CN109379389A - Network attack defence method and relevant device - Google Patents
- Publication number: CN109379389A (application CN201811572570.2A)
- Authority: CN (China)
- Prior art keywords: target, attribute values, browser, server, page
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
Abstract
This application provides a network attack defence method. After receiving a page access request sent by a browser, the server obtains the parent page corresponding to the request; every code block of the parent page includes a tag attribute. The server generates a target attribute value and assigns it to all of the tag attributes to obtain a target page. The server then judges whether the attribute value of the tag attribute of every code block of the target page is consistent with the target attribute value. If so, the target page is returned to the browser; if the attribute value of the tag attribute of any code block is inconsistent with the target attribute value, it is determined that an attack on the target page exists, and the target page is not returned to the browser. Compared with the prior art, the server does not detect according to features of the malicious code but adds a pre-generated target attribute value to every code block; as long as a code block does not carry that target attribute value, an attack can be determined to exist, so detection coverage is more comprehensive.
Description
Technical field
This application relates to the technical field of network security, and more specifically to a network attack defence method and relevant device.
Background art
With the rapid development of the Internet, network service systems provide a platform for information exchange to governments, enterprises and individuals, and this platform aggregates a huge amount of valuable information. While bringing convenience, the Internet has also brought huge challenges.
At present, network service systems tend to be complex, vulnerabilities are increasingly numerous, and the attack patterns available to attackers are also increasingly numerous. One attack pattern in particular is to implant malicious code after the server has generated the page; after the implanted malicious code is sent to the client, it attacks the client.
In the prior art, the solution to such network attacks is malicious code detection technology based on scripting languages: the static features and dynamic features of malicious script code are analysed with machine learning techniques to determine whether the code is malicious. This method is relatively mature in application, but it cannot completely detect the malicious code that an attacker has implanted into the page.
Summary of the invention
In view of this, this application provides a network attack defence method. In addition, the present invention also provides network attack defence devices, to guarantee the application and realization of the method in practice.
To achieve the above object, the technical solution provided by this application is as follows:
In a first aspect, the present invention provides a network attack defence method applied to a server, the method comprising:
after receiving a page access request sent by a browser, obtaining the parent page corresponding to the page access request, wherein all code blocks of the parent page include tag attributes;
generating a target attribute value;
adding the target attribute value to each tag attribute, to obtain a target page;
before returning the target page to the browser, judging whether the attribute values of the tag attributes of the code blocks of the target page are consistent with the target attribute value;
if the attribute values of the tag attributes of all code blocks are consistent with the target attribute value, returning the target page to the browser;
if the attribute value of the tag attribute of any code block is inconsistent with the target attribute value, determining that an attack on the target page exists, and prohibiting the target page from being returned to the browser.
In a second aspect, the present invention provides a network attack defence method applied to a browser, the method comprising:
sending a page access request, to trigger the server to obtain the parent page corresponding to the page access request and to add a target attribute value to the tag attributes included in all code blocks of the parent page, so as to obtain a target page;
obtaining the target attribute value generated by the browser, wherein the target attribute value generated by the browser is identical to the target attribute value generated by the server;
receiving the target page returned by the server;
judging whether the attribute values of the tag attributes of the code blocks in the target page are consistent with the target attribute value generated by the browser;
if the attribute values of the tag attributes of all code blocks are consistent with the target attribute value, executing the target page;
if the attribute value of the tag attribute of any code block is inconsistent with the target attribute value, determining that an attack on the target page exists.
In a third aspect, the present invention provides a network attack defence device applied to a server, the device comprising:
an access module, for obtaining, after a page access request sent by a browser is received, the parent page corresponding to the page access request, wherein all code blocks of the parent page include tag attributes;
a generation module, for generating a target attribute value;
an attribute adding module, for adding the target attribute value to each tag attribute, to obtain a target page;
an attribute value judgment module, for judging, before the target page is returned to the browser, whether the attribute values of the tag attributes of the code blocks of the target page are consistent with the target attribute value;
a page return module, for returning the target page to the browser if the attribute values of the tag attributes of all code blocks are consistent with the target attribute value;
a page return prohibiting module, for determining that an attack on the target page exists and prohibiting the target page from being returned to the browser if the attribute value of the tag attribute of any code block is inconsistent with the target attribute value.
In a fourth aspect, the present invention provides a network attack defence device applied to a browser, the device comprising:
an access request sending module, for sending a page access request, to trigger the server to obtain the parent page corresponding to the page access request and to add a target attribute value to the tag attributes included in all code blocks of the parent page, so as to obtain a target page;
an attribute value obtaining module, for obtaining the target attribute value generated by the browser, wherein the target attribute value generated by the browser is identical to the target attribute value generated by the server;
a page receiving module, for receiving the target page returned by the server;
an attribute value judgment module, for judging whether the attribute values of the tag attributes of the code blocks in the target page are consistent with the target attribute value generated by the browser;
a page executing module, for executing the target page if the attribute values of the tag attributes of all code blocks are consistent with the target attribute value;
a page determining module, for determining that an attack on the target page exists if the attribute value of the tag attribute of any code block is inconsistent with the target attribute value.
In a fifth aspect, the present invention provides a network attack defence system, comprising a client and a server;
the client is used for: sending a page access request to the server; performing time synchronization with the server to negotiate an identical object time point; generating a target attribute value using the object time point; receiving the target page returned by the server; judging whether the attribute values of the tag attributes of the code blocks in the target page are consistent with the target attribute value; if the attribute values of the tag attributes of all code blocks are consistent with the target attribute value, executing the target page; if the attribute value of the tag attribute of any code block is inconsistent with the target attribute value, determining that a network attack on the target page exists;
the server is used for: after receiving the page access request sent by the client, obtaining the parent page corresponding to the page access request; performing time synchronization with the client to negotiate an identical object time point; generating a target attribute value using the object time point, and adding the target attribute value to the tag attributes in all code blocks of the parent page, to obtain a target page; before returning the target page to the client, judging whether the attribute values of the tag attributes of the code blocks of the target page are consistent with the target attribute value; if the attribute values of the tag attributes of all code blocks are consistent with the target attribute value, returning the target page to the client; if the attribute value of the tag attribute of any code block is inconsistent with the target attribute value, determining that an attack on the target page exists, and prohibiting the target page from being returned to the client.
In a sixth aspect, the present invention provides a storage medium on which a computer program is stored; when the computer program is executed by a processor, the network attack defence method described above is realized.
As can be seen from the above technical solutions, this application provides a network attack defence method in which the server, after receiving a page access request sent by a browser, obtains the parent page corresponding to the page access request, all code blocks of which include tag attributes; the server generates a target attribute value and assigns it to all the tag attributes, to obtain a target page; before returning the target page to the browser, the server judges whether the attribute values of the tag attributes of all code blocks of the target page are consistent with the target attribute value; if so, the target page is returned to the browser, and if the attribute value of the tag attribute of any code block is inconsistent with the target attribute value, it is determined that an attack on the target page exists and the target page is not returned to the browser. Compared with the prior art, the server does not detect according to features of the malicious code but adds a pre-generated target attribute value to all code blocks; as long as a code block does not carry that target attribute value, an attack can be determined to exist, so detection coverage is more comprehensive and the mode is simpler.
Brief description of the drawings
In order to explain the technical solutions in the embodiments of this application or in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description are only embodiments of this application, and those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a flow chart of a network attack defence method;
Fig. 2 is another flow chart of a network attack defence method;
Fig. 3 is a structural schematic diagram of a network attack defence system;
Fig. 4 is a structural schematic diagram of a network attack defence device applied to a server;
Fig. 5 is a structural schematic diagram of a network attack defence device applied to a web browser.
Detailed description of embodiments
The technical solutions in the embodiments of this application will be described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of this application, not all of them. Based on the embodiments in this application, all other embodiments obtained by those of ordinary skill in the art without creative effort fall within the protection scope of this application.
A user can send a request to access a page to the server through the browser. After receiving the page access request, the server obtains the page corresponding to the request and returns it to the browser; after receiving the page, the browser executes it to present the page to the user. During this access process, an attacker may mount a network attack on the page.
The specific attack pattern of the network attack addressed in this application is that malicious code is implanted after the server generates the page, and after the implanted malicious code is sent to the client, it attacks the client. Of course, network attacks take many concrete forms, which this application does not list one by one. It should be noted that the essence of the network attack is to implant malicious code into the page that the server returns to the browser, and the purpose of the present invention is to completely search out the malicious code in the page.
Refer to Fig. 1, which illustrates the flow of a network attack defence method. As shown in Fig. 1, the method may specifically include steps S101 to S106.
S101: the browser sends a page access request to the server.
When the user opens the browser and clicks a page link, the browser sends a page access request to the server. The page access request can trigger the server to obtain the parent page. For example, when the user wants to open the official iqiyi.com video page to watch a video, the user opens the browser and clicks the iqiyi.com link on the browser's home page; the browser then sends a request for the official iqiyi.com video page to the server, which triggers the server to obtain the parent page corresponding to that page.
S102: the server obtains the parent page corresponding to the page access request, wherein all code blocks of the parent page include tag attributes.
Specifically, after receiving the page access request sent by the browser, the server searches the pre-stored parent pages for the parent page corresponding to the page access request.
A parent page consists of code blocks, and a code block can be regarded as a page element with a tag. Each code block contains a tag attribute, that is to say, each tag includes a tag attribute. For example, the parent page contains tags of various types such as <script> tags, <head> tags and picture element tags; all code blocks in the parent page are traversed to find all of these tags, and tag attributes are then added to them.
It should be noted that the tag attribute is set in the parent page in advance. It is a customised tag attribute, used to judge whether a code block is one that an attacker has added to the parent page. The tag attribute may be called Token-ID, though of course it may also be given another name.
The parent page obtained in this step includes tag attributes; the tag attributes can be generated in several ways.
One generation mode is to add the tag attributes to all code blocks of the parent page before the parent page is deployed to the production environment.
Specifically, after writing the code blocks of the parent page, the developer needs to test them, and only after they pass testing can they be deployed to the server's production environment. Before deployment to the production environment the developer will not add code to the parent page again, so the time before this point is a safe period. Within the safe period, all code of the parent page is therefore analysed linearly, with the aim of traversing the tags in all code blocks and adding a tag attribute to each of these tags; this tag attribute can be named Token-ID.
The parent page with tag attributes is deployed to the production environment, so that it can be accessed by the client's browser; that is to say, the server can obtain the parent page according to the browser's page access request. In this implementation, the parent page already includes tag attributes before the browser sends the page access request.
Another generation mode is to add the tag attributes to all code blocks of the parent page after the page access request sent by the browser is received. In this implementation, the server adds the tag attributes to the code blocks of the parent page only after receiving the browser's page access request.
S103: the server generates a target attribute value and adds the target attribute value to each tag attribute, to obtain a target page.
Here, in addition to triggering the server to obtain the parent page, the page access request issued by the browser can also trigger the server to add a target attribute value to the tag attributes of the code blocks. The parent page with the target attribute value added can be called the target page.
After the server receives the browser's page access request, it can generate an attribute value and add it to the tag attributes. To distinguish it from other attribute values mentioned below, the attribute value that the server generates based on the page access request can be called the target attribute value. Each time the server receives a page access request from a browser, the server generates a target attribute value; different page access requests trigger the server to generate different target attribute values.
There are several ways of generating the target attribute value.
One generation mode is random generation. Specifically, multiple encryption algorithms can be preset in the server; when the server receives a page access request, it randomly calls one of the encryption algorithms to generate the target attribute value, and the encryption algorithm uses a random function to generate the target attribute value.
Another generation mode takes a time parameter as the input parameter and obtains the target attribute value after processing the time parameter, for example by hashing it. The time parameter can be a time point negotiated between the server and the browser, which can be called the object time point. The specific generation mode is described below and is not repeated here.
It should be noted that after the server obtains the target page, the target page may suffer an attack in which an attacker injects malicious code, so the detection process of step S104 needs to be executed.
S104: before returning the target page to the browser, the server judges whether the attribute values of the tag attributes of the code blocks of the target page are consistent with the target attribute value. If the attribute values of the tag attributes of all code blocks are consistent with the target attribute value, step S105 is executed; if the attribute value of the tag attribute of any code block is inconsistent with the target attribute value, step S106 is executed.
Specifically, to guarantee that the page returned to the browser is a page that has not been attacked, the server needs to perform a security check on the target page before returning it to the browser.
The check consists of judging whether the attribute values of the tag attributes of all code blocks in the target page are consistent with the generated target attribute value. The reason for checking in this way is that an attacker may inject malicious code into the target page, but the malicious code either has no tag attribute, or has a tag attribute whose value is not the target attribute value generated by the server; therefore whether the target page is safe can be detected by checking the attribute values of the tag attributes of the code blocks.
The reason an attacker cannot add the tag attribute and attribute value to the malicious code is that the attacker cannot easily determine the name of the added tag attribute; and even if the attacker is able to determine the tag attribute, the server assigns the target attribute value to the tag attributes of the target page immediately after generating it and then destroys the target attribute value. This process takes a very short time, so the attacker has difficulty finding an opportunity to steal the target attribute value. Therefore, even if the attacker can obtain the tag attribute, the target attribute value cannot be obtained.
It should be noted that if, during the judgement, a code block is found to have no tag attribute, the attribute value of the tag attribute is regarded as empty; an empty attribute value differs from the target attribute value and therefore also indicates that the attribute value of the tag attribute differs from the target attribute value. The judgement in this step therefore implicitly contains two parts: first, whether all code blocks have the tag attribute; second, whether the attribute values of the tag attributes of all code blocks are identical to the target attribute value. Only when both results are yes is the final judgement result considered yes; if either result is no, the final judgement result is considered no.
S105: the server returns the target page to the browser.
Here, if the server judges that the attribute values of the tag attributes of all code blocks are identical to the target attribute value, it determines that the target page is a secure page that has not been attacked, and then returns the target page to the browser.
S106: the server determines that an attack on the target page exists and prohibits the target page from being returned to the browser.
Here, as long as the attribute value of the tag attribute of any one code block is inconsistent with the target attribute value, the server can determine that an attack on the target page exists, and then prohibits returning the target page to the browser.
From the above technical scheme, this application provides a network attack defence method in which the server, after receiving a page access request sent by a browser, obtains the parent page corresponding to the page access request, all code blocks of which include tag attributes; the server generates a target attribute value and assigns it to all the tag attributes, to obtain a target page; before returning the target page to the browser, the server judges whether the attribute values of the tag attributes of all code blocks of the target page are consistent with the target attribute value; if so, the target page is returned to the browser, and if the attribute value of the tag attribute of any code block is inconsistent with the target attribute value, it is determined that an attack on the target page exists and the target page is not returned to the browser. Compared with the prior art, the server does not detect according to features of the malicious code but adds a pre-generated target attribute value to all code blocks; as long as a code block does not carry that target attribute value, a network attack can be determined to exist, so detection coverage is more comprehensive and the mode is simpler.
In the network attack defence method provided by the above embodiment, the server performs detection before returning the target page to the browser; to distinguish it from the browser's detection described below, this detection can be called the first detection. It is known that, in addition to possibly attacking the server, an attacker may also intercept the target page during its transmission and inject malicious code into it. Therefore, the browser can also perform a security check before executing the target page, and this detection can be called the second detection.
It should be noted that the detection idea of the server's first detection and the browser's second detection is the same: both judge whether the attribute values of all code blocks in the target page are identical to the pre-generated target attribute value, and the judgement result determines whether the target page has been attacked. This detection mode can check all code blocks, which avoids the missed detections of the prior art.
Refer to Fig. 2, which illustrates another network attack defence method provided by an embodiment of this application. As shown in Fig. 2, the method may specifically include steps S201 to S208.
S201: the browser sends a page access request to the server.
S202: the server obtains the parent page corresponding to the page access request, wherein all code blocks of the parent page include tag attributes.
S203: the server generates a target attribute value and adds the target attribute value to each tag attribute, to obtain a target page.
For an explanation of the above steps, refer to the related description in the above embodiment, which is not repeated here.
S204: the server returns the target page to the browser.
S205: the browser obtains the target attribute value that it generates itself.
Here, the browser can also generate a target attribute value itself; it should be noted that the target attribute value generated by the browser is identical to the target attribute value generated by the server. The two target attribute values need to be identical because the browser's purpose in obtaining the target attribute value is to verify the attribute values of the code blocks in the target page with it, and the attribute values of the code blocks in the target page are the target attribute value assigned by the server; the browser therefore needs to use the identical target attribute value to verify the attribute values of the code blocks in the target page.
In order to guarantee that the server and the browser generate identical target attribute values, the target attribute value can be generated in the following way:
time synchronization is performed between the browser and the server to negotiate an identical object time point; the browser calls the event generator deployed on the browser, so that the event generator on the browser generates the target attribute value according to the object time point; and the server calls the event generator deployed on the server, so that the event generator on the server generates the target attribute value according to the object time point.
Specifically, after the server receives the page access request, it needs to generate a target attribute value for the tag attributes. Before generating the target attribute value, the server and the browser carry out a time negotiation process to determine an identical time point on both sides, and this time point is used as the time parameter for generating the target attribute value. For ease of description, this time point can be called the object time point. The object time point is a time point agreed during the negotiation, for example the time point three seconds after the negotiation completes; it can be seen that the object time point varies, so the generated target attribute value also varies.
An event generator can be deployed on both the browser and the server. The event generator is a section of code with a built-in processing function for turning the time parameter into the target attribute value. The browser uses the same processing function as the server and processes the identical object time point to obtain the target attribute value, so the target attribute values generated by the two sides are consistent.
It should be noted that the time negotiation process can also be executed by the event generators, i.e. the event generators can perform the time synchronization. The time synchronization is similar to the "three-way handshake" process in network protocols and is not repeated here.
S206: the browser judges whether the attribute values of the tag attributes of the code blocks in the target page are consistent with the target attribute value generated by the browser. If the attribute values of the tag attributes of all code blocks are consistent with the target attribute value, step S207 is executed; if the attribute value of the tag attribute of any code block is inconsistent with the target attribute value, step S208 is executed.
Here, after the browser obtains the target attribute value, it can use the same judgement method as the server to judge the attribute values of the code blocks in the target page.
S207: the browser executes the target page.
Here, if the browser's judgement finds that the attribute values of the tag attributes are consistent with the target attribute value, this shows that the code blocks were added by the developer and that there are no code blocks added by an attacker; the browser then determines that no network attack on the target page exists, and presents the target page to the user.
S208: the browser determines that an attack on the target page exists.
Specifically, if the browser detects that the attribute value of a tag attribute is inconsistent with the target attribute value, this shows that the target page contains a code block added by an attacker, and the browser determines that an attack on the target page exists. Moreover, in order to prevent a target page under attack from affecting the browser, execution of the target page can be prohibited.
As can be seen from the above technical solutions, this application provides a network attack defence method in which the browser issues a page access request to the server; the server obtains the parent page corresponding to the page access request, adds a target attribute value to the tag attributes of the parent page to obtain a target page, and returns the target page to the browser; the browser obtains the target attribute value it generates itself, which is identical to the target attribute value generated by the server, judges whether the attribute values of the tag attributes of the code blocks of the target page are consistent with the browser's own target attribute value, and determines according to the judgement result whether an attack on the target page exists. It can be seen that, merely by checking whether the attribute values of the tag attributes of the code blocks are consistent with the target attribute value, this method can determine whether an attack on the target page exists; compared with the prior art it does not need to rely on features of the abnormal code, so detection coverage is more comprehensive and the mode is simpler.
It should be noted that although the attacker cannot steal the target attribute value from the server side, the attacker may steal the target attribute value while the target page is being returned to the browser. A target attribute value stolen at this time cannot be used against the target page corresponding to that value; it can only be used to attack the target page that the server generates next time. But the server generates a new target attribute value when it generates the next target page, so even if the attacker puts the stolen target attribute value into that target page, the inserted value differs from the legitimate target attribute value in the target page, and can thus be detected by the server or the browser.
In addition to determining whether a network attack on the target page exists, the network attack defence method can also identify the abnormal code corresponding to the attack.
Specifically, code blocks in the target page that do not include the tag attribute, and code blocks whose tag attribute value is inconsistent with the predetermined attribute value, can be determined to have been added not by the developer but by an attacker. Therefore, once either the server or the browser has determined that a network attack on the target page exists, it can determine as abnormal code every code block in which the attribute value of the tag attribute is inconsistent with the target attribute value.
Further, after the browser determines that abnormal code exists, it can prohibit the abnormal code from executing when the target page is executed. The browser can also send the relevant information of the abnormal code to the server. The server receives the relevant information of the abnormal code returned by the browser and, according to the relevant information, deletes the abnormal code from the target page. The relevant information of the abnormal code includes the position of the abnormal code in the target page.
One specific deletion mode is as follows: the server receives the relevant information of the abnormal code, copies the target page to obtain a duplicate page, deletes the abnormal code from the duplicate page according to the relevant information of the abnormal code, and replaces the target page with the duplicate page from which the abnormal code has been deleted.
The present application also provides a network attack defence system that verifies the target page twice. Specifically, the system includes a client and a server.
The client is configured to send a page access request to the server; perform time synchronization with the server to negotiate an identical target time point; generate the target attribute value using the target time point; receive the target page returned by the server; judge whether the attribute value of the tag attribute of each code block in the target page is consistent with the target attribute value; if the attribute values of the tag attributes of all code blocks are consistent with the target attribute value, execute the target page; and if the attribute value of the tag attribute of any code block is inconsistent with the target attribute value, determine that a network attack on the target page exists.
The server is configured to, after receiving the page access request sent by the client, obtain the parent page corresponding to the page access request; perform time synchronization with the client to negotiate an identical target time point; generate the target attribute value using the target time point and add the target attribute value to the tag attributes in all code blocks of the parent page to obtain the target page; before returning the target page to the client, judge whether the attribute value of the tag attribute of each code block of the target page is consistent with the target attribute value; if the attribute values of the tag attributes of all code blocks are consistent with the target attribute value, return the target page to the client; and if the attribute value of the tag attribute of any code block is inconsistent with the target attribute value, determine that a network attack on the target page exists and prohibit returning the target page to the client.
It can be seen that the system can detect both attacks that occur on the server and attacks that occur during transmission of the target page, so its detection is more comprehensive. It should be noted that the system can also determine and handle abnormal code according to the method described above.
See Fig. 3, which shows a specific structure of the network attack defence system provided by the present application. The client sends a page access request to the server, and the server obtains the parent page corresponding to the page access request. An event generator is deployed on both the server and the client; after receiving the page access request, the server needs to call the event generator to generate the target attribute value. It should be noted that the event generators of the two sides have a synchronization mechanism, through which they generate two completely identical target attribute values.
Each code block in the parent page includes a tag attribute, and the server assigns the target attribute value to each tag attribute to obtain the target page. Before returning the target page to the client, the server judges the target page using the target attribute value to determine whether a network attack exists in the target page: if the target attribute value is identical to the attribute value of the tag attribute of every code block in the target page, the server returns the target page to the client; if the attribute value of the tag attribute of any code block differs from the target attribute value, the server denies access, that is, it prohibits returning the target page to the client.
After the target page reaches the client, the client judges the target page in the same way. If no network attack is detected, the target page is displayed to the user; if a network attack is detected, access is denied, that is, the target page is prohibited from being displayed to the user.
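As an added example (not code from the application or its applicant), the following Python model walks through the procedure just described: the event generator on each side derives the target attribute value from the negotiated target time point, the server assigns it to every code block and checks the target page before returning it, the browser regenerates the value and checks the received page, and the server deletes the reported abnormal code from a copy of the page. The attribute name `data-tav`, the HMAC-based event generator, modelling code blocks as `<script>` elements, the block index as the reported position, and the sample page are all assumptions.

```python
import hashlib
import hmac
import re
from html.parser import HTMLParser

# Assumed names (hypothetical; the application does not fix them):
TAG_ATTR = "data-tav"    # the global tag attribute that carries the target attribute value
CODE_TAGS = {"script"}   # "code blocks" are modelled as <script> elements

def generate_target_value(time_point: int, seed: bytes) -> str:
    """Event generator model: both sides derive the same value from the negotiated target
    time point. Keying an HMAC with a shared seed is an assumption; the application only
    says the two generators are synchronized."""
    return hmac.new(seed, str(time_point).encode(), hashlib.sha256).hexdigest()[:16]

class _CodeBlockScanner(HTMLParser):
    """Record every code block as (start_offset, end_offset, attrs) in the page source."""

    def __init__(self, source):
        super().__init__()
        self._src, self._open, self.blocks = source, None, []
        self._line_starts = [0] + [m.end() for m in re.finditer(r"\n", source)]

    def _abs(self):
        line, col = self.getpos()  # position of the '<' of the tag being handled
        return self._line_starts[line - 1] + col

    def handle_starttag(self, tag, attrs):
        if tag in CODE_TAGS:
            self._open = (self._abs(), dict(attrs))

    def handle_endtag(self, tag):
        if tag in CODE_TAGS and self._open is not None:
            start, attrs = self._open
            self.blocks.append((start, self._src.index(">", self._abs()) + 1, attrs))
            self._open = None

def scan(page):
    scanner = _CodeBlockScanner(page)
    scanner.feed(page)
    scanner.close()
    return scanner.blocks

def add_target_attribute(parent_page, value):
    """Server: assign the target attribute value to every code block's tag attribute
    (an attribute added before deployment is overwritten). Edited last-to-first so the
    offsets of earlier blocks stay valid; assumes no '>' inside attribute values."""
    out = parent_page
    for start, _end, _attrs in reversed(scan(parent_page)):
        gt = out.index(">", start)  # end of the opening tag
        open_tag = re.sub(r'\s+%s="[^"]*"' % re.escape(TAG_ATTR), "", out[start:gt])
        out = out[:start] + open_tag + f' {TAG_ATTR}="{value}"' + out[gt:]
    return out

def find_abnormal_blocks(target_page, value):
    """Check run by the server before returning the page and by the browser on receipt:
    a block whose tag attribute is missing or differs from the target attribute value is
    abnormal code. Returns (index, start, end) triples; empty means the page passes."""
    return [(i, start, end) for i, (start, end, attrs) in enumerate(scan(target_page))
            if attrs.get(TAG_ATTR) != value]

def delete_abnormal_code(target_page, value, reported_indexes):
    """Server: delete the blocks the browser reported (by block index) from a copy of the
    target page, re-checking each one so a correctly tagged block is never removed."""
    blocks, page_copy = scan(target_page), target_page
    for i in sorted(set(reported_indexes), reverse=True):
        if i < len(blocks) and blocks[i][2].get(TAG_ATTR) != value:
            start, end, _attrs = blocks[i]
            page_copy = page_copy[:start] + page_copy[end:]
    return page_copy

# Constructed sample parent page and a constructed block standing in for code that a
# third party inserted during transmission (neither comes from the application).
PARENT_PAGE = """<html><head><title>demo</title>
<script src="/static/app.js"></script></head>
<body><p>hello</p>
<script>console.log("developer-added inline block");</script>
</body></html>"""
INJECTED = '<script>alert("injected")</script>'

def demo(time_point=1545350400, seed=b"constructed-demo-seed"):
    """Full round: server tags and checks, browser regenerates and checks, server deletes."""
    server_value = generate_target_value(time_point, seed)
    target_page = add_target_attribute(PARENT_PAGE, server_value)
    assert find_abnormal_blocks(target_page, server_value) == []   # passes the server-side check
    received = target_page.replace("</body>", INJECTED + "</body>")  # modified in transit
    abnormal = find_abnormal_blocks(received, generate_target_value(time_point, seed))
    repaired = delete_abnormal_code(received, server_value, [i for i, _, _ in abnormal])
    return [i for i, _, _ in abnormal], repaired == target_page

if __name__ == "__main__":
    print(demo())  # ([2], True)
```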
The following remarks apply to the network attack defence method provided by the present application.
First, the processing time overhead of this method on the server and the browser is very low, and it does not require the user to use a specific browser or to install any additional component, so it has few dependencies and is highly portable. The target attribute value is generated highly dynamically, so the method has an obvious effect both against XSS (Cross-Site Scripting) attacks, which exploit the trust a website places in its users, and against CSRF (Cross-Site Request Forgery) attacks, which exploit a trusted website by disguising a request as coming from a trusted user.
Second, since the tag attribute added to the target page in the present application is added to all code blocks, it can be referred to as a global attribute.
See Fig. 4, which shows a network attack defence device provided by an embodiment of the present application and applied to a server. The device may include: an access module 401, a generation module 402, an attribute adding module 403, an attribute value judgment module 404, a page return module 405 and a page return prohibiting module 406.
The access module 401 is configured to, after receiving the page access request sent by the browser, obtain the parent page corresponding to the page access request, wherein all code blocks of the parent page include a tag attribute.
The generation module 402 is configured to generate the target attribute value.
The attribute adding module 403 is configured to add the target attribute value to each tag attribute, to obtain the target page.
The attribute value judgment module 404 is configured to judge, before the target page is returned to the browser, whether the attribute value of the tag attribute of each code block of the target page is consistent with the target attribute value. If the attribute values of the tag attributes of all code blocks are consistent with the target attribute value, the page return module 405 is triggered; if the attribute value of the tag attribute of any code block is inconsistent with the target attribute value, the page return prohibiting module 406 is triggered.
The page return module 405 is configured to return the target page to the browser.
The page return prohibiting module 406 is configured to determine that a network attack on the target page exists and to prohibit returning the target page to the browser.
In one implementation, the access module 401 may specifically include an attribute adding submodule.
The attribute adding submodule is configured to add the tag attribute to all code blocks of the parent page before the parent page is deployed to the production environment; or to add the tag attribute to all code blocks of the parent page after the page access request sent by the browser is received.
In one implementation, the generation module 402 may specifically include a time synchronization submodule and a calling submodule.
The time synchronization submodule is configured to perform time synchronization with the browser to negotiate an identical target time point.
The calling submodule is configured to call the event generator deployed on the server, so that the event generator on the server generates the target attribute value according to the target time point.
In one implementation, the page return prohibiting module 406 may further include an abnormality determining submodule and a deletion submodule.
The abnormality determining submodule is configured to determine as abnormal code the code blocks in which the attribute value of the tag attribute is inconsistent with the target attribute value.
The first deletion submodule is configured to delete the abnormal code from the target page.
In one implementation, the page return module 405 may further include an abnormality receiving submodule and a calling submodule.
The second deletion submodule is configured to delete the abnormal code from the target page according to the relevant information.
See Fig. 5, which shows a network attack defence device provided by an embodiment of the present application and applied to a browser. The device includes: an access request sending module 501, an attribute value acquisition module 502, a page receiving module 503, an attribute value judgment module 504, a page executing module 505 and a page determining module 506.
The access request sending module 501 is configured to send a page access request, so as to trigger the server to obtain the parent page corresponding to the page access request and to add the target attribute value to the tag attributes included in all code blocks of the parent page, to obtain the target page.
The attribute value acquisition module 502 is configured to obtain the target attribute value generated by the browser, wherein the target attribute value generated by the browser is identical to the target attribute value generated by the server.
The page receiving module 503 is configured to receive the target page returned by the server.
The attribute value judgment module 504 is configured to judge whether the attribute value of the tag attribute of each code block in the target page is consistent with the target attribute value generated by the browser. If the attribute values of the tag attributes of all code blocks are consistent with the target attribute value, the page executing module 505 is triggered; if the attribute value of the tag attribute of any code block is inconsistent with the target attribute value, the page determining module 506 is triggered.
The page executing module 505 is configured to execute the target page.
The page determining module 506 is configured to determine that a network attack on the target page exists.
In one implementation, the attribute value acquisition module 502 may specifically include a time synchronization submodule and a calling submodule.
The time synchronization submodule is configured to perform time synchronization with the server to negotiate an identical target time point.
The calling submodule is configured to call the event generator deployed on the browser, so that the event generator on the browser generates the target attribute value according to the target time point.
In one implementation, the attribute value acquisition module 502 may further include an abnormality determining submodule and a deletion submodule.
The abnormality determining submodule is configured to determine as abnormal code the code blocks in which the attribute value of the tag attribute is inconsistent with the target attribute value.
The abnormality sending module is configured to send the relevant information of the abnormal code to the server.
It should be noted that the embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments may be referred to one another.
It should also be noted that, herein, relational terms such as first and second are used merely to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between those entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements that are not explicitly listed, or elements inherent to such a process, method, article or device. Absent further restrictions, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes that element.
The foregoing description of the disclosed embodiments enables those skilled in the art to implement or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the present application. Therefore, the present application is not intended to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (10)
1. A network attack defence method, characterized in that it is applied to a server and comprises:
after receiving a page access request sent by a browser, obtaining the parent page corresponding to the page access request, wherein all code blocks of the parent page include a tag attribute;
generating a target attribute value;
adding the target attribute value to each tag attribute, to obtain a target page;
before returning the target page to the browser, judging whether the attribute value of the tag attribute of each code block of the target page is consistent with the target attribute value;
if the attribute values of the tag attributes of all code blocks are consistent with the target attribute value, returning the target page to the browser;
if the attribute value of the tag attribute of any code block is inconsistent with the target attribute value, determining that a network attack on the target page exists and prohibiting returning the target page to the browser.
2. The network attack defence method according to claim 1, characterized in that the tag attribute of the code blocks in the parent page is generated by:
adding the tag attribute to all code blocks of the parent page before the parent page is deployed to a production environment;
or,
adding the tag attribute to all code blocks of the parent page after the page access request sent by the browser is received.
3. The network attack defence method according to claim 1, characterized in that generating the target attribute value comprises:
performing time synchronization with the browser to negotiate an identical target time point;
calling an event generator deployed on the server, so that the event generator on the server generates the target attribute value according to the target time point.
4. The network attack defence method according to claim 1, characterized in that, after the step of determining that a network attack on the target page exists, the method further comprises:
determining as abnormal code the code blocks in which the attribute value of the tag attribute is inconsistent with the target attribute value;
deleting the abnormal code from the target page.
5. The network attack defence method according to claim 1, characterized in that, after the step of returning the target page to the browser, the method further comprises:
receiving relevant information of abnormal code returned by the browser;
deleting the abnormal code from the target page according to the relevant information.
6. A network attack defence method, characterized in that it is applied to a browser and comprises:
sending a page access request, so as to trigger the server to obtain the parent page corresponding to the page access request and to add a target attribute value to the tag attributes included in all code blocks of the parent page, to obtain a target page;
obtaining the target attribute value generated by the browser, wherein the target attribute value generated by the browser is identical to the target attribute value generated by the server;
receiving the target page returned by the server;
judging whether the attribute value of the tag attribute of each code block in the target page is consistent with the target attribute value generated by the browser;
if the attribute values of the tag attributes of all code blocks are consistent with the target attribute value, executing the target page;
if the attribute value of the tag attribute of any code block is inconsistent with the target attribute value, determining that a network attack on the target page exists.
7. The network attack defence method according to claim 6, characterized in that generating the target attribute value comprises:
performing time synchronization with the server to negotiate an identical target time point;
calling an event generator deployed on the browser, so that the event generator on the browser generates the target attribute value according to the target time point.
8. The network attack defence method according to claim 6, characterized in that, after the step of determining that a network attack on the target page exists, the method further comprises:
determining as abnormal code the code blocks in which the attribute value of the tag attribute is inconsistent with the target attribute value;
sending relevant information of the abnormal code to the server.
9. A network attack defence system, characterized in that it comprises a client and a server;
the client is configured to send a page access request to the server; perform time synchronization with the server to negotiate an identical target time point; generate a target attribute value using the target time point; receive the target page returned by the server; judge whether the attribute value of the tag attribute of each code block in the target page is consistent with the target attribute value; if the attribute values of the tag attributes of all code blocks are consistent with the target attribute value, execute the target page; and if the attribute value of the tag attribute of any code block is inconsistent with the target attribute value, determine that a network attack on the target page exists;
the server is configured to, after receiving the page access request sent by the client, obtain the parent page corresponding to the page access request; perform time synchronization with the client to negotiate an identical target time point; generate the target attribute value using the target time point and add the target attribute value to the tag attributes in all code blocks of the parent page, to obtain the target page; before returning the target page to the client, judge whether the attribute value of the tag attribute of each code block of the target page is consistent with the target attribute value; if the attribute values of the tag attributes of all code blocks are consistent with the target attribute value, return the target page to the client; and if the attribute value of the tag attribute of any code block is inconsistent with the target attribute value, determine that a network attack on the target page exists and prohibit returning the target page to the client.
10. A storage medium on which a computer program is stored, characterized in that, when the computer program is executed by a processor, the network attack defence method according to any one of claims 1 to 8 is implemented.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811572570.2A CN109379389A (en) | 2018-12-21 | 2018-12-21 | Network attack defence method and relevant device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109379389A true CN109379389A (en) | 2019-02-22 |
Family
ID=65371205
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109379389A (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | Application publication date: 20190222 |