaction object is identified as the trusted and safe network identification, the terminal adds the network identification of the terminal interaction object to the white list.
According to the third possible implementation manner, in combination with the second possible implementation manner, the identifying, by the terminal, the network identifier of the terminal interaction object according to the preset identification policy may include at least one of the following:
the method comprises the steps that the terminal identifies the connection stability of the terminal interaction object, the terminal identifies the abnormal interaction data volume of the terminal interaction object, the terminal identifies the terminal interaction object to maliciously scan the terminal port, the terminal identifies the terminal interaction object to launch an Address Resolution Protocol (ARP) attack to the terminal, and the terminal identifies the terminal interaction object to send a large-size ping packet to the terminal.
According to the fourth possible implementation manner, in combination with the third possible implementation manner, the identifying, by the terminal, the connection stability of the terminal interaction object includes:
the terminal obtains the complete data length sent by the terminal interaction object by analyzing the application layer data of the data packet sent by the terminal interaction object;
the terminal obtains the data length accepted by the terminal according to the size of the data packet received by the terminal and compares the data length with the complete data length;
when the data length accepted by the terminal is smaller than the complete data length, the terminal counts the number of connection termination data packets sent by the terminal interaction object within a preset first time threshold;
when the number of the termination connection data packets exceeds a preset first number threshold, the terminal confirms that the terminal interaction object is unstable, and identifies the network identifier of the terminal interaction object as an untrusted and dangerous network identifier;
and when the number of the termination connection data packets does not exceed a preset first number threshold, the terminal confirms that the terminal interaction object is stable, and identifies the network identifier of the terminal interaction object as a trusted and safe network identifier.
According to a fifth possible implementation manner, in combination with the third possible implementation manner, the identifying, by the terminal, that the interactive data volume of the terminal interactive object is abnormal includes:
the terminal records a Transmission Control Protocol (TCP) connection request initiated to the terminal interactive object, and records a first connection time period of the terminal and the terminal interactive object;
the terminal counts a first data length received from the terminal interaction object in the first time period;
after a preset time interval, the terminal initiates a TCP connection request to the terminal interaction object for the second time, and counts a second data length received from the terminal interaction object in the first connection time period;
when the sum of the first data length and the second data length exceeds a preset first data length threshold, the terminal confirms that the interactive data volume of the terminal interactive object is abnormal, and identifies that the network identifier of the terminal interactive object is an untrusted and dangerous network identifier;
and when the sum of the first data length and the second data length does not exceed a preset first data length threshold, the terminal confirms that the interactive data volume of the terminal interactive object is not abnormal, and identifies that the network identifier of the terminal interactive object is a trusted and safe network identifier.
According to a sixth possible implementation manner, in combination with the third possible implementation manner, the identifying, by the terminal, that the terminal interaction object maliciously scans the terminal port includes:
after the terminal receives the data packet sent by the terminal interactive object, analyzing a TCP (transmission control protocol) head of the data packet;
when the flag bit of the TCP head of the data packet is SYN and the TCP head of the data packet does not have ACK information, the terminal confirms that the terminal interaction object maliciously scans the terminal port and identifies the network identifier of the terminal interaction object as an untrusted and dangerous network identifier;
otherwise, the terminal confirms that the terminal interaction object does not maliciously scan the terminal port, and identifies the network identifier of the terminal interaction object as a trusted and safe network identifier.
According to a seventh possible implementation manner, in combination with the third possible implementation manner, the identifying, by the terminal, the terminal interaction object to launch an ARP attack to the terminal includes:
in a preset second time period, when the number of ARP request messages sent by the terminal interactive object and received by the terminal exceeds a preset second number threshold, the terminal confirms that the terminal interactive object sends ARP attacks to the terminal and identifies that the network identifier of the terminal interactive object is an untrusted and dangerous network identifier;
and in a preset second time period, when the number of ARP request messages sent by the terminal interaction object and received by the terminal does not exceed a preset second number threshold, the terminal confirms that the terminal interaction object does not initiate ARP attack to the terminal, and identifies the network identifier of the terminal interaction object as a trusted and safe network identifier.
According to an eighth possible implementation manner, in combination with the third possible implementation manner, the identifying, by the terminal, that the terminal interaction object sends the large-size ping packet to the terminal includes:
after the terminal receives an Internet Control Message Protocol (ICMP) data packet sent by the terminal interaction object and confirms that the ICMP data packet is a ping request data packet sent by the terminal interaction object, analyzing the ICMP data packet and acquiring the data length of the ICMP data packet;
when the data length of the ICMP data packet exceeds a preset second data length threshold value, the terminal determines that the terminal interaction object sends a large-size ping packet to the terminal, and identifies the network identification of the terminal interaction object as an untrusted and dangerous network identification;
and when the data length of the ICMP data packet does not exceed a preset second data length threshold value, the terminal determines that the terminal interaction object does not send a large-size ping packet to the terminal, and identifies the network identifier of the terminal interaction object as a trusted and safe network identifier.
According to a ninth possible implementation manner, in combination with the first possible implementation manner, the method further includes:
when the network identification of the terminal interaction object is in the blacklist, the terminal terminates the data interaction with the terminal interaction object;
and when the network identifier of the terminal interaction object is in the white list, the terminal allows data interaction with the terminal interaction object.
According to a tenth possible implementation manner, in combination with the ninth possible implementation manner, when the network identifier of the terminal interaction object is in the white list, the method further includes:
in the process of data interaction between the terminal and the terminal interaction object, the terminal identifies the network identifier of the terminal interaction object according to the preset identification strategy;
and when the network identification of the terminal interaction object is identified as an untrusted dangerous network identification, the terminal adds the network identification of the terminal interaction object to the blacklist and deletes the network identification of the terminal interaction object from the white list.
According to an eleventh possible implementation manner, with reference to the first aspect, the method further includes:
when the preset information comprises the URLs with the preset number and belongs to the same HOST, the terminal replaces the URLs belonging to the same HOST in the preset information with the HOST; or,
when the preset information comprises a preset number of network protocol IP addresses belonging to the same gateway, the terminal replaces the IP addresses belonging to the same gateway in the preset information with the gateway address;
correspondingly, the terminal matches the network identifier of the terminal interaction object with preset information stored by the terminal, and the method comprises the following steps:
the terminal matches the URL of the terminal interaction object with the HOST in the preset information;
or the terminal matches the IP address of the terminal interaction object with the gateway address in the preset information.
In a second aspect, an embodiment of the present invention provides a terminal, where the terminal includes: a matching unit, a recognition unit and an updating unit, wherein,
the matching unit is used for matching the network identifier of the terminal interaction object with preset information stored by the terminal when the terminal performs data interaction;
the identification unit is used for identifying the network identifier of the terminal interaction object according to a preset identification strategy when the network identifier of the terminal interaction object is not in the preset information;
and the updating unit is used for updating the network identification of the terminal interaction object to the preset information according to the identification result of the identification unit.
According to a first possible implementation manner, in combination with the second aspect, the preset information includes a white list and a black list, where the white list includes a trusted and secure network identifier; the blacklist includes untrusted, dangerous network identifications;
the network identification of the terminal interaction object comprises a Uniform Resource Locator (URL) or an IP address of the terminal interaction object.
According to a second possible implementation manner, in combination with the first possible implementation manner, the updating unit is configured to:
when the network identification of the terminal interaction object is identified as an untrusted dangerous network identification, adding the network identification of the terminal interaction object to the blacklist; and
and when the network identification of the terminal interaction object is identified as the trusted and safe network identification, adding the network identification of the terminal interaction object into the white list.
According to a third possible implementation manner, in combination with a second possible implementation manner, the identification unit is configured to identify connection stability of the terminal interaction object, identify that an interaction data amount of the terminal interaction object is abnormal, identify that the terminal interaction object maliciously scans the terminal port, identify that the terminal interaction object initiates an ARP attack to the terminal, and identify that the terminal interaction object sends a large-size ping packet to the terminal.
According to a fourth possible implementation manner, in combination with the third possible implementation manner, the identification unit is configured to:
obtaining the complete data length sent by the terminal interaction object by analyzing the application layer data of the data packet sent by the terminal interaction object; and the number of the first and second groups,
obtaining the data length accepted by the terminal according to the size of the data packet received by the terminal, and comparing the data length accepted by the terminal with the complete data length; and the number of the first and second groups,
when the length of the data accepted by the terminal is smaller than the length of the complete data, counting the number of connection termination data packets sent by the terminal interaction object within a preset first time threshold; and
when the number of the termination connection data packets exceeds a preset first number threshold, confirming that the terminal interaction object is unstable, and identifying that the network identifier of the terminal interaction object is an untrusted and dangerous network identifier; and the number of the first and second groups,
and when the number of the termination connection data packets does not exceed a preset first number threshold, confirming that the terminal interaction object is stable, and identifying the network identifier of the terminal interaction object as a trusted and safe network identifier.
According to a fifth possible implementation manner, in combination with the third possible implementation manner, the identifying unit is configured to:
recording a Transmission Control Protocol (TCP) connection request initiated to the terminal interactive object, and recording a first connection time period of the terminal and the terminal interactive object; and the number of the first and second groups,
counting the length of first data received from the terminal interaction object in the first time period; and the number of the first and second groups,
after a preset time interval, initiating a TCP connection request to the terminal interaction object for the second time, and counting the length of second data received from the terminal interaction object in the first connection time period; and the number of the first and second groups,
when the sum of the first data length and the second data length exceeds a preset first data length threshold value, confirming that the interactive data volume of the terminal interactive object is abnormal, and identifying that the network identification of the terminal interactive object is an untrusted and dangerous network identification; and the number of the first and second groups,
and when the sum of the first data length and the second data length does not exceed a preset first data length threshold value, confirming that the interactive data volume of the terminal interactive object is not abnormal, and identifying that the network identifier of the terminal interactive object is a trusted and safe network identifier.
According to a sixth possible implementation manner, in combination with the third possible implementation manner, the identifying unit is configured to:
after receiving a data packet sent by the terminal interactive object, analyzing a TCP (transmission control protocol) head of the data packet; and the number of the first and second groups,
when the flag bit of the TCP head of the data packet is SYN and the TCP head of the data packet does not have ACK information, confirming that the terminal interaction object maliciously scans the terminal port and identifying that the network identifier of the terminal interaction object is an untrusted and dangerous network identifier; and the number of the first and second groups,
otherwise, confirming that the terminal interaction object does not maliciously scan the terminal port, and identifying the network identifier of the terminal interaction object as a trusted and safe network identifier.
According to a seventh possible implementation manner, in combination with the third possible implementation manner, the identifying unit is configured to:
when the number of ARP request messages sent by the terminal interactive object exceeds a preset second number threshold value within a preset second time period, confirming that the terminal interactive object sends ARP attacks to the terminal, and identifying that the network identification of the terminal interactive object is an untrusted and dangerous network identification; and the number of the first and second groups,
and in a preset second time period, when the number of the ARP request messages sent by the terminal interactive object does not exceed a preset second number threshold value, confirming that the terminal interactive object does not initiate ARP attack to the terminal, and identifying that the network identifier of the terminal interactive object is a trusted and safe network identifier.
According to an eighth possible implementation manner, in combination with the third possible implementation manner, the identifying unit is configured to:
after receiving an ICMP data packet sent by the terminal interaction object and confirming that the ICMP data packet is a ping request data packet sent by the terminal interaction object, analyzing the ICMP data packet and acquiring the data length of the ICMP data packet; and the number of the first and second groups,
when the data length of the ICMP data packet exceeds a preset second data length threshold value, determining that the terminal interaction object sends a large-size ping packet to the terminal, and identifying the network identification of the terminal interaction object as an untrusted and dangerous network identification; and the number of the first and second groups,
and when the data length of the ICMP data packet does not exceed a preset second data length threshold value, determining that the terminal interaction object does not send a large-size ping packet to the terminal, and identifying the network identifier of the terminal interaction object as a trusted and safe network identifier.
According to a ninth possible implementation manner, in combination with the first possible implementation manner, the terminal further includes: the interaction control unit is used for terminating the data interaction with the terminal interaction object when the network identifier of the terminal interaction object is in the blacklist; and
and when the network identifier of the terminal interaction object is in the white list, allowing data interaction with the terminal interaction object.
According to a tenth possible implementation manner, in combination with the ninth possible implementation manner, the identifying unit is further configured to identify the network identifier of the terminal interaction object according to the preset identification policy when the network identifier of the terminal interaction object is in the white list and in a process of data interaction between the terminal and the terminal interaction object;
and the updating unit is further configured to add the network identifier of the terminal interaction object to the blacklist and delete the network identifier of the terminal interaction object from the whitelist when the network identifier of the terminal interaction object is identified as an untrusted dangerous network identifier.
According to an eleventh possible implementation manner, with reference to the second aspect, the terminal further includes a replacing unit, configured to, when the preset information includes a preset number of URLs belonging to the same HOST, replace the URLs belonging to the same HOST in the preset information with the HOST; or,
when the preset information comprises a preset number of network protocol IP addresses belonging to the same gateway, replacing the IP addresses belonging to the same gateway in the preset information with the gateway addresses;
correspondingly, the matching unit is further configured to:
matching the URL of the terminal interaction object with HOST in the preset information; or,
and matching the IP address of the terminal interaction object with the gateway address in the preset information.
The embodiment of the invention provides a terminal and a method for detecting the security of terminal data interaction; by configuring the safe list and the non-safe list, the data interaction of the webpage or the website in the non-safe list is avoided in the data interaction process of the terminal, so that the security of the terminal in the data interaction process is improved.
Drawings
Fig. 1 is a schematic flowchart of a method for detecting security of terminal data interaction according to an embodiment of the present invention;
fig. 2 is a schematic structural diagram of a terminal according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram of another terminal according to an embodiment of the present invention.
Detailed Description
The technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention.
Referring to fig. 1, a flow of a method for detecting security of data interaction of a terminal according to an embodiment of the present invention is shown, where the method may be applied to a terminal, and the terminal may be, by way of example and not limitation, a smart mobile device with a communication function, such as a smart phone, a tablet computer, a palm computer, a laptop, a wearable electronic device, and the like; the method can comprise the following steps:
s101: when a terminal carries out data interaction, the terminal matches a network identifier of a terminal interaction object with preset information stored by the terminal;
illustratively, the preset information may include a white list and a black list, wherein the white list may include trusted and secure network identifications; untrusted, dangerous network identifications may be included in the blacklist; the network identifier may specifically include a Uniform Resource Locator (URL) of a web page or a website, an IP address, and the like.
It can be understood that the terminal interaction object may be a network element device interacting with the terminal, such as a server, a gateway, another terminal, and the like, and the terminal matches the network identifier of the terminal interaction object with preset information stored in the terminal itself, that is, the terminal matches the network identifier of the terminal interaction object with a white list and a black list stored in the terminal respectively.
It should be noted that, after the terminal matches the network identifier of the terminal interaction object with the preset information stored in the terminal itself, the obtained matching result may be divided into: the network identification of the terminal interaction object is in the preset information, and the network identification of the terminal interaction object is not in the preset information;
after the terminal matches the network identifier of the terminal interaction object with the white list and the black list stored in the terminal, the following three matching results can be obtained:
A. the network identification of the terminal interaction object is in the white list;
B. the network identification of the terminal interaction object is in the blacklist;
C. and the network identification of the terminal interaction object is not in the white list or the black list.
It can be understood that, the matching results a and B may be regarded that the network identifier of the terminal interaction object is in the preset information, and the matching result C may be regarded that the network identifier of the terminal interaction object is not in the preset information.
Preferably, the specific acquisition process of the above A, B, C three matching results may be:
firstly, the terminal matches the network identification of the terminal interaction object with the white list; the matching results that can be obtained are: the network identification of the terminal interaction object is in the white list, or the network identification of the terminal interaction object is not in the white list;
then, when the network identifier of the terminal interaction object is not in the white list, the terminal matches the network identifier of the terminal interaction object with the black list; the matching results that can be obtained are: the network identification of the terminal interaction object is in the blacklist, or the network identification of the terminal interaction object is not in the white list or the blacklist;
it should be noted that, when the network identifier of the terminal interaction object is not in the preset information, that is, the terminal obtains the matching result C, the terminal must also identify the network identifier of the terminal interaction object, as in step S102;
s102: when the network identification of the terminal interaction object is not in the preset information, the terminal identifies the network identification of the terminal interaction object according to a preset identification strategy;
illustratively, the terminal identifies the network identifier of the terminal interaction object according to a preset identification policy, which may include at least one of the following:
the method comprises the steps that the terminal identifies the connection stability of the terminal interactive object, the terminal identifies the abnormal interactive data volume of the terminal interactive object, the terminal identifies the terminal interactive object to maliciously scan the terminal port, the terminal identifies the terminal interactive object to initiate Address Resolution Protocol (ARP) attack to the terminal and identifies the terminal interactive object to send a large-size ping packet to the terminal.
It can be understood that, in addition to the five items described above, the terminal may add or delete an identification item for identifying a network identifier of the terminal interaction object according to its actual application scenario, which is not specifically limited in this embodiment of the present invention.
Specifically, the identifying, by the terminal, the connection stability of the terminal interaction object may include:
the terminal obtains the complete data length sent by the terminal interaction object by analyzing the application layer data of the data packet sent by the terminal interaction object;
the terminal obtains the data length accepted by the terminal according to the size of the data packet received by the terminal and compares the data length with the complete data length;
when the data length accepted by the terminal is smaller than the complete data length, the terminal counts the number of connection termination data packets sent by the terminal interaction object within a preset first time threshold;
when the number of the termination connection data packets exceeds a preset first number threshold, the terminal confirms that the terminal interaction object is unstable, and identifies the network identifier of the terminal interaction object as an untrusted and dangerous network identifier;
and when the number of the termination connection data packets does not exceed a preset first number threshold, the terminal confirms that the terminal interaction object is stable, and identifies the network identifier of the terminal interaction object as a trusted and safe network identifier.
Specifically, the identifying, by the terminal, that the interactive data volume of the terminal interactive object is abnormal may include:
the terminal records initiate a Transmission Control Protocol (TCP) connection request to the terminal interaction object, and records a first connection time period of the terminal and the terminal interaction object;
the terminal counts a first data length received from the terminal interaction object in the first time period;
after a preset time interval, the terminal initiates a TCP connection request to the terminal interaction object for the second time, and counts a second data length received from the terminal interaction object in the first connection time period;
when the sum of the first data length and the second data length exceeds a preset first data length threshold, the terminal confirms that the interactive data volume of the terminal interactive object is abnormal, and identifies that the network identifier of the terminal interactive object is an untrusted and dangerous network identifier;
and when the sum of the first data length and the second data length does not exceed a preset first data length threshold, the terminal confirms that the interactive data volume of the terminal interactive object is not abnormal, and identifies that the network identifier of the terminal interactive object is a trusted and safe network identifier.
Specifically, the identifying, by the terminal, that the terminal interaction object maliciously scans the terminal port may include:
after the terminal receives the data packet sent by the terminal interactive object, analyzing a TCP (transmission control protocol) head of the data packet;
when the flag bit of the TCP head of the data packet is SYN and the TCP head of the data packet does not have ACK information, the terminal confirms that the terminal interaction object maliciously scans the terminal port and identifies the network identifier of the terminal interaction object as an untrusted and dangerous network identifier;
otherwise, the terminal confirms that the terminal interaction object does not maliciously scan the terminal port, and identifies the network identifier of the terminal interaction object as a trusted and safe network identifier.
Specifically, the identifying, by the terminal, the terminal interaction object to launch an ARP attack to the terminal may include:
in a preset second time period, when the number of ARP request messages sent by the terminal interactive object and received by the terminal exceeds a preset second number threshold, the terminal confirms that the terminal interactive object sends ARP attacks to the terminal and identifies that the network identifier of the terminal interactive object is an untrusted and dangerous network identifier;
and in a preset second time period, when the number of ARP request messages sent by the terminal interaction object and received by the terminal does not exceed a preset second number threshold, the terminal confirms that the terminal interaction object does not initiate ARP attack to the terminal, and identifies the network identifier of the terminal interaction object as a trusted and safe network identifier.
Specifically, the identifying, by the terminal, that the terminal interaction object sends a large-size ping packet to the terminal may include:
after the terminal receives an Internet Control Message Protocol (ICMP) data packet sent by the terminal interaction object and confirms that the ICMP data packet is a ping request data packet sent by the terminal interaction object, analyzing the ICMP data packet and acquiring the data length of the ICMP data packet;
when the data length of the ICMP data packet exceeds a preset second data length threshold value, the terminal determines that the terminal interaction object sends a large-size ping packet to the terminal, and identifies the network identification of the terminal interaction object as an untrusted and dangerous network identification;
and when the data length of the ICMP data packet does not exceed a preset second data length threshold value, the terminal determines that the terminal interaction object does not send a large-size ping packet to the terminal, and identifies the network identifier of the terminal interaction object as a trusted and safe network identifier.
As can be seen from the above, the recognition result may include:
the network identification of the terminal interaction object is identified as an untrusted dangerous network identification and the network identification of the terminal interaction object is identified as a trusted safe network identification.
S103: the terminal updates the network identification of the terminal interaction object to the preset information according to the identification result;
specifically, the updating, by the terminal, the network identifier of the terminal interaction object to the preset information according to the recognition result may include:
when the network identification of the terminal interaction object is identified as an untrusted dangerous network identification, the terminal adds the network identification of the terminal interaction object to the blacklist; and the number of the first and second groups,
and when the network identification of the terminal interaction object is identified as the trusted and safe network identification, the terminal adds the network identification of the terminal interaction object to the white list.
The above processes of S101 to S103 may enable how to update the network identifier of the terminal interaction object into the preset information when the network identifier of the terminal interaction object is not in the preset information, so that the update of the preset information can be implemented in the interaction process.
In addition, when the network identifier of the terminal interaction object obtained in step S101 is in the preset information, that is, after the terminal obtains the matching result a or the matching result B, the terminal may perform corresponding control operations on data interaction according to the matching result a or the matching result B, where the specific control operations may include:
when the network identification of the terminal interaction object is in the blacklist, the terminal terminates the data interaction with the terminal interaction object;
and when the network identifier of the terminal interaction object is in the white list, the terminal allows data interaction with the terminal interaction object.
Preferably, when the network identifier of the terminal interaction object is in the white list, the method may further include:
in the process of data interaction between the terminal and the terminal interaction object, the terminal can also identify the network identifier of the terminal interaction object according to the preset identification strategy;
when the network identification of the terminal interaction object is identified as an untrusted dangerous network identification, the terminal adds the network identification of the terminal interaction object to the blacklist and deletes the network identification of the terminal interaction object from the white list;
it is to be understood that when the network identifier of the terminal interaction object is identified as a trusted, secure network identifier, the terminal continues to maintain the state of the network identifier of the terminal interaction object in the white list.
It should be noted that, since the network identifier may specifically include a Uniform Resource Locator (URL) and an IP address of a web page or a website, the method may further include:
when the preset information comprises that the URLs with preset number belong to the same HOST, the terminal replaces the URLs belonging to the same HOST in the preset information with the HOST;
and when the preset information comprises the IP addresses with the preset number belonging to the same gateway, the terminal replaces the IP addresses belonging to the same gateway in the preset information with the gateway addresses.
Correspondingly, the matching, by the terminal, the network identifier of the terminal interaction object with preset information stored in the terminal itself may include:
the terminal matches the URL of the terminal interaction object with the HOST in the preset information;
or the terminal matches the IP address of the terminal interaction object with the gateway address in the preset information.
The embodiment of the invention provides a method for detecting the security of terminal data interaction; by configuring the safe list and the non-safe list, the data interaction of the webpage or the website in the non-safe list is avoided in the data interaction process of the terminal, so that the security of the terminal in the data interaction process is improved.
Referring to fig. 2, which shows a structure of a terminal 20 according to an embodiment of the present invention, the terminal 20 may include: a matching unit 201, a recognition unit 202 and an updating unit 203, wherein,
the matching unit 201 is configured to match the network identifier of the terminal interaction object with preset information stored in the terminal 20 when the terminal 20 performs data interaction;
the identifying unit 202 is configured to identify the network identifier of the terminal interaction object according to a preset identification policy when the network identifier of the terminal interaction object is not in the preset information;
the updating unit 203 is configured to update the network identifier of the terminal interaction object to the preset information according to the recognition result of the recognizing unit 202.
Illustratively, the preset information includes a white list and a black list, wherein the white list may include trusted and secure network identifications; untrusted, dangerous network identifications may be included in the blacklist; the network identifier may specifically include a URL, an IP address, etc. of the web page or website.
Illustratively, trusted, secure network identifications may be included in the whitelist; untrusted, dangerous network identifications may be included in the blacklist; the network identifier may specifically include a URL, an IP address, etc. of the web page or website.
It can be understood that the terminal interaction object may be a network element device interacting with the terminal 20, such as a server, a gateway, another terminal, and the like, and the matching unit 201 matches the network identifier of the terminal interaction object with preset information stored in the terminal 20 itself, that is, matches the network identifier of the terminal interaction object with a white list and a black list stored in the terminal 20 respectively.
It should be noted that, after the matching unit 201 matches the network identifier of the terminal interaction object with the preset information stored in the terminal 20 itself, the obtained matching result may be divided into: the network identification of the terminal interaction object is in the preset information, and the network identification of the terminal interaction object is not in the preset information;
after the matching unit 201 matches the network identifier of the terminal interaction object with the white list and the black list stored in the terminal 20, the following three matching results may be obtained:
A. the network identification of the terminal interaction object is in the white list;
B. the network identification of the terminal interaction object is in the blacklist;
C. and the network identification of the terminal interaction object is not in the white list or the black list.
It can be understood that, the matching results a and B may be regarded that the network identifier of the terminal interaction object is in the preset information, and the matching result C may be regarded that the network identifier of the terminal interaction object is not in the preset information.
Preferably, the specific acquisition process of the above A, B, C three matching results may be:
firstly, the matching unit 201 matches the network identifier of the terminal interaction object with the white list; the matching unit 201 can obtain the matching result as: the network identification of the terminal interaction object is in the white list, or the network identification of the terminal interaction object is not in the white list;
then, when the network identifier of the terminal interaction object is not in the white list, the matching unit 201 matches the network identifier of the terminal interaction object with the black list; the matching unit 201 can obtain the matching result as: the network identification of the terminal interaction object is in the blacklist, or the network identification of the terminal interaction object is not in the white list or the blacklist;
it should be noted that, when the network identifier of the terminal interaction object is not in the preset information, that is, the matching unit 201 obtains the matching result C, the identifying unit 202 may be specifically configured to identify at least one of the following items: identifying the connection stability of the terminal interaction object, identifying the abnormal interaction data volume of the terminal interaction object, identifying the malicious scanning of the terminal port by the terminal interaction object, identifying the ARP attack initiated by the terminal interaction object to the terminal and identifying the large-size ping packet sent by the terminal interaction object to the terminal.
It is understood that, in addition to the five items described above, the identifying unit 202 may add or delete an identifying item for identifying a network identifier of the terminal interaction object according to an actual application scenario of the terminal 20, which is not specifically limited in this embodiment of the present invention.
Optionally, the identifying unit 202 may be configured to:
obtaining the complete data length sent by the terminal interaction object by analyzing the application layer data of the data packet sent by the terminal interaction object; and the number of the first and second groups,
obtaining the data length accepted by the terminal according to the size of the data packet received by the terminal, and comparing the data length accepted by the terminal with the complete data length; and the number of the first and second groups,
when the length of the data accepted by the terminal is smaller than the length of the complete data, counting the number of connection termination data packets sent by the terminal interaction object within a preset first time threshold; and
when the number of the termination connection data packets exceeds a preset first number threshold, confirming that the terminal interaction object is unstable, and identifying that the network identifier of the terminal interaction object is an untrusted and dangerous network identifier; and the number of the first and second groups,
and when the number of the termination connection data packets does not exceed a preset first number threshold, confirming that the terminal interaction object is stable, and identifying the network identifier of the terminal interaction object as a trusted and safe network identifier.
Optionally, the identifying unit 202 may be configured to:
recording a Transmission Control Protocol (TCP) connection request initiated to the terminal interactive object, and recording a first connection time period of the terminal and the terminal interactive object; and the number of the first and second groups,
counting the length of first data received from the terminal interaction object in the first time period; and the number of the first and second groups,
after a preset time interval, initiating a TCP connection request to the terminal interaction object for the second time, and counting the length of second data received from the terminal interaction object in the first connection time period; and the number of the first and second groups,
when the sum of the first data length and the second data length exceeds a preset first data length threshold value, confirming that the interactive data volume of the terminal interactive object is abnormal, and identifying that the network identification of the terminal interactive object is an untrusted and dangerous network identification; and the number of the first and second groups,
and when the sum of the first data length and the second data length does not exceed a preset first data length threshold value, confirming that the interactive data volume of the terminal interactive object is not abnormal, and identifying that the network identifier of the terminal interactive object is a trusted and safe network identifier.
Optionally, the identifying unit 202 may be configured to:
after receiving a data packet sent by the terminal interactive object, analyzing a TCP (transmission control protocol) head of the data packet; and the number of the first and second groups,
when the flag bit of the TCP head of the data packet is SYN and the TCP head of the data packet does not have ACK information, confirming that the terminal interaction object maliciously scans the terminal port and identifying that the network identifier of the terminal interaction object is an untrusted and dangerous network identifier; and the number of the first and second groups,
otherwise, confirming that the terminal interaction object does not maliciously scan the terminal port, and identifying the network identifier of the terminal interaction object as a trusted and safe network identifier.
Optionally, the identifying unit 202 may be configured to:
when the number of ARP request messages sent by the terminal interactive object exceeds a preset second number threshold value within a preset second time period, confirming that the terminal interactive object sends ARP attacks to the terminal, and identifying that the network identification of the terminal interactive object is an untrusted and dangerous network identification; and the number of the first and second groups,
and in a preset second time period, when the number of the ARP request messages sent by the terminal interactive object does not exceed a preset second number threshold value, confirming that the terminal interactive object does not initiate ARP attack to the terminal, and identifying that the network identifier of the terminal interactive object is a trusted and safe network identifier.
Optionally, the identifying unit 202 may be configured to:
after receiving an ICMP data packet sent by the terminal interaction object and confirming that the ICMP data packet is a ping request data packet sent by the terminal interaction object, analyzing the ICMP data packet and acquiring the data length of the ICMP data packet; and the number of the first and second groups,
when the data length of the ICMP data packet exceeds a preset second data length threshold value, determining that the terminal interaction object sends a large-size ping packet to the terminal, and identifying the network identification of the terminal interaction object as an untrusted and dangerous network identification; and the number of the first and second groups,
and when the data length of the ICMP data packet does not exceed a preset second data length threshold value, determining that the terminal interaction object does not send a large-size ping packet to the terminal, and identifying the network identifier of the terminal interaction object as a trusted and safe network identifier.
As can be seen from the above, the result of the recognition performed by the recognition unit 202 may include: the network identification of the terminal interaction object is identified as an untrusted dangerous network identification and the network identification of the terminal interaction object is identified as a trusted safe network identification.
Exemplarily, the updating unit 203 is configured to add the network identifier of the terminal interaction object to the blacklist when the network identifier of the terminal interaction object is identified by the identifying unit 202 as an untrusted dangerous network identifier; and
when the network identity of the terminal interaction object is identified by the identification unit 202 as a trusted, secure network identity, the network identity of the terminal interaction object is added to the white list.
Illustratively, referring to fig. 3, the terminal 20 may further include: an interaction control unit 204, configured to terminate data interaction with the terminal interaction object when the network identifier of the terminal interaction object is in the blacklist; and
and when the network identifier of the terminal interaction object is in the white list, allowing data interaction with the terminal interaction object.
Preferably, when the network identifier of the terminal interaction object is in the white list, the identifying unit may be further configured to identify the network identifier of the terminal interaction object according to the preset identification policy in a process of data interaction between the terminal 20 and the terminal interaction object;
the updating unit 203 may be further configured to, when the network identifier of the terminal interaction object is identified as an untrusted dangerous network identifier, add the network identifier of the terminal interaction object to the blacklist, and delete the network identifier of the terminal interaction object from the whitelist.
It should be noted that, since the network identifier may specifically include a URL and an IP address of a web page or a website, referring to fig. 3, the terminal 20 further includes a replacing unit 205, configured to:
when the preset information comprises the URLs with the preset number and belongs to the same HOST, replacing the URLs belonging to the same HOST in the preset information with the HOST; or,
when the preset information comprises a preset number of network protocol IP addresses belonging to the same gateway, replacing the IP addresses belonging to the same gateway in the preset information with the gateway addresses;
accordingly, the matching unit 201 may further be configured to:
matching the URL of the terminal interaction object with HOST in the preset information;
or matching the IP address of the terminal interaction object with the gateway address in the preset information.
The embodiment of the invention provides a terminal 20; by configuring the safe list and the non-safe list, the data interaction of the webpage or the website in the non-safe list is avoided in the data interaction process of the terminal, so that the security of the terminal in the data interaction process is improved.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of a hardware embodiment, a software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above description is only a preferred embodiment of the present invention, and is not intended to limit the scope of the present invention.

Claims (24)

1. A method for detecting the security of terminal data interaction is characterized in that the method comprises the following steps:
when a terminal carries out data interaction, the terminal matches a network identifier of a terminal interaction object with preset information stored by the terminal;
when the network identification of the terminal interaction object is not in the preset information, the terminal identifies the network identification of the terminal interaction object according to a preset identification strategy;
and the terminal updates the network identification of the terminal interaction object to the preset information according to the identification result.
2. The method of claim 1, wherein the predetermined information comprises a white list and a black list, wherein the white list comprises trusted secure network identifiers; the blacklist includes untrusted, dangerous network identifications;
the network identification of the terminal interaction object comprises a Uniform Resource Locator (URL) or an IP address of the terminal interaction object.
3. The method according to claim 2, wherein when the network identifier of the terminal interaction object is not in the preset information, the terminal identifies the network identifier of the terminal interaction object according to a preset identification policy, including:
when the network identification of the terminal interaction object is not in the white list or the black list, the terminal identifies the network identification of the terminal interaction object according to a preset identification strategy;
correspondingly, the updating, by the terminal, the network identifier of the terminal interaction object to the preset information according to the recognition result includes:
when the network identification of the terminal interaction object is identified as an untrusted dangerous network identification, the terminal adds the network identification of the terminal interaction object to the blacklist;
and when the network identification of the terminal interaction object is identified as the trusted and safe network identification, the terminal adds the network identification of the terminal interaction object to the white list.
4. The method according to claim 3, wherein the terminal identifies the network identifier of the terminal interaction object according to a preset identification policy, which may include at least one of:
the method comprises the steps that the terminal identifies the connection stability of the terminal interaction object, the terminal identifies the abnormal interaction data volume of the terminal interaction object, the terminal identifies the terminal interaction object to maliciously scan the terminal port, the terminal identifies the terminal interaction object to launch an Address Resolution Protocol (ARP) attack to the terminal, and the terminal identifies the terminal interaction object to send a large-size ping packet to the terminal.
5. The method according to claim 4, wherein the terminal identifies the connection stability of the terminal interaction object, and comprises:
the terminal obtains the complete data length sent by the terminal interaction object by analyzing the application layer data of the data packet sent by the terminal interaction object;
the terminal obtains the data length accepted by the terminal according to the size of the data packet received by the terminal and compares the data length with the complete data length;
when the data length accepted by the terminal is smaller than the complete data length, the terminal counts the number of connection termination data packets sent by the terminal interaction object within a preset first time threshold;
when the number of the termination connection data packets exceeds a preset first number threshold, the terminal confirms that the terminal interaction object is unstable, and identifies the network identifier of the terminal interaction object as an untrusted and dangerous network identifier;
and when the number of the termination connection data packets does not exceed a preset first number threshold, the terminal confirms that the terminal interaction object is stable, and identifies the network identifier of the terminal interaction object as a trusted and safe network identifier.
6. The method according to claim 4, wherein the terminal identifies the abnormal interaction data volume of the terminal interaction object, and comprises:
the terminal records a Transmission Control Protocol (TCP) connection request initiated to the terminal interactive object, and records a first connection time period of the terminal and the terminal interactive object;
the terminal counts a first data length received from the terminal interaction object in the first time period;
after a preset time interval, the terminal initiates a TCP connection request to the terminal interaction object for the second time, and counts a second data length received from the terminal interaction object in the first connection time period;
when the sum of the first data length and the second data length exceeds a preset first data length threshold, the terminal confirms that the interactive data volume of the terminal interactive object is abnormal, and identifies that the network identifier of the terminal interactive object is an untrusted and dangerous network identifier;
and when the sum of the first data length and the second data length does not exceed a preset first data length threshold, the terminal confirms that the interactive data volume of the terminal interactive object is not abnormal, and identifies that the network identifier of the terminal interactive object is a trusted and safe network identifier.
7. The method of claim 4, wherein the terminal recognizing that the terminal interaction object maliciously scans the terminal port comprises:
after the terminal receives the data packet sent by the terminal interactive object, analyzing a TCP (transmission control protocol) head of the data packet;
when the flag bit of the TCP head of the data packet is SYN and the TCP head of the data packet does not have ACK information, the terminal confirms that the terminal interaction object maliciously scans the terminal port and identifies the network identifier of the terminal interaction object as an untrusted and dangerous network identifier;
otherwise, the terminal confirms that the terminal interaction object does not maliciously scan the terminal port, and identifies the network identifier of the terminal interaction object as a trusted and safe network identifier.
8. The method according to claim 4, wherein the terminal recognizing the terminal interaction object initiating ARP attack to the terminal comprises:
in a preset second time period, when the number of ARP request messages sent by the terminal interactive object and received by the terminal exceeds a preset second number threshold, the terminal confirms that the terminal interactive object sends ARP attacks to the terminal and identifies that the network identifier of the terminal interactive object is an untrusted and dangerous network identifier;
and in a preset second time period, when the number of ARP request messages sent by the terminal interaction object and received by the terminal does not exceed a preset second number threshold, the terminal confirms that the terminal interaction object does not initiate ARP attack to the terminal, and identifies the network identifier of the terminal interaction object as a trusted and safe network identifier.
9. The method according to claim 4, wherein the terminal recognizing that the terminal interaction object sends a large-size ping packet to the terminal comprises:
after the terminal receives an Internet Control Message Protocol (ICMP) data packet sent by the terminal interaction object and confirms that the ICMP data packet is a ping request data packet sent by the terminal interaction object, analyzing the ICMP data packet and acquiring the data length of the ICMP data packet;
when the data length of the ICMP data packet exceeds a preset second data length threshold value, the terminal determines that the terminal interaction object sends a large-size ping packet to the terminal, and identifies the network identification of the terminal interaction object as an untrusted and dangerous network identification;
and when the data length of the ICMP data packet does not exceed a preset second data length threshold value, the terminal determines that the terminal interaction object does not send a large-size ping packet to the terminal, and identifies the network identifier of the terminal interaction object as a trusted and safe network identifier.
10. The method of claim 2, further comprising:
when the network identification of the terminal interaction object is in the blacklist, the terminal terminates the data interaction with the terminal interaction object;
and when the network identifier of the terminal interaction object is in the white list, the terminal allows data interaction with the terminal interaction object.
11. The method according to claim 10, wherein when the network identification of the terminal interaction object is in the white list, the method further comprises:
in the process of data interaction between the terminal and the terminal interaction object, the terminal identifies the network identifier of the terminal interaction object according to the preset identification strategy;
and when the network identification of the terminal interaction object is identified as an untrusted dangerous network identification, the terminal adds the network identification of the terminal interaction object to the blacklist and deletes the network identification of the terminal interaction object from the white list.
12. The method of claim 1, further comprising:
when the preset information comprises the URLs with the preset number and belongs to the same HOST, the terminal replaces the URLs belonging to the same HOST in the preset information with the HOST; or,
when the preset information comprises a preset number of network protocol IP addresses belonging to the same gateway, the terminal replaces the IP addresses belonging to the same gateway in the preset information with the gateway address;
correspondingly, the terminal matches the network identifier of the terminal interaction object with preset information stored by the terminal, and the method comprises the following steps:
the terminal matches the URL of the terminal interaction object with the HOST in the preset information;
or the terminal matches the IP address of the terminal interaction object with the gateway address in the preset information.
13. A terminal, characterized in that the terminal comprises: a matching unit, a recognition unit and an updating unit, wherein,
the matching unit is used for matching the network identifier of the terminal interaction object with preset information stored by the terminal when the terminal performs data interaction;
the identification unit is used for identifying the network identifier of the terminal interaction object according to a preset identification strategy when the network identifier of the terminal interaction object is not in the preset information;
and the updating unit is used for updating the network identification of the terminal interaction object to the preset information according to the identification result of the identification unit.
14. The terminal of claim 13, wherein the predetermined information comprises a white list and a black list, wherein the white list comprises trusted, secure network identifiers; the blacklist includes untrusted, dangerous network identifications;
the network identification of the terminal interaction object comprises a Uniform Resource Locator (URL) or an IP address of the terminal interaction object.
15. The terminal according to claim 14, wherein the updating unit is configured to:
when the network identification of the terminal interaction object is identified as an untrusted dangerous network identification, adding the network identification of the terminal interaction object to the blacklist; and
and when the network identification of the terminal interaction object is identified as the trusted and safe network identification, adding the network identification of the terminal interaction object into the white list.
16. The terminal according to claim 15, wherein the identifying unit is configured to identify connection stability of the terminal interaction object, identify an abnormal amount of interaction data of the terminal interaction object, identify that the terminal interaction object maliciously scans the terminal port, identify that the terminal interaction object initiates an ARP attack on the terminal, and identify that the terminal interaction object sends a large-size ping packet to the terminal.
17. The terminal according to claim 16, wherein the identifying unit is configured to:
obtaining the complete data length sent by the terminal interaction object by analyzing the application layer data of the data packet sent by the terminal interaction object; and the number of the first and second groups,
obtaining the data length accepted by the terminal according to the size of the data packet received by the terminal, and comparing the data length accepted by the terminal with the complete data length; and the number of the first and second groups,
when the length of the data accepted by the terminal is smaller than the length of the complete data, counting the number of connection termination data packets sent by the terminal interaction object within a preset first time threshold; and
when the number of the termination connection data packets exceeds a preset first number threshold, confirming that the terminal interaction object is unstable, and identifying that the network identifier of the terminal interaction object is an untrusted and dangerous network identifier; and the number of the first and second groups,
and when the number of the termination connection data packets does not exceed a preset first number threshold, confirming that the terminal interaction object is stable, and identifying the network identifier of the terminal interaction object as a trusted and safe network identifier.
18. The terminal according to claim 16, wherein the identifying unit is configured to:
recording a Transmission Control Protocol (TCP) connection request initiated to the terminal interactive object, and recording a first connection time period of the terminal and the terminal interactive object; and the number of the first and second groups,
counting the length of first data received from the terminal interaction object in the first time period; and the number of the first and second groups,
after a preset time interval, initiating a TCP connection request to the terminal interaction object for the second time, and counting the length of second data received from the terminal interaction object in the first connection time period; and the number of the first and second groups,
when the sum of the first data length and the second data length exceeds a preset first data length threshold value, confirming that the interactive data volume of the terminal interactive object is abnormal, and identifying that the network identification of the terminal interactive object is an untrusted and dangerous network identification; and the number of the first and second groups,
and when the sum of the first data length and the second data length does not exceed a preset first data length threshold value, confirming that the interactive data volume of the terminal interactive object is not abnormal, and identifying that the network identifier of the terminal interactive object is a trusted and safe network identifier.
19. The terminal according to claim 16, wherein the identifying unit is configured to:
after receiving a data packet sent by the terminal interactive object, analyzing a TCP (transmission control protocol) head of the data packet; and the number of the first and second groups,
when the flag bit of the TCP head of the data packet is SYN and the TCP head of the data packet does not have ACK information, confirming that the terminal interaction object maliciously scans the terminal port and identifying that the network identifier of the terminal interaction object is an untrusted and dangerous network identifier; and the number of the first and second groups,
otherwise, confirming that the terminal interaction object does not maliciously scan the terminal port, and identifying the network identifier of the terminal interaction object as a trusted and safe network identifier.
20. The terminal according to claim 16, wherein the identifying unit is configured to:
when the number of ARP request messages sent by the terminal interactive object exceeds a preset second number threshold value within a preset second time period, confirming that the terminal interactive object sends ARP attacks to the terminal, and identifying that the network identification of the terminal interactive object is an untrusted and dangerous network identification; and the number of the first and second groups,
and in a preset second time period, when the number of the ARP request messages sent by the terminal interactive object does not exceed a preset second number threshold value, confirming that the terminal interactive object does not initiate ARP attack to the terminal, and identifying that the network identifier of the terminal interactive object is a trusted and safe network identifier.
21. The terminal of claim 16, wherein the identifying unit is configured to:
after receiving an ICMP data packet sent by the terminal interaction object and confirming that the ICMP data packet is a ping request data packet sent by the terminal interaction object, analyzing the ICMP data packet and acquiring the data length of the ICMP data packet; and the number of the first and second groups,
when the data length of the ICMP data packet exceeds a preset second data length threshold value, determining that the terminal interaction object sends a large-size ping packet to the terminal, and identifying the network identification of the terminal interaction object as an untrusted and dangerous network identification; and the number of the first and second groups,
and when the data length of the ICMP data packet does not exceed a preset second data length threshold value, determining that the terminal interaction object does not send a large-size ping packet to the terminal, and identifying the network identifier of the terminal interaction object as a trusted and safe network identifier.
22. The terminal of claim 14, wherein the terminal further comprises: the interaction control unit is used for terminating the data interaction with the terminal interaction object when the network identifier of the terminal interaction object is in the blacklist; and
and when the network identifier of the terminal interaction object is in the white list, allowing data interaction with the terminal interaction object.
23. The terminal of claim 22, wherein the identifying unit is further configured to identify the network identifier of the terminal interaction object according to the preset identification policy when the network identifier of the terminal interaction object is in the white list and during a data interaction between the terminal and the terminal interaction object;
and the updating unit is further configured to add the network identifier of the terminal interaction object to the blacklist and delete the network identifier of the terminal interaction object from the whitelist when the network identifier of the terminal interaction object is identified as an untrusted dangerous network identifier.
24. The terminal according to claim 13, further comprising a replacing unit, configured to replace a URL belonging to a same HOST in the preset information with the HOST when a preset number of URLs belonging to the same HOST are included in the preset information; or,
when the preset information comprises a preset number of network protocol IP addresses belonging to the same gateway, replacing the IP addresses belonging to the same gateway in the preset information with the gateway addresses;
correspondingly, the matching unit is further configured to:
matching the URL of the terminal interaction object with HOST in the preset information; or,
and matching the IP address of the terminal interaction object with the gateway address in the preset information.
CN201410336749.3A 2014-07-15 2014-07-15 Terminal and method for detecting security of data interaction in terminal Withdrawn CN105282112A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201410336749.3A CN105282112A (en) 2014-07-15 2014-07-15 Terminal and method for detecting security of data interaction in terminal
PCT/CN2014/086858 WO2016008212A1 (en) 2014-07-15 2014-09-18 Terminal as well as method for detecting security of terminal data interaction, and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410336749.3A CN105282112A (en) 2014-07-15 2014-07-15 Terminal and method for detecting security of data interaction in terminal

Publications (1)

Publication Number Publication Date
CN105282112A true CN105282112A (en) 2016-01-27

Family

ID=55077862

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410336749.3A Withdrawn CN105282112A (en) 2014-07-15 2014-07-15 Terminal and method for detecting security of data interaction in terminal

Country Status (2)

Country Link
CN (1) CN105282112A (en)
WO (1) WO2016008212A1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108234486A (en) * 2017-12-29 2018-06-29 北京神州绿盟信息安全科技股份有限公司 A kind of network monitoring method and monitoring server
CN111125751A (en) * 2019-12-03 2020-05-08 中盈优创资讯科技有限公司 Database penetration preventing method and device
CN111859361A (en) * 2020-09-23 2020-10-30 歌尔光学科技有限公司 Communication method, communication device, electronic equipment and storage medium
CN116150221A (en) * 2022-10-09 2023-05-23 浙江博观瑞思科技有限公司 Information interaction method and system for service of enterprise E-business operation management

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111010362B (en) * 2019-03-20 2021-09-21 新华三技术有限公司 Monitoring method and device for abnormal host

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102231745A (en) * 2011-07-08 2011-11-02 盛大计算机(上海)有限公司 Safety system and method for network application
US20120088503A1 (en) * 2008-07-18 2012-04-12 Research In Motion Limited Apparatus and method for performing network scanning using black-list network information
CN103701804A (en) * 2013-12-26 2014-04-02 北京奇虎科技有限公司 Network shopping environment safety detecting method and device

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102118326B (en) * 2011-01-27 2013-09-25 郭少方 Method for processing E-mail
CN102708186A (en) * 2012-05-11 2012-10-03 上海交通大学 Identification method of phishing sites
CN103916389B (en) * 2014-03-19 2017-08-08 汉柏科技有限公司 Defend the method and fire wall of HttpFlood attacks

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120088503A1 (en) * 2008-07-18 2012-04-12 Research In Motion Limited Apparatus and method for performing network scanning using black-list network information
CN102231745A (en) * 2011-07-08 2011-11-02 盛大计算机(上海)有限公司 Safety system and method for network application
CN103701804A (en) * 2013-12-26 2014-04-02 北京奇虎科技有限公司 Network shopping environment safety detecting method and device

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108234486A (en) * 2017-12-29 2018-06-29 北京神州绿盟信息安全科技股份有限公司 A kind of network monitoring method and monitoring server
CN111125751A (en) * 2019-12-03 2020-05-08 中盈优创资讯科技有限公司 Database penetration preventing method and device
CN111859361A (en) * 2020-09-23 2020-10-30 歌尔光学科技有限公司 Communication method, communication device, electronic equipment and storage medium
CN111859361B (en) * 2020-09-23 2021-08-31 歌尔光学科技有限公司 Communication method, communication device, electronic equipment and storage medium
CN116150221A (en) * 2022-10-09 2023-05-23 浙江博观瑞思科技有限公司 Information interaction method and system for service of enterprise E-business operation management

Also Published As

Publication number Publication date
WO2016008212A1 (en) 2016-01-21

Similar Documents

Publication Publication Date Title
US10929538B2 (en) Network security protection method and apparatus
US10419431B2 (en) Preventing cross-site request forgery using environment fingerprints of a client device
US20160285822A1 (en) Detecting and preventing session hijacking
CN109768991B (en) Message replay attack detection method and device and electronic equipment
WO2014172956A1 (en) Login method,apparatus, and system
CN105282112A (en) Terminal and method for detecting security of data interaction in terminal
US9338657B2 (en) System and method for correlating security events with subscriber information in a mobile network environment
CA3159619C (en) Packet processing method and apparatus, device, and computer-readable storage medium
CN104601568A (en) Virtual security isolation method and device
WO2020107446A1 (en) Method and apparatus for obtaining attacker information, device, and storage medium
CN111010409A (en) Encryption attack network flow detection method
CN101834870A (en) Method and device for preventing deceptive attack of MAC (Medium Access Control) address
CN102438028A (en) Method, device and system for preventing fraud of dynamic host configuration protocol (DHCP) server
CN104219339A (en) Method and device for detecting address resolution protocol attack in local area network
CN104967632B (en) Webpage abnormal data processing method, data server and system
CN111131186B (en) Http session protection method, device, equipment and medium
CN115023926B (en) Traffic detection method, device, server and storage medium
CN111756716A (en) Flow detection method and device and computer readable storage medium
CN106656966A (en) Method and device for intercepting service processing request
CN105516200B (en) Cloud system method and device of safe processing
CN107707569A (en) DNS request processing method and DNS systems
CN105049546A (en) Client terminal IP address allocation method through DHCP server and device thereof
CN113709129A (en) White list generation method, device and system based on traffic learning
CN105429980A (en) Network security processing method and network security processing device
EP2835944A1 (en) A device having IPv6 firewall functionality and method related thereto

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20160127

WW01 Invention patent application withdrawn after publication