CN110839039A - Intruder countercheck method and device

Publication number: CN110839039A
Application number: CN201911139065.3A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN110839039B (en)
Inventor: 张恒
Original Assignee: Chengdu Zhidaochuangyu Information Technology Co Ltd
Current Assignee (the listed assignees may be inaccurate): Chengdu Zhidaochuangyu Information Technology Co Ltd
Legal status (an assumption, not a legal conclusion): Granted
Prior art keywords: intruder, script, client, attack, information

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1433 Vulnerability analysis
    • H04L63/1441 Countermeasures against malicious traffic

Abstract

The application provides an intruder countering method and device. The intruder countering method is applied to a server and comprises the following steps: acquiring request information of a user accessing a website through a client; judging, according to the request information, whether the user is an intruder; and, if the user is an intruder, returning target page display data and a counter script to the browser of the client, wherein the client performs a counterattack on the intrusion system used by the intruder through the counter script. Therefore, when the server judges that the user accessing the website is an intruder, it can return the target page display data and the counter script to the browser of the intruder's client, so that when the intruder browses the target page, the counter script implanted in the target page starts to execute and obtains the intruder's real information, and a counterattack is carried out on the intruder's intrusion system.

Description

Intruder countercheck method and device
Technical Field
The application relates to the field of network security, and in particular to an intruder countering method and device.
Background
With the development of computer technology, network intrusion has become common, and many network intruders use the computer skills they have mastered to attack websites over the network for profit.
To prevent intruders from attacking a website, the website side generally traces and penetrates the intruder. However, when the system traces and penetrates an intruder, it cannot acquire the intruder's real information, because the intruder uses multi-layer Virtual Private Network (VPN) jump hosts and false information such as QQ accounts and mailboxes to carry out the intrusion. This greatly hinders tracing and penetration work, and the website cannot mount an effective defense or countermeasure.
Disclosure of Invention
An object of the embodiments of the present application is to provide an intruder countering method and device, so as to solve the technical problem that the real information of an intruder cannot be obtained.
To achieve the above purpose, the technical solutions provided in the embodiments of the present application are as follows:
In a first aspect, an embodiment of the present application provides an intruder countering method, applied to a server, including: acquiring request information of a user accessing a website through a client; judging, according to the request information, whether the user is an intruder; and, if the user is an intruder, returning target page display data and a counter script to the browser of the client, wherein the client performs a counterattack on the intrusion system used by the intruder through the counter script. Therefore, when the server judges that the user accessing the website is an intruder, it can return the target page display data and the counter script to the browser of the intruder's client, so that when the intruder browses the target page, the counter script implanted in the target page starts to execute and obtains the intruder's real information, and a counterattack is carried out on the intruder's intrusion system.
In an optional embodiment of the present application, after returning the target page display data and the counter script to the browser of the client, the intruder countering method further includes: acquiring hardware and software information through a port of the browser with which the intruder accesses the website. Therefore, after the counter script in the intruder's browser starts to execute, the intruder's real hardware and software information can be obtained through the port of the intruder's browser, so that a counterattack can be carried out on the intruder according to that information.
In an optional embodiment of the present application, after returning the target page display data and the counter script to the browser of the client, the intruder countering method further includes: acquiring information about the intruder by using the web real-time communication function of the browser with which the intruder accesses the website. Therefore, after the counter script in the intruder's browser starts to execute, the intruder's real Internet Protocol (IP) information can be acquired through the web real-time communication function of the intruder's browser, so that a counterattack can be carried out on the intruder according to the real IP information.
In an optional embodiment of the present application, after returning the target page display data and the counter script to the browser of the client, the intruder countering method further includes: receiving data returned after the client executes the counter script, and analyzing the data. Therefore, the server can also receive the data returned after the client executes the counter script, so that a better defense against the intruder can be mounted by analyzing the data.
In a second aspect, an embodiment of the present application provides another intruder countering method, applied to a client, including: sending request information for accessing a website; receiving returned target page display data and a counter script; displaying a page based on the target page display data and executing the counter script to acquire environment information of the intruder; and determining an attack mode according to the environment information, and performing a counterattack on the intrusion system used by the intruder by using the attack mode. Therefore, after the intruder accesses the website, the client receives the target page display data and the counter script returned by the server, and when the intruder browses the target page, the counter script implanted in the target page starts to execute and obtains the intruder's real information, so that the server achieves its aim of counterattacking the intruder's intrusion system by means of the intruder's real information.
In an optional embodiment of the present application, determining an attack mode according to the environment information includes: determining, according to the environment information, vulnerabilities that may exist in the intrusion system; and searching the counter script for the attack mode corresponding to the vulnerability. Therefore, the counter script in the intruder's client can determine, according to the intruder's real environment information, the vulnerabilities that may exist in the intrusion system, and carry out a counterattack on the intruder through the vulnerability.
In an optional embodiment of the present application, after determining, according to the environment information, the vulnerabilities that may exist in the intrusion system, the intruder countering method further includes: acquiring third-party website information of the intrusion system through the vulnerability of the intrusion system. Therefore, the counter script in the intruder's client can acquire the intruder's real third-party website information through the vulnerability in the intrusion system, so as to learn the identity of the intruder.
In an optional embodiment of the present application, the vulnerability of the intrusion system includes: 0Day vulnerabilities and/or NDay vulnerabilities.
In an optional embodiment of the present application, performing a counterattack on the intrusion system used by the intruder by using the attack mode includes: uploading the Trojan corresponding to the attack mode to the intrusion system through the vulnerability. Therefore, the Trojan corresponding to the attack mode for the existing vulnerability can be uploaded to the intruder's intrusion system, so that the server achieves its aim of counterattacking the intruder's intrusion system by means of the intruder's real information.
In a third aspect, an embodiment of the present application provides an intruder countering device, applied to a server, including: a first acquisition module, configured to acquire request information of a user accessing a website through a client; a judging module, configured to judge, according to the request information, whether the user is an intruder; and a return module, configured to return target page display data and a counter script to the browser of the client if the user is an intruder, wherein the client performs a counterattack on the intrusion system used by the intruder through the counter script. Therefore, when the judging module in the server judges that the user accessing the website is an intruder, the return module can return the target page display data and the counter script to the browser of the intruder's client, so that when the intruder browses the target page, the counter script implanted in the target page starts to execute and obtains the intruder's real information, and a counterattack is carried out on the intruder's intrusion system.
In an optional embodiment of the present application, the intruder countering device further includes: a second acquisition module, configured to acquire hardware and software information through a port of the browser with which the intruder accesses the website. Therefore, after the counter script in the intruder's browser starts to execute, the second acquisition module can obtain the intruder's real hardware and software information through the port of the intruder's browser, so that a counterattack can be carried out on the intruder according to that information.
In an optional embodiment of the present application, the intruder countering device further includes: a third acquisition module, configured to acquire information about the intruder by using the web real-time communication function of the browser with which the intruder accesses the website. Therefore, after the counter script in the intruder's browser starts to execute, the third acquisition module can obtain the intruder's real Internet Protocol (IP) information through the web real-time communication function of the intruder's browser, so that a counterattack can be carried out on the intruder according to the real IP information.
In an optional embodiment of the present application, the intruder countering device further includes: a second receiving module, configured to receive the data returned after the client executes the counter script and to analyze the data. Therefore, the server can also receive, through the second receiving module, the data returned after the client executes the counter script, so that a better defense against the intruder can be mounted by analyzing the data.
In a fourth aspect, an embodiment of the present application provides another intruder countering device, applied to a client, including: a sending module, configured to send request information for accessing a website; a first receiving module, configured to receive returned target page display data and a counter script; an execution module, configured to display a page based on the target page display data and to execute the counter script to acquire environment information of the intruder; and an attack module, configured to determine an attack mode according to the environment information and to perform a counterattack on the intrusion system used by the intruder by using the attack mode. Therefore, after the intruder accesses the website, the first receiving module receives the target page display data and the counter script returned by the server, and when the intruder browses the target page, the counter script implanted in the target page starts to execute and obtains the intruder's real information, so that the server achieves its aim of counterattacking the intruder's intrusion system by means of the intruder's real information.
In an optional embodiment of the present application, the attack module is further configured to: determine, according to the environment information, vulnerabilities that may exist in the intrusion system; and search the counter script for the attack mode corresponding to the vulnerability. Therefore, the counter script in the intruder's client can determine, according to the intruder's real environment information, the vulnerabilities that may exist in the intrusion system, and the attack module carries out a counterattack on the intruder through the vulnerability.
In an optional embodiment of the present application, the intruder countering device further includes: a fourth acquisition module, configured to acquire third-party website information of the intrusion system through the vulnerability of the intrusion system. Therefore, the counter script in the intruder's client can use the fourth acquisition module to acquire the intruder's real third-party website information through the vulnerability in the intrusion system, so as to learn the identity of the intruder.
In an optional embodiment of the present application, the vulnerability of the intrusion system includes: 0Day vulnerabilities and/or NDay vulnerabilities.
In an optional embodiment of the present application, the attack module is further configured to: upload the Trojan corresponding to the attack mode to the intrusion system through the vulnerability. Therefore, the attack module can upload the Trojan corresponding to the attack mode for the existing vulnerability to the intruder's intrusion system, so that the server achieves its aim of counterattacking the intruder's intrusion system by means of the intruder's real information.
In a fifth aspect, an embodiment of the present application provides an electronic device, including: a processor, a memory, and a bus; the processor and the memory communicate with each other through the bus; the memory stores program instructions executable by the processor, and the processor, by invoking the program instructions, is capable of performing the intruder countering method of the first and second aspects.
In a sixth aspect, an embodiment of the present application provides a non-transitory computer-readable storage medium storing computer instructions that cause a computer to perform the intruder countering method of the first and second aspects.
In order to make the aforementioned objects, features and advantages of the present application more comprehensible, embodiments accompanied with figures are described in detail below.
Drawings
To illustrate the technical solutions of the embodiments of the present application more clearly, the drawings used in the embodiments are briefly described below. It should be understood that the following drawings illustrate only some embodiments of the present application and therefore should not be considered as limiting its scope; those skilled in the art can obtain other related drawings from these drawings without inventive effort.
Fig. 1 is a flowchart of an intruder countering method implemented by interaction between a client and a server according to an embodiment of the present application;
Fig. 2 is a flowchart of an implementation of step S107 in the embodiment of the present application;
Fig. 3 is a block diagram of an intruder countering device according to an embodiment of the present application;
Fig. 4 is a block diagram of another intruder countering device according to an embodiment of the present application;
Fig. 5 is a block diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
With the traditional method of defending against and countering an intruder, the intruder's real data cannot be obtained, because the intruder uses multi-layer VPN jump hosts and false information such as QQ accounts and mailboxes to carry out the intrusion. This greatly hinders tracing and penetration of the intruder, and the intruded website cannot be effectively defended or mount an effective countermeasure.
In view of the above problems, the inventor proposes an intruder countering method that involves the server of the intruded side and the client of the intruding side. That is to say, when an intruder accesses a website through a client, the server corresponding to the website defends against and counters the intruder's intrusion behavior through that client. The intruder countering method provided by the embodiments of the present application is described in detail below.
Referring to Fig. 1, Fig. 1 is a flowchart of an intruder countering method implemented by interaction between a client and a server according to an embodiment of the present application. The intruder countering method includes the following steps:
Step S101: The client sends request information for accessing the website.
Step S102: The server acquires the request information of the user accessing the website through the client.
Step S103: The server judges, according to the request information, whether the user is an intruder.
Step S104: If the user is an intruder, the server returns target page display data and a counter script to the browser of the client.
Step S105: The client receives the returned target page display data and the counter script.
Step S106: The client displays a page based on the target page display data and executes the counter script to acquire environment information of the intruder.
Step S107: The client determines an attack mode according to the environment information and performs a counterattack on the intrusion system used by the intruder by using the attack mode.
Illustratively, when a user wants to access a website, request information may be sent to the website through a client. The client may be a terminal device such as a mobile phone or a computer, and the request information may be sent by entering the address of the website, clicking a link to the website in a page, and so on; the embodiments of the present application do not specifically limit this, and those skilled in the art may choose appropriately according to the actual situation. In addition, the user accessing the website may be an intruder or an ordinary user; the embodiments of the present application mainly describe the actions of the server and the client when the user is an intruder.
After receiving the request information of a user accessing the website through a client, the server can judge whether the user is an intruder according to information such as the browser manufacturer and version carried in the request header of the request information. The server can determine whether the user is an intruder in various ways, for example by judging whether the user shows abnormal operation behavior or whether the user's IP address corresponds to the geographic position; those skilled in the art can choose appropriately according to conventional technical means in the field.
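The judgment in step S103 can be sketched as a scoring function over the request header and recent request behavior. This is an added example, not code from the patent: the token list, weights, thresholds and all function and class names are assumptions, and the IP-to-geography check is left out because it needs an external database.

```python
import re
from collections import deque

# Assumed, illustrative User-Agent tokens sent by scanners and HTTP libraries.
TOOL_TOKENS = ("sqlmap", "nikto", "nmap", "masscan",
               "python-requests", "curl/", "go-http-client")

# Ordered (vendor, pattern) pairs: Edge before Chrome and Chrome before Safari,
# because those User-Agent strings embed each other's product tokens.
BROWSER_PATTERNS = [
    ("Edge", re.compile(r"Edge?/(\d+)")),
    ("Chrome", re.compile(r"Chrome/(\d+)")),
    ("Firefox", re.compile(r"Firefox/(\d+)")),
    ("IE", re.compile(r"MSIE (\d+)|Trident/.*rv:(\d+)")),
    ("Safari", re.compile(r"Version/(\d+).*Safari/")),
]

# Assumed weights; a request is flagged when the summed weight reaches THRESHOLD.
WEIGHTS = {
    "tool-user-agent": 3,
    "missing-user-agent": 2,
    "unrecognised-user-agent": 1,
    "browser-ua-without-browser-headers": 2,
    "request-burst": 2,
    "path-probing": 2,
}
THRESHOLD = 3


def parse_browser(user_agent):
    """Return (vendor, major_version) from a User-Agent, or (None, None)."""
    for vendor, pattern in BROWSER_PATTERNS:
        match = pattern.search(user_agent)
        if match:
            major = next(g for g in match.groups() if g)
            return vendor, int(major)
    return None, None


class RequestJudge:
    """Scores each request from header content and a per-client sliding window."""

    def __init__(self, window_s=10.0, max_requests=20, max_not_found=5):
        self.window_s = window_s
        self.max_requests = max_requests
        self.max_not_found = max_not_found
        self._history = {}  # client id -> deque of (timestamp, status code)

    def judge(self, client_id, headers, status, now):
        h = {k.lower(): v for k, v in headers.items()}
        ua = h.get("user-agent", "")
        vendor, major = parse_browser(ua)
        reasons = []

        # Header signals: what the client claims to be, and whether the
        # rest of the header set is consistent with that claim.
        if not ua:
            reasons.append("missing-user-agent")
        elif any(tok in ua.lower() for tok in TOOL_TOKENS):
            reasons.append("tool-user-agent")
        elif vendor is None:
            reasons.append("unrecognised-user-agent")
        elif "accept" not in h or "accept-language" not in h:
            reasons.append("browser-ua-without-browser-headers")

        # Behavior signals: request rate and 404 count inside the window.
        hist = self._history.setdefault(client_id, deque())
        hist.append((now, status))
        while hist and now - hist[0][0] > self.window_s:
            hist.popleft()
        if len(hist) > self.max_requests:
            reasons.append("request-burst")
        if sum(1 for _, s in hist if s == 404) > self.max_not_found:
            reasons.append("path-probing")

        score = sum(WEIGHTS[r] for r in reasons)
        return {"vendor": vendor, "major": major, "reasons": reasons,
                "score": score, "suspicious": score >= THRESHOLD}


if __name__ == "__main__":
    # Constructed sample request, not captured traffic.
    judge = RequestJudge()
    print(judge.judge("10.0.0.7", {"User-Agent": "sqlmap/1.3.11#stable"}, 200, 0.0))
```

A single weak signal, such as an unfamiliar User-Agent, stays below the threshold, so the verdict depends on signals agreeing rather than on any one header.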
If the server judges that the user is an intruder, some means is needed to defend against and counter the intruder. In the embodiment of the present application, the server can return the target page display data and the counter script to the browser of the client used by the intruder, so that a counterattack can be performed on the intrusion system used by the intruder through the counter script returned to the intruder's client.
As an embodiment, the server may send the data resources related to the target page back to the browser. These data resources may include the descriptive documents, pictures, JavaScript scripts, Cascading Style Sheets (CSS), and other data of the target page, so that the target page can be displayed in the intruder's browser.
The target page can be any page of the website, in which case the embedded counter script starts to execute as soon as the intruder browses the page. The target page may also be a specific page, such as a page containing confidential information that an ordinary user would not normally view but that an intruder would want to view in order to obtain confidential information about the website, thereby causing the embedded counter script to start executing.
As another embodiment, the server may implant a counter script file in the target page in the form of a code library according to the obtained information about the intruder's browser manufacturer, version and the like, where the counter script file may include obfuscated JavaScript, HTML5 (H5), WebAssembly code, and the like corresponding to that information.
After the browser of the intruder's client acquires the target page, it displays the page based on the target page display data and immediately starts to run the implanted counter script so as to acquire the environment information of the intruder. The environment information of the intruder may include the intruder's system environment information, router environment information, and so on. The counter script implanted in the client can determine, according to the environment information, an attack mode that can be used to attack the intruder's system.
As an implementation, referring to Fig. 2, Fig. 2 is a flowchart of an implementation of step S107 in this embodiment, where the client determining an attack mode according to the environment information in step S107 may include the following steps:
Step S201: The client determines, according to the environment information, vulnerabilities that may exist in the intrusion system.
Step S202: The client searches the counter script for the attack mode corresponding to the vulnerability.
The counter script in the client can determine, according to the environment information, vulnerabilities that may exist in the intruder's system, for example 0Day vulnerabilities, NDay vulnerabilities (IE cross-domain vulnerabilities, Firefox cross-domain vulnerabilities, etc.), and the like. A 0Day vulnerability is a security vulnerability for which no official patch exists, and an NDay vulnerability is a security vulnerability that already has an official patch or security solution.
A large amount of attack code and web page attack code that exploits system NDay vulnerabilities is integrated in the counter script file in advance. The attack mode is screened automatically by examining information such as the intruder's system environment and router environment, and a targeted attack is launched. For example, the counter script determines from the intruder's environment information that an IE cross-domain vulnerability may exist (the intruder uses the IE browser), finds the attack mode for the IE cross-domain vulnerability according to the correspondence between vulnerabilities and attack modes stored in the counter script, and performs a counterattack on the intruder's system by using that attack mode. Examples include implementing Domain Name System (DNS) hijacking against the intruder's system, modifying the router administrator password, and executing arbitrary commands in the intruder's system.
As an embodiment, performing a counterattack on the intrusion system used by the intruder by using the attack mode in step S107 may include the following step:
Uploading the Trojan corresponding to the attack mode to the intrusion system through the vulnerability.
In the embodiment of the present application, when the server judges that the user accessing the website is an intruder, it can return the target page display data and the counter script to the browser of the intruder's client, so that when the intruder browses the target page, the counter script implanted in the target page starts to execute and obtains the intruder's real information, and a counterattack is carried out on the intruder's intrusion system.
Further, after step S106, the intruder countering method provided in the embodiment of the present application may further include the following steps:
The server acquires hardware and software information through a port of the browser with which the intruder accesses the website;
or the server acquires information about the intruder by using the web real-time communication function of the browser with which the intruder accesses the website;
or the client acquires third-party website information of the intrusion system through the vulnerability of the intrusion system.
Illustratively, when an intruder visits a website, some information about the browser itself can be provided to the server through a port of the browser, for example the operating system of the intruder's system, installed software, browser plug-ins, and the like. Meanwhile, the server can also probe the intruder's intranet information by using the Web Real-Time Communication (WebRTC) function of the browser, to acquire information such as the intranet IP, real IP, intranet hosts, and ports.
In addition, when the counter script runs, accumulated 0Day vulnerabilities can be used to acquire information such as the intruder's avatar, Identity Document (ID), address, name, and gender on some social networks (third-party websites); in cooperation with the website, in specific scenarios, the intruder is also photographed by accessing the client's camera through the browser, so that image information of the intruder is acquired. When the counter script runs, publicly disclosed NDay vulnerabilities are used to obtain information such as the intruder's Cookies, browsing records, and user data on other websites (third-party websites), and the intruder's keyboard operations can also be recorded.
In the embodiment of the present application, the server can acquire the intruder's real information in various ways, including directly through a port of the browser and by receiving the data acquired by the counter script, so that the intruder can be defended against and countered according to the acquired real information.
Further, after step S106, the intruder countering method provided in the embodiment of the present application may further include the following steps:
First, the client returns the data obtained after the counter script is executed to the server.
Second, the server receives the data returned after the client executes the counter script and analyzes the data.
Illustratively, the client can send the information about the intruder acquired by the counter script to the server, so that network security personnel at the server can analyze and process it. This information helps network security personnel analyze the intruder more comprehensively, predict and defend against attacks more effectively, and trace and counter the intruder.
Referring to fig. 3, fig. 3 is a block diagram of an intruder countermeasure device according to an embodiment of the present invention. The intruder countermeasure device 300 is applied to a server and includes: a first obtaining module 301, configured to obtain request information for a user to access a website through a client; a judging module 302, configured to judge whether the user is an intruder according to the request information; and a returning module 303, configured to return target page display data and a reverse script to the browser of the client if the user is the intruder, where the client performs a counter attack on the intrusion system used by the intruder through the reverse script.
In this embodiment of the present application, when the judging module 302 in the server determines that the user accessing the website is an intruder, the returning module 303 may return the target page display data and the reverse script to the browser of the intruder's client, so that when the intruder browses the target page, the reverse script implanted in the target page starts to execute and obtains real information of the intruder, in order to perform a counter attack on the intruder's intrusion system.
Further, the intruder countermeasure device 300 further includes a second obtaining module (not shown in the figure), configured to obtain hardware and software information through a port of the browser with which the intruder accesses the website.
In the embodiment of the application, after the reverse script in the intruder's browser starts to execute, the second obtaining module can obtain the intruder's real hardware and software information through the port of the intruder's browser, so that a counter attack can be performed on the intruder according to that information.
Further, the intruder countermeasure device 300 further includes a third obtaining module (not shown in the figure), configured to obtain information of the intruder by using the web page instant messaging function of the browser with which the intruder accesses the website.
In this embodiment of the application, after the reverse script in the intruder's browser starts to execute, the third obtaining module may obtain the intruder's real Internet Protocol (IP) information through the web page instant messaging function of the intruder's browser, so that a counter attack can be performed on the intruder according to the real IP information.
Further, the intruder countermeasure device 300 further includes a second receiving module (not shown in the figure), configured to receive the data returned by the client after executing the reverse script and to analyze the data.
In the embodiment of the application, the server can also receive, through the second receiving module, the data returned by the client after executing the reverse script, so that the data can be analyzed to better defend against the intruder.
Referring to fig. 4, fig. 4 is a block diagram of another intruder countermeasure device according to an embodiment of the present invention. The intruder countermeasure device 400 is applied to a client and includes: a sending module 401, configured to send request information for accessing a website; a first receiving module 402, configured to receive returned target page display data and a reverse script; an executing module 403, configured to display a page based on the target page display data and execute the reverse script to obtain environment information of the intruder; and an attack module 404, configured to determine an attack mode according to the environment information and perform a counter attack on the intrusion system used by the intruder by using the attack mode.
In the embodiment of the application, after the intruder accesses the website, the target page display data and the reverse script returned by the server are received through the first receiving module 402. When the intruder browses the target page, the reverse script implanted in the target page starts to execute and obtains the real information of the intruder, so that the server can perform a counter attack on the intruder's intrusion system using that real information.
Further, the attack module 404 is further configured to: determine possible vulnerabilities of the intrusion system according to the environment information; and search the reverse script for the attack mode corresponding to the vulnerability.
In the embodiment of the application, the reverse script in the intruder's client can determine the possible vulnerabilities of the intrusion system according to the intruder's real environment information, and the attack module performs a counter attack on the intruder through those vulnerabilities.
Further, the intruder countermeasure device 400 further includes a fourth obtaining module (not shown in the figure), configured to obtain the third-party website information of the intrusion system through the vulnerability of the intrusion system.
In the embodiment of the application, the reverse script in the intruder's client can use the fourth obtaining module to acquire the intruder's real third-party website information through a vulnerability in the intrusion system, so as to learn the identity of the intruder.
Further, the vulnerability of the intrusion system includes: 0Day vulnerabilities and/or NDay vulnerabilities.
Further, the attack module 404 is further configured to: upload the Trojan corresponding to the attack mode to the intrusion system through the vulnerability.
In the embodiment of the application, the attack module 404 can upload, to the intruder's intrusion system, the Trojan corresponding to the attack mode for the vulnerability that is present, so that the server can perform a counter attack on the intruder's intrusion system using the intruder's real information.
Referring to fig. 5, fig. 5 is a block diagram of an electronic device according to an embodiment of the present disclosure, where the electronic device includes: at least one processor 501, at least one communication interface 502, at least one memory 503, and at least one communication bus 504. Wherein, the communication bus 504 is used for realizing direct connection communication of these components, the communication interface 502 is used for communicating signaling or data with other node devices, and the memory 503 stores machine readable instructions executable by the processor 501. When the electronic device is operating, the processor 501 communicates with the memory 503 via the communication bus 504, and the machine-readable instructions, when called by the processor 501, perform the intruder countering method described above.
The processor 501 may be an integrated circuit chip having signal processing capabilities. The processor 501 may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component. It may implement or perform the various methods, steps, and logic blocks disclosed in the embodiments of the present application. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
The Memory 503 may include, but is not limited to, a Random Access Memory (RAM), a Read Only Memory (ROM), a Programmable Read Only Memory (PROM), an Erasable Programmable Read Only Memory (EPROM), an Electrically Erasable Programmable Read Only Memory (EEPROM), and the like.
It will be appreciated that the configuration shown in fig. 5 is merely illustrative and that the electronic device may include more or fewer components than shown in fig. 5 or have a different configuration than shown in fig. 5. The components shown in fig. 5 may be implemented in hardware, software, or a combination thereof. In this embodiment, the electronic device may be, but is not limited to, a physical device such as a desktop computer, a notebook computer, a smart phone, an intelligent wearable device, or a vehicle-mounted device, and may also be a virtual device such as a virtual machine. In addition, the electronic device is not necessarily a single device, but may also be a combination of multiple devices, such as a server cluster. In the embodiment of the present application, both the server and the client in the intruder countering method can be implemented by the electronic device shown in fig. 5.
Embodiments of the present application further provide a computer program product comprising a computer program stored on a non-transitory computer-readable storage medium, the computer program comprising program instructions which, when executed by a computer, enable the computer to perform the steps of the intruder countering method in the above embodiments, for example, including: acquiring request information of a user for accessing a website through a client; judging whether the user is an intruder or not according to the request information; and if the user is the intruder, returning target page display data and a reverse script to a browser of the client, where the client performs a counter attack on the intrusion system used by the intruder through the reverse script.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions when actually implemented, and for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be in an electrical, mechanical or other form.
In addition, units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
Furthermore, the functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
In this document, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (12)

1. An intruder countering method applied to a server, comprising:
acquiring request information of a user for accessing a website through a client;
judging whether the user is an intruder or not according to the request information;
if the user is the intruder, returning target page display data and a reverse script to a browser of the client, wherein the client performs a counter attack on the intrusion system used by the intruder through the reverse script.
2. The intruder countering method as claimed in claim 1, wherein after the returning of target page display data and a reverse script to the browser of the client, the intruder countering method further comprises:
acquiring hardware and software information through a port of the browser with which the intruder accesses the website.
3. The intruder countering method as claimed in claim 1, wherein after the returning of target page display data and a reverse script to the browser of the client, the intruder countering method further comprises:
acquiring the IP information of the intruder by utilizing the web page instant messaging function of the browser with which the intruder accesses the website.
4. The intruder countering method as claimed in claim 1, wherein after the returning of target page display data and a reverse script to the browser of the client, the intruder countering method further comprises:
receiving data returned after the client executes the reverse script, and analyzing the data.
5. An intruder countering method applied to a client, comprising:
sending request information for accessing the website;
receiving returned target page display data and a reverse script;
displaying a page based on the target page display data and executing the reverse script to acquire the environment information of the intruder;
and determining an attack mode according to the environment information, and performing a counter attack on an intrusion system used by the intruder by using the attack mode.
6. The intruder countering method according to claim 5, wherein the determining an attack mode according to the environment information comprises:
determining possible vulnerabilities of the intrusion system according to the environment information;
and searching the reverse script for the attack mode corresponding to the vulnerability.
7. The method of claim 6, wherein after determining the possible vulnerabilities of the intrusion system according to the environment information, the method further comprises:
acquiring the third-party website information of the intrusion system through the vulnerability of the intrusion system.
8. The intruder countering method of claim 6, wherein the vulnerability of the intrusion system comprises: 0Day vulnerabilities and/or NDay vulnerabilities.
9. The intruder countering method according to claim 6, wherein the performing of the counter attack on the intrusion system used by the intruder by using the attack mode includes:
uploading the Trojan corresponding to the attack mode to the intrusion system through the vulnerability.
10. An intruder countermeasure device, applied to a server, comprising:
the first acquisition module is used for acquiring request information of a user for accessing a website through a client;
the judging module is used for judging whether the user is an intruder or not according to the request information;
the return module is used for returning target page display data and a reverse script to the browser of the client if the user is the intruder, wherein the client performs a counter attack on the intrusion system used by the intruder through the reverse script.
11. An intruder countermeasure device applied to a client, comprising:
the sending module is used for sending request information for accessing the website;
the first receiving module is used for receiving returned target page display data and a reverse script;
the execution module is used for displaying a page based on the target page display data and executing the reverse script to acquire the environment information of the intruder;
and the attack module is used for determining an attack mode according to the environment information and utilizing the attack mode to carry out a counter attack on an intrusion system used by the intruder.
12. A non-transitory computer-readable storage medium storing computer instructions which, when executed by a computer, cause the computer to perform the intruder countering method of any of claims 1-9.
CN201911139065.3A 2019-11-20 2019-11-20 Intruder countercheck method and device Active CN110839039B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911139065.3A CN110839039B (en) 2019-11-20 2019-11-20 Intruder countercheck method and device

Publications (2)

Publication Number Publication Date
CN110839039A (en) 2020-02-25
CN110839039B (en) 2022-03-29

Family

ID=69576885

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP02 Change in the address of a patent holder

Address after: 9/F, Block C, No. 28 Tianfu Avenue North Section, Chengdu High tech Zone, China (Sichuan) Pilot Free Trade Zone, Chengdu City, Sichuan Province, 610000

Patentee after: CHENGDU KNOWNSEC INFORMATION TECHNOLOGY Co.,Ltd.

Address before: 610000, 11th floor, building 2, no.219, Tianfu Third Street, Chengdu pilot Free Trade Zone, hi tech Zone, Chengdu, Sichuan Province 610000

Patentee before: CHENGDU KNOWNSEC INFORMATION TECHNOLOGY Co.,Ltd.