CN110650117A - Cross-site attack protection method, device, equipment and storage medium - Google Patents
Cross-site attack protection method, device, equipment and storage medium Download PDFInfo
- Publication number
- CN110650117A CN110650117A CN201910706703.9A CN201910706703A CN110650117A CN 110650117 A CN110650117 A CN 110650117A CN 201910706703 A CN201910706703 A CN 201910706703A CN 110650117 A CN110650117 A CN 110650117A
- Authority
- CN
- China
- Prior art keywords
- cross
- site
- access
- attack
- probability
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention relates to the technical field of network security, and discloses a cross-site attack protection method, which comprises the following steps: detecting codes of the external network access request through a preset lexical combination rule, setting an access identifier in the external network access request to mark whether the codes have characters of malicious attack, and performing attack defense processing based on the external network access request of which the codes do not accord with the lexical combination rule and/or have the access identifier; the invention also provides a cross-site attack protection device, equipment and a storage medium, marking based on the method can not only improve the identification efficiency of the access script code, but also improve the identification precision, and when characters of malicious attack exist, the external network access request loses the attack capability through shielding, replacing and other methods, thereby achieving the function of cross-site attack defense, improving the safety of the system and ensuring the data safety of the website.
Description
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a method, an apparatus, a device, and a computer-readable storage medium for cross-site attack protection.
Background
With the continuous development of network technology, networks have become a part of people's real life, various services are realized through networks at present, and meanwhile, with the development, the networks also become important platforms and carriers for realizing intellectualization in the future. To improve the user experience, scripting languages are used extensively in web applications. With the continuous open use of network design codes, Script codes are tampered to form Cross Site Script (XSS) attacks, which become one of the most serious security problems of the internet at present.
The XSS attack means that a malicious attacker inserts a malicious script program code into a webpage (Web), and when a user browses the webpage, the malicious script program code embedded in the Web is executed, so that the user is maliciously attacked, and the problems that the privacy of the user is leaked, a client computer is infected with viruses, enterprise data is controlled, important data with commercial value of an enterprise are stolen, illegal account transfer is carried out, electronic mails are forcibly sent, a website is hung on a horse, and a victim machine is controlled to send attacks to other websites and the like are solved.
Disclosure of Invention
The invention mainly aims to provide a cross-site attack protection method, a cross-site attack protection device, cross-site attack protection equipment and a computer readable storage medium, and aims to solve the technical problem that the accuracy of the existing cross-site access defense is low.
In order to achieve the above object, the present invention provides a cross-site attack protection method, which comprises the following steps:
acquiring an external network access request received by a network side, wherein the external network access request is a set containing at least one cross-site access script code for realizing cross-site data access;
detecting whether a malicious program exists in an HTTP data packet used for responding cross-site access in a cross-site access script code carried by the external network access request or not according to a predefined lexical combination rule, wherein the lexical combination rule is a model obtained by analyzing a currently known malicious attack program;
if the malicious program exists, detecting whether an access identifier exists in the cross-site access script code, wherein the access identifier is defined based on a preset user rule;
if the access identifier exists, judging whether characters with attack capability exist in the cross-site access script code;
if the character exists in the cross-site access script code, screening out the character with the attack capability in the cross-site access script code according to the access identifier, and performing cross-site script defense processing on the cross-site access script code.
Optionally, the step of detecting whether a malicious program exists in an HTTP data packet for responding to cross-site access in a cross-site access script code carried by the extranet access request according to a predefined lexical combination rule includes:
executing the cross-site access script code to perform simulated operation, and capturing an active label on each access page of an HTTP data packet during operation;
calculating the reciprocal of the label probability of the active label in the cross-station access script code, and adding the reciprocal to obtain an arithmetic mean value as an embedded JavaScript reasonable index of the active label;
classifying the cross-site access script codes according to the reasonable indexes;
wherein the active tag is a tag which has no other active tag with the cross-site access script code, and the tag probability is a probability that the active tag directly appears on the cross-site access script code.
Optionally, the step of screening out characters with an attack capability in the cross-site access script code according to the access identifier, and performing cross-site script defense processing on the cross-site access script code includes:
extracting characters with attack capability in the cross-site access script codes;
calculating the character probability of the character appearing in the external network access request;
comparing the character probability with the preset probability level of information leakage;
and if the character probability is greater than the probability level, starting an access protection program to perform cross-site script defense processing on the access request.
Optionally, the calculating a character probability that the character appears in the extranet access request includes:
calling all historical access records of cross-site attacks in the network side, and counting the total number of cross-site access script codes of all the historical access records;
counting the occurrence times of the characters in all the historical access records;
and calculating the character probability of the characters appearing in the extranet access request according to the appearance times and the total number.
Optionally, the calculating, according to the occurrence number and the total number, a character probability that the character occurs in the extranet access request includes:
dividing said number of occurrences by said total number to obtain a percentage value;
and multiplying the percentage value by a weight coefficient to obtain the final character probability, wherein the calculation formula is as follows:
wherein, P is the probability of the occurrence of the character with the attack capability, M is the occurrence number, M is the total number of the cross-station access script codes, and α is a weight coefficient.
Optionally, the probability levels include three levels from low to high, and the performing cross-site scripting defense processing on the cross-site access script code includes:
if the character probability is greater than the first probability level and less than the second probability level, shielding the corresponding characters or the whole codes in the cross-site access script codes;
if the character probability is greater than the second probability level and less than a third probability level, replacing characters or the whole code in the cross-site access script code;
and if the character probability is greater than a third probability level, deleting the cross-site access script code from the external network access request.
Optionally, the performing cross-site scripting defense processing on the cross-site access script code further includes:
when the character probability is higher than a third probability level, performing functionality evaluation on the cross-site access script code, and determining whether the cross-site access script code is a necessary function access code in the external network access request;
if so, the cross-site access script code is reserved in the extranet access request, and the character with the attack capability is replaced by a preset safety character, wherein the safety character is a symbol only realizing the filling function of the code bit number.
In addition, to achieve the above object, the present invention further provides a cross-site attack protecting apparatus, which is characterized in that the cross-site attack protecting apparatus includes:
the system comprises an acquisition module, a storage module and a processing module, wherein the acquisition module is used for acquiring an external network access request received by a network side, and the external network access request is a set containing at least one cross-site access script code for realizing cross-site data access;
the detection module is used for detecting whether a malicious program exists in an HTTP data packet used for responding cross-site access in a cross-site access script code carried by the external network access request according to a predefined lexical combination rule, wherein the lexical combination rule is a model obtained by analyzing a currently known malicious attack program; the cross-site access script code is used for detecting whether an access identifier exists in the cross-site access script code when a malicious program exists, wherein the access identifier is defined based on a preset user rule;
the judging module is used for judging whether characters with attack capability exist in the cross-site access script codes or not if the access identification exists;
and the defense processing module is used for screening out the characters with the attack capability in the cross-site access script codes according to the access identification if the characters exist in the cross-site access script codes, and performing cross-site script defense processing on the cross-site access script codes.
Optionally, the detection module includes a simulation operation unit, a calculation unit and a classification unit;
the simulation operation unit is used for executing the cross-site access script codes to perform simulation operation and capturing an active label on each access page of the HTTP data packet during operation;
the calculating unit is used for calculating the reciprocal of the label probability of the active label in the cross-site access script code, and adding the reciprocal to obtain an arithmetic mean value as an embedded JavaScript reasonable index of the active label;
the classification unit is used for classifying the cross-site access script codes according to the reasonable indexes;
wherein the active tag is a tag which has no other active tag with the cross-site access script code, and the tag probability is a probability that the active tag directly appears on the cross-site access script code.
Optionally, the defense processing module includes an extraction unit, a probability calculation unit, a comparison unit, and a protection unit;
the extracting unit is used for extracting characters with attack capability in the cross-site access script codes;
the probability calculation unit is used for calculating the character probability of the character appearing in the extranet access request;
the comparison unit is used for comparing the character probability with the preset information divulgence probability level;
and the protection unit is used for starting an access protection program to perform cross-site script defense processing on the access request when the character probability is greater than the probability level.
Optionally, the probability calculation unit is configured to retrieve all historical access records of the network side where cross-site attacks occur, and count the total number of cross-site access script codes of all the historical access records; counting the occurrence times of the characters in all the historical access records; and calculating the character probability of the characters appearing in the extranet access request according to the appearance times and the total number.
Optionally, the probability calculation unit is configured to divide the occurrence number by the total number to obtain a percentage value; and multiplying the percentage value by a weight coefficient to obtain the final character probability, wherein the calculation formula is as follows:
wherein, P is the probability of the occurrence of the character with the attack capability, M is the occurrence number, M is the total number of the cross-station access script codes, and α is a weight coefficient.
Optionally, the probability levels include three levels from low to high, and the defense unit is configured to, when the character probability is greater than a first probability level and less than a second probability level, perform shielding processing on a corresponding character or an entire code in the cross-site access script code;
when the character probability is greater than the second probability level and less than a third probability level, replacing characters or the whole code in the cross-site access script code;
and when the character probability is greater than a third probability level, deleting the cross-site access script code from the external network access request.
Optionally, the cross-site attack protection apparatus further includes an evaluation module, configured to perform functionality evaluation on the cross-site access script code after the character probability is greater than a third probability level, and determine whether the cross-site access script code is a necessary function access code in the extranet access request; if so, the cross-site access script code is reserved in the extranet access request, and the character with the attack capability is replaced by a preset safety character, wherein the safety character is a symbol only realizing the filling function of the code bit number.
In addition, to achieve the above object, the present invention provides a cross-site attack protecting device, including: the system comprises a memory, a processor and a cross-site attack protection program which is stored on the memory and can run on the processor, wherein the cross-site attack protection program realizes the steps of the cross-site attack protection method according to any one of the above items when being executed by the processor.
In addition, to achieve the above object, the present invention further provides a computer readable storage medium, which stores a cross-site attack protection program, and when the cross-site attack protection program is executed by a processor, the computer readable storage medium implements the steps of the cross-site attack protection method according to any one of the above items.
According to the invention, the cross-site attack protection processing is carried out on the extranet access request, specifically, the access identifier is set in the request and the lexical combination detection is carried out on the code, so that the identification efficiency of the access script code is improved and the identification precision is also improved based on the marking mode, and when characters with malicious attack exist, the extranet access request loses the attack capability through the modes of shielding, replacing and the like, thereby achieving the function of cross-site attack defense, improving the safety degree of the system and ensuring the data safety of the website.
Drawings
Fig. 1 is a schematic structural diagram of a base station operating environment according to an embodiment of the present invention;
FIG. 2 is a flowchart illustrating a cross-site attack protection method according to a first embodiment of the present invention;
FIG. 3 is a flowchart illustrating a cross-site attack protection method according to a second embodiment of the present invention;
fig. 4 is a functional module diagram of the cross-site attack protection device according to the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
The invention provides cross-site attack protection equipment.
Referring to fig. 1, fig. 1 is a schematic structural diagram of an operating environment of a cross-site attack protection device according to an embodiment of the present invention.
As shown in fig. 1, the cross-site attack protection device includes: a processor 101, e.g. a CPU, a communication bus 102, a user interface 103, a network interface 104, a memory 105. Wherein the communication bus 102 is used for enabling connection communication between these components. The user interface 103 may comprise a Display screen (Display), an input unit such as a Keyboard (Keyboard), and the network interface 104 may optionally comprise a standard wired interface, a wireless interface (e.g. WI-FI interface). The memory 105 may be a high-speed RAM memory or a non-volatile memory (e.g., a disk memory). The memory 105 may alternatively be a storage device separate from the processor 101 described above.
It will be appreciated by those skilled in the art that the hardware configuration of the cross-site attack protection device shown in fig. 1 does not constitute a limitation of the cross-site attack protection device of the present invention, and may include more or less components than those shown, or some components in combination, or a different arrangement of components.
As shown in fig. 1, the memory 105, which is a kind of computer-readable storage medium, may include therein an operating system, a network communication module, a user interface module, and a cross-site attack prevention program. The operating system is a program for managing and controlling the cross-site attack protection equipment and software resources, and supports the operation of the cross-site attack protection program and other software and/or programs.
In the hardware structure of the cross-site attack protection device shown in fig. 1, the network interface 104 is mainly used for accessing a network; the user interface 103 is mainly used for detecting a code scanning operation instruction and a payment input instruction for confirming a user terminal, and the like, and the processor 101 may be used for calling a cross-site attack protection program stored in the memory 105 and executing the following operations of the embodiments of the cross-site attack protection method.
In the embodiment of the present invention, the implementation shown in fig. 1 may also be a mobile terminal, where a processor of the mobile terminal performs cross-site data access by reading a program code, which is stored in a buffer or a storage unit and can implement a cross-site attack protection method.
Based on the hardware structure of the cross-site attack protection equipment, the invention provides various embodiments of the cross-site attack protection method.
Referring to fig. 2, fig. 2 is a flowchart of a cross-site attack protection method according to an embodiment of the present invention. In this embodiment, the method for protecting against cross-site attacks specifically includes the following steps:
step S210, obtaining an extranet access request received by a network side, wherein the extranet access request is a set containing at least one cross-site access script code for realizing cross-site data access;
in this step, the extranet access request refers to a request sent by a user on a non-accessed network side, such as a relationship between an intranet and an Internet network in a certain company. The extranet access request consists of a plurality of script codes, wherein the script codes can be one script code, and the script codes comprise a plurality of data access modes; it may also be composed of a plurality of script codes, each corresponding to the access of one kind of data. In practical application, the access script code in the extranet access request can also be understood as a finished access code, and when access is needed, the code is downloaded to a corresponding accessed terminal; it may also be a triggered script code, i.e. the actual access script code is stored in the accessed terminal and needs to be controlled by the trigger code in the request.
Step S220, detecting whether a malicious program exists in an HTTP data packet used for responding cross-site access in a cross-site access script code carried by the external network access request according to a predefined lexical combination rule, wherein the lexical combination rule is a model obtained by analyzing a currently known malicious attack program;
in this step, the specific principle of detecting whether a malicious webpage program exists is to perform cluster analysis on cross-site access script codes in the extranet access request, specifically, analyze an access interface of a webpage in the code, preliminarily determine a lexical combination form of the access program based on the interface, classify the access program into a same family, analyze lexical combination rules according to all access programs (namely, access codes) in the same family, find out which danger functions, system resources, suspicious tags, key classes, objects and the like are called in the same family program, finally define lexical analysis and detection rules according to the lexical order of the elements, and finally determine whether the access code belongs to the malicious webpage program. Compared with the traditional IPS rule and WAF rule, the detection mode in the step can effectively avoid the problem that misjudgment of the malicious program is caused because single characteristics are bypassed.
Step S230, if a malicious program exists, detecting whether an access identifier exists in the cross-site access script code, wherein the access identifier is defined based on a preset user rule;
in this step, the user rule definition should be understood as an access rule customized for access manners and information storage manners of different web pages, and an access identifier is set by the access rule, and after the web page server or the user terminal receives the access identifier, the data access to the web page can be realized by querying and selecting an access manner matched with the access identifier according to a predefined corresponding relationship.
Furthermore, there are some web page settings that require special access, for example, some codes or characters that are defined by the network as illegal access are used to implement special access, but these codes or characters are set by the system as credible access terms, and then they can be set by the access identifier, so as to implement filtering of special codes or characters.
In this embodiment, the malicious web page program detected in step S20 may be a result primarily determined to be malicious, and then the access identifier is determined in step S30, so that the result primarily determined is accurately determined, and the phenomenon of mistakenly determining malicious web page programs is avoided.
Step S240, if the access identification exists, judging whether characters with attack capability exist in the cross-site access script code;
in practical application, because the code setting of the external network access request is a public setting mode, the difference is that some check parameters or encryption are added into the code, and the security processing modes are basically the same and different things and are often cracked, so that some malicious codes are added to realize the acquisition of user information.
Then, the decomposition processing is performed on the source program to divide the keywords into individual keywords, and the keywords are divided based on the accessible data, that is, the divided keywords can be accessed by individual small bytes.
For judging whether characters with attack capability exist in the access script codes or not, specifically for detecting the keywords, the detection can be determined through comparison of a feature library or network definition for each keyword in a network;
when the judgment is made by comparing the feature libraries, each keyword obtained by division is inquired from a preset attack information library, if the inquiry exists in the attack information library, script codes with the inquired keywords in the external network access request are screened out according to the keywords, and then step S50 is executed to perform script defense processing.
In practical application, the establishment of the attack information base is specifically formed according to malicious code keywords obtained by a server through ordinary testing, and meanwhile, the offensive keywords identified on the network are also obtained from the network to form the attack information base, and certain rarely-used or more rarely-used code words can be selected according to the source code development habits of users to form the attack information base. When this type of code field is detected, a special attention judgment is required.
Further, when the definition in the network is used for determining, the common definition or the special definition of the network is obtained from the network by the keyword to be detected, and whether the keyword can be used for performing an attack is determined by the definition, some attack code programs or special use code programs are generally published on the network, and whether an access request is offensive is performed through the codes.
And step S250, if the characters exist in the cross-site access script codes, screening out the characters with the attack capability in the cross-site access script codes according to the access identification, and performing cross-site script defense processing on the cross-site access script codes.
In this embodiment, the cross-site scripting defense processing is mainly to perform shielding, deleting or replacing processing on the character with the attack capability or the whole cross-site access script code where the character is located; and the shielding means that characters are hidden from the code through some special means, so that the attack capability of the code is weakened, and even removed.
In practical application, the processing mode of shielding, deleting and replacing also needs to be selected according to the performance of the code, if the code has a special function definition, the processing mode of deleting cannot be used, the deleting usually means that the code loses execution capability, and the shielding and replacing can also keep the original function of the code.
In this embodiment, when setting the access identifier, the following specific steps may be implemented: detecting user information carried in the external network access request, and judging whether the user information is user information which is defined to be protected by a preset user rule or not;
if so, adding an access identifier in the extranet access request according to the protection policy and the access policy defined by the user rule, preferably, the access identifier is mainly used for defining an access mode and can also be used for protecting information security, and the user information can be protected simultaneously through the setting of the access identifier and special characters in the access can also be set.
In this embodiment, specifically, for the step S240, screening out and selecting the characters with the attack capability in the access script code according to the access identifier may be implemented by:
inquiring an access rule corresponding to the current access identifier according to the access identifier, the corresponding relation between the access identifier and the access rule, wherein the access rule comprises special characters for realizing cross-site access and an access mode of the cross-site access;
and filtering the characters with attack capability in the access script codes according to the special characters so as to eliminate the characters which do not meet the requirement of the access rule from the access script for subsequent cross-site script defense processing.
In this embodiment, a specific implementation process for detecting whether a malicious program exists in an HTTP data packet for responding to cross-site access in a cross-site access script code carried in the extranet access request according to a predefined lexical combination rule may be:
performing simulation operation according to the cross-site access script code, and capturing an active label on each access page of the HTTP data packet during operation;
calculating the reciprocal of the probability of the active label in the cross-site access script code, and adding the reciprocal to obtain an arithmetic mean value as an embedded JavaScript reasonable index of the active label;
classifying the cross-site access script codes according to the reasonable indexes;
wherein the active tag is a tag which has no other active tag with the cross-site access script code, and the probability of the tag is the probability of the active tag directly appearing on the cross-site access script code.
In this embodiment, the step of screening out characters with an attack capability in the cross-site access script code according to the access identifier, and performing cross-site script defense processing on the cross-site access script code includes:
extracting characters with attack capability in the cross-site access script codes;
calculating the probability of the character appearing in the extranet access request;
comparing the size relation between the probability and the preset probability level of information leakage;
and if the probability is greater than the probability level, starting an access protection program to perform cross-site script defense processing on the access request.
In practical applications, in order to reduce the probability of misjudgment, when some keywords in the code are determined to be offensive through comparison, the probability of realizing an attack may be calculated for the keywords, and whether processing is required or not may be further determined according to the probability of realizing an attack.
Further, the calculating the probability of the character appearing in the extranet access request comprises:
calling all historical access records of cross-site attacks in the network side, and counting the total number of cross-site access script codes of all the historical access records;
counting the occurrence times of the characters in all the historical access records;
and calculating the probability according to the occurrence times and the total number.
In practical application, for attack detection, a terminal or a server generally generates an attack log, all records of the terminal or the server being attacked are stored in the log, and the records may include keywords or entire script codes, and the keywords determined to be offensive by preliminary determination are then calculated from historical records to determine whether the attack characters on the network side are possible, if the calculated probability is greater than a preset upper probability limit, the characters are determined to be code characters with high risk, and step S240 is executed to perform cross-site attack defense XSS.
In this embodiment, the calculating the probability according to the occurrence number and the total number includes:
dividing said number of occurrences by said total number to obtain a percentage value;
multiplying the percentage value by a weight coefficient to obtain a final probability, wherein the calculation formula is as follows:
wherein, P is the probability of the occurrence of the character with the attack capability, M is the occurrence number, M is the total number of the cross-station access script codes, and α is a weight coefficient.
In this embodiment, after the final probability is obtained in the above manner, it is further necessary to determine a risk level of the probability, and according to an actual situation, the probability level is generally set to three levels from a low level to a low level according to an attack degree, where the performing of the cross-site scripting defense process on the cross-site access script code includes:
if the probability is greater than the first probability level and less than the second probability level, shielding corresponding characters or whole codes in the cross-site access script codes;
if the probability is greater than the second probability level and less than a third probability level, replacing characters or whole codes in the cross-site access script codes;
and if the probability is greater than a third probability level, deleting the cross-site access script code from the external network access request.
In practical application, different defense processing modes are selected according to different attack degrees, for example, in a replacement processing mode, during replacement, replacement can be performed according to the following example, an XSS attack information base contains description characteristics of 1, 2 and 3 types of XSS attack information, and if an extranet access request contains "<", the "<" is replaced by a space according to a replacement definition of the characteristics; if the extranet access request contains ">", replacing ">", according to the replacement definition of the characteristics, with a space; if the external network access request contains a content character string which accords with the regular expression \ s \ sW \ s \ s \ ", a user-defined mode is adopted to be replaced with" com.
In this embodiment, the level of the malicious attack is distinguished according to the three levels, but in practical application, not all script codes may be directly deleted, and the script codes necessary for cross-site access may not be protected by a deletion mode or an escape mode, and the script codes with a higher level of the malicious attack may be specifically implemented by the following modes:
when the result of the comparison is that the probability is greater than the third probability level, the detection of the script access function may be started to select a protection mode for security comparison, and the implementation process is specifically as follows:
performing functionality evaluation on the cross-site access script codes, and determining whether the cross-site access script codes are necessary function access codes in the external network access request;
if so, the cross-site access script code is reserved in the extranet access request, and the character with the attack capability is replaced by a preset safety character, wherein the safety character is a symbol only realizing the filling function of the code bit number.
Further, the replacement processing of the character with the attack capability or the whole cross-site access script code in which the character with the attack capability is located comprises:
and replacing the keywords in the characters, or converting the keywords in the characters into blank Chinese characters through a Chinese character conversion rule, so that the characters lose the attack capability.
In practical application, a complete script is rarely directly implanted into an attack code, but the attack code can be realized by inserting a character or a section of script into an original script of an external network access request, and for the situation, after the attack code is detected, the attack code is directly deleted or shielded; however, in the case of tampering the original script, replacement is required to be performed to ensure invalidation of the access request of the external network, and currently, in order to ensure security, the request may also be directly ignored, and a message for resending the request is returned to obtain a request again.
Further, when the request has a special function or is not provided with a repeated request, the normal execution of the request can be ensured in an alternative mode, and meanwhile, the capability of cross-site attack is removed.
The method realizes cross-site access, realizes attack detection of malicious scripts in the access request of the Internet, shields or replaces malicious code characters to enable the malicious code characters to lose attack capability, and ensures the access safety and the information safety.
The attack of cross-site access is generally performed on one side of the base station, and an attacker hijacks access data sent by a user through monitoring the base station, and then realizes malicious attack by modifying part of codes in the access data or adding some functions, for the base station-based cross-site attack protection method provided in this embodiment, the specific implementation process is as shown in fig. 3:
step S310, a base station receives a cross-station access request sent by a user through a terminal;
in this step, the cross-site access request carries identification information set by a rule negotiated in advance by a handshake protocol or an encryption communication protocol between the base station and the user terminal, and the setting rule of the identification information may be an algorithm of a check value, that is, an access script code constructed based on a user automatically generates a check value, and a calculation object of the check value is a code of the script code itself.
Step S320, the base station identifies the identification information of the cross-station access request;
in this embodiment, if the script code is identified, the script code in the cross-site access request is proved to be modified, otherwise, the script code is not modified.
Step S330, acquiring lexical combination rules, and detecting phrases of codes of cross-site access script codes in the cross-site access request;
in the step, the lexical combination rule is mainly used for detecting the combination mode between the functions and the small programs in the script codes, if the lexical combination rule is modified, the functions or the small programs in the script codes are changed necessarily, and the lexical combination rule is equivalent to secondary malicious detection, so that the accuracy of malicious attack detection is ensured.
Step S340, extracting attack characters in the cross-site access script codes;
in this embodiment, the attack character may be understood as a code function or an applet, or may be some code bytes, etc.
In this embodiment, if only the identification information or the combination mode of the script codes is detected to be incorrect in step S320 and step S330, step S350 is executed, otherwise step S360 is executed.
Step S350, calculating the attack level of the attack character;
step S360, evaluating the function level of the cross-site access script code;
and step S370, performing protection processing on the cross-site access script code.
In this step, the calculation of the attack level may specifically be calculated by calculating a probability of the character, specifically:
calling all historical access records of cross-site attacks in the network side, and counting the total number of cross-site access script codes of all the historical access records;
counting the occurrence times of the characters in all the historical access records;
dividing said number of occurrences by said total number to obtain a percentage value;
multiplying the percentage value by a weight coefficient to obtain a final probability, wherein the calculation formula is as follows:
wherein, P is the probability of the character with attack ability, M is the occurrence frequency, M is the total number of the cross-station access script code, and alpha is a weight coefficient;
comparing the character probability with the preset probability of the attack level;
if the probability is greater than the first probability level and less than the second probability level, shielding corresponding characters or whole codes in the cross-site access script codes;
if the probability is greater than the second probability level and less than a third probability level, replacing characters or whole codes in the cross-site access script codes;
and if the probability is greater than a third probability level, deleting the cross-site access script code from the external network access request.
In this embodiment, the functionality of the cross-site access script code is evaluated, and it is determined whether the cross-site access script code is a necessary function access code in the extranet access request;
if so, the cross-site access script code is reserved in the extranet access request, and the character with the attack capability is replaced by a preset safety character, wherein the safety character is a symbol only realizing the filling function of the code bit number.
In order to solve the above problem, an embodiment of the present invention further provides a cross-site attack protection device, and referring to fig. 4, fig. 4 is a schematic diagram of functional modules of the cross-site attack protection device provided in the embodiment of the present invention. In this embodiment, the apparatus comprises:
an obtaining module 41, configured to obtain an extranet access request received by a network side, where the extranet access request is a set including at least one cross-site access script code for implementing cross-site data access;
a detection module 42, configured to detect whether a malicious program exists in an HTTP data packet for responding to cross-site access in a cross-site access script code carried in the extranet access request according to a predefined lexical combination rule, where the lexical combination rule is a model obtained through analysis of a currently known malicious attack program; the cross-site access script code is used for detecting whether an access identifier exists in the cross-site access script code, wherein the access identifier is defined based on a preset user rule;
a judging module 43, configured to judge whether a character with an attack capability exists in the cross-site access script code if the access identifier exists;
and the defense processing module 44 is configured to, if the characters exist in the cross-site access script codes, screen out characters with an attack capability in the cross-site access script codes according to the access identifier, and perform cross-site script defense processing on the cross-site access script codes.
Based on the same embodiment description content as the cross-site attack protection method in the embodiment of the present invention, the embodiment of the cross-site attack protection device is not described in detail in this embodiment.
According to the method, the access identification is set in the request and the lexical combination of the code is detected, the identification is carried out based on the method, the identification efficiency of the access script code can be improved, the identification precision is also improved, and when characters of malicious attack exist, the external network access request loses the attack capability through shielding, replacing and other methods, so that the cross-site attack defense effect is achieved, the system safety is improved, and the data safety of a website is guaranteed.
The invention also provides a computer readable storage medium.
In this embodiment, the computer-readable storage medium stores a cross-site attack protection program, and the cross-site attack protection program, when executed by a processor, implements the steps of the cross-site attack protection method described in any one of the above embodiments. The method for implementing the cross-site attack protection program when executed by the processor may refer to each embodiment of the cross-site attack protection method of the present invention, and thus, redundant description is not repeated.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM), and includes instructions for causing a terminal (e.g., a mobile phone, a computer, a server, or a network device) to execute the method according to the embodiments of the present invention.
The present invention is described in connection with the accompanying drawings, but the present invention is not limited to the above embodiments, which are only illustrative and not restrictive, and those skilled in the art can make various changes without departing from the spirit and scope of the invention as defined by the appended claims, and all changes that come within the meaning and range of equivalency of the specification and drawings that are obvious from the description and the attached claims are intended to be embraced therein.
Claims (10)
1. A cross-site attack protection method is characterized by comprising the following steps:
acquiring an external network access request received by a network side, wherein the external network access request is a set containing at least one cross-site access script code for realizing cross-site data access;
detecting whether a malicious program exists in an HTTP data packet used for responding cross-site access in a cross-site access script code carried by the external network access request or not according to a predefined lexical combination rule, wherein the lexical combination rule is a model obtained by analyzing a currently known malicious attack program;
if the malicious program exists, detecting whether an access identifier exists in the cross-site access script code, wherein the access identifier is defined based on a preset user rule;
if the access identifier exists, judging whether characters with attack capability exist in the cross-site access script code;
if the character exists in the cross-site access script code, screening out the character with the attack capability in the cross-site access script code according to the access identifier, and performing cross-site script defense processing on the cross-site access script code.
2. The cross-site attack protection method according to claim 1, wherein the step of detecting whether a malicious program exists in an HTTP data packet for responding to cross-site access in the cross-site access script code carried by the extranet access request according to a predefined lexical combination rule comprises the following steps:
executing the cross-site access script code to perform simulated operation, and capturing an active label on each access page of an HTTP data packet during operation;
calculating the reciprocal of the label probability of the active label in the cross-station access script code, and adding the reciprocal to obtain an arithmetic mean value as an embedded JavaScript reasonable index of the active label;
classifying the cross-site access script codes according to the reasonable indexes;
wherein the active tag is a tag which has no other active tag with the cross-site access script code, and the tag probability is a probability that the active tag directly appears on the cross-site access script code.
3. The cross-site attack protection method according to claim 2, wherein the step of screening out characters with attack capability in the cross-site access script code according to the access identifier and performing cross-site script defense processing on the cross-site access script code comprises:
extracting characters with attack capability in the cross-site access script codes;
calculating the character probability of the character appearing in the external network access request;
comparing the character probability with the preset probability level of information leakage;
and if the character probability is greater than the probability level, starting an access protection program to perform cross-site script defense processing on the access request.
4. The method of claim 3, wherein the calculating the character probability that the character appears in the extranet access request comprises:
calling all historical access records of cross-site attacks in the network side, and counting the total number of cross-site access script codes of all the historical access records;
counting the occurrence times of the characters in all the historical access records;
and calculating the character probability of the characters appearing in the extranet access request according to the appearance times and the total number.
5. The method for protecting against cross-site attacks according to claim 4, wherein said calculating a probability of occurrence of said character in said extranet access request according to said number of occurrences and said total number comprises:
dividing said number of occurrences by said total number to obtain a percentage value;
and multiplying the percentage value by a weight coefficient to obtain the final character probability, wherein the calculation formula is as follows:
wherein, P is the character probability of the character with attack capability, M is the occurrence frequency, M is the total number of the cross-station access script codes, and α is a weight coefficient.
6. The cross-site attack protection method according to claim 3, wherein the probability levels comprise three levels from low attack level to high attack level, and the cross-site script defense processing on the cross-site access script code comprises:
if the character probability is greater than the first probability level and less than the second probability level, shielding the corresponding characters or the whole codes in the cross-site access script codes;
if the character probability is greater than the second probability level and less than a third probability level, replacing characters or the whole code in the cross-site access script code;
and if the character probability is greater than a third probability level, deleting the cross-site access script code from the external network access request.
7. The cross-site attack protection method according to claim 6, wherein the cross-site scripting protection processing on the cross-site access script code further comprises:
if the character probability is greater than a third probability level, performing functional evaluation on the cross-site access script code, and determining whether the cross-site access script code is a necessary function access code in the external network access request;
if so, the cross-site access script code is reserved in the extranet access request, and the character with the attack capability is replaced by a preset safety character, wherein the safety character is a symbol only realizing the filling function of the code bit number.
8. A cross-site attack protection device, comprising:
the system comprises an acquisition module, a storage module and a processing module, wherein the acquisition module is used for acquiring an external network access request received by a network side, and the external network access request is a set containing at least one cross-site access script code for realizing cross-site data access;
the detection module is used for detecting whether a malicious program exists in an HTTP data packet used for responding cross-site access in a cross-site access script code carried by the external network access request according to a predefined lexical combination rule, wherein the lexical combination rule is a model obtained by analyzing a currently known malicious attack program; the cross-site access script code is used for detecting whether an access identifier exists in the cross-site access script code when a malicious program exists, wherein the access identifier is defined based on a preset user rule;
the judging module is used for judging whether characters with attack capability exist in the cross-site access script codes or not if the access identification exists;
and the defense processing module is used for screening out the characters with the attack capability in the cross-site access script codes according to the access identification if the characters exist in the cross-site access script codes, and performing cross-site script defense processing on the cross-site access script codes.
9. A cross-site attack protection device, comprising: a memory, a processor, and a cross-site attack protection program stored on the memory and executable on the processor, the cross-site attack protection program when executed by the processor implementing the steps of the cross-site attack protection method according to any one of claims 1-7.
10. A computer-readable storage medium, wherein a cross-site attack protection program is stored on the computer-readable storage medium, and when executed by a processor, the cross-site attack protection program implements the steps of the cross-site attack protection method according to any one of claims 1 to 7.
Priority Applications (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910706703.9A CN110650117B (en) | 2019-08-01 | 2019-08-01 | Cross-site attack protection method, device, equipment and storage medium |
| PCT/CN2019/119113 WO2021017318A1 (en) | 2019-08-01 | 2019-11-18 | Cross-site scripting attack protection method and apparatus, device and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910706703.9A CN110650117B (en) | 2019-08-01 | 2019-08-01 | Cross-site attack protection method, device, equipment and storage medium |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN110650117A true CN110650117A (en) | 2020-01-03 |
| CN110650117B CN110650117B (en) | 2022-03-25 |
Family
ID=68989850
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201910706703.9A Active CN110650117B (en) | 2019-08-01 | 2019-08-01 | Cross-site attack protection method, device, equipment and storage medium |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN110650117B (en) |
| WO (1) | WO2021017318A1 (en) |
Cited By (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111259398A (en) * | 2020-02-25 | 2020-06-09 | 深信服科技股份有限公司 | Virus defense method, device, equipment and readable storage medium |
| CN112182572A (en) * | 2020-08-25 | 2021-01-05 | 通号城市轨道交通技术有限公司 | Urban rail interlocking software code static measurement method and system |
| CN112671741A (en) * | 2020-12-16 | 2021-04-16 | 平安普惠企业管理有限公司 | Network protection method, device, terminal and storage medium |
| CN113065132A (en) * | 2021-03-25 | 2021-07-02 | 深信服科技股份有限公司 | Confusion detection method and device for macro program, electronic equipment and storage medium |
| CN113810418A (en) * | 2021-09-18 | 2021-12-17 | 土巴兔集团股份有限公司 | Method for defending cross-site scripting attack and related equipment thereof |
Families Citing this family (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113329026B (en) * | 2021-06-08 | 2022-09-16 | 中国传媒大学 | Attack capability determination method and system based on network target range vulnerability drilling |
| CN114257522B (en) * | 2021-12-21 | 2024-01-12 | 浙江国利网安科技有限公司 | Network security attack and defense demonstration system, method, device and storage medium |
| CN115617879B (en) * | 2022-11-23 | 2023-04-07 | 中国电子信息产业集团有限公司 | Data source management method of data element and corresponding system |
Citations (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101901221A (en) * | 2009-05-27 | 2010-12-01 | 北京启明星辰信息技术股份有限公司 | Method and device for detecting cross site scripting |
| US20110289583A1 (en) * | 2006-03-08 | 2011-11-24 | Imperva, Inc. | Correlation engine for detecting network attacks and detection method |
| CN102833269A (en) * | 2012-09-18 | 2012-12-19 | 苏州山石网络有限公司 | Detection method and device for cross site scripting and firewall with device |
| US8578482B1 (en) * | 2008-01-11 | 2013-11-05 | Trend Micro Inc. | Cross-site script detection and prevention |
| CN104519008A (en) * | 2013-09-26 | 2015-04-15 | 北大方正集团有限公司 | Cross-site scripting attack defense method and device and application server |
| CN104601540A (en) * | 2014-12-05 | 2015-05-06 | 华为技术有限公司 | Cross-site scripting (XSS) attack defense method and Web server |
| CN106506548A (en) * | 2016-12-23 | 2017-03-15 | 努比亚技术有限公司 | The defence installation of cross-site scripting attack and method |
| CN109040097A (en) * | 2018-08-23 | 2018-12-18 | 彩讯科技股份有限公司 | A kind of defence method of cross-site scripting attack, device, equipment and storage medium |
| CN109257393A (en) * | 2018-12-05 | 2019-01-22 | 四川长虹电器股份有限公司 | XSS attack defence method and device based on machine learning |
Family Cites Families (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US10375107B2 (en) * | 2010-07-22 | 2019-08-06 | International Business Machines Corporation | Method and apparatus for dynamic content marking to facilitate context-aware output escaping |
| CN106354632B (en) * | 2016-08-24 | 2019-03-12 | 北京奇虎测腾安全技术有限公司 | A kind of source code detection system and method based on Static Analysis Technology |
-
2019
- 2019-08-01 CN CN201910706703.9A patent/CN110650117B/en active Active
- 2019-11-18 WO PCT/CN2019/119113 patent/WO2021017318A1/en active Application Filing
Patent Citations (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20110289583A1 (en) * | 2006-03-08 | 2011-11-24 | Imperva, Inc. | Correlation engine for detecting network attacks and detection method |
| US8578482B1 (en) * | 2008-01-11 | 2013-11-05 | Trend Micro Inc. | Cross-site script detection and prevention |
| CN101901221A (en) * | 2009-05-27 | 2010-12-01 | 北京启明星辰信息技术股份有限公司 | Method and device for detecting cross site scripting |
| CN102833269A (en) * | 2012-09-18 | 2012-12-19 | 苏州山石网络有限公司 | Detection method and device for cross site scripting and firewall with device |
| CN104519008A (en) * | 2013-09-26 | 2015-04-15 | 北大方正集团有限公司 | Cross-site scripting attack defense method and device and application server |
| CN104601540A (en) * | 2014-12-05 | 2015-05-06 | 华为技术有限公司 | Cross-site scripting (XSS) attack defense method and Web server |
| CN106506548A (en) * | 2016-12-23 | 2017-03-15 | 努比亚技术有限公司 | The defence installation of cross-site scripting attack and method |
| CN109040097A (en) * | 2018-08-23 | 2018-12-18 | 彩讯科技股份有限公司 | A kind of defence method of cross-site scripting attack, device, equipment and storage medium |
| CN109257393A (en) * | 2018-12-05 | 2019-01-22 | 四川长虹电器股份有限公司 | XSS attack defence method and device based on machine learning |
Cited By (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111259398A (en) * | 2020-02-25 | 2020-06-09 | 深信服科技股份有限公司 | Virus defense method, device, equipment and readable storage medium |
| CN112182572A (en) * | 2020-08-25 | 2021-01-05 | 通号城市轨道交通技术有限公司 | Urban rail interlocking software code static measurement method and system |
| CN112671741A (en) * | 2020-12-16 | 2021-04-16 | 平安普惠企业管理有限公司 | Network protection method, device, terminal and storage medium |
| CN112671741B (en) * | 2020-12-16 | 2022-10-18 | 平安普惠企业管理有限公司 | Network protection method, device, terminal and storage medium |
| CN113065132A (en) * | 2021-03-25 | 2021-07-02 | 深信服科技股份有限公司 | Confusion detection method and device for macro program, electronic equipment and storage medium |
| CN113065132B (en) * | 2021-03-25 | 2023-11-03 | 深信服科技股份有限公司 | Method and device for detecting confusion of macro program, electronic equipment and storage medium |
| CN113810418A (en) * | 2021-09-18 | 2021-12-17 | 土巴兔集团股份有限公司 | Method for defending cross-site scripting attack and related equipment thereof |
| CN113810418B (en) * | 2021-09-18 | 2023-12-26 | 土巴兔集团股份有限公司 | Method for defending cross-site scripting attack and related equipment thereof |
Also Published As
| Publication number | Publication date |
|---|---|
| CN110650117B (en) | 2022-03-25 |
| WO2021017318A1 (en) | 2021-02-04 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN110650117B (en) | Cross-site attack protection method, device, equipment and storage medium | |
| US10817603B2 (en) | Computer security system with malicious script document identification | |
| US10430586B1 (en) | Methods of identifying heap spray attacks using memory anomaly detection | |
| US9712560B2 (en) | Web page and web browser protection against malicious injections | |
| US10581879B1 (en) | Enhanced malware detection for generated objects | |
| JP2021503142A (en) | Analysis and reporting of suspicious emails | |
| CN111818103B (en) | Traffic-based tracing attack path method in network target range | |
| US20120222117A1 (en) | Method and system for preventing transmission of malicious contents | |
| CN105072137A (en) | Spear phishing mail detection method and device | |
| CN109347882B (en) | Webpage Trojan horse monitoring method, device, equipment and storage medium | |
| US9336396B2 (en) | Method and system for generating an enforceable security policy based on application sitemap | |
| EP2977928B1 (en) | Malicious code detection | |
| CN111835777A (en) | Abnormal flow detection method, device, equipment and medium | |
| Madhubala et al. | Survey on malicious URL detection techniques | |
| CN113190839A (en) | Web attack protection method and system based on SQL injection | |
| TWI470468B (en) | System and method for detecting web malicious programs and behaviors | |
| CN114157504A (en) | Safety protection method based on Servlet interceptor | |
| CN112668005A (en) | Webshell file detection method and device | |
| JP2012088803A (en) | Malignant web code determination system, malignant web code determination method, and program for malignant web code determination | |
| CN114024709B (en) | Defensive method, XSS vulnerability searching method, flow detection device and storage medium | |
| CN117749446A (en) | Attack object tracing method, device, equipment and medium | |
| CN112583827A (en) | Data leakage detection method and device | |
| CN111935133A (en) | White list generation method and device | |
| Orunsolu et al. | A Lightweight Anti-Phishing Technique for Mobile Phone. | |
| CN106897619B (en) | Mobile terminal from malicious software cognitive method and device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| REG | Reference to a national code |
Ref country code: HK Ref legal event code: DE Ref document number: 40017620 Country of ref document: HK |
|
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |