CN110177096B - Client authentication method, device, medium and computing equipment - Google Patents


Info

Publication number: CN110177096B
Authority: CN (China)
Prior art keywords: client, access request, webpage, webpage address, authentication
Legal status: Active
Application number: CN201910443250.5A
Other languages: Chinese (zh)
Other versions: CN110177096A
Inventors: 何卫斌, 沈明星, 金海浪, 王成
Current assignee: Netease Hangzhou Network Co Ltd
Original assignee: Netease Hangzhou Network Co Ltd
Events: application filed by Netease Hangzhou Network Co Ltd; priority to CN201910443250.5A; publication of CN110177096A; application granted; publication of CN110177096B; legal status active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved

Abstract

The embodiment of the invention provides a client authentication method applied to a security gateway, where the security gateway forwards information between a client and a server. The method comprises the following steps: receiving a first webpage access request from the client; determining whether the webpage address requested by the first webpage access request exists in a set of webpage addresses; when the webpage address exists in the webpage address set, adopting a first strategy to authenticate the client; when the webpage address does not exist in the webpage address set, adopting a second strategy to authenticate the client; wherein the first strategy is different from the second strategy. The method can provide multiple strategies for client authentication and avoids the mistaken blocking of normal clients that results when the security gateway uses a single strategy. In addition, the embodiment of the invention provides a client authentication device, a medium and a computing device.

Description

Client authentication method, device, medium and computing equipment
Technical Field
The embodiment of the invention relates to the technical field of the Internet, and in particular to a client authentication method, a client authentication device, a client authentication medium and a computing device.
Background
This section is intended to provide a background or context to the embodiments of the invention that are recited in the claims. The description herein is not admitted to be prior art by inclusion in this section.
Prevention of and response to network attacks has always been an important issue throughout the Internet world. The CC (Challenge Collapsar) attack is a network attack targeting a server: it simulates the access behavior of a normal client in order to exhaust server resources until the server can no longer provide service. The principle of a CC attack is simple: find an interface URL whose handling consumes a large amount of server resources, access it continuously at high frequency, and finally exhaust the server's resources. An example of such an interface is a dynamic query page of a web site, where every access generates a large number of database query operations in the background. CC attacks are launched by various attack tools, which are generally simple to implement and whose behavioral characteristics are clearly distinguishable from those of web browsers. Therefore, it is necessary to identify the client in order to defend against CC attacks.
Disclosure of Invention
In this context, embodiments of the present invention are intended to provide a client authentication method, apparatus, medium, and computing device, which can effectively identify whether the source of an access request is a client or an attack tool.
In a first aspect of embodiments of the present invention, a client authentication method is provided, which is applied to a security gateway, where the security gateway is configured to forward information between a client and a server. The method comprises the following steps: receiving a first webpage access request from the client; determining whether a web page address requested by the first web page access request exists in a set of web page addresses; when the webpage address exists in the webpage address set, a first strategy is adopted to authenticate the client; when the webpage address does not exist in the webpage address set, adopting a second strategy to authenticate the client; wherein the first policy is different from the second policy.
In one embodiment of the present invention, before receiving the first webpage access request from the client, the method further comprises: setting the webpage address set; during information forwarding, acquiring from the response information from the server at least one piece of response information whose content type is in a content type set; acquiring from the client at least one access request corresponding to the at least one piece of response information; acquiring at least one webpage address requested by the at least one access request; and adding the at least one webpage address to the webpage address set so as to update the webpage address set.
In one embodiment of the invention, the method further comprises setting the content type set, where the content type set comprises at least one content type that supports JavaScript code execution.
In an embodiment of the present invention, adopting the first policy to authenticate the client includes: sending a first response to the first webpage access request to the client, the first response comprising first JavaScript code for client authentication; acquiring a second webpage access request sent by the client based on the first response, where the second webpage access request comprises authentication information of the client; verifying the authentication information based on the first JavaScript code; and, after the authentication information passes verification, forwarding the second webpage access request to the server.
In an embodiment of the present invention, verifying the authentication information based on the first JavaScript code includes: determining whether the authentication information meets a predetermined condition, where the predetermined condition is determined based on the first JavaScript code; when the authentication information meets the predetermined condition, determining that the authentication information passes verification, and otherwise determining that it does not pass verification.
In an embodiment of the present invention, authenticating the client using the second policy includes forwarding the first webpage access request to the server according to a preset rule.
In a second aspect of the embodiments of the present invention, a client authentication apparatus is provided. The client authentication device is arranged on a security gateway, and the security gateway is used for forwarding information between the client and the server. The device comprises a client information receiving module, a first determining module and an authentication module. The client information receiving module is used for receiving a first webpage access request from the client. The first determining module is used for determining whether the webpage address requested by the first webpage access request exists in a webpage address set. The authentication module is used for adopting a first strategy to authenticate the client when the webpage address exists in the webpage address set; when the webpage address does not exist in the webpage address set, adopting a second strategy to authenticate the client; wherein the first policy is different from the second policy.
In an embodiment of the present invention, the apparatus further includes a web page address set obtaining module. The webpage address set acquisition module comprises a webpage address set setting submodule, a first acquisition submodule, a second acquisition submodule, a third acquisition submodule and a webpage address set updating submodule. The webpage address set setting submodule is used for setting the webpage address set before the first webpage access request from the client side is received. The first obtaining submodule is used for obtaining at least one piece of response information which has the content type in the content type set in the response information from the server in the information forwarding process. The second obtaining submodule is used for obtaining at least one access request corresponding to the at least one response message from the client. The third obtaining submodule is used for obtaining at least one webpage address requested by the at least one access request. The webpage address set updating submodule is used for adding the at least one webpage address to the webpage address set so as to update the webpage address set.
In one embodiment of the invention, the apparatus further comprises a content type set setting module. The content type set setting module is used for setting the content type set, wherein the content type set comprises at least one content type supporting javascript code execution.
In an embodiment of the present invention, the adopting the first policy to authenticate the client includes: sending a first response to the first web page access request to the client, the first response comprising first javascript code for the client authentication; acquiring a second webpage access request sent by the client based on the first response, wherein the second webpage access request comprises authentication information of the client and an access request to a webpage address; verifying the authentication information based on the first javascript code; and after the authentication information passes verification, forwarding the second webpage access request to the server.
In an embodiment of the present invention, the verifying the authentication information based on the first javascript code includes: determining whether the authentication information meets a predetermined condition, wherein the predetermined condition is a condition determined based on the first javascript code; when the authentication information meets the preset condition, determining that the authentication information passes verification; otherwise, determining that the authentication information is not verified.
In an embodiment of the present invention, the authenticating the client by using the second policy includes forwarding the first web page access request to the server according to a preset rule.
In a third aspect of embodiments of the present invention, there is provided a computer-readable storage medium having stored thereon executable instructions, which when executed by a processor, cause the processor to perform the client authentication method as described above.
In a fourth aspect of embodiments of the present invention, a computing device is provided. The computing device includes one or more memories storing executable instructions, and one or more processors. The one or more processors execute the executable instructions to implement the client authentication method as described above.
According to the client authentication method, device, medium and computing equipment, the authentication strategy applicable to a client can be distinguished according to the webpage address accessed by its access request, so that a targeted strategy is selected for client identification. Specifically, when the webpage address requested by an access request is in the webpage address set, a first strategy is adopted to identify whether the source of the access request is a client or an attack tool; when the webpage address requested by the access request is not in the webpage address set, a second strategy is adopted to identify whether the source of the access request is a client or an attack tool.
According to some embodiments of the invention, the set of web addresses may be the set of web addresses requested by clients to which the first policy can be applied. Therefore, the second strategy can be adopted to authenticate clients to which the first strategy cannot be applied, or for which it is uncertain whether it can be applied. In this way, the phenomenon of some clients being mistakenly treated as attack tools and blocked, which occurs when authentication and identification are performed only through the first strategy, can be avoided; the loss caused by mistakenly blocking normal client access is thus avoided, and a better experience is brought to the user.
Drawings
The above and other objects, features and advantages of exemplary embodiments of the present invention will become readily apparent from the following detailed description read in conjunction with the accompanying drawings. Several embodiments of the invention are illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings and in which:
FIG. 1 schematically illustrates an application scenario of a client authentication method, apparatus, medium, and computing device according to embodiments of the present invention;
FIG. 2 schematically shows a flow diagram of a method of client authentication according to an embodiment of the invention;
FIG. 3 schematically illustrates a flow chart of a method of authenticating a client with a first policy according to an embodiment of the invention;
FIG. 4 schematically shows a scenario illustration of a method of authenticating a client using a first policy according to an embodiment of the present invention;
FIG. 5 schematically illustrates a flow of a method for verifying authentication information during authentication of a client with a first policy in FIG. 3;
FIG. 6 schematically shows a flow diagram of a method of client authentication according to another embodiment of the invention;
FIG. 7 schematically shows a scenario illustration of a client authentication method according to another embodiment of the present invention;
FIG. 8 schematically shows a block diagram of a client authentication apparatus according to an embodiment of the present invention;
FIG. 9 schematically shows an illustration of a program product suitable for implementing a method of client authentication according to an embodiment of the invention; and
FIG. 10 schematically illustrates a block diagram of a computing device suitable for implementing a client authentication method according to an embodiment of the present invention.
In the drawings, the same or corresponding reference numerals indicate the same or corresponding parts.
Detailed Description
The principles and spirit of the present invention will be described with reference to a number of exemplary embodiments. It is understood that these embodiments are given solely for the purpose of enabling those skilled in the art to better understand and to practice the invention, and are not intended to limit the scope of the invention in any way. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
As will be appreciated by one skilled in the art, embodiments of the present invention may be embodied as a system, apparatus, device, method, or computer program product. Accordingly, the present disclosure may be embodied in the form of: entirely hardware, entirely software (including firmware, resident software, micro-code, etc.), or a combination of hardware and software.
According to the embodiment of the invention, a client authentication method, a client authentication device, a client authentication medium and a computing device applied to a security gateway are provided.
In this document, it is to be understood that any number of elements in the specification and drawings is to be considered exemplary rather than limiting, and that any nomenclature is used for distinction only and not in any limiting sense.
The principles and spirit of the present invention are explained in detail below with reference to several representative embodiments of the invention.
Summary of the Invention
The inventor finds that, when clients are authenticated and identified in order to defend against network attacks, a single, overly strict authentication and identification strategy will cause some normally accessing clients to be blocked by mistake. Therefore, it is necessary to select the corresponding authentication policy in a targeted manner according to different clients. For example, different access requests can be distinguished according to the requested webpage addresses and authenticated through different strategies, which avoids to a certain extent the problem of mistakenly blocking clients that a single authentication strategy causes.
Having described the general principles of the invention, various non-limiting embodiments of the invention are described in detail below.
Application Scenario Overview
Reference is first made to fig. 1.
Fig. 1 schematically illustrates an application scenario of a client authentication method, apparatus, medium, and computing device according to embodiments of the present invention.
As shown in fig. 1, the application scenario includes a terminal device 11, a security gateway 12, and a server 13. The terminal device 11, the security gateway 12 and the server 13 may be connected to each other via a network. Various application clients (simply clients) may be installed in the terminal device 11, such as a shopping application, a web browser application, a search application, an instant messaging tool, a mailbox client, social platform software, etc. (for example only). The security gateway 12 is used for information forwarding between the client and the server 13.
The terminal device 11 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smart phones, tablet computers, laptop portable computers, desktop computers, and the like.
The user may operate the client in the terminal device 11, so that the client sends a user access request to the server. The user access request first reaches the security gateway 12, passes through the security gateway 12 and is forwarded to the server 13. The response information returned by the server 13 also reaches the security gateway 12 first, and is forwarded to the client in the terminal device 11 through the security gateway 12.
In some embodiments, the security gateway 12 may perform security authentication on the forwarded information. For example, when the access frequency for the server 13 is higher than a preset warning value, the security gateway 12 may perform security authentication on access requests for the server 13, releasing, according to the authentication result, the access requests from clients that meet the security requirement, so as to prevent network attacks such as CC attacks. For example, the terminal device 11 may be operated by a malicious user and have an attack tool installed. The security gateway 12 may perform the client authentication method of an embodiment of the present invention to identify whether the source of an access request to be sent to the server 13 is a client or an attack tool. An access request identified as originating from an attack tool is dropped directly by the security gateway 12. An access request identified as originating from a client may be forwarded by the security gateway 12 to the server 13.
It should be understood that fig. 1 is merely illustrative, and the number of terminal devices, security gateways, servers, etc. therein is merely illustrative. There may be any number of end devices, security gateways, and servers, as desired for implementation.
Exemplary method
A client authentication method according to an exemplary embodiment of the present invention is described below with reference to fig. 2 to 7 in conjunction with the application scenario of fig. 1. It should be noted that the above application scenarios are merely illustrated for the convenience of understanding the spirit and principles of the present invention, and the embodiments of the present invention are not limited in this respect. Rather, embodiments of the present invention may be applied to any scenario where applicable.
Fig. 2 schematically shows a flow chart of a client authentication method according to an embodiment of the invention.
As shown in fig. 2, the client authentication method may include operation S210, operation S220, operation S230A, and operation S230B. The client authentication method is applied to the security gateway 12.
In operation S210, a first web page access request is received from a client.
In operation S220, it is determined whether a web page address requested by the first web page access request exists in the web page address set.
In operation S230A, a first policy is taken to authenticate the client when the web address exists in the set of web addresses. The set of web addresses may be preset by the designer according to the actual service, or may be obtained by learning records during the daily information forwarding process of the security gateway 12, for which reference may be made to the following description regarding fig. 6 to 7.
In operation S230B, when the web address does not exist in the web address set, a second policy is adopted to authenticate the client, wherein the first policy is different from the second policy. According to some embodiments of the invention, the first policy may be, for example, a security detection policy conventional in the art, and the second policy may be, for example, a security policy for processing analysis of emerging clients.
According to the embodiment of the invention, the authentication strategies applicable to the client can be distinguished according to the webpage address accessed by the access request, so that a targeted strategy is selected to identify the client. This avoids the phenomenon of some clients being mistakenly blocked because a single authentication strategy is used, further avoids the loss caused by mistakenly blocking normal client access, and brings a better experience to users.
According to an embodiment of the invention, the first policy may be a JavaScript code based security verification policy, and the second policy may be another policy different from the JavaScript code based security verification policy.
For example, the second policy may be to limit the forwarding frequency of access requests to a particular webpage address. Or, for example, the second policy may be to first route an access request whose requested webpage address is not in the webpage address set into a data flow system, and to authenticate through big data analysis in that system whether the source of the access request is a client or an attack tool. For example, if the big data analysis finds that the access frequency to a certain web address is higher than the alarm value and that the accesses come from the same source, that source can be determined to be an attack tool, and the access requests it sends will accordingly be discarded.
Fig. 3 schematically shows a flowchart of a method for authenticating a client with a first policy in operation S230A according to an embodiment of the present invention. Fig. 4 schematically shows a scenario of the method for authenticating a client by using a first policy in fig. 3 according to an embodiment of the present invention.
In particular, fig. 3 and 4 illustrate an implementation flow of a security verification policy based on JavaScript code, which is described below in conjunction with both figures. According to an embodiment of the present invention, operation S230A may include operations S301 through S304.
First, in operation S210 as described above, the security gateway 12 receives a first webpage access request (request 1 in fig. 4) sent by a client (installed in the terminal device 11).
The security gateway 12 then sends a first response (response 1) to the first webpage access request (request 1) to the client in operation S301. Response 1 may include first JavaScript code for authenticating the client. The first JavaScript code may contain logic that generates certain information, which may be, for example, a cookie.
Then, in operation S302, the security gateway 12 may obtain a second webpage access request (request 2) sent by the client based on response 1, where request 2 includes the authentication information of the client (for example, request 2 carries a cookie generated by the client according to the information generation logic included in the first JavaScript code).
In operation S303 the security gateway 12 then verifies the authentication information based on the first JavaScript code, and in operation S304 it forwards request 2 to the server 13 after the authentication information passes verification. The specific implementation of operation S303 may refer to the illustration in fig. 5.
Fig. 5 schematically shows a flow of a method for verifying authentication information in the process of authenticating the client by adopting the first policy in operation S303 in fig. 3.
As shown in fig. 5, operation S303 may include operation S501, and operation S502 or operation S503.
In operation S501, it is determined whether the authentication information (e.g., the cookie carried in the request 2) meets a predetermined condition, where the predetermined condition is a condition determined based on the first javascript code. The predetermined condition may be, for example, a range of cookie values determined based on the first javascript code, or may be, for example, execution of the first javascript code to obtain certain values.
Then, in operation S502, when the authentication information meets a predetermined condition, it is determined that the authentication information is verified. Or in operation S503, when the authentication information does not meet the predetermined condition, it is determined that the authentication information is not verified.
For example, the security gateway 12 may verify that the cookie contained in request 2 meets a predetermined condition based on the cookie-generation logic contained in the first JavaScript code. For example, if the cookie-generation logic contained in the first JavaScript code is to generate an odd sequence of 5 characters, the security gateway 12 verifies whether the cookie contained in request 2 contains an odd sequence of 5 characters.
If, on verification, the cookie contained in request 2 meets the predetermined condition, the cookie is deemed to pass verification. At this point the security gateway 12 may determine that both request 1 and request 2 originate from a client and not from an attack tool. The security gateway 12 may then forward request 2 to the server 13 (i.e., the security gateway 12 sends request 3 to the server 13). Thereafter, upon receiving response 3 from the server 13 for request 3, the security gateway 12 may forward response 3 to the client (i.e., the security gateway 12 sends response 2 to the client). The client completes one access upon receiving response 2.
If, on verification, the cookie contained in request 2 does not meet the predetermined condition, the cookie is deemed to fail verification. The security gateway 12 may now determine that both request 1 and request 2 originated from an attack tool, and it will discard request 2. In some embodiments, if the source of request 1 is an attack tool, no request 2 will be generated after the security gateway 12 rebounds the first JavaScript code, since the attack tool may lack code execution capability, and so no request 2 will reach the security gateway.
As such, the security verification policy based on JavaScript code can authenticate clients that can execute JavaScript code (e.g., some web browsers). This type of web browser has one feature: it can execute the JavaScript code in a response message and carry out various interactions with the server 13 according to the code logic.
In summary, the security verification policy based on JavaScript code works as follows: the security gateway 12 rebounds a piece of JavaScript code (the first JavaScript code) to the client; if the client can execute the first JavaScript code, it re-initiates an access request (request 2) according to the logic of the first JavaScript code and carries the cookie generated by executing the first JavaScript code. The security gateway 12 receives request 2 sent by the client and checks whether the cookie carried in request 2 meets the predetermined condition. If the predetermined condition is met, request 2 is proxied to the server 13 at the back end. If the cookie carried in request 2 does not comply with the predetermined condition (e.g., the cookie is absent or its value is incorrect), request 1 and request 2 (if any) are discarded.
Generally speaking, after an attack tool receives the first JavaScript code in response 1 rebounded by the security gateway 12, it discards the JavaScript code directly because it lacks JavaScript execution capability, and there is no subsequent re-initiation of request 2. Therefore, when the security verification policy based on JavaScript code is applied, none of the attack tool's requests can reach the server 13 at the back end, and no attack effect is produced.
However, as Internet technology has developed, web pages have become asynchronous, and large numbers of ajax requests now appear in web pages. After a client sends an ajax request, the expected response is a piece of formatted data; if the security gateway 12 instead rebounds a piece of JavaScript code under the JavaScript-based security verification policy, the client cannot process that JavaScript code. Therefore, if the JavaScript-based security verification policy is applied to a client sending a request such as an ajax request, the client may be mistaken for an attack tool.
According to an embodiment of the present invention, the set of web addresses may be a set of at least a portion of web addresses requested to be accessed by a client applying a security verification policy based on JavaScript code. Therefore, according to the client authentication method provided by the embodiment of the invention, the client which is not suitable for the security verification strategy based on the JavaScript code can be authenticated by adopting the second strategy.
According to the embodiment of the present invention, the second policy is adopted to authenticate the client in operation S230B, which may be to forward the first web page access request to the server 13 according to a preset rule. For example, in the case where only one first web page access request is included in security gateway 12, the first web page access request may be forwarded directly to server 13. Alternatively, if a plurality of first web page access requests are currently included in security gateway 12, the first web page access requests are forwarded to server 13 at a limited frequency. The limited frequency may be, for example, 1s allowing only 1 first web page access request to pass through. According to the embodiment of the present invention, when the second policy is applied to authenticate the client, even if the access request is from an attack tool, the server 13 cannot be attacked by resource exhaustion or the like due to the limitation of the limited frequency, thereby protecting the security of the server 13.
Fig. 6 schematically shows a flow chart of a client authentication method according to another embodiment of the present invention.
As shown in fig. 6, according to another embodiment of the present invention, the client authentication method may include operations S610 to S660 in addition to operations S210, S220, S230A, and S230B. According to an embodiment of the present invention, operations S610 to S660 may be performed before operation S210.
In operation S610, a set of web page addresses is set.
In operation S620, a set of content types is set, wherein the set of content types includes at least one content type supporting javascript code execution. The execution of operation S620 after operation S610 in fig. 6 is merely an example. In some embodiments, there is no explicit sequential logical order between operation S620 and operation S610.
Whether the client is a web page or an app (application), there is an implicit agreement in advance about the content of the response to the different interface URLs (i.e., web page addresses) of the server 13, and the client uses the response content according to this convention. For example, the response of interface URI1 of the server 13 is formatted data, which the client requesting the resource at URI1 parses and presents as it sees fit. The response of interface URI2 of the server 13 is HTML code, which the client requesting the resource at URI2 parses and renders as the HTML specification requires. According to the HTTP protocol specification, the response message of the server 13 explicitly identifies the type of the network resource carried in the response (e.g., text/html, image/jpeg, etc.) in the Content-Type field of the HTTP header.
According to the embodiment of the present invention, the content type is the Content-Type used to identify the network resource in the response returned by the server 13. The Content-Type carried with a web page response defines the type of the network resource and the character encoding of the web page, and determines in what form and with what encoding the client will read the file. Common Content-Types are text/html, image/jpeg, audio/mp3, video/mpeg, application/json, etc. Among these, text/html is a content type that supports the execution of JavaScript code.
Then, in operation S630, at least one response message whose content type is in the content type set is obtained from the response messages from the server 13 in the process of forwarding information. Next, in operation S640, at least one access request corresponding to the at least one response message is obtained from the client. Then, in operation S650, at least one web page address requested by the at least one access request is obtained. In operation S660, the at least one web page address is added to the web page address set to update the web page address set.
According to one embodiment of the present invention, the learning, recording and updating of the web page addresses in the web page address set in operations S630-S650 may be performed by security gateway 12 while security gateway 12 is in a non-authentication state. When the security gateway 12 is in the non-authentication state, for example, when the access volume to the server 13 is below the warning value, the security gateway 12 may only forward information without authenticating the client. Since malicious access to server 13 is not a routine event, the web page address set can be learned more completely from the access data collected while security gateway 12 is in the non-authentication state.
According to an embodiment of the present invention, the set of web addresses set in operation S610 may be an empty set, or may also include an initial number of web addresses. Then, the security gateway 12 self-learns the content types of the network resources provided by the respective interface URIs (i.e., the web addresses) on the server 13 and adds the web addresses supporting the execution of the javascript code to the set of web addresses in operation S630 to operation S650.
In this way, when the client needs to be authenticated, an access request whose web page address belongs to the web page address set can be authenticated through the JavaScript-code-based security verification policy, so as to determine whether the access request was sent by a client or by a malicious attack tool. For an access request whose web page address does not belong to the web page address set, the client is authenticated using the second policy. Thus the appropriate authentication policy can be adopted in a targeted manner for different clients, and the mistaken blocking of some clients caused by relying on a single JavaScript-code-based security verification policy is avoided.
Fig. 7 schematically shows a scenario of a client authentication method according to another embodiment of the present invention.
As shown in fig. 7, according to the client authentication method of the embodiment of the present invention, in the process of forwarding information the security gateway 12 records, into the web page address set, the web page address requested by each access request whose response from the server 13 carries a Content-Type belonging to the content type set. In this way the security gateway 12 continuously learns and updates the set of access requests to which the JavaScript-code-based security verification policy can be applied.
Thereafter, when authenticating the client, for each access request passing through the security gateway 12, it is first determined whether the webpage address requested in the access request is in the webpage address set.
If the web page address requested in the access request is in the web page address set, the security verification policy based on JavaScript code rebounds a piece of JavaScript code to the client and waits for the client's execution result, so as to identify whether the source of the access request is a client or an attack tool (similar to the authentication scenario shown in FIG. 4).
If the web page address requested in the access request is not in the web page address set, the client is authenticated by adopting the second policy. Therefore, the client authentication method provided by the embodiment of the invention can be applied in a complex web environment, and solves the problem of clients being mistakenly blocked by a single client authentication policy.
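As an added example (not code from the patent; every class, function and parameter name is hypothetical), the following Python model puts the pieces of the method together: learning the web page address set from the Content-Type of forwarded responses (operations S610 to S660), the JavaScript-code-based first policy with its cookie check (operations S301 to S304 and S501 to S503), and the rate-limited second policy (operation S230B). The HMAC-tagged nonce, the challenge lifetime and the FNV-1a puzzle are assumptions of this example; the patent only requires that the cookie meet a predetermined condition derived from the first JavaScript code.

```python
import hashlib
import hmac
import re
import secrets
import time
from collections import deque

# Content type set (operation S620): response types in which a script can run.
JS_CONTENT_TYPES = {"text/html"}


def js_puzzle(nonce: str) -> str:
    """What the first JavaScript code makes the client compute: a 32-bit FNV-1a
    hash of the nonce (an assumption of this example).  The value itself is
    unimportant; a tool that discards the script never produces it."""
    h = 0x811C9DC5
    for ch in nonce:
        h = ((h ^ ord(ch)) * 0x01000193) & 0xFFFFFFFF
    return "%08x" % h


# The rebounded script (first JavaScript code); p() is js_puzzle in JavaScript.
FIRST_JS = (
    "function p(s){var h=0x811c9dc5;for(var i=0;i<s.length;i++)"
    "{h=Math.imul(h^s.charCodeAt(i),0x01000193)>>>0;}"
    "return('00000000'+h.toString(16)).slice(-8);}"
    "var n='%s';var t='%s';"
    "document.cookie='gw='+n+'.'+t+'.'+p(n)+';path=/';"
    "location.reload();"
)

class SecurityGateway:
    def __init__(self, secret: bytes, max_per_sec=1, ttl=300, clock=time.monotonic):
        self.secret = secret
        self.address_set = set()        # web page address set (operation S610)
        self.max_per_sec = max_per_sec  # preset rule of the second policy
        self.ttl = ttl                  # challenge lifetime in seconds (assumption)
        self.clock = clock
        self._recent = deque()          # times of requests forwarded under policy 2

    # Learning, operations S630-S660: done while the gateway only forwards.
    def learn(self, path: str, response_content_type: str) -> None:
        ctype = response_content_type.split(";", 1)[0].strip().lower()
        if ctype in JS_CONTENT_TYPES:
            self.address_set.add(path)

    # Operation S220: which policy applies to this web page address.
    def policy_for(self, path: str) -> str:
        return "first" if path in self.address_set else "second"

    # First policy, operations S301-S304.
    def _tag(self, nonce: str) -> str:
        return hmac.new(self.secret, nonce.encode(), hashlib.sha256).hexdigest()[:16]

    def first_response(self) -> dict:
        """response1: the first JavaScript code with a fresh nonce.  The HMAC
        tag lets the gateway recognise its own nonce without storing it."""
        nonce = "%d-%s" % (int(self.clock()), secrets.token_hex(8))
        body = "<script>%s</script>" % (FIRST_JS % (nonce, self._tag(nonce)))
        return {"status": 200, "content_type": "text/html", "body": body}

    def cookie_meets_condition(self, cookie: str) -> bool:
        """Operation S501: the predetermined condition on the cookie in request2."""
        parts = cookie.split(".")
        if len(parts) != 3 or not cookie.isascii():
            return False
        nonce, tag, answer = parts
        if not hmac.compare_digest(tag, self._tag(nonce)):
            return False                                   # not issued by this gateway
        if self.clock() - int(nonce.split("-", 1)[0]) > self.ttl:
            return False                                   # challenge too old
        return hmac.compare_digest(answer, js_puzzle(nonce))  # the script really ran

    # Second policy, operation S230B: forward at a limited frequency.
    def second_policy_allows(self) -> bool:
        now = self.clock()
        while self._recent and now - self._recent[0] >= 1.0:
            self._recent.popleft()
        if len(self._recent) >= self.max_per_sec:
            return False
        self._recent.append(now)
        return True

    def handle(self, path: str, cookies: dict) -> str:
        """One request in authentication state: 'forward', 'challenge' or 'drop'."""
        if self.policy_for(path) == "first":
            cookie = cookies.get("gw")
            if cookie is None:
                return "challenge"             # request1: rebound the script
            return "forward" if self.cookie_meets_condition(cookie) else "drop"
        return "forward" if self.second_policy_allows() else "drop"

def simulate_browser(body: str) -> str:
    """Stand-in for a script-capable client: does what FIRST_JS does and returns
    the cookie value that request2 would carry."""
    m = re.search(r"var n='([^']+)';var t='([^']+)';", body)
    nonce, tag = m.group(1), m.group(2)
    return "%s.%s.%s" % (nonce, tag, js_puzzle(nonce))
```

A client that never runs the script (an attack tool in the patent's terms) either stops at "challenge" or sends a cookie that fails the condition, while an ajax endpoint learned as application/json is never challenged and is only rate-limited.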
Exemplary devices
Having described the method of the exemplary embodiment of the present invention, the client authentication apparatus of the exemplary embodiment of the present invention will be described next with reference to fig. 8.
Fig. 8 schematically shows a block diagram of a client authentication apparatus 800 according to an embodiment of the present invention.
As shown in fig. 8, according to the embodiment of the present invention, the client authentication apparatus 800 is disposed in the security gateway 12, and the security gateway 12 is used for information forwarding between the client and the server 13. The apparatus 800 includes a client information receiving module 810, a first determining module 820, and an authenticating module 830. The client authentication apparatus 800 may be used to perform the client authentication method described with reference to fig. 2 to 7.
The client information receiving module 810 may perform operation S210, for example, for receiving a first web page access request from the client.
The first determining module 820 may perform operation S220, for example, to determine whether the web page address requested by the first web page access request exists in the web page address set.
The authentication module 830 may perform, for example, operations S230A and S230B: adopting a first policy to authenticate the client when the web page address exists in the web page address set, and adopting a second policy to authenticate the client when the web page address does not exist in the web page address set, wherein the first policy is different from the second policy.
According to an embodiment of the present invention, authenticating the client with the first policy (operation S230A) includes: transmitting a first response to the first web page access request to the client, the first response including first JavaScript code for the client authentication (operation S301); acquiring a second web page access request sent by the client based on the first response, wherein the second web page access request comprises authentication information of the client and an access request to the web page address (operation S302); verifying the authentication information based on the first JavaScript code (operation S303); and forwarding the second web page access request to the server 13 after the authentication information passes verification (operation S304).
According to an embodiment of the present invention, verifying the authentication information based on the first JavaScript code (operation S303) includes: determining whether the authentication information meets a predetermined condition, wherein the predetermined condition is a condition determined based on the first JavaScript code (operation S501); determining that the authentication information passes verification (operation S502) when the authentication information meets the predetermined condition; and determining that the authentication information does not pass verification (operation S503) otherwise.
According to an embodiment of the present invention, authenticating the client with the second policy (operation S230B) includes forwarding the first web page access request to the server 13 according to a preset rule.
According to an embodiment of the present invention, the apparatus 800 further includes a web address set obtaining module 840. The web address set obtaining module 840 includes a web address set setting sub-module 841, a first obtaining sub-module 842, a second obtaining sub-module 843, a third obtaining sub-module 844, and a web address set updating sub-module 845.
The web page address set setting sub-module 841 may, for example, perform operation S610 for setting the web page address set before the receiving of the first web page access request from the client.
The first obtaining sub-module 842 may, for example, perform operation S630, and is configured to obtain at least one response message with a content type in the content type set from the response messages from the server 13 in the process of forwarding information.
The second obtaining sub-module 843 may perform operation S640, for example, to obtain at least one access request corresponding to the at least one response message from the client.
The third obtaining sub-module 844 may perform operation S650, for example, to obtain at least one web page address requested by the at least one access request.
The web page address set updating submodule 845 may perform operation S660, for example, to add the at least one web page address to the web page address set to update the web page address set.
The apparatus 800 further comprises a content type set setting module 850 according to an embodiment of the present invention. The content type set setting module 850 may execute operation S620, for example, to set the content type set, where the content type set includes at least one content type supporting javascript code execution.
Exemplary Medium
Having described the method and apparatus of exemplary embodiments of the present invention, the media of exemplary embodiments of the present invention will now be described with reference to FIG. 9.
Embodiments of the present invention also provide a computer-readable storage medium having stored thereon executable instructions that, when executed by a processor, cause the processor to perform the client authentication method described with reference to fig. 2-7.
In some possible embodiments, aspects of the present invention may also be implemented in the form of a program product including program code. When the program product is run on a computing device, the program code causes the computing device to perform the operations of the client authentication method according to the various exemplary embodiments of the present invention described in the "exemplary method" section of this specification. For example, the computing device may perform operation S210 as shown in fig. 2: receiving a first webpage access request from the client; operation S220: determining whether a web page address requested by the first web page access request exists in a set of web page addresses; operation S230A: when the web page address exists in the set of web page addresses, adopting a first policy to authenticate the client; and operation S230B: when the web page address does not exist in the set of web page addresses, adopting a second policy to authenticate the client, wherein the first policy is different from the second policy.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
As shown in fig. 9, a program product 900 suitable for implementing a client authentication method according to an embodiment of the present invention is depicted, which may employ a portable compact disc read only memory (CD-ROM) and include program code, and may be run on a computing device, such as a personal computer. However, the program product of the present invention is not limited in this regard and, in the present document, a readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
A readable signal medium may include a propagated data signal with readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object-oriented programming language such as Java or C++ and conventional procedural programming languages such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user's computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
Exemplary computing device
Having described the method, medium, and apparatus of exemplary embodiments of the present invention, a computing device of exemplary embodiments of the present invention is now described with reference to FIG. 10.
The embodiment of the invention also provides the computing equipment. The computing device includes one or more memories, and one or more processors. The one or more memories store executable instructions. The one or more processors execute the executable instructions to implement the client authentication methods described with reference to fig. 2-7.
As will be appreciated by one skilled in the art, aspects of the present invention may be embodied as a system, method or program product. Thus, various aspects of the invention may be embodied in the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, microcode, etc.), or an embodiment combining hardware and software aspects, which may all generally be referred to herein as a "circuit," "module," or "system."
In some possible implementations, a computing device according to the present invention may include at least one processor and at least one memory. The memory stores program code that, when executed by the processor, causes the processor to perform the steps of the client authentication method according to the various exemplary embodiments of the present invention described in the "exemplary methods" section above in this specification. For example, the processor may perform operation S210 as shown in fig. 2: receiving a first webpage access request from the client; operation S220: determining whether a web page address requested by the first web page access request exists in a set of web page addresses; operation S230A: when the web page address exists in the set of web page addresses, adopting a first policy to authenticate the client; and operation S230B: when the web page address does not exist in the set of web page addresses, adopting a second policy to authenticate the client, wherein the first policy is different from the second policy.
A computing device 1000 suitable for implementing a client authentication method according to an embodiment of the present invention is described below with reference to fig. 10. The computing device 1000 as shown in FIG. 10 is only one example and should not be taken to limit the scope of use and functionality of embodiments of the present invention.
As shown in fig. 10, computing device 1000 is embodied in the form of a general purpose computing device. Components of computing device 1000 may include, but are not limited to: at least one processor 1010, at least one memory 1020, and a bus 1030 that couples the various system components, including the memory 1020 and the processor 1010.
The bus 730 includes a data bus, a control bus, and an address bus.
The memory 1020 may include readable media in the form of volatile memory, such as Random Access Memory (RAM) 1021 and/or cache memory 1022, and may further include Read Only Memory (ROM) 1023.
Memory 1020 may also include a program/utility 1025 having a set (at least one) of program modules 1024, such program modules 1024 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each of which, or some combination thereof, may comprise an implementation of a network environment.
Computing device 1000 may also communicate with one or more external devices 1040 (e.g., keyboard, pointing device, bluetooth device, etc.), with one or more devices that enable a user to interact with computing device 1000, and/or with any devices (e.g., router, modem, etc.) that enable computing device 1000 to communicate with one or more other computing devices. Such communication may occur through an input/output (I/O) interface 1050. Moreover, computing device 1000 may also communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network such as the internet) through network adapter 1060. As shown, the network adapter 1060 communicates with other modules of the computing device 1000 over a bus 1030. It should be appreciated that although not shown in the figures, other hardware and/or software modules may be used in conjunction with computing device 1000, including but not limited to: microcode, device drivers, redundant processors, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
It should be noted that although the above detailed description mentions several units/modules or sub-units/modules of the apparatus, such a division is merely exemplary and not mandatory. Indeed, the features and functionality of two or more of the units/modules described above may be embodied in one unit/module according to embodiments of the invention. Conversely, the features and functions of one unit/module described above may be further divided so as to be embodied by a plurality of units/modules.
Moreover, while the operations of the method of the invention are depicted in the drawings in a particular order, this does not require or imply that the operations must be performed in this particular order, or that all of the illustrated operations must be performed, to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step execution, and/or one step broken down into multiple step executions.
While the spirit and principles of the invention have been described with reference to several particular embodiments, it is to be understood that the invention is not limited to the disclosed embodiments, and the division into aspects is for convenience of description only and does not mean that the features in those aspects cannot be combined to advantage. The invention is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims.

Claims (14)

1. A client authentication method is applied to a security gateway, wherein the security gateway is used for information forwarding between a client and a server, and the method comprises the following steps:
acquiring a webpage address set through learning records in an information forwarding process, wherein the security gateway self-learns the content types of network resources provided by each webpage address in the information forwarding process, and adds a webpage address supporting the execution of javascript codes into the webpage address set;
receiving a first webpage access request from the client;
determining whether a web page address requested by the first web page access request exists in the set of web page addresses; and
when the webpage address exists in the webpage address set, adopting a first policy to authenticate the client; when the webpage address does not exist in the webpage address set, adopting a second policy to authenticate the client;
wherein the first policy is different from the second policy.
2. The method of claim 1, wherein said obtaining a set of web page addresses by learning records in an information forwarding process prior to said receiving a first web page access request from said client comprises:
setting the webpage address set;
acquiring at least one piece of response information with the content type in the content type set in the response information from the server in the information forwarding process;
acquiring at least one access request corresponding to the at least one response message from the client;
acquiring at least one webpage address requested by the at least one access request; and
adding the at least one web page address to the set of web page addresses to update the set of web page addresses.
3. The method of claim 2, wherein the method further comprises:
setting the content type set, wherein the content type set comprises at least one content type supporting javascript code execution.
4. The method of claim 1 or 3, wherein said adopting a first policy to authenticate the client comprises:
sending a first response to the first web page access request to the client, the first response comprising first javascript code for the client authentication;
acquiring a second webpage access request sent by the client based on the first response, wherein the second webpage access request comprises authentication information of the client;
verifying the authentication information based on the first javascript code; and
after the authentication information passes verification, forwarding the second webpage access request to the server.
5. The method of claim 4, wherein the verifying the authentication information based on the first javascript code comprises:
determining whether the authentication information meets a predetermined condition, wherein the predetermined condition is a condition determined based on the first javascript code; and
when the authentication information meets the predetermined condition, determining that the authentication information passes verification; otherwise, determining that the authentication information does not pass verification.
6. The method of claim 1 or 3, wherein said adopting a second policy to authenticate the client comprises:
forwarding the first webpage access request to the server according to a preset rule.
7. A client authentication apparatus provided in a secure gateway, the secure gateway being configured to forward information between a client and a server, the apparatus comprising:
a webpage address set obtaining module, configured to obtain a webpage address set through learning records in the information forwarding process, wherein the security gateway self-learns the content types of the network resources provided by each webpage address in the information forwarding process and adds the webpage addresses supporting the execution of javascript codes into the webpage address set;
the client information receiving module is used for receiving a first webpage access request from the client;
a first determining module, configured to determine whether a web address requested by the first web access request exists in a web address set; and
an authentication module, configured to adopt a first policy to authenticate the client when the webpage address exists in the webpage address set, and to adopt a second policy to authenticate the client when the webpage address does not exist in the webpage address set; wherein the first policy is different from the second policy.
8. The apparatus of claim 7, wherein the web address set obtaining module comprises:
the webpage address set setting submodule is used for setting the webpage address set before the first webpage access request from the client is received;
the first obtaining submodule is used for obtaining at least one piece of response information which has the content type in the content type set in the response information from the server in the information forwarding process;
the second obtaining submodule is used for obtaining at least one access request corresponding to the at least one response message from the client;
a third obtaining submodule, configured to obtain at least one webpage address requested by the at least one access request; and
a webpage address set updating submodule, configured to add the at least one webpage address to the webpage address set so as to update the webpage address set.
9. The apparatus of claim 8, wherein the apparatus further comprises:
a content type set setting module, configured to set the content type set, wherein the content type set comprises at least one content type supporting javascript code execution.
10. The apparatus of claim 7 or 9, wherein the employing the first policy to authenticate the client comprises:
sending a first response to the first web page access request to the client, the first response comprising first javascript code for the client authentication;
acquiring a second webpage access request sent by the client based on the first response, wherein the second webpage access request comprises authentication information of the client and an access request to a webpage address;
verifying the authentication information based on the first javascript code; and
after the authentication information passes verification, forwarding the second webpage access request to the server.
11. The apparatus of claim 10, wherein the verifying the authentication information based on the first javascript code comprises:
determining whether the authentication information meets a predetermined condition, wherein the predetermined condition is a condition determined based on the first javascript code;
when the authentication information meets the predetermined condition, determining that the authentication information passes verification; otherwise, determining that the authentication information does not pass verification.
12. The apparatus of claim 7 or 9, wherein the employing the second policy to authenticate the client comprises:
forwarding the first webpage access request to the server according to a preset rule.
13. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to perform a client authentication method according to any one of claims 1 to 6.
14. A computing device, comprising:
one or more memories storing executable instructions;
one or more processors executing the executable instructions to implement the client authentication method of any one of claims 1 to 6.
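The two policies of claims 7 through 12 describe a gateway that sits in front of the server: addresses in the webpage address set get a javascript challenge (first policy), everything else is forwarded by a preset rule (second policy), and a client is let through once the authentication information it sends back satisfies a condition derived from the challenge script. The following Python model is an added example written for this page; it is not code from the patent or from its assignee. The class and function names (Gateway, handle, first_policy, verify, simulate_browser, demo_origin), the cookie layout nonce.signature.answer, the use of an HMAC over the nonce plus a SHA-256 digest as the verifiable condition, the expiry window, and the way addresses are learned from the origin's Content-Type are all this example's assumptions, chosen to make the flow concrete and testable offline.

```python
"""Gateway-side javascript challenge modelled on claims 7-12 (added example, not the patent's code)."""
import hashlib
import hmac
import os
import re
import time

# Assumption: the content type set is the response types a browser will run javascript in.
CONTENT_TYPE_SET = {"text/html", "application/xhtml+xml"}
TOKEN_TTL = 300  # seconds a challenge answer stays valid (constructed value)

# First javascript code: derive the answer from the gateway-issued nonce, store it in a
# cookie, and re-issue the request (this becomes the second webpage access request).
CHALLENGE_JS = """<script>
const nonce = "%(nonce)s", sig = "%(sig)s";
crypto.subtle.digest("SHA-256", new TextEncoder().encode(nonce)).then(buf => {
  const hex = [...new Uint8Array(buf)].map(b => b.toString(16).padStart(2, "0")).join("");
  document.cookie = "gw_auth=" + nonce + "." + sig + "." + hex + "; path=/";
  location.reload();
});
</script>"""


class Gateway:
    def __init__(self, secret):
        self.secret = secret
        self.address_set = set()  # webpage address set: addresses that get the first policy

    def update_address_set(self, addresses):
        # webpage address set updating submodule (claim 8)
        self.address_set.update(addresses)

    def _sign(self, nonce):
        return hmac.new(self.secret, nonce.encode(), hashlib.sha256).hexdigest()

    def first_policy(self, path):
        # first response: a page whose only job is to run the challenge script
        nonce = f"{int(time.time())}-{os.urandom(8).hex()}"
        body = CHALLENGE_JS % {"nonce": nonce, "sig": self._sign(nonce)}
        return {"status": 200, "body": body, "forwarded": False}

    def verify(self, cookie):
        # Predetermined condition derived from the script: the cookie must carry a nonce
        # we signed, that has not expired, and the SHA-256 the script computed over it.
        try:
            nonce, sig, answer = cookie.split(".")
            issued = int(nonce.split("-")[0])
        except (ValueError, AttributeError):
            return False
        if not hmac.compare_digest(sig, self._sign(nonce)):
            return False
        if time.time() - issued > TOKEN_TTL:
            return False
        expected = hashlib.sha256(nonce.encode()).hexdigest()
        return hmac.compare_digest(answer, expected)

    def handle(self, request, origin):
        """request: {'path': str, 'cookies': dict}; origin: callable(path) -> response dict."""
        path = request["path"]
        if path not in self.address_set:
            # second policy: forward according to the preset rule (here: pass straight through)
            resp = origin(path)
            # Assumption: addresses whose response type is in the content type set are
            # added to the webpage address set so later requests get the first policy.
            if resp.get("content_type") in CONTENT_TYPE_SET:
                self.update_address_set([path])
            return dict(resp, forwarded=True)
        cookie = request.get("cookies", {}).get("gw_auth")
        if cookie and self.verify(cookie):
            # authentication information verified: forward the second request
            return dict(origin(path), forwarded=True)
        return self.first_policy(path)


def demo_origin(path):
    # Constructed upstream server: html pages and one static image.
    if path.endswith(".html"):
        return {"status": 200, "content_type": "text/html", "body": "<html>page</html>"}
    return {"status": 200, "content_type": "image/png", "body": b"\x89PNG"}


def simulate_browser(gateway, origin, path):
    """Constructed client that does what a browser running the challenge script would do."""
    cookies = {}
    resp = gateway.handle({"path": path, "cookies": cookies}, origin)
    if resp["forwarded"]:
        return resp
    nonce, sig = re.search(r'const nonce = "([^"]+)", sig = "([^"]+)"', resp["body"]).groups()
    # Python equivalent of the digest the injected script computes
    cookies["gw_auth"] = f"{nonce}.{sig}.{hashlib.sha256(nonce.encode()).hexdigest()}"
    return gateway.handle({"path": path, "cookies": cookies}, origin)


if __name__ == "__main__":
    gw = Gateway(os.urandom(32))
    gw.update_address_set(["/login.html"])
    print(simulate_browser(gw, demo_origin, "/login.html")["forwarded"])  # True
```

The split between the signature and the digest is what makes the condition checkable without server-side state: the HMAC proves the nonce was issued by this gateway, the timestamp bounds replay, and the digest proves the script actually ran. A client that fetches the page with a plain HTTP library and never executes the script keeps receiving the challenge response and never reaches the server, which is the effect the first policy is meant to have.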
CN201910443250.5A 2019-05-24 2019-05-24 Client authentication method, device, medium and computing equipment Active CN110177096B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910443250.5A CN110177096B (en) 2019-05-24 2019-05-24 Client authentication method, device, medium and computing equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910443250.5A CN110177096B (en) 2019-05-24 2019-05-24 Client authentication method, device, medium and computing equipment

Publications (2)

Publication Number Publication Date
CN110177096A CN110177096A (en) 2019-08-27
CN110177096B true CN110177096B (en) 2021-09-07

Family

ID=67695915

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910443250.5A Active CN110177096B (en) 2019-05-24 2019-05-24 Client authentication method, device, medium and computing equipment

Country Status (1)

Country Link
CN (1) CN110177096B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114143056B (en) * 2021-11-24 2024-04-05 上海派拉软件股份有限公司 Terminal access method and device, electronic equipment and storage medium

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101854335A (en) * 2009-03-30 2010-10-06 华为技术有限公司 Method, system and network device for filtration
CN103685294A (en) * 2013-12-20 2014-03-26 北京奇虎科技有限公司 Method and device for identifying attack sources of denial of service attack
CN103929498A (en) * 2014-05-05 2014-07-16 北京京东尚科信息技术有限公司 Method and device for processing client requests
CN105162793A (en) * 2015-09-23 2015-12-16 上海云盾信息技术有限公司 Method and apparatus for defending against network attacks
CN105897694A (en) * 2016-03-25 2016-08-24 网宿科技股份有限公司 Session identification method and system of client
CN108965251A (en) * 2018-06-08 2018-12-07 广州大学 A cloud-combined secure mobile phone protection system
CN109510815A (en) * 2018-10-19 2019-03-22 杭州安恒信息技术股份有限公司 A multi-stage phishing website detection method and system based on supervised learning

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9479396B2 (en) * 2013-05-31 2016-10-25 Sungard Availability Services, Lp XML based generic UNIX discovery framework
US9794227B2 (en) * 2014-03-07 2017-10-17 Microsoft Technology Licensing, Llc Automatic detection of authentication methods by a gateway
CN105100084B (en) * 2015-07-07 2018-03-30 中国科学院计算技术研究所 A method and system for preventing cross-site request forgery attacks
CN105978933B (en) * 2016-04-25 2019-09-17 青岛海信电器股份有限公司 A webpage request and response method, terminal, server and system
CN107426243A (en) * 2017-08-28 2017-12-01 北京奇安信科技有限公司 A network security protection method and device
CN108055241A (en) * 2017-11-15 2018-05-18 滨州市工商行政管理局 A defense method and system against CC attacks

Also Published As

Publication number Publication date
CN110177096A (en) 2019-08-27

Similar Documents

Publication Publication Date Title
US11188645B2 (en) Identifying whether an application is malicious
US10212173B2 (en) Deterministic reproduction of client/server computer state or output sent to one or more client computers
US9430640B2 (en) Cloud-assisted method and service for application security verification
US20080244715A1 (en) Method and apparatus for detecting and reporting phishing attempts
US20110283174A1 (en) Optimizing Security Seals on Web Pages
US11770385B2 (en) Systems and methods for malicious client detection through property analysis
CN105430011A (en) Method and device for detecting distributed denial of service attack
US10972507B2 (en) Content policy based notification of application users about malicious browser plugins
CN110958119A (en) Identity verification method and device
WO2014114127A1 (en) Method, apparatus and system for webpage access control
US20230291758A1 (en) Malware Detection Using Document Object Model Inspection
US20140208385A1 (en) Method, apparatus and system for webpage access control
CN110177096B (en) Client authentication method, device, medium and computing equipment
CN112202813B (en) Network access method and device
US10686834B1 (en) Inert parameters for detection of malicious activity
US9398041B2 (en) Identifying stored vulnerabilities in a web service
US11128639B2 (en) Dynamic injection or modification of headers to provide intelligence
US20160366172A1 (en) Prevention of cross site request forgery attacks
CN109857488B (en) Application program call control method and device, terminal and readable storage medium
CN112383542B (en) User login method and system, authentication end and user end
CN114598524B (en) Method, device, equipment and storage medium for detecting agent tool
CN116208392A (en) Active defense method and device for Web attack
WO2023166336A1 (en) System and method to prevent an attack on an application programming interface
CN114143056A (en) Terminal access method and device, electronic equipment and storage medium
CN114553524A (en) Flow data processing method and device, electronic equipment and gateway

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant