CN110659500A - Server security detection method and device, computer equipment and storage medium - Google Patents

Info

Publication number
CN110659500A
Authority
CN
China
Prior art keywords
detection
writing
information
abnormal
operation data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201910746155.2A
Other languages
Chinese (zh)
Inventor
黄坤
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Saiante Technology Service Co Ltd
Original Assignee
Ping An International Smart City Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Ping An International Smart City Technology Co Ltd filed Critical Ping An International Smart City Technology Co Ltd
Priority to CN201910746155.2A priority Critical patent/CN110659500A/en
Priority to PCT/CN2019/117809 priority patent/WO2021027150A1/en
Publication of CN110659500A publication Critical patent/CN110659500A/en
Pending legal-status Critical Current

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577Assessing vulnerabilities and evaluating computer system security
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141Access rights, e.g. capability lists, access control lists, access tables, access matrices

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The application relates to a server security detection method, a server security detection device, computer equipment and a storage medium. Based on hacker attack protection technology, when an access request sent by a client triggers a detection instruction, the location of the user is acquired according to the access request; detection data generated according to the location of the user is fed back to the client, which makes identification harder for a specific program; feedback information fed back by the client according to the detection data is obtained, the feedback information comprising detection information input through a canvas and operation data generated during the input process; anomaly detection is performed on the detection information and the operation data to obtain a detection result; and the access request is intercepted when the detection result is abnormal. By performing anomaly analysis on the detection information input by drawing and the operation data generated during input, it can be detected whether the access request was sent by a specific program, so that the risk of the server being maliciously attacked by hackers is reduced.

Description

Server security detection method and device, computer equipment and storage medium
Technical Field
The present application relates to the field of computer technologies, and in particular, to a server security detection method, apparatus, computer device, and storage medium.
Background
With the development of internet technology, convenient interaction has greatly improved the user experience. In internet interactions, however, some lawless persons adopt various illegal means to obtain benefits. For example, a hacker uses a specific program to make continuous brute-force login attempts against a specific registered user, maliciously cracks passwords, carries out swiping and forum flooding, and so on, thereby attacking the server.
At present, to prevent a hacker from making continuous login attempts against a specific registered user by brute-force cracking with a specific program, digital verification codes and graphic verification codes are generally used, and mixing graphics and text keeps the specific program from attacking the server by brute force. To make the specific program unable to identify the correct verification information, the graphic text used for verification is often obfuscated. However, the cognitive level of users is limited: when the graphic text is obfuscated too much, users find it hard to identify the correct verification information and verification code input errors often occur, and the simple confusion of the graphic texts is often caused. Therefore, the server is easily attacked by hackers.
Disclosure of Invention
In view of the foregoing, it is desirable to provide a server security detection method, an apparatus, a computer device, and a storage medium for reducing malicious server attacks.
A server security detection method, the method comprising:
when an access request trigger detection instruction sent by a client is received, acquiring the location of a user according to the access request;
feeding back detection data generated according to the location of the user to the client;
obtaining feedback information fed back by the client according to the detection data, wherein the feedback information comprises: detecting information input through the canvas and operation data generated in the input process;
carrying out anomaly detection on the detection information and the operation data to obtain a detection result;
and intercepting the access request when the detection result is abnormal.
In one embodiment, after the step of intercepting the access request of the client when the detection result is abnormal, the method further includes:
acquiring the IP address of the client according to the access request of the client;
and intercepting the access request sent by the IP address when the number of times of the access request sent by the IP address detected as abnormal exceeds the preset number of times.
In one embodiment, the step of feeding back, to the client, detection data generated according to a location of the user includes:
acquiring correct option information and wrong option information according to the location of the user;
and generating detection data according to the correct option information, the wrong option information and a preset template, and feeding back the detection data to the client.
In one embodiment, the step of performing anomaly detection on the detection information and the operation data to obtain a detection result includes:
performing anomaly analysis on the operation data to determine whether the operation data is abnormal;
analyzing the detection information according to verification information corresponding to the detection data to determine whether the detection information is abnormal;
when at least one of the operation data and the detection information is abnormal, judging that the detection result is abnormal;
and when the operation data and the detection information are not abnormal, judging that the detection result is normal.
In one embodiment, the step of performing an anomaly analysis on the operation data to determine whether the operation data is anomalous includes:
analyzing the operation data to obtain writing duration and writing sequence;
analyzing the writing duration based on the preset writing duration to determine whether the writing duration is abnormal;
analyzing the writing sequence based on a preset writing sequence to determine whether the writing sequence is abnormal;
when at least one of the writing duration and the writing sequence is abnormal, judging that the operation data is abnormal;
and when the writing duration and the writing sequence are not abnormal, judging that the operation data is normal.
In one embodiment, the step of analyzing the operation data and obtaining the writing duration and the writing sequence includes:
analyzing the operation data to obtain a writing start time point, a writing end time point, a writing moving time point and corresponding pixel points of the time points in the canvas;
determining writing duration according to the writing starting time point and the writing ending time point;
and determining a writing sequence according to the writing starting time point, the writing ending time point, the writing moving time point and the pixel points corresponding to the time points.
In one embodiment, the step of analyzing the detection information according to the verification information corresponding to the detection data to determine whether the detection information is abnormal includes:
comparing the detection information with verification information corresponding to the detection data;
when the detection information is consistent with the verification information, determining that the detection information is normal;
and when the detection information is inconsistent with the verification information, determining that the detection information is abnormal.
A server security detection apparatus, the apparatus comprising:
the user location obtaining module is used for obtaining the location of the user according to the access request when receiving the access request triggering detection instruction sent by the client;
the detection data feedback module is used for feeding back detection data generated according to the location of the user to the client;
a feedback information obtaining module, configured to obtain feedback information that is fed back by the client according to the detection data, where the feedback information includes: detecting information input through the canvas and operation data generated in the input process;
the anomaly detection module is used for carrying out anomaly detection on the detection information and the operation data to obtain a detection result;
and the interception module is used for intercepting the access request when the detection result is abnormal.
A computer device comprising a memory storing a computer program and a processor implementing the steps of the method when executing the computer program.
A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the method.
According to the server security detection method, the server security detection device, the computer equipment and the storage medium, when an access request triggering detection instruction sent by the client is received, the location of a user is obtained according to the access request; the detection data generated according to the location of the user is fed back to the client, so that the identification difficulty of the specific program can be improved; obtaining feedback information fed back by the client according to the detection data, wherein the feedback information comprises: detecting information input through the canvas and operation data generated in the input process; carrying out anomaly detection on the detection information and the operation data to obtain a detection result; and intercepting the access request when the detection result is abnormal. By carrying out anomaly analysis on the detection information input by the drawing and the operation data generated in the input process, whether the access request is sent by a specific program can be detected, so that the risk that the server is attacked maliciously is reduced.
Drawings
FIG. 1 is a diagram illustrating an exemplary embodiment of a server security detection method;
FIG. 2 is a flowchart illustrating a method for server security detection according to an embodiment;
FIG. 3 is a block diagram showing the structure of a server security detection apparatus according to an embodiment;
FIG. 4 is a diagram illustrating an internal structure of a computer device according to an embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
The server security detection method provided by the application can be applied to the application environment shown in fig. 1. Wherein the terminal 102 communicates with the server 104 via a network. When an access request triggering detection instruction sent by a user through a client of the terminal 102 is received, acquiring the location of the user according to the access request; feeding back detection data generated according to the location of the user to the client; obtaining feedback information fed back by the client according to the detection data, wherein the feedback information comprises: detecting information input through the canvas and operation data generated in the input process; carrying out anomaly detection on the detection information and the operation data to obtain a detection result; and intercepting the access request when the detection result is abnormal. The terminal 102 may be, but is not limited to, various personal computers, notebook computers, smart phones, tablet computers, and portable wearable devices. The server 104 may be implemented as a stand-alone server or as a server cluster comprised of multiple servers.
In an embodiment, as shown in fig. 2, a server security detection method is provided, which is described by taking the method as an example applied to the server in fig. 1, and includes steps S220 to S300:
step S220, when receiving an access request trigger detection instruction sent by the client, obtaining the location of the user according to the access request.
The client, also called the user side, refers to a program that corresponds to the server and provides local services to the user. It may be installed in a local operating system or an ordinary client and needs to operate in cooperation with the server, for example the web browser used for the World Wide Web, the email client used to send and receive email, and instant-messaging client software. The access request can be an account login request, a request to access a page, and the like. The access request sent by the client is examined to judge whether security detection is needed, and a detection instruction is triggered when it is. The user location refers to the area where the user is, determined from the access request sent by the terminal; the specific geographic location is determined from the IP address of the access request.
Step S240, feeding back the detection data generated according to the location of the user to the client.
The detection data is used to verify the accessing party. Its content can be a question, and the question can be based on characteristics of the user's location. For example, if the user is located in Changsha, which has some famous scenic spots, "Which of the scenic spots Orange Isle, the Terracotta Warriors and Mount Tai is in the current city?" can be used as the question of the detection data.
Step S260, obtaining feedback information fed back by the client according to the detection data, where the feedback information includes: detection information input through the canvas and operation data generated at the time of input.
After receiving the detection data, the client displays it on the terminal, and based on the displayed detection data the user can trigger an input window of the client through the terminal to input detection information. The input window can be a handwriting canvas, on which the user writes the detection information according to the content of the detection data, for example digits or words. The detection information may be the digits or characters recognized after writing, or the picture saved after writing. The operation data is the times at which the touchStart, touchEnd, touchMove and similar events occur while writing on the canvas.
Step S280, performing anomaly detection on the detection information and the operation data to obtain a detection result.
When the detection information is a picture saved after writing, the picture is recognized and analyzed based on its pixel points to determine the digits or characters written in it, and these are compared with the corresponding stored verification information to determine whether the detection information is abnormal. The operation data makes it possible to determine whether the input was made manually: it records the times at which the touchStart, touchEnd and touchMove events were triggered while writing on the canvas. If the access request is sent by a program, nothing can be written on the canvas, so the occurrence times of the touchStart, touchEnd and touchMove events cannot be obtained, or they differ greatly from those generated by manual input. When either one or both of the detection information and the operation data are abnormal, the detection result is abnormal; when both are normal, the detection result is normal.
And step S300, intercepting the access request when the detection result is abnormal.
When the detection result is abnormal, the access request can be determined to carry a certain risk, and it can be intercepted to avoid unnecessary loss. The reason for interception can also be fed back to the terminal, so that access intercepted because of improper operation by the user can be avoided and the user is reminded to access again. When the detection result is normal, the access request can be determined to carry a low risk and to have been sent by a person through the terminal; the access request is allowed, and the required data is returned to the client according to the access request.
In the server security detection method, when an access request triggering detection instruction sent by a client is received, the location of a user is obtained according to the access request; the detection data generated according to the location of the user is fed back to the client, so that the identification difficulty of the specific program can be improved; obtaining feedback information fed back by the client according to the detection data, wherein the feedback information comprises: detecting information input through the canvas and operation data generated in the input process; carrying out anomaly detection on the detection information and the operation data to obtain a detection result; and intercepting the access request when the detection result is abnormal. By carrying out anomaly analysis on the detection information input by the drawing and the operation data generated in the input process, whether the access request is sent by a specific program can be detected, so that the risk that the server is attacked maliciously is reduced.
In one embodiment, after the step of intercepting the access request of the client when the detection result is abnormal, the method further includes: acquiring an IP address of a client according to an access request of the client; and intercepting the access request sent by the IP address when the number of times of the access request sent by the IP address detected as abnormal exceeds the preset number of times.
The IP address is a uniform address format provided by the IP protocol; it allocates a logical address to each network and each host on the Internet so as to mask differences in physical addresses. Methods for acquiring the IP address of the client include the getRemoteAddr() method, and so on. The preset number of times can be set according to local detection requirements. After an access request is detected as abnormal, the IP address of the abnormal access request is acquired, stored and counted, and when the count for the IP address exceeds the preset number, all access requests sent by that IP address are intercepted. This reduces the risk of a hacker attacking the server with a specific program; intercepting all access requests sent by the IP address also reduces the computation load on the server and improves the computation rate.
In one embodiment, the step of feeding back the detection data generated according to the location of the user to the client comprises: acquiring correct option information and wrong option information according to the location of the user; and generating detection data according to the correct option information, the wrong option information and a preset template, and feeding back the detection data to the client.
The preset template is used to form complete question content from the correct option information and the wrong option information. For example, if the question is "Which of the scenic spots Orange Isle, the Terracotta Warriors and Mount Tai is in the current city?", the preset template is "Which of the scenic spots XXX, XXX and XXX is in the current city?"; the preset template can also be "Which of the following scenic spots is in the current city? 1. XXX, 2. XXX, 3. XXX". The XXX content in the template is replaceable.
In one embodiment, the step of performing anomaly detection on the detection information and the operation data to obtain a detection result includes: performing anomaly analysis on the operation data to determine whether the operation data is abnormal; analyzing the detection information according to the verification information corresponding to the detection data, and determining whether the detection information is abnormal; when at least one of the operation data and the detection information is abnormal, judging that the detection result is abnormal; and when the operation data and the detection information are not abnormal, judging that the detection result is normal.
The operation data comprises the occurrence times of the touchStart, touchEnd and touchMove events (namely the writing start time point, the writing end time point and the writing moving time points), the pixel points corresponding to these time points in the canvas, and the like. The verification information corresponding to the detection data refers to the verification information stored when the detection data is generated, and it is consistent with the content of the detection data.
In one embodiment, the step of performing an anomaly analysis on the operational data to determine whether the operational data is anomalous comprises: analyzing the operation data to obtain writing duration and writing sequence; analyzing the writing duration based on the preset writing duration to determine whether the writing duration is abnormal; analyzing the writing sequence based on a preset writing sequence to determine whether the writing sequence is abnormal; when at least one of the writing duration and the writing sequence is abnormal, judging that the operation data is abnormal; and when the writing duration and the writing sequence are not abnormal, judging that the operation data is normal.
The writing duration refers to how long the user writes on the canvas of the terminal according to the content of the detection data. It is determined by the writing start time point and the writing end time point; the writing start time point is generated, and timing starts, after the user opens the canvas. The writing sequence refers to the order of the digits or characters, or the order of the strokes, written by the user on the canvas of the terminal according to the content of the detection data. The preset writing sequence is obtained from writing sequence experiments with a large number of users and is used to determine whether a writing sequence is normal: if the writing sequence does not conform to the preset writing sequence, it is judged abnormal, and if it conforms, it is judged normal. The preset writing duration is obtained from writing duration experiments with a large number of users and is used to determine whether a writing duration is within the normal range: if the writing duration is less than the preset writing duration, it is judged abnormal, and if it is greater than or equal to the preset writing duration, it is judged normal. When either or both of the writing duration and the writing sequence are abnormal, the operation data is judged abnormal; when both are normal, the operation data is judged normal. This reduces the risk of the server being attacked by a hacker using a specific program.
In one embodiment, the step of analyzing the operation data to obtain the writing duration and the writing sequence includes: analyzing the operation data to obtain a writing start time point, a writing end time point, a writing moving time point and corresponding pixel points of the time points in the canvas; determining writing duration according to the writing starting time point and the writing ending time point; and determining a writing sequence according to the writing starting time point, the writing ending time point, the writing moving time point and the pixel points corresponding to the time points.
The writing start time point refers to the time when the touchStart event occurs, the writing end time point refers to the time when the touchEnd event occurs, and the writing moving time point refers to the time when a touchMove event occurs; there may be a plurality of writing moving time points. The pixel points corresponding to each time point in the canvas are the pixel points at the writing start time point, the writing end time point and the writing moving time points. A two-dimensional array is generated from the time points of the touchStart, touchEnd and touchMove events, with one time point corresponding to one pixel point, and correlation analysis of the two arrays determines the writing sequence, namely the stroke sequence. For example, for a Chinese character, a stroke is a line written continuously, without interruption, while writing the character. Strokes are the smallest structural units of a Chinese character. They can be divided into horizontal, vertical, left-falling, dot, right-falling, turning and so on, and a finer subdivision yields more than 30 kinds. The total time from the writing start time point to the writing end time point is the writing duration. Whether the request is an attack is further judged according to the writing sequence and the writing duration, which prevents attacks by a specific program and increases the cracking difficulty.
In one embodiment, the step of analyzing the detection information according to the verification information corresponding to the detection data to determine whether the detection information is abnormal includes: comparing the detection information with verification information corresponding to the detection data; when the detection information is consistent with the verification information, determining that the detection information is normal; when the detection information is inconsistent with the verification information, it is determined that the detection information is abnormal.
When the detection information is the digits or characters recognized after writing is finished, the detection information is compared directly with the verification information corresponding to the detection data to detect whether it is abnormal. When the detection information is the picture saved after writing is finished, all pixel points of the picture are traversed and processed as a two-dimensional array, interfering points and lines are deleted, continuous characters in the array are cut into independent characters, and the characters are then matched in a loop against all existing data of the same font to determine the detection information. For example, if the question of the detection data is "Which of the scenic spots Orange Isle, the Terracotta Warriors and Mount Tai is in the current city?", the detection information is determined to be normal if it is Orange Isle and abnormal if it is not Orange Isle; the question may also list the options as 1, Orange Isle; 2, Terracotta Warriors; 3, Mount Tai. This reduces the risk of hackers attacking the server with a specific program.
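The checks described in the embodiments above (writing duration, writing sequence, comparison with the verification information, and the per-IP count of abnormal results), sketched as an added JavaScript example that is not part of the patent text. The event format, the threshold values, the stroke preset for "十", the sample events and all function names are assumptions made for illustration.

```javascript
// Added example. Event format, thresholds and the stroke preset are assumptions, not the patent's values.
const PRESET = {
  minDurationMs: 300,                               // assumed preset writing duration
  strokeOrder: { '十': ['horizontal', 'vertical'] }, // assumed preset writing sequence
  maxAbnormalPerIp: 3,                              // assumed preset number of times
};

// Split operation data into strokes: touchStart, any touchMove, touchEnd.
// Returns null when events are missing, out of order, or go backwards in time.
function parseStrokes(events) {
  if (!Array.isArray(events) || events.length === 0) return null;
  const strokes = [];
  let current = null;
  let lastT = -Infinity;
  for (const e of events) {
    if (!e || !Number.isFinite(e.t) || e.t < lastT) return null;
    lastT = e.t;
    if (e.type === 'touchStart') {
      if (current) return null;            // previous stroke never ended
      current = [e];
    } else if (e.type === 'touchMove' || e.type === 'touchEnd') {
      if (!current) return null;           // move or end without a start
      current.push(e);
      if (e.type === 'touchEnd') { strokes.push(current); current = null; }
    } else {
      return null;                         // unknown event type
    }
  }
  return current ? null : strokes;         // an unfinished stroke is malformed
}

// Classify a stroke by the displacement between its first and last pixel point.
function strokeDirection(stroke) {
  const a = stroke[0];
  const b = stroke[stroke.length - 1];
  const dx = Math.abs(b.x - a.x);
  const dy = Math.abs(b.y - a.y);
  if (dx > 0 && dx >= 2 * dy) return 'horizontal';
  if (dy > 0 && dy >= 2 * dx) return 'vertical';
  return 'other';
}

// Operation data is abnormal if the writing duration or the writing sequence is abnormal.
function analyzeOperationData(events, expected, preset = PRESET) {
  const strokes = parseStrokes(events);
  if (!strokes) return { abnormal: true, reasons: ['events'] };
  const duration = events[events.length - 1].t - events[0].t;
  const sequence = strokes.map(strokeDirection);
  const want = preset.strokeOrder[expected] || [];
  const reasons = [];
  if (duration < preset.minDurationMs) reasons.push('duration');
  if (want.length !== sequence.length || want.some((d, i) => d !== sequence[i])) {
    reasons.push('sequence');
  }
  return { abnormal: reasons.length > 0, reasons, duration, sequence };
}

// Detection result: abnormal if the operation data or the detection information is abnormal.
function detect(feedback, verification, preset = PRESET) {
  const operation = analyzeOperationData(feedback.operationData, verification, preset);
  const infoAbnormal = feedback.detectionInfo !== verification;
  return { abnormal: operation.abnormal || infoAbnormal, operation, infoAbnormal };
}

// Per-IP count of abnormal results; once it exceeds the preset, every request is intercepted.
class AbnormalIpCounter {
  constructor(limit = PRESET.maxAbnormalPerIp) {
    this.limit = limit;
    this.counts = new Map();
  }
  record(ip) { this.counts.set(ip, (this.counts.get(ip) || 0) + 1); }
  isBlocked(ip) { return (this.counts.get(ip) || 0) > this.limit; }
}

function handleFeedback(ip, feedback, verification, counter) {
  if (counter.isBlocked(ip)) return 'blocked';
  if (!detect(feedback, verification).abnormal) return 'allowed';
  counter.record(ip);
  return 'intercepted';
}

// Constructed sample input: a hand-written "十" and a submission whose events carry no real timing.
const humanEvents = [
  { type: 'touchStart', t: 0, x: 10, y: 50 },
  { type: 'touchMove', t: 90, x: 50, y: 51 },
  { type: 'touchEnd', t: 200, x: 90, y: 52 },
  { type: 'touchStart', t: 350, x: 50, y: 10 },
  { type: 'touchMove', t: 470, x: 50, y: 50 },
  { type: 'touchEnd', t: 600, x: 51, y: 90 },
];
const scriptedEvents = humanEvents.map((e) => ({ ...e, t: 0 }));
```

Because the operation data is reported by the client, these checks raise the cost of automation rather than prove that a person wrote the answer, so the thresholds should be tuned against real user data as the description suggests.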
It should be understood that, although the steps in the flowchart of fig. 2 are shown in order as indicated by the arrows, the steps are not necessarily performed in order as indicated by the arrows. The steps are not performed in the exact order shown and described, and may be performed in other orders, unless explicitly stated otherwise. Moreover, at least a portion of the steps in fig. 2 may include multiple sub-steps or multiple stages that are not necessarily performed at the same time, but may be performed at different times, and the order of performance of the sub-steps or stages is not necessarily sequential, but may be performed in turn or alternately with other steps or at least a portion of the sub-steps or stages of other steps.
In one embodiment, as shown in fig. 3, there is provided a server security detection apparatus, including: the user location obtaining module 310, the detection data feedback module 320, the feedback information obtaining module 330, the anomaly detecting module 340 and the intercepting module 350, wherein:
the user location obtaining module 310 is configured to, when receiving an access request trigger detection instruction sent by a client, obtain a user location according to the access request;
the detection data feedback module 320 is used for feeding back detection data generated according to the location of the user to the client;
a feedback information obtaining module 330, configured to obtain feedback information fed back by the client according to the detection data, where the feedback information includes: detecting information input through the canvas and operation data generated in the input process;
the anomaly detection module 340 is configured to perform anomaly detection on the detection information and the operation data to obtain a detection result;
and the intercepting module 350 is configured to intercept the access request when the detection result is abnormal.
In one embodiment, the server security detection apparatus further includes an IP address obtaining module, configured to obtain an IP address of the client according to an access request of the client; and intercepting the access request sent by the IP address when the number of times of the access request sent by the IP address detected as abnormal exceeds the preset number of times.
In one embodiment, the detection data feedback module 320 further comprises: the option acquisition module is used for acquiring correct option information and wrong option information according to the location of the user; and the detection data feedback module is used for generating detection data according to the correct option information, the wrong option information and the preset template, and feeding the detection data back to the client.
In one embodiment, the anomaly detection module 330 includes: the operation data analysis unit is used for carrying out abnormity analysis on the operation data and determining whether the operation data is abnormal; the detection information analysis unit is used for analyzing the detection information according to the verification information corresponding to the detection data and determining whether the detection information is abnormal or not; an abnormality determination unit configured to determine that the detection result is abnormal when at least one of the operation data and the detection information is abnormal; and the normal determination unit is used for determining that the detection result is normal when no abnormality occurs in the operation data and the detection information.
In one embodiment, the operation data analysis unit includes: the operation data analysis subunit is used for analyzing the operation data to acquire writing duration and writing sequence; the writing duration analyzing subunit is used for analyzing the writing duration based on the preset writing duration and determining whether the writing duration is abnormal or not; the writing sequence analysis subunit is used for analyzing the writing sequence based on a preset writing sequence and determining whether the writing sequence is abnormal; the operation data abnormity judging subunit is used for judging that the operation data is abnormal when at least one of the writing duration and the writing sequence is abnormal; and the operational data normality judging subunit is used for judging that the operational data is normal when the writing duration and the writing sequence are not abnormal.
In one embodiment, the operational data analysis subunit is to: analyzing the operation data to obtain a writing start time point, a writing end time point, a writing moving time point and corresponding pixel points of the time points in the canvas; determining writing duration according to the writing starting time point and the writing ending time point; and determining a writing sequence according to the writing starting time point, the writing ending time point, the writing moving time point and the pixel points corresponding to the time points.
In one embodiment, the detection information analysis unit is configured to: comparing the detection information with verification information corresponding to the detection data; when the detection information is consistent with the verification information, determining that the detection information is normal; when the detection information is inconsistent with the verification information, it is determined that the detection information is abnormal.
For specific limitations of the server security detection apparatus, reference may be made to the above limitations of the server security detection method, which is not described herein again. The modules in the server security detection device can be wholly or partially implemented by software, hardware and a combination thereof. The modules can be embedded in a hardware form or independent from a processor in the computer device, and can also be stored in a memory in the computer device in a software form, so that the processor can call and execute operations corresponding to the modules.
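The decision logic of the operation data analysis unit, the detection information analysis unit and the IP address obtaining module described above, sketched in Python as an added example (not code from the patent). The event format, the threshold values and the modelling of the preset writing sequence as one coarse direction per stroke are assumptions, and the traces are constructed.

```python
import hmac
from collections import defaultdict

# Assumed presets: the page only says "preset", so these values are illustrative.
MIN_WRITE_MS, MAX_WRITE_MS = 150, 15_000
MAX_ABNORMAL_PER_IP = 3


def parse_operation_data(events):
    """Split canvas events into strokes and return (writing_duration_ms, strokes).

    Assumed event shape: {"type": "start"|"move"|"end", "t": ms, "x": px, "y": px}.
    Raises ValueError for a malformed trace.
    """
    if not events or events[0]["type"] != "start" or events[-1]["type"] != "end":
        raise ValueError("trace must open with start and close with end")
    strokes, current, last_t = [], None, events[0]["t"]
    for ev in events:
        if ev["t"] < last_t:
            raise ValueError("timestamps go backwards")
        last_t = ev["t"]
        point = (ev["t"], ev["x"], ev["y"])
        if ev["type"] == "start":
            if current is not None:
                raise ValueError("start inside an open stroke")
            current = [point]
        elif ev["type"] in ("move", "end"):
            if current is None:
                raise ValueError("move/end outside a stroke")
            current.append(point)
            if ev["type"] == "end":
                strokes.append(current)
                current = None
        else:
            raise ValueError("unknown event type")
    # Writing duration: writing end time point minus writing start time point.
    return events[-1]["t"] - events[0]["t"], strokes


def writing_order(strokes):
    """Reduce each stroke to its dominant direction, in the order it was drawn."""
    order = []
    for stroke in strokes:
        (_, x0, y0), (_, x1, y1) = stroke[0], stroke[-1]
        dx, dy = x1 - x0, y1 - y0
        if abs(dx) >= abs(dy):
            order.append("right" if dx >= 0 else "left")
        else:
            order.append("down" if dy > 0 else "up")  # canvas y grows downward
    return order


def operation_data_abnormal(events, preset_order):
    try:
        duration, strokes = parse_operation_data(events)
    except (ValueError, KeyError, TypeError):
        return True  # a trace that cannot be parsed is treated as abnormal
    if not MIN_WRITE_MS <= duration <= MAX_WRITE_MS:
        return True
    return writing_order(strokes) != preset_order


def detection_info_abnormal(detection_info, verification_info):
    # Constant-time comparison of the recognised answer with the expected one.
    return not hmac.compare_digest(detection_info.strip().encode(),
                                   verification_info.encode())


def detect(detection_info, events, verification_info, preset_order):
    """Abnormal when at least one of operation data and detection information is."""
    abnormal = (operation_data_abnormal(events, preset_order)
                or detection_info_abnormal(detection_info, verification_info))
    return "abnormal" if abnormal else "normal"


class Interceptor:
    """Intercepts abnormal requests and, past the preset count, the whole IP."""

    def __init__(self, limit=MAX_ABNORMAL_PER_IP):
        self.limit = limit
        self.abnormal_count = defaultdict(int)

    def handle(self, ip, detection_info, events, verification_info, preset_order):
        if self.abnormal_count[ip] > self.limit:
            return True  # abnormal count for this address exceeded the preset
        if detect(detection_info, events, verification_info, preset_order) == "abnormal":
            self.abnormal_count[ip] += 1
            return True
        return False


# Constructed traces for the answer "1", whose assumed preset order is one downward stroke.
PRESET_ONE = ["down"]
HUMAN_TRACE = [{"type": "start", "t": 0, "x": 40, "y": 10},
               {"type": "move", "t": 180, "x": 41, "y": 48},
               {"type": "end", "t": 420, "x": 41, "y": 90}]
FAST_TRACE = [{"type": "start", "t": 0, "x": 40, "y": 10},
              {"type": "end", "t": 3, "x": 41, "y": 90}]
REVERSED_TRACE = [{"type": "start", "t": 0, "x": 41, "y": 90},
                  {"type": "end", "t": 400, "x": 40, "y": 10}]
```
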
In one embodiment, a computer device is provided, which may be a server, the internal structure of which may be as shown in fig. 4. The computer device includes a processor, a memory, a network interface, and a database connected by a system bus. The processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device comprises a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program, and a database. The internal memory provides an environment for running the operating system and the computer program stored in the non-volatile storage medium. The database of the computer device is used for storing data such as feedback information. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program is executed by the processor to implement a server security detection method.
Those skilled in the art will appreciate that the architecture shown in fig. 4 is merely a block diagram of some of the structures associated with the disclosed aspects and is not intended to limit the computing devices to which the disclosed aspects apply, as particular computing devices may include more or less components than those shown, or may combine certain components, or have a different arrangement of components.
In one embodiment, there is provided a computer device comprising a memory storing a computer program and a processor implementing the following steps when the processor executes the computer program:
when an access request trigger detection instruction sent by a client is received, acquiring the location of a user according to the access request; feeding back detection data generated according to the location of the user to the client; obtaining feedback information fed back by the client according to the detection data, wherein the feedback information comprises: detecting information input through the canvas and operation data generated in the input process; carrying out anomaly detection on the detection information and the operation data to obtain a detection result; and intercepting the access request when the detection result is abnormal.
In one embodiment, the processor, when executing the computer program, further performs the steps of: acquiring an IP address of a client according to an access request of the client; and intercepting the access request sent by the IP address when the number of times of the access request sent by the IP address detected as abnormal exceeds the preset number of times.
In one embodiment, the processor, when executing the computer program, further performs the steps of: acquiring correct option information and wrong option information according to the location of the user; and generating detection data according to the correct option information, the wrong option information and a preset template, and feeding back the detection data to the client.
In one embodiment, the processor, when executing the computer program, further performs the steps of: performing anomaly analysis on the operation data to determine whether the operation data is abnormal; analyzing the detection information according to the verification information corresponding to the detection data, and determining whether the detection information is abnormal; when at least one of the operation data and the detection information is abnormal, judging that the detection result is abnormal; and when the operation data and the detection information are not abnormal, judging that the detection result is normal.
In one embodiment, the processor, when executing the computer program, further performs the steps of: analyzing the operation data to obtain writing duration and writing sequence; analyzing the writing duration based on the preset writing duration to determine whether the writing duration is abnormal; analyzing the writing sequence based on a preset writing sequence to determine whether the writing sequence is abnormal; when at least one of the writing duration and the writing sequence is abnormal, judging that the operation data is abnormal; and when the writing duration and the writing sequence are not abnormal, judging that the operation data is normal.
In one embodiment, the processor, when executing the computer program, further performs the steps of: analyzing the operation data to obtain a writing start time point, a writing end time point, a writing moving time point and corresponding pixel points of the time points in the canvas; determining writing duration according to the writing starting time point and the writing ending time point; and determining a writing sequence according to the writing starting time point, the writing ending time point, the writing moving time point and the pixel points corresponding to the time points.
In one embodiment, the processor, when executing the computer program, further performs the steps of: comparing the detection information with verification information corresponding to the detection data; when the detection information is consistent with the verification information, determining that the detection information is normal; when the detection information is inconsistent with the verification information, it is determined that the detection information is abnormal.
In one embodiment, a computer-readable storage medium is provided, having a computer program stored thereon, which when executed by a processor, performs the steps of:
when an access request trigger detection instruction sent by a client is received, acquiring the location of a user according to the access request; feeding back detection data generated according to the location of the user to the client; obtaining feedback information fed back by the client according to the detection data, wherein the feedback information comprises: detecting information input through the canvas and operation data generated in the input process; carrying out anomaly detection on the detection information and the operation data to obtain a detection result; and intercepting the access request when the detection result is abnormal.
In one embodiment, the computer program when executed by the processor further performs the steps of: acquiring an IP address of a client according to an access request of the client; and intercepting the access request sent by the IP address when the number of times of the access request sent by the IP address detected as abnormal exceeds the preset number of times.
In one embodiment, the computer program when executed by the processor further performs the steps of: acquiring correct option information and wrong option information according to the location of the user; and generating detection data according to the correct option information, the wrong option information and a preset template, and feeding back the detection data to the client.
In one embodiment, the computer program when executed by the processor further performs the steps of: performing anomaly analysis on the operation data to determine whether the operation data is abnormal; analyzing the detection information according to the verification information corresponding to the detection data, and determining whether the detection information is abnormal; when at least one of the operation data and the detection information is abnormal, judging that the detection result is abnormal; and when the operation data and the detection information are not abnormal, judging that the detection result is normal.
In one embodiment, the computer program when executed by the processor further performs the steps of: analyzing the operation data to obtain writing duration and writing sequence; analyzing the writing duration based on the preset writing duration to determine whether the writing duration is abnormal; analyzing the writing sequence based on a preset writing sequence to determine whether the writing sequence is abnormal; when at least one of the writing duration and the writing sequence is abnormal, judging that the operation data is abnormal; and when the writing duration and the writing sequence are not abnormal, judging that the operation data is normal.
In one embodiment, the computer program when executed by the processor further performs the steps of: analyzing the operation data to obtain a writing start time point, a writing end time point, a writing moving time point and corresponding pixel points of the time points in the canvas; determining writing duration according to the writing starting time point and the writing ending time point; and determining a writing sequence according to the writing starting time point, the writing ending time point, the writing moving time point and the pixel points corresponding to the time points.
In one embodiment, the computer program when executed by the processor further performs the steps of: comparing the detection information with verification information corresponding to the detection data; when the detection information is consistent with the verification information, determining that the detection information is normal; when the detection information is inconsistent with the verification information, it is determined that the detection information is abnormal.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program instructing the relevant hardware. The computer program can be stored in a non-volatile computer-readable storage medium and, when executed, can include the processes of the embodiments of the methods described above. Any reference to memory, storage, database, or other medium used in the embodiments provided herein may include non-volatile and/or volatile memory. Non-volatile memory can include read-only memory (ROM), Programmable ROM (PROM), Electrically Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDR SDRAM), Enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), Rambus Direct RAM (RDRAM), Direct Rambus Dynamic RAM (DRDRAM), and Rambus Dynamic RAM (RDRAM).
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments express only several embodiments of the present application, and their description is relatively specific and detailed, but they should not be construed as limiting the scope of the invention. It should be noted that a person skilled in the art can make several variations and modifications without departing from the concept of the present application, and these fall within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (10)

1. A server security detection method, the method comprising:
when an access request trigger detection instruction sent by a client is received, acquiring the location of a user according to the access request;
feeding back detection data generated according to the location of the user to the client;
obtaining feedback information fed back by the client according to the detection data, wherein the feedback information comprises: detecting information input through the canvas and operation data generated in the input process;
carrying out anomaly detection on the detection information and the operation data to obtain a detection result;
and intercepting the access request when the detection result is abnormal.
2. The method according to claim 1, wherein after the step of intercepting the access request of the client when the detection result is abnormal, the method further comprises:
acquiring the IP address of the client according to the access request of the client;
and intercepting the access request sent by the IP address when the number of times of the access request sent by the IP address detected as abnormal exceeds the preset number of times.
3. The method of claim 1, wherein the step of feeding back the detection data generated according to the user location to the client comprises:
acquiring correct option information and wrong option information according to the location of the user;
and generating detection data and feeding back the detection data to the client according to the correct option information, the wrong option information and a preset template.
4. The method according to claim 1, wherein the step of performing anomaly detection on the detection information and the operation data to obtain a detection result comprises:
performing anomaly analysis on the operation data to determine whether the operation data is abnormal;
analyzing the detection information according to verification information corresponding to the detection data to determine whether the detection information is abnormal;
when at least one of the operation data and the detection information is abnormal, judging that the detection result is abnormal;
and when the operation data and the detection information are not abnormal, judging that the detection result is normal.
5. The method of claim 4, wherein the step of analyzing the operational data for anomalies to determine whether the operational data is anomalous comprises:
analyzing the operation data to obtain writing duration and writing sequence;
analyzing the writing duration based on the preset writing duration to determine whether the writing duration is abnormal;
analyzing the writing sequence based on a preset writing sequence to determine whether the writing sequence is abnormal;
when at least one of the writing duration and the writing sequence is abnormal, judging that the operation data is abnormal;
and when the writing duration and the writing sequence are not abnormal, judging that the operation data is normal.
6. The method of claim 5, wherein the step of analyzing the operational data to obtain writing duration and writing order comprises:
analyzing the operation data to obtain a writing start time point, a writing end time point, a writing moving time point and corresponding pixel points of the time points in the canvas;
determining writing duration according to the writing starting time point and the writing ending time point;
and determining a writing sequence according to the writing starting time point, the writing ending time point, the writing moving time point and the pixel points corresponding to the time points.
7. The method according to claim 4, wherein the step of analyzing the detection information according to the verification information corresponding to the detection data to determine whether the detection information is abnormal includes:
comparing the detection information with verification information corresponding to the detection data;
when the detection information is consistent with the verification information, determining that the detection information is normal;
and when the detection information is inconsistent with the verification information, determining that the detection information is abnormal.
8. An apparatus for server security detection, the apparatus comprising:
the user location obtaining module is used for obtaining the location of the user according to the access request when receiving the access request triggering detection instruction sent by the client;
the detection data feedback module is used for feeding back detection data generated according to the location of the user to the client;
a feedback information obtaining module, configured to obtain feedback information that is fed back by the client according to the detection data, where the feedback information includes: detecting information input through the canvas and operation data generated in the input process;
the anomaly detection module is used for carrying out anomaly detection on the detection information and the operation data to obtain a detection result;
and the interception module is used for intercepting the access request when the detection result is abnormal.
9. A computer device comprising a memory and a processor, the memory storing a computer program, wherein the processor implements the steps of the method of any one of claims 1 to 7 when executing the computer program.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method of any one of claims 1 to 7.

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201910746155.2A CN110659500A (en) 2019-08-13 2019-08-13 Server security detection method and device, computer equipment and storage medium
PCT/CN2019/117809 WO2021027150A1 (en) 2019-08-13 2019-11-13 Server security detection method and apparatus, computer device, and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910746155.2A CN110659500A (en) 2019-08-13 2019-08-13 Server security detection method and device, computer equipment and storage medium

Publications (1)

Publication Number Publication Date
CN110659500A true CN110659500A (en) 2020-01-07

Family

ID=69037682

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910746155.2A Pending CN110659500A (en) 2019-08-13 2019-08-13 Server security detection method and device, computer equipment and storage medium

Country Status (2)

Country Link
CN (1) CN110659500A (en)
WO (1) WO2021027150A1 (en)


Also Published As

Publication number Publication date
WO2021027150A1 (en) 2021-02-18


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20210128

Address after: 518066 Room 201, building A, No. 1, Qian Wan Road, Qianhai Shenzhen Hong Kong cooperation zone, Shenzhen, Guangdong (Shenzhen Qianhai business secretary Co., Ltd.)

Applicant after: Shenzhen saiante Technology Service Co.,Ltd.

Address before: 1-34 / F, Qianhai free trade building, 3048 Xinghai Avenue, Mawan, Qianhai Shenzhen Hong Kong cooperation zone, Shenzhen, Guangdong 518000

Applicant before: Ping An International Smart City Technology Co.,Ltd.

RJ01 Rejection of invention patent application after publication

Application publication date: 20200107