CN111327588A - Network access security detection method, system, terminal and readable storage medium - Google Patents


Publication number
CN111327588A
Authority
CN
China
Prior art keywords
detecting
access
external access
login
detection logic
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010046394.XA
Other languages
Chinese (zh)
Inventor
刘海涛
万振华
王颉
李华
董燕
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Kaiyuan Internet Security Technology Co Ltd
Original Assignee
Shenzhen Kaiyuan Internet Security Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shenzhen Kaiyuan Internet Security Technology Co Ltd
Priority to CN202010046394.XA
Publication of CN111327588A

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection
    • H04L63/12: Applying verification of the received information

Abstract

The application provides a network access security detection method, system, terminal and readable storage medium. The network access security detection method comprises the following steps: instrumenting external access request detection logic; responding to an external access event; and detecting the external access event and operating according to the access request detection logic. In the embodiment of the invention, the external access request detection logic is inserted using IAST technology without damaging the original logic of the target program; the request, the code data flow, the code control flow and the like are acquired through the instrumentation points, and whether a security threat exists is judged by comprehensive analysis of the request, the code, the data flow and the control flow. Because the instrumentation points start together with the server, no additional equipment or operation is needed, the existing development process is not affected, and the requirements of rapid iteration and rapid delivery of software products under agile development and DevOps are met.

Description

Network access security detection method, system, terminal and readable storage medium
Technical Field
The invention belongs to the technical field of network security detection, and particularly relates to a network access security detection method, a network access security detection system, a network access security detection terminal and a readable storage medium.
Background
The server side of a website is the control platform for managing website content and is responsible for operations such as adding, deleting, modifying and querying website information. Because the server side has such rich functionality, it is often cracked and maliciously attacked by lawbreakers.
Judging whether a login request to the server side poses a threat by inspecting specific service code is strongly coupled to that code and lacks generality. To address this, existing approaches mainly proxy the request traffic or acquire it through network mirroring, and then analyze whether the login request poses a threat.
However, the prior art has the following problems. When a network proxy is deployed, a request leaves the browser, passes through routing, reaches the network proxy layer and only then reaches the server-side interface; the proxy layer increases the number of hops for the request and may cause problems such as network instability. When network mirroring is deployed, additional switch ports are occupied and the switch configuration has to be modified, so deployment is difficult.
Summary of the Application
The technical problem to be solved by the present application is to provide a network access security detection method, system, terminal and readable storage medium, aiming to solve the problems that existing detection methods either require deploying a network proxy, which destabilizes the network, or require deploying network mirroring, which occupies extra switch ports and requires modifying the switch configuration.
To solve the above technical problem, the present application is implemented as follows. A network access security detection method includes the following steps:
instrumenting external access request detection logic;
responding to an external access event;
and detecting the external access event and operating according to the access request detection logic.
Further, the detecting the external access event and operating according to the access request detection logic includes:
detecting whether the login is successful;
if not, acquiring the number of login failures;
and if the number of login failures is greater than or equal to a preset first count threshold, issuing an early warning.
Further, the detecting the external access event and operating according to the access request detection logic further includes:
detecting the length of time between the current login failure and the previous login failure, and if that length of time is greater than or equal to a preset time threshold, deleting the login failure count accumulated before the current login failure and accumulating the login failure count again.
Further, the detecting the external access event and operating according to the access request detection logic includes:
detecting whether the login is successful;
if so, extracting the access information and detecting the access information.
Further, the access information includes a password, and the detecting the external access event and operating according to the access request detection logic includes:
detecting whether the strength of the login password meets a preset strong password rule;
if not, issuing an early warning.
Further, the access information includes an IP address and/or a browser type, and the detecting the external access event and operating according to the access request detection logic includes:
detecting whether the IP address and/or the browser type is a pre-stored common IP address and/or common browser type;
if not, detecting the historical number of successful logins for the IP address and/or the browser type, and if that number is less than a preset second count threshold, issuing an early warning.
Further, the detecting the external access event and operating according to the access request detection logic further includes:
if the historical number of successful logins is greater than or equal to the preset second count threshold, adding the IP address and/or the browser type to the database of common IP addresses and/or common browser types.
A network access security detection system, comprising:
an instrumentation module for instrumenting external access request detection logic;
a response module for receiving and responding to an external access event;
a detection module for detecting the external access event;
and an execution module for operating according to the access request detection logic.
A terminal comprising a processor and a memory, wherein the processor is configured to execute a computer program stored in the memory to perform the network access security detection method as described above.
A computer-readable storage medium, on which a computer program is stored which, when executed by a processor, implements a network access security detection method as described above.
Compared with the prior art, the application has the following advantages: in the embodiment of the invention, the external access request detection logic is inserted using IAST technology without damaging the original logic of the target program; the request, the code data flow, the code control flow and the like are acquired through the instrumentation points, and whether a security threat exists is judged by comprehensive analysis of the request, the code, the data flow and the control flow. Because the instrumentation points start together with the server, no additional equipment or operation is needed, the existing development process is not affected, and the requirements of rapid iteration and rapid delivery of software products under agile development and DevOps are met.
Drawings
Fig. 1 is a schematic flow chart illustrating an implementation process of a network access security detection method according to an embodiment of the present invention.
Fig. 2 is a schematic flow chart illustrating an implementation of another network access security detection method according to an embodiment of the present invention.
Fig. 3 is a schematic flow chart illustrating an implementation of another network access security detection method according to an embodiment of the present invention.
Fig. 4 is a schematic structural diagram of a network access security detection system according to an embodiment of the present invention.
Fig. 5 is a schematic structural diagram of a terminal for network access security detection according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is further described in detail with reference to the following embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
Fig. 1 is a schematic flow chart illustrating an implementation of a network access security detection method according to a first embodiment of the present invention. The network access security detection method provided by this embodiment is mainly applied to network equipment on the internet, including a network terminal, server equipment or a cloud server. As shown in Fig. 1, the method mainly comprises the following steps:
S101, instrumenting external access request detection logic.
The embodiment of the invention uses Interactive Application Security Testing (IAST) technology to add the corresponding detection logic. Specifically, instrumentation is used: instrumentation points are set in the network protocol stack, that is, a probe (a section of program code) containing the detection logic of the invention is inserted at a specific position while the original logic of the target program is kept intact. The request, the code data flow, the code control flow and the like are obtained through the probe, and whether a security threat exists is judged by comprehensive analysis of the request, the code, the data flow and the control flow. Because the instrumentation points start together with the server, no additional equipment or operation is needed, the existing development process is not affected, and the requirements of rapid iteration and rapid delivery of software products under agile development and DevOps are met.
S102, responding to an external access event.
When an external access event is received, the probe is started to perform detection. The external access event may be a login request or a data access request after login. The embodiment of the invention keeps responding to all external access events and performs dynamic detection.
S103, detecting the external access event and operating according to the access request detection logic.
The probe detects the specific access event and then performs the corresponding processing according to the preset detection logic. For example, for a login event, as shown in the flowchart of Fig. 2, steps S201, S202 and S203 are the same as S101 to S103; specifically, S203 includes the following steps:
S2031, detecting whether the login is successful.
Whether the login succeeded can be judged from the Set-Cookie field of the response to the request. If the login failed, proceed to step S2032; if it succeeded, skip to step S2034.
S2032, if the login fails, acquiring the number of login failures.
S2033, if the number of login failures is greater than or equal to a preset first count threshold, issuing an early warning. The user can customize the threshold for the maximum number of login failures. Generally, after three to five failed logins a user will choose the forgot-password or reset-password option, so a number of attempts exceeding the threshold is likely to indicate a hacker brute-forcing the password; early warning information can be sent to a security administrator or recorded in a database for subsequent observation.
In addition, the length of time between the current login failure and the previous login failure can be detected at the same time; if it is greater than or equal to the preset time threshold, the login failure count accumulated before the current login failure is deleted and the count is accumulated again. Periodically deleting the login count improves the accuracy of the judgment.
S2034, if the login is successful, extracting the access information and detecting the access information.
If the login is successful, access information such as the password, the IP address and the browser type is extracted and then checked. The access information may include, but is not limited to, the following fields:
(1) URL: the fully qualified name of the currently requested resource.
(2) IP: the IP address of the current request.
(3) User-Agent: the browser or proxy information of the current request.
(4) Request Payload: the data sent to the server with the current request.
(5) Referer: the source address of the current request, indicating from where the current web page was linked.
(6) Cookie: the identity information of the current request.
(7) Set-Cookie: the cookie information set by the server.
In the embodiment of the invention, the external access request detection logic is inserted using IAST technology without damaging the original logic of the target program; the request, the code data flow, the code control flow and the like are acquired through the instrumentation points, and whether a security threat exists is judged by comprehensive analysis of the request, the code, the data flow and the control flow. Because the instrumentation points start together with the server, no additional equipment or operation is needed, the existing development process is not affected, and the requirements of rapid iteration and rapid delivery of software products under agile development and DevOps are met.
The detection logic of the present invention is further described below using specific access information.
Taking password information as an example, the detection logic includes: detecting whether the strength of the login password meets a preset strong password rule; if not, issuing an early warning. Password strength refers to how difficult a password is to crack. Generally, passwords consisting purely of digits, purely of letters, or of common strings such as 123456 or admin are weak, low-strength passwords that hackers can easily guess and crack. A password strength rule can therefore be defined in advance, and when the password used by the user does not conform to it, an early warning is issued, for example reminding the user to change the password.
Taking the IP address and/or browser type as an example, the detection logic includes: detecting whether the IP address and/or the browser type is a pre-stored common IP address and/or common browser type; if not, detecting the historical number of successful logins for the IP address and/or the browser type, and if that number is less than a preset second count threshold, issuing an early warning, for example reporting the login request to a security administrator, who determines whether a risk exists and whether the source should be added to the common addresses. If the historical number of successful logins is greater than or equal to the preset second count threshold, the IP address and/or the browser type is added to the database of common IP addresses and/or common browser types.
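The login detection logic of S2031 to S2034, together with the password and IP address/browser checks described above, as an added example that is not part of the patent text. The class name LoginProbe, the threshold values, the strong-password rule, and the choice to key counters per account and per (IP, User-Agent) pair are all assumptions made for illustration.

```python
import time
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed values: the patent only says these thresholds are preset.
FAIL_THRESHOLD = 3        # first count threshold (login failures)
FAIL_IDLE_RESET = 600.0   # time threshold between two failures, in seconds
SUCCESS_THRESHOLD = 3     # second count threshold (historical successes)
COMMON_WEAK = {"123456", "admin", "password"}  # constructed sample list


def is_strong_password(password: str) -> bool:
    """Assumed strong-password rule: at least 8 characters, not purely
    digits or purely letters, and not a well-known common value."""
    if len(password) < 8 or password.lower() in COMMON_WEAK:
        return False
    return not (password.isdigit() or password.isalpha())


@dataclass
class LoginProbe:
    """Hypothetical probe state. Counters are keyed per account and per
    (IP, User-Agent) pair; the patent leaves the keying unspecified."""
    common_sources: set = field(default_factory=set)
    failures: dict = field(default_factory=dict)   # user -> (count, last_ts)
    successes: dict = field(default_factory=lambda: defaultdict(int))
    alerts: list = field(default_factory=list)

    def on_login(self, user, password, ip, user_agent, response_headers, now=None):
        """Called at the instrumentation point once the response is built."""
        now = time.time() if now is None else now
        # S2031: success is judged from the Set-Cookie field of the response.
        succeeded = any(name.lower() == "set-cookie" for name in response_headers)
        if succeeded:
            self._on_success(user, password, ip, user_agent)
        else:
            self._on_failure(user, now)
        return succeeded

    def _on_failure(self, user, now):
        # S2032: fetch the running failure count for this account.
        count, last_ts = self.failures.get(user, (0, None))
        # If the gap since the previous failure reaches the time threshold,
        # drop the earlier failures and start accumulating again.
        if last_ts is not None and now - last_ts >= FAIL_IDLE_RESET:
            count = 0
        count += 1
        self.failures[user] = (count, now)
        # S2033: warn once the count reaches the first count threshold.
        if count >= FAIL_THRESHOLD:
            self.alerts.append(("brute_force_suspected", user, count))

    def _on_success(self, user, password, ip, user_agent):
        # S2034: check the extracted access information.
        # The alert never carries the password itself.
        if not is_strong_password(password):
            self.alerts.append(("weak_password", user))
        source = (ip, user_agent)
        if source in self.common_sources:
            return
        # Historical successes are counted before the current login (assumption).
        previous = self.successes[source]
        self.successes[source] += 1
        if previous < SUCCESS_THRESHOLD:
            self.alerts.append(("unfamiliar_source", user, ip, user_agent))
        else:
            # Enough history: promote the source to the common database.
            self.common_sources.add(source)


if __name__ == "__main__":
    # Constructed sample events: three quick failures, then one success.
    probe = LoginProbe()
    failed = {"Content-Type": "text/html"}
    succeeded = {"Set-Cookie": "SESSIONID=constructed; HttpOnly"}
    for t in (0, 5, 10):
        probe.on_login("alice", "guess", "203.0.113.5", "ExampleUA/1.0", failed, now=t)
    probe.on_login("alice", "123456", "203.0.113.5", "ExampleUA/1.0", succeeded, now=15)
    for alert in probe.alerts:
        print(alert)
```

Applications that also set cookies on failed logins (a CSRF token, for example) need a stricter success test than the mere presence of Set-Cookie, such as matching the session cookie name.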
Based on the above embodiments, the present invention provides a preferred embodiment as shown in Fig. 3, which includes steps 301-309, wherein step 304 goes to steps 3041-3042 if the condition is NO, step 306 goes to step 3061 if the condition is NO, step 307 goes to steps 3017-3072 if the condition is NO, and step 308 goes to steps 3081-3082 if the condition is NO. For the specific logic, refer to the description above; the details are not repeated here.
Fig. 4 is a schematic structural diagram of a network access security detection system according to an embodiment of the present invention. For convenience of explanation, only the portions related to the embodiments of the present invention are shown. The network access security detection system illustrated in Fig. 4 may be the execution subject of the foregoing method embodiments. It mainly includes the instrumentation module 401, the response module 402, the detection module 403 and the execution module 404, and the functional modules are described in detail as follows:
An instrumentation module 401 for instrumenting external access request detection logic.
A response module 402 for receiving and responding to an external access event.
A detection module 403 for detecting the external access event.
An execution module 404 for operating according to the access request detection logic.
It should be noted that, in the embodiment of the network access security detection system illustrated in Fig. 4, the division into functional modules is only an example. In practical applications, the functions may be allocated to different functional modules as needed, for example according to the configuration requirements of the corresponding hardware or the convenience of software implementation; that is, the internal structure of the apparatus is divided into different functional modules to perform all or part of the functions described above. In addition, in practical applications, the functional modules in this embodiment may be implemented by corresponding hardware, or by corresponding hardware executing corresponding software. The principles described above may be applied to the various embodiments provided by this specification. For details not covered in this embodiment, refer to the foregoing description of the embodiments shown in Figs. 1 and 2.
Referring to Fig. 5, Fig. 5 is a schematic structural diagram of a terminal for network access security detection according to an embodiment of the present invention. The terminal described in this embodiment includes: a processor 501, a memory 502, a communications interface 503, and a bus 504.
The processor 501, the memory 502 and the communications interface 503 communicate with one another through the bus 504;
the communications interface 503 is used for the terminal to connect to a wireless communication network;
the processor 501 is configured to call the computer program in the memory 502 to execute the method provided by the foregoing method embodiments, for example including: instrumenting external access request detection logic; responding to an external access event; and detecting the external access event and operating according to the access request detection logic.
It will be understood by those skilled in the art that all or part of the steps of the methods of the foregoing embodiments may be carried out by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium and, when executed, performs one or a combination of the steps of the method embodiments.
The storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disk, etc. Although embodiments of the present invention have been shown and described above, it is understood that the above embodiments are exemplary and should not be construed as limiting the present invention, and that those of ordinary skill in the art can make variations, modifications, substitutions and alterations to the above embodiments within the scope of the present invention.

Claims (10)

1. A network access security detection method, characterized by comprising the following steps:
instrumenting external access request detection logic;
responding to an external access event;
and detecting the external access event and operating according to the access request detection logic.
2. The network access security detection method of claim 1, wherein the detecting the external access event and operating in accordance with the access request detection logic comprises:
detecting whether the login is successful;
if not, acquiring the number of login failures;
and if the number of login failures is greater than or equal to a preset first count threshold, issuing an early warning.
3. The network access security detection method of claim 2, wherein the detecting the external access event and operating in accordance with the access request detection logic further comprises:
detecting the length of time between the current login failure and the previous login failure, and if that length of time is greater than or equal to a preset time threshold, deleting the login failure count accumulated before the current login failure and accumulating the login failure count again.
4. The network access security detection method of claim 1, wherein the detecting the external access event and operating in accordance with the access request detection logic comprises:
detecting whether the login is successful;
if so, extracting the access information and detecting the access information.
5. The network access security detection method of claim 4, wherein the access information comprises a password, and the detecting the external access event and operating in accordance with the access request detection logic comprises:
detecting whether the strength of the login password meets a preset strong password rule;
if not, issuing an early warning.
6. The method of claim 4, wherein the access information comprises an IP address and/or a browser type, and the detecting the external access event and operating according to the access request detection logic comprises:
detecting whether the IP address and/or the browser type is a pre-stored common IP address and/or common browser type;
if not, detecting the historical number of successful logins for the IP address and/or the browser type, and if that number is less than a preset second count threshold, issuing an early warning.
7. The network access security detection method of claim 6, wherein the detecting the external access event and operating in accordance with the access request detection logic further comprises:
if the historical number of successful logins is greater than or equal to the preset second count threshold, adding the IP address and/or the browser type to the database of common IP addresses and/or common browser types.
8. A network access security detection system, comprising:
an instrumentation module for instrumenting external access request detection logic;
a response module for receiving and responding to an external access event;
a detection module for detecting the external access event;
and an execution module for operating according to the access request detection logic.
9. A terminal comprising a processor and a memory, wherein the processor is configured to execute a computer program stored in the memory to perform the network access security detection method of any one of claims 1-8.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the network access security detection method according to any one of claims 1 to 4.
CN202010046394.XA 2020-01-16 2020-01-16 Network access security detection method, system, terminal and readable storage medium Pending CN111327588A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010046394.XA CN111327588A (en) 2020-01-16 2020-01-16 Network access security detection method, system, terminal and readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010046394.XA CN111327588A (en) 2020-01-16 2020-01-16 Network access security detection method, system, terminal and readable storage medium

Publications (1)

Publication Number Publication Date
CN111327588A true CN111327588A (en) 2020-06-23

Family

ID=71172532

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010046394.XA Pending CN111327588A (en) 2020-01-16 2020-01-16 Network access security detection method, system, terminal and readable storage medium

Country Status (1)

Country Link
CN (1) CN111327588A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115051820A (en) * 2022-03-01 2022-09-13 深圳开源互联网安全技术有限公司 Multi-dimensional violence-breaking-preventing method, device, equipment and readable storage medium
CN115086007A (en) * 2022-06-13 2022-09-20 北京融讯智晖技术有限公司 Network safety monitoring system based on video cloud command system
CN115203060A (en) * 2022-09-14 2022-10-18 深圳开源互联网安全技术有限公司 IAST-based security test method and device

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102739653A (en) * 2012-06-06 2012-10-17 奇智软件(北京)有限公司 Detection method and device aiming at webpage address
US20120311712A1 (en) * 2011-06-01 2012-12-06 International Business Machines Corporation Testing web applications for file upload vulnerabilities
CN104363251A (en) * 2014-12-12 2015-02-18 北京奇虎科技有限公司 Website security detecting method and device
CN106682489A (en) * 2015-11-09 2017-05-17 广州市动景计算机科技有限公司 Password security detection method, password security reminding method and corresponding devices
CN108427879A (en) * 2018-03-22 2018-08-21 平安科技(深圳)有限公司 Account safety management method, device, computer equipment and storage medium
CN108628747A (en) * 2018-05-09 2018-10-09 深圳壹账通智能科技有限公司 H5 application testing methods, device, computer equipment and storage medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
LIQIUMAN180688: "一文洞悉DAST、SAST、IAST---Web应用安全测试技术对比浅谈", 《CSDN》 *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115051820A (en) * 2022-03-01 2022-09-13 深圳开源互联网安全技术有限公司 Multi-dimensional violence-breaking-preventing method, device, equipment and readable storage medium
CN115051820B (en) * 2022-03-01 2024-03-22 深圳开源互联网安全技术有限公司 Multi-dimensional anti-violent cracking method, device, equipment and readable storage medium
CN115086007A (en) * 2022-06-13 2022-09-20 北京融讯智晖技术有限公司 Network safety monitoring system based on video cloud command system
CN115086007B (en) * 2022-06-13 2024-03-22 北京融讯智晖技术有限公司 Network security monitoring system based on video cloud command system
CN115203060A (en) * 2022-09-14 2022-10-18 深圳开源互联网安全技术有限公司 IAST-based security test method and device
CN115203060B (en) * 2022-09-14 2022-12-13 深圳开源互联网安全技术有限公司 IAST-based security testing method and device

Similar Documents

Publication Publication Date Title
CN109768992B (en) Webpage malicious scanning processing method and device, terminal device and readable storage medium
CN111327588A (en) Network access security detection method, system, terminal and readable storage medium
CN109586282B (en) Power grid unknown threat detection system and method
CN105808399B (en) Remote debugging method and device
CN112261172B (en) Service addressing access method, device, system, equipment and medium
CN110888838B (en) Request processing method, device, equipment and storage medium based on object storage
CN111447204B (en) Weak password detection method, device, equipment and medium
CN109948334B (en) Vulnerability detection method and system, electronic equipment and storage medium
WO2021027600A1 (en) Single log-in method, apparatus and device, and computer-readable storage medium
CN112703496B (en) Content policy based notification to application users regarding malicious browser plug-ins
CN109669795A (en) Crash info processing method and processing device
CN111404937B (en) Method and device for detecting server vulnerability
CN111858083A (en) Remote service calling method and device, electronic equipment and storage medium
CN110674376A (en) Interface parameter checking method, device, equipment and computer readable storage medium
CN116668079A (en) Network system vulnerability scanning method
CN111556080A (en) Network node monitoring method, device, medium and electronic equipment
CN114465741B (en) Abnormality detection method, abnormality detection device, computer equipment and storage medium
CN113709136B (en) Access request verification method and device
CN115051867B (en) Illegal external connection behavior detection method and device, electronic equipment and medium
CN111314326A (en) Method, device, equipment and medium for confirming HTTP vulnerability scanning host
CN112543186B (en) Network behavior detection method and device, storage medium and electronic equipment
CN114760083B (en) Method, device and storage medium for issuing attack detection file
CN109409090B (en) Website background detection method and device and server
CN114706774A (en) Interface test method, device, equipment and storage medium
CN114386010A (en) Application login method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200623