CN111698197A - Method, system, service system and storage medium for collecting information of named Web applications

Info

Publication number: CN111698197A
Authority: CN (China)
Application number: CN202010118699.7A
Other languages: Chinese (zh)
Prior art keywords: access request, information, access, request, web application
Inventors: 丁玲明, 周恒磊, 邓乐, 孙会林
Current assignee: China Unionpay Co Ltd
Original assignee: China Unionpay Co Ltd
Legal status: Pending

Classifications

All classifications fall under H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication):

    • H04L 67/56 Provisioning of proxy services (under H04L 67/00 Network arrangements or protocols for supporting network services or applications; H04L 67/50 Network services)
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources (under H04L 63/00)
    • H04L 63/1441 Countermeasures against malicious traffic (under H04L 63/14 Network architectures or protocols for detecting or protecting against malicious traffic)
    • H04L 67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP] (under H04L 67/01 Protocols)
    • H04L 67/60 Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources (under H04L 67/50 Network services)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a method for collecting information of a named Web application, which comprises the following steps: receiving an access request from a client, wherein the access request comprises a Web request, and transferring the access request to a proxy server when the access request is abnormal; the proxy server returns response data corresponding to the access request to the client, wherein the response data comprises a code which runs to collect the information of the named Web application; and receiving information of the named Web application.

Description

Method, system, service system and storage medium for collecting information of named Web applications
Technical Field
The present invention relates to a network security technology, and more particularly, to a method, system, service system, and storage medium for collecting information of a named Web application.
Background
In recent years, with the spread of network attack techniques and tools, enterprises have been subjected to more and more network attacks (e.g., distributed denial of service attacks, server intrusions, drive-by trojan planting on compromised pages ("horse hanging"), data leakage, etc.). However, attackers generally carry out such attacks through multi-level proxies, so that tracing by IP address makes it difficult to locate the real attacker behind the proxies.
Disclosure of Invention
In view of the above, the present invention provides a network security technology based on a mechanism for collecting information of a named Web application, and specifically, the network security technology comprises:
according to an aspect of the present invention, there is provided a method of collecting information of a named Web application, comprising the steps of: receiving an access request from a client, wherein the access request comprises a Web request, and transferring the access request to a proxy server when the access request is abnormal; the proxy server returns response data corresponding to the access request to the client, wherein the response data comprises a code which runs to collect the information of the named Web application; and receiving information of the named Web application.
In some embodiments of the invention, optionally, the access request is abnormal if the access request exceeds a reasonable amount within a predetermined time.
In some embodiments of the present invention, optionally, if the access request from a specific Web interface is abnormal, the access request from the specific Web interface is transferred to the proxy server.
In some embodiments of the present invention, optionally, if the access request from a specific address is abnormal, the access request from the specific address is transferred to the proxy server.
In some embodiments of the present invention, optionally, the address includes: IP address, MAC address.
In some embodiments of the invention, optionally, the code is run in a browser environment if the accessed response data corresponds to the Web request.
In some embodiments of the invention, optionally, the named Web application is a social networking application.
In some embodiments of the invention, optionally, the information of the named Web application is identity information of the social networking application in JSON format.
In some embodiments of the present invention, optionally, the information of the named Web application is recorded information under a specific account obtained by logging in the social network application with the specific account through a URL request.
In some embodiments of the present invention, optionally, the record information includes: the IP address from which access was initiated, the users who recently accessed the account, and the users who left messages.
According to another aspect of the present invention, there is provided a system for collecting information of a named Web application, comprising: a transceiver module configured to receive an access request from a client, wherein the access request comprises a Web request; a determination module configured to determine whether the access request is abnormal; a transfer module configured to transfer the access request to a proxy server when the access request is abnormal; a proxy server configured to return response data corresponding to the access request to the client, the response data including code operative to collect information of the named Web application; and a tracing module configured to receive information of the named Web application.
In some embodiments of the present invention, optionally, the determining module determines that the access request is abnormal if the access request exceeds a reasonable amount within a predetermined time.
In some embodiments of the present invention, optionally, if the determining module determines that the access request from a specific Web interface is abnormal, the transferring module transfers the access request from the specific Web interface to the proxy server.
In some embodiments of the present invention, optionally, if the determining module determines that the access request from a specific address is abnormal, the transferring module transfers the access request from the specific address to the proxy server.
In some embodiments of the present invention, optionally, the address includes: IP address, MAC address.
In some embodiments of the invention, optionally, the code is run in a browser environment if the accessed response data corresponds to the Web request.
In some embodiments of the invention, optionally, the named Web application is a social networking application.
In some embodiments of the present invention, optionally, the information of the named Web application received by the tracing module is identity information of the social network application in JSON format.
In some embodiments of the present invention, optionally, the information of the named Web application received by the tracing module is record information under a specific account obtained by logging in the social network application with the specific account through a URL request.
In some embodiments of the present invention, optionally, the record information includes: the IP address from which access was initiated, the users who recently accessed the account, and the users who left messages.
According to another aspect of the present invention, there is provided a service system comprising any one of the systems for collecting information of a named Web application as described above and a client initiating an access request to the system for collecting information of a named Web application.
According to another aspect of the present invention, there is provided a computer readable storage medium having instructions stored therein, wherein the instructions, when executed by a processor, cause the processor to perform any one of the methods as described above.
Drawings
The above and other objects and advantages of the present invention will become more apparent from the following detailed description when taken in conjunction with the accompanying drawings, in which like or similar elements are designated by like reference numerals.
Fig. 1 shows a schematic diagram of the principle of a network attack.
FIG. 2 illustrates a system for collecting information for a named Web application according to one embodiment of the present invention.
FIG. 3 shows a flow diagram for collecting information for a named Web application, according to one embodiment of the invention.
Fig. 4 illustrates a method of collecting information of a named Web application according to one embodiment of the invention.
Detailed Description
For the purposes of brevity and explanation, the principles of the present invention are described herein with reference primarily to exemplary embodiments thereof. However, those skilled in the art will readily appreciate that the same principles are equally applicable to all types of methods, systems, service systems, and storage media for collecting information for a named Web application, and that these same or similar principles may be implemented therein, with any such variations not departing from the true spirit and scope of the present patent application.
In the context of the present application, the term named Web application refers to an application that provides Web services in a non-anonymous manner, i.e. the user to whom it belongs can be traced back on the basis of some information in the application. Examples of named Web applications include social networking applications (e.g., microblog, Facebook, Twitter, people Web, etc.), Web forum applications, Web chat room applications, and so forth. The information of a named Web application generally refers to all data through which the user to whom the application belongs can be traced back.
Fig. 1 shows a schematic diagram of the principle of a network attack. As shown in fig. 1, when an attacker 10 attacks a server 30, the attack is currently carried out through a multi-level proxy 20 (e.g., comprising proxies 201, 202, ..., 20N) so as to hide the attacker 10's own IP address. The attack log on the server 30 only shows the IP address of the last-level proxy 20N, and from that IP the actual IP address or associated information (e.g., location, operator, etc.) of the attacker 10 cannot be located.
At present, security companies mainly locate attackers by comparing information such as network attack means and used malicious software program characteristics with an attack history library. However, the above solutions all have technical implementation difficulties, for example, accumulation of the attack history library requires collection of a large amount of data, and extraction of identity feature information of the malware program also has difficulty.
Fig. 3 is a schematic flowchart of a process of collecting information of a named Web application according to an embodiment of the present invention, which traces a network attack and locates the identity of the attacker 10 by diverting attack traffic and inserting JavaScript function code. The scheme can work in at least the following scenarios. For example, the attacker 10 may launch a DDoS attack on a target WEB application and then access the attacked WEB application through a browser to confirm whether it has been made to malfunction. As another example, the attacker 10 tampers with a page of a target WEB application (i.e., plants a defacement page, a "black page") and accesses that page through a browser to confirm whether the tampering succeeded. In general, regardless of which attack the attacker 10 carries out, the attacker subsequently accesses the WEB page targeted by the attack.
To help the reader understand the technical solutions that follow, the basic principle of the present invention is now described by way of example with reference to fig. 3. As noted above, attacks from the attacker 10 are all forwarded through the proxy 20 (only one level of proxy is shown schematically; in practice there may be more), and the proxy 20 forwards the attack traffic to the server 30. The server 30 may have a traffic screening mechanism that identifies attack traffic and pulls it to the proxy server 40. The proxy server 40 may return corresponding response data for the attack traffic, with executable code embedded in that response data. Generally the attacker 10 is not interested in the ordinary response data; however, the attacker 10 may also access the web page through the attack route to confirm whether the attack worked. In the present application this web page access is likewise identified as attack traffic, so the response data returned by the proxy server 40 also has the executable code embedded. When the attacker 10 renders the returned response data in a browser on the local machine, the embedded executable code activates automatically, gathers information on that machine such as social network information, and sends it to the server 30 (or to another information gathering server). The operator of the server 30 can thereby determine the identity of the attacker 10. It should be noted that fig. 3 and its example are shown only to illustrate the principle of the present invention, and the scope of protection of the present invention extends well beyond it.
According to an aspect of the present invention, a method of collecting information of a named Web application is provided. Fig. 4 illustrates a method of collecting information of a named Web application according to one embodiment of the invention. As shown, this includes the following steps. First, an access request is received from a client in step 41, wherein the access request comprises a Web request. The access request from the client may be directly from the actual client, may be from the controlled proxy (where the controlled proxy does not initiate the access request at its own discretion), or may be from the proxy server (where the proxy server provides proxy forwarding services).
If the access request is directly from the actual client, the access request should be normal in most cases, but the possibility that the actual client directly initiates a network attack is not excluded. The principles of the present application may be applied to direct access requests and indirect access requests, with a distinction being made only in the normality of the access requests, as will be described in detail below.
If the access request is initiated via a multi-level proxy 20 as shown in fig. 1 (in the context of the present application a network attack is also considered a special access request), the last-level proxy 20N is treated as the client, because the method does not seek to trace the actual originator of the access request directly back through the multi-level proxy 20. Further, if the access request comes from a proxy server (e.g., a VPN server), the server on the proxy side that sent the request is treated as the client.
If the access request includes a Web request, which may be a normal request sent by a normal user, the Web request will be processed according to a normal processing procedure. The Web request may also be sent by an actual initiator of the abnormal access, and at this time, if the access request is determined to be abnormal according to the method described below and is processed according to the abnormal access, the Web request is also considered to be abnormal access because of being homologous to other access requests, and is also processed according to the method described below. Of course, other access requests that are the attack traffic itself may also be Web requests, which may be handled equally as per the method of the present application, and the scope of protection of the present application covers such cases.
Next, it is judged in step 42 whether the access request is abnormal, and if so the access request is transferred to the proxy server. Some examples of the invention do not limit how an abnormal request is detected; cases of abnormal requests may include, for example: a significant attack feature is detected in the request traffic (in which case the access request from that client may be determined to be abnormal); the client that issued the request has a past bad record (in which case access requests from that client may be determined to be abnormal for a certain period of time); or clients in the same area issue a large number of requests (in which case access requests from that area are determined to be abnormal). Although some examples of the invention do not concern themselves with how a normal access request is processed, those skilled in the art will appreciate that a normal access request should be processed according to the normal flow (e.g., in step 43). The handling of normal access requests is therefore not specifically illustrated in some examples of the present invention, as those skilled in the art will appreciate upon reading the present application in context.
Some examples of the invention divert abnormal access requests (traffic) to proxy servers, thereby relieving the pressure on the servers that actually provide the service. The server that really provides the service can continue to serve other, normally accessing users, and the quality of service is not affected by the abnormal access. In some examples of the invention, the front end of the server that really provides the service may use an Nginx proxy, an Apache proxy, and/or an application layer load balancing hardware device, which in turn pulls the abnormal access to the proxy server. When an attack event is detected by, for example, a firewall or intrusion prevention system, the proxy IP address used by the attacker may be extracted and written into the configuration file of the proxy (Nginx or Apache). When the traffic of an incoming access request from the boundary matches a particular attack address, JavaScript code, for example, may be embedded in the return traffic.
The proxy server of the present application may also be a virtual system customised to imitate the actual server providing the service, so that the client initiating the abnormal access does not perceive that the proxy server (virtual system) is the one serving it and instead believes it is served by the real server. In this way the vigilance of the actual initiator of the abnormal access is further reduced, which makes locating that initiator easier. The transfer in this application may be that the traffic of the attacked target is dragged to the proxy server through a network layer scheme or an application layer scheme, with the proxy server acting as a security defence environment.
Next, the proxy server returns response data corresponding to the access request to the client in step 44, the response data including code running to collect information for the named Web application. When the proxy server receives the abnormal access, the proxy server can process the abnormal access, and the processing can be disguised as normal processing or false processing. Accordingly, the proxy server may return response data including a normal processing result or a false processing result. In addition, code (which may be JavaScript code, for example) is included in the response data, and information of the named Web application may be collected when the code is run at the client. If the access request is initiated via a multi-level proxy 20 as shown in fig. 1 (a network attack is also considered a special access request in the context of the present application), the last level proxy 20N will be considered a client that can collect information on the named Web application on the proxy 20N if the code is run at the proxy 20N. Of course, the multi-level proxy 20 may return reply data including the code to the attacker 10 in stages in the opposite direction from the originating request. At this time, if the code is run on any level-one proxy, the code can collect the information of the named Web application on the level-one proxy; in particular, if the code is run on the device of attacker 10, it may collect information of the named Web application on the device of attacker 10, which will help to identify the attacker.
Finally, information of the named Web application is received in step 45. As noted above, this information of the named Web application may be collected from the attacker 10's device, so the actual attacker 10 may be traced from it.
In some embodiments of the invention, an access request is abnormal if it exceeds a reasonable amount within a predetermined time. A DDoS attack issues a large number of requests to a server at the same time in order to crash it, so the attack behaviour can be identified from this characteristic. This scheme includes the following possible scenario. If the total number of access requests received by the server over a period of time exceeds a reasonable amount, all access requests may be transferred to the proxy server for a preset period (e.g., a short period). In this case the server may have to be briefly taken out of service, but an attacker can be enticed into obtaining response data comprising the code described above and thereby traced. This approach suits a case where a specific attack feature or the like cannot be identified in a short time.
In some embodiments of the invention, if access requests from a particular address are abnormal, access requests from that address may be transferred to the proxy server for a predetermined period of time (e.g., a longer period). Generally the number of proxies launching a DDoS attack is limited, so the abnormal access of those proxies can be identified in this way and their access requests transferred to the proxy server; in some examples of the present application, the proxy referred to here is the last-level proxy. In this case the server transfers only the traffic of the clients corresponding to the abnormal access to the proxy server, so the normal service of the server is not affected. This approach suits a case where a specific attack feature or the like can be identified in a short time. In some embodiments of the invention, the address comprises an IP address, a MAC address, or the like.
In some embodiments of the invention, if access requests from a specific Web interface are abnormal, the access requests from that Web interface are transferred to the proxy server. In some cases the abnormal access is initiated through a particular Web interface, so access requests from that Web interface may be transferred to the proxy server. In this way normal access requests from other Web interfaces are still responded to, which preserves the availability of the server to some extent.
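The three diversion criteria in this and the two preceding paragraphs (total volume within a predetermined time, volume from a particular address, and a particular Web interface), together with the routing decision of step 42, can be written as a small sliding-window router. The following Python is an added illustration, not the patent's own code or anything from China UnionPay; the request shape, the window length, the limits and the diversion durations are assumptions, and the traffic in `demo()` is constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Set, Tuple

ORIGIN = "origin"   # served by the server that really provides the service (step 43)
PROXY = "proxy"     # diverted to the proxy server (step 42 -> step 44)


@dataclass
class Request:
    """One access request as the server sees it (assumed shape)."""
    ts: float        # arrival time, seconds
    address: str     # client address; for proxied attacks this is the last-level proxy
    path: str        # the Web interface (URL path) being requested


@dataclass
class Diverter:
    """Sliding-window counters implementing the three diversion criteria."""
    window: float = 10.0          # "predetermined time" over which requests are counted
    global_limit: int = 100       # reasonable total volume per window (assumed)
    addr_limit: int = 20          # reasonable per-address volume per window (assumed)
    short_divert: float = 30.0    # how long everything is diverted after overload
    long_divert: float = 3600.0   # how long a flagged address stays diverted
    flagged_paths: Set[str] = field(default_factory=set)  # Web interfaces under attack
    _all: Deque[float] = field(default_factory=deque)
    _per_addr: Dict[str, Deque[float]] = field(default_factory=lambda: defaultdict(deque))
    _global_until: float = 0.0
    _addr_until: Dict[str, float] = field(default_factory=dict)

    def _trim(self, q: Deque[float], now: float) -> None:
        # Drop timestamps that fell out of the counting window.
        while q and now - q[0] > self.window:
            q.popleft()

    def route(self, req: Request) -> Tuple[str, str]:
        """Return (destination, reason) for one request, updating the counters."""
        now = req.ts
        self._all.append(now)
        self._trim(self._all, now)
        q = self._per_addr[req.address]
        q.append(now)
        self._trim(q, now)

        # Criterion 1: total volume exceeds a reasonable amount -> divert all, briefly.
        if len(self._all) > self.global_limit:
            self._global_until = max(self._global_until, now + self.short_divert)
        # Criterion 2: one address exceeds a reasonable amount -> divert it, longer.
        if len(q) > self.addr_limit:
            self._addr_until[req.address] = max(
                self._addr_until.get(req.address, 0.0), now + self.long_divert)

        if now < self._addr_until.get(req.address, 0.0):
            return PROXY, "address"
        if req.path in self.flagged_paths:        # Criterion 3: specific Web interface
            return PROXY, "interface"
        if now < self._global_until:
            return PROXY, "global"
        return ORIGIN, "normal"                   # normal processing flow


def demo() -> Dict[str, int]:
    """Constructed traffic: one address floods /login while a few users browse normally."""
    d = Diverter(flagged_paths={"/admin"})
    reqs: List[Request] = [Request(i * 0.1, "10.0.0.9", "/login") for i in range(60)]
    reqs += [Request(1.0 + i, f"192.0.2.{i}", "/") for i in range(5)]
    reqs.append(Request(7.0, "192.0.2.50", "/admin"))
    reqs.sort(key=lambda r: r.ts)
    counts: Dict[str, int] = defaultdict(int)
    for r in reqs:
        dest, reason = d.route(r)
        counts[f"{dest}:{reason}"] += 1
    return dict(counts)


if __name__ == "__main__":
    print(demo())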
In some embodiments of the invention, the code runs in a browser environment if the accessed response data corresponds to a Web request. When an attacker 10, as shown in fig. 1, determines whether an attack works by accessing an attacked page, it sends a Web request, and the proxy server returns response data corresponding to the Web request, the response data including a code that can run silently in a browser environment, so that an access request to a personal homepage of a social network application can be initiated. Once attacker 10 presents the reply data through the browser on the local machine, the code therein will run automatically.
In some embodiments of the invention, the named Web application is a social networking application, such as microblog, Facebook, Twitter, people's Web, and the like. In some examples of the invention, if the browser of the attacker 10 stores the identity information of the social network, the code will carry the information to initiate specific personal homepage access, and the user can determine the real identity of the attacker 10 by looking at the access source of a specific social account.
In some embodiments of the invention, the information of the named Web application is identity information of the social networking application in JSON format. For example, when the embedded JavaScript code executes, it may obtain the social network information from a social network list, e.g., the URL request and parameters used to obtain the JSON information. The browser then initiates a cross-domain request carrying the Cookie of the target social network using elements such as SCRIPT, IMG, IFRAME, etc. When the social network exposes the personal identity information in JSON format, that information can be read directly by code on the browser side and the related information sent to a remote server asynchronously. Specifically, a WEB service with an API interface may be started on the server; when attacker identity information is acquired it is transmitted to the server through that API interface, and the server records the attacker identity information and stores it in a database for subsequent query or alerting.
In some embodiments of the invention, the information of the named Web application is record information under a particular account, obtained by logging in to the social networking application with that account through a URL request. For example, upon execution the embedded JavaScript code may first retrieve social network information from the social network list, e.g., the URL request and parameters for accessing a particular social network account. The browser then initiates a cross-domain request carrying the Cookie of the target social network using elements such as SCRIPT, IMG, IFRAME, etc. Where the social network neither verifies the Referer (access source) nor adds a Token against CSRF (cross-site request forgery), access to a specific social network account and message-leaving actions can be initiated through a URL request, and the server (or its functional module) periodically logs in to the relevant social network to obtain the record information under that account. Specifically, a timed task may be started that performs the following operations at intervals (e.g., every 10 minutes): read the list of available social networks, log in to the social network with the registered account, and obtain the latest access source records and message information. Because the social network account has no friends, no visits from others, and no message records, any other user who accesses the social network account can be determined to be the real attacker.
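The two paragraphs above make the cross-site read depend on the social network neither checking the Referer of the access source nor using an anti-CSRF token, and on its JSON being loadable through a SCRIPT, IMG or IFRAME element that carries the site's Cookie. The following Python is an added example of the server-side guard a named Web application would put in front of its JSON identity endpoint so that such cookie-bearing cross-site loads are refused; it is not the patent's code or any real social network's. The request shape, the `SITE_ORIGIN` value, the signing key, the header names chosen for the token and the response hardening headers are assumptions.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Assumed origin of the named Web application and a constructed signing key.
SITE_ORIGIN = "https://social.example"
SECRET_KEY = b"constructed-demo-key-not-for-production"


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (assumed shape)."""
    headers: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)

    def header(self, name: str) -> Optional[str]:
        # Header names are case-insensitive.
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return None


def csrf_token(session_id: str) -> str:
    """Per-session anti-CSRF token: HMAC of the session id under a server secret."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def _is_site_url(url: Optional[str]) -> bool:
    """True when the URL's scheme and host are this site's own origin."""
    if not url:
        return False
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}" == SITE_ORIGIN


def guard_identity_request(req: Request) -> Tuple[int, str]:
    """Decide whether the JSON identity endpoint may answer. Returns (status, reason)."""
    session = req.cookies.get("session")
    if not session:
        return 401, "no session"

    # 1. Fetch metadata set by the browser itself; page script cannot forge it.
    site = req.header("Sec-Fetch-Site")
    if site is not None and site not in ("same-origin", "same-site", "none"):
        return 403, "cross-site per Sec-Fetch-Site"
    if req.header("Sec-Fetch-Dest") == "script":
        return 403, "JSON requested as a script"

    # 2. Origin or Referer must name this site (covers browsers without Sec-Fetch-*).
    if not (_is_site_url(req.header("Origin")) or _is_site_url(req.header("Referer"))):
        return 403, "origin/referer not this site"

    # 3. Token in a custom header: SCRIPT, IMG and IFRAME loads cannot add one.
    supplied = req.header("X-CSRF-Token") or ""
    if not hmac.compare_digest(supplied, csrf_token(session)):
        return 403, "csrf token missing or wrong"
    return 200, "ok"


def identity_response(req: Request, identity: Dict[str, str]) -> Tuple[int, Dict[str, str], str]:
    """Serve the identity JSON only when the guard passes; always send hardening headers."""
    status, reason = guard_identity_request(req)
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        "X-Content-Type-Options": "nosniff",   # browsers must not execute JSON as script
        "Cache-Control": "no-store",
    }
    body = json.dumps(identity if status == 200 else {"error": reason})
    return status, headers, body


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value that keeps the session off cross-site subresource loads."""
    return f"session={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"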
In some embodiments of the invention, the record information includes the IP address from which the access was initiated, the users who recently accessed the account, the users who left messages, and the like. For example, the latest access IP addresses, accessing users, and message-leaving users may be acquired.
According to another aspect of the present invention, a system for collecting information for a named Web application is provided. Fig. 2 shows a system for collecting information of a named Web application according to an embodiment of the present invention, and as shown in the figure, the system 50 includes a transceiver module 301, a determination module 302, a transfer module 303, a proxy server 40, and a tracing module 304. Wherein the transceiving module 301, the determining module 302, the transferring module 303 and the tracing module 304 are included in the server 30 (in other examples of the present invention, the tracing module 304 may also belong to other servers). The server 30 and the proxy server 40 may communicate, either geographically isolated or located in close geographic proximity. In some cases, the server 30 and the proxy 40 may be hosted in the same physical entity, with both being only different functionalities of the physical entity (e.g., two service spaces are virtually emulated on some large server). In addition, the proxy server 40 may also be part of the server 30.
Transceiver module 301 is configured to receive an access request from a client. The access request from the client may be directly from the actual client, may be from the controlled proxy (where the controlled proxy does not initiate the access request at its own discretion), or may be from the proxy server (where the proxy server provides proxy forwarding services).
If the access request is directly from the actual client, the access request should be normal in most cases, but the possibility that the actual client directly initiates a network attack is not excluded. The principles of the present application may be applied to direct access requests and indirect access requests, with a distinction being made only in the normality of the access requests.
If the access request is initiated via the multi-level proxy 20 (in the context of this application, a network attack is also considered a special kind of access request), the last-level proxy 20N will be treated as the client, since the method does not attempt to trace back through the multi-level proxy 20 to the actual initiator of the access request. Further, if the access request comes from a proxy server (e.g., a VPN server), then the proxy server from which the request was initiated will be treated as the client.
The access request includes a Web request. It may be a normal request sent by a normal user, which is then handled by the normal processing flow. The Web request may also be sent by the actual initiator of an abnormal access; in that case, if the access request is determined to be abnormal according to the method described below and handled as abnormal access, the Web request is also treated as abnormal access because it comes from the same source as the other access requests, and is likewise handled according to the method described below. Of course, other access requests that constitute the attack traffic itself may also be Web requests, which can be handled in the same way under the method of the present application; the scope of protection of the present application covers such cases.
The determination module 302 is configured to determine whether the access request is abnormal. Some examples of the invention are not limited to the manner in which an abnormal request is detected; abnormal requests may include the following cases: a significant attack feature is detected in the request traffic (in this case, the determination module 302 may determine that the access request from that client is abnormal); the client initiating the request has a past bad record (in this case, the determination module 302 may determine that access requests from that client are abnormal within a certain time period); or clients in the same region initiate a large number of requests (in this case, the determination module 302 may determine that access requests from that region are abnormal). Although some examples of the invention are not concerned with how normal access requests are processed, as those skilled in the art will appreciate, a normal access request should be processed according to the normal flow. The handling of normal access requests is therefore not specifically illustrated in some examples of the present invention, as will be understood by those skilled in the art upon reading the context of the present application.
The transfer module 303 is configured to transfer the access request to the proxy server 40 when the access request is abnormal, thereby relieving the load on the server 30. The server 30 can continue to serve other normally accessing users, and the quality of service is not affected by the abnormal access. In some examples of the invention, the front end of the server that actually provides the service may use an Nginx proxy, an Apache proxy, and/or an application-layer load-balancing hardware device, which in turn may divert abnormal access to the proxy server 40. When the determination module 302 detects an attack event, the proxy IP address used by the attacker may be extracted and written into a configuration file of the proxy server 40 (Nginx or Apache). When the traffic of an incoming access request at the boundary matches a particular attack address, JavaScript code, for example, may be embedded in the returned traffic.
The proxy server 40 of the present application may also be a virtual system customized to mimic the server 30, so that clients initiating an abnormal access will not perceive that they are being served by the proxy server 40 (the virtual system) and will believe they are being served by the server 30. In this way, the vigilance of the actual initiator of the abnormal access may be further reduced, which is more advantageous for locating that initiator. The transfer in this application may be implemented by diverting the traffic destined for the attacked target to the proxy server via a network-layer or application-layer scheme, with the proxy server acting as a security defense environment.
The proxy server 40 is configured to return response data corresponding to the access request to the client, the response data including code that, when run, collects information of the named Web application. When the proxy server 40 receives the abnormal access it may process it, and this processing may be disguised as normal processing or be a dummy process. Accordingly, the proxy server 40 may return response data containing either a normal processing result or a false processing result. In addition, code (which may be JavaScript code, for example) is included in the response data, and information of the named Web application can be collected when the code runs at the client. If the access request is initiated via a multi-level proxy 20 (in the context of this application, a network attack is also considered a special kind of access request), the last-level proxy 20N is treated as the client, and if the code runs at the proxy 20N it collects information of the named Web application on the proxy 20N. Of course, the multi-level proxy 20 may also relay the response data including the code back to the attacker 10 stage by stage, in the reverse direction of the original request. In that case, if the code runs on any level of proxy, it can collect the information of the named Web application on that proxy; in particular, if the code runs on the device of the attacker 10, it may collect information of the named Web application on that device, which helps to identify the attacker.
The tracing module 304 is configured to receive the information of the named Web application. As noted above, this information may be collected from the device of the attacker 10, and thus the actual attacker 10 may be traced according to this information.
In some embodiments of the invention, the determination module 302 determines that the access request is abnormal if the access requests exceed a reasonable amount within a predetermined time. A DDoS attack works by sending a large number of requests to the server 30 simultaneously in order to paralyze it and deny service, so attack behavior can be identified from this characteristic of DDoS attacks. This scheme includes the following possible scenarios. If the total number of access requests received by the server 30 over a period of time exceeds a reasonable amount, then all access requests may be transferred to the proxy server 40 for a preset period of time (e.g., a short period). In this case the server 30 may need to be briefly withdrawn from service, but the attacker 10 may be enticed into obtaining response data containing the code described above, and its identity can thereby be traced. This approach is suitable for cases where a specific attack feature or the like cannot be identified in a short time.
In some embodiments of the present invention, if the determination module 302 determines that the access request from a specific address is abnormal, the transfer module 303 transfers the access request from that address to the proxy server 40, and access requests from that address may then continue to be transferred to the proxy server 40 for a preset period of time (e.g., a longer period). In general, the number of proxies that launch a DDoS attack is limited, so abnormal access by a proxy can be identified in this manner and the access requests of that proxy transferred to the proxy server 40; in some examples of the present application, the proxy referred to here is the last-level proxy. In this case, the server 30 transfers only the traffic of the client corresponding to the abnormal access to the proxy server 40, and thus the normal service of the server 30 is not affected. This approach is suitable for cases where a specific attack feature or the like can be identified in a short time. In some embodiments of the invention, the address comprises an IP address, a MAC address, or the like.
In some embodiments of the present invention, if the determination module 302 determines that the access request from a specific Web interface is abnormal, the transfer module 303 transfers the access requests from that Web interface to the proxy server 40. In some cases, the abnormal access is initiated through a particular Web interface, so the access requests from that Web interface may be transferred to the proxy server 40. In this manner, normal access requests from other Web interfaces will still be responded to, thereby ensuring the availability of the server 30 to some extent.
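The three divert rules above (server-wide cap, per-address cap, per-Web-interface cap), combined into one sliding-window determination module with the routing decision the transfer module derives from it. This is an added example in Python, not the patent's own code (which the page gives only as a figure); the limits, divert durations, paths and addresses are constructed assumptions.

```python
# Added example, not code from the patent: a rate-based determination
# module in the style of the three divert rules above (server-wide cap,
# per-address cap, per-Web-interface cap) and the routing decision the
# transfer module derives from it. Limits, durations and addresses are
# constructed assumptions.
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Request:
    ts: float   # arrival time, seconds
    addr: str   # client address; a last-level proxy counts as the client
    path: str   # the Web interface (URL path) being requested


@dataclass
class Limits:
    window: float = 10.0         # sliding-window length, seconds
    total_max: int = 100         # "reasonable amount" for the whole server
    addr_max: int = 20           # reasonable amount per address
    path_max: int = 60           # reasonable amount per Web interface
    global_divert: float = 30.0  # short: divert all traffic this long
    addr_divert: float = 600.0   # longer: divert one address this long
    path_divert: float = 120.0   # divert one Web interface this long


class DeterminationModule:
    """Counts requests in a sliding window and records divert decisions
    with an expiry time; route() is what the transfer module consults."""

    def __init__(self, limits=None):
        self.lim = limits or Limits()
        self.total = deque()
        self.by_addr = defaultdict(deque)
        self.by_path = defaultdict(deque)
        self.global_until = 0.0
        self.addr_until = {}
        self.path_until = {}

    def _count(self, q, ts):
        """Append ts, drop timestamps older than the window, return the size."""
        q.append(ts)
        while q and q[0] <= ts - self.lim.window:
            q.popleft()
        return len(q)

    def route(self, req):
        """Return ('proxy', reason) to send the request to the proxy server,
        or ('server', 'normal') to let the real server handle it."""
        now, lim = req.ts, self.lim
        # Rule 1: total requests exceed the reasonable amount -> divert
        # everything for a short preset period (no attack feature yet known).
        if self._count(self.total, now) > lim.total_max:
            self.global_until = max(self.global_until, now + lim.global_divert)
        # Rule 2: one address exceeds its cap -> divert that address for a
        # longer period while the server keeps serving everyone else.
        if self._count(self.by_addr[req.addr], now) > lim.addr_max:
            self.addr_until[req.addr] = now + lim.addr_divert
        # Rule 3: one Web interface exceeds its cap -> divert that interface.
        if self._count(self.by_path[req.path], now) > lim.path_max:
            self.path_until[req.path] = now + lim.path_divert

        if now < self.addr_until.get(req.addr, 0.0):
            return ("proxy", f"address {req.addr} diverted")
        if now < self.path_until.get(req.path, 0.0):
            return ("proxy", f"interface {req.path} diverted")
        if now < self.global_until:
            return ("proxy", "server-wide overload")
        return ("server", "normal")


def route_all(reqs, limits=None):
    """Feed requests in arrival order; return the list of (route, reason)."""
    module = DeterminationModule(limits)
    return [module.route(r) for r in sorted(reqs, key=lambda r: r.ts)]


def sample_stream():
    """Constructed traffic: five normal users browsing /index at a steady
    pace, plus one address (203.0.113.7) firing 25 requests at /login."""
    reqs = [Request(i * 0.25, f"10.0.0.{i % 5 + 1}", "/index") for i in range(40)]
    reqs += [Request(5.0 + i * 0.05, "203.0.113.7", "/login") for i in range(25)]
    reqs.append(Request(7.0, "203.0.113.7", "/index"))  # same client, other page
    return reqs


if __name__ == "__main__":
    ordered = sorted(sample_stream(), key=lambda r: r.ts)
    for req, (route, why) in zip(ordered, route_all(sample_stream())):
        print(f"{req.ts:5.2f} {req.addr:<12} {req.path:<7} -> {route} ({why})")
```

In the sample stream only the 21st and later requests from 203.0.113.7 are diverted, and its later request to a different page stays diverted for the longer per-address period, while the five normal users are never touched.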
In some embodiments of the invention, the code runs in a browser environment if the response data being accessed corresponds to a Web request. When the attacker 10 checks whether the attack has worked by accessing the attacked page, it sends a Web request, and the proxy server 40 returns response data corresponding to that Web request; the response data includes code that can run silently in the context of the browser 101 and can therefore initiate an access request to the personal homepage of the social network application. The code may establish a client traceback module 102 on the local machine of the attacker 10, whose code runs automatically once the attacker 10 renders the response data in the browser 101 on that machine.
In some embodiments of the invention, the named Web application is a social networking application, e.g., Weibo (microblog), Facebook, Twitter, Renren, etc. In some examples of the invention, if the browser 101 of the attacker 10 stores the identity information of the social network, the code will carry that information to initiate an access to a specific personal homepage, and the user can determine the real identity of the attacker 10 by looking at the access sources of that specific social account.
In some embodiments of the present invention, the information of the named Web application received by the tracing module 304 is identity information of a social networking application in JSON format. For example, when the embedded JavaScript code executes, the social networking information may be obtained from the social network list; for example, a URL request and parameters for obtaining the JSON information may be sent. The browser 101 then initiates the cross-domain request carrying the Cookie of the target social network, using elements such as SCRIPT, IMG, IFRAME, etc. When the social network returns the personal identity information in JSON format, the personal identity information can be read directly by the code on the browser 101 side, and the related information can be sent to the remote server 30 asynchronously. Specifically, a Web service may be started on the server 30 and an API interface provided; when the attacker identity information is obtained, it may be transmitted to the server 30 through that API interface (of course, an independent server may be chosen instead, with the tracing module 304 belonging to that server rather than the server 30; this scheme is also within the protection scope of the present application), and the server 30 may record the attacker identity information and store it in a database for subsequent query or alarm.
In some embodiments of the present invention, the information of the named Web application received by the tracing module 304 is the recorded information under a specific account, obtained by logging in to the social networking application with that account after a URL request. For example, upon execution the embedded JavaScript code may first retrieve social networking information from the social network list, e.g., the URL request and parameters for accessing a particular social networking account. The browser 101 then initiates a cross-domain request carrying the Cookie of the target social network, using elements such as SCRIPT, IMG, IFRAME, etc. In the case where the social network does not verify the access source (Referer) and does not add a Token against CSRF (cross-site request forgery), access to a specific social network account and message-leaving information may be initiated through a URL request, and the server 30 (or its functional module) periodically logs in to the relevant social network to obtain the recorded information under that account. Specifically, the tracing module 304 may start a timed task that performs the following operations at intervals (e.g., every 10 minutes): read the list of available social networks, log in to each social network with the registered account, and obtain the latest access-source records and message information. Because the registered social network account has no friends, does not visit others, and has no message records, any other user who accesses the account can be determined to be the real attacker.
In some embodiments of the invention, the recorded information comprises: the IP address of the initiating access, the user of the recent access and the user who left the message. For example, the latest information on the access IP address, the access user, the message-leaving user, and the like may be acquired.
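The cross-domain read described above works only when the social network omits the Referer/Origin check and the anti-CSRF token. As an added example (not code from the patent), this Python handler shows the server-side check a social network would apply to its JSON identity endpoint so that a script running in another site's page cannot read the logged-in user's identity even though the browser attaches the Cookie. The origin social.example, the session store, the X-CSRF-Token header name and the /me.json endpoint are constructed assumptions; Origin, Referer and Sec-Fetch-Site are standard browser headers.

```python
# Added example, not code from the patent: the Referer/Origin and CSRF-token
# check whose absence the cross-domain JSON read above relies on.
# SITE_ORIGIN, SESSIONS and the X-CSRF-Token header name are constructed.
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://social.example"  # constructed: the social network's own origin

# Constructed session store: session cookie value -> logged-in user + CSRF token.
# The token is handed to same-origin pages only, so cross-site script never has it.
SESSIONS = {"s1": {"user": "alice", "csrf": secrets.token_hex(16)}}


def _origin_of(url):
    """Reduce a URL to scheme://host[:port], or None if it has neither."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower() if p.scheme and p.netloc else None


def authorize_identity_read(headers, cookies):
    """Decide whether the /me.json identity endpoint may be served.
    Returns (status, detail); detail is the JSON body on 200."""
    sess = SESSIONS.get(cookies.get("sid", ""))
    if sess is None:
        return 401, "no session"
    # 1. Fetch metadata: a cross-site <script>, <img> or <iframe> load
    #    carries the Cookie, but the browser labels it cross-site.
    site = headers.get("Sec-Fetch-Site")
    if site is not None and site != "same-origin":
        return 403, f"Sec-Fetch-Site={site}"
    # 2. Origin/Referer must name this site; an absent source is treated
    #    as cross-site rather than trusted by default.
    src = headers.get("Origin") or headers.get("Referer")
    if _origin_of(src or "") != SITE_ORIGIN:
        return 403, f"source origin {src!r} not trusted"
    # 3. The per-session CSRF token is known only to same-origin script;
    #    constant-time comparison avoids leaking it through timing.
    token = headers.get("X-CSRF-Token", "")
    if not hmac.compare_digest(token, sess["csrf"]):
        return 403, "missing or wrong CSRF token"
    return 200, {"user": sess["user"]}


if __name__ == "__main__":
    tok = SESSIONS["s1"]["csrf"]
    # Legitimate same-origin XHR from the social network's own page.
    print(authorize_identity_read(
        {"Origin": SITE_ORIGIN, "X-CSRF-Token": tok, "Sec-Fetch-Site": "same-origin"},
        {"sid": "s1"}))
    # A <script src="https://social.example/me.json"> injected into another
    # site's page: Cookie present, but Referer is foreign and no token.
    print(authorize_identity_read(
        {"Referer": "https://other.example/page", "Sec-Fetch-Site": "cross-site"},
        {"sid": "s1"}))
```

Issuing the session cookie with SameSite=Lax or Strict additionally keeps the browser from attaching it to such cross-site subresource loads at all, so the check above becomes a second layer rather than the only one.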
One example of code according to the above description of the present application is shown below:
[Code example provided as an image in the original document (Figure BDA0002392182600000151); not reproduced here.]
where tracetothesource.com is the address of the server to which the tracing module 304 belongs, and thissansweb.com is the web address of the social networking application.
According to another aspect of the present invention, there is provided a service system comprising a system for collecting information of a named Web application as any one of the above and a client, the client initiating an access request to the system for collecting information of a named Web application.
According to another aspect of the present invention, there is provided a computer readable storage medium having instructions stored therein, wherein the instructions, when executed by a processor, cause the processor to perform any of the methods as described above. Computer-readable media, as referred to herein, includes all types of computer storage media, which can be any available media that can be accessed by a general purpose or special purpose computer. By way of example, computer-readable media may comprise RAM, ROM, E2PROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other transitory or non-transitory medium that can be used to carry or store desired program code means in the form of instructions or data structures and that can be accessed by a general-purpose or special-purpose computer, or a general-purpose or special-purpose processor. Disk (disk) and disc (disc), as used herein, includes Compact Disc (CD), laser disc, optical disc, Digital Versatile Disc (DVD), floppy disk and blu-ray disc where disks usually reproduce data magnetically, while discs reproduce data optically with lasers. Combinations of the above should also be included within the scope of computer-readable media.
Therefore, the invention provides a network security technology for tracing the source of an attacker based on probing the attacker's information in a named Web application, and this technology provides a technical approach for subsequently determining the identity of the attacker and pursuing the attacker's responsibility in some scenarios. The scheme of this application can pin down the attacker at lower cost, while also maintaining the availability of the server to a certain extent. It should be noted that some of the block diagrams shown in the figures are functional entities and do not necessarily correspond to physically or logically separate entities. These functional entities may be implemented in the form of software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.
The above examples have mainly explained the method, system, service system and storage medium of collecting information of a named Web application of the present invention. Although only a few embodiments of the present invention have been described, those skilled in the art will appreciate that the present invention may be embodied in many other forms without departing from the spirit or scope thereof. Accordingly, the present examples and embodiments are to be considered as illustrative and not restrictive, and various modifications and substitutions may be made therein without departing from the spirit and scope of the present invention as defined by the appended claims.

Claims (22)

1. A method of collecting information for a named Web application, the method comprising:
receiving an access request from a client, wherein the access request comprises a Web request, and transferring the access request to a proxy server when the access request is abnormal;
the proxy server returns response data corresponding to the access request to the client, wherein the response data comprises a code which runs to collect the information of the named Web application; and
receiving the information of the named Web application.
2. The method of claim 1, wherein the access request is abnormal if the access request exceeds a reasonable amount within a predetermined time.
3. The method of claim 2, wherein if the access request from a specific Web interface is abnormal, transferring the access request from the specific Web interface to the proxy server.
4. The method of claim 2, wherein if the access request from a specific address is abnormal, transferring the access request from the specific address to the proxy server.
5. The method of claim 4, wherein the address comprises: IP address, MAC address.
6. The method of claim 1, wherein the code runs in a browser environment if the accessed response data corresponds to the Web request.
7. The method of claim 6, wherein the named Web application is a social networking application.
8. The method of claim 7, wherein the information of the named Web application is identity information of the social networking application in a JSON format.
9. The method of claim 7, wherein the information of the named Web application is recorded information under a specific account obtained by a URL request to log in the social networking application with the specific account.
10. The method of claim 9, wherein the recording information comprises: IP address of the initiating access, user of the recent access and user of the message.
11. A system for collecting information for a named Web application, the system comprising:
a transceiver module configured to receive an access request from a client, wherein the access request comprises a Web request;
a determination module configured to determine whether the access request is abnormal;
a transfer module configured to transfer the access request to a proxy server when the access request is abnormal;
a proxy server configured to return response data corresponding to the access request to the client, the response data including code operative to collect information of the named Web application; and
a tracing module configured to receive information of the named Web application.
12. The system of claim 11, wherein the determination module determines that the access request is anomalous if the access request exceeds a reasonable amount within a predetermined time.
13. The system according to claim 12, wherein if the determining module determines that the access request from a specific Web interface is abnormal, the transferring module transfers the access request from the specific Web interface to the proxy server.
14. The system of claim 12, wherein the transfer module transfers the access request from the specific address to the proxy server if the determination module determines that the access request from the specific address is abnormal.
15. The system of claim 14, wherein the address comprises: IP address, MAC address.
16. The system of claim 11, wherein the code runs in a browser environment if the accessed response data corresponds to the Web request.
17. The system of claim 16, wherein the named Web application is a social networking application.
18. The system of claim 17, wherein the information of the named Web application received by the tracing module is identity information of the social networking application in JSON format.
19. The system of claim 17, wherein the information of the named Web application received by the tracing module is recorded information under a specific account obtained by logging in the social network application with the specific account through a URL request.
20. The system of claim 19, wherein the recorded information comprises: IP address of the initiating access, user of the recent access and user of the message.
21. A service system, characterized in that the system comprises a system for collecting information of a named Web application according to any of claims 11-20 and a client, which initiates an access request to the system for collecting information of a named Web application.
22. A computer-readable storage medium having instructions stored therein, which when executed by a processor, cause the processor to perform the method of any one of claims 1-11.
CN202010118699.7A 2020-02-26 2020-02-26 Method, system, service system and storage medium for collecting information of named Web applications Pending CN111698197A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010118699.7A CN111698197A (en) 2020-02-26 2020-02-26 Method, system, service system and storage medium for collecting information of named Web applications


Publications (1)

Publication Number Publication Date
CN111698197A true CN111698197A (en) 2020-09-22

Family

ID=72476264


Country Status (1)

Country Link
CN (1) CN111698197A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination