CN111131293A - Service disguising method and device - Google Patents


Info

Publication number: CN111131293A
Authority: CN (China)
Prior art keywords: service, client, request message, masquerading, request
Legal status: Pending
Application number: CN201911402159.5A
Other languages: Chinese (zh)
Inventor: 庄耀辉
Current Assignee: Beijing Knownsec Information Technology Co Ltd
Original Assignee: Beijing Knownsec Information Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q30/00 Commerce
    • G06Q30/018 Certifying business or products
    • G06Q30/0185 Product, service or business identity fraud


Abstract

The application provides a service masquerading method and apparatus. The method, applied to a server, comprises the following steps: performing, through a masquerading service, a handshake process that establishes a connection with a client; after the connection with the client is established, receiving, through the masquerading service, a request message sent by the client that requests a service; judging whether the request message conforms to a reliable request rule; and, if the request message does not conform to the reliable request rule, returning to the client, through the masquerading service, a response message defined by the masquerading service. Against a hacker attack, misleading disguise can therefore begin at the stage where the hacker scans the target host: if the server judges, through the masquerading service, that an abnormal client is requesting a service, it returns a response message defined by the masquerading service to that client, so the hacker cannot determine the host's real service through the abnormal client and cannot attack the host with a known vulnerability, which improves the accuracy of intercepting the attack.

Description

Service disguising method and device
Technical Field
The present application relates to the field of communications, and in particular to a service masquerading method and apparatus.
Background
With the development of computer technology, hacker intrusion has become a common phenomenon: hackers attack target hosts and cause security problems such as leakage of the data held on those hosts. At present one of the main methods of host attack defense is to use an Intrusion Detection System (IDS) or an Intrusion Prevention System (IPS), but such systems rely on an attack detection library and cannot intercept an attack that is not in that library, so their accuracy in intercepting attacks is low.
Disclosure of Invention
The embodiments of the present application aim to provide a service masquerading method and a service masquerading apparatus that solve the technical problem of the low accuracy of intercepting attacks.
To achieve the above purpose, the technical solutions provided in the embodiments of the present application are as follows:
In a first aspect, an embodiment of the present application provides a service masquerading method applied to a server, which includes: performing, through a masquerading service, a handshake process that establishes a connection with a client; after the connection with the client is established, receiving, through the masquerading service, a request message sent by the client that requests a service; judging whether the request message conforms to a reliable request rule; and, if the request message does not conform to the reliable request rule, returning to the client, through the masquerading service, a response message defined by the masquerading service. Against a hacker attack, misleading disguise can therefore begin at the stage where the hacker scans the target host: if the server judges, through the masquerading service, that an abnormal client is requesting a service, it can return a response message defined by the masquerading service to that client, so the hacker cannot determine the host's real service through the abnormal client and cannot attack the host with a known vulnerability, which improves the accuracy of intercepting the attack.
In an optional embodiment of the present application, after judging whether the request message conforms to the reliable request rule, the service masquerading method further includes: if the request message conforms to the reliable request rule, forwarding it to the real service through the masquerading service; and forwarding the real service's response message to the client through the masquerading service. Thus, if the server judges through the masquerading service that the client requesting the service is a normal client, the request message it sent can be forwarded to the real service, and the normal client can carry out its subsequent interaction with the real service.
In an optional embodiment of the present application, the request message is constructed as a real service request message, and judging whether the request message conforms to the reliable request rule includes: judging whether the features of the request message match the features of the real service; if so, the request message conforms to the reliable request rule, otherwise it does not. Thus, while a client requests a service from the server, if the features of the request message received by the masquerading service match the features of a request message for the real service, the current client is a normal client, and the real service can carry out the subsequent interaction with it.
In an optional embodiment of the present application, the request message carries a feature related to the masquerading service, and judging whether the request message conforms to the reliable request rule includes: judging whether the request message carries a predefined feature; if so, the request message conforms to the reliable request rule, otherwise it does not. Thus, while a client requests a service from the server, if the request message received by the masquerading service carries the predefined feature, the current client is a normal client, and the real service can carry out the subsequent interaction with it.
In an optional embodiment of the present application, before receiving through the masquerading service the request message sent by the client, the service masquerading method further includes: sending the predefined feature to a normal client. Thus, before the client requests a service from the server, the server can allocate the predefined feature to the normal client, and whether a client is a normal client can then be judged by whether the request message it sends carries the allocated predefined feature, so that the attack can be intercepted.
In an optional embodiment of the present application, the request message carries a feature related to a predefined service, and judging whether the request message conforms to the reliable request rule includes: judging whether the features of the request message match the features of the predefined service; if so, the request message conforms to the reliable request rule, otherwise it does not. Thus, while a client requests a service from the server, if the features of the request message received by the masquerading service match the features of a request message for the predefined service, the current client is a normal client, and the real service can carry out the subsequent interaction with it.
In an optional embodiment of the present application, before receiving through the masquerading service the request message sent by the client, the service masquerading method further includes: sending the features of the predefined service to a normal client. Thus, before the client requests a service from the server, the server can send the features of the predefined service to the normal client, and whether a client is a normal client can then be judged by whether the features of the request message it sends match the features of the predefined service, so that the attack can be intercepted.
In an optional embodiment of the present application, before sending the features of the predefined service to the normal client, the service masquerading method further includes: receiving client data sent by the client and sending server data to the client; and determining the predefined service based on the client data and the server data. Thus the server can determine the predefined service from the client data and the server data, and whether a client is a normal client can then be judged by whether the features of the request message it sends match the features of the predefined service, so that the attack can be intercepted.
In a second aspect, an embodiment of the present application provides a service masquerading apparatus applied to a server, which includes: a handshake module for performing, through a masquerading service, a handshake process that establishes a connection with a client; a first receiving module for receiving, through the masquerading service after the connection with the client is established, a request message sent by the client that requests a service; a judging module for judging whether the request message conforms to a reliable request rule; and a return module for returning to the client, through the masquerading service, a response message defined by the masquerading service if the request message does not conform to the reliable request rule. Against a hacker attack, misleading disguise can therefore begin at the stage where the hacker scans the target host: if the server judges, through the masquerading service, that an abnormal client is requesting a service, it can return a response message defined by the masquerading service to that client, so the hacker cannot determine the host's real service through the abnormal client and cannot attack the host with a known vulnerability, which improves the accuracy of intercepting the attack.
In an optional embodiment of the present application, the service masquerading apparatus further includes: a first forwarding module for forwarding the request message to the real service through the masquerading service if the request message conforms to the reliable request rule; and a second forwarding module for forwarding the real service's response message to the client through the masquerading service. Thus, if the server judges through the masquerading service that the client requesting the service is a normal client, the request message it sent can be forwarded to the real service, and the normal client can carry out its subsequent interaction with the real service.
In an optional embodiment of the present application, the request message is constructed as a real service request message, and the judging module is further configured to: judge whether the features of the request message match the features of the real service; if so, the request message conforms to the reliable request rule, otherwise it does not. Thus, while a client requests a service from the server, if the features of the request message received by the masquerading service match the features of a request message for the real service, the current client is a normal client, and the real service can carry out the subsequent interaction with it.
In an optional embodiment of the present application, the request message carries a feature related to the masquerading service, and the judging module is further configured to: judge whether the request message carries a predefined feature; if so, the request message conforms to the reliable request rule, otherwise it does not. Thus, while a client requests a service from the server, if the request message received by the masquerading service carries the predefined feature, the current client is a normal client, and the real service can carry out the subsequent interaction with it.
In an optional embodiment of the present application, the service masquerading apparatus further includes: a first sending module for sending the predefined feature to a normal client. Thus, before the client requests a service from the server, the server can allocate the predefined feature to the normal client, and whether a client is a normal client can then be judged by whether the request message it sends carries the allocated predefined feature, so that the attack can be intercepted.
In an optional embodiment of the present application, the request message carries a feature related to a predefined service, and the judging module is further configured to: judge whether the features of the request message match the features of the predefined service; if so, the request message conforms to the reliable request rule, otherwise it does not. Thus, while a client requests a service from the server, if the features of the request message received by the masquerading service match the features of a request message for the predefined service, the current client is a normal client, and the real service can carry out the subsequent interaction with it.
In an optional embodiment of the present application, the service masquerading apparatus further includes: a second sending module for sending the features of the predefined service to the normal client. Thus, before the client requests a service from the server, the server can send the features of the predefined service to the normal client, and whether a client is a normal client can then be judged by whether the features of the request message it sends match the features of the predefined service, so that the attack can be intercepted.
In an optional embodiment of the present application, the service masquerading apparatus further includes: a second receiving module for receiving client data sent by the client and sending server data to the client; and a determining module for determining the predefined service based on the client data and the server data. Thus the server can determine the predefined service from the client data and the server data, and whether a client is a normal client can then be judged by whether the features of the request message it sends match the features of the predefined service, so that the attack can be intercepted.
In a third aspect, an embodiment of the present application provides an electronic device including a processor, a memory and a bus; the processor and the memory communicate with each other through the bus; the memory stores program instructions executable by the processor, and the processor, by invoking those program instructions, can perform the service masquerading method of the first aspect.
In a fourth aspect, embodiments of the present application provide a non-transitory computer-readable storage medium storing computer instructions that cause a computer to perform the service masquerading method of the first aspect.
In order to make the aforementioned objects, features and advantages of the present application more comprehensible, embodiments accompanied with figures are described in detail below.
Drawings
To illustrate the technical solutions of the embodiments of the present application more clearly, the drawings used in the embodiments are briefly described below. It should be understood that the following drawings illustrate only some embodiments of the present application and should therefore not be considered as limiting its scope, and that those skilled in the art can obtain other related drawings from them without inventive effort.
Fig. 1 is a block diagram illustrating a service masquerading system according to an embodiment of the present disclosure;
fig. 2 is a flowchart of a service masquerading method according to an embodiment of the present application;
fig. 3 is a schematic diagram illustrating a normal client-server interaction process according to an embodiment of the present application;
fig. 4 is a schematic diagram illustrating an abnormal client-server interaction process according to an embodiment of the present application;
fig. 5 is a block diagram illustrating a service disguising apparatus according to an embodiment of the present application;
fig. 6 is a block diagram of an electronic device according to an embodiment of the present disclosure.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
With the development of computer technology, hacker intrusion has become a common phenomenon. A hacker attacking a specific target host usually first port-scans it with a service scanning tool, determines which port services are running on the host and accept connections from outside, then, according to the type of each port service, tries known vulnerabilities against the corresponding service to find a vulnerability the target host is exposed to, and finally attacks through that vulnerability.
One of the main current methods of host attack defense is to use an Intrusion Detection System (IDS) or an Intrusion Prevention System (IPS), which compares the traffic of a connected service against an existing attack detection library in order to detect the corresponding attack and intercept it or raise a warning.
However, first, this method must monitor the traffic and compare it against the attack detection library, which greatly increases network delay, reduces the network speed between the service and the connecting host, and interferes with normal use of the host's normal services. Second, the system depends heavily on the attack detection library, has no ability to intercept or warn about new, unknown attacks, and, because variant and obfuscated forms of an attack exist, its rules are easily caught between missed detections and false alarms. Finally, all of this defense takes place after the host scanning stage of the hacker's attack, so a hacker who has determined which applications the host runs can try a new round of attack at any time using updated vulnerability information.
Besides the above methods, a main method of host attack defense may also use a firewall system that imposes pre-set rule restrictions on which hosts may connect to an application, or on which connection methods may be used, and uniformly rejects connection requests from hosts that do not conform to those rules.
However, first, this method requires the hosts that need to connect to be determined in advance, which makes dynamic updating and modification inconvenient, and a temporary connection request that has been newly added will be rejected and unable to connect. Second, if a pre-allowed host is compromised, this defense strategy cannot defend against an attack coming from that compromised pre-allowed host.
Based on the above analysis, the inventors provide a service masquerading system, a service masquerading method and a service masquerading apparatus. In the embodiments of the present application, misleading disguise against a hacker's attack begins at the host scanning stage, so the hacker cannot determine the host's real application and therefore cannot attack the host with a known vulnerability, which achieves the purpose of intercepting the attack.
Referring to fig. 1, a block diagram of a service masquerading system according to an embodiment of the present application, the service masquerading system 100 may include one or more clients 101 and a server 102. The client 101 and the server 102 may first perform a handshake process that depends on the lower layers, for example the Transmission Control Protocol (TCP) or Transport Layer Security (TLS) handshake; in that handshake there is no obvious difference between a normal client (a client that interacts normally with the server) and an abnormal client (a hacker's client, or a client that is suspicious in some respect).
Subsequently, the client 101 performs an application-layer handshake process with the server 102 (for convenience of description, the handshake processes referred to from here on are all this application-layer handshake, where the application layer is that of the TCP/IP layered model, or broadly the session, presentation and application layers of the OSI layered model). The server returns a response message (the message the port service returns after processing the requested service) after first receiving a request message (a message the port service receives at its port), and every stage of this request and response is carried out by the server before the port service itself performs any processing. In the application-layer handshake, the server 102 interacts with the client 101 through the masquerading service instead of the real service, so an abnormal client cannot determine the real service in the server 102 and only acquires information about the masquerading service.
A service is a program that runs on the computer, can process external programs or information accordingly, and lets other programs or computers that did not originally run it interact with it. The real service in the server 102 is the service that can actually be provided while the server 102 interacts with the client 101. The masquerading service is the means by which the server 102 uses false fingerprint information (a fingerprint being the port service's response to the first request message) to induce the other side to misjudge the real service, so that an abnormal client is prevented from attacking the real service directly.
In the application-layer handshake, once the masquerading service judges that a client is a normal client, it can forward the corresponding request message to the real service so that the normal client interacts normally with the real service; once it judges that a client is not a normal client, it returns to the client 101 a response message defined by the masquerading service, so that the abnormal client cannot acquire information about the real service, which achieves the purpose of intercepting the abnormal client's attack.
Based on the service masquerading system, an embodiment of the present application further provides a service masquerading method, please refer to fig. 2, and fig. 2 is a flowchart of the service masquerading method provided by the embodiment of the present application. In the service masquerading method, the following steps may be included:
step S201: the server performs a handshake process of establishing a connection with the client through the masquerading service.
Step S202: after the connection with the client is established, the server receives a request message for requesting service, which is sent by the client, through the disguise service.
Step S203: the server judges whether the request message conforms to the reliable request rule.
Step S204: and if the request message does not accord with the reliable request rule, the server returns a response message defined by the masquerading service to the client through the masquerading service.
Specifically, the client and the server may first perform a handshake process depending on the bottom layer, for example: TCP, TLS, etc. Subsequently, in the handshake process of the port service, in order to prevent the abnormal client from successfully attacking the real service through blind test attack (which means that a hacker directly sends an attack instruction without determining the service of the target host), the server may handshake with the client through the masquerading service. In the process, the server can firstly receive a request message sent by the client through the disguise service, and then judge whether the request message accords with the reliable request rule. It should be noted that, in the embodiment of the present application, the main body of the determination request packet is not specifically limited, and may be a real service or a masquerading service, or may be another module in the server, and those skilled in the art may appropriately adjust the main body according to actual situations. The process of determining whether the request message conforms to the reliable request rule will be described in detail in the following embodiments.
If the server judges that the request message does not accord with the reliable request rule through the disguise service, the client sending the request message can be considered as an abnormal client, so that the client cannot interact with the real service, and a response message defined by the disguise service can be returned to the abnormal client. Under the condition, the abnormal client can only acquire the related information of the disguised service, so that the abnormal client cannot attack the vulnerability of the real service, the purpose of disguising and misleading the hacker attack from the host scanning stage is realized, and the attack of the hacker is successfully intercepted.
If the server judges that the request message conforms to the reliable request rule through the disguise service, the client sending the request message can be considered as a normal client, and the client can be served with a real service. In this case, after step S202, the service masquerading method provided in the embodiment of the present application may further include the following steps:
firstly, if the request message accords with the reliable request rule, the server forwards the request message to a real service through a camouflage service.
And secondly, the server forwards the response message of the real service to the client through the disguise service.
In the embodiment of the application, for hacker attack, disguise misleading can be carried out from the stage of scanning the target host by a hacker, and if the server judges that an abnormal client requests service from the server through disguise service, a response message defined by the disguise service can be returned to the abnormal client, so that the hacker cannot determine the real service of the host through the abnormal client, and cannot attack the host by using a known vulnerability, and the accuracy rate of intercepting the attack is improved. Correspondingly, if the server judges that the client performing the handshake process with the server is the normal client through the masquerading service, the request message sent by the normal client can be forwarded to the real service, so that the normal client can perform subsequent interaction with the real service.
Further, in the service masquerading method provided in the embodiment of the present application, there are several ways to determine whether the request message conforms to the reliable request rule, described in detail below by way of example.
In the first case, the request message is constructed as a real service request message. In this case, step S203 may include the following step:
The server determines whether the characteristics of the request message match the characteristics of the real service; if so, the request message conforms to the reliable request rule, otherwise it does not.
In this case the normal client already knows the specifics of the real service before interacting with it, so the request message it sends to the server is constructed as a real service request message. When the masquerading service determines that the characteristics carried in the client's request message match those of the real service, it forwards the request message to the real service so that the client can interact with it. Correspondingly, when the characteristics do not match those of the real service, or the request message carries no characteristics at all (for example, an empty packet), the masquerading service returns a response message defined by the masquerading service, so the client cannot interact with the real service.
Referring to fig. 3, fig. 3 is a schematic diagram of a normal interaction process between a client and a server according to an embodiment of the present application, where the interaction process may include the following steps:
step S301: the server performs a handshake process of establishing connection with the normal client through the masquerading service.
Step S302: the server receives a request message for requesting service, which is sent by a normal client, through the disguised service.
Step S303: the server judges whether the characteristics of the request message are matched with the characteristics of the real service.
Step S304: and if the request message conforms to the reliable request rule, the server forwards the request message to the real service through the disguised service.
Step S305: the server forwards the response message of the real service to the normal client through the disguise service.
Correspondingly, referring to fig. 4, fig. 4 is a schematic diagram of an abnormal client and server interaction process provided in an embodiment of the present application, where the interaction process may include the following steps:
step S401: the server performs a handshake process of establishing connection with the abnormal client through the masquerading service.
Step S402: the server receives, through the masquerading service, the request message for requesting service sent by the abnormal client.
Step S403: the server judges whether the characteristics of the request message are matched with the characteristics of the real service.
Step S404: and if the request message does not accord with the reliable request rule, the server returns a response message defined by the masquerading service to the abnormal client through the masquerading service.
It should be noted that when the masquerading service finds that the characteristics carried in the request message match those of the real service, the client is very likely a reliable normal client, but it may still be a hacker client whose blind-trial attack happens to conform to the reliable request rule. When the characteristics do not match those of the real service, or the request message carries no characteristics, the client is very likely an unreliable hacker client, but it may still be a normal client; for example, a normal client that sends an empty packet is mistaken by the masquerading service for a hacker client.
Therefore, during the process in which the client requests service from the server, if the characteristics of the request message received by the masquerading service match those of the request message corresponding to the real service, the current client is taken to be a normal client and subsequent interaction is carried out with it through the real service. This approach has little effect on the real service, but it has two limitations: a real service request message that carries no characteristic value cannot be judged and is intercepted even when it comes from a normal client, and a hacker's blind-trial request that happens to conform to the real service is forwarded to the real service rather than intercepted.
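The interaction of steps S301 to S305 and S401 to S404 under the first-case rule, as an added example in Python that is not part of the patent or the applicant's code. It assumes a toy real service whose requests begin with the bytes "HELLO " (standing in for the real service's characteristics), a decoy banner as the response message defined by the masquerading service, and loopback TCP on ephemeral ports; all three are constructed for this example.

```python
"""Masquerading front-end (added example, not the patent's own code).

The masquerading service listens on the public port, completes the TCP
handshake with every client (S301/S401), reads the first request message
(S302/S402) and applies the first-case rule (S303/S403). A request whose
characteristics match the real service is forwarded to the real service
and the real service's response is relayed back (S304/S305); anything
else, including an empty packet, receives the decoy response defined
here and the connection is closed (S404).
"""
import socket
import threading

REAL_FEATURE = b"HELLO "                  # assumed characteristic of the real service
DECOY_RESPONSE = b"220 decoy service ready\r\n"   # response defined by the masquerade
MAX_REQUEST = 4096
READ_TIMEOUT = 2.0


def matches_real_service(request: bytes) -> bool:
    """First-case rule: does the request carry the real service's characteristics?
    An empty packet carries none and therefore fails the rule."""
    return request.startswith(REAL_FEATURE)


def _serve(listener: socket.socket, handler) -> None:
    while True:
        conn, _ = listener.accept()
        threading.Thread(target=handler, args=(conn,), daemon=True).start()


def _listen(handler) -> int:
    """Bind an ephemeral loopback port, serve it on a daemon thread, return the port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(16)
    threading.Thread(target=_serve, args=(listener, handler), daemon=True).start()
    return listener.getsockname()[1]


def start_real_service() -> int:
    """Toy real service (constructed): answers one request and closes."""
    def handle(conn: socket.socket) -> None:
        with conn:
            conn.settimeout(READ_TIMEOUT)
            req = conn.recv(MAX_REQUEST)
            conn.sendall(b"REAL:" + req)
    return _listen(handle)


def start_masquerade(real_port: int, rule=matches_real_service) -> int:
    """Masquerading service placed in front of the real service on real_port."""
    def handle(conn: socket.socket) -> None:
        with conn:
            conn.settimeout(READ_TIMEOUT)
            try:
                req = conn.recv(MAX_REQUEST)          # S302 / S402
            except socket.timeout:
                req = b""                             # silent client: no characteristics
            if not rule(req):                         # S303 / S403
                conn.sendall(DECOY_RESPONSE)          # S404: decoy, real service never touched
                return
            with socket.create_connection(("127.0.0.1", real_port),
                                          timeout=READ_TIMEOUT) as real:
                real.sendall(req)                     # S304: forward to the real service
                while True:
                    chunk = real.recv(MAX_REQUEST)
                    if not chunk:
                        break
                    conn.sendall(chunk)               # S305: relay the real response
    return _listen(handle)


def send_request(port: int, payload: bytes) -> bytes:
    """Client side: connect (handshake), send one request, collect the whole reply."""
    with socket.create_connection(("127.0.0.1", port), timeout=READ_TIMEOUT) as s:
        if payload:
            s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        parts = []
        while True:
            chunk = s.recv(MAX_REQUEST)
            if not chunk:
                break
            parts.append(chunk)
    return b"".join(parts)


if __name__ == "__main__":
    real = start_real_service()
    front = start_masquerade(real)
    print(send_request(front, b"HELLO alice"))          # forwarded to the real service
    print(send_request(front, b"SSH-2.0-scanner\r\n"))  # scanner probe: decoy banner
    print(send_request(front, b""))                     # empty packet: decoy banner
```

The scanner sees only the decoy banner, so it fingerprints the wrong service; the empty-packet case shows the first limitation noted above, since a normal client that sends nothing is also answered with the decoy.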
In the second case, the request packet carries a feature related to the masquerading service, in this case, step S203 may include the following steps:
the server judges whether the request message carries the predefined characteristics, if so, the request message accords with the reliable request rule, otherwise, the request message does not accord with the reliable request rule.
In this case, before step S202, the service masquerading method in the embodiment of the present application may further include the steps of:
the server sends the predefined characteristics to the normal client.
The predefined characteristic may be key information generated by the server, a characteristic entered manually, and the like; this is not specifically limited in the embodiment of the present application and can be chosen by a person skilled in the art according to the actual situation.
The normal client is allocated the predefined characteristic of the masquerading service before interacting with the real service, so the request message it sends to the masquerading service carries a characteristic related to the masquerading service. When the masquerading service determines that the request message sent by the client carries the predefined characteristic, it forwards the request message to the real service so that the client can interact with it. Correspondingly, when the request message does not carry the predefined characteristic, the masquerading service returns a response message defined by the masquerading service, so the client cannot interact with the real service.
In this case the interaction process between the normal client and the server is similar to that of the first case, and those skilled in the art will understand it from the description above, so it is not repeated here.
It should be noted that when the masquerading service determines that the request message does not carry the predefined characteristic, the client is very likely an unreliable hacker client, but it may still be a normal client. For example, when the request message of the service has no room for a characteristic, so that a key cannot be embedded in it, no determination can be made and the masquerading service may mistake a normal client for a hacker client.
Therefore, during the process in which the client requests service from the server, if the request message received by the masquerading service carries the predefined characteristic, the current client is taken to be a normal client and subsequent interaction is carried out with it through the real service. This approach can defend against blind-trial attacks, but when the request message has no characteristics and a key cannot be embedded in it, no determination can be made.
In a third case, the request packet carries a feature related to a predefined service, in this case, step S203 may include the following steps:
the server judges whether the characteristics of the request message are matched with the characteristics of the predefined service, if so, the request message conforms to the reliable request rule, otherwise, the request message does not conform to the reliable request rule.
In this case, before step S201, the service masquerading method in the embodiment of the present application may further include the steps of:
the characteristics of the predefined service are sent to the normal client.
As an implementation manner, before sending the feature of the predefined service to the normal client, the service masquerading method in the embodiment of the present application may further include the following steps:
the first step is to receive client data sent by a client and send server data to the client.
In a second step, predefined services are determined from the client data and the server data.
The predefined service may be one determined through the steps above, one defined manually, and the like; this is not specifically limited in the embodiment of the present application and can be chosen by a person skilled in the art according to the actual situation.
The normal client is sent the characteristics of the predefined service before interacting with the real service, so the request message it sends to the masquerading service carries characteristics related to the predefined service. When the masquerading service determines that the characteristics of the request message match those of the predefined service, it forwards the request message to the real service so that the client can interact with it. Correspondingly, when the characteristics do not match those of the predefined service, the masquerading service returns a response message defined by the masquerading service, so the client cannot interact with the real service.
In this case the interaction process between the normal client and the server is similar to that of the first case, and those skilled in the art will understand it from the description above, so it is not repeated here.
Therefore, during the process in which the client requests service from the server, if the characteristics of the request message received by the masquerading service match those of the request message corresponding to the predefined service, the current client is taken to be a normal client and subsequent interaction is carried out with it through the real service. This approach can defend against blind-trial attacks and also against exhaustive attempts at the key or characteristic.
Further, the three ways of determining whether the request message conforms to the reliable request rule are only examples given in the embodiment of the present application; other implementations are possible, and those skilled in the art may adjust them according to the actual situation, which is not specifically limited in the present application. In addition, each of the three ways can be used as the reliable request rule on its own, or two or all three of them can be combined. For example, the server may, through the masquerading service, simultaneously determine whether the characteristics of the client's request message match those of the real service, whether the request message carries the predefined characteristic, and whether the characteristics of the request message match those of the predefined service; as long as one of the three conditions is met the client is regarded as a normal client, and the server forwards the request message sent by the client to the real service, further improving the accuracy of intercepting attacks.
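The pre-steps and rules of the second and third cases, together with the combination described in the paragraph above, as an added example in Python that is not the patent's own code. Its assumptions, none of which come from the page: the predefined characteristic is a random key the server issues to the normal client out of band, carried by the client in an "X-Feature:" line of the request; the predefined service is determined from the client data received and the server data sent by an HMAC keyed with a secret held only by the server, and its characteristic is a tag the request must begin with; the "HELLO " prefix stands in for the real service's characteristics.

```python
"""Reliable-request rules of the second and third cases, plus their combination.

Added example, not the patent's code. The key issued in the second case
and the tag derived in the third case are both assumptions made here for
illustration. Because the tag is derived from fresh server data on every
exchange, a key or tag captured earlier, or guessed exhaustively, does
not conform on a later connection.
"""
import hashlib
import hmac
import secrets
from typing import Optional

REAL_FEATURE = b"HELLO "                  # assumed characteristic of the real service (first case)
SERVER_SECRET = secrets.token_bytes(32)   # secret held only by the server (assumption)
FEATURE_HEADER = b"X-Feature: "           # assumed carrier of the predefined characteristic


def issue_predefined_feature() -> bytes:
    """Second case, pre-step: the server generates key information for the normal client."""
    return secrets.token_hex(16).encode()


def carries_predefined_feature(request: bytes, feature: bytes) -> bool:
    """Second case: does the request carry the issued key? Compared in constant time."""
    for line in request.split(b"\r\n"):
        if line.startswith(FEATURE_HEADER):
            return hmac.compare_digest(line[len(FEATURE_HEADER):], feature)
    return False


def determine_predefined_service(client_data: bytes, server_data: bytes) -> bytes:
    """Third case, pre-step: derive the predefined service's characteristic (a request tag)
    from the client data received and the server data sent."""
    mac = hmac.new(SERVER_SECRET, client_data + b"|" + server_data, hashlib.sha256)
    return mac.hexdigest()[:16].encode()


def negotiate_predefined_service(client_data: bytes):
    """Server side of the exchange: receive client data, produce server data, determine
    the service. Returns (server_data, tag); server_data goes back to the client and the
    tag is sent to the normal client as the predefined service's characteristic."""
    server_data = secrets.token_bytes(16)
    return server_data, determine_predefined_service(client_data, server_data)


def matches_predefined_service(request: bytes, tag: bytes) -> bool:
    """Third case: the request must begin with the negotiated tag followed by a space."""
    prefix, sep = request[: len(tag)], request[len(tag): len(tag) + 1]
    return sep == b" " and hmac.compare_digest(prefix, tag)


class ReliableRequestRules:
    """Combination of the three rules. The text admits a client when any one rule
    passes; require_all=True instead demands every configured rule."""

    def __init__(self, feature: Optional[bytes] = None, tag: Optional[bytes] = None,
                 require_all: bool = False):
        self.feature, self.tag, self.require_all = feature, tag, require_all

    def conforms(self, request: bytes) -> bool:
        checks = [request.startswith(REAL_FEATURE)]                       # first case
        if self.feature is not None:
            checks.append(carries_predefined_feature(request, self.feature))  # second case
        if self.tag is not None:
            checks.append(matches_predefined_service(request, self.tag))      # third case
        return all(checks) if self.require_all else any(checks)


if __name__ == "__main__":
    key = issue_predefined_feature()                       # handed to the normal client
    server_data, tag = negotiate_predefined_service(b"client-nonce")
    rules = ReliableRequestRules(feature=key, tag=tag)
    print(rules.conforms(b"GET /\r\n" + FEATURE_HEADER + key + b"\r\n"))   # carries the key
    print(rules.conforms(tag + b" LIST"))                                 # negotiated tag
    print(rules.conforms(b"SSH-2.0-scanner\r\n"))                         # scanner: rejected
```

Combining the rules so that any one of them admits the client, as the text describes, accepts everything the first rule accepts, so a blind-trial request that happens to match the real service still reaches it (the limitation already noted for the first case). Setting require_all=True demands the issued key or the negotiated tag as well, which closes that gap at the cost of rejecting clients whose request messages cannot carry them.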
Referring to fig. 5, fig. 5 is a block diagram of a service disguising apparatus according to an embodiment of the present application, where the service disguising apparatus 500 is applied to a server, and includes: a handshake module 501, configured to perform a handshake process of establishing a connection with a client through a masquerading service; a first receiving module 502, configured to receive, through the masquerading service, a request packet for requesting a service, where the request packet is sent by the client after establishing connection with the client; a judging module 503, configured to judge whether the request packet conforms to a reliable request rule; a returning module 504, configured to return, to the client through the masquerading service, a response packet defined by the masquerading service if the request packet does not conform to the reliable request rule.
In the embodiment of the application, for hacker attack, disguise misleading can be carried out from the stage of scanning the target host by a hacker, and if the server judges that an abnormal client requests service from the server through disguise service, a response message defined by the disguise service can be returned to the abnormal client, so that the hacker cannot determine the real service of the host through the abnormal client, and cannot attack the host by using a known vulnerability, and the accuracy rate of intercepting the attack is improved.
Further, the service disguising apparatus 500 further includes: the first forwarding module is used for forwarding the request message to a real service through the disguised service if the request message conforms to the reliable request rule; and the second forwarding module is used for forwarding the response message of the real service to the client through the disguised service.
In the embodiment of the application, if the server, through the masquerading service, determines that the client requesting service is a normal client, the request message sent by the normal client is forwarded to the real service, so the normal client can carry out subsequent interaction with the real service.
Further, the request message is constructed as a real service request message; the determining module 503 is further configured to: determine whether the characteristics of the request message match the characteristics of the real service, and if so, determine that the request message conforms to the reliable request rule, otherwise determine that it does not.
In the embodiment of the application, in the process that the client requests the server for service, if the characteristics of the request message received by the disguise service are matched with the characteristics of the request message corresponding to the real service, the current client is a normal client, and the subsequent interaction can be performed on the client through the real service.
Further, the request packet carries a feature related to the masquerading service; the determining module 503 is further configured to: and judging whether the request message carries a predefined characteristic or not through the camouflage service.
In the embodiment of the application, in the process in which the client requests service from the server, if the request message received by the masquerading service carries the predefined characteristic, the current client is a normal client, and subsequent interaction can be carried out with it through the real service.
Further, the service disguising apparatus 500 further includes: and the configuration module is used for distributing the predefined characteristics to the normal client.
In the embodiment of the application, before the client requests service from the server, the server may allocate the predefined characteristic to the normal client, so that whether a client is a normal client can be determined by whether the request message it sends carries the allocated predefined characteristic, and attacks can be intercepted.
Further, the request packet carries a feature related to a predefined service; the determining module 503 is further configured to: and judging whether the characteristics of the request message are matched with the characteristics of the predefined service, if so, determining that the request message conforms to the reliable request rule, otherwise, determining that the request message does not conform to the reliable request rule.
In the embodiment of the application, in the process that the client requests the server for the service, if the characteristics of the request message received by the disguised service are matched with the characteristics of the request message corresponding to the predefined service, the current client is a normal client, and the subsequent interaction can be performed on the client through the real service.
Further, the service disguising apparatus 500 further includes: and the second sending module is used for sending the characteristics of the predefined service to the normal client.
In the embodiment of the application, before the client requests service from the server, the server can send the characteristics of the predefined service to the normal client, so that whether a client is a normal client can be determined by whether the characteristics of the request message it sends match those of the predefined service, and attacks can be intercepted.
Further, the service disguising apparatus 500 further includes: the second receiving module is used for receiving the client data sent by the client and sending the server data to the client; a determining module for determining the predefined service based on the client data and the server data.
In the embodiment of the application, the server can determine the predefined service according to the client data and the server data, so that whether the client is a normal client can be judged according to whether the characteristics of the request message sent by the client are matched with the characteristics of the predefined service, and the attack can be intercepted.
Referring to fig. 6, fig. 6 is a block diagram of an electronic device according to an embodiment of the present disclosure, where the electronic device includes: at least one processor 601, at least one communication interface 602, at least one memory 603, and at least one communication bus 604. Wherein the communication bus 604 is used for implementing direct connection communication of these components, the communication interface 602 is used for communicating signaling or data with other node devices, and the memory 603 stores machine-readable instructions executable by the processor 601. When the electronic device is in operation, the processor 601 communicates with the memory 603 via the communication bus 604, and the machine-readable instructions, when called by the processor 601, perform the service masquerading method described above.
For example, the processor 601 of the embodiment of the present application may implement the following method by reading the computer program from the memory 603 through the communication bus 604 and executing it: Step S201: the server performs a handshake process of establishing a connection with the client through the masquerading service. Step S202: after the connection with the client is established, the server receives, through the masquerading service, the request message for requesting service sent by the client. Step S203: the server determines, through the masquerading service, whether the request message conforms to the reliable request rule. Step S204: if the request message does not conform to the reliable request rule, the server returns a response message defined by the masquerading service to the client through the masquerading service.
The processor 601 may be an integrated circuit chip having signal processing capabilities. The processor 601 may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; but also Digital Signal Processors (DSPs), Application Specific Integrated Circuits (ASICs), Field-Programmable Gate arrays (FPGAs) or other Programmable logic devices, discrete Gate or transistor logic devices, discrete hardware components. Which may implement or perform the various methods, steps, and logic blocks disclosed in the embodiments of the present application. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
The memory 603 may include, but is not limited to, Random Access Memory (RAM), Read Only Memory (ROM), Programmable Read Only Memory (PROM), Erasable Programmable Read Only Memory (EPROM), Electrically Erasable Programmable Read Only Memory (EEPROM), and the like.
It will be appreciated that the configuration shown in fig. 6 is merely illustrative and that the electronic device may include more or fewer components than shown in fig. 6 or have a different configuration than shown in fig. 6. The components shown in fig. 6 may be implemented in hardware, software, or a combination thereof. In this embodiment, the electronic device may be, but is not limited to, an entity device such as a desktop, a notebook computer, a smart phone, an intelligent wearable device, and a vehicle-mounted device, and may also be a virtual device such as a virtual machine. In addition, the electronic device is not necessarily a single device, but may also be a combination of multiple devices, such as a server cluster, and the like. In the embodiment of the present application, the server in the service masquerading method may be implemented by using the electronic device shown in fig. 6.
Embodiments of the present application further provide a computer program product comprising a computer program stored on a non-transitory computer readable storage medium, the computer program comprising program instructions, which when executed by a computer, the computer is capable of performing the steps of the service disguising method in the above embodiments, for example, including: a handshake process of establishing connection with the client through the disguise service; after the connection with the client is established, receiving a request message for requesting service, which is sent by the client, through the camouflage service; judging whether the request message accords with a reliable request rule or not; and if the request message does not accord with the reliable request rule, returning a response message defined by the masquerading service to the client through the masquerading service.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions when actually implemented, and for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be in an electrical, mechanical or other form.
In addition, units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
Furthermore, the functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
In this document, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (10)

1. A service masquerading method is applied to a server and comprises the following steps:
a handshake process of establishing connection with the client through the disguise service;
after the connection with the client is established, receiving a request message for requesting service, which is sent by the client, through the camouflage service;
judging whether the request message accords with a reliable request rule or not;
and if the request message does not accord with the reliable request rule, returning a response message defined by the masquerading service to the client through the masquerading service.
2. The service masquerading method as claimed in claim 1, wherein after said determining whether the request packet complies with a reliable request rule, the service masquerading method further comprises:
if the request message conforms to the reliable request rule, forwarding the request message to a real service through the camouflage service;
and forwarding the response message of the real service to the client through the disguise service.
3. The service masquerading method of claim 1, wherein the request message is constructed as a real service request message;
the judging whether the request message conforms to the reliable request rule includes:
and judging whether the characteristics of the request message are matched with the characteristics of the real service, if so, determining that the request message conforms to the reliable request rule, otherwise, determining that the request message does not conform to the reliable request rule.
4. The service masquerading method of claim 1, wherein the request packet carries features related to the masquerading service;
the judging whether the request message conforms to the reliable request rule includes:
and judging whether the request message carries predefined characteristics, if so, the request message conforms to the reliable request rule, otherwise, the request message does not conform to the reliable request rule.
5. The service masquerading method of claim 4, wherein before the receiving, by the masquerading service, the request packet for requesting a service sent by the client, the service masquerading method further comprises:
and sending the predefined characteristics to a normal client.
6. The service masquerading method of claim 1, wherein the request packet carries features related to a predefined service;
the judging whether the request message conforms to the reliable request rule includes:
and judging whether the characteristics of the request message are matched with the characteristics of the predefined service, if so, determining that the request message conforms to the reliable request rule, otherwise, determining that the request message does not conform to the reliable request rule.
7. The service masquerading method of claim 6, wherein before the receiving, by the masquerading service, the request packet for requesting a service sent by the client, the service masquerading method further comprises:
sending the characteristics of the predefined service to a normal client.
8. The service masquerading method of claim 7, wherein prior to the sending the characteristics of the predefined service to a normal client, the service masquerading method further comprises:
receiving client data sent by the client and sending server data to the client;
determining the predefined service based on the client data and the server data.
9. A service disguising device, applied to a server, comprising:
the handshake module is used for establishing a handshake process of connection with the client through the disguise service;
the first receiving module is used for receiving a request message for requesting service, which is sent by the client, through the camouflage service after the connection with the client is established;
the judging module is used for judging whether the request message accords with a reliable request rule or not;
and the return module is used for returning a response message defined by the masquerading service to the client through the masquerading service if the request message does not accord with the reliable request rule.
10. A non-transitory computer-readable storage medium storing computer instructions which, when executed by a computer, cause the computer to perform the service disguising method as recited in any one of claims 1-8.
CN201911402159.5A 2019-12-30 2019-12-30 Service disguising method and device Pending CN111131293A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911402159.5A CN111131293A (en) 2019-12-30 2019-12-30 Service disguising method and device

Publications (1)

Publication Number Publication Date
CN111131293A true CN111131293A (en) 2020-05-08

Family

ID=70505866

Country Status (1)

Country Link
CN (1) CN111131293A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170078328A1 (en) * 2015-09-10 2017-03-16 Openwave Mobility Inc. Intermediate network entity
CN107070929A (en) * 2017-04-20 2017-08-18 中国电子技术标准化研究院 A kind of industry control network honey pot system
CN107332823A (en) * 2017-06-06 2017-11-07 北京明朝万达科技股份有限公司 A kind of server camouflage method and system based on machine learning
CN109413046A (en) * 2018-09-29 2019-03-01 深圳开源互联网安全技术有限公司 A kind of network protection method, system and terminal device

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170078328A1 (en) * 2015-09-10 2017-03-16 Openwave Mobility Inc. Intermediate network entity
CN107070929A (en) * 2017-04-20 2017-08-18 中国电子技术标准化研究院 A kind of industry control network honey pot system
CN107332823A (en) * 2017-06-06 2017-11-07 北京明朝万达科技股份有限公司 A kind of server camouflage method and system based on machine learning
CN109413046A (en) * 2018-09-29 2019-03-01 深圳开源互联网安全技术有限公司 A kind of network protection method, system and terminal device

Similar Documents

Publication Publication Date Title
CN110445770B (en) Network attack source positioning and protecting method, electronic equipment and computer storage medium
US11082436B1 (en) System and method for offloading packet processing and static analysis operations
CN109302426B (en) Unknown vulnerability attack detection method, device, equipment and storage medium
CN104052734B (en) Attack detection and prevention using global device fingerprint identification
CN105430011B (en) Method and apparatus for detecting distributed denial of service attacks
US11671402B2 (en) Service resource scheduling method and apparatus
EP2136526A1 (en) Method, device for identifying service flows and method, system for protecting against a denial of service attack
CN110855709A (en) Access control method, device, equipment and medium for security access gateway
CN114095258B (en) Attack defense method, attack defense device, electronic equipment and storage medium
CN104796406A (en) Method and device for identifying application
CN111314328A (en) Network attack protection method and device, storage medium and electronic equipment
JP7462757B2 (en) Network security protection method and protection device
US10237287B1 (en) System and method for detecting a malicious activity in a computing environment
CN114726579B (en) Method, device, equipment, storage medium and program product for defending network attack
CN111131293A (en) Service disguising method and device
CN113783892B (en) Reflection attack detection method, system, device and computer readable storage medium
CN115883170A (en) Network flow data monitoring and analyzing method and device, electronic equipment and storage medium
KR101041997B1 (en) System for counterplaning web firewall using conative detection/interception and method therefor
CN111064731B (en) Identification method and identification device for access authority of browser request and terminal
CN112532617B (en) Detection method, device, equipment and medium for HTTP Flood attack
CN113328976B (en) Security threat event identification method, device and equipment
CN114629691A (en) Data processing method, device and storage medium
KR102046612B1 (en) The system for defending dns amplification attacks in software-defined networks and the method thereof
CN113206852A (en) Safety protection method, device, equipment and storage medium
CN113726799B (en) Processing method, device, system and equipment for application layer attack

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 2020-05-08