CN111800390A - Abnormal access detection method, device, gateway equipment and storage medium - Google Patents
Abnormal access detection method, device, gateway equipment and storage medium Download PDFInfo
- Publication number
- CN111800390A CN111800390A CN202010538249.3A CN202010538249A CN111800390A CN 111800390 A CN111800390 A CN 111800390A CN 202010538249 A CN202010538249 A CN 202010538249A CN 111800390 A CN111800390 A CN 111800390A
- Authority
- CN
- China
- Prior art keywords
- url
- hash value
- web request
- request
- access
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000001514 detection method Methods 0.000 title claims abstract description 55
- 230000002159 abnormal effect Effects 0.000 title claims abstract description 54
- 238000000034 method Methods 0.000 claims description 40
- 238000004590 computer program Methods 0.000 claims description 19
- 230000000977 initiatory effect Effects 0.000 claims description 10
- 239000000126 substance Substances 0.000 claims description 3
- 238000004891 communication Methods 0.000 abstract description 4
- 230000008569 process Effects 0.000 description 14
- 230000006399 behavior Effects 0.000 description 12
- 238000010586 diagram Methods 0.000 description 10
- 230000004044 response Effects 0.000 description 10
- 230000006870 function Effects 0.000 description 6
- 238000012545 processing Methods 0.000 description 5
- 230000008878 coupling Effects 0.000 description 3
- 238000010168 coupling process Methods 0.000 description 3
- 238000005859 coupling reaction Methods 0.000 description 3
- 238000012795 verification Methods 0.000 description 3
- 238000005516 engineering process Methods 0.000 description 2
- 230000005856 abnormality Effects 0.000 description 1
- 230000002547 anomalous effect Effects 0.000 description 1
- 238000013475 authorization Methods 0.000 description 1
- 238000005336 cracking Methods 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3236—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
Abstract
The embodiment of the invention is suitable for the technical field of communication, and provides an abnormal access detection method, an abnormal access detection device, gateway equipment and a storage medium, wherein the abnormal access detection comprises the following steps: receiving a first Uniform Resource Locator (URL) in a first global area network (WWAN) WEB request; determining whether the first URL carries a first hashed HASH value; under the condition that the first URL carries the first HASH value, detecting whether the first HASH value is the same as the second HASH value or not to obtain a detection result; the second HASH value is obtained by the gateway device and spliced in a second URL; the access objects of the first URL and the second URL are the same; and under the condition that the detection result represents that the first HASH value is different from the second HASH value, determining that the first WEB request is an abnormal access request.
Description
Technical Field
The present invention belongs to the field of communications technologies, and in particular, to an abnormal access detection method, an abnormal access detection apparatus, a gateway device, and a storage medium.
Background
Related art may implement unauthorized access through Uniform Resource Locator (URL) concatenation. Unauthorized access can access data outside the user's rights and even modify the data, thus posing a significant threat to the security of the data. At present, the related technology can not effectively detect URL splicing behaviors, and can only detect unauthorized access of users through complex authority verification.
Disclosure of Invention
In view of this, embodiments of the present invention provide an abnormal access detection method, apparatus, switch, and storage medium, so as to at least solve the problem that the related art cannot effectively detect the URL splicing behavior of the user.
The technical scheme of the embodiment of the invention is realized as follows:
in a first aspect, an embodiment of the present invention provides an abnormal access detection method, which is applied to a gateway device, and the method includes:
receiving a first URL in a first World Wide Web (WEB) request;
determining whether the first URL carries a first HASH (HASH) value;
under the condition that the first URL carries the first HASH value, detecting whether the first HASH value is the same as the second HASH value or not to obtain a detection result; the second HASH value is obtained by the gateway device and spliced in a second URL; the access objects of the first URL and the second URL are the same;
and under the condition that the detection result represents that the first HASH value is different from the second HASH value, determining that the first WEB request is an abnormal access request.
In the above scheme, the method further comprises:
determining whether the first URL is in a set first data table or not under the condition that the first URL does not carry the first HASH value; when the first URL is stored in the first data table, the corresponding first WEB request is a normal access request;
and determining that the first WEB request is an abnormal access request under the condition that the first URL is not in the set first data table.
In the above scheme, before receiving the first WEB request, the method further includes:
determining the first data table;
the determining the first data table includes:
receiving a second WEB request for accessing the object; a third URL in the second WEB request does not carry a HASH value;
determining the number of users initiating the second WEB request according to the received second WEB request;
and writing the third URL into the first data table under the condition that the number of the users is larger than a set value.
In the foregoing solution, when determining, according to the received second WEB request, the number of users initiating the second WEB request, the method includes:
and writing the third URL into a second data table when the second WEB request is received for the first time, and updating the number of users corresponding to the third URL in the second data table in real time according to the received second WEB request.
In the above scheme, the method further comprises:
obtaining the second HASH value based on a fourth URL;
splicing the second HASH value in the fourth URL to obtain a second URL, so that the terminal equipment accesses the access object according to the second URL; wherein the content of the first and second substances,
and the fourth URL is a resource address corresponding to the access object.
In the foregoing solution, the obtaining the second HASH value based on the fourth URL includes:
acquiring the second HASH value based on the fourth URL and setting information; the setting information at least comprises a corresponding random code when the terminal equipment logs in the gateway equipment.
In the foregoing solution, the setting information further includes any one or more of the following items:
the terminal equipment logs in the user information used by the gateway equipment;
and the terminal equipment accesses the key carried in the WEB request of the access object.
In a second aspect, an embodiment of the present invention provides an abnormal access detection apparatus, where the apparatus includes:
the receiving module is used for receiving a first URL in the first WEB request;
a first determining module, configured to determine whether the first URL carries a first HASH value;
a detection module, configured to detect whether the first HASH value is the same as the second HASH value when the first URL carries the first HASH value, so as to obtain a detection result; the second HASH value is obtained by the gateway device and spliced in a second URL; the access objects of the first URL and the second URL are the same;
and the second determining module is used for determining that the first WEB request is an abnormal access request under the condition that the detection result represents that the first HASH value is different from the second HASH value.
In a third aspect, an embodiment of the present invention provides a gateway device, including a processor and a memory, where the processor and the memory are connected to each other, where the memory is used to store a computer program, and the computer program includes program instructions, and the processor is configured to call the program instructions to execute the steps of the method for detecting an abnormal access provided in the first aspect of the embodiment of the present invention.
In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium, including: the computer-readable storage medium stores a computer program. The computer program, when executed by a processor, implements the steps of the method for anomalous access detection as provided in the first aspect of the embodiment of the invention.
The embodiment of the invention receives a first URL in a first WEB request; determining whether the first URL carries a first HASH value; under the condition that the first URL carries the first HASH value, detecting whether the first HASH value is the same as the second HASH value or not to obtain a detection result; the second HASH value is obtained by the gateway equipment and spliced in the second URL; the access objects of the first URL and the second URL are the same; and under the condition that the detection result represents that the first HASH value is different from the second HASH value, determining that the first WEB request is an abnormal access request. In the embodiment of the present invention, the gateway device can detect whether the WEB request is a URL splicing behavior by detecting whether the first HASH value is the same as the second HASH value, and intercept the WEB request if the WEB request is the URL splicing behavior. The gateway equipment can protect all data of the WEB server which passes through the gateway equipment proxy, and avoids illegal access, tampering and leakage of the data in the WEB server.
Drawings
Fig. 1 is a schematic diagram of a network topology according to an embodiment of the present invention;
fig. 2 is a schematic flow chart illustrating an implementation of another abnormal access detection method according to an embodiment of the present invention;
fig. 3 is a schematic flow chart illustrating an implementation of another abnormal access detection method according to an embodiment of the present invention;
fig. 4 is a schematic flow chart illustrating an implementation of another abnormal access detection method according to an embodiment of the present invention;
fig. 5 is a schematic flow chart illustrating an implementation of another abnormal access detection method according to an embodiment of the present invention;
FIG. 6 is a flow chart illustrating a process of determining a second data table according to an embodiment of the present invention;
FIG. 7 is a diagram illustrating an abnormal access detection process according to an embodiment of the present invention;
fig. 8 is a block diagram illustrating an abnormal access detection apparatus according to an embodiment of the present invention;
fig. 9 is a schematic hardware structure diagram of a gateway device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It will be understood that the terms "comprises" and/or "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
The technical means described in the embodiments of the present invention may be arbitrarily combined without conflict.
In addition, in the embodiments of the present invention, "first", "second", and the like are used for distinguishing similar objects, and are not necessarily used for describing a specific order or a sequential order.
In order to explain the technical means of the present invention, the following description will be given by way of specific examples.
Referring to fig. 1, fig. 1 is a schematic diagram of a network topology provided in an embodiment of the present invention, where the network topology includes: terminal devices, gateway devices, and World Wide Web (WEB) servers.
The terminal device can be an electronic device such as a mobile phone, a tablet computer, a computer, and the like.
In the embodiment of the present invention, the gateway device is used as a reverse proxy server, the reverse proxy server (gateway device) is located between the terminal device and the WEB server, the reverse proxy server (gateway device) is equivalent to the WEB server for the terminal device, and the terminal device can obtain the resources of the WEB server by directly accessing the reverse proxy server (gateway device).
The reverse proxy process of the reverse proxy server is as follows: the WEB request sent by the terminal equipment to the WEB server is sent to the reverse proxy server, and the reverse proxy server forwards the WEB request to the WEB server after receiving the WEB request of the terminal equipment. And after receiving the WEB request, the WEB server responds to the WEB request and sends a WEB response to the reverse proxy server. And the reverse proxy server receives the WEB response, rewrites the URL address in the WEB response and sends the rewritten WEB response to the terminal equipment. The reverse proxy server needs to rewrite a URL address in the WEB response, for example, an internal network address of an enterprise is 1.1.1.1, in the reverse proxy process, a hyperlink address in the WEB response obtained by the reverse proxy server is 1.1.1.1, and the terminal device cannot click to access the internal network address, and the terminal device can click to access only when the internal network address is rewritten to the www.xx.com format. Therefore, the reverse proxy server needs to rewrite the URL address in the WEB response to the URL address accessible to the terminal device.
The URL address carries parameters, such as user information, host name, and port number, in addition to the resource address of the access object. The parameters and the resource address are spliced together to form a complete URL address, and the mobile terminal can access the access object through the URL address. Since the parameters are not hidden, it is not difficult for network hackers to steal the parameters, and the network hackers can obtain complete URL addresses by URL splicing, thereby realizing unauthorized access. Therefore, the related art can illegally access, tamper and reveal data in the WEB server through URL splicing. However, the related art cannot recognize the URL splicing behavior of the hacker, and can detect the unauthorized access of the hacker only through complicated authority verification.
In the embodiment of the present invention, when rewriting a URL address in a WEB response, the gateway device obtains a HASH value of the URL address, and splices the HASH value in the URL address. The HASH value is a group of binary values obtained by encrypting the file content through a certain HASH algorithm, and the HASH values obtained by different file contents are different, so that the HASH value can be used for judging the uniqueness of the file content. The Hash Algorithm may be an information Digest Algorithm (MD5, Message Digest Algorithm5) or a Secure Hash Algorithm (SHA, Secure Hash Algorithm). And then the gateway equipment sends the WEB response carrying the rewritten URL address to the terminal equipment, and after the terminal equipment receives the WEB response, if the terminal equipment needs to access an access object corresponding to the URL address, the terminal equipment can access the access object only through the URL address carrying the HASH value. In addition, the gateway device is used as a reverse proxy server and externally represented as a WEB server, and the difference is that the gateway device does not store the real data of any WEB page, and the real data of all WEB pages are stored on the WEB server. Therefore, the attack on the gateway equipment can not damage the webpage information, and the security of the WEB server is enhanced. Secondly, the gateway device is used for transferring the WEB request of the terminal device, so that the loads of a network and a WEB server can be reduced, and the access efficiency is improved.
In practical applications, the gateway device may be a zero trust gateway device, where zero trust is a network architecture, and the core idea of the zero trust network architecture is "untrusted and always authenticated", that is, an enterprise should not trust any person, device, and system inside or outside the network, and should authenticate any person, device, and system attempting to access the enterprise system before authorization. Here, the zero trust gateway device is used to authenticate users, devices, and systems in addition to HASH values for URL addresses. The zero trust gateway receives the WEB request sent by the terminal equipment, verifies the terminal equipment and the user corresponding to the WEB request, and only the terminal equipment and the user which pass the verification need to have enough authority to access the WEB server. Through the zero trust gateway equipment, the security of data in the WEB server can be improved, and the data in the WEB server is prevented from being illegally accessed, tampered and leaked.
Fig. 2 is a schematic diagram of an implementation flow of an abnormal access detection method provided in an embodiment of the present invention, where an execution subject of the method is the gateway device in fig. 1. Referring to fig. 2, the abnormal access detecting method includes:
s101, receiving a first URL in the first WEB request.
The WEB requests sent to the WEB server by the terminal equipment are all sent to the gateway equipment, and the gateway equipment receives the WEB requests sent by the terminal equipment and acquires the first URL in the first WEB request. In practical application, a WEB request consists of four parts, namely a request line (request line), a request header (header), a null line and request data. Where the URL is located in the request line.
Because the first WEB request needs to pass through the gateway device, all contents in the first WEB request are plaintext for the gateway, the gateway device analyzes the first WEB request sent by the terminal device, acquires a first URL in the first WEB request, wherein the first URL refers to a resource address of an access object corresponding to the first WEB request, and can be positioned to a resource position where the access object is located on a WEB server corresponding to the access object according to the resource address.
S102, determining whether the first URL carries a first HASH value.
Here, the first HASH value is a HASH value carried in the first URL. In an embodiment of the present invention, a location of the first HASH value in the first URL may be set, and if the first URL carries the first HASH value, but the location of the carried first HASH value in the first URL does not match the set location, it is determined that the first URL does not carry the first HASH value. For example, suppose the first URL is "https:// www.xxxxx.com/6264858. html", if the first HASH value is set in the first URL at a position midway between com and html, and the first HASH value is 6264858, then the first URL is considered to carry the first HASH value. Determining that the first URL carries the first HASH value only if the first HASH value is located correctly in the first URL.
S103, under the condition that the first URL carries the first HASH value, detecting whether the first HASH value is the same as the second HASH value or not to obtain a detection result; the second HASH value is obtained by the gateway device and spliced in a second URL; the access objects of the first URL and the second URL are the same.
And if the first URL carries the first HASH value, detecting whether the first HASH value is the same as the second HASH value, and obtaining a detection result. The second HASH value is a HASH value in the second URL, and the access objects of the first URL and the second URL are the same, that is, the first URL and the second URL may be different except for the HASH value or the position of the HASH value in the URL, and the other parameters are the same.
The second HASH value is obtained by the gateway device and is spliced in the second URL, and as for the generation method of the second URL, referring to fig. 3, in an embodiment, the abnormal access detection method further includes:
s301, obtaining the second HASH value based on a fourth URL.
In practical applications, the gateway device may obtain the second Hash value of the fourth URL according to a Hash-based Message Authentication Code (HMAC) Algorithm, an information Digest Algorithm (MD5, Message Digest Algorithm5), or a Secure Hash Algorithm (SHA). Here, the fourth URL is a resource address corresponding to the access object, that is, a URL address not carrying a HASH value.
Further, the obtaining the second HASH value based on the fourth URL includes:
acquiring the second HASH value based on the fourth URL and setting information; the setting information at least comprises a corresponding random code when the terminal equipment logs in the gateway equipment.
The terminal equipment can send the WEB request to the gateway equipment after logging in the gateway equipment. In the embodiment of the invention, when the terminal equipment logs in the gateway equipment, the gateway equipment sends a random code generated randomly to the terminal equipment, and the terminal equipment can successfully log in the gateway equipment after being verified by the random code.
The gateway equipment can acquire the second HASH value based on the random code and the fourth URL, so that the random codes generated by the gateway equipment are different when the terminal equipment logs in the gateway equipment every time, and the second HASH value acquired by the gateway equipment every time is different, so that the difficulty of cracking the second HASH value is increased, and the security of data in the WEB server is improved.
Further, the setting information further includes any one or more of the following items:
the terminal equipment logs in the user information used by the gateway equipment;
and the terminal equipment accesses the key carried in the WEB request of the access object.
When the terminal device logs in the gateway device, the terminal device needs a random code and user information capable of representing the user identity, such as an identity card number, a user name and the like.
And the key carried in the WEB request for accessing the access object by the terminal equipment can be a login password for logging in the gateway equipment by the terminal equipment or a login password for logging in the WEB server by the terminal equipment.
S302, the second HASH value is spliced in the fourth URL to obtain the second URL, so that the terminal equipment accesses the access object according to the second URL; and the fourth URL is a resource address corresponding to the access object.
The gateway device may stitch the second HASH value in the fourth URL by string stitching, for example, assuming that the fourth URL is "https:// www.xxxxx.com.html" and the second HASH value is 6264858, the second URL carrying the second HASH value is obtained by string stitching, and the second URL is "https:// www.xxxxx.com/6264858. html".
And the gateway equipment sends the second URL carrying the second HASH value to the terminal equipment so that the terminal equipment accesses the access object according to the second URL. That is, the terminal device can only access the access object through the second URL carrying the second HSAH value, and the terminal device cannot access the access object according to the fourth URL any more. In this way, since other terminals cannot know the second HASH value except the terminal device, the second URL cannot be spliced out, and thus the unauthorized access behavior cannot be made.
In practical applications, the gateway device may store the second HASH value in the gateway device in advance, and read the second HASH value when detecting whether the first HASH value and the second HASH value are the same.
And S104, determining that the first WEB request is an abnormal access request under the condition that the detection result represents that the first HASH value is different from the second HASH value.
If the detection result indicates that the first HASH value is different from the second HASH value, it indicates that the first WEB request is not sent by the terminal device, and the first URL in the first WEB request is generated by the URL splicing behavior of other terminal devices, so that it is determined that the first WEB request is an abnormal access request.
In practical application, for an abnormal access request, the gateway device can intercept the abnormal access request and send early warning information to the terminal device.
The embodiment of the invention receives a first URL in a first WEB request; determining whether the first URL carries a first HASH value; under the condition that the first URL carries the first HASH value, detecting whether the first HASH value is the same as the second HASH value or not to obtain a detection result; the second HASH value is obtained by the gateway equipment and spliced in the second URL; the access objects of the first URL and the second URL are the same; and under the condition that the detection result represents that the first HASH value is different from the second HASH value, determining that the first WEB request is an abnormal access request. In the embodiment of the invention, the gateway device can detect the URL splicing behavior by detecting whether the first HASH value is the same as the second HASH value, and intercept unauthorized access caused by the URL splicing behavior. The gateway equipment can protect all WEB servers which pass through the gateway equipment proxy, and illegal access, tampering and leakage of data in the WEB servers are avoided.
Further, referring to fig. 4, in the above embodiment, the abnormal access detection method further includes:
s401, under the condition that the first URL does not carry the first HASH value, determining whether the first URL is in a set first data table; when the first URL is stored in the first data table, the corresponding first WEB request is a normal access request.
In the above embodiment, all URLs carry HASH values, and access is normal only if the HASH values are correct. However, in some cases, the URLs in some WEB requests do not carry HASH values, but these accesses are normal. For example, in the home page of a part of Office Automation (OA), a user is used to directly input home addresses for access from a use point of view, and the home addresses do not need to be data-protected and can be accessed by any user.
In the embodiment of the invention, the URLs corresponding to all normal access requests are written into the set first database, and under the condition that the first URL does not carry the first HASH value, whether the first URL is in the set first data table is determined, and if the first URL is in the set first data table, the WEB request corresponding to the first URL is a normal access request.
According to the embodiment of the invention, the first data table is required to be determined in advance, and the abnormality detection can be carried out on the WEB request according to the first data table.
Referring to fig. 5, in an embodiment, before receiving the first WEB request, the method for detecting abnormal access further includes:
determining the first data table.
The determining the first data table includes:
s501, receiving a second WEB request about the access object; and the third URL in the second WEB request does not carry a HASH value.
In the embodiment of the present invention, the third URL does not carry a HASH value.
S502, determining the number of users initiating the second WEB request according to the received second WEB request.
The second WEB request carries user identity information, and the user information in the second WEB request is recorded every time the second WEB request is received. And determining the number of users initiating the second WEB request, and recording the corresponding number of users as 1 for multiple accesses of the same user. For example, if the user a initiates the second WEB request 3 times, and the user B initiates the WEB request 2 times, the number of users initiating the second WEB request is 2.
And S503, writing the third URL into the first data table under the condition that the number of the users is larger than a set value.
If the number of the users initiating the second WEB request is larger than the set value, the number of the users initiating the second WEB request is large, the second WEB request can be considered to be a normal access request, a third URL in the second WEB request is written into a first data table, and the WEB request corresponding to the URL in the first data table is a normal access request.
Further, when determining the number of users initiating the second WEB request according to the received second WEB request, the method includes:
and writing the third URL into a second data table when the second WEB request is received for the first time, and updating the number of users corresponding to the third URL in the second data table in real time according to the received second WEB request.
And writing the third URL into the second data table when the second WEB request is received for the first time, and recording user information corresponding to the third URL in the second data table, wherein the number of users corresponds to the number of different user information in the second data table. And the gateway equipment updates the number of users corresponding to the third URL in the second data table in real time according to the received second WEB request, and writes the third URL into the first data table under the condition that the number of users corresponding to the third URL is greater than a set value.
S402, determining the first WEB request as an abnormal access request under the condition that the first URL is not in the set first data table.
And if the first URL is not in the set first data table, determining that the first WEB request corresponding to the first URL is an abnormal access request.
For those URLs which are not in the set first data table, the number of visitors is small, and the access is possible to be a hacker access behavior, and the WEB requests corresponding to the URLs are determined as abnormal access requests. In practical application, for the URLs which are not written into the first data table, the user can log in the gateway device to apply for writing the URLs into the first data table, and the administrator can log in the gateway device to approve or reject the application of the user.
Referring to fig. 6, fig. 6 is a schematic diagram of a process for determining a second data table according to an embodiment of the present invention, where the process for determining the second data table includes:
s601, obtaining the URL in the WEB request.
And S602, judging whether the URL carries a HASH value.
If the HASH value is carried, the flow is ended. If the HASH value is not carried, step S603 is performed.
S603, judging whether the URL and the corresponding user information are stored in a database.
Here, the database refers to the second data table in the above embodiment.
If the URL and corresponding user information are stored in the database, the process ends. If the URL and the corresponding user information are not stored in the database, step S604 is performed.
S604, writing the URL and the corresponding user information into the database.
Referring to fig. 7, fig. 7 is a schematic diagram of an abnormal access detection process provided by an application embodiment of the present invention, where the abnormal access detection process includes:
s701, the gateway equipment receives a WEB request.
And S702, judging whether the URL in the WEB request carries a HASH value.
If the HASH value is carried, S703 is performed. If no HASH value is carried, S706 is performed.
And S703, judging whether the HASH value is correct.
If the HASH value is correct, S704 is performed. If the HASH value is erroneous, S705 is performed.
S704, determining the WEB request as a normal access request.
S705, determining the WEB request as an abnormal access request.
S706, judging whether the URL in the WEB request is in a white list.
Here, the white list is the first data table set in the above embodiment.
If the URL is in the white list, S704 is performed. If the URL is not in the white list, S705 is performed.
In the application embodiment of the invention, the gateway device receives the WEB request sent by the terminal device, acquires the URL in the WEB request, judges whether the HASH value in the URL is correct, determines the WEB request as a normal access request under the condition that the HASH value is correct, and otherwise determines the WEB request as an abnormal access request. And for the URL not carrying the HASH value, determining that the WEB request is a normal access request and otherwise determining that the WEB request is an abnormal access request by judging whether the URL is in a white list or not and determining that the URL is in the white list. The embodiment of the invention can detect the URL splicing behavior and intercept unauthorized access caused by the URL splicing behavior. The gateway equipment can protect all WEB servers which pass through the gateway equipment proxy, and illegal access, tampering and leakage of data in the WEB servers are avoided.
It should be understood that, the sequence numbers of the steps in the foregoing embodiments do not imply an execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation to the implementation process of the embodiments of the present invention.
Referring to fig. 8, fig. 8 is a schematic diagram of an abnormal access detection apparatus according to an embodiment of the present invention, as shown in fig. 8, the apparatus includes: the device comprises a receiving module, a first determining module, a detecting module and a second determining module.
The receiving module is used for receiving a first Uniform Resource Locator (URL) in a first global area network (WWAN) WEB request;
a first determining module, configured to determine whether the first URL carries a first hashed HASH value;
a detection module, configured to detect whether the first HASH value is the same as the second HASH value when the first URL carries the first HASH value, so as to obtain a detection result; the second HASH value is obtained by the gateway device and spliced in a second URL; the access objects of the first URL and the second URL are the same;
and the second determining module is used for determining that the first WEB request is an abnormal access request under the condition that the detection result represents that the first HASH value is different from the second HASH value.
The device further comprises:
a third determining module, configured to determine whether the first URL is in a set first data table when the first URL does not carry the first HASH value; when the first URL is stored in the first data table, the corresponding first WEB request is a normal access request;
and the fourth determining module is used for determining that the first WEB request is an abnormal access request under the condition that the first URL is not in the set first data table.
Before receiving the first WEB request, the apparatus further includes:
a fifth determining module, configured to determine the first data table;
the device further comprises:
the second receiving module is used for receiving a second WEB request for accessing the object; a third URL in the second WEB request does not carry a HASH value;
a sixth determining module, configured to determine, according to the received second WEB request, the number of users who initiate the second WEB request;
and the writing module is used for writing the third URL into the first data table under the condition that the number of the users is larger than a set value.
The write module is specifically configured to: and writing the third URL into a second data table when the second WEB request is received for the first time, and updating the number of users corresponding to the third URL in the second data table in real time according to the received second WEB request.
The device further comprises:
an obtaining module, configured to obtain the second HASH value based on a fourth URL;
the splicing module is used for splicing the second HASH value into the fourth URL to obtain the second URL, so that the terminal device accesses the access object according to the second URL; wherein the content of the first and second substances,
and the fourth URL is a resource address corresponding to the access object.
The acquisition module is specifically configured to: acquiring the second HASH value based on the fourth URL and setting information; the setting information at least comprises a corresponding random code when the terminal equipment logs in the gateway equipment.
The setting information further comprises any one or more of the following items:
the terminal equipment logs in the user information used by the gateway equipment;
and the terminal equipment accesses the key carried in the WEB request of the access object.
It should be noted that: in the abnormal access detection apparatus provided in the foregoing embodiment, when performing abnormal access detection, only the division of the modules is exemplified, and in practical applications, the processing may be distributed to different modules according to needs, that is, the internal structure of the apparatus may be divided into different modules to complete all or part of the processing described above. In addition, the abnormal access detection apparatus provided in the above embodiment and the abnormal access detection method embodiment belong to the same concept, and specific implementation processes thereof are described in the method embodiment and are not described herein again.
Fig. 9 is a schematic diagram of a gateway device according to an embodiment of the present invention. The gateway apparatus includes: cell phones, tablets, servers, etc. As shown in fig. 9, the gateway apparatus of this embodiment includes: a processor, a memory, and a computer program stored in the memory and executable on the processor. The processor, when executing the computer program, implements the steps in the various method embodiments described above, such as steps 101 to 104 shown in fig. 1. Alternatively, the processor, when executing the computer program, implements the functions of the modules in the above device embodiments, such as the functions of the receiving module, the first determining module, the detecting module, and the second determining module shown in fig. 8.
Illustratively, the computer program may be partitioned into one or more modules that are stored in the memory and executed by the processor to implement the invention. The one or more modules may be a series of computer program instruction segments capable of performing specific functions, which are used to describe the execution of the computer program in the gateway device.
The gateway device may include, but is not limited to, a processor, a memory. Those skilled in the art will appreciate that fig. 9 is merely an example of a gateway device and is not intended to be limiting and may include more or fewer components than shown, or some components may be combined, or different components, e.g., the gateway device may also include input-output devices, network access devices, buses, etc.
The Processor may be a Central Processing Unit (CPU), other general purpose Processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), an off-the-shelf Programmable Gate Array (FPGA) or other Programmable logic device, discrete Gate or transistor logic, discrete hardware components, etc. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
The memory may be an internal storage unit of the gateway device, such as a hard disk or a memory of the gateway device. The memory may also be an external storage device of the gateway device, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), and the like, provided on the gateway device. Further, the memory may also include both an internal storage unit and an external storage device of the gateway device. The memory is used for storing the computer program and other programs and data required by the gateway device. The memory may also be used to temporarily store data that has been output or is to be output.
It will be apparent to those skilled in the art that, for convenience and brevity of description, only the above-mentioned division of the functional units and modules is illustrated, and in practical applications, the above-mentioned function distribution may be performed by different functional units and modules according to needs, that is, the internal structure of the apparatus is divided into different functional units or modules to perform all or part of the above-mentioned functions. Each functional unit and module in the embodiments may be integrated in one processing unit, or each unit may exist alone physically, or two or more units are integrated in one unit, and the integrated unit may be implemented in a form of hardware, or in a form of software functional unit. In addition, specific names of the functional units and modules are only for convenience of distinguishing from each other, and are not used for limiting the protection scope of the present application. The specific working processes of the units and modules in the system may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the above embodiments, the descriptions of the respective embodiments have respective emphasis, and reference may be made to the related descriptions of other embodiments for parts that are not described or illustrated in a certain embodiment.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
In the embodiments provided by the present invention, it should be understood that the disclosed apparatus/gateway device and method may be implemented in other ways. For example, the above-described apparatus/gateway device embodiments are merely illustrative, and for example, the division of the modules or units is only one logical division, and there may be other divisions when actually implemented, for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated modules/units, if implemented in the form of software functional units and sold or used as separate products, may be stored in a computer readable storage medium. Based on such understanding, all or part of the flow of the method according to the embodiments of the present invention may also be implemented by a computer program, which may be stored in a computer-readable storage medium, and when the computer program is executed by a processor, the steps of the method embodiments may be implemented. Wherein the computer program comprises computer program code, which may be in the form of source code, object code, an executable file or some intermediate form, etc. The computer-readable medium may include: any entity or device capable of carrying the computer program code, recording medium, usb disk, removable hard disk, magnetic disk, optical disk, computer Memory, Read-Only Memory (ROM), Random Access Memory (RAM), electrical carrier wave signals, telecommunications signals, software distribution medium, and the like. It should be noted that the computer readable medium may contain content that is subject to appropriate increase or decrease as required by legislation and patent practice in jurisdictions, for example, in some jurisdictions, computer readable media does not include electrical carrier signals and telecommunications signals as is required by legislation and patent practice.
The above-mentioned embodiments are only used for illustrating the technical solutions of the present invention, and not for limiting the same; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; such modifications and substitutions do not substantially depart from the spirit and scope of the embodiments of the present invention, and are intended to be included within the scope of the present invention.
Claims (10)
1. An abnormal access detection method applied to a gateway device is characterized by comprising the following steps:
receiving a first Uniform Resource Locator (URL) in a first global area network (WWAN) WEB request;
determining whether the first URL carries a first hashed HASH value;
under the condition that the first URL carries the first HASH value, detecting whether the first HASH value is the same as the second HASH value or not to obtain a detection result; the second HASH value is obtained by the gateway device and spliced in a second URL; the access objects of the first URL and the second URL are the same;
and under the condition that the detection result represents that the first HASH value is different from the second HASH value, determining that the first WEB request is an abnormal access request.
2. The method of claim 1, further comprising:
determining whether the first URL is in a set first data table or not under the condition that the first URL does not carry the first HASH value; when the first URL is stored in the first data table, the corresponding first WEB request is a normal access request;
and determining that the first WEB request is an abnormal access request under the condition that the first URL is not in the set first data table.
3. The method according to claim 2, wherein before receiving the first WEB request, the method further comprises:
determining the first data table;
the determining the first data table includes:
receiving a second WEB request for accessing the object; a third URL in the second WEB request does not carry a HASH value;
determining the number of users initiating the second WEB request according to the received second WEB request;
and writing the third URL into the first data table under the condition that the number of the users is larger than a set value.
4. The method according to claim 3, wherein when determining the number of users initiating the second WEB request according to the received second WEB request, the method comprises:
and writing the third URL into a second data table when the second WEB request is received for the first time, and updating the number of users corresponding to the third URL in the second data table in real time according to the received second WEB request.
5. The method of claim 1, further comprising:
obtaining the second HASH value based on a fourth URL;
splicing the second HASH value in the fourth URL to obtain a second URL, so that the terminal equipment accesses the access object according to the second URL; wherein the content of the first and second substances,
and the fourth URL is a resource address corresponding to the access object.
6. The method of claim 5, wherein obtaining the second HASH value based on a fourth URL comprises:
acquiring the second HASH value based on the fourth URL and setting information; the setting information at least comprises a corresponding random code when the terminal equipment logs in the gateway equipment.
7. The method of claim 6, wherein the setting information further comprises any one or more of:
the terminal equipment logs in the user information used by the gateway equipment;
and the terminal equipment accesses the key carried in the WEB request of the access object.
8. An abnormal access detection apparatus, comprising:
the receiving module is used for receiving a first URL in the first WEB request;
a first determining module, configured to determine whether the first URL carries a first HASH value;
a detection module, configured to detect whether the first HASH value is the same as the second HASH value when the first URL carries the first HASH value, so as to obtain a detection result; the second HASH value is obtained by the gateway device and spliced in a second URL; the access objects of the first URL and the second URL are the same;
and the second determining module is used for determining that the first WEB request is an abnormal access request under the condition that the detection result represents that the first HASH value is different from the second HASH value.
9. A gateway device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor implements the abnormal access detection method of any one of claims 1 to 7 when executing the computer program.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program comprising program instructions that, when executed by a processor, cause the processor to perform the abnormal access detection method according to any one of claims 1 to 7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010538249.3A CN111800390A (en) | 2020-06-12 | 2020-06-12 | Abnormal access detection method, device, gateway equipment and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010538249.3A CN111800390A (en) | 2020-06-12 | 2020-06-12 | Abnormal access detection method, device, gateway equipment and storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN111800390A true CN111800390A (en) | 2020-10-20 |
Family
ID=72804432
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202010538249.3A Pending CN111800390A (en) | 2020-06-12 | 2020-06-12 | Abnormal access detection method, device, gateway equipment and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN111800390A (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115189904A (en) * | 2022-05-06 | 2022-10-14 | 国网湖北省电力有限公司信息通信公司 | SDP-based power Internet of things and networking method |
| CN115499274A (en) * | 2022-09-30 | 2022-12-20 | 中国银行股份有限公司 | Splicing parameter gateway routing method and system, electronic equipment and storage medium |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20060149730A1 (en) * | 2004-12-30 | 2006-07-06 | Curtis James R | Client authenticated web browser with access approval mechanism |
| GB0617113D0 (en) * | 2006-08-31 | 2006-10-11 | Purepages Group Ltd | Improvements in and relating to internet content filtering |
| CN101695164A (en) * | 2009-09-28 | 2010-04-14 | 华为技术有限公司 | Verification method, device and system for controlling resource access |
| US20110035437A1 (en) * | 2009-08-10 | 2011-02-10 | Hitachi, Ltd. | Gateway System and Control Method |
| US20190334948A1 (en) * | 2016-12-16 | 2019-10-31 | Huawei Technologies Co., Ltd. | Webshell detection method and apparatus |
-
2020
- 2020-06-12 CN CN202010538249.3A patent/CN111800390A/en active Pending
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20060149730A1 (en) * | 2004-12-30 | 2006-07-06 | Curtis James R | Client authenticated web browser with access approval mechanism |
| GB0617113D0 (en) * | 2006-08-31 | 2006-10-11 | Purepages Group Ltd | Improvements in and relating to internet content filtering |
| US20110035437A1 (en) * | 2009-08-10 | 2011-02-10 | Hitachi, Ltd. | Gateway System and Control Method |
| CN101695164A (en) * | 2009-09-28 | 2010-04-14 | 华为技术有限公司 | Verification method, device and system for controlling resource access |
| US20190334948A1 (en) * | 2016-12-16 | 2019-10-31 | Huawei Technologies Co., Ltd. | Webshell detection method and apparatus |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115189904A (en) * | 2022-05-06 | 2022-10-14 | 国网湖北省电力有限公司信息通信公司 | SDP-based power Internet of things and networking method |
| CN115499274A (en) * | 2022-09-30 | 2022-12-20 | 中国银行股份有限公司 | Splicing parameter gateway routing method and system, electronic equipment and storage medium |
| CN115499274B (en) * | 2022-09-30 | 2024-03-22 | 中国银行股份有限公司 | Splicing parameter gateway routing method and system, electronic equipment and storage medium |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11165579B2 (en) | Decentralized data authentication | |
| CN108632253B (en) | Client data security access method and device based on mobile terminal | |
| US20190050598A1 (en) | Secure data storage | |
| CN108989346B (en) | Third-party valid identity escrow agile authentication access method based on account hiding | |
| CN108259514B (en) | Vulnerability detection method and device, computer equipment and storage medium | |
| CN110908786A (en) | Intelligent contract calling method, device and medium | |
| US20210399897A1 (en) | Protection of online applications and webpages using a blockchain | |
| CN114372276A (en) | Data security protection method and device, electronic equipment and storage medium | |
| CN111800390A (en) | Abnormal access detection method, device, gateway equipment and storage medium | |
| CN111367923A (en) | Data processing method, data processing device, node equipment and storage medium | |
| EP3696698A1 (en) | Method of protecting a software program against tampering | |
| CN110443039A (en) | Detection method, device and the electronic equipment of plug-in security | |
| CN114040411A (en) | Equipment binding method and device, electronic equipment and storage medium | |
| CN112632573A (en) | Intelligent contract execution method, device and system, storage medium and electronic equipment | |
| CN113378147A (en) | Method for user to log in service platform | |
| CN116996305A (en) | Multi-level security authentication method, system, equipment, storage medium and entry gateway | |
| CN109302442B (en) | Data storage proving method and related equipment | |
| CN115114657A (en) | Data protection method, electronic device and computer storage medium | |
| CN112149097B (en) | Identity authentication method, device, equipment and storage medium | |
| CN111046440B (en) | Tamper verification method and system for secure area content | |
| CN113596014A (en) | Access vulnerability detection method and device and electronic equipment | |
| CN108449753B (en) | Method for reading data in trusted computing environment by mobile phone device | |
| CN111459899A (en) | Log sharing method and device and terminal equipment | |
| CN112738005A (en) | Access processing method, device, system, first authentication server and storage medium | |
| CN111711612B (en) | Communication control method, method and device for processing communication request |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20201020 |