CN110445615B - Network request security verification method, device, medium and electronic equipment - Google Patents


Info

Publication number
CN110445615B
Authority
CN
China
Prior art keywords
time
token
network request
trigger operation
expiration
Prior art date
Legal status
Active
Application number
CN201910630624.4A
Other languages
Chinese (zh)
Other versions
CN110445615A (en)
Inventor
颜媛
Current Assignee
Ping An Puhui Enterprise Management Co Ltd
Original Assignee
Ping An Puhui Enterprise Management Co Ltd
Priority date
Filing date
Publication date
Application filed by Ping An Puhui Enterprise Management Co Ltd
Priority to CN201910630624.4A (CN110445615B)
Priority to PCT/CN2019/117695 (WO2021008034A1)
Publication of CN110445615A
Application granted
Publication of CN110445615B
Legal status: Active
Anticipated expiration

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00  Network architectures or network communication protocols for network security
    • H04L 63/08  Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0807  Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L 9/00  Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32  Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/321  Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication involving a third party or a trusted authority
    • H04L 9/3213  Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention relates to the technical field of network monitoring and discloses a method, device, medium and electronic device for verifying the security of a network request. The method comprises the following steps: receiving a first network request; generating a first token according to the first network request and sending the first token to the sender of the first network request, wherein the first token comprises an expiration time; determining the time at which to listen for a trigger operation from the sender of the first network request; when a trigger operation from the sender of the first network request is detected at that time, adjusting the expiration time of the first token according to the trigger operation to obtain an adjusted expiration time of the first token; and when a second network request carrying the first token is received before the adjusted expiration time, confirming that the second network request is legitimate. Under this method, after a token is generated for a network request, its expiration time is adjusted according to the user's trigger operations, so that the expiration time of the token is optimized dynamically and the user experience is preserved while the security of the token is still taken into account.

Description

Network request security verification method, device, medium and electronic equipment
Technical Field
The present invention relates to the field of network monitoring technologies, and in particular, to a method, an apparatus, a medium, and an electronic device for verifying security of a network request.
Background
With the advent of the internet age, various technologies, including network protocols, have provided a secure and orderly environment for network communication, allowing people to roam the network freely, and the token is an important technology of the information security age. As a credential in identity authentication, a token has a certain timeliness. At present, when a user logs in to a server or submits a form to the server side, the server returns a token to the client or App; when the user logs in or submits a form again, the request submitted by the client or App carries the token, and the server side judges from the token whether the user's request is legitimate.
In the prior art, in order to guarantee the validity of the token, a fixed validity period is set for it. After the token expires the user must submit a request and verify identity again, possibly while still actively using the client or App, which damages the user experience; but if the validity period of the token is uniformly extended in order to protect the user experience, the security of the token is reduced. The prior art therefore cannot take user experience and token security into account at the same time.
Disclosure of Invention
In order to solve the technical problem that expiration of a token in the related art damages user experience and finally causes low efficiency of using network service by a user, the invention provides a method, a device, a medium and electronic equipment for verifying network request security.
According to an aspect of the present application, there is provided a network request security verification method, the method including:
receiving a first network request;
generating a first token according to the first network request and sending the first token to a sending end of the first network request, wherein the first token comprises the expiration time of the first token;
determining the time for monitoring the trigger operation of the sending end of the first network request;
when a trigger operation from the sender of the first network request is detected at that time, adjusting the expiration time of the first token according to the trigger operation to obtain the adjusted expiration time of the first token;
and when a second network request carrying the first token is received before the adjusted expiration time, confirming that the second network request is legal.
According to another aspect of the present application, there is provided a network request security verification apparatus, the apparatus including:
a receiving module configured to receive a first network request;
a sending module configured to generate a first token according to the first network request and send the first token to a sender of the first network request, wherein the first token includes an expiration time of the first token;
a determining module configured to determine a time for a sender trigger operation of the first network request to be monitored;
the adjusting module is configured to adjust the expiration time of the first token according to the triggering operation when the triggering operation of the sending end of the first network request is monitored at the time, so as to obtain the adjusted expiration time of the first token;
a confirmation module configured to confirm that a second network request is legitimate when the second network request, carrying the first token, is received before the adjusted expiration time.
According to another aspect of the present application, there is provided a computer readable program medium storing computer program instructions which, when executed by a computer, cause the computer to perform the method as previously described.
According to another aspect of the present application, there is provided an electronic device including:
a processor;
a memory having computer readable instructions stored thereon which, when executed by the processor, implement the method as previously described.
The technical scheme provided by the embodiment of the invention can have the following beneficial effects:
the network request security verification method provided by the invention comprises the following steps: receiving a first network request; generating a first token according to the first network request and sending the first token to the sender of the first network request, wherein the first token comprises the expiration time of the first token; determining the time at which to listen for a trigger operation from the sender of the first network request; when a trigger operation from the sender of the first network request is detected at that time, adjusting the expiration time of the first token according to the trigger operation to obtain the adjusted expiration time of the first token; and when a second network request carrying the first token is received before the adjusted expiration time, confirming that the second network request is legitimate.
Under this method, after a token is generated for a network request, its expiration time is automatically adjusted according to the user's trigger operations, so that the expiration time of the token is optimized dynamically, the likelihood that an expired token damages the user experience is greatly reduced, and the user experience is preserved while the security of the token is still taken into account.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the invention, as claimed.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the invention and together with the description, serve to explain the principles of the invention.
FIG. 1 is a schematic diagram illustrating an application scenario of a network request security verification method according to an example embodiment;
FIG. 2 is a flow diagram illustrating a network request security verification method in accordance with an exemplary embodiment;
FIG. 3 is a flowchart illustrating details of step 220 according to one embodiment illustrated in a corresponding embodiment of FIG. 2;
FIG. 4 is a flowchart illustrating details of step 230 according to one embodiment illustrated in a corresponding embodiment of FIG. 2;
FIG. 5 is a flowchart illustrating details of step 240 according to one embodiment illustrated in a corresponding embodiment of FIG. 2;
FIG. 6 is a flowchart illustrating details of step 240 of another embodiment according to the corresponding embodiment of FIG. 2;
FIG. 7 is a block diagram illustrating a network request security verification apparatus in accordance with an exemplary embodiment;
FIG. 8 is a block diagram illustrating an example of an electronic device for implementing the network request security verification method described above, according to an example embodiment;
FIG. 9 is a schematic diagram of a computer-readable storage medium for implementing the network request security verification method described above, according to an example embodiment.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present invention. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the invention, as detailed in the appended claims.
Furthermore, the drawings are merely schematic illustrations of the present disclosure and are not necessarily drawn to scale. Some of the block diagrams shown in the figures are functional entities and do not necessarily correspond to physically or logically separate entities.
The present disclosure first provides a network request security verification method. The network request may be any request established by sending a request message over a network and may be based on various protocols; a request based on the HTTP protocol is typical. Security verification of a network request means confirming whether the request meets a certain security standard or requirement. Compared with an unverified network request, a request that has passed security verification is more trustworthy, whereas an unverified request may be an illegitimate request, so security verification is an important step in judging whether a network request is legitimate. The implementing terminal of the present disclosure may be any device with computation, processing and communication functions: a portable mobile device such as a smart phone, tablet computer or notebook computer, or a fixed device such as a computer device, field terminal, desktop computer, server or workstation.
FIG. 1 is a schematic diagram illustrating an application scenario of a network request security verification method according to an exemplary embodiment. As shown in FIG. 1, the scenario includes a server 110, a desktop computer 120 and a token 130. The server 110 and the desktop computer 120 are connected by a data link over which data can be transmitted between them. After the desktop computer 120 sends a request message to the server 110 through a web page or client, the server 110 may return the token 130 to the desktop computer 120 according to the request message. The token 130 has an expiration time; before that time, the user can use the desktop computer 120 to carry out, through a web page or client, the various interactions with the server 110 that require the token 130; after that time, the desktop computer 120 and the server 110 cannot perform any interaction requiring the token 130 until the server 110 issues a new token to the desktop computer 120. In the conventional approach the expiration time of the token is fixed, and the inventor of the present application recognized that a fixed token expiration time has at least the following defect: an expiration time that is too short or unreasonable interrupts the user's continuous interaction and affects the user experience, while an expiration time that is too long reduces the security of the token.
Fig. 2 is a flow diagram illustrating a network request security verification method in accordance with an example embodiment. As shown in fig. 2, the method comprises the following steps:
step 210, a first network request is received.
The network request can be various internet protocol-based network requests established by sending request messages, for example, the network request can be a network request based on an HTTP protocol.
In one embodiment, the first network request is generated using a POST or GET method under the HTTP protocol.
In an embodiment, the local terminal is a target receiving terminal of the first network request, that is, the local terminal returns a corresponding response to the sending terminal of the first network request according to the first network request.
In an embodiment, a target terminal other than the home terminal is the intended recipient of the first network request and returns the corresponding response to the sender of the first network request; the home terminal generates the token and verifies the security of network requests through the token, and the first network request received by the home terminal is forwarded to it by the target terminal after the target terminal receives it.
In one embodiment, after receiving the first network request, the method further comprises: determining that the first network request is legitimate.
In one embodiment, the home terminal holds a registered-identifier library, the first network request is sent to the home terminal directly by the requesting terminal, and every terminal must register with the home terminal, which stores the identifier of the registering terminal in the library, before it sends a network request. The first network request includes a request header containing the identifier of the requesting terminal, and determining that the first network request is legitimate comprises: obtaining the identifier of the requesting terminal from the request header of the first network request; and determining that the first network request is legitimate if that identifier exists in the registered-identifier library.
Step 220, generating a first token according to the first network request and sending the first token to a sending end of the first network request.
Wherein the first token includes an expiration time of the first token.
The token is a string used to verify the legitimacy of the network request.
In one embodiment, the expiration time of the first token is expressed in a preset time format, such as 2019/2/15 18:00.
In one embodiment, the format of the expiry time of the first token is a timestamp.
In an embodiment, the first network request includes a Uniform Resource Locator (URL), a system parameter and a service parameter, and the first token is obtained by applying a hash algorithm to the URL, the system parameter and the service parameter. The URL is the address of the resource the first network request asks to access; the system parameter identifies the requesting end and may be, for example, the system identifier of the requesting end, its MAC (Media Access Control) address or its IP (Internet Protocol) address; the service parameter identifies the service used to initiate the request and may be, for example, the name of the interface called by the user or the name of the service entry used; the hash algorithm may be any of various algorithms, such as SHA-256 or MD5 (MD5 is no longer collision-resistant, so SHA-256 is the practical choice).
In one embodiment, a hash operation is performed on the character string formed by concatenating the URL, the system parameter and the service parameter to obtain a digest of that string, and the character string formed by the digest and a timestamp representing the expiration time of the first token is used as the first token.
In one embodiment, a hash operation is performed separately on each of the URL, the system parameter and the service parameter to obtain a digest of each, and the character string formed by these digests and a timestamp representing the expiration time of the first token is used as the first token.
In one embodiment, the first network request includes the registered account of the requester, and generating the first token according to the first network request comprises: applying a hash algorithm to the registered account in the first network request to obtain a digest of the registered account; and using the character string formed by a preset token expiration time and the digest as the first token.
In one embodiment, the first network request includes the registered account of the requester. Before the requester sends a network request, it completes account registration by submitting identity information to the home terminal, which generates a registered account for it and stores the generated account together with the submitted identity information. Generating the first token according to the first network request then comprises: obtaining the registered account of the requester contained in the first network request; obtaining the identity information corresponding to that account; applying a hash algorithm to the identity information to obtain a digest of the identity information; and using the character string formed by a preset token expiration time and the digest as the first token.
In one embodiment, the first network request includes the registered account of the requester, and generating the first token according to the first network request comprises: in response to receiving the first network request, generating a random character string and storing the requester's registered account and the random string locally, associated with each other; applying a hash algorithm to the random string to obtain a digest of it; and using the character string formed by a timestamp representing the expiration time of the first token and the digest as the first token. The random string may take various forms: it may be of random or fixed length, and it may contain only digits, only letters, or both letters and digits.
It is understood that the specific ways of generating the first token according to the first network request are various and not limited to those shown in the above embodiments, and other ways of generating the first token may be selected based on security and other factors in practical applications.
Step 230, determining the time at which to listen for a trigger operation from the sender of the first network request.
Determining the time at which to listen for a trigger operation from the sender of the first network request means deciding at which time the trigger operations of that sender are to be monitored.
It should be noted that the time at which to listen for a trigger operation from the sender of the first network request may be a time point or a time period.
In one embodiment, after determining a time for a sender to listen for the first network request to trigger an operation, the method includes:
and monitoring the trigger operation of the sending end of the first network request according to the time.
The method for monitoring the trigger operation of the sending end of the first network request may be performed by monitoring a click event or a button control, and may specifically adopt different monitoring methods according to different practical applications.
In one embodiment, determining the time at which to listen for a trigger operation from the sender of the first network request comprises: starting from the moment the first token is sent to the sender of the first network request, obtaining a time point every preset second time period, and taking the preset first time period immediately before each such time point as the time at which to listen, wherein the first time period is shorter than the second time period.
For example, if the first token is sent to the sender of the first network request at 2:00 and the preset first and second time periods are 3 hours and 5 hours respectively, the first time point, obtained 5 hours after 2:00, is 7:00, and the listening time derived from it is 4:00-7:00; similarly, the second listening time is 9:00-12:00.
The advantage of this embodiment is that, after the home terminal sends the first token to the sender of the first network request, the sender's trigger operations are monitored in fixed periods, which keeps the monitoring even-handed.
In one embodiment, determining the time at which to listen for a trigger operation from the sender of the first network request comprises: obtaining the difference between the time at which the first token is sent to the sender of the first network request and the expiration time of the first token; determining the ratio of that difference to a preset time-difference reference value, wherein the reference value is associated with a first reference time period and a second reference time period, the first being shorter than the second; taking the product of the ratio and the first reference time period as a first standard time period and the product of the ratio and the second reference time period as a second standard time period; and, starting from the moment the first token is sent to the sender, taking the first standard time period before each time point obtained every second standard time period as the time at which to listen. The advantage of this embodiment is that the listening time is determined adaptively from the length of the period between sending the first token and its expiration, so the determined listening time is more reasonable.
In one embodiment, determining the time at which to listen for a trigger operation from the sender of the first network request comprises: dividing the period from the time the first token is sent to the sender until its expiration time into a first number of time intervals; dividing each such interval into a second number of time subintervals; obtaining, for each interval, a random integer no greater than the second number; and, for each interval, taking the subinterval whose ordinal position within the interval equals that random integer as the time at which to listen. The advantage of this embodiment is that every interval contains a listening time, which keeps the determination even-handed, while the position of the listening subinterval within each interval is random, which gives the listening time a degree of unpredictability and can improve security.
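The three scheduling embodiments above (fixed periods, periods scaled to the token lifetime, and one random subinterval per interval) are plain time arithmetic, so the following added example computes the listening windows for each of them. This is editor-written illustration code, not code from the patent; it assumes, where the text does not say, that the fixed-period schedule stops once a time point would fall after the token's expiration time, and that the random embodiment's integer is a 1-based ordinal within the interval. The 2:00 / 3 h / 5 h worked example from the text is reproduced by fixed_windows.

```python
import random
from datetime import datetime, timedelta


def fixed_windows(issued_at, expires_at, first, second):
    """Embodiment 1: from the moment the token was sent, every `second` period
    yields a time point; the `first` period before each point is a listening
    window. Requires first < second so consecutive windows do not overlap.
    Assumption (not stated in the patent): stop once a point passes expiry."""
    assert first < second, "first period must be shorter than the second"
    windows = []
    point = issued_at + second
    while point <= expires_at:
        windows.append((point - first, point))
        point += second
    return windows


def scaled_windows(issued_at, expires_at, reference, first_ref, second_ref):
    """Embodiment 2: scale both reference periods by (lifetime / reference),
    then schedule exactly as in embodiment 1 with the scaled periods."""
    ratio = (expires_at - issued_at) / reference          # timedelta / timedelta -> float
    return fixed_windows(issued_at, expires_at, first_ref * ratio, second_ref * ratio)


def random_subinterval_windows(issued_at, expires_at, n_intervals, n_sub, rng=None):
    """Embodiment 3: split the lifetime into n_intervals equal intervals, each
    into n_sub subintervals, and listen during one randomly chosen subinterval
    per interval. Pass a seeded random.Random for reproducible output."""
    rng = rng or random.Random()
    interval = (expires_at - issued_at) / n_intervals
    sub = interval / n_sub
    windows = []
    for i in range(n_intervals):
        start = issued_at + interval * i
        k = rng.randint(1, n_sub)                           # 1-based ordinal of the chosen subinterval
        windows.append((start + sub * (k - 1), start + sub * k))
    return windows


if __name__ == "__main__":
    # Constructed input matching the patent's worked example: token sent at
    # 2:00, first period 3 h, second period 5 h; expiry chosen as 14:00.
    t0 = datetime(2019, 2, 15, 2, 0)
    for s, e in fixed_windows(t0, t0 + timedelta(hours=12), timedelta(hours=3), timedelta(hours=5)):
        print(s.strftime("%H:%M"), "-", e.strftime("%H:%M"))   # 04:00 - 07:00, 09:00 - 12:00
```

Each function returns (start, end) pairs in the same units as the input, so the scheduler that actually attaches the click or button listeners only has to compare the current time against the next pair.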
Step 240, when the trigger operation of the sending end of the first network request is monitored at the time, adjusting the expiration time of the first token according to the trigger operation to obtain the adjusted expiration time of the first token.
In one embodiment, the adjusting the expiration time of the first token according to the triggering operation when the triggering operation of the sender of the first network request is monitored at the time to obtain the adjusted expiration time of the first token includes:
and in response to the trigger operation of the sending end which monitors the first network request at the time, postponing the expiration time of the first token backwards for a preset time period to serve as the adjusted expiration time of the first token.
In one embodiment, after monitoring a trigger operation of the sender of the first network request at the time, and adjusting the expiration time of the first token according to the trigger operation to obtain an adjusted expiration time of the first token, the method further includes: and determining the time for monitoring the trigger operation of the sending end of the first network request again and monitoring the trigger operation of the sending end of the first network request at the time until the first token is invalid.
In one embodiment, the adjusting the expiration time of the first token according to the triggering operation when the triggering operation of the sender of the first network request is monitored at the time to obtain the adjusted expiration time of the first token includes:
obtaining the frequency of trigger operations from the sender of the first network request detected at that time; and adjusting the expiration time of the first token according to the frequency of the trigger operations.
In one embodiment, adjusting the expiration time of the first token based on the frequency of the triggering operation comprises: when the frequency is larger than a preset frequency threshold, postponing the expiration time of the first token backwards for a preset first time period to serve as the adjusted expiration time of the first token; and when the frequency is not greater than a preset frequency threshold, postponing the expiration time of the first token backwards for a preset second time period as the adjusted expiration time of the first token, wherein the preset second time period is less than the preset first time period.
In one embodiment, adjusting the expiration time of the first token based on the frequency of the triggering operation comprises: acquiring the ratio of the frequency to a preset frequency threshold; determining the sum of the ratio and 1; taking the product of the sum and the expiration time of the first token as the adjusted expiration time of the first token.
This embodiment has the advantage that, by adaptively adjusting the expiration time of the first token according to the frequency of the trigger operations, the adjusted expiration time better matches the user's actual activity.
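The two frequency-based adjustment modes above, written out as an added example (this is not code from the patent; the `TokenRecord` structure, the per-minute frequency measure, the threshold value and the trigger times are all assumptions made for the illustration). The frequency is taken as the number of trigger operations observed inside one monitoring window divided by the window length in minutes; the ratio mode scales the validity period measured from issuance, as noted above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class TokenRecord:
    """Server-side record of an issued first token (structure assumed for this example)."""
    token: str
    issued_at: datetime    # the time the first token was sent, i.e. its validation time
    expires_at: datetime   # the current, possibly already adjusted, expiration time


def trigger_frequency(trigger_times, window_start, window_end):
    """Trigger operations per minute performed by the sender inside one monitoring window."""
    minutes = (window_end - window_start).total_seconds() / 60.0
    if minutes <= 0:
        raise ValueError("monitoring window must have positive length")
    hits = sum(1 for t in trigger_times if window_start <= t < window_end)
    return hits / minutes


def adjust_by_threshold(rec, freq, threshold, first_period, second_period):
    """Threshold mode: postpone by the longer first period when the frequency exceeds
    the threshold, otherwise by the shorter second period."""
    if second_period >= first_period:
        raise ValueError("the preset second period must be shorter than the first")
    extension = first_period if freq > threshold else second_period
    return rec.expires_at + extension


def adjust_by_ratio(rec, freq, threshold):
    """Ratio mode: the validity period (expiration time measured from issuance)
    is multiplied by (1 + freq / threshold)."""
    validity = rec.expires_at - rec.issued_at
    return rec.issued_at + validity * (1.0 + freq / threshold)


def fmt(dt):
    return dt.strftime("%H:%M")


# Constructed sample: a token issued at 15:00 with a 30-minute validity, and the
# trigger operations the sender performed afterwards.
ISSUED = datetime(2019, 7, 12, 15, 0)
RECORD = TokenRecord("tok-1", ISSUED, ISSUED + timedelta(minutes=30))
TRIGGERS = [ISSUED + timedelta(minutes=m) for m in (2, 5, 6, 7, 9, 14)]


def run_example():
    """Monitor the window 15:00-15:10 (5 triggers, 0.5 per minute) and apply both modes."""
    freq = trigger_frequency(TRIGGERS, ISSUED, ISSUED + timedelta(minutes=10))
    return {
        "frequency_per_min": freq,
        "threshold_mode": fmt(adjust_by_threshold(
            RECORD, freq, threshold=0.25,
            first_period=timedelta(minutes=10), second_period=timedelta(minutes=3))),
        "ratio_mode": fmt(adjust_by_ratio(RECORD, freq, threshold=0.25)),
    }


if __name__ == "__main__":
    print(run_example())
```

With these inputs the threshold mode moves 15:30 to 15:40, while the ratio mode triples the 30-minute validity and yields 16:30; the ratio mode is unbounded in the frequency, so a deployment would cap it.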
Step 250, when a second network request carrying the first token is received before the adjusted expiration time, confirming that the second network request is legal.
As described above, the token is a character string used for verifying the legality of a network request. Therefore, when a second network request carrying the first token is received, if the time of receipt is before the adjusted expiration time, that is, the first token has not expired, it can be determined that the second network request carries a valid first token and is therefore legal.
In one embodiment, before confirming that the second network request is legal, the method further includes:
determining whether the token carried by the second network request is the first token;
if so, determining whether the time of receiving the second network request is before the adjusted expiration time, wherein the second network request is confirmed to be legal only on the condition that the time of receiving it is determined to be before the adjusted expiration time. A request whose token does not match the first token, or which arrives at or after the adjusted expiration time, fails the check.
In summary, according to the embodiment shown in fig. 2, dynamic optimization of the expiration time of the token is achieved: the likelihood that token expiration harms the user experience is greatly reduced while the security of the token is still taken into account, so that the efficiency of the user when using a network service requiring the token can be improved.
Fig. 3 is a flowchart illustrating details of step 220 according to one embodiment illustrated in a corresponding embodiment of fig. 2. As shown in fig. 3, the method comprises the following steps:
step 221, generating a pending first token according to the first network request.
Wherein the pending first token does not contain an expiration time.
In one embodiment, the first network request includes a uniform resource locator and an identity of the sender of the first network request, and generating the pending first token according to the first network request includes: performing a hash operation on the character string formed by the uniform resource locator contained in the first network request and the identity of the sender of the first network request to obtain a digest of the character string; and taking the digest as the pending first token.
Step 222, determining the type of the first network request.
In one embodiment, the first network request has a type identifier therein for identifying the type of the first network request.
Step 223, determining the expiration time of the first token to be generated according to the type.
In one embodiment, the first network request has a type identifier, the type identifier and the expiration time are stored in a correspondence table, and the expiration time corresponding to the type identifier in the first network request is obtained, by querying the correspondence table, as the expiration time of the first token to be generated.
Step 224, adding the expiration time to the to-be-determined first token to generate a first token, and sending the first token to the sending end of the first network request.
The embodiment shown in fig. 3 has the advantage that, by determining the expiration time of each first token according to the type of the first network request, the first token generated for a network request is made more reasonable.
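Token issuance as in fig. 3 together with the validity check of step 250, as an added example that is not code from the patent. Two points a practitioner needs are made explicit: the pending token of step 221, an unkeyed digest of URL and sender identity, can be recomputed by anyone who knows those two values and is identical for every request with the same inputs, so the example also shows a keyed, nonce-bearing substitute (my addition, not the patent's method); and because step 240 moves the expiration time after the token has been sent, the adjusted expiration time has to live in a server-side record, and verification must consult that record rather than the expiration time embedded in the client's copy. The type table, key, URL, sender identity and times are constructed for the illustration.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta

# Correspondence table of step 223: request type identifier -> validity period.
# The identifiers and periods are constructed for this example.
EXPIRY_BY_TYPE = {
    "login": timedelta(minutes=30),
    "query": timedelta(minutes=15),
    "transfer": timedelta(minutes=5),
}


def pending_token_digest(url, sender_id):
    """Step 221 as described: an unkeyed digest of URL || sender identity.
    Anyone who knows both inputs can recompute it, and the same sender and URL
    always yield the same value, so on its own it proves nothing."""
    return hashlib.sha256((url + sender_id).encode("utf-8")).hexdigest()


def pending_token_keyed(url, sender_id, server_key):
    """Hardened substitute (not from the patent): a keyed HMAC over URL, sender
    identity and a fresh nonce, so the value cannot be predicted without the
    server key and differs for every issuance."""
    nonce = secrets.token_hex(8)
    msg = "\n".join((url, sender_id, nonce)).encode("utf-8")
    return nonce + "." + hmac.new(server_key, msg, hashlib.sha256).hexdigest()


class TokenServer:
    """Server-side state the scheme needs: which first token was issued, when,
    and its current expiration time (which step 240 may later move)."""

    def __init__(self, server_key):
        self._key = server_key
        self._records = {}   # token -> {"issued_at": ..., "expires_at": ...}

    def issue(self, url, sender_id, request_type, now):
        """Steps 221-224: pending token, expiry by type, combine, record, return."""
        validity = EXPIRY_BY_TYPE[request_type]
        token = pending_token_keyed(url, sender_id, self._key)
        expires_at = now + validity
        self._records[token] = {"issued_at": now, "expires_at": expires_at}
        return token, expires_at   # both go back to the sender

    def adjust_expiry(self, token, new_expires_at):
        """Step 240 writes the adjusted expiration time here, not into the
        client's copy of the token, so verification must consult this record."""
        self._records[token]["expires_at"] = new_expires_at

    def verify(self, token, now):
        """Step 250 with the pre-check of the preceding embodiment: the presented
        token must equal an issued first token (compared in constant time) and the
        request must arrive strictly before the adjusted expiration time."""
        if not isinstance(token, str) or not token.isascii():
            return False   # compare_digest only accepts ASCII str; treat anything else as invalid
        for issued_token, rec in self._records.items():
            if hmac.compare_digest(issued_token, token):
                return now < rec["expires_at"]
        return False


def run_example():
    """Issue a token for a 'query' request at 15:00 and check requests against it."""
    server = TokenServer(server_key=b"example-server-key-not-for-production")
    t0 = datetime(2019, 7, 12, 15, 0)
    url, sender = "https://example.test/api/query", "user-42"
    token, expires_at = server.issue(url, sender, "query", t0)
    results = {
        "expires_at": expires_at.strftime("%H:%M"),
        "valid_at_15_10": server.verify(token, t0 + timedelta(minutes=10)),
        "valid_at_15_15": server.verify(token, t0 + timedelta(minutes=15)),
        # a party that knows URL and sender identity can build the unkeyed digest,
        # but it does not match the keyed token the server actually issued
        "forged_token": server.verify(pending_token_digest(url, sender), t0 + timedelta(minutes=10)),
    }
    server.adjust_expiry(token, t0 + timedelta(minutes=30))   # e.g. after a trigger operation
    results["valid_at_15_20_after_adjust"] = server.verify(token, t0 + timedelta(minutes=20))
    return results


if __name__ == "__main__":
    print(run_example())
```

Note that the check is strict (`now < expires_at`): a request arriving exactly at the expiration time is rejected, and a server clock that drifts relative to the issuing clock changes the outcome, so issuance and verification should read the same clock.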
Fig. 4 is a flowchart illustrating details of step 230 according to one embodiment illustrated in a corresponding embodiment of fig. 2. As shown in fig. 4, step 230 includes the following steps:
step 231, obtaining a time for sending the first token to the sending end of the first network request as a first time.
In one embodiment, a timer is built into the local terminal, the timer records the sending time of each token, and the time at which the first token was sent to the sender of the first network request is obtained by reading the timer.
Step 232, taking each successive time period of x minutes, counted from the first time, as a time for monitoring the trigger operation of the sender of the first network request.
Wherein x is a positive integer.
In one embodiment, each x-minute period counted from the first time has a fixed length. For example, each period may be 5 minutes, that is, every 5 minutes it is checked whether the sender of the first network request performed a trigger operation within the preceding 5 minutes.
In one embodiment, the lengths of the successive periods counted from the first time form a preset arithmetic sequence. For example, if the preset arithmetic sequence is 20, 15, 10, 5 and the first time is 18:00, the times obtained for monitoring the trigger operation of the sender of the first network request are 18:00-18:20, 18:20-18:35, 18:35-18:45 and 18:45-18:50 respectively.
In one embodiment, the length x minutes of each period counted from the first time is determined by: acquiring a first parameter value according to the expiration time of the first token; and determining, using the first parameter value, the length x minutes of each period counted from the first time.
In one embodiment, the obtaining a first parameter value according to the expiration time of the first token includes:
obtaining a first parameter value by the following expression:
Figure BDA0002128555360000111
wherein M is the difference between the expiration time and the validation time of the first token, n is the sequence number of the current monitoring period among the x-minute periods used as times for monitoring the trigger operation of the sender of the first network request, and y is the first parameter value;
said determining, using said first parameter value, a time x minutes for each interval starting from said first time, comprising:
obtaining the smallest integer greater than the first parameter value y as the number of minutes x of each period counted from the first time.
In the foregoing embodiment, it can be seen that, starting from the validation of the first token, the sender's trigger operations are monitored more and more frequently, that is, the interval between successive checks becomes shorter and shorter. This embodiment therefore has two advantages: monitoring only at set intervals rather than continuously saves resources such as computational overhead, and checking more densely as the first token approaches its expiration makes it less likely that the user's operation is interrupted by expiration of the token, improving the user experience.
Fig. 5 is a flowchart illustrating details of step 240 according to one embodiment of the embodiment corresponding to fig. 2. In the embodiment shown in fig. 5, the time for monitoring the trigger operation of the sender of the first network request is referred to as a second time. As shown in fig. 5, the method includes the following steps:
step 241, obtaining a time for sending the first token to the sending end of the first network request as a first time.
In one embodiment, the sender of the first network request keeps a log recording the time at which each token was received, and a script is embedded in the terminal implementing the present disclosure; obtaining the time at which the first token was sent to the sender of the first network request then includes: reading, by the script, the time at which the first token was sent to the sender from the log of the sender of the first network request.
Step 242, determine the difference between the expiration time and the first time.
Since the expiration time is later than the first time, the difference is positive.
Step 243, obtaining the sum of the difference and the second time as the adjusted expiration time of the first token.
For example, if the first time is 15:00, the time for monitoring the trigger operation of the sender of the first network request is 15:20 and the expiration time of the first token is 15:30, the difference between the expiration time and the first time is 30 minutes. When a trigger operation of the sender is monitored at 15:20, the expiration time of the first token is adjusted to 15:20 + 30 minutes, that is, 15:50.
In summary, the embodiment shown in fig. 5 has the benefit that, by extending the expiration time of the first token by the length of its validity period from the moment a trigger operation is observed, the user's operation is, to a greater extent, not interrupted by token expiration, improving the user experience.
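The monitoring schedule of fig. 4 (fixed-length periods and the 20, 15, 10, 5 arithmetic sequence) and the sliding adjustment of fig. 5, run repeatedly until the token expires as the earlier embodiment requires, as an added example that is not code from the patent. The formula-based schedule of the third fig. 4 embodiment is not reproduced here because its expression does not survive in the text. Two caveats are built in: the difference added at each adjustment is taken from the original expiration time and first time, because feeding the already adjusted expiration time back in would make the extension grow with every round; and a `max_lifetime` cap is added (my addition, not in the patent), since otherwise a sender that keeps triggering keeps the token alive indefinitely. The trigger times are constructed.

```python
from datetime import datetime, timedelta
from itertools import repeat


def monitoring_windows(first_time, expires_at, intervals):
    """Fig. 4: successive monitoring periods counted from the first time.
    `intervals` is either one integer x (every x minutes) or a sequence of minute
    lengths such as the arithmetic sequence [20, 15, 10, 5]. Windows are cut off
    at the token's expiration time."""
    lengths = repeat(intervals) if isinstance(intervals, int) else iter(intervals)
    windows, start = [], first_time
    for minutes in lengths:
        if minutes <= 0:
            raise ValueError("monitoring period must be positive")
        if start >= expires_at:
            break
        end = min(start + timedelta(minutes=minutes), expires_at)
        windows.append((start, end))
        start = end
    return windows


def sliding_adjust(first_time, expires_at, second_time):
    """Fig. 5: adjusted expiration time = second time + (expiration time - first time)."""
    difference = expires_at - first_time
    if difference <= timedelta(0):
        raise ValueError("expiration time must be later than the first time")
    return second_time + difference


def run_lifecycle(first_time, expires_at, interval_minutes, trigger_times, max_lifetime=None):
    """Monitor at the end of every fixed window until the token expires. When the
    sender triggered inside a window, move the expiration time forward from that
    monitoring time by the original validity period (fig. 5). `max_lifetime` is an
    added hard cap measured from the first time. Returns the final expiration time
    and the list of (monitoring time, new expiration time) adjustments made."""
    original_expiry = expires_at
    hard_limit = first_time + max_lifetime if max_lifetime else None
    window_start = first_time
    monitor_at = first_time + timedelta(minutes=interval_minutes)
    history = []
    while monitor_at <= expires_at:
        if any(window_start <= t < monitor_at for t in trigger_times):
            new_expiry = sliding_adjust(first_time, original_expiry, monitor_at)
            if hard_limit is not None:
                new_expiry = min(new_expiry, hard_limit)
            if new_expiry > expires_at:
                expires_at = new_expiry
                history.append((monitor_at, expires_at))
        window_start = monitor_at
        monitor_at += timedelta(minutes=interval_minutes)
    return expires_at, history


def fmt(dt):
    return dt.strftime("%H:%M")


def run_example():
    """The worked figures from the text plus a constructed trigger log."""
    first = datetime(2019, 7, 12, 18, 0)
    seq_windows = monitoring_windows(first, first + timedelta(minutes=50), [20, 15, 10, 5])
    fixed_windows = monitoring_windows(first, first + timedelta(minutes=12), 5)
    t0 = datetime(2019, 7, 12, 15, 0)
    triggers = [t0 + timedelta(minutes=m) for m in (5, 27, 42)]   # constructed sender activity
    final, history = run_lifecycle(t0, t0 + timedelta(minutes=30), 10, triggers)
    capped, _ = run_lifecycle(t0, t0 + timedelta(minutes=30), 10, triggers,
                              max_lifetime=timedelta(minutes=60))
    return {
        "arithmetic_windows": [f"{fmt(a)}-{fmt(b)}" for a, b in seq_windows],
        "fixed_windows": [f"{fmt(a)}-{fmt(b)}" for a, b in fixed_windows],
        "fig5_example": fmt(sliding_adjust(t0, t0 + timedelta(minutes=30), t0 + timedelta(minutes=20))),
        "final_expiry": fmt(final),
        "adjustments": [f"{fmt(m)}->{fmt(e)}" for m, e in history],
        "capped_final_expiry": fmt(capped),
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(key, value)
```

With triggers at 15:05, 15:27 and 15:42 the uncapped token is extended three times and finally expires at 16:20; with a 60-minute cap it can never outlive 16:00, whatever the sender does.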
Fig. 6 is a flowchart illustrating details of step 240 of another embodiment according to the corresponding embodiment of fig. 2. As shown in fig. 6, step 240 includes the following steps:
step 241', when the trigger operation of the sending end of the first network request is monitored at the time, the type of the trigger operation is obtained.
In one embodiment, each trigger operation corresponds to a service name, and the service name of the trigger operation is used as the type of the trigger operation.
For example, for each trigger operation of the sender of the first network request that is monitored, the service name corresponding to the trigger operation can be obtained and used as the type of the trigger operation.
Step 242', determining an adjustment manner of the expiration time of the first token according to the type of the trigger operation.
In an embodiment, the determining the adjustment mode of the expiration time of the first token according to the type of the trigger operation includes:
taking the following formula, established on the basis of the risk level corresponding to the trigger operation, as the adjustment mode of the expiration time of the first token:
Figure BDA0002128555360000131
wherein α is the adjusted expiration time, β is the expiration time, M is the difference between the expiration time and the validation time of the first token, and γ is the risk level. It can be seen that the higher the risk level γ, the smaller the adjusted expiration time α, that is, the earlier the adjusted expiration time. For example, trigger operations of types such as financial-client operations, transfers, password modification and changing the bound mobile phone number may have risk level 3, trigger operations such as querying transaction records and querying personal information may have risk level 2, and trigger operations such as browsing new messages and viewing news may have risk level 1. Compared with a trigger operation of a lower risk level, a trigger operation of a higher risk level thus extends the first token less: the higher the risk level of the trigger operation, the shorter the final extension even though the expiration time of the first token is still postponed, which improves security.
The advantage of this embodiment is that different adjustment modes of the expiration time are used according to the type of trigger operation monitored, so that a trigger operation still postpones the expiration time of the first token while the length by which a high-risk trigger operation can prolong it is reduced, thereby limiting, to a certain extent, the risk introduced by extending the token's expiration time.
Step 243', according to the adjustment manner, adjusting the expiration time of the first token to obtain the adjusted expiration time of the first token.
In summary, in the embodiment shown in fig. 6, different adjustment modes are used to adjust the expiration time of the first token according to the type of trigger operation, so that the adjusted expiration time of the first token is more reasonable and matches the user's trigger operations more closely.
The disclosure also provides a network request security verification device, and the following is an embodiment of the device.
Fig. 7 is a block diagram illustrating a network request security verification apparatus according to an example embodiment. As shown in fig. 7, the apparatus 700 includes:
a receiving module 710 configured to receive a first network request.
A sending module 720, configured to generate a first token according to the first network request and send the first token to a sender of the first network request, where the first token includes an expiration time of the first token.
A determining module 730 configured to determine a time for a sender trigger operation of the first network request to be monitored.
An adjusting module 740, configured to, when the trigger operation of the sender of the first network request is monitored at the time, adjust the expiration time of the first token according to the trigger operation, so as to obtain an adjusted expiration time of the first token.
A confirming module 750 configured to confirm that the second network request is legal when the second network request carrying the first token is received before the adjusted expiration time.
According to a third aspect of the present disclosure, there is also provided an electronic device capable of implementing the above method.
As will be appreciated by one skilled in the art, aspects of the present invention may be embodied as a system, method or program product. Thus, various aspects of the invention may be embodied in the form of: an entirely hardware embodiment, an entirely software embodiment (including firmware, microcode, etc.) or an embodiment combining hardware and software aspects that may all generally be referred to herein as a "circuit," "module," or "system."
An electronic device 800 according to this embodiment of the invention is described below with reference to fig. 8. The electronic device 800 shown in fig. 8 is only an example and should not bring any limitations to the function and scope of use of the embodiments of the present invention.
As shown in fig. 8, electronic device 800 is in the form of a general purpose computing device. The components of the electronic device 800 may include, but are not limited to: the at least one processing unit 810, the at least one memory unit 820, and a bus 830 that couples the various system components including the memory unit 820 and the processing unit 810.
Wherein the storage unit stores program code that can be executed by the processing unit 810, such that the processing unit 810 performs the steps according to various exemplary embodiments of the present invention described in the "example methods" section above in this specification.
The storage unit 820 may include readable media in the form of volatile storage units, such as a random access storage unit (RAM) 821 and/or a cache storage unit 822, and may further include a read only storage unit (ROM) 823.
Storage unit 820 may also include a program/utility 824 having a set (at least one) of program modules 825, such program modules 825 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each of which, or some combination thereof, may comprise an implementation of a network environment.
Bus 830 may be any of several types of bus structures including a memory unit bus or memory unit controller, a peripheral bus, an accelerated graphics port, a processing unit, or a local bus using any of a variety of bus architectures.
The electronic device 800 may also communicate with one or more external devices 1000 (e.g., keyboard, pointing device, bluetooth device, etc.), with one or more devices that enable a user to interact with the electronic device 800, and/or with any devices (e.g., router, modem, etc.) that enable the electronic device 800 to communicate with one or more other computing devices. Such communication may occur via input/output (I/O) interfaces 850. Also, the electronic device 800 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network, such as the internet) via the network adapter 860. As shown, the network adapter 860 communicates with the other modules of the electronic device 800 via the bus 830. It should be appreciated that although not shown, other hardware and/or software modules may be used in conjunction with the electronic device 800, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, or by software in combination with necessary hardware. Therefore, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a usb disk, a removable hard disk, etc.) or on a network, and includes several instructions to enable a computing device (which may be a personal computer, a server, a terminal device, or a network device, etc.) to execute the method according to the embodiments of the present disclosure.
According to a fourth aspect of the present disclosure, there is also provided a computer-readable storage medium having stored thereon a program product capable of implementing the above-mentioned method of the present specification. In some possible embodiments, aspects of the invention may also be implemented in the form of a program product comprising program code means for causing a terminal device to carry out the steps according to various exemplary embodiments of the invention described in the above section "exemplary methods" of the present description, when said program product is run on the terminal device.
Referring to fig. 9, a program product 900 for implementing the above method according to an embodiment of the present invention is described, which may employ a portable compact disc read only memory (CD-ROM) and include program code, and may be run on a terminal device, such as a personal computer. However, the program product of the present invention is not limited in this regard and, in the present document, a readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
A computer readable signal medium may include a propagated data signal with readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
Furthermore, the above-described figures are merely schematic illustrations of processes involved in methods according to exemplary embodiments of the invention, and are not intended to be limiting. It will be readily understood that the processes shown in the above figures are not intended to indicate or limit the chronological order of the processes. In addition, it is also readily understood that these processes may be performed synchronously or asynchronously, e.g., in multiple modules.
It will be understood that the invention is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the invention is limited only by the appended claims.

Claims (7)

1. A network request security verification method, the method comprising:
receiving a first network request;
generating a first token according to the first network request and sending the first token to a sending end of the first network request, wherein the first token comprises the expiration time of the first token;
determining the time for monitoring the trigger operation of the sending end of the first network request; the determining the time for monitoring the trigger operation of the sending end of the first network request includes: acquiring the time for sending the first token to the sending end of the first network request as a first time; acquiring a time period of x minutes from the first time at each interval, wherein x is a positive integer, as the time for monitoring the trigger operation of the sending end of the first network request; wherein the time x minutes of each interval from the first time is determined by: acquiring a first parameter value according to the expiration time of the first token; determining the time x minutes of each interval from the first time by using the first parameter value; the acquiring a first parameter value according to the expiration time of the first token includes: obtaining the first parameter value by the following expression:
Figure FDA0003180672940000011
wherein M is the difference between the expiration time and the validation time of the first token, n is the sequence number of the current monitoring period among the x-minute periods used as times for monitoring the trigger operation of the sending end of the first network request, and y is the first parameter value; said determining, using said first parameter value, the time x minutes of each interval from said first time, includes: acquiring the smallest integer greater than the first parameter value y as the number of minutes x of each interval from the first time;
when the trigger operation of the sending end of the first network request is monitored at the time, adjusting the expiration time of the first token according to the trigger operation to obtain the adjusted expiration time of the first token;
and when a second network request carrying the first token is received before the adjusted expiration time, confirming that the second network request is legal.
2. The method of claim 1, wherein generating a first token according to the first network request and sending the first token to a sender of the first network request comprises:
generating a pending first token according to the first network request, wherein the pending first token does not contain an expiration time;
determining a type of the first network request;
determining the expiration time of a first token to be generated according to the type;
and adding the expiration time into the to-be-determined first token to generate a first token, and sending the first token to a sending end of the first network request.
3. The method of claim 1, wherein the time for monitoring the trigger operation of the sender of the first network request is a second time, and the adjusting the expiration time of the first token according to the trigger operation when the trigger operation of the sender of the first network request is monitored at the time to obtain the adjusted expiration time of the first token comprises:
acquiring time for sending the first token to a sending end of the first network request as first time;
determining a difference between the expiration time and the first time;
and acquiring the sum of the difference and the second time as the adjusted expiration time of the first token.
4. The method of claim 1, wherein the adjusting the expiration time of the first token according to the triggering operation when the triggering operation of the sender of the first network request is monitored at the time to obtain the adjusted expiration time of the first token comprises:
when the trigger operation of the sending end of the first network request is monitored at the time, the type of the trigger operation is obtained;
determining an adjustment mode of the expiration time of the first token according to the type of the trigger operation;
and adjusting the expiration time of the first token according to the adjustment mode to obtain the adjusted expiration time of the first token.
5. A network request security verification apparatus, the apparatus comprising:
a receiving module configured to receive a first network request;
a sending module configured to generate a first token according to the first network request and send the first token to a sender of the first network request, wherein the first token includes an expiration time of the first token;
a determining module configured to determine a time for monitoring the trigger operation of the sending end of the first network request; the determining the time for monitoring the trigger operation of the sending end of the first network request includes: acquiring the time for sending the first token to the sending end of the first network request as a first time; acquiring a time period of x minutes from the first time at each interval, wherein x is a positive integer, as the time for monitoring the trigger operation of the sending end of the first network request; wherein the time x minutes of each interval from the first time is determined by: acquiring a first parameter value according to the expiration time of the first token; determining the time x minutes of each interval from the first time by using the first parameter value; the acquiring a first parameter value according to the expiration time of the first token includes: obtaining the first parameter value by the following expression:
Figure FDA0003180672940000021
wherein M is the difference between the expiration time and the validation time of the first token, n is the sequence number of the current monitoring period among the x-minute periods used as times for monitoring the trigger operation of the sending end of the first network request, and y is the first parameter value; said determining, using said first parameter value, the time x minutes of each interval from said first time, includes: acquiring the smallest integer greater than the first parameter value y as the number of minutes x of each interval from the first time;
the adjusting module is configured to adjust the expiration time of the first token according to the triggering operation when the triggering operation of the sending end of the first network request is monitored at the time, so as to obtain the adjusted expiration time of the first token;
a confirmation module configured to confirm that the second network request is legitimate when the second network request carrying the first token is received before the adjusted expiration time.
6. A computer-readable program medium, characterized in that it stores computer program instructions which, when executed by a computer, cause the computer to perform the method according to any one of claims 1 to 4.
7. An electronic device, characterized in that the electronic device comprises:
a processor;
a memory having stored thereon computer readable instructions which, when executed by the processor, implement the method of any of claims 1 to 4.
CN201910630624.4A 2019-07-12 2019-07-12 Network request security verification method, device, medium and electronic equipment Active CN110445615B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201910630624.4A CN110445615B (en) 2019-07-12 2019-07-12 Network request security verification method, device, medium and electronic equipment
PCT/CN2019/117695 WO2021008034A1 (en) 2019-07-12 2019-11-12 Method and apparatus for network request security verification, and computing device and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910630624.4A CN110445615B (en) 2019-07-12 2019-07-12 Network request security verification method, device, medium and electronic equipment

Publications (2)

Publication Number Publication Date
CN110445615A CN110445615A (en) 2019-11-12
CN110445615B true CN110445615B (en) 2021-08-31

Family

ID=68429656

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910630624.4A Active CN110445615B (en) 2019-07-12 2019-07-12 Network request security verification method, device, medium and electronic equipment

Country Status (2)

Country Link
CN (1) CN110445615B (en)
WO (1) WO2021008034A1 (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112003852B (en) * 2020-08-19 2022-11-25 中国建设银行股份有限公司 Resource access control method, device, equipment and storage medium
CN112528262A (en) * 2020-12-10 2021-03-19 平安科技(深圳)有限公司 Application program access method, device, medium and electronic equipment based on token
CN112671720B (en) * 2020-12-10 2022-05-13 苏州浪潮智能科技有限公司 Token construction method, device and equipment for cloud platform resource access control
CN113179191A (en) * 2021-04-01 2021-07-27 众安信息技术服务有限公司 Network performance monitoring method and device and electronic equipment
CN113656774B (en) * 2021-08-17 2024-06-21 维沃移动通信(杭州)有限公司 Unlocking method and unlocking device of electronic equipment

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103634316A (en) * 2013-11-26 2014-03-12 乐视网信息技术(北京)股份有限公司 Account login method and electronic equipment
CN104239772A (en) * 2014-08-25 2014-12-24 联想(北京)有限公司 Information processing method and electronic equipment
CN104901933A (en) * 2014-08-12 2015-09-09 腾讯科技(深圳)有限公司 Traffic permit allocation method and device, user equipment, application server and system
CN107425977A (en) * 2017-04-28 2017-12-01 北京海泰方圆科技股份有限公司 Dynamic token method for synchronizing time and device
CN108900559A (en) * 2018-09-26 2018-11-27 平安普惠企业管理有限公司 Management method, device, computer equipment and the storage medium of logging on authentication
CN109379193A (en) * 2018-12-06 2019-02-22 佛山科学技术学院 A kind of dynamic anti-replay-attack authentication method and device

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8898091B2 (en) * 2011-05-11 2014-11-25 Ari M. Frank Computing situation-dependent affective response baseline levels utilizing a database storing affective responses
CN105450587B (en) * 2014-07-28 2018-08-24 国际商业机器公司 Method and apparatus for protecting Network Communicate Security
CN106411825A (en) * 2015-08-03 2017-02-15 天脉聚源(北京)科技有限公司 WeChat access token acquisition method and system thereof
US10505946B2 (en) * 2016-11-15 2019-12-10 Vmware, Inc. Adaptive token cache management
US20190114632A1 (en) * 2017-10-13 2019-04-18 John D. Rome Method and system to provide attribution to blockchain transactions
CN109802941A (en) * 2018-12-14 2019-05-24 平安科技(深圳)有限公司 A kind of login validation method, device, storage medium and server

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103634316A (en) * 2013-11-26 2014-03-12 乐视网信息技术(北京)股份有限公司 Account login method and electronic equipment
CN104901933A (en) * 2014-08-12 2015-09-09 腾讯科技(深圳)有限公司 Traffic permit allocation method and device, user equipment, application server and system
CN104239772A (en) * 2014-08-25 2014-12-24 联想(北京)有限公司 Information processing method and electronic equipment
CN107425977A (en) * 2017-04-28 2017-12-01 北京海泰方圆科技股份有限公司 Dynamic token method for synchronizing time and device
CN108900559A (en) * 2018-09-26 2018-11-27 平安普惠企业管理有限公司 Management method, device, computer equipment and the storage medium of logging on authentication
CN109379193A (en) * 2018-12-06 2019-02-22 佛山科学技术学院 A kind of dynamic anti-replay-attack authentication method and device

Also Published As

Publication number Publication date
CN110445615A (en) 2019-11-12
WO2021008034A1 (en) 2021-01-21

Similar Documents

Publication Publication Date Title
CN110445615B (en) Network request security verification method, device, medium and electronic equipment
CN112333198B (en) Secure cross-domain login method, system and server
KR101850677B1 (en) Method and system for determining whether a terminal logging into a website is a mobile terminal
CN111416822B (en) Method for access control, electronic device and storage medium
CN105354451B (en) Access authentication method and system
US11277404B2 (en) System and data processing method
CN107547548B (en) Data processing method and system
US20160248593A1 (en) Complete forward access sessions
EP4432144A2 (en) Anonymous event attestation with group signatures
CN112511316B (en) Single sign-on access method and device, computer equipment and readable storage medium
CN112887284B (en) Access authentication method and device, electronic equipment and readable medium
US20240187420A1 (en) Securing browser cookies
CN112511565B (en) Request response method and device, computer readable storage medium and electronic equipment
CN113225351B (en) Request processing method and device, storage medium and electronic equipment
CN112968910A (en) Replay attack prevention method and device
CN107294931B (en) Method and apparatus for adjusting restricted access frequency
CN111092864B (en) Session protection method, device, equipment and readable storage medium
CN116961918A (en) Token acquisition method and device
CN113225348B (en) Request anti-replay verification method and device
CN113765876B (en) Report processing software access method and device
CN112330366A (en) Redemption code redemption request verification method, apparatus, device and computer readable medium
Ying Research on multi-level security of shibboleth authentication mechanism
CN114584556B (en) File transmission method and device
US11647031B2 (en) Determining an origin server is potentially compromised
KR102562178B1 (en) Prevention of data manipulation of communication network measurements and protection of user privacy

Legal Events

Date Code Title Description
PB01 Publication
CB02 Change of applicant information

Address after: Room 201, Building A, No. 1 Qianwan Road, Qianhai Shenzhen-Hong Kong Cooperation Zone, Shenzhen, Guangdong 518000 (Qianhai Business Secretary)

Applicant after: Pingan Pu Hui Enterprise Management Co., Ltd.

Address before: Room 201, Building A, No. 1 Qianwan Road, Qianhai Shenzhen-Hong Kong Cooperation Zone, Shenzhen, Guangdong 518000

Applicant before: Pingan Pu Hui Enterprise Management Co., Ltd.

SE01 Entry into force of request for substantive examination
GR01 Patent grant