CN112448939B - Security protection method, device and storage medium - Google Patents


Info

Publication number: CN112448939B
Authority: CN (China)
Legal status: Active
Application number: CN201910837456.6A
Other languages: Chinese (zh)
Other versions: CN112448939A
Inventor: 万朝新
Current assignee: Alibaba Group Holding Ltd
Original assignee: Alibaba Group Holding Ltd
Application filed by Alibaba Group Holding Ltd

Classifications (CPC; all entries sit under H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L63/00 Network architectures or network communication protocols for network security)

    • H04L63/08 for authentication of entities > H04L63/0815 providing single-sign-on or federations
    • H04L63/10 for controlling access to devices or network resources > H04L63/101 Access control lists [ACL]
    • H04L63/14 for detecting or protecting against malicious traffic > H04L63/1408 by monitoring network traffic > H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/14 for detecting or protecting against malicious traffic > H04L63/1441 Countermeasures against malicious traffic

Abstract

Embodiments of this application provide a security protection method, a security protection device and a storage medium. The method comprises the following steps: if a first connection request initiated to a target server end is monitored, releasing the first connection request, wherein the first connection request comes from a target request end; determining, based on the first connection process between the target request end and the target server end, whether the target request end performs login authentication with the target server end during that process; and if the target request end does not perform login authentication with the target server end, intercepting subsequent connection requests initiated by the target request end to the target server end. The method treats a first connection request initiated to the target server end as suspicious traffic, applies a release-first strategy to it, and judges whether the suspicious traffic can be trusted by whether it logs in to the target server end, so that subsequent access control can be applied to the suspicious traffic according to the judgment result. This reduces both the blocking-miss rate and the false-blocking rate, reduces the attack surface, and improves the security of the communication process.

Description

Security protection method, device and storage medium
Technical Field
The present application relates to the field of security technologies, and in particular, to a security protection method, device, and storage medium.
Background
With the continuous development of cloud computing technology, more and more enterprise and individual users choose cloud computing resources, which reduces service cost and can also effectively improve service quality.
Users can implement a wide variety of services on cloud computing resources. Currently, to secure these services, dangerous traffic is usually intercepted by means of a white list or a black list: traffic on the white list is released and traffic not on the white list is intercepted; alternatively, traffic on the black list is intercepted and traffic not on the black list is released.
However, the interception results achieved by these methods are not ideal: dangerous traffic is often missed (a blocking miss) or legitimate traffic is blocked (a blocking error).
Disclosure of Invention
Aspects of the present application provide a security protection method, device, and storage medium for improving the security of a communication process.
Embodiments of this application provide a security protection method, comprising the following steps:
if a first connection request initiated to a target server end is monitored, releasing the first connection request, wherein the first connection request comes from a target request end;
determining, based on the first connection process between the target request end and the target server end, whether the target request end performs login authentication with the target server end during the first connection process;
and if the target request end does not perform login authentication with the target server end, intercepting subsequent connection requests initiated by the target request end to the target server end.
Embodiments of this application also provide a security protection device comprising a memory and a processor;
the memory is used for storing one or more computer instructions;
the processor is coupled to the memory and executes the one or more computer instructions to:
if a first connection request initiated to a target server end is monitored, release the first connection request, wherein the first connection request comes from a target request end;
determine, based on the first connection process between the target request end and the target server end, whether the target request end performs login authentication with the target server end during the first connection process;
and if the target request end does not perform login authentication with the target server end, intercept subsequent connection requests initiated by the target request end to the target server end.
Embodiments of this application also provide a security protection method, comprising the following steps:
if a first connection request initiated to a target server end is monitored, releasing the first connection request, wherein the first connection request comes from a target request end;
determining, based on the first connection process between the target request end and the target server end, whether the target request end performs login authentication with the target server end during the first connection process;
and if the target request end does not perform login authentication with the target server end, marking the target request end.
Embodiments of this application also provide a security protection device comprising a memory and a processor;
the memory is used for storing one or more computer instructions;
the processor is coupled to the memory and executes the one or more computer instructions to:
if a first connection request initiated to a target server end is monitored, release the first connection request, wherein the first connection request comes from a target request end;
determine, based on the first connection process between the target request end and the target server end, whether the target request end performs login authentication with the target server end during the first connection process;
and if the target request end does not perform login authentication with the target server end, mark the target request end.
Embodiments of the present application also provide a computer-readable storage medium storing computer instructions that, when executed by one or more processors, cause the one or more processors to perform the aforementioned security protection method.
In the embodiments of the application, if a first connection request initiated to the target server end is monitored, the first connection request is released and the first connection process is monitored; if it is determined that the target request end that initiated the first connection request did not perform login authentication with the target server end during that process, subsequent connection requests initiated by the target request end to the target server end are intercepted. The embodiments thus treat the first connection request initiated to the target server end as suspicious traffic, apply a release-first strategy to it, and judge whether the suspicious traffic can be trusted by whether it logs in to the target server end, so that subsequent access control can be applied to the suspicious traffic according to the judgment result. This reduces the blocking-miss rate and the false-blocking rate, reduces the attack surface, and improves the security of the communication process.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this specification, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute a limitation on the application. In the drawings:
FIG. 1 is a flow chart of a security protection method according to an embodiment of the present application;
FIG. 2 is a flow chart of another security protection method according to an embodiment of the present application;
FIG. 3 is a flow chart of a security protection method according to another embodiment of the present application;
FIG. 4 is a schematic structural diagram of a security protection device according to another embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the technical solutions of the present application will be clearly and completely described below with reference to specific embodiments of the present application and corresponding drawings. It will be apparent that the described embodiments are only some, but not all, embodiments of the application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
In the prior art, a white list or a black list is generally adopted for security protection; however, blocking errors or blocking misses often occur. To at least partially solve these problems, some embodiments of the application treat the first connection request initiated to the target server end as suspicious traffic, apply a release-first strategy to that suspicious traffic, and judge whether it can be trusted by whether it logs in to the target server end, so that subsequent access control can be applied to the suspicious traffic according to the judgment result. This reduces the blocking-miss rate and the false-blocking rate and improves the security of the communication process.
The following describes in detail the technical solutions provided by the embodiments of the present application with reference to the accompanying drawings.
Fig. 1 is a flow chart of a security protection method according to an embodiment of the application. As shown in fig. 1, the method includes:
100. if a first connection request initiated to a target server end is monitored, releasing the first connection request, wherein the first connection request comes from a target request end;
101. determining, based on the first connection process between the target request end and the target server end, whether the target request end performs login authentication with the target server end during the first connection process;
102. if the target request end does not perform login authentication with the target server end, intercepting subsequent connection requests initiated by the target request end to the target server end.
The security protection method provided by the embodiments of the application can be applied in various communication scenarios. For example, it can provide security protection for users' cloud assets in a cloud computing scenario, or for devices or data with security requirements in an ordinary communication scenario; the embodiment is not limited in this respect.
In the embodiments of the application, the target server end provides network services that require login authentication. Its physical form may differ between application scenarios; for example, in a cloud computing scenario it may be a physical machine or a virtual machine in the cloud that provides such a service, which is not limited in this embodiment.
The network services that the target server end may provide and that require login authentication include, but are not limited to, one or more of: the secure shell protocol (SSH) service, the remote desktop protocol (RDP) service, the MySQL relational database service, or the Redis remote data service.
Where the target server end is exposed to the internet, it may receive connection requests originating from different request ends. The physical form of a request end may likewise differ between scenarios; in a cloud computing scenario it may be a physical or virtual machine outside the cloud, or a physical or virtual machine inside the cloud, which is not limited in this embodiment. The entity executing the security protection method provided by the embodiments of the application can be deployed inline between the request ends and the target server end so as to protect the target server end.
The embodiments of the application focus mainly on the first connection requests among all connection requests initiated to the target server end. A first connection request is a connection request whose trustworthiness cannot yet be determined.
On this basis, a first connection request may arise when the usage scenario of the network service changes, for example when a developer on a business trip needs to log in to the target server end from a computer outside the office that is not their usual work machine: the connection request initiated by that new computer is regarded as a first connection request. A first connection request may also arise when the target server end is attacked, for example when a hacker tries to attack the target server end from their computer: the connection request initiated by the hacker's computer will also be regarded as a first connection request. Of course, the present embodiment is not limited to these cases, and a first connection request may arise in other situations.
For a first connection request, the embodiments of the application release it. Releasing means allowing the first connection request to be transmitted to the target server end, i.e. opening the transmission channel for the first connection request.
On receiving the first connection request, the target server end can carry out the first connection process with the target request end and perform login authentication of the target request end during that process. In the embodiments of the application, the first connection process between the target request end and the target server end is monitored, and the result of the target server end's login authentication of the target request end during the first connection process is determined.
In this embodiment, the number of data packets actually transmitted between the target request end and the target server end during the first connection process may be counted; if the actual number of data packets is less than or equal to the basic number of data packets that the target server end requires for login authentication, it is determined that the target request end did not perform login authentication with the target server end.
The basic number of data packets that the target server end requires for login authentication can be determined from the type of network service corresponding to the first connection request. For example, when the network service type corresponding to the first connection request is the SSH service, the basic number of data packets required by the target server end for login authentication is 60; when it is the RDP service, the basic number of data packets required by the target server end for login authentication is 25. Of course, these are merely examples, and the basic number of data packets required for login authentication to each network service provided by the target server end can be adjusted flexibly according to the practical situation.
Accordingly, whether the target request end performed login authentication with the target server end can be determined by comparing the actual number of data packets in the first connection process with the basic number of data packets corresponding to the target server end.
For example, when the network service type corresponding to the first connection request is the RDP service, if the actual number of data packets in the first connection process is 61, this indicates that content data packets were transmitted between the target server end and the target request end after login authentication was completed, so it can be determined that the target request end performed login authentication with the target server end; if the actual number of data packets in the first connection process is 3, this indicates that login authentication was not completed, so it can be determined that the target request end did not perform login authentication with the target server end.
This implementation is particularly suitable for scenarios in which encrypted communication is used between the target request end and the target server end: because the data packets transmitted between them are encrypted, information about the login authentication result cannot be read from the packets themselves, so determining the login authentication result from the actual number of data packets is more convenient. Of course, the implementation is also applicable where plaintext communication is used between the target request end and the target server end.
Where plaintext communication is used between the target request end and the target server end, the embodiments of the application can use a more direct implementation to determine the result of the target server end's login authentication of the target request end in the first connection process:
monitoring the authentication result data packet returned by the target server end to the target request end during the first connection process; if the authentication result data packet carries an authentication-failed identifier, determining that the target request end did not perform login authentication with the target server end.
Based on the plaintext communication between the target request end and the target server end, the authentication result data packet can be located in the exchange between the two parties. For example, if the target server end provides the MySQL network service and the technical solution of the embodiments monitors the following interaction between the target request end (client) and the target server end (server):
    client -> server: auth packet
    server -> client: OK packet (header field 0xff in the packet)
then it can be determined, from the authentication-failed identifier carried in the header field of the OK packet, that the target request end did not perform login authentication with the target server end.
If instead the technical solution of the embodiments monitors the following interaction between the target request end (client) and the target server end (server):
    client -> server: auth packet
    server -> client: OK packet (header field 0x00/0xfe, server status field 0x0002 in the packet)
then it can be determined, from the authentication-passed identifier carried in the header field and the server status field of the OK packet, that the target request end has logged in to the target server end.
In this way, the result of the target server end's login authentication of the target request end can be determined accurately and quickly under plaintext communication.
Of course, when it cannot be determined which communication mode is used between the target request end and the target server end, one can first try to monitor for an authentication result data packet returned by the target server end to the target request end during the first connection process; if one is found, the login authentication result is determined from it, and if not, the implementation that determines the login authentication result from the actual number of data packets is used instead.
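The two determination methods above, combined with the fallback just described, as an added example (not code from the patent): the SSH and RDP baselines are the figures quoted in the description, the MySQL baseline and all packet captures are constructed for this example, and the OK-packet layout beyond the header byte is an assumption of the example, not something the description specifies.

```python
"""Added example, not code from the patent: decide whether a released first
connection completed login authentication using the two methods described:
(a) compare the packet count with a per-service baseline, (b) read the MySQL
authentication-result packet under plaintext communication, falling back
from (b) to (a) when no usable result packet is seen."""
from dataclasses import dataclass, field
from typing import List, Optional

# Baseline packet counts for a completed login. SSH (60) and RDP (25) are the
# figures quoted in the description; the MySQL value is an assumed placeholder.
BASELINE_PACKETS = {"ssh": 60, "rdp": 25, "mysql": 12}

# MySQL result-packet headers as the description uses them: 0xff marks
# authentication failed, 0x00 / 0xfe an OK packet whose server-status field is
# checked for 0x0002.
MYSQL_ERR_HEADER = 0xFF
MYSQL_OK_HEADERS = (0x00, 0xFE)
MYSQL_AUTH_OK_STATUS = 0x0002

@dataclass
class Packet:
    direction: str        # "c2s" (client -> server) or "s2c" (server -> client)
    payload: bytes = b""  # MySQL payload without the 4-byte packet header

@dataclass
class Connection:
    service: str          # "ssh", "rdp" or "mysql"
    packets: List[Packet] = field(default_factory=list)

def auth_by_packet_count(conn: Connection) -> bool:
    """Method (a): baseline or fewer packets means login did not complete."""
    return len(conn.packets) > BASELINE_PACKETS[conn.service]

def mysql_auth_result_payload(conn: Connection) -> Optional[bytes]:
    """First server -> client payload after the client's auth packet, if any."""
    seen_client_auth = False
    for pkt in conn.packets:
        if pkt.direction == "c2s" and pkt.payload:
            seen_client_auth = True
        elif seen_client_auth and pkt.direction == "s2c" and pkt.payload:
            return pkt.payload
    return None

def auth_by_mysql_header(payload: bytes) -> Optional[bool]:
    """Method (b): False on an ERR header, True on an OK packet whose
    server-status field carries 0x0002, None when undecidable.
    OK-packet layout assumed: header, affected_rows, last_insert_id (each a
    single-byte length-encoded int, i.e. < 0xfb), then 2-byte LE status flags."""
    if not payload:
        return None
    if payload[0] == MYSQL_ERR_HEADER:
        return False
    if payload[0] in MYSQL_OK_HEADERS and len(payload) >= 5:
        if payload[1] >= 0xFB or payload[2] >= 0xFB:
            return None  # multi-byte length-encoded ints not handled here
        status = int.from_bytes(payload[3:5], "little")
        return bool(status & MYSQL_AUTH_OK_STATUS)
    return None

def login_authenticated(conn: Connection) -> bool:
    """Try the plaintext result packet for MySQL; otherwise use the count."""
    if conn.service == "mysql":
        payload = mysql_auth_result_payload(conn)
        if payload is not None:
            verdict = auth_by_mysql_header(payload)
            if verdict is not None:
                return verdict
    return auth_by_packet_count(conn)

def opaque_connection(service: str, n: int) -> Connection:
    """Constructed sample: n encrypted (opaque) packets alternating c2s/s2c."""
    return Connection(service, [Packet("c2s" if i % 2 == 0 else "s2c", b"\x00")
                                for i in range(n)])

# Constructed MySQL captures: client auth packet, then the server's reply.
MYSQL_FAILED = Connection("mysql", [
    Packet("c2s", b"\x8d\xa6\x0f\x00"),                    # auth packet (truncated)
    Packet("s2c", b"\xff\x15\x04#28000Access denied"),     # ERR: header 0xff
])
MYSQL_OK = Connection("mysql", [
    Packet("c2s", b"\x8d\xa6\x0f\x00"),
    Packet("s2c", b"\x00\x00\x00\x02\x00\x00\x00"),        # OK: status 0x0002
])

if __name__ == "__main__":
    for name, conn in [("ssh/61", opaque_connection("ssh", 61)),
                       ("rdp/3", opaque_connection("rdp", 3)),
                       ("mysql ERR", MYSQL_FAILED), ("mysql OK", MYSQL_OK)]:
        print(name, "->", "logged in" if login_authenticated(conn) else "no login")
```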
In practice, the login authentication mode of the target server end may be login password authentication. The target server end monitors whether the target request end provides login information such as an account name and password during the first connection process. If no login authentication information is provided, the target server end can determine that the target request end did not perform login authentication with it; if the target request end provides login authentication information but it is incorrect, the target request end may be prompted to authenticate again, and if correct information is not provided within a preset number of attempts, the target server end likewise determines that the target request end did not perform login authentication with it; if the information is correct, the target server end determines that the target request end performed login authentication with it, that is, passed login authentication.
Where the target request end did not perform login authentication with the target server end, the connection request initiated by the target request end can be determined to be untrusted, and accordingly subsequent connection requests initiated by the target request end to the target server end can be intercepted. Interception means not allowing connection requests initiated by the target request end to be transmitted to the target server end, i.e. blocking the transmission channel for the connection requests initiated by the target request end.
In the embodiments of the application, the first connection request initiated to the target server end is treated as suspicious traffic, a release-first strategy is applied to it, and whether the suspicious traffic can be trusted is judged by whether it logs in to the target server end, so that subsequent access control can be applied to the suspicious traffic according to the judgment result. This reduces the blocking-miss rate and the false-blocking rate and improves the security of the communication process.
In the above or following embodiments, an address white list and an address black list corresponding to the target server end may be preset; of course, when the target server end provides different network services, the address white list and address black list corresponding to it may differ.
The address white list records the addresses of request ends trusted by the target server end; the address black list records the addresses of request ends not trusted by the target server end. The address of a request end may be an IPv4 address, an IPv6 address, a MAC address, etc., which is not limited in this embodiment.
On this basis, each connection request initiated to the target server end can be monitored and the address of the request end corresponding to each connection request obtained; if the address of the request end corresponding to a connection request is contained in neither the preset address white list nor the preset address black list, that connection request is determined to be a first connection request.
Of course, determining the first connection request is not limited to presetting both an address white list and an address black list: in this embodiment a single class of address list may also be preset, i.e. only an address white list or only an address black list, and a connection request whose request-end address is not contained in that single preset list is determined to be a first connection request. This embodiment is not limited in this respect. When both an address white list and an address black list are preset, fewer connection requests are determined to be first connection requests, so the computation needed in the subsequent trustworthiness determination is smaller, fewer computing resources are occupied, and processing efficiency is higher.
It should be noted that the terms address white list and address black list used above or below are merely names for convenience of description; this embodiment does not limit the storage structure or form in which the addresses of request ends trusted and not trusted by the target server end are kept.
In addition, the embodiments of the application are not limited to determining the first connection request from an address white list and/or an address black list; for example, a connection request whose request-end address does not appear in the access records of the target server end may be determined to be a first connection request according to those access records, which is not limited in this embodiment.
For a connection request determined to be a first connection request, it can then be determined whether the target request end performs login authentication with the target server end during the first connection process.
If the target request end did not perform login authentication with the target server end, the address of the target request end is added to the address black list, and subsequent connection requests initiated by the target request end to the target server end are intercepted on the basis of the updated address black list.
If the target request end performed login authentication with the target server end, the address of the target request end is added to the address white list, and subsequent connection requests initiated by the target request end to the target server end are released on the basis of the updated address white list.
Updating the address white list and address black list corresponding to the target server end according to the trustworthiness determination result for the first connection request effectively keeps both lists fresh.
Based on such freshly maintained address white and black lists for the target server end, fig. 2 shows a flow diagram of a security protection method. As shown in fig. 2, the method may include:
200. monitoring a connection request initiated to the target server end;
201. judging whether the address of the request end corresponding to the connection request is in the address white list; if so, executing step 206; if not, executing step 202;
202. judging whether the address of the request end corresponding to the connection request is in the address black list; if so, executing step 207; if not, executing step 203;
203. releasing the connection request, and determining, based on the connection process between the target server end and the request end corresponding to the connection request, whether the request end performs login authentication with the target server end during that process; if so, executing step 204; if not, executing step 205;
204. adding the address of the request end corresponding to the connection request to the address white list;
205. adding the address of the request end corresponding to the connection request to the address black list;
206. releasing the connection request;
207. intercepting the connection request.
The order of steps 201 and 202 is not limited to that shown in fig. 2; that is, whether a connection request is a first connection request may be determined by consulting the address white list first, the address black list first, or both together.
In this embodiment, the address white list and address black list corresponding to the target server end are updated according to the trustworthiness determination result for the first connection request, so that both lists flexibly adapt to the usage scenario of the target server end, the attack surface is reduced to the greatest extent, and the success rate of security protection is improved.
Fig. 3 is a flow chart of a safety protection method according to another embodiment of the application. As shown in fig. 3, the method includes:
300. if a first connection request initiated to a target server is monitored, releasing the first connection request, wherein the first connection request is from the target request;
301. determining whether the target request end performs login authentication with the target service end in the first connection process based on the first connection process between the target request end and the target service end;
302. if the target request end does not carry out login authentication with the target service end, marking the target request end.
Compared with the security protection method provided in the embodiment corresponding to fig. 1, the security protection method provided in this embodiment is different in the processing manner in the case that the target request end does not perform login authentication with the target server end.
In this embodiment, if the target request end does not perform login authentication with the target server end, the target request end is marked. The specific form of the marking is not limited in this embodiment, and may be marked as a suspicious object, an untrusted object, or the like, for example.
Subsequent connection requests from the marked target request end may be intercepted, or handled in some other way based on the mark. For example, interception may be applied selectively according to the security level of the network service provided by the target server: when the security level of the network service is higher, subsequent connection requests initiated by the marked request end can be intercepted, and when the security level is lower, they can be released.
Of course, the use of the mark placed on the target request end is not limited to the above manner; the mark may also serve as a reference basis for other processing procedures.
It should be noted that, for further technical details of the present embodiment, reference should be made to the related descriptions in the foregoing embodiment, which are not repeated here; this omission does not narrow the protection scope of the present application.
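As an added illustration (example code written for this page, not code from the patent or its applicant), the list-update flow of fig. 2 (steps 200 to 207) and the marking variant of fig. 3 as one small state machine. The class and enum names, the `high_security_service` switch that stands in for "the security level of the network service", the decision to treat a mark like a list entry, and the RFC 5737 sample addresses are all this example's assumptions; the login-authentication verdict itself is taken as a boolean input, because the description covers how it is obtained separately.

```python
"""Added example, not code from the patent: the first-connection trust gate of
fig. 2 (steps 200-207) plus the fig. 3 variant that marks instead of blacklisting.
Class and function names are this example's own; the addresses are RFC 5737
documentation addresses used as constructed sample input."""
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    RELEASE = "release"      # let the connection request through
    INTERCEPT = "intercept"  # drop the connection request


class Mode(Enum):
    BLACKLIST = "blacklist"  # fig. 2: unauthenticated first connection -> blacklist
    MARK = "mark"            # fig. 3: unauthenticated first connection -> mark only


@dataclass
class TrustGate:
    """Per-target-server state: address whitelist, blacklist and (fig. 3) marks."""
    mode: Mode = Mode.BLACKLIST
    high_security_service: bool = True  # fig. 3: decides what a mark means
    whitelist: set = field(default_factory=set)
    blacklist: set = field(default_factory=set)
    marked: set = field(default_factory=set)

    def is_first_connection(self, addr: str) -> bool:
        # Step 200: an address found in neither list is a first connection.
        # Marks are treated like a list entry here (an assumption of this
        # example), so a marked address is not observed a second time.
        return (addr not in self.whitelist and addr not in self.blacklist
                and addr not in self.marked)

    def on_connection_request(self, addr: str) -> Action:
        """Steps 201, 202, 206, 207: decide when the connection request arrives."""
        if addr in self.whitelist:
            return Action.RELEASE
        if addr in self.blacklist:
            return Action.INTERCEPT
        if addr in self.marked:
            # fig. 3: selective interception by the service's security level
            return Action.INTERCEPT if self.high_security_service else Action.RELEASE
        # Step 203: first connection request, release it and observe the session.
        return Action.RELEASE

    def on_connection_finished(self, addr: str, authenticated: bool) -> None:
        """Steps 204/205: update the lists once the observed first connection ends.
        `authenticated` is the verdict of the login-authentication check."""
        if not self.is_first_connection(addr):
            return  # only first connections are judged
        if authenticated:
            self.whitelist.add(addr)
        elif self.mode is Mode.BLACKLIST:
            self.blacklist.add(addr)
        else:
            self.marked.add(addr)


def run_scenario(mode: Mode, high_security: bool = True) -> list:
    """Replay a constructed sequence of events and return the decisions made."""
    gate = TrustGate(mode=mode, high_security_service=high_security)
    scanner, admin = "198.51.100.7", "203.0.113.5"  # constructed sample addresses
    decisions = []
    decisions.append(gate.on_connection_request(scanner))      # first contact: released
    gate.on_connection_finished(scanner, authenticated=False)  # connected, never logged in
    decisions.append(gate.on_connection_request(scanner))      # second contact
    decisions.append(gate.on_connection_request(admin))        # first contact: released
    gate.on_connection_finished(admin, authenticated=True)     # password login observed
    decisions.append(gate.on_connection_request(admin))        # now whitelisted
    return [d.value for d in decisions]


if __name__ == "__main__":
    print(run_scenario(Mode.BLACKLIST))
    print(run_scenario(Mode.MARK, high_security=False))
```

Two properties of the method are visible in the replay: an address is judged exactly once, on its first connection, so a later successful login from a blacklisted address does not lift the block unless an operator does it; and because the unit of trust is the source address, a whitelist or blacklist entry covers every host behind a shared NAT address, which is the main tuning point when deploying this kind of gate.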
Fig. 4 is a schematic structural diagram of a security protection device according to another embodiment of the present application. As shown in fig. 4, the device includes: a memory 40 and a processor 41.
Memory 40 is used to store computer programs and may be configured to store various other data to support operations on the security protection device. Examples of such data include instructions for any application or method operating on the security protection device, contact data, phonebook data, messages, pictures, video, and the like.
The memory 40 may be implemented by any type or combination of volatile or nonvolatile memory devices, such as Static Random Access Memory (SRAM), Electrically Erasable Programmable Read-Only Memory (EEPROM), Erasable Programmable Read-Only Memory (EPROM), Programmable Read-Only Memory (PROM), Read-Only Memory (ROM), magnetic memory, flash memory, or a magnetic or optical disk.
A processor 41 coupled to the memory 40 for executing the computer program in the memory for:
if a first connection request initiated to a target server is monitored, releasing the first connection request, wherein the first connection request is from a target request end;
determining whether the target request end performs login authentication with the target service end in the first connection process based on the first connection process between the target request end and the target service end;
if the target request end does not carry out login authentication with the target service end, intercepting a subsequent connection request initiated by the target request end to the target service end.
In an alternative embodiment, the processor 41 is configured to, when determining whether the target request end performs login authentication with the target service end in the first connection process based on the first connection process between the target request end and the target service end:
counting the number of actual data packets transmitted by a target request end and a target service end in a first connection process;
if the number of the actual data packets is smaller than or equal to the number of the basic data packets required by the target server for login authentication, determining that the target request end does not perform login authentication with the target server.
In an alternative embodiment, the processor 41 is configured to, when determining whether the target request end performs login authentication with the target service end in the first connection process based on the first connection process between the target request end and the target service end:
monitoring an authentication result data packet returned by the target server to the target request end in the first connection process;
if the authentication result data packet carries an authentication failed identifier, determining that the target request end does not carry out login authentication with the target server end.
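The two login-authentication checks just described (the packet count compared with the baseline a login needs, and the authentication result packet returned by the server), as an added example that is not the patent's own code. It takes Redis as the target service because its replies are plain text; the baseline of 2 packets, the marker strings, the `Packet` record and the RFC 5737 addresses are constructed for the example, while the Redis reply prefixes (`+OK`, `-WRONGPASS`, `-ERR invalid password`, `-NOAUTH`) follow the Redis protocol.

```python
"""Added example, not code from the patent: the two login-authentication checks
of the description (packet count against a per-service baseline, and the
server's authentication result packet) run over constructed Redis packet
records.  Baseline numbers, marker tables and names are this example's own
assumptions; the reply strings follow the Redis protocol."""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes


# Minimum packets a login needs per service (constructed: for Redis one AUTH
# request plus one reply).  A connection that carries no more than this never
# got past authentication, or never attempted it.
BASELINE_PACKETS = {"redis": 2}

# Authentication result markers (illustrative subset of real Redis replies).
SUCCESS_MARKERS = {"redis": (b"+OK",)}
FAILURE_MARKERS = {"redis": (b"-WRONGPASS", b"-ERR invalid password", b"-NOAUTH")}


def count_packets(packets: Iterable[Packet], client: str, server: str) -> int:
    """Actual data packets exchanged between client and server, either direction."""
    return sum(1 for p in packets if {p.src, p.dst} == {client, server})


def authenticated_by_count(packets, client, server, service) -> bool:
    """First embodiment: at most the baseline number of packets -> no login."""
    return count_packets(packets, client, server) > BASELINE_PACKETS[service]


def authenticated_by_result(packets, client, server, service) -> Optional[bool]:
    """Second embodiment: read the server's authentication result packet.
    False on a failure marker, True on a success marker, None if neither was
    seen (for example an encrypted protocol, where only the count is visible)."""
    for p in packets:
        if p.src != server or p.dst != client:
            continue
        if any(m in p.payload for m in FAILURE_MARKERS[service]):
            return False
        if any(p.payload.startswith(m) for m in SUCCESS_MARKERS[service]):
            return True
    return None


def performed_login_authentication(packets, client, server, service) -> bool:
    """Combine both checks: a definite result packet wins, else fall back to the count."""
    verdict = authenticated_by_result(packets, client, server, service)
    if verdict is None:
        return authenticated_by_count(packets, client, server, service)
    return verdict


# Constructed sample traces (RFC 5737 addresses); payloads are the relevant
# bytes a capture of the Redis protocol would show.
CLIENT, SERVER = "198.51.100.7", "203.0.113.5"
SCAN = [  # client issues a command without ever authenticating
    Packet(CLIENT, SERVER, b"INFO\r\n"),
    Packet(SERVER, CLIENT, b"-NOAUTH Authentication required.\r\n"),
]
BAD_PASSWORD = [  # client tries a wrong password
    Packet(CLIENT, SERVER, b"AUTH guess\r\n"),
    Packet(SERVER, CLIENT, b"-WRONGPASS invalid username-password pair\r\n"),
]
LOGIN = [  # client authenticates, then works normally
    Packet(CLIENT, SERVER, b"AUTH s3cr3t-example\r\n"),
    Packet(SERVER, CLIENT, b"+OK\r\n"),
    Packet(CLIENT, SERVER, b"GET counter\r\n"),
    Packet(SERVER, CLIENT, b"$-1\r\n"),
]

if __name__ == "__main__":
    for name, trace in (("scan", SCAN), ("bad password", BAD_PASSWORD), ("login", LOGIN)):
        print(name, performed_login_authentication(trace, CLIENT, SERVER, "redis"))
```

Two limits of the checks are worth keeping in mind when tuning them. The result-packet check only works where the authentication exchange is visible on the wire; for SSH the user-authentication messages are inside the encrypted channel, so at a network vantage point the packet count is the only usable signal. And the count check is a pure threshold: a client that logs in successfully and disconnects at once produces exactly the baseline number of packets and would be judged as not having authenticated, so the per-service baseline has to be measured against the real protocol rather than guessed.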
In an alternative embodiment, processor 41 is further configured to:
monitoring a connection request initiated to a target server;
acquiring an address of a request end corresponding to a connection request;
if the address of the request end corresponding to the connection request is not found from the preset address white list and the address black list, the connection request is determined to be the first connection request.
In an alternative embodiment, when intercepting a subsequent connection request initiated by the target request end to the target service end if the target request end does not perform login authentication with the target service end, the processor 41 is configured to:
if the target request end does not carry out login authentication with the target service end, updating the address of the target request end to an address blacklist;
and based on the updated address blacklist, intercepting a subsequent connection request initiated by the target request end to the target service end.
In an alternative embodiment, processor 41 is further configured to:
if the target request end has performed login authentication with the target service end, updating the address of the target request end to an address white list;
and based on the updated address white list, releasing a subsequent connection request initiated by the target request end to the target service end.
In an alternative embodiment, the target server provides a secure shell protocol (SSH) service, a remote desktop protocol (RDP) service, a MySQL relational database service, or a Redis remote data service.
In an alternative embodiment, the login authentication is login password authentication.
Further, as shown in fig. 4, the security protection device further includes: communication component 42, power component 43, and the like. Only some of the components are schematically shown in fig. 4, which does not mean that the security protection device includes only the components shown in fig. 4.
Wherein the communication component 42 is configured to facilitate wired or wireless communication between the device in which the communication component is located and other devices. The device in which the communication component is located may access a wireless network based on a communication standard, such as WiFi, 2G, 3G, 4G, or 5G, or a combination thereof. In one exemplary embodiment, the communication component receives a broadcast signal or broadcast-related information from an external broadcast management system via a broadcast channel. In one exemplary embodiment, the communication component may be implemented based on Near Field Communication (NFC) technology, Radio Frequency Identification (RFID) technology, Infrared Data Association (IrDA) technology, Ultra Wideband (UWB) technology, Bluetooth (BT) technology, or other technologies to facilitate short range communications.
Wherein the power supply assembly 43 provides power to various components of the device in which the power supply assembly is located. The power components may include a power management system, one or more power sources, and other components associated with generating, managing, and distributing power for the devices in which the power components are located.
Additionally, in still other embodiments, based on the configuration of the security protection device shown in fig. 4, processor 41 may be configured to:
if a first connection request initiated to a target server is monitored, releasing the first connection request, wherein the first connection request is from a target request end;
determining whether the target request end performs login authentication with the target service end in the first connection process based on the first connection process between the target request end and the target service end;
and if the target request end does not carry out login authentication with the target service end, marking the target request end.
This differs from the embodiments of the security protection device described above in the manner in which processor 41 handles a target request end that has not performed login authentication with the target server.
In this embodiment, if the target request end does not perform login authentication with the target server, the processor 41 may mark the target request end. The specific form of the mark is not limited in this embodiment; the target request end may, for example, be marked as a suspicious object, an untrusted object, or the like.
Subsequent connection requests from the marked target request end may be intercepted, or handled in some other way based on the mark. For example, interception may be applied selectively according to the security level of the network service provided by the target server: when the security level of the network service is higher, subsequent connection requests initiated by the marked request end can be intercepted, and when the security level is lower, they can be released.
Of course, the use of the mark placed on the target request end is not limited to the above manner; the mark may also serve as a reference basis for other processing procedures.
It should be noted that, for further technical details of the present embodiment, reference should be made to the related descriptions in the foregoing embodiment, which are not repeated here; this omission does not narrow the protection scope of the present application.
Accordingly, embodiments of the present application also provide a computer readable storage medium storing a computer program, where the computer program, when executed, is capable of implementing the steps of the method embodiments described above that may be performed by a security protection device.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In one typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, Random Access Memory (RAM) and/or nonvolatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of computer-readable media.
Computer readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of storage media for a computer include, but are not limited to, Phase Change Memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, Compact Disc Read Only Memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium which can be used to store information that can be accessed by a computing device. Computer-readable media, as defined herein, does not include transitory computer-readable media (transmission media), such as modulated data signals and carrier waves.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article or apparatus that comprises the element.
The foregoing is merely exemplary of the present application and is not intended to limit the present application. Various modifications and variations of the present application will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. which come within the spirit and principles of the application are to be included in the scope of the claims of the present application.

Claims (15)

1. A security protection method, comprising:
if a first connection request initiated to a target server is monitored, releasing the first connection request, wherein the first connection request is from a target request end;
based on a first connection process between the target request end and the target service end, if the number of actual data packets transmitted between the target request end and the target service end is smaller than or equal to the number of basic data packets required by login authentication of the target service end, determining that the target request end and the target service end do not perform login authentication in the first connection process;
and if the target request end does not carry out login authentication with the target service end, intercepting a subsequent connection request initiated by the target request end to the target service end.
2. The method as recited in claim 1, further comprising:
monitoring a connection request initiated to the target server;
acquiring an address of a request end corresponding to the connection request;
if the address of the request end corresponding to the connection request is not found out from a preset address white list and an address black list, the connection request is determined to be the first connection request.
3. The method of claim 2, wherein intercepting the subsequent connection request initiated by the target request end to the target service end if the target request end does not perform login authentication with the target service end comprises:
if the target request end does not carry out login authentication with the target service end, updating the address of the target request end to the address blacklist;
and based on the updated address blacklist, intercepting a subsequent connection request initiated by the target request end to the target service end.
4. A method according to claim 3, further comprising:
if the target request end has performed login authentication with the target service end, updating the address of the target request end to the address white list;
and based on the updated address white list, releasing a subsequent connection request initiated by the target request end to the target service end.
5. The method of claim 1, wherein the target server provides a secure shell protocol SSH service, a remote desktop protocol RDP service, a relational type database MySQL service, or a remote data Redis service.
6. The method of claim 1, wherein the login authentication is a login password authentication.
7. A security protection apparatus, comprising a memory and a processor;
the memory is used for storing one or more computer instructions;
the processor is coupled to the memory for executing the one or more computer instructions for:
if a first connection request initiated to a target server is monitored, releasing the first connection request, wherein the first connection request is from a target request end;
based on a first connection process between the target request end and the target service end, if the number of actual data packets transmitted between the target request end and the target service end is smaller than or equal to the number of basic data packets required by login authentication of the target service end, determining that the target request end and the target service end do not perform login authentication in the first connection process;
and if the target request end does not carry out login authentication with the target service end, intercepting a subsequent connection request initiated by the target request end to the target service end.
8. The apparatus of claim 7, wherein the processor is further configured to:
monitoring a connection request initiated to the target server;
acquiring an address of a request end corresponding to the connection request;
if the address of the request end corresponding to the connection request is not found out from a preset address white list and an address black list, the connection request is determined to be the first connection request.
9. The apparatus of claim 8, wherein the processor, when performing the operation of intercepting a subsequent connection request initiated by the target request end to the target service end if the target request end does not perform login authentication with the target service end, is configured to:
if the target request end does not carry out login authentication with the target service end, updating the address of the target request end to the address blacklist;
and based on the updated address blacklist, intercepting a subsequent connection request initiated by the target request end to the target service end.
10. The apparatus of claim 9, wherein the processor is further configured to:
if the target request end has performed login authentication with the target service end, updating the address of the target request end to the address white list;
and based on the updated address white list, releasing a subsequent connection request initiated by the target request end to the target service end.
11. The apparatus of claim 7, wherein the target service provides a secure shell protocol SSH service, a remote desktop protocol RDP service, a relational type database MySQL service, or a remote data Redis service.
12. The apparatus of claim 7, wherein the login authentication is a login password authentication.
13. A security protection method, comprising:
if a first connection request initiated to a target server is monitored, releasing the first connection request, wherein the first connection request is from a target request end;
based on a first connection process between the target request end and the target service end, if the number of actual data packets transmitted between the target request end and the target service end is smaller than or equal to the number of basic data packets required by login authentication of the target service end, determining that the target request end and the target service end do not perform login authentication in the first connection process;
and if the target request end does not carry out login authentication with the target service end, marking the target request end.
14. A security protection apparatus, comprising a memory and a processor;
the memory is used for storing one or more computer instructions;
the processor is coupled to the memory for executing the one or more computer instructions for:
if a first connection request initiated to a target server is monitored, releasing the first connection request, wherein the first connection request is from a target request end;
based on a first connection process between the target request end and the target service end, if the number of actual data packets transmitted between the target request end and the target service end is smaller than or equal to the number of basic data packets required by login authentication of the target service end, determining that the target request end and the target service end do not perform login authentication in the first connection process;
and if the target request end does not carry out login authentication with the target service end, marking the target request end.
15. A computer-readable storage medium storing computer instructions that, when executed by one or more processors, cause the one or more processors to perform the security protection method of any one of claims 1-6 or 13.
CN201910837456.6A 2019-09-05 2019-09-05 Security protection method, device and storage medium Active CN112448939B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910837456.6A CN112448939B (en) 2019-09-05 2019-09-05 Security protection method, device and storage medium


Publications (2)

Publication Number Publication Date
CN112448939A CN112448939A (en) 2021-03-05
CN112448939B true CN112448939B (en) 2023-08-22

Family

ID=74733084


Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113328883B (en) * 2021-05-27 2023-03-24 中国电信股份有限公司 Terminal management method and device, storage medium and electronic equipment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2013055037A1 (en) * 2011-10-10 2013-04-18 (주)잉카인터넷 System and method for controlling location information-based authentication
CN104661218A (en) * 2013-11-18 2015-05-27 财团法人资讯工业策进会 Base station and user equipment authentication method thereof
CN105939519A (en) * 2015-08-27 2016-09-14 杭州迪普科技有限公司 Authentication method and device
CN106658498A (en) * 2016-12-05 2017-05-10 上海斐讯数据通信技术有限公司 Portal approved quick roaming method and WiFi device
CN107148021A (en) * 2017-05-27 2017-09-08 上海斐讯数据通信技术有限公司 A kind of wireless access authentication method and a kind of radio reception device


Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant