CN112398788A - Bidirectional verification method, device and system for machine behavior, storage medium and electronic device - Google Patents


Info

Publication number
CN112398788A
Authority
CN
China
Prior art keywords
behavior
information
request
query request
valid
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201910755476.9A
Other languages
Chinese (zh)
Inventor
付旻
李博
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Qianxin Technology Group Co Ltd
Qianxin Safety Technology Zhuhai Co Ltd
Original Assignee
Qianxin Technology Group Co Ltd
Qianxin Safety Technology Zhuhai Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Qianxin Technology Group Co Ltd, Qianxin Safety Technology Zhuhai Co Ltd
Priority to CN201910755476.9A
Publication of CN112398788A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3297 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving time stamps, e.g. generation of time stamps

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a bidirectional verification method, device, system, storage medium and electronic device for machine behavior. The method comprises the following steps: receiving behavior credential information reported by a first device, wherein the behavior credential information is generated when the first device initiates a target behavior request to a second device; judging whether the behavior credential information is valid; when the behavior credential information is valid, storing it; and when the second device receives the target behavior request, verifying the target behavior request according to the behavior credential information. The invention solves the technical problem that, in the related art, machine behavior can only be verified by means of an account password.

Description

Bidirectional verification method, device and system for machine behavior, storage medium and electronic device
Technical Field
The invention relates to the field of network security, in particular to a bidirectional verification method, a device, a system, a storage medium and an electronic device for machine behaviors.
Background
In the related art, when a service system administrator manages a server or a remote device, remote login management is usually adopted, with different remote management methods chosen according to the service. For example, the Windows operating system of a server is usually managed in C/S mode: a terminal connects to the Telnet server program on the managed server through a Telnet (remote terminal protocol) client program. Web service systems such as websites, mail, forums and OA (Office Automation) systems are usually managed in B/S mode: a browser on the terminal logs in through the management page provided by the corresponding Web service.
Whichever remote management mode is used, the security check consists of single-ended 'user name + password' authentication, intended to prevent illegal login. In terms of actual security effect, however, this protection does not achieve the expected result: cases in which a legitimate user name and password are obtained for illegal login by weak-password guessing, brute-force cracking (blasting) and similar means account for more than 30% of successful attacks overall, so the login mode in the related art has serious security defects.
In view of the above problems in the related art, no effective solution has been found at present.
Disclosure of Invention
The embodiment of the invention provides a bidirectional verification method, a device, a system, a storage medium and an electronic device for machine behaviors.
According to an embodiment of the invention, a bidirectional verification method for machine behavior is provided, which includes: receiving behavior credential information reported by a first device, wherein the behavior credential information is generated when the first device initiates a target behavior request to a second device; judging whether the behavior credential information is valid; when the behavior credential information is valid, storing it; and when the second device receives the target behavior request, verifying the target behavior request according to the behavior credential information.
Optionally, the behavior credential information includes the IP address of the first device, the device identifier of the first device and a first timestamp, and determining whether the behavior credential information is valid includes: decrypting the behavior credential information; when decryption fails, determining that the behavior credential information is invalid; when decryption succeeds, judging according to the first timestamp whether the behavior credential information has expired; when it has not expired, determining that it is valid; and when it has expired, determining that it is invalid.
Optionally, verifying the target behavior request according to the behavior credential information includes: receiving a query request from the second device; judging whether the query request is valid; and when the query request is valid, issuing the behavior credential information to the second device according to the query request, so that the second device verifies the target behavior request according to the behavior credential information.
Optionally, the query request includes a second timestamp, and determining whether the query request is valid includes: decrypting the query request; when decryption fails, determining that the query request is invalid; when decryption succeeds, judging according to the second timestamp whether the query request has expired; when it has not expired, determining that the query request is valid; and when it has expired, determining that the query request is invalid.
Optionally, verifying the target behavior request according to the behavior credential information includes: receiving verification request information reported by the second device; verifying according to the verification request information whether the behavior credential information is legal; when the behavior credential information is legal, sending first indication information to the second device; and when the behavior credential information is illegal, sending second indication information to the second device, wherein the first indication information indicates that the target behavior request is allowed on the second device, and the second indication information indicates that the target behavior request is to be blocked or alarmed on the second device.
Optionally, verifying according to the verification request information whether the behavior credential information is legal includes: judging according to the verification request information whether the first device is a legal device allowed by the second device; when it is, determining that the behavior credential information is legal; and when it is not, determining that the behavior credential information is illegal.
Optionally, verifying the target behavior request according to the behavior credential information includes one of the following: verifying web access behavior according to the behavior credential information; and verifying Remote Desktop Protocol (RDP) login behavior according to the behavior credential information.
According to another embodiment of the present invention, there is provided a bidirectional verification apparatus for machine behavior, including: a receiving module, configured to receive behavior credential information reported by a first device, where the behavior credential information is generated when the first device initiates a target behavior request to a second device; a judging module, configured to judge whether the behavior credential information is valid; a storage module, configured to store the behavior credential information when it is valid; and a verification module, configured to verify the target behavior request according to the behavior credential information when the second device receives the target behavior request.
Optionally, the behavior credential information includes the IP address of the first device, the device identifier of the first device and a first timestamp, and the judging module includes: a decryption unit, configured to decrypt the behavior credential information; a processing unit, configured to determine that the behavior credential information is invalid when decryption fails and, when decryption succeeds, to judge according to the first timestamp whether the behavior credential information has expired; and a determining unit, configured to determine that the behavior credential information is valid when it has not expired and invalid when it has expired.
Optionally, the verification module includes: a first receiving unit, configured to receive a query request from the second device; a judging unit, configured to judge whether the query request is valid; and an issuing unit, configured to issue the behavior credential information to the second device according to the query request when the query request is valid, so that the second device can verify the target behavior request according to the behavior credential information.
Optionally, the query request includes a second timestamp, and the judging unit includes: a decryption subunit, configured to decrypt the query request; a processing subunit, configured to determine that the query request is invalid when decryption fails and, when decryption succeeds, to judge according to the second timestamp whether the query request has expired; and a determining subunit, configured to determine that the query request is valid when it has not expired and invalid when it has expired.
Optionally, the verification module includes: a second receiving unit, configured to receive verification request information reported by the second device; a first verification unit, configured to verify according to the verification request information whether the behavior credential information is legal; and a determining unit, configured to send first indication information to the second device when the behavior credential information is legal and second indication information when it is illegal, wherein the first indication information indicates that the target behavior request is allowed on the second device, and the second indication information indicates that the target behavior request is to be blocked or alarmed on the second device.
Optionally, the verification unit includes: a judging subunit, configured to judge according to the verification request information whether the first device is a legal device allowed by the second device; and a verification subunit, configured to determine that the behavior credential information is legal when the first device is a legal device allowed by the second device, and illegal when it is not.
Optionally, the verification unit includes one of: a second verification unit, configured to verify web access behavior according to the behavior credential information; and a third verification unit, configured to verify Remote Desktop Protocol (RDP) login behavior according to the behavior credential information.
According to another embodiment of the present invention, there is provided a bidirectional verification system for machine behavior, including: the system comprises a first device, a second device and a central control server connected with the first device and the second device, wherein the first device is used for initiating a target behavior request to the second device; the second device is used for responding to a target behavior request initiated by the first device; the central control server comprises the device according to the embodiment.
According to a further embodiment of the present invention, there is also provided a storage medium having a computer program stored therein, wherein the computer program is arranged to perform the steps of any of the above method embodiments when executed.
According to yet another embodiment of the present invention, there is also provided an electronic device, including a memory in which a computer program is stored and a processor configured to execute the computer program to perform the steps in any of the above method embodiments.
According to the invention, the behavior credential information reported by the first device is received, whether it is valid is judged, it is stored when valid, and finally, when the second device receives the target behavior request, the target behavior request is verified according to the behavior credential information. Device access is thus controlled through bidirectional, associated verification, which solves the technical problem that, in the related art, machine behavior can only be verified through an account password. Illegal behavior arising from weak passwords, password leakage, password brute-forcing and the like can be avoided, and the security of remote login is improved.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:
FIG. 1 is a block diagram of a hardware architecture of a bidirectional verification server for machine behavior according to an embodiment of the present invention;
FIG. 2 is a flow diagram of a method for bi-directional verification of machine behavior in accordance with an embodiment of the present invention;
FIG. 3 is a flowchart of receiving a dotting report according to an embodiment of the present invention;
FIG. 4 is a flowchart of the central control server's dotting check according to an embodiment of the present invention;
FIG. 5 is a block diagram of a bi-directional verification device for machine behavior according to an embodiment of the present invention;
FIG. 6 is a block diagram of a system for bi-directional verification of machine behavior according to an embodiment of the invention.
Detailed Description
In order to make the technical solutions better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only partial embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application. It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict.
It should be noted that the terms "first," "second," and the like in the description and claims of this application and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the application described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Example 1
The method provided by the first embodiment of the present application may be executed in a server, a computer, a terminal, or a similar computing device. Taking the example of running on a server, fig. 1 is a hardware structure block diagram of a bidirectional verification server for machine behavior according to an embodiment of the present invention. As shown in fig. 1, the server 10 may include one or more (only one shown in fig. 1) processors 102 (the processors 102 may include, but are not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA) and a memory 104 for storing data, and optionally may also include a transmission device 106 for communication functions and an input-output device 108. It will be understood by those skilled in the art that the structure shown in fig. 1 is only an illustration, and is not intended to limit the structure of the server. For example, the server 10 may also include more or fewer components than shown in FIG. 1, or have a different configuration than shown in FIG. 1.
The memory 104 may be used to store computer programs, for example, software programs and modules of application software, such as a computer program corresponding to a bidirectional checking method of machine behavior in the embodiment of the present invention, and the processor 102 executes various functional applications and data processing by running the computer programs stored in the memory 104, thereby implementing the methods described above. The memory 104 may include high speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, memory 104 may further include memory located remotely from processor 102, which may be connected to server 10 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 106 is used for receiving or transmitting data via a network. Specific examples of the network described above may include a wireless network provided by a communication provider of the server 10. In one example, the transmission device 106 includes a Network adapter (NIC), which can be connected to other Network devices through a base station so as to communicate with the internet. In one example, the transmission device 106 may be a Radio Frequency (RF) module, which is used for communicating with the internet in a wireless manner.
In this embodiment, a bidirectional verification method for a machine behavior is provided, and fig. 2 is a flowchart of a bidirectional verification method for a machine behavior according to an embodiment of the present invention, as shown in fig. 2, the flowchart includes the following steps:
Step S202, receiving behavior credential information reported by a first device, wherein the behavior credential information is generated when the first device initiates a target behavior request to a second device;
The behavior credential information of this embodiment is the dotting (check-in) information uploaded to the server when the first device initiates the target behavior request.
Step S204, judging whether the behavior credential information is valid;
Step S206, when the behavior credential information is valid, saving the behavior credential information;
Step S208, when the second device receives the target behavior request, verifying the target behavior request according to the behavior credential information.
Through the above steps, the behavior credential information reported by the first device is received, whether it is valid is judged, it is stored when valid, and finally, when the second device receives the target behavior request, the target behavior request is verified according to the behavior credential information. Device access is thus controlled through bidirectional, associated verification, which solves the technical problem that, in the related art, machine behavior can only be verified through account passwords. Illegal behavior arising from weak passwords, password leakage, password brute-forcing and the like can be avoided, and the security of remote login is improved.
The behavior credential information of this embodiment may include dynamic behavior information and static information, where the dynamic behavior information may include behavior chain information, process chain information, login window interface, and the like, and the static information includes an IP address, a Uniform Resource Locator (URL) address, a MAC address, and a device identifier (such as a machine unique identifier, MID) of the device.
The scheme of this embodiment may be applied to various login, access and connection modes, such as C/S mode, B/S mode and the like. Communication between the first device and the second device may be relayed or direct, and may use any information transmission and data exchange manner, such as C directly connected to S or S directly connected to C (similar to B/S). The following description is given by way of example:
in the C/S mode scene, when the Windows operating system of the server is managed, the C/S mode can be adopted, and the terminal is connected to the Telnet server program of the managed server end through the Telnet client program for management.
In the B/S mode scenario, when Web service systems such as websites, mails, forums, OAs, etc. are managed, the B/S mode is usually adopted, and a browser is used at a terminal to perform login management through a management page provided by a corresponding Web service.
In one implementation of this embodiment, the behavior credential information includes the IP address of the first device, the device identifier of the first device and a first timestamp, and determining whether the behavior credential information is valid includes:
S11, decrypting the behavior credential information;
S12, when decryption of the behavior credential information fails, determining that the behavior credential information is invalid; when decryption succeeds, judging according to the first timestamp whether the behavior credential information has expired;
The first timestamp of this embodiment is the time at which the first device starts or triggers the target behavior request, or the upload time. Whether the first timestamp has expired is determined against the system time of the central control server: if the first timestamp is later than the system time, or earlier than the system time by too long an interval, it is treated as expired in either case (the same rule applies to the second timestamp described below).
S13, when the behavior credential information has not expired, determining that it is valid; and when it has expired, determining that it is invalid.
Fig. 3 is a flowchart of receiving a dotting report according to this embodiment of the present invention. Besides checking the timestamp, the central control server may also check the interface parameters (the interface parameters are the necessary information collected by the client, including the process information of the remote login, the URL information of the web access and the like, and are used to check whether the device reported by dotting is legal) and check whether the fields in the behavior credential information conform to predetermined rules (for example, whether the fields are complete); if the checks pass, the fields are stored in the local database and the key is written into Redis.
In this embodiment, the verification may be performed on the server side, or on the second device side. The following is illustrated by way of example:
In one example of this embodiment, verifying the target behavior request according to the behavior credential information includes:
S21, receiving a query request from the second device;
S22, judging whether the query request is valid;
Optionally, the query request includes a second timestamp, and determining whether the query request is valid includes: decrypting the query request; when decryption fails, determining that the query request is invalid; when decryption succeeds, judging according to the second timestamp whether the query request has expired; when it has not expired, determining that the query request is valid; and when it has expired, determining that the query request is invalid.
S23, when the query request is valid, issuing the behavior credential information to the second device according to the query request, so that the second device verifies the target behavior request according to the behavior credential information.
The second device configures a legal device list locally; the behavior credential information carries the IP address and device identifier of the first device, and whether the first device is in the legal device list is judged according to that IP address and device identifier, so that access control can be implemented.
In another example of this embodiment, verifying the target behavior request according to the behavior credential information includes:
S31, receiving verification request information reported by the second device;
S32, verifying according to the verification request information whether the behavior credential information is legal;
S33, when the behavior credential information is legal, sending first indication information to the second device; and when the behavior credential information is illegal, sending second indication information to the second device, wherein the first indication information indicates that the target behavior request is allowed on the second device, and the second indication information indicates that the target behavior request is to be blocked or alarmed on the second device.
Fig. 4 is a flowchart of the central control server's dotting verification according to this embodiment of the present invention. In addition to verifying the timestamp, the interface parameters, the decrypted fields and the like may also be verified, and after verification succeeds, the fields carried by the behavior credential information are returned to the second device.
Optionally, verifying according to the verification request information whether the behavior credential information is legal includes: judging according to the verification request information whether the first device is a legal device allowed by the second device; when it is, determining that the behavior credential information is legal; and when it is not, determining that the behavior credential information is illegal.
The server side configures a legal device list for the second device; the behavior credential information carries the IP address and device identifier of the first device, and whether the first device is in the legal device list is judged according to that IP address and device identifier, which helps the second device implement access control.
Optionally, the target behavior request of this embodiment may be any behavior request between machines, and the target behavior request verified according to the behavior credential information may be, but is not limited to: web access behavior, verified according to the behavior credential information; and Remote Desktop Protocol (RDP) login behavior, verified according to the behavior credential information.
A complete implementation of this embodiment is described below by way of an example of this embodiment, and the process includes:
s1, when the client detects the initiation of some behaviors (such as web access, RDP login and the like), the information is integrated with the inherent information (such as IP of the sender, unique identification of the sender and the like) of the client, encrypted and sent to the central control unit
S2, after receiving the information, the central control compares the time stamps according to the time of the central control, if the time difference of the time stamps is too much, the current time is invalid (preventing replay attack), if the time stamps are valid, the current time is stored in the central control in different forms according to different classifications
S3, when the server detects the connection behavior (such as web access, RDP login, etc.), according to the behavior characteristics, the server centrally controls to inquire whether the behavior has a dotting occurrence, if so, the server compares whether the initiator client is in the permission list according to the dotting information, if so, the initiator client is put through the permission list, otherwise, the server prevents the behavior from continuing.
By using the dotting mechanism of the embodiment, an effective trust mechanism can be built between the client and the server, so that behaviors occurring at two ends can be corresponded, and whether the behavior is a legal behavior is judged. Taking windows remote connection as an example, when a client detects that a remote connection client exists, dotting corresponding information to a central control, when a server detects that the connection exists, inquiring whether the connection is in an allowed range by the central control, if so, passing the connection, and if not, blocking the connection, thereby achieving the effect of admission.
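The three steps S1 to S3 above, as an added worked example that is not part of the patent or of the applicant's product: a client agent seals its dotting report, the central control checks the timestamp and stores the record, and the server's query is answered with the allow-list decision. Everything beyond the fields and checks the text names is an assumption: the shared key, the JSON wire format, the HMAC-based envelope standing in for the unspecified encryption, the 30-second freshness window, the `CentralControl` class and function names, and the constructed sample addresses.

```python
import hashlib
import hmac
import json
import os

SHARED_KEY = b"\x01" * 32   # assumed shared secret; the patent does not specify key provisioning
MAX_SKEW_SECONDS = 30       # assumed freshness window for S2 and for the server's query


def _subkeys(key):
    """Derive separate encryption and MAC keys from the shared secret."""
    return hmac.new(key, b"enc", hashlib.sha256).digest(), hmac.new(key, b"mac", hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256 (toy stand-in for a real cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, payload):
    """Encrypt-then-MAC envelope: nonce || ciphertext || tag. Stand-in for an AEAD such as
    AES-GCM so the example runs on the standard library alone; use a vetted library in production."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    pt = json.dumps(payload, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_blob(key, blob):
    """Return the payload, or None when the tag does not verify ("decryption fails")."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))))


def client_dotting(src_ip, device_id, dst_ip, dst_port, behavior, now):
    """S1: the client's inherent info plus the behavior features, sealed for the central control."""
    return seal(SHARED_KEY, {"kind": "dotting", "src_ip": src_ip, "device_id": device_id,
                             "dst_ip": dst_ip, "dst_port": dst_port, "behavior": behavior, "ts": now})


def server_query(dst_ip, dst_port, behavior, src_ip, now):
    """S3: the server asks whether a dotting exists; the query carries its own (second) timestamp."""
    return seal(SHARED_KEY, {"kind": "query", "dst_ip": dst_ip, "dst_port": dst_port,
                             "behavior": behavior, "src_ip": src_ip, "ts": now})


class CentralControl:
    def __init__(self, key, allow_lists, max_skew=MAX_SKEW_SECONDS):
        self.key = key
        self.allow_lists = allow_lists   # server IP -> {(client IP, device id)} configured per second device
        self.max_skew = max_skew
        self.records = {}                # (dst_ip, dst_port, behavior, src_ip) -> stored report

    def _fresh(self, msg, now):
        return abs(now - msg["ts"]) <= self.max_skew

    def receive_dotting(self, blob, now):
        """S2: drop undecryptable or stale reports; store valid ones keyed by the behavior."""
        msg = open_blob(self.key, blob)
        if msg is None or msg.get("kind") != "dotting" or not self._fresh(msg, now):
            return False
        self.records[(msg["dst_ip"], msg["dst_port"], msg["behavior"], msg["src_ip"])] = msg
        return True

    def handle_query(self, blob, now):
        """S3 / S31-S33: validate the query, look up the dotting, apply the allow list."""
        q = open_blob(self.key, blob)
        if q is None or q.get("kind") != "query" or not self._fresh(q, now):
            return "invalid_query"
        report = self.records.pop((q["dst_ip"], q["dst_port"], q["behavior"], q["src_ip"]), None)
        if report is None:
            return "block"               # no dotting: the connection was not initiated by a managed client
        allowed = self.allow_lists.get(q["dst_ip"], set())
        return "allow" if (report["src_ip"], report["device_id"]) in allowed else "block"


def run_demo():
    """Walk the flow for an RDP login using constructed addresses (not real hosts)."""
    cc = CentralControl(SHARED_KEY, {"10.0.0.20": {("10.0.0.5", "host-a")}})
    t0 = 1_700_000_000.0
    r = {}
    r["dotting_accepted"] = cc.receive_dotting(client_dotting("10.0.0.5", "host-a", "10.0.0.20", 3389, "rdp_login", t0), t0)
    r["allowed_rdp"] = cc.handle_query(server_query("10.0.0.20", 3389, "rdp_login", "10.0.0.5", t0 + 1), t0 + 1)
    # Connection with no prior dotting (unmanaged host or spoofed source): blocked.
    r["no_dotting"] = cc.handle_query(server_query("10.0.0.20", 3389, "rdp_login", "10.0.0.99", t0 + 2), t0 + 2)
    # Replayed ten-minute-old dotting: rejected at S2.
    r["stale_accepted"] = cc.receive_dotting(client_dotting("10.0.0.5", "host-a", "10.0.0.20", 3389, "rdp_login", t0 - 600), t0)
    # Managed client that is not on this server's allow list: blocked.
    cc.receive_dotting(client_dotting("10.0.0.7", "host-b", "10.0.0.20", 3389, "rdp_login", t0), t0)
    r["not_allow_listed"] = cc.handle_query(server_query("10.0.0.20", 3389, "rdp_login", "10.0.0.7", t0), t0)
    # Tampered query fails authentication: treated as invalid.
    blob = bytearray(server_query("10.0.0.20", 3389, "rdp_login", "10.0.0.5", t0))
    blob[20] ^= 0x01
    r["tampered_query"] = cc.handle_query(bytes(blob), t0)
    return r


if __name__ == "__main__":
    print(run_demo())
```

One design choice here goes beyond the text: `handle_query` consumes the stored record, so a single dotting answers at most one connection. A timestamp window only bounds replay; within the window an attacker who captured a report could replay it, and consuming the record (or adding a nonce) closes that gap. Note also that the allow-list decision is made on the (IP address, device identifier) pair carried inside the sealed report, not on the connection's source address, which the server cannot trust on its own.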
Through the above description of the embodiments, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by software plus a necessary general hardware platform, and may also be implemented by hardware, the former being the better implementation in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, or a network device) to execute the method according to the embodiments of the present invention.
Example 2
In this embodiment, a bidirectional verification apparatus and system for machine behavior are also provided for implementing the foregoing embodiments and preferred embodiments; details already described are not repeated. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the apparatus described in the following embodiments is preferably implemented in software, an implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
Fig. 5 is a block diagram of a bidirectional verification apparatus for machine behavior according to an embodiment of the present invention. As shown in Fig. 5, the apparatus includes a receiving module 50, a judging module 52, a saving module 54 and a checking module 56, wherein:
a receiving module 50, configured to receive behavior credential information reported by a first device, where the behavior credential information is generated when the first device initiates a target behavior request to a second device;
a judging module 52, configured to judge whether the behavior credential information is valid;
a saving module 54, configured to save the behavior credential information when the behavior credential information is valid;
a checking module 56, configured to verify the target behavior request according to the behavior credential information when the second device receives the target behavior request.
Optionally, the behavior credential information includes the IP address of the first device, the device identifier of the first device and a first timestamp, and the judging module 52 includes: a decryption unit, configured to decrypt the behavior credential information; a processing unit, configured to determine that the behavior credential information is invalid when decryption of the behavior credential information fails, and, when the behavior credential information is decrypted successfully, to judge according to the first timestamp whether the behavior credential information has expired; and a determining unit, configured to determine that the behavior credential information is valid when it has not expired, and invalid when it has expired.
Optionally, the checking module 56 includes: a first receiving unit, configured to receive a query request of the second device; a judging unit, configured to judge whether the query request is valid; and an issuing unit, configured to, when the query request is valid, issue the behavior credential information to the second device according to the query request, so that the second device verifies the target behavior request according to the behavior credential information.
Optionally, the query request includes a second timestamp, and the judging unit includes: a decryption subunit, configured to decrypt the query request; a processing subunit, configured to determine that the query request is invalid when decryption of the query request fails, and, when the query request is decrypted successfully, to judge according to the second timestamp whether the query request has expired; and a determining subunit, configured to determine that the query request is valid when it has not expired, and invalid when it has expired.
Optionally, the checking module 56 includes: a second receiving unit, configured to receive verification request information reported by the second device; a first checking unit, configured to check, according to the verification request information, whether the behavior credential information is legitimate; and a determining unit, configured to send first indication information to the second device when the behavior credential information is legitimate, and second indication information when it is not, wherein the first indication information indicates that the target behavior request is to be allowed on the second device, and the second indication information indicates that the target behavior request is to be blocked, or an alarm raised, on the second device.
Optionally, the first checking unit includes: a judging subunit, configured to judge, according to the verification request information, whether the first device is a legitimate device allowed by the second device; and a verification subunit, configured to determine that the behavior credential information is legitimate when the first device is a legitimate device allowed by the second device, and not legitimate when it is not.
Optionally, the checking module 56 includes one of: a second checking unit, configured to check web access behavior according to the behavior credential information; and a third checking unit, configured to check Remote Desktop Protocol (RDP) login behavior according to the behavior credential information.
Fig. 6 is a block diagram of a bidirectional verification system for machine behavior according to an embodiment of the present invention. As shown in Fig. 6, the system includes a first device 60, a second device 62 and a central control server 64 connected to the first device and the second device, wherein the first device 60 is configured to initiate a target behavior request to the second device; the second device 62 is configured to respond to the target behavior request initiated by the first device; and the central control server 64 includes the apparatus according to the above embodiments.
It should be noted that the above modules may be implemented by software or hardware; for the latter, this may be done in, but is not limited to, the following ways: the modules are all located in the same processor; or the modules are located in different processors in any combination.
Example 3
Embodiments of the present invention also provide a storage medium having a computer program stored therein, wherein the computer program is arranged to perform the steps of any of the above method embodiments when executed.
Optionally, in the present embodiment, the storage medium may be configured to store a computer program for executing the following steps:
S1, receiving behavior credential information reported by a first device, where the behavior credential information is generated when the first device initiates a target behavior request to a second device;
S2, judging whether the behavior credential information is valid;
S3, when the behavior credential information is valid, saving the behavior credential information;
S4, when the second device receives the target behavior request, verifying the target behavior request according to the behavior credential information.
Optionally, in this embodiment, the storage medium may include, but is not limited to: various media capable of storing computer programs, such as a usb disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic disk, or an optical disk.
Embodiments of the present invention also provide an electronic device comprising a memory having a computer program stored therein and a processor arranged to run the computer program to perform the steps of any of the above method embodiments.
Optionally, the electronic apparatus may further include a transmission device and an input/output device, wherein the transmission device is connected to the processor, and the input/output device is connected to the processor.
Optionally, in this embodiment, the processor may be configured to execute the following steps by a computer program:
S1, receiving behavior credential information reported by a first device, where the behavior credential information is generated when the first device initiates a target behavior request to a second device;
S2, judging whether the behavior credential information is valid;
S3, when the behavior credential information is valid, saving the behavior credential information;
S4, when the second device receives the target behavior request, verifying the target behavior request according to the behavior credential information.
Optionally, the specific examples in this embodiment may refer to the examples described in the above embodiments and optional implementation manners, and this embodiment is not described herein again.
The above-mentioned serial numbers of the embodiments of the present application are merely for description and do not represent the merits of the embodiments.
In the above embodiments of the present application, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the embodiments provided in the present application, it should be understood that the disclosed technology can be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one type of division of logical functions, and there may be other divisions when actually implemented, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, units or modules, and may be in an electrical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the essence of the technical solution of the present application, or the part of it that contributes over the prior art, or all or part of the technical solution, may be embodied in a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes: a U-disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic or optical disk, and other various media capable of storing program code.
The foregoing is only a preferred embodiment of the present application and it should be noted that those skilled in the art can make several improvements and modifications without departing from the principle of the present application, and these improvements and modifications should also be considered as the protection scope of the present application.

Claims (10)

1. A method for bi-directional verification of machine behavior, comprising:
receiving behavior credential information reported by a first device, wherein the behavior credential information is generated when the first device initiates a target behavior request to a second device;
judging whether the behavior credential information is valid;
when the behavior credential information is valid, storing the behavior credential information;
and when the second equipment receives the target behavior request, checking the target behavior request according to the behavior certificate information.
2. The method of claim 1, wherein the behavior credential information comprises the IP address of the first device, the device identifier of the first device and a first timestamp, and judging whether the behavior credential information is valid comprises:
decrypting the behavior credential information;
determining that the behavior credential information is invalid when decryption of the behavior credential information fails; when the behavior certificate information is decrypted successfully, judging whether the behavior certificate information is expired or not according to the first timestamp;
when the behavior credential information is not expired, determining that the behavior credential information is valid; and when the behavior credential information is expired, determining that the behavior credential information is invalid.
3. The method of claim 1, wherein verifying the target behavior request based on the behavior credential information comprises:
receiving a query request of the second device;
judging whether the query request is valid;
and when the query request is valid, issuing the behavior credential information to the second device according to the query request so that the second device verifies the target behavior request according to the behavior credential information.
4. The method of claim 3, wherein the query request includes a second timestamp, and wherein determining whether the query request is valid comprises:
decrypting the query request;
when the decryption of the query request fails, determining that the query request is invalid; when the query request is decrypted successfully, judging whether the query request is expired according to the second timestamp;
when the query request is not expired, determining that the query request is valid; determining that the query request is invalid when the query request expires.
5. The method of claim 1, wherein verifying the target behavior request based on the behavior credential information comprises:
receiving verification request information reported by the second equipment;
verifying whether the behavior credential information is legitimate according to the verification request information;
when the behavior credential information is legitimate, sending first indication information to the second device; and when the behavior credential information is not legitimate, sending second indication information to the second device, wherein the first indication information indicates that the target behavior request is to be allowed on the second device, and the second indication information indicates that the target behavior request is to be blocked, or an alarm raised, on the second device.
6. The method of claim 5, wherein verifying whether the behavior credential information is legitimate according to the verification request information comprises:
judging, according to the verification request information, whether the first device is a legitimate device allowed by the second device;
when the first device is a legitimate device allowed by the second device, determining that the behavior credential information is legitimate; and when the first device is not a legitimate device allowed by the second device, determining that the behavior credential information is not legitimate.
7. A bi-directional verification apparatus for machine behavior, comprising:
a receiving module, configured to receive behavior credential information reported by a first device, where the behavior credential information is generated when the first device initiates a target behavior request to a second device;
a judging module, configured to judge whether the behavior credential information is valid;
a storage module, configured to store the behavior credential information when the behavior credential information is valid;
and the verification module is used for verifying the target behavior request according to the behavior certificate information when the second equipment receives the target behavior request.
8. A system for bi-directional verification of machine behavior, comprising: a first device, a second device, a central control server connected with the first device and the second device, wherein,
the first device is used for initiating a target behavior request to the second device;
the second device is used for responding to a target behavior request initiated by the first device;
the central control server comprising the apparatus of claim 7.
9. A storage medium, in which a computer program is stored, wherein the computer program is arranged to perform the method of any of claims 1 to 6 when executed.
10. An electronic device comprising a memory and a processor, wherein the memory has stored therein a computer program, and wherein the processor is arranged to execute the computer program to perform the method of any of claims 1 to 6.
CN201910755476.9A 2019-08-15 2019-08-15 Bidirectional verification method, device and system for machine behavior, storage medium and electronic device Pending CN112398788A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910755476.9A CN112398788A (en) 2019-08-15 2019-08-15 Bidirectional verification method, device and system for machine behavior, storage medium and electronic device

Publications (1)

Publication Number Publication Date
CN112398788A true CN112398788A (en) 2021-02-23

Family

ID=74601854

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910755476.9A Pending CN112398788A (en) 2019-08-15 2019-08-15 Bidirectional verification method, device and system for machine behavior, storage medium and electronic device

Country Status (1)

Country Link
CN (1) CN112398788A (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100306547A1 (en) * 2009-05-28 2010-12-02 Fallows John R System and methods for providing stateless security management for web applications using non-http communications protocols
CN106790183A (en) * 2016-12-30 2017-05-31 广州华多网络科技有限公司 Logging on authentication method of calibration, device

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114915424A (en) * 2022-04-22 2022-08-16 京东城市(北京)数字科技有限公司 Interactive certificate generation method and device, electronic equipment and storage medium
CN114915424B (en) * 2022-04-22 2024-05-17 京东城市(北京)数字科技有限公司 Interactive credential generation method and device, electronic equipment and storage medium

Similar Documents

Publication Publication Date Title
CN107534856B (en) Method and apparatus for managing profile of terminal in wireless communication system
CN103596173B (en) Wireless network authentication method, client and service end wireless network authentication device
CN102801616B (en) Message sending and receiving method, device and system
EP2879421B1 (en) Terminal identity verification and service authentication method, system, and terminal
CN108243176B (en) Data transmission method and device
CN103856941A (en) Wireless network monitoring method and related device
CN112640385B (en) non-SI device and SI device for use in SI system and corresponding methods
CN112640387B (en) non-SI device, method, and computer readable and/or microprocessor executable medium for wireless connection
CN105262748A (en) Wide area network user terminal identity authentication method and system
CN109729000B (en) Instant messaging method and device
CN102143492B (en) Method for establishing virtual private network (VPN) connection, mobile terminal and server
CN104883255A (en) Password resetting method and device
CN105722072A (en) Business authorization method, device, system and router
CN111065090A (en) Method for establishing network connection and wireless routing equipment
CN101090321B (en) Device and method for discovering emulated clients
US8887310B2 (en) Secure consumer programming device
CN112398788A (en) Bidirectional verification method, device and system for machine behavior, storage medium and electronic device
CN112395586A (en) File access control method, device, system, storage medium and electronic device
CN114221822B (en) Distribution network method, gateway device and computer readable storage medium
CN112887178B (en) Terminal network access method, device, equipment and storage medium of LoRaWAN server
CN112398786B (en) Method and device for identifying penetration attack, system, storage medium and electronic device
CN113812125B (en) Verification method and device for login behavior, system, storage medium and electronic device
CN114501441A (en) User authentication method and device
KR101203742B1 (en) Wireless internet service system and method thereof
KR20140095050A (en) Method and apparatus for supporting single sign-on in a mobile communication system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210223