CN109040016B - Information processing method and device and computer readable storage medium - Google Patents

Publication number
CN109040016B
Authority
CN
China
Prior art keywords
access
request
access request
client
abnormal
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201810660852.1A
Other languages
Chinese (zh)
Other versions
CN109040016A (en)
Inventor
耿志
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd
Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection
    • H04L63/1425: Traffic logging, e.g. anomaly detection
    • H04L63/1441: Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the invention discloses an information processing method comprising the following steps: acquiring a malicious behavior feature library, which comprises behavior features of malicious attacks on a server; receiving an access request for accessing the server, the access request carrying an access operation identifier; and determining whether the access request is an abnormal request based on the access operation identifier and the malicious behavior feature library. The embodiment of the invention also discloses an information processing device and a computer-readable storage medium.

Description

Information processing method and device and computer readable storage medium
Technical Field
The present invention relates to information protection technologies in the field of communications, and in particular, to an information processing method, an information processing apparatus, and a computer-readable storage medium.
Background
With the continuous development of science and technology, Virtual Private Network (VPN) technology is used more and more widely; it is commonly used to establish a private network over a public network and to carry encrypted communications, and it is especially widely deployed in enterprise networks. Enterprise networks that use VPN technology are, however, often subjected to network attacks, so in the related art protection measures against network attacks are deployed on the data center side, where the servers are. These data-center-side protections, however, cannot address attacks that are launched through the client, after it has connected to the VPN, against the computers that provide services on the intranet.
Disclosure of Invention
In view of this, embodiments of the present invention provide an information processing method, an information processing apparatus, and a computer-readable storage medium, so as to solve the problem that the protection techniques of the related art cannot address an attack initiated through a client, and to implement protection against attacks initiated by the client.
In order to achieve the purpose, the technical scheme of the invention is realized as follows:
an information processing method, the method comprising:
acquiring a malicious behavior feature library; the malicious behavior feature library comprises behavior features which cause malicious attacks on the server;
receiving an access request for accessing a server; wherein, the access request carries an access operation identifier;
and determining whether the access request is an abnormal request or not based on the access operation identifier and the malicious behavior feature library.
Optionally, the determining, based on the access operation identifier and the malicious behavior feature library, whether the access request is an abnormal request includes:
detecting whether an access operation matched with the access operation identifier exists in the malicious behavior feature library;
if the access operation matched with the access operation identifier exists in the malicious behavior feature library, determining that the access request is an abnormal request;
and if the access operation matched with the access operation identifier does not exist in the malicious behavior feature library, determining that the access request is not an abnormal request.
Optionally, the determining, based on the access operation identifier and the malicious behavior feature library, whether the access request is an abnormal request includes:
acquiring process information of the client;
and determining whether the access request is an abnormal request or not based on the access operation identifier, the malicious behavior feature library and the process information of the client.
Optionally, the determining, based on the access operation identifier, the malicious behavior feature library, and the process information of the client, whether the access request is an abnormal request includes:
if the access operation matched with the access operation identifier exists in the malicious behavior feature library and a process which does not correspond to the application opened in the client at the current moment exists in the processes of the client, determining that the access request is an abnormal request;
and if the access operation matched with the access operation identifier does not exist in the malicious behavior feature library, and the processes of the client correspond to the application opened in the client at the current moment, determining that the access request is not an abnormal request.
Optionally, the method further includes:
if the access request is not an abnormal request, sending the access request to the server; wherein, the access request also carries access data;
receiving notification information which is sent by the server and used for notifying that the access request is an abnormal request; the notification information is obtained after the server analyzes and judges the access request;
and responding to the notification information to disconnect the communication link of the client corresponding to the access request, and setting that the object corresponding to the access request cannot initiate access operation within preset time.
Optionally, after responding to the notification information by disconnecting the communication link of the client corresponding to the access request and setting that the object corresponding to the access request cannot initiate an access operation within the preset time, the method further includes:
recording preset information of the access request to obtain an access log, and storing the access log; the preset information comprises information capable of identifying the client;
correspondingly, the determining whether the access request is an abnormal request based on the access operation identifier and the malicious behavior feature library includes:
determining whether an access request matched with the access operation identifier exists in the access log;
if an access request matched with the access operation identifier exists in the access log, determining that the access request is the abnormal request;
if the access log does not have an access request matched with the access operation identifier, determining whether the access request is the abnormal request or not based on the access operation identifier and the malicious behavior feature library.
An information processing method, the method comprising:
receiving an access request sent by a client; the access request carries an access operation identifier and access data; the access request is sent after the client determines that the access request is not an abnormal request;
determining whether the access request is an abnormal request or not based on the access operation identifier and the access data;
if the access request is the abnormal request, sending notification information for notifying that the access request is the abnormal request to the client; the notification information is used for indicating the client to disconnect the access link and record and store preset information of the access request.
Optionally, the determining, based on the access operation identifier and the access data, whether the access request is an abnormal request includes:
acquiring access data corresponding to the access operation identifier to obtain target access data;
detecting whether the access data matches the target access data;
and if the access data is not matched with the target access data, determining that the access request is the abnormal request.
Optionally, the detecting whether the access data matches the target access data includes:
determining feature access data from the target access data;
detecting whether the access data is the same as the feature access data;
and if the access data is not the same as the characteristic access data, determining that the access data is not matched with the target access data.
Optionally, after sending the notification information for notifying that the access request is the abnormal request to the client if the access request is the abnormal request, the method further includes:
recording preset information of the access request to obtain an access log, and storing the access log; the preset information comprises information capable of identifying the client;
correspondingly, the determining whether the access request is an abnormal request based on the access operation identifier and the access data includes:
determining whether an access request matched with the access operation identifier exists in the access log;
if an access request matched with the access operation identifier exists in the access log, determining that the access request is the abnormal request;
and if the access log does not have the access request matched with the access operation identifier, determining whether the access request is the abnormal request or not based on the access operation identifier and the access data.
A client, the client comprising: a first processor, a first memory, and a first communication bus;
the first communication bus is used for realizing communication connection between the first processor and the first memory;
the first processor is used for executing the information processing program stored in the first memory to realize the following steps:
acquiring a malicious behavior feature library; the malicious behavior feature library comprises behavior features for carrying out malicious attack on a server;
receiving an access request for accessing a server; wherein, the access request carries an access operation identifier;
and determining whether the access request is an abnormal request or not based on the access operation identifier and the malicious behavior feature library.
A server, the server comprising:
a second processor, a second memory, and a second communication bus;
the second communication bus is used for realizing communication connection between the second processor and the second memory;
the second processor is configured to execute the information processing program stored in the second memory to implement the steps of:
receiving an access request sent by a client; the access request carries an access operation identifier and access data; the access request is sent after the client determines that the access request is not an abnormal request;
determining whether the access request is an abnormal request or not based on the access operation identifier and the access data;
if the access request is the abnormal request, sending notification information for notifying that the access request is the abnormal request to the client; the notification information is used for indicating the client to disconnect the access link and record and store preset information of the access request.
A client, the client comprising: a first acquisition unit, a first receiving unit and a first processing unit, wherein:
the first acquisition unit is used for acquiring a malicious behavior feature library; the malicious behavior feature library comprises behavior features for carrying out malicious attack on a server;
the first receiving unit is used for receiving an access request for accessing the server; wherein, the access request carries an access operation identifier;
the first processing unit is configured to determine whether the access request is an abnormal request based on the access operation identifier and the malicious behavior feature library.
A server, the server comprising: a second receiving unit, a second processing unit and a first transmitting unit, wherein:
the second receiving unit is used for receiving an access request sent by a client; the access request carries an access operation identifier and access data; the access request is sent after the client determines that the access request is not an abnormal request;
the second processing unit is used for determining whether the access request is an abnormal request or not based on the access operation identifier and the access data;
the first sending unit is configured to send notification information for notifying that the access request is an abnormal request to the client if the access request is the abnormal request; the notification information is used for indicating the client to disconnect the access link and record and store preset information of the access request.
A computer-readable storage medium storing one or more programs, which are executable by one or more processors, to implement the steps of the information processing method described above.
With the information processing method, the information processing device and the computer-readable storage medium provided by the embodiments of the present invention, a malicious behavior feature library that includes behavior features of malicious attacks on a server is acquired, an access request for accessing the server is received, the access request carrying an access operation identifier, and whether the access request is an abnormal request is then determined based on the access operation identifier and the malicious behavior feature library. Malicious behavior initiated through a client can therefore be identified on the client side, which solves the problem that the protection techniques of the related art cannot address attacks initiated through the client and realizes protection against attacks initiated by the client.
Drawings
FIG. 1 is a flow chart illustrating an information processing method according to an embodiment of the present invention;
FIG. 2 is a flow chart illustrating another information processing method according to an embodiment of the present invention;
FIG. 3 is a flowchart illustrating another information processing method according to an embodiment of the present invention;
FIG. 4 is a flowchart illustrating an information processing method according to another embodiment of the present invention;
FIG. 5 is a schematic structural diagram of a client according to an embodiment of the present invention;
FIG. 6 is a schematic structural diagram of a server according to an embodiment of the present invention;
FIG. 7 is a schematic structural diagram of another client according to an embodiment of the present invention;
FIG. 8 is a schematic structural diagram of another server according to an embodiment of the present invention.
Detailed Description
The technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention.
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
The information processing method provided by the embodiment of the invention can be applied to a system that provides services for an enterprise network based on VPN technology, and the system can comprise a client and a server; the client is used for providing an interface or a platform for a user to communicate with the server; each enterprise may have its own server, and the server is used for providing services for the enterprise network. The VPN gateway realizes remote access by encrypting data packets and translating their destination addresses. VPNs can be classified in a variety of ways, mainly by protocol. The information processing method provided by the embodiment of the invention is mainly aimed at protecting against Denial of Service (DoS) attacks; an attack behavior that causes a denial of service is called a DoS attack, and a DoS attack can make a computer or a network unable to provide normal services. In one possible implementation, the most common DoS attacks are computer network bandwidth attacks and connectivity attacks.
An embodiment of the present invention provides an information processing method, which is shown in fig. 1 and includes the following steps:
Step 101, obtaining a malicious behavior feature library.
The malicious behavior feature library comprises behavior features for carrying out malicious attacks on the server.
In other embodiments of the present invention, the step 101 of obtaining the malicious behavior feature library may be implemented by a client; the client may have the capability to provide an interface or platform for a user to communicate with the server of the enterprise. The malicious behavior feature library may include various attack behavior features that may adversely affect the server, and in a possible implementation, the malicious behavior feature library may include DoS attacks.
The client may obtain the malicious behavior feature library from another server; that other server may be one that has the function of monitoring and recording the various behavior features of malicious attacks on the enterprise's server.
Step 102, receiving an access request for accessing a server.
Wherein, the access request carries the access operation identifier.
In other embodiments of the present invention, the step 102 of receiving an access request for accessing a server may be performed by a client. The access request for accessing the server may be sent by a user who needs to access the server of the enterprise. The access operation identifier is used for uniquely identifying the access operation corresponding to the access request.
Step 103, determining whether the access request is an abnormal request or not based on the access operation identifier and the malicious behavior feature library.
Step 103 of determining whether the access request is an abnormal request based on the access operation identifier and the malicious behavior feature library may be implemented by the client; the client can determine whether the access request is an abnormal request after matching the access operation identifier against the malicious behavior feature library. An abnormal request refers to a request that may adversely affect the server.
In the information processing method provided by the embodiment of the invention, a malicious behavior feature library that includes behavior features of malicious attacks on the server is acquired, an access request for accessing the server is received, the access request carrying an access operation identifier, and whether the access request is an abnormal request is then determined based on the access operation identifier and the malicious behavior feature library. Malicious behavior initiated through the client can therefore be identified on the client side, which solves the problem that the protection techniques of the related art cannot address attacks initiated through the client and realizes protection against attacks initiated by the client.
Based on the foregoing embodiments, an embodiment of the present invention provides an information processing method, which is shown in fig. 2 and includes the following steps:
Step 201, receiving an access request sent by a client.
The access request carries an access operation identifier and access data; the access request is sent after the client determines that the access request is not an abnormal request.
In other embodiments of the present invention, the step 201 of receiving the access request sent by the client may be implemented by a server; the server may be a server that provides services to an enterprise network. The client sends the access request to the server after it has received the access request from the user and has determined, according to the access operation identifier carried in the access request and the malicious behavior feature library, that the access request is not an abnormal request.
Step 202, determining whether the access request is an abnormal request or not based on the access operation identifier and the access data.
In other embodiments of the present invention, step 202 of determining whether the access request is an abnormal request based on the access operation identifier and the access data may be implemented by the server; the server can determine whether the access request is an abnormal request by comparing the access data with the target access data corresponding to the access operation identifier.
Step 203, if the access request is an abnormal request, sending notification information for notifying that the access request is an abnormal request to the client.
The notification information is used for indicating the client to disconnect the access link and record and store the preset information of the access request.
In other embodiments of the present invention, step 203 of sending, if the access request is an abnormal request, notification information for notifying that the access request is an abnormal request to the client may be implemented by the server; after receiving the notification information sent by the server, the client can handle the access request it initiated as an abnormal request according to the notification information.
It should be noted that, for the descriptions of the same steps and the same contents in this embodiment as those in other embodiments, reference may be made to the descriptions in other embodiments, which are not described herein again.
In the information processing method provided by the embodiment of the invention, the client sends the access request carrying the access operation identifier and the access data to the server after determining that the access request is not an abnormal request, and the server, after receiving the access request, determines whether it is an abnormal request based on the access operation identifier and the access data. If the access request is determined to be an abnormal request, the server sends notification information for notifying that the access request is an abnormal request to the client, so that the client can disconnect the access link corresponding to the access request according to the notification information and record and store the preset information of the access request. Malicious behavior initiated through the client is thereby identified on the client side, which solves the problem that the protection techniques of the related art cannot address attacks initiated through the client and realizes protection against attacks initiated by the client.
Based on the foregoing embodiments, an embodiment of the present invention provides an information processing method, which is shown in fig. 3 and includes the following steps:
Step 301, the client acquires a malicious behavior feature library.
The malicious behavior feature library comprises behavior features for carrying out malicious attacks on the server.
In other embodiments of the invention, the malicious traffic signature library may be updated periodically. In addition, in a feasible implementation manner, if the embodiment of the present invention protects against malicious traffic, the malicious behavior feature library may be a malicious traffic feature library. Of course, if the access request is an abnormal request, the traffic corresponding to the access request may be considered as abnormal traffic.
Step 302, the client receives an access request for accessing the server.
Wherein, the access request carries the access operation identifier.
Step 303, the client detects whether an access operation matched with the access operation identifier exists in the malicious behavior feature library.
The detection of whether the access operation matched with the access operation identifier exists in the malicious behavior feature library may be implemented by detecting whether the access operation identical to the access operation corresponding to the access operation identifier exists in the malicious behavior feature library.
Step 304, if the access operation matched with the access operation identifier exists in the malicious behavior feature library, the client determines that the access request is an abnormal request, disconnects the communication link of the client corresponding to the access request, and sets that the object corresponding to the access request cannot initiate an access operation within a preset time.
If an access operation that is the same as the access operation corresponding to the access operation identifier exists in the malicious behavior feature library, the access request can be considered an abnormal request; if no such access operation exists in the malicious behavior feature library, the access request can be regarded as not being an abnormal request. The preset time may be determined according to the degree of the adverse effect that the access request may have on the server, or according to the actual application scenario.
Step 305, if the access operation matched with the access operation identifier does not exist in the malicious behavior feature library, the client determines that the access request is not an abnormal request and sends the access request to the server.
The access request also carries access data.
In other embodiments of the present invention, if there is no access operation matching the access operation identifier in the malicious behavior feature library, the client considers the access request to be a normal request and forwards it to the server as usual, so that communication with the server is completed.
Step 306, the server receives the access request sent by the client.
Step 307, the server acquires the access data corresponding to the access operation identifier to obtain target access data.
The target access data corresponding to the access operation identifier refers to data information that should be included in a corresponding data packet when the access operation is not an abnormal access operation.
Step 308, the server detects whether the access data matches the target access data.
The detection of whether the access data matches the target access data may be performed by detecting whether the access data matches feature access data obtained from the target access data.
Step 309, if the access data is not matched with the target access data, the server determines that the access request is an abnormal request, and sends notification information for notifying that the access request is the abnormal request to the client.
The notification information is used for indicating the client to disconnect the access link and record and store the preset information of the access request.
In step 310, the client receives the notification information sent by the server.
Step 311, the client responds to the notification message to disconnect the communication link of the client corresponding to the access request, and sets that the object corresponding to the access request cannot initiate access operation within a preset time.
It should be noted that, for the descriptions of the same steps and the same contents in this embodiment as those in other embodiments, reference may be made to the descriptions in other embodiments, which are not described herein again.
In the information processing method provided by the embodiment of the invention, a malicious behavior feature library that includes behavior features of malicious attacks on the server is acquired, an access request for accessing the server is received, the access request carrying an access operation identifier, and whether the access request is an abnormal request is then determined based on the access operation identifier and the malicious behavior feature library. If the access request is not an abnormal request, the client sends the access request to the server, and the server, after receiving the access request, determines whether it is an abnormal request based on the access operation identifier and the access data. If the access request is determined to be an abnormal request, the server sends notification information for notifying that the access request is an abnormal request to the client, so that the client can disconnect the access link corresponding to the access request according to the notification information and record and store the preset information of the access request. Malicious behavior initiated through the client is thereby identified on the client side, which solves the problem that the protection techniques of the related art cannot address attacks initiated through the client and realizes protection against attacks initiated by the client.
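The FIG. 3 flow (steps 301 to 311), together with the optional access-log check described earlier, sketched in Python as an added example; it is not code from the patent. The operation identifiers, the `requester` field (standing in for "the object corresponding to the access request"), the in-memory model of the link and the handling of operations that have no target access data are assumptions.

```python
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    requester: str     # assumed stand-in for "the object corresponding to the access request"
    operation_id: str  # access operation identifier
    data: bytes        # access data


class Server:
    """Steps 306-309: compare the access data with the target access data."""

    def __init__(self, target_access_data):
        # operation_id -> feature access data expected for a non-abnormal request
        self.target_access_data = dict(target_access_data)

    def check(self, request):
        expected = self.target_access_data.get(request.operation_id)
        # Assumption: an operation with no target access data counts as a mismatch.
        abnormal = expected is None or request.data != expected
        # The returned dict plays the role of the notification information.
        return {"abnormal": abnormal, "operation_id": request.operation_id}


class Client:
    """Steps 301-305 and 310-311, plus the optional access log."""

    def __init__(self, feature_library, server, block_seconds, clock=time.monotonic):
        self.feature_library = frozenset(feature_library)  # step 301
        self.server = server
        self.block_seconds = block_seconds                 # the "preset time"
        self.clock = clock
        self.blocked_until = {}   # requester -> time at which the block ends
        self.access_log = set()   # (requester, operation_id) flagged by the server

    def _penalise(self, request):
        # Steps 304 / 311: drop the link and refuse operations for the preset time.
        self.blocked_until[request.requester] = self.clock() + self.block_seconds

    def submit(self, request):
        # Step 302: an access request arrives at the client.
        if self.clock() < self.blocked_until.get(request.requester, 0.0):
            return "blocked"
        key = (request.requester, request.operation_id)
        # Access-log check: a request the server flagged before is abnormal at once.
        if key in self.access_log:
            self._penalise(request)
            return "abnormal_log"
        # Steps 303-304: match the identifier against the feature library.
        if request.operation_id in self.feature_library:
            self._penalise(request)
            return "abnormal_client"
        # Step 305: not abnormal on the client side, so forward to the server.
        notification = self.server.check(request)
        if notification["abnormal"]:
            # Steps 310-311, then record the preset information in the access log.
            self._penalise(request)
            self.access_log.add(key)
            return "abnormal_server"
        return "forwarded"


def demo():
    """Run a constructed sequence of requests against a fake clock."""
    now = [0.0]
    server = Server({"OP_READ_REPORT": b"report:2018-Q2"})       # constructed
    client = Client({"OP_BULK_CONNECT"}, server, block_seconds=60,
                    clock=lambda: now[0])
    good = b"report:2018-Q2"
    results = []
    results.append(client.submit(AccessRequest("alice", "OP_READ_REPORT", good)))
    results.append(client.submit(AccessRequest("bob", "OP_BULK_CONNECT", b"")))
    now[0] = 10.0
    results.append(client.submit(AccessRequest("bob", "OP_READ_REPORT", good)))
    results.append(client.submit(AccessRequest("carol", "OP_READ_REPORT", b"tampered")))
    now[0] = 80.0  # both blocks have expired
    results.append(client.submit(AccessRequest("carol", "OP_READ_REPORT", good)))
    results.append(client.submit(AccessRequest("bob", "OP_READ_REPORT", good)))
    return results


if __name__ == "__main__":
    print(demo())
```

Note that once the server has flagged a request, the access-log check keeps rejecting the same requester and operation even after the block expires and even when the access data is valid, which is the behaviour the access-log claims describe.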
Based on the foregoing embodiments, an embodiment of the present invention provides an information processing method, which is shown in fig. 4 and includes the following steps:
Step 401, the client acquires a malicious behavior feature library.
The malicious behavior feature library comprises behavior features for carrying out malicious attacks on the server.
Step 402, the client receives an access request for accessing the server.
Wherein, the access request carries the access operation identifier.
Step 403, the client acquires the process information of the client.
The process information of the client may refer to the processes in the list of processes currently running on the client.
Step 404, the client determines whether the access request is an abnormal request based on the access operation identifier, the malicious behavior feature library and the process information of the client.
In step 404, determining whether the access request is an abnormal request based on the access operation identifier, the malicious behavior feature library and the process information of the client may be implemented in the following manner:
If an access operation matching the access operation identifier exists in the malicious behavior feature library, and the processes of the client include a process that does not correspond to an application opened in the client at the current moment, the access request is determined to be an abnormal request.
A process of the client that does not correspond to an application opened in the client at the current moment means that the application corresponding to a process in the client's current process list differs from the applications currently opened on the client, or that the current process list contains a process inconsistent with the processes of the currently opened applications. In either case, the processes of the client include a process that does not correspond to an application currently opened in the client.
If no access operation matching the access operation identifier exists in the malicious behavior feature library, and the processes of the client all correspond to the applications opened in the client at the current moment, the access request is determined not to be an abnormal request.
The processes of the client all correspond to the applications opened in the client at the current moment when the applications corresponding to the processes in the client's current process list are the same as the applications currently opened on the client, or when every process in the current process list is consistent with the processes of the currently opened applications.
Step 405, if the access request is an abnormal request, the client disconnects a communication link of the client corresponding to the access request, and sets that an object corresponding to the access request cannot initiate access operation within a preset time.
Step 406, if the access request is not an abnormal request, the client sends the access request to the server.
The access request also carries access data.
Step 407, the server receives the access request sent by the client.
Step 408, the server acquires the access data corresponding to the access operation identifier to obtain target access data.
Step 409, the server determines feature access data from the target access data.
The feature access data refers to the data that must be present in the access data of an access request that is not an abnormal request, or to the data that the access request must carry for the access to succeed.
Step 410, the server detects whether the access data is the same as the feature access data.
Detecting whether the access data is identical to the feature access data may be performed by detecting whether data in the feature access data is absent from the access data, or whether data different from the data in the feature access data is present in the access data; if the access data lacks data in the feature access data, or if data different from the data in the feature access data exists in the access data, the access data may be considered different from the feature access data.
Step 411, if the access data is different from the feature access data, the server determines that the access request is an abnormal request, and sends notification information for notifying that the access request is the abnormal request to the client.
The notification information is used for indicating the client to disconnect the access link and record and store the preset information of the access request.
In other embodiments of the present invention, if the server determines that the access request is a normal request, the server forwards the access request to the service server, which responds to it so that the user obtains normal access. The VPN can also keep a detailed access log.
In step 412, the client receives the notification information sent by the server.
Step 413, in response to the notification information, the client disconnects its communication link corresponding to the access request, and sets the object corresponding to the access request so that it cannot initiate an access operation within a preset time.
In one possible implementation, steps 405 and 413 may be followed by:
a. The client records the preset information of the access request to obtain an access log, and stores the access log.
The preset information comprises information capable of identifying the client.
In this way, the client records and marks the access request that is an abnormal request, and the record can be used when judging the next access request.
That is, when the client detects whether the access request is an abnormal request next time, it may first determine whether the access log has an access request matching the access operation identifier;
if the access log has an access request matched with the access operation identifier, the client determines that the access request is an abnormal request;
and if the access log does not have the access request matched with the access operation identifier, the client determines whether the access request is an abnormal request or not based on the access operation identifier and the malicious behavior feature library.
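The client-side decision of steps 401 to 406, with the access-log check of implementation a and the notification handling of steps 412 to 413, is written out below as an added example that is not code from the patent. The class and field names, the sample identifiers, keying the lockout on the client identifier, and forwarding the two mixed cases that step 404 leaves undefined are all assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    ABNORMAL = "abnormal"
    NORMAL = "normal"
    UNSPECIFIED = "unspecified"  # the two mixed cases step 404 does not define


@dataclass(frozen=True)
class AccessRequest:
    client_id: str     # preset information: identifies the client
    operation_id: str  # access operation identifier carried by the request


class ClientGate:
    """Client-side check of steps 401-406 and 412-413 (hypothetical class)."""

    def __init__(self, feature_library, lockout_seconds=300.0):
        self.feature_library = frozenset(feature_library)  # step 401
        self.lockout_seconds = lockout_seconds             # the "preset time"
        self.access_log = []    # (timestamp, client_id, operation_id)
        self.locked_until = {}  # assumption: lockout is keyed by client_id

    def classify(self, request, running, open_app_processes):
        # Implementation a: an operation already recorded as abnormal is
        # abnormal again, without consulting the feature library.
        if any(op == request.operation_id for _, _, op in self.access_log):
            return Verdict.ABNORMAL
        matched = request.operation_id in self.feature_library
        # Steps 403-404: running processes that belong to no open application.
        stray = set(running) - set(open_app_processes)
        if matched and stray:
            return Verdict.ABNORMAL
        if not matched and not stray:
            return Verdict.NORMAL
        return Verdict.UNSPECIFIED

    def _block(self, request, now):
        # Steps 405/413: drop the link (not modelled here), start the
        # lockout, and record the preset information in the access log.
        self.locked_until[request.client_id] = now + self.lockout_seconds
        self.access_log.append((now, request.client_id, request.operation_id))

    def handle(self, request, running, open_app_processes, now):
        """Return (action, verdict) for one request arriving at time `now`."""
        if now < self.locked_until.get(request.client_id, 0.0):
            return "locked_out", None
        verdict = self.classify(request, running, open_app_processes)
        if verdict is Verdict.ABNORMAL:
            self._block(request, now)
            return "blocked", verdict
        # Assumption: UNSPECIFIED is forwarded so the server check decides.
        return "forwarded", verdict

    def on_server_notification(self, request, now):
        # Steps 412-413: the server judged a forwarded request abnormal.
        self._block(request, now)
        return "blocked"


def demo():
    # Constructed sample data; none of these values come from the patent.
    gate = ClientGate({"scan.ports", "flood.syn"}, lockout_seconds=60.0)
    apps = {"browser.exe", "vpnclient.exe"}
    stray = apps | {"x.exe"}
    return [
        # Benign operation, every process belongs to an open application.
        gate.handle(AccessRequest("pc-17", "file.read"), apps, apps, 0.0),
        # Library match plus a stray process: blocked and logged.
        gate.handle(AccessRequest("pc-17", "flood.syn"), stray, apps, 10.0),
        # Same client inside the preset time: refused before any check.
        gate.handle(AccessRequest("pc-17", "file.read"), apps, apps, 30.0),
        # After the lockout, the logged operation is abnormal via the log alone.
        gate.handle(AccessRequest("pc-17", "flood.syn"), apps, apps, 100.0),
        # Library match but no stray process: a case step 404 leaves open.
        gate.handle(AccessRequest("pc-22", "scan.ports"), apps, apps, 100.0),
    ]


if __name__ == "__main__":
    for action, verdict in demo():
        print(action, verdict)
```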
In another possible implementation manner, step 411 may further include:
b. The server records the preset information of the access request to obtain an access log, and stores the access log.
The preset information comprises information capable of identifying the client.
In this manner, the server records and marks the access request that is an abnormal request, and the record can be used when judging the next access request.
That is, when the server detects whether the access request is an abnormal request next time, it may first determine whether an access request matching the access operation identifier exists in the access log;
if the access log has an access request matched with the access operation identifier, the server determines that the access request is an abnormal request;
and if the access log does not have the access request matched with the access operation identifier, the server determines whether the access request is an abnormal request or not based on the access operation identifier and the access data.
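The server-side check of steps 408 to 411, preceded by the log lookup of implementation b, follows as an added example that is not code from the patent. The table of target access data, the field names, the exact-value comparison and the handling of an unknown operation identifier are assumptions.

```python
# Constructed target access data: operation identifier -> field ->
# (expected value, required). The required fields form the feature access
# data of step 409. None of these values come from the patent.
TARGET_ACCESS_DATA = {
    "file.download": {
        "channel": ("vpn-tunnel", True),
        "resource_zone": ("intranet", True),
        "client_build": ("2.4", False),
    },
}


def feature_access_data(target):
    """Step 409: keep only the data a non-abnormal request must carry."""
    return {name: value for name, (value, required) in target.items() if required}


def compare(access_data, feature):
    """Step 410: list every way access_data differs from the feature data."""
    reasons = []
    for name, expected in feature.items():
        if name not in access_data:
            reasons.append(f"missing:{name}")    # feature data is absent
        elif access_data[name] != expected:
            reasons.append(f"different:{name}")  # differing data is present
    return reasons


class Server:
    """Server-side check of steps 407-411 (hypothetical class)."""

    def __init__(self, target_access_data):
        self.target_access_data = target_access_data
        self.access_log = []  # (client_id, operation_id, reasons)

    def check(self, client_id, operation_id, access_data):
        """Return a notification dict for an abnormal request, else None."""
        # Implementation b: consult the server's access log first.
        if any(op == operation_id for _, op, _ in self.access_log):
            reasons = ["previously_flagged"]
        else:
            target = self.target_access_data.get(operation_id)  # step 408
            if target is None:
                # Assumption: the text does not cover unknown identifiers;
                # this example fails closed.
                reasons = ["no_target_access_data"]
            else:
                reasons = compare(access_data, feature_access_data(target))
        if not reasons:
            return None  # normal request: forward to the service server
        # Step 411 and implementation b: record, then notify the client.
        self.access_log.append((client_id, operation_id, reasons))
        return {"type": "abnormal_request", "client_id": client_id,
                "operation_id": operation_id, "reasons": reasons}


def demo():
    server = Server(TARGET_ACCESS_DATA)
    good = {"channel": "vpn-tunnel", "resource_zone": "intranet"}
    return [
        # Carries all feature access data: normal.
        server.check("pc-17", "file.download", good),
        # One value differs and one required field is missing: abnormal.
        server.check("pc-17", "file.download", {"channel": "raw-socket"}),
        # Well-formed request from another client, flagged by the log alone.
        server.check("pc-22", "file.download", good),
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The third request shows a consequence of matching the log on the access operation identifier alone, as the text words it: every later request with that identifier is flagged, whichever client sends it.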
Because the access request is monitored at the client side in this embodiment of the invention, and detailed information can be recorded for an abnormal access request, once an access request sent by the client is determined to be an abnormal request, the client can be located quickly for tracing and the attack blocked. In addition, a DoS attack initiated after connecting through the VPN can be monitored, which avoids the network congestion caused by attack traffic, preserves the speed of normal service requests, and addresses the traffic-attack problem at its root.
It should be noted that, for the descriptions of the same steps and the same contents in this embodiment as those in other embodiments, reference may be made to the descriptions in other embodiments, which are not described herein again.
The information processing method provided by this embodiment of the invention obtains a malicious behavior feature library, which comprises behavior features for carrying out malicious attacks on a server, and receives an access request for accessing the server, the access request carrying an access operation identifier. Whether the access request is an abnormal request is then determined based on the access operation identifier and the malicious behavior feature library. If the access request is not an abnormal request, the client sends the access request to the server, and after receiving the access request, the server determines whether the access request is an abnormal request based on the access operation identifier and the access data. If the access request is determined to be an abnormal request, the server sends notification information for notifying that the access request is an abnormal request to the client, so that the client can disconnect the access link corresponding to the access request according to the notification information and record and store preset information of the access request. In this way, malicious behaviors initiated through the client are identified on the client side, which solves the problem that related protection technologies cannot handle attacks initiated through the client, and achieves protection against such attacks.
Based on the foregoing embodiments, an embodiment of the present invention provides a client, where the client may be applied to the information processing method provided in the embodiments corresponding to fig. 1 and 3 to 4, and as shown in fig. 5, the client 5 may include: a first processor 51, a first memory 52 and a first communication bus 53;
the first communication bus 53 is used for realizing communication connection between the first processor 51 and the first memory 52;
the first processor 51 is configured to execute the information processing program stored in the first memory 52 to implement the following steps:
acquiring a malicious behavior feature library;
the malicious behavior feature library comprises behavior features for carrying out malicious attack on the server;
receiving an access request for accessing a server;
wherein, the access request carries an access operation identifier;
and determining whether the access request is an abnormal request or not based on the access operation identifier and the malicious behavior feature library.
In other embodiments of the present invention, when executing the program stored in the first memory 52 for determining whether the access request is an abnormal request based on the access operation identifier and the malicious behavior feature library, the first processor 51 implements the following steps:
detecting whether an access operation matched with the access operation identifier exists in the malicious behavior feature library;
if the access operation matched with the access operation identifier exists in the malicious behavior feature library, determining that the access request is an abnormal request;
and if the access operation matched with the access operation identifier does not exist in the malicious behavior feature library, determining that the access request is not an abnormal request.
In other embodiments of the present invention, when executing the program stored in the first memory 52 for determining whether the access request is an abnormal request based on the access operation identifier and the malicious behavior feature library, the first processor 51 implements the following steps:
acquiring process information of a client;
and determining whether the access request is an abnormal request or not based on the access operation identifier, the malicious behavior feature library and the process information of the client.
In other embodiments of the present invention, when executing the program stored in the first memory 52 for determining whether the access request is an abnormal request based on the access operation identifier, the malicious behavior feature library and the process information of the client, the first processor 51 implements the following steps:
if the access operation matched with the access operation identifier exists in the malicious behavior feature library and a process which does not correspond to the application opened in the client at the current moment exists in the processes of the client, determining that the access request is an abnormal request;
and if the access operation matched with the access operation identifier does not exist in the malicious behavior feature library, and the processes of the client correspond to the applications opened in the client at the current moment, determining that the access request is not an abnormal request.
In other embodiments of the present invention, the first processor 51 is configured to execute the information processing program stored in the first memory 52 to implement the following steps:
if the access request is an abnormal request, disconnecting a communication link of the client corresponding to the access request, and setting that an object corresponding to the access request cannot initiate access operation within preset time;
if the access request is not an abnormal request, sending the access request to a server;
wherein, the access request also carries access data;
receiving notification information which is sent by a server and used for notifying that the access request is an abnormal request;
the notification information is obtained after the server analyzes and judges the access request;
and responding to the notification information by disconnecting the communication link of the client corresponding to the access request, and setting that the object corresponding to the access request cannot initiate an access operation within a preset time.
In other embodiments of the present invention, the first processor 51 is configured to execute the information processing program stored in the first memory 52 to implement the following steps:
recording preset information of the access request to obtain an access log, and storing the access log;
the preset information comprises information capable of identifying the client.
Correspondingly, determining whether the access request is an abnormal request or not based on the access operation identifier and the malicious behavior feature library, and the method comprises the following steps:
determining whether an access request matched with the access operation identifier exists in the access log;
if the access log has an access request matched with the access operation identifier, determining that the access request is an abnormal request;
and if the access log does not have the access request matched with the access operation identifier, determining whether the access request is an abnormal request or not based on the access operation identifier and the malicious behavior feature library.
It should be noted that, in this embodiment, a specific implementation process of the step executed by the first processor may refer to implementation processes in the information processing method provided in embodiments corresponding to fig. 1, 3 to 4, and details are not described here.
The client provided by this embodiment of the invention obtains a malicious behavior feature library, which comprises behavior features for carrying out malicious attacks on the server, and receives an access request for accessing the server, the access request carrying an access operation identifier. It then determines whether the access request is an abnormal request based on the access operation identifier and the malicious behavior feature library. In this way, malicious behaviors initiated through the client can be identified at the client side, which solves the problem that related protection technologies cannot handle attacks initiated through the client, and achieves protection against such attacks.
Based on the foregoing embodiments, an embodiment of the present invention provides a server, where the server may be applied to the information processing method provided in the embodiments corresponding to fig. 2 to 4, and as shown in fig. 6, the server 6 includes: a second processor 61, a second memory 62 and a second communication bus 63;
the second communication bus 63 is used for realizing communication connection between the second processor 61 and the second memory 62;
the second processor 61 is configured to execute the information processing program stored in the second memory 62 to implement the following steps:
receiving an access request sent by a client;
the access request carries an access operation identifier and access data; the access request is sent after the client determines that the access request is not an abnormal request;
determining whether the access request is an abnormal request or not based on the access operation identifier and the access data;
if the access request is an abnormal request, sending notification information for notifying that the access request is the abnormal request to the client;
the notification information is used for indicating the client to disconnect the access link and record and store the preset information of the access request.
In other embodiments of the present invention, when executing the program stored in the second memory 62 for determining whether the access request is an abnormal request based on the access operation identifier and the access data, the second processor 61 implements the following steps:
acquiring access data corresponding to the access operation identifier to obtain target access data;
detecting whether the access data is matched with the target access data;
and if the access data is not matched with the target access data, determining that the access request is an abnormal request.
In other embodiments of the present invention, when executing the program stored in the second memory 62 for detecting whether the access data matches the target access data, the second processor 61 implements the following steps:
determining feature access data from the target access data;
detecting whether the access data is the same as the feature access data;
and if the access data is not the same as the feature access data, determining that the access data is not matched with the target access data.
In another embodiment of the present invention, after sending the notification information for notifying that the access request is an abnormal request to the client if the access request is an abnormal request, the second processor 61 is further configured to execute the information processing program stored in the second memory 62 to implement the following steps:
recording preset information of the access request to obtain an access log, and storing the access log;
the preset information comprises information capable of identifying the client;
correspondingly, determining whether the access request is an abnormal request or not based on the access operation identifier and the access data comprises the following steps:
determining whether an access request matched with the access operation identifier exists in an access log;
if the access log has an access request matched with the access operation identifier, determining that the access request is an abnormal request;
and if the access log does not have the access request matched with the access operation identifier, determining whether the access request is an abnormal request or not based on the access operation identifier and the access data.
It should be noted that, in this embodiment, a specific implementation process of the step executed by the second processor may refer to an implementation process in the information processing method provided in the embodiments corresponding to fig. 2 to 4, and details are not described here.
In the server provided by this embodiment of the invention, the client sends the access request carrying the access operation identifier and the access data to the server after determining that the access request is not an abnormal request, and after receiving the access request, the server determines whether it is an abnormal request based on the access operation identifier and the access data. If the access request is determined to be an abnormal request, the server sends notification information for notifying that the access request is an abnormal request to the client, so that the client can disconnect the access link corresponding to the access request according to the notification information and record and store preset information of the access request. In this way, malicious behaviors initiated through the client are identified on the client side, which solves the problem that related protection technologies cannot handle attacks initiated through the client, and achieves protection against such attacks.
Based on the foregoing embodiments, an embodiment of the present invention provides a client, and as shown in fig. 7, the client 7 includes: a first obtaining unit 71, a first receiving unit 72 and a first processing unit 73, wherein:
the first obtaining unit 71 is configured to obtain a malicious behavior feature library;
the malicious behavior feature library comprises behavior features for carrying out malicious attack on the server;
a first receiving unit 72 for receiving an access request for accessing the server;
wherein, the access request carries an access operation identifier;
and the first processing unit 73 is configured to determine whether the access request is an abnormal request based on the access operation identifier and the malicious behavior feature library.
In other embodiments of the present invention, the first processing unit 73 includes: a first detection module and a first processing module, wherein:
the first detection module is used for detecting whether an access operation matched with the access operation identifier exists in the malicious behavior feature library;
the first processing module is used for determining that the access request is an abnormal request if the access operation matched with the access operation identifier exists in the malicious behavior feature library;
the first processing module is further configured to determine that the access request is not an abnormal request if the access operation matching the access operation identifier does not exist in the malicious behavior feature library.
In other embodiments of the present invention, the first processing unit 73 further includes: a first acquisition module and a second processing module, wherein:
the first acquisition module is used for acquiring the process information of the client;
and the second processing module is used for determining whether the access request is an abnormal request or not based on the access operation identifier, the malicious behavior feature library and the process information of the client.
In other embodiments of the present invention, the second processing module is further configured to implement the following steps:
if the access operation matched with the access operation identifier exists in the malicious behavior feature library and a process which does not correspond to the application opened in the client at the current moment exists in the processes of the client, determining that the access request is an abnormal request;
and if the access operation matched with the access operation identifier does not exist in the malicious behavior feature library, and the processes of the client correspond to the applications opened in the client at the current moment, determining that the access request is not an abnormal request.
In other embodiments of the present invention, the client further comprises: a second sending unit, wherein:
the first processing unit is further used for disconnecting the communication link of the client corresponding to the access request and setting that the object corresponding to the access request cannot initiate access operation within preset time if the access request is an abnormal request;
the second sending unit is used for sending the access request to the server if the access request is not an abnormal request;
wherein, the access request also carries access data;
the first receiving unit is also used for receiving notification information which is sent by the server and used for notifying that the access request is an abnormal request;
the notification information is obtained after the server analyzes and judges the access request;
the first processing unit is further configured to respond to the notification information to disconnect a communication link, corresponding to the access request, of the client, and set that an object corresponding to the access request cannot initiate an access operation within a preset time.
In other embodiments of the present invention, the client further comprises:
the first recording unit is used for recording preset information of the access request to obtain an access log and storing the access log;
the preset information comprises information capable of identifying the client.
In other embodiments of the present invention, the first processing unit further comprises: a third processing module, configured to implement the following steps:
determining whether an access request matched with the access operation identifier exists in the access log;
if the access log has an access request matched with the access operation identifier, determining that the access request is an abnormal request;
and if the access log does not have the access request matched with the access operation identifier, determining whether the access request is an abnormal request or not based on the access operation identifier and the malicious behavior feature library.
It should be noted that, in this embodiment, specific implementation processes of steps executed in each unit and/or module may refer to implementation processes in the information processing method provided in the embodiments corresponding to fig. 1, 3 to 4, and are not described herein again.
Based on the foregoing embodiment, an embodiment of the present invention provides a server, and as shown in fig. 8, the server 8 includes: a second receiving unit 81, a second processing unit 82 and a first sending unit 83, wherein:
a second receiving unit 81, configured to receive an access request sent by a client;
the access request carries an access operation identifier and access data; the access request is sent after the client determines that the access request is not an abnormal request;
a second processing unit 82, configured to determine whether the access request is an abnormal request based on the access operation identifier and the access data;
a first sending unit 83, configured to send notification information for notifying that the access request is an abnormal request to the client if the access request is an abnormal request;
the notification information is used for indicating the client to disconnect the access link and record and store the preset information of the access request.
In other embodiments of the present invention, the second processing unit includes: a second acquisition module, a second detection module and a fourth processing module, wherein:
the second acquisition module is used for acquiring the access data corresponding to the access operation identifier to obtain target access data;
the second detection module is used for detecting whether the access data is matched with the target access data;
and the fourth processing module is used for determining that the access request is an abnormal request if the access data is not matched with the target access data.
In other embodiments of the present invention, the second detection module is further configured to perform the following steps:
determining feature access data from the target access data;
detecting whether the access data is the same as the feature access data;
and if the access data is not the same as the feature access data, determining that the access data is not matched with the target access data.
In other embodiments of the present invention, the server further comprises:
the second recording unit is used for recording the preset information of the access request to obtain an access log and storing the access log;
the preset information comprises information capable of identifying the client.
In other embodiments of the present invention, the second processing unit includes: a fifth processing module, wherein the fifth processing module is configured to implement the following steps:
determining whether an access request matched with the access operation identifier exists in an access log;
if the access log has an access request matched with the access operation identifier, determining that the access request is an abnormal request;
and if the access log does not have the access request matched with the access operation identifier, determining whether the access request is an abnormal request or not based on the access operation identifier and the access data.
It should be noted that, in this embodiment, specific implementation processes of steps executed in each unit and/or module may refer to implementation processes in the information processing method provided in the embodiments corresponding to fig. 2 to 4, and are not described herein again.
Based on the foregoing embodiments, embodiments of the present invention provide a computer-readable storage medium, where one or more programs are stored, and the one or more programs are executable by one or more processors to implement the steps of the information processing method provided in the embodiments corresponding to fig. 1 and 3 to 4 or the information processing method provided in the embodiments corresponding to fig. 2 to 4.
The computer-readable storage medium may be a Read Only Memory (ROM), a Programmable Read Only Memory (PROM), an Erasable Programmable Read Only Memory (EPROM), an Electrically Erasable Programmable Read Only Memory (EEPROM), a Ferromagnetic Random Access Memory (FRAM), a Flash Memory, a magnetic surface memory, an optical disc, or a Compact Disc Read-Only Memory (CD-ROM); it may also be any of various electronic devices, such as mobile phones, computers, tablet devices and personal digital assistants, that include one or any combination of the above-mentioned memories.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (such as ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (such as a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method described in the embodiments of the present invention.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (13)

1. An information processing method, characterized in that the method comprises:
acquiring a malicious behavior feature library; the malicious behavior feature library comprises behavior features for carrying out malicious attack on a server;
receiving an access request for accessing a server; wherein, the access request carries an access operation identifier;
determining whether the access request is an abnormal request or not based on the access operation identifier and the malicious behavior feature library;
wherein the determining whether the access request is an abnormal request based on the access operation identifier and the malicious behavior feature library comprises:
detecting whether an access operation matched with the access operation identifier exists in the malicious behavior feature library;
if the access operation matched with the access operation identifier exists in the malicious behavior feature library, determining that the access request is an abnormal request;
and if the access operation matched with the access operation identifier does not exist in the malicious behavior database, determining that the access request is not an abnormal request.
2. The method of claim 1, wherein determining whether the access request is an abnormal request based on the access operation identifier and the malicious behavior feature library comprises:
acquiring process information of a client;
and determining whether the access request is an abnormal request or not based on the access operation identifier, the malicious behavior feature library and the process information of the client.
3. The method of claim 2, wherein the determining whether the access request is an abnormal request based on the access operation identifier, the malicious behavior feature library, and the process information of the client comprises:
if the access operation matched with the access operation identifier exists in the malicious behavior feature library and a process which does not correspond to the application opened in the client at the current moment exists in the processes of the client, determining that the access request is an abnormal request;
and if the access operation matched with the access operation identifier does not exist in the malicious behavior feature library, and the processes of the client correspond to the application opened in the client at the current moment, determining that the access request is not an abnormal request.
4. The method according to claim 1 or 3, characterized in that the method further comprises:
if the access request is an abnormal request, disconnecting a communication link of a client corresponding to the access request, and setting that an object corresponding to the access request cannot initiate access operation within preset time;
if the access request is not an abnormal request, sending the access request to the server; wherein, the access request also carries access data;
receiving notification information which is sent by the server and used for notifying that the access request is an abnormal request; the notification information is obtained after the server analyzes and judges the access request;
and responding to the notification information to disconnect the communication link of the client corresponding to the access request, and setting that the object corresponding to the access request cannot initiate access operation within preset time.
5. The method according to claim 4, wherein after the disconnecting the communication link of the client corresponding to the access request and setting that the object corresponding to the access request cannot initiate the access operation within a preset time, the method further comprises:
recording preset information of the access request to obtain an access log, and storing the access log; the preset information comprises information capable of identifying the client;
correspondingly, the determining whether the access request is an abnormal request based on the access operation identifier and the malicious behavior feature library includes:
determining whether an access request matched with the access operation identifier exists in the access log;
if an access request matched with the access operation identifier exists in the access log, determining that the access request is the abnormal request;
if the access log does not have an access request matched with the access operation identifier, determining whether the access request is the abnormal request or not based on the access operation identifier and the malicious behavior feature library.
6. An information processing method, characterized in that the method comprises:
receiving an access request sent by a client; the access request carries an access operation identifier and access data; the access request is sent after the client determines that the access request is not an abnormal request;
determining whether the access request is an abnormal request or not based on the access operation identifier and the access data;
if the access request is the abnormal request, sending notification information for notifying that the access request is the abnormal request to the client; the notification information is used for indicating the client to disconnect an access link and recording and storing preset information of the access request;
wherein the determining whether the access request is an abnormal request based on the access operation identifier and the access data comprises:
acquiring access data corresponding to the access operation identifier to obtain target access data;
detecting whether the access data matches the target access data;
and if the access data is not matched with the target access data, determining that the access request is the abnormal request.
7. The method of claim 6, wherein the detecting whether the access data matches the target access data comprises:
determining feature access data from the target access data;
detecting whether the access data is the same as the feature access data;
and if the access data is not the same as the characteristic access data, determining that the access data is not matched with the target access data.
8. The method according to claim 6, wherein if the access request is the abnormal request, sending notification information for notifying that the access request is the abnormal request to the client, and then further comprising:
recording preset information of the access request to obtain an access log, and storing the access log; the preset information comprises information capable of identifying the client;
correspondingly, the determining whether the access request is an abnormal request based on the access operation identifier and the access data includes:
determining whether an access request matched with the access operation identifier exists in the access log;
if an access request matched with the access operation identifier exists in the access log, determining that the access request is the abnormal request;
and if the access log does not have the access request matched with the access operation identifier, determining whether the access request is the abnormal request or not based on the access operation identifier and the access data.
9. A client, the client comprising: a first processor, a first memory, and a first communication bus;
the first communication bus is used for realizing communication connection between the first processor and the first memory;
the first processor is used for executing the information processing program stored in the first memory to realize the following steps:
acquiring a malicious behavior feature library; the malicious behavior feature library comprises behavior features for carrying out malicious attack on a server;
receiving an access request for accessing a server; wherein, the access request carries an access operation identifier;
determining whether the access request is an abnormal request or not based on the access operation identifier and the malicious behavior feature library;
the first processor is configured to execute the information processing program stored in the first memory, and may further implement the following steps:
detecting whether an access operation matched with the access operation identifier exists in the malicious behavior feature library;
if the access operation matched with the access operation identifier exists in the malicious behavior feature library, determining that the access request is an abnormal request;
and if the access operation matched with the access operation identifier does not exist in the malicious behavior characteristic library, determining that the access request is not an abnormal request.
10. A server, characterized in that the server comprises: a second processor, a second memory, and a second communication bus;
the second communication bus is used for realizing communication connection between the second processor and the second memory;
the second processor is configured to execute the information processing program stored in the second memory to implement the steps of:
receiving an access request sent by a client; the access request carries an access operation identifier and access data; the access request is sent after the client determines that the access request is not an abnormal request;
determining whether the access request is an abnormal request or not based on the access operation identifier and the access data;
if the access request is the abnormal request, sending notification information for notifying that the access request is the abnormal request to the client; the notification information is used for indicating the client to disconnect an access link and recording and storing preset information of the access request;
the second processor is configured to execute the information processing program stored in the second memory, and may further implement:
acquiring access data corresponding to the access operation identifier to obtain target access data;
detecting whether the access data matches the target access data;
and if the access data is not matched with the target access data, determining that the access request is the abnormal request.
11. A client, the client comprising: a first acquisition unit, a first receiving unit and a first processing unit, wherein:
the first acquisition unit is used for acquiring a malicious behavior feature library; the malicious behavior feature library comprises behavior features for carrying out malicious attack on a server;
the first receiving unit is used for receiving an access request for accessing the server; wherein, the access request carries an access operation identifier;
the first processing unit is used for determining whether the access request is an abnormal request or not based on the access operation identifier and the malicious behavior feature library;
the first processing unit includes: a first detection module and a first processing module, wherein:
the first detection module is used for detecting whether an access operation matched with the access operation identifier exists in the malicious behavior feature library;
the first processing module is configured to determine that the access request is an abnormal request if an access operation matching the access operation identifier exists in the malicious behavior feature library;
the first processing module is further configured to determine that the access request is not an abnormal request if the access operation matching the access operation identifier does not exist in the malicious behavior library.
12. A server, characterized in that the server comprises: a second receiving unit, a second processing unit and a first transmitting unit, wherein:
the second receiving unit is used for receiving an access request sent by a client; the access request carries an access operation identifier and access data; the access request is sent after the client determines that the access request is not an abnormal request;
the second processing unit is used for determining whether the access request is an abnormal request or not based on the access operation identifier and the access data;
the first sending unit is configured to send notification information for notifying that the access request is an abnormal request to the client if the access request is the abnormal request; the notification information is used for indicating the client to disconnect an access link and recording and storing preset information of the access request;
the second processing unit includes: a second obtaining module, a second detection module and a fourth processing module, wherein:
the second obtaining module is used for obtaining the access data corresponding to the access operation identifier to obtain target access data;
the second detection module is used for detecting whether the access data is matched with the target access data;
the fourth processing module is configured to determine that the access request is the abnormal request if the access data is not matched with the target access data.
13. A computer-readable storage medium, characterized in that the computer-readable storage medium stores one or more programs which are executable by one or more processors to implement the steps of the information processing method according to any one of claims 1 to 5 or 6 to 8.
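The two-stage check recited in claims 1 and 4 to 7, as an added Python example that is not code from the patent or from its assignee: the client-side gate consults its access log and the malicious behavior feature library before forwarding, and the server compares the carried access data with the feature access data for that operation. The class names, verdict strings, keying the access log on the (client, operation) pair, and treating an operation with no target access data as a mismatch are assumptions of this example; all identifiers and data values are constructed.

```python
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    client_id: str         # information capable of identifying the client
    operation_id: str      # access operation identifier
    access_data: str = ""  # access data carried to the server


class Server:
    """Server-side check of claims 6 and 7."""

    def __init__(self, feature_access_data):
        # operation_id -> feature access data expected for it (constructed values)
        self.feature_access_data = dict(feature_access_data)

    def notify_if_abnormal(self, req):
        """Return notification information for an abnormal request, else None."""
        expected = self.feature_access_data.get(req.operation_id)
        # Assumption: an operation with no target access data never matches.
        if expected is None or req.access_data != expected:
            return {"abnormal": True, "operation_id": req.operation_id}
        return None


class ClientGate:
    """Client-side check of claims 1, 4 and 5, placed in front of the server."""

    def __init__(self, feature_library, server, block_seconds=300.0,
                 clock=time.monotonic):
        self.feature_library = frozenset(feature_library)
        self.server = server
        self.block_seconds = block_seconds  # the "preset time" of claim 4
        self.clock = clock
        self.access_log = set()   # (client_id, operation_id) of abnormal requests
        self.blocked_until = {}   # client_id -> time at which the block ends

    def _reject(self, req, verdict):
        # Claim 4: drop the link and bar further access for the preset time.
        # Claim 5: record the request so that a repeat is caught from the log.
        self.blocked_until[req.client_id] = self.clock() + self.block_seconds
        self.access_log.add((req.client_id, req.operation_id))
        return verdict

    def submit(self, req):
        if self.clock() < self.blocked_until.get(req.client_id, float("-inf")):
            return "blocked"
        if (req.client_id, req.operation_id) in self.access_log:
            return self._reject(req, "abnormal:access-log")
        if req.operation_id in self.feature_library:
            return self._reject(req, "abnormal:feature-library")
        # Not abnormal locally: send it on, then act on any server notification.
        if self.server.notify_if_abnormal(req) is not None:
            return self._reject(req, "abnormal:server-notified")
        return "forwarded"


if __name__ == "__main__":
    server = Server({"read_report": "report_id=42"})
    gate = ClientGate({"drop_table"}, server, block_seconds=60)
    for r in (AccessRequest("c1", "read_report", "report_id=42"),
              AccessRequest("c2", "drop_table"),
              AccessRequest("c3", "read_report", "report_id=42;extra")):
        print(r.client_id, r.operation_id, "->", gate.submit(r))
```

Passing a fake `clock` makes the preset-time block and the later access-log hit testable without waiting for real time to elapse.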
CN201810660852.1A 2018-06-25 2018-06-25 Information processing method and device and computer readable storage medium Active CN109040016B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810660852.1A CN109040016B (en) 2018-06-25 2018-06-25 Information processing method and device and computer readable storage medium

Publications (2)

Publication Number Publication Date
CN109040016A CN109040016A (en) 2018-12-18
CN109040016B true CN109040016B (en) 2021-04-09

Family

ID=64611132

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810660852.1A Active CN109040016B (en) 2018-06-25 2018-06-25 Information processing method and device and computer readable storage medium

Country Status (1)

Country Link
CN (1) CN109040016B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant