CN112953921A - Scanning behavior identification method, device, equipment and storage medium - Google Patents

Info

Publication number
CN112953921A
Authority
CN
China
Prior art keywords
terminal
target
access request
information
fingerprint information
Prior art date
Legal status
Pending
Application number
CN202110143477.5A
Other languages
Chinese (zh)
Inventor
王旭
Current Assignee
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd
Application filed by Sangfor Technologies Co Ltd
Priority to CN202110143477.5A
Publication of CN112953921A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H04L63/12 Applying verification of the received information
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/14 Session management
    • H04L67/141 Setup of application sessions

Abstract

The application discloses a scanning behavior identification method comprising the following steps: acquiring a target access request from a first terminal to a second terminal; and, where the target access request carries target fingerprint information, determining on the basis of that fingerprint information whether the current access behavior is a scanning behavior. With the technical scheme provided by the application, whether the current access behavior is a scanning behavior is accurately identified through the fingerprint information carried in the access request, and the security of the computer network can be effectively guaranteed. The application also discloses a scanning behavior recognition device, equipment and a storage medium, which have corresponding technical effects.

Description

Scanning behavior identification method, device, equipment and storage medium
Technical Field
The present application relates to the field of computer application technologies, and in particular, to a scanning behavior recognition method, apparatus, device, and storage medium.
Background
With the rapid development of computer technology, computer networks are used ever more widely and provide a variety of business services to users. Network security is accordingly receiving increasing attention. However, malicious actors are always present on the network and continuously probe for vulnerabilities through scanning behaviors, which poses a serious security risk to the normal operation of the computer network.
At present, scanning behaviors are mostly identified by rule-based detection. This approach requires preset rules; if a malicious actor learns the rules, they may evade them by various means, so that the malicious scanning behavior cannot be accurately identified and the security of the computer network cannot be guaranteed.
Disclosure of Invention
The application aims to provide a scanning behavior identification method, a scanning behavior identification device, scanning behavior identification equipment and a storage medium, so that whether a current access behavior is a scanning behavior or not is accurately identified, and the security of a computer network is guaranteed.
In order to solve the technical problem, the application provides the following technical scheme:
a scanning behavior recognition method, comprising:
acquiring a target access request of a first terminal to a second terminal;
and under the condition that the target access request carries target fingerprint information, determining whether the current access behavior is a scanning behavior or not based on the target fingerprint information.
In one embodiment of the present application, the method further includes:
and under the condition that the target access request does not carry the target fingerprint information, issuing a fingerprint generation instruction to the first terminal so that the first terminal executes the fingerprint generation instruction to generate fingerprint information, and carrying the fingerprint information in the access request to the second terminal.
In a specific embodiment of the present application, the acquiring a target access request from a first terminal to a second terminal includes:
under the condition that a first terminal and a second terminal establish handshake connection, acquiring a target access request of the first terminal to the second terminal;
correspondingly, after the issuing of the fingerprint generation instruction to the first terminal, the method further includes:
and disconnecting the current handshake connection between the first terminal and the second terminal.
In one embodiment of the present application, the method further includes:
generating verification information;
and sending the verification information to the first terminal so that the first terminal obtains encrypted information based on the fingerprint information and the verification information after executing the fingerprint generation instruction to generate the fingerprint information, and the encrypted information is carried in an access request to the second terminal.
In a specific embodiment of the present application, in a case that the target access request carries the target fingerprint information, the method further includes:
determining whether target verification information corresponding to the target fingerprint information has expired;
if it has expired, generating new verification information;
and sending the new verification information to the first terminal, so that after executing the fingerprint generation instruction to generate the fingerprint information the first terminal obtains encrypted information based on the fingerprint information and the new verification information and carries the encrypted information in an access request to the second terminal.
In one embodiment of the present application, the method further includes:
determining whether the number of continuous access requests of the first terminal, which do not carry the fingerprint information, reaches a preset number threshold under the condition that the target access request does not carry the target fingerprint information;
if the number threshold is reached, then it is determined that the current access behavior is a scanning behavior.
In one embodiment of the present application,
the target fingerprint information includes kernel-driven features, and/or palette-on-buffer features, and/or audio features.
In a specific embodiment of the present application, in a case that it is determined that the current access behavior is a scan behavior, the method further includes:
and performing blocking operation on the first terminal.
A scanning behavior recognition device, comprising:
the access request acquisition module is used for acquiring a target access request of the first terminal to the second terminal;
and the scanning behavior identification module is used for determining whether the current access behavior is a scanning behavior or not based on the target fingerprint information under the condition that the target access request carries the target fingerprint information.
A scanning behavior recognition device, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the scanning behavior recognition method according to any one of the above when executing the computer program.
A computer-readable storage medium, having stored thereon a computer program which, when being executed by a processor, carries out the steps of the scanning behavior recognition method of any of the preceding claims.
By applying the technical scheme provided by the embodiment of the application, after the target access request from the first terminal to the second terminal is obtained, whether the current access behavior is a scanning behavior is determined based on the target fingerprint information, provided the target access request carries such information. Whether the current access behavior is a scanning behavior is thus accurately identified through the fingerprint information carried in the access request, and the security of the computer network can be effectively guaranteed.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a flowchart illustrating an implementation of a scanning behavior recognition method in an embodiment of the present application;
fig. 2 is a schematic diagram illustrating a specific process of a scanning behavior recognition method in an embodiment of the present application;
FIG. 3 is a schematic diagram illustrating another specific process of a scanning behavior recognition method in an embodiment of the present application;
fig. 4 is a schematic structural diagram of a scanning behavior recognition apparatus according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of a scanning behavior recognition device in an embodiment of the present application.
Detailed Description
The core of the application is a scanning behavior identification method that can be applied to security protection equipment such as a firewall. A first terminal accesses a second terminal in the computer network, and the access traffic passes through the security protection device. In one application scenario the first terminal may be a client and the second terminal a server.
When the first terminal initiates a target access request to the second terminal, the target access request can be acquired and it can be determined whether it carries target fingerprint information; if it does, whether the current access behavior is a scanning behavior can be determined based on that fingerprint information. In this way, whether the current access behavior is a scanning behavior can be accurately identified through the fingerprint information carried in the access request, and the security of the computer network is guaranteed.
In order that those skilled in the art will better understand the disclosure, the following detailed description will be given with reference to the accompanying drawings. It is to be understood that the embodiments described are only a few embodiments of the present application and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Referring to fig. 1, there is shown a flowchart of an implementation of a scanning behavior identification method provided in an embodiment of the present application, where the method may include the following steps:
S110: acquiring a target access request from the first terminal to the second terminal.
In practical application, when the first terminal needs to access data on the second terminal, it sends a corresponding access request, and this request reaches the security protection device first. After the target access request from the first terminal to the second terminal is acquired, the operation of step S120 may be performed.
In a specific embodiment of the present application, the first terminal may establish a communication connection with the second terminal, for example, after the three-way handshake connection, send an access request to the second terminal, where the access request may specifically be an HTTP (HyperText Transfer Protocol) request.
Any access traffic to the second terminal passes through the security device, which can monitor access requests to the second terminal. When the first terminal sends a target access request to the second terminal, the security device can intercept the target access request and withhold it from the second terminal.
S120: where the target access request carries target fingerprint information, determining whether the current access behavior is a scanning behavior based on the target fingerprint information.
In the embodiment of the application, after the target access request from the first terminal to the second terminal is acquired, it can be judged whether the request carries target fingerprint information. Specifically, the header of the target access request may be parsed to make this determination. If the request carries target fingerprint information, whether the current access behavior is a scanning behavior can be further determined based on it.
A fingerprint identifies a user through various attributes of the terminal, such as system fonts, screen resolution and installed plug-ins. Taking a browser as an example, because a browser can be identified by its fingerprint information, anonymity is not obtained even when the browser's private window mode is used.
Corresponding attribute information can be obtained from the target fingerprint information carried in the target access request through analysis, so that whether the current access behavior is a scanning behavior or not can be determined. The target fingerprint information may include kernel-driven features, and/or palette-on-buffer features, and/or audio features.
Whether the first terminal is a scanner or not can be further judged through the identification result of whether the current access behavior is the scanning behavior or not. If the current access behavior is identified as a scanning behavior, it may be determined that the first terminal is a scanner, and if the current access behavior is not identified as a scanning behavior, it may be determined that the first terminal is not a scanner, and may be a browser or other device with data access.
Where the current access behavior is determined not to be a scanning behavior, the access of the first terminal to the second terminal is regarded as normal, and the target access request can be forwarded to the second terminal so that the first terminal can interact with the second terminal and access data. Information returned by the second terminal can be forwarded to the first terminal through the security protection device.
Where the current access behavior is determined to be a scanning behavior, the access of the first terminal to the second terminal is regarded as abnormal, and the target access request can be rejected. Specifically, the target access request may be discarded directly, or rejection information may be returned to the first terminal. This protects the second terminal.
By applying the method provided by the embodiment of the application, after the target access request from the first terminal to the second terminal is obtained, whether the current access behavior is a scanning behavior is determined based on the target fingerprint information carried in the request. Whether the current access behavior is a scanning behavior is thus accurately identified through the fingerprint information carried in the access request, and the security of the computer network can be effectively guaranteed.
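The S120 decision described above, as an added Python example that is not code from the patent or from Sangfor: it parses the request header, reads the fingerprint from an assumed `X-Fingerprint` header or an assumed `fp` cookie, and classifies the three attribute groups the description names (webdriver, colorDepth, audio). The decision rules inside `is_scanning_behavior` are assumptions, since the patent does not state how the attributes are weighed; the requests are constructed samples, not captured traffic.

```python
import json
from typing import Optional

# Added example; not code from the patent. It models the S120 decision on the
# security device: parse the request header, extract the fingerprint, classify.
# Header and cookie names are assumptions; the patent only says the fingerprint
# is carried in the request header (or a cookie).
FINGERPRINT_HEADER = "x-fingerprint"
FINGERPRINT_COOKIE = "fp"


def parse_http_headers(raw_request: str) -> dict:
    """Split a raw HTTP request into a lower-cased header dict (body ignored)."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")[1:]  # drop the request line
    headers = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def extract_fingerprint(headers: dict) -> Optional[dict]:
    """Return the fingerprint attributes carried in the request, or None."""
    raw = headers.get(FINGERPRINT_HEADER)
    if raw is None:
        # The description also allows the fingerprint to travel in a cookie.
        for part in headers.get("cookie", "").split(";"):
            name, _, value = part.strip().partition("=")
            if name == FINGERPRINT_COOKIE:
                raw = value
                break
    if raw is None:
        return None
    try:
        fingerprint = json.loads(raw)
    except ValueError:
        return None  # malformed value: treated as "no fingerprint carried"
    return fingerprint if isinstance(fingerprint, dict) else None


def is_scanning_behavior(fingerprint: dict) -> bool:
    """Classify the three attribute groups the patent names.

    Assumed decision rules (the patent does not spell them out):
    - webdriver set to true means the page is driven by automation software;
    - a missing or zero colorDepth means there is no real display buffer;
    - a missing audio feature means no audio stack rendered the probe.
    Any one of these marks the access as scanning.
    """
    if fingerprint.get("webdriver") is True:
        return True
    depth = fingerprint.get("colorDepth")
    if not isinstance(depth, int) or depth <= 0:
        return True
    if not fingerprint.get("audio"):
        return True
    return False


def decide(raw_request: str) -> str:
    """Map one request to the device's action: forward, reject, or issue the script."""
    fingerprint = extract_fingerprint(parse_http_headers(raw_request))
    if fingerprint is None:
        return "issue_fingerprint_instruction"
    return "reject" if is_scanning_behavior(fingerprint) else "forward"


# Constructed sample requests, not captured traffic.
BROWSER_REQUEST = (
    "GET /index.html HTTP/1.1\r\nHost: server.example\r\n"
    'Cookie: sid=abc; fp={"webdriver": false, "colorDepth": 24, "audio": "35.7498"}\r\n\r\n'
)
SCANNER_REQUEST = (
    "GET /admin/ HTTP/1.1\r\nHost: server.example\r\n"
    'X-Fingerprint: {"webdriver": true, "colorDepth": 24, "audio": "35.7498"}\r\n\r\n'
)
BARE_REQUEST = "GET /robots.txt HTTP/1.1\r\nHost: server.example\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("browser", BROWSER_REQUEST), ("scanner", SCANNER_REQUEST), ("bare", BARE_REQUEST)]:
        print(name, "->", decide(req))
```

A fingerprint that one browser generated is just a header value, so the classification on its own does not prove that the terminal sending it ran the script; the verification information introduced further on, which ties the fingerprint to a freshly issued token, is what bounds that.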
In one embodiment of the present application, the method may further comprise the steps of:
and under the condition that the target access request does not carry the target fingerprint information, issuing a fingerprint generation instruction to the first terminal so that the first terminal executes the fingerprint generation instruction to generate the fingerprint information, and carrying the fingerprint information in the access request to the second terminal.
In the embodiment of the application, after a target access request from the first terminal to the second terminal is acquired, it is judged whether the request carries target fingerprint information. If it does not, a fingerprint generation instruction can be issued to the first terminal, for example by sending it a fingerprint generation script. The fingerprint generation script may be a JS script. JS (JavaScript) is a lightweight, interpreted or just-in-time compiled high-level language with first-class functions; it is a prototype-based, multi-paradigm dynamic scripting language that supports object-oriented, imperative and declarative styles.
In practice, a browser, and also some scanners, can parse and execute the JS script.
The security protection device issues the fingerprint generation instruction to the first terminal; the instruction can carry a fingerprint generation script, and after the first terminal receives it, if the first terminal is able to parse the script, it can execute the script to generate fingerprint information. If the fingerprint generation script obtains the attributes webdriver (the browser kernel driver flag) + colorDepth (bit depth of the palette on the buffer) + audio fingerprint and generates the fingerprint information from them, the generated fingerprint information may include kernel driver features, and/or palette-on-buffer features, and/or audio features. After the first terminal generates the fingerprint information, the page can be refreshed automatically to request the second terminal's resource again, and the fingerprint information can be carried in subsequent access requests sent to the second terminal. If the fingerprint information is stored in a cookie, it will be carried when the access request is initiated again.
Further, after the security protection device obtains this access request, it can determine based on the fingerprint information carried in the request whether the current access behavior is a scanning behavior, and thus accurately identify whether the access behavior is abnormal.
If the first terminal cannot parse the fingerprint generation script, it cannot execute the fingerprint generation instruction to generate fingerprint information, and no fingerprint information will be carried in its subsequent access requests to the second terminal. When the security protection device then acquires such an access request and judges that it carries no fingerprint information, it can issue the fingerprint generation instruction to the first terminal again and repeat the corresponding steps.
In a specific embodiment of the present application, when a handshake connection is established between a first terminal and a second terminal, a target access request from the first terminal to the second terminal is obtained, and accordingly, after a fingerprint generation instruction is issued to the first terminal, the current handshake connection between the first terminal and the second terminal may also be disconnected.
After the handshake connection between the first terminal and the second terminal is established, the first terminal initiates an access request to the second terminal, and after the security protection device acquires a target access request from the first terminal to the second terminal, if the target access request is determined not to carry target fingerprint information, a fingerprint generation instruction is issued to the first terminal, so that the first terminal executes the fingerprint generation instruction to generate fingerprint information, and the reinitiated access request to the second terminal carries the fingerprint information. In the process, the first terminal and the second terminal are still in a handshake connection state, and because the security protection device does not send the target access request to the second terminal, the first terminal cannot receive the response information of the second terminal, and can continue to initiate the access request by using the current port, and connection abnormality may occur after repeating the process for multiple times. Therefore, in the embodiment of the application, after the security protection device issues the fingerprint generation instruction to the first terminal, the current handshake connection between the first terminal and the second terminal may be disconnected, so as to prevent the first terminal from accessing the second terminal again by using the current port, which may cause an abnormal connection state. The handshake connection may be re-established when the first terminal again needs access to the second terminal.
In a specific embodiment of the present application, under the condition that the target access request does not carry the target fingerprint information, it may be determined whether the number of consecutive access requests of the first terminal that do not carry the fingerprint information reaches a preset number threshold, and if the number threshold is reached, it is determined that the current access behavior is a scanning behavior.
The number threshold can be set and adjusted according to actual conditions. When a target access request from the first terminal to the second terminal is obtained and carries no target fingerprint information, it can be determined whether the number of consecutive access requests from the first terminal to the second terminal that carry no fingerprint information has reached the preset number threshold. Whether consecutive access requests come from the same terminal can be judged on the basis of the triple (sip, dip, dport), where sip is the source IP address, dip the destination IP address and dport the destination port number.
In the embodiment of the application, when the security protection device acquires an access request from the first terminal to the second terminal and determines that it carries no fingerprint information, it sends a fingerprint generation instruction to the first terminal. If the first terminal can parse and execute the fingerprint generation script carried in the instruction, the retransmitted access request carries fingerprint information; if the first terminal is not a browser, it is likely unable to parse and execute the script, and the retransmitted access request does not carry fingerprint information.
Therefore, if the number of consecutive access requests from the first terminal to the second terminal that carry no fingerprint information reaches the number threshold, it can be determined that the current access behavior is a scanning behavior and that the first terminal is not a browser but may be a scanner. If a handshake connection exists between the first terminal and the second terminal, it can be disconnected to ensure the security of the computer network. Further, the event may be logged and a blocking operation performed on the first terminal; for example, the IP (Internet Protocol) address of the first terminal may be added to a blacklist so that its access requests are directly rejected.
If the number of consecutive access requests from the first terminal to the second terminal that carry no fingerprint information has not reached the number threshold, the fingerprint generation script previously sent to the first terminal may have been corrupted or otherwise disrupted in transit; in that case the operation of issuing the fingerprint generation instruction to the first terminal may be repeated. This avoids misjudging the first terminal because of a network transmission problem and prevents its normal data access to the second terminal from being affected.
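The consecutive-request counting described above, as an added Python example that is not code from the patent: per (sip, dip, dport) triple it counts access requests that carry no fingerprint, re-issues the script and drops the handshake below the threshold, and at the threshold disconnects, logs and blacklists the source IP. The threshold value of 3, the action names and the event sequence are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Added example, not the patent's code. Tracks consecutive fingerprint-less
# requests per (sip, dip, dport) triple, as the description proposes, and
# turns the preset number threshold into a scanning verdict.

Triple = Tuple[str, str, int]


@dataclass
class ScanTracker:
    threshold: int = 3  # preset number threshold; the value is an assumption
    missing: Dict[Triple, int] = field(default_factory=lambda: defaultdict(int))
    blacklist: Set[str] = field(default_factory=set)
    log: list = field(default_factory=list)

    def observe(self, sip: str, dip: str, dport: int, has_fingerprint: bool) -> str:
        """Process one access request and return the device's action."""
        if sip in self.blacklist:
            return "reject"  # blocked terminal: request dropped outright
        key = (sip, dip, dport)
        if has_fingerprint:
            # A fingerprinted request ends the run of fingerprint-less ones;
            # the fingerprint itself is judged by the S120 logic, not here.
            self.missing.pop(key, None)
            return "inspect_fingerprint"
        self.missing[key] += 1
        if self.missing[key] >= self.threshold:
            # Threshold reached: the terminal never ran the script, so it is
            # treated as a scanner; disconnect, log, and blacklist its IP.
            self.log.append(f"scanning detected sip={sip} dip={dip} dport={dport}")
            self.blacklist.add(sip)
            self.missing.pop(key, None)
            return "disconnect_and_block"
        # Below the threshold: the script may have been lost in transit, so
        # re-issue the fingerprint instruction and drop the current handshake.
        return "issue_script_and_disconnect"


def replay(tracker: ScanTracker, events) -> list:
    """Feed constructed (sip, dip, dport, has_fingerprint) tuples through the tracker."""
    return [tracker.observe(*event) for event in events]


# Constructed event sequence, not captured traffic: one browser that lost the
# first script, one scanner that never answers with a fingerprint.
SAMPLE_EVENTS = [
    ("10.0.0.5", "10.0.0.80", 80, False),   # browser, script lost in transit
    ("10.0.0.5", "10.0.0.80", 80, True),    # browser returns with fingerprint
    ("10.0.0.9", "10.0.0.80", 80, False),   # scanner, 1st bare request
    ("10.0.0.9", "10.0.0.80", 80, False),   # scanner, 2nd
    ("10.0.0.9", "10.0.0.80", 80, False),   # scanner, 3rd -> threshold
    ("10.0.0.9", "10.0.0.80", 443, False),  # scanner, now blacklisted
]

if __name__ == "__main__":
    tracker = ScanTracker()
    for event, action in zip(SAMPLE_EVENTS, replay(tracker, SAMPLE_EVENTS)):
        print(event, "->", action)
```

The count is kept per triple, so one browser that lost a single script is never blocked, and a fingerprinted request resets the run; the same keying means a terminal that sends one fingerprint-less request to each of many ports does not reach the threshold on any single triple, so a deployment would keep a per-source view of re-issued scripts alongside this counter.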
In one embodiment of the present application, the method may further comprise the steps of:
the first step is as follows: generating verification information;
the second step is that: and sending the verification information to the first terminal so that the first terminal obtains the encrypted information based on the fingerprint information and the verification information after executing the fingerprint generation instruction to generate the fingerprint information, and the encrypted information is carried in the access request to the second terminal.
For convenience of description, the above two steps are combined for illustration.
In the embodiment of the application, after a target access request from the first terminal to the second terminal is acquired, it is judged whether the request carries target fingerprint information; if it does not, verification information can be generated and sent to the first terminal. The verification information generated for different terminals can differ, the verification information generated for the same terminal at different times can differ, and the verification information generated within the same time period can be the same.
After the fingerprint generation instruction is sent to the first terminal, the first terminal obtains verification information and the fingerprint generation instruction, can execute the fingerprint generation instruction to generate fingerprint information, then obtains encryption information based on the fingerprint information and the verification information, and carries the encryption information in an access request to the second terminal.
The verification information may include a token. After the first terminal generates the fingerprint information, it may, for example, XOR the fingerprint information with the token to obtain the encrypted information and carry the encrypted information in the access request to the second terminal. After the security protection device obtains the access request, it can extract the encrypted information, XOR it with the token again to recover the fingerprint information, determine based on the fingerprint information whether the current access behavior is a scanning behavior, identify whether the access behavior of the first terminal is abnormal, and decide whether to allow the first terminal's data access to the second terminal.
The verification information may also include a token and a key. After the first terminal generates the fingerprint information, it can encrypt the fingerprint information and the token with the key to obtain the encrypted information and carry it in the access request to the second terminal. After the security protection device obtains the access request, it can extract the encrypted information, decrypt it with the key to recover the fingerprint information, determine based on the fingerprint information whether the current access behavior is a scanning behavior, identify whether the access behavior of the first terminal is abnormal, and decide whether to allow the first terminal's data access to the second terminal.
In the case that there is a handshake connection between the first terminal and the second terminal, after both the verification information and the fingerprint generation instruction are sent to the first terminal, the current handshake connection between the first terminal and the second terminal may be disconnected.
In an embodiment of the present application, in a case that the target access request carries target fingerprint information, the method may further include the following steps:
step one: determining whether the target verification information corresponding to the target fingerprint information is expired, and if so, executing step two;
step two: generating new verification information;
step three: sending the new verification information to the first terminal, so that after the first terminal executes the fingerprint generation instruction to generate fingerprint information, it obtains encrypted information based on the fingerprint information and the new verification information and carries the encrypted information in the access request to the second terminal.
For convenience of description, the above three steps are explained together.
After a target access request from the first terminal to the second terminal is obtained, if the target access request carries target fingerprint information, the target verification information corresponding to the target fingerprint information can be obtained first. The target verification information may include a token. The header of the target access request is parsed to obtain the target fingerprint information and the target verification information carried in it; the two correspond to each other.
A validity period can be set for the verification information. After the target verification information corresponding to the target fingerprint information is obtained, whether it has expired can be determined. If it has not expired, the step of determining whether the current access behavior is a scanning behavior based on the target fingerprint information continues. If it has expired, new verification information is generated and sent to the first terminal, so that after the first terminal executes the fingerprint generation instruction to generate fingerprint information, it obtains encrypted information based on the fingerprint information and the new verification information and carries the encrypted information in the access request to the second terminal.
Under the condition that the first terminal and the second terminal have handshake connection, after the new verification information is sent to the first terminal, the current handshake connection between the first terminal and the second terminal can be disconnected, so that the first terminal is prevented from continuously initiating data access to the second terminal by using the current port.
In one embodiment of the present application, when it is determined that the current access behavior is a scanning behavior, a blocking operation may also be performed on the first terminal. For example, the IP address of the first terminal is added to a blacklist, so that when an access request from the first terminal to the second terminal is obtained again, it is directly rejected, which guarantees the security of the computer network.
In an embodiment of the application, the target access request may be the first access request of the current handshake connection. If it carries target fingerprint information and, based on that information, the current access behavior is determined not to be a scanning behavior, the target access request is sent to the second terminal; for the remainder of the current handshake connection, the access behaviors of the first terminal to the second terminal may be regarded as not being scanning behaviors, and each subsequent access request from the first terminal to the second terminal may be sent directly to the second terminal.
That is, after the first terminal and the second terminal establish the handshake connection, only the first access request initiated by the first terminal is intercepted. If this first access request carries target fingerprint information and the current access behavior is determined not to be a scanning behavior based on that information, the request is sent to the second terminal. Within the current handshake connection, any further access request from the first terminal to the second terminal can be forwarded directly by the security protection device without interception, confirmation or other processing, which improves data access efficiency.
Certainly, in practical application, the target access request may be any access request initiated by the first terminal to the second terminal, that is, as long as there is an access request from the first terminal to the second terminal, the access request is intercepted, confirmed, and the like, so as to ensure the security of the computer network.
For convenience of understanding, the scheme of the embodiment of the present application is described again by taking the specific flows shown in fig. 2 and fig. 3 as an example, where the first terminal is a client and the second terminal is a server.
In fig. 2, after the client establishes a three-way handshake connection with the server, the client initiates an access request to the server. The security protection device intercepts the access request and determines that it does not carry fingerprint information; it then generates a unique token, sends the token, the key and the fingerprint generation script to the client, and disconnects the current handshake connection. For security reasons, the fingerprint generation script may be sent in a single packet. The client executes the fingerprint generation script to generate fingerprint information, encrypts the fingerprint information together with the unique token, and places the encrypted result in a cookie.
After the client establishes a three-way handshake connection with the server again, it initiates an access request to the server. The security protection device intercepts the access request, determines that it carries fingerprint information, and determines, based on the fingerprint information, whether the current access behavior is a scanning behavior. If so, verification fails: the access request is rejected, a 405 error response is returned to the client, and the current handshake connection may be disconnected, a log recorded, and actions such as linked blocking executed. If not, verification succeeds: the access request is sent to the server and the server's response is forwarded to the client, so the client's data access to the server is achieved; further access requests from the client within the current handshake connection can be forwarded directly to the server by the security protection device.
In fig. 3, after the client establishes the three-way handshake connection with the server, the security protection device intercepts a target access request of the client to the server, and determines whether the target access request carries target fingerprint information.
If the target fingerprint information is carried, the token corresponding to the target fingerprint information is obtained and it is determined whether the token has expired. If the token has not expired, whether the current access behavior is a scanning behavior is determined based on the target fingerprint information. If it is not a scanning behavior, the target access request is let through so that the client can access data on the server. If it is a scanning behavior, the client is regarded as a scanner or the like, the target access request can be rejected, and the current handshake connection is disconnected. If the token has expired, a unique token is generated, the token and the fingerprint generation script are sent to the client, a 202 response carrying error information can be returned, and the current handshake connection is disconnected.
And if the target fingerprint information is not carried, determining whether the number of continuous access requests which do not carry any fingerprint information reaches a preset number threshold. If so, the target access request is denied and the current handshake connection is disconnected. And if not, generating a unique token, sending the token and the fingerprint generation script to the client, and disconnecting the current handshake connection.
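The request-handling flow of figs. 2 and 3, together with the no-fingerprint counter, token expiry, per-connection pass-through and blacklist blocking described above, as an added simulation that is not the patent's own code. The fingerprint is represented as a dict already recovered from the encrypted information; the envelope itself is out of scope here. The names SecurityDevice, Request and Decision, the token lifetime and threshold values, keying issued tokens by client IP, treating a token mismatch like an expired token, and the rule that a fingerprint lacking any of the three named feature groups marks a scanner are all assumptions of this example.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple

TOKEN_LIFETIME = 300   # seconds a token stays valid (assumed value)
NO_FP_THRESHOLD = 3    # consecutive no-fingerprint requests before rejecting (assumed value)
# Feature groups the page names for the fingerprint information; keys are assumptions
FP_FEATURES = ("kernel_driver", "palette_buffer", "audio")


@dataclass
class Request:
    client_ip: str
    conn_id: str                        # identifies one three-way-handshake connection
    fingerprint: Optional[dict] = None  # recovered from the encrypted information, or None
    token: Optional[str] = None         # token recovered alongside it


@dataclass
class Decision:
    action: str                    # "forward", "challenge" or "reject"
    status: Optional[int] = None   # 202 / 405 where the page names a response code
    disconnect: bool = False       # whether the current handshake connection is torn down
    note: str = ""


@dataclass
class SecurityDevice:
    clock: Callable[[], float] = time.time
    issued: Dict[str, Tuple[str, float]] = field(default_factory=dict)  # ip -> (token, expiry)
    no_fp_count: Dict[str, int] = field(default_factory=dict)           # ip -> consecutive count
    verified_conns: Set[str] = field(default_factory=set)               # connections already verified
    blacklist: Set[str] = field(default_factory=set)                    # blocked client addresses
    seq: int = 0

    def _issue_token(self, ip: str) -> str:
        """Generate verification information for a client (sequential here; random in practice)."""
        self.seq += 1
        token = f"tok-{self.seq:04d}"
        self.issued[ip] = (token, self.clock() + TOKEN_LIFETIME)
        return token

    @staticmethod
    def is_scanner(fp: dict) -> bool:
        """Assumed rule: a client that produced none of a named feature group is treated as a scanner."""
        return any(not fp.get(name) for name in FP_FEATURES)

    def handle(self, req: Request) -> Decision:
        if req.client_ip in self.blacklist:
            return Decision("reject", note="client is blocked")
        if req.conn_id in self.verified_conns:
            # Fig. 2: later requests on an already verified connection are forwarded directly
            return Decision("forward", note="connection already verified")
        if req.fingerprint is None:
            # Fig. 3, no fingerprint: count consecutive bare requests, challenge until the threshold
            count = self.no_fp_count.get(req.client_ip, 0) + 1
            self.no_fp_count[req.client_ip] = count
            if count >= NO_FP_THRESHOLD:
                return Decision("reject", disconnect=True, note="no-fingerprint threshold reached")
            token = self._issue_token(req.client_ip)
            return Decision("challenge", disconnect=True, note=f"sent {token} and fingerprint script")
        self.no_fp_count[req.client_ip] = 0
        issued = self.issued.get(req.client_ip)
        if issued is None or issued[0] != req.token or self.clock() > issued[1]:
            # Fig. 3, token expired (an unknown or mismatched token is treated the same way here)
            token = self._issue_token(req.client_ip)
            return Decision("challenge", status=202, disconnect=True, note=f"token expired; sent {token}")
        if self.is_scanner(req.fingerprint):
            self.blacklist.add(req.client_ip)  # blocking operation on the first terminal
            return Decision("reject", status=405, disconnect=True, note="scanning behavior")
        self.verified_conns.add(req.conn_id)
        return Decision("forward", note="fingerprint verified")


if __name__ == "__main__":
    device = SecurityDevice()
    # Constructed traffic: a bare first request, then a verified request on a new connection
    print(device.handle(Request("10.0.0.5", "conn-1")))
    issued_token = device.issued["10.0.0.5"][0]
    browser_fp = {"kernel_driver": "drv-a1", "palette_buffer": "pal-7f", "audio": "aud-03"}
    print(device.handle(Request("10.0.0.5", "conn-2", browser_fp, issued_token)))
```

The blacklist is consulted first so a blocked client costs nothing beyond a set lookup, and the consecutive counter is reset as soon as a fingerprint arrives, so a legitimate browser that sent one bare request before the script ran is not pushed toward the threshold by its own retries. The clock is injectable so the expiry branch can be exercised deterministically.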
According to the embodiment of the application, no additional agent needs to be deployed: the security protection device alone can accurately identify whether the access behavior of the first terminal to the second terminal is a scanning behavior, and the security of the computer network is guaranteed.
Corresponding to the above method embodiments, the present application further provides a scanning behavior recognition apparatus; the apparatus described below and the scanning behavior recognition method described above may be cross-referenced with each other.
Referring to fig. 4, the apparatus may include the following modules:
an access request obtaining module 410, configured to obtain a target access request from a first terminal to a second terminal;
the scanning behavior identification module 420 is configured to, when the target access request carries target fingerprint information, determine whether the current access behavior is a scanning behavior based on the target fingerprint information.
By applying the device provided by the embodiment of the application, after the target access request of the first terminal to the second terminal is acquired, whether the current access behavior is the scanning behavior is determined based on the target fingerprint information under the condition that the target access request carries the target fingerprint information. Whether the current access behavior is the scanning behavior is accurately identified through the fingerprint information carried in the access request, and the safety of a computer network can be effectively guaranteed.
In one embodiment of the present application, the apparatus further includes:
and the instruction issuing module is used for issuing a fingerprint generation instruction to the first terminal under the condition that the target access request does not carry the target fingerprint information, so that the first terminal executes the fingerprint generation instruction to generate the fingerprint information and carries the fingerprint information in the access request to the second terminal.
In a specific embodiment of the present application, the access request obtaining module 410 is configured to:
under the condition that a handshake connection is established between a first terminal and a second terminal, acquiring a target access request of the first terminal to the second terminal;
the apparatus further comprises a handshake disconnection module configured to:
and after the fingerprint generation instruction is issued to the first terminal, the current handshake connection between the first terminal and the second terminal is disconnected.
In one embodiment of the present application, the apparatus further includes:
the verification information generating module is used for generating verification information;
and the verification information sending module is used for sending the verification information to the first terminal so that the first terminal obtains the encrypted information based on the fingerprint information and the verification information after executing the fingerprint generating instruction to generate the fingerprint information, and carries the encrypted information in the access request to the second terminal.
In one embodiment of the present application, the apparatus further includes:
the verification information timeliness determining module is used for determining whether target verification information corresponding to the target fingerprint information is overdue or not under the condition that the target access request carries the target fingerprint information, and if the target verification information is overdue, triggering the verification information generating module to generate new verification information;
and the verification information sending module is further used for sending the new verification information to the first terminal so that the first terminal obtains the encrypted information based on the fingerprint information and the verification information after executing the fingerprint generating instruction to generate the fingerprint information, and carries the encrypted information in the access request to the second terminal.
In a specific embodiment of the present application, the apparatus further includes a request number determining module, configured to:
under the condition that the target access request does not carry target fingerprint information, determine whether the number of continuous access requests of the first terminal which do not carry any fingerprint information reaches a preset number threshold;
if the number threshold is reached, trigger the scanning behavior identification module 420 to determine that the current access behavior is a scanning behavior.
In one embodiment of the present application, the target fingerprint information includes kernel-driven features, and/or palette-on-buffer features, and/or audio features.
In an embodiment of the present application, the apparatus further comprises a blocking module configured to:
and performing blocking operation on the first terminal under the condition that the current access behavior is determined to be the scanning behavior.
Corresponding to the above method embodiment, an embodiment of the present application further provides a scanning behavior recognition device, including:
a memory for storing a computer program;
and the processor is used for realizing the steps of the scanning behavior identification method when executing the computer program.
Fig. 5 is a schematic structural diagram of the scanning behavior recognition device, which may include: a processor 10, a memory 11, a communication interface 12 and a communication bus 13. The processor 10, the memory 11 and the communication interface 12 communicate with each other through the communication bus 13.
In the embodiment of the present application, the processor 10 may be a Central Processing Unit (CPU), an application specific integrated circuit, a digital signal processor, a field programmable gate array or other programmable logic device, etc.
The processor 10 may call a program stored in the memory 11, and in particular, the processor 10 may perform operations in an embodiment of the scanning behavior recognition method.
The memory 11 is used for storing one or more programs, the program may include program codes, the program codes include computer operation instructions, in this embodiment, the memory 11 stores at least the program for implementing the following functions:
acquiring a target access request of a first terminal to a second terminal;
and under the condition that the target access request carries target fingerprint information, determining whether the current access behavior is a scanning behavior or not based on the target fingerprint information.
In one possible implementation, the memory 11 may include a program storage area and a data storage area, wherein the program storage area may store an operating system, an application program required by at least one function (such as a request resolution function, a connection control function), and the like; the storage data area may store data created during use, such as access request data, behavior recognition data, and the like.
Further, the memory 11 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device or other volatile solid state storage device.
The communication interface 12 may be an interface of a communication module for connecting with other devices or systems.
Of course, it should be noted that the structure shown in fig. 5 does not constitute a limitation of the scanning behavior recognition device in the embodiment of the present application, and in practical applications, the scanning behavior recognition device may include more or less components than those shown in fig. 5, or some components may be combined.
Corresponding to the above method embodiments, the present application further provides a computer-readable storage medium, on which a computer program is stored, and the computer program, when executed by a processor, implements the steps of the scanning behavior identification method.
The embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same or similar parts among the embodiments are referred to each other.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The principle and the implementation of the present application are explained in the present application by using specific examples, and the above description of the embodiments is only used to help understanding the technical solution and the core idea of the present application. It should be noted that, for those skilled in the art, it is possible to make several improvements and modifications to the present application without departing from the principle of the present application, and such improvements and modifications also fall within the scope of the claims of the present application.

Claims (11)

1. A scanning behavior recognition method, comprising:
acquiring a target access request of a first terminal to a second terminal;
and under the condition that the target access request carries target fingerprint information, determining whether the current access behavior is a scanning behavior or not based on the target fingerprint information.
2. The method of claim 1, further comprising:
and under the condition that the target access request does not carry the target fingerprint information, issuing a fingerprint generation instruction to the first terminal so that the first terminal executes the fingerprint generation instruction to generate fingerprint information, and carrying the fingerprint information in the access request to the second terminal.
3. The method of claim 2, wherein obtaining the target access request from the first terminal to the second terminal comprises:
under the condition that a first terminal and a second terminal establish handshake connection, acquiring a target access request of the first terminal to the second terminal;
correspondingly, after the issuing of the fingerprint generation instruction to the first terminal, the method further includes:
and disconnecting the current handshake connection between the first terminal and the second terminal.
4. The method of claim 2, further comprising:
generating verification information;
and sending the verification information to the first terminal so that the first terminal obtains encrypted information based on the fingerprint information and the verification information after executing the fingerprint generation instruction to generate the fingerprint information, and the encrypted information is carried in an access request to the second terminal.
5. The method according to claim 1, wherein in case that the target access request carries the target fingerprint information, further comprising:
determining whether target verification information corresponding to the target fingerprint information is expired;
if expired, generating new verification information;
and sending the new verification information to the first terminal so that the first terminal obtains encrypted information based on the fingerprint information and the verification information after executing the fingerprint generation instruction to generate the fingerprint information, and the encrypted information is carried in an access request to the second terminal.
6. The method of claim 1, further comprising:
determining whether the number of continuous access requests of the first terminal, which do not carry the fingerprint information, reaches a preset number threshold under the condition that the target access request does not carry the target fingerprint information;
if the number threshold is reached, then it is determined that the current access behavior is a scanning behavior.
7. The method of claim 1,
the target fingerprint information includes kernel-driven features, and/or palette-on-buffer features, and/or audio features.
8. The method of any of claims 1 to 7, wherein, when it is determined that the current access behavior is a scanning behavior, the method further comprises:
and performing blocking operation on the first terminal.
9. A scanning behavior recognition apparatus, comprising:
the access request acquisition module is used for acquiring a target access request of the first terminal to the second terminal;
and the scanning behavior identification module is used for determining whether the current access behavior is a scanning behavior or not based on the target fingerprint information under the condition that the target access request carries the target fingerprint information.
10. A scanning behavior recognition device, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the scanning behavior recognition method according to any one of claims 1 to 8 when executing the computer program.
11. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, which computer program, when being executed by a processor, carries out the steps of the scanning behavior recognition method according to one of the claims 1 to 8.
CN202110143477.5A 2021-02-02 2021-02-02 Scanning behavior identification method, device, equipment and storage medium Pending CN112953921A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110143477.5A CN112953921A (en) 2021-02-02 2021-02-02 Scanning behavior identification method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN112953921A true CN112953921A (en) 2021-06-11

Family

ID=76241635

Country Status (1)

Country Link
CN (1) CN112953921A (en)

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2013522936A (en) * 2010-01-21 2013-06-13 アリババ・グループ・ホールディング・リミテッド Block malicious access
US9032217B1 (en) * 2012-03-28 2015-05-12 Amazon Technologies, Inc. Device-specific tokens for authentication
CN107135212A (en) * 2017-04-25 2017-09-05 武汉大学 Man-machine identifying device and method under a kind of Web environment of Behavior-based control difference
CN108400955A (en) * 2017-02-06 2018-08-14 腾讯科技(深圳)有限公司 A kind of means of defence and system of network attack
CN108521408A (en) * 2018-03-22 2018-09-11 平安科技(深圳)有限公司 Resist method of network attack, device, computer equipment and storage medium
CN110636068A (en) * 2019-09-24 2019-12-31 杭州安恒信息技术股份有限公司 Method and device for identifying unknown CDN node in CC attack protection
CN110958239A (en) * 2019-11-26 2020-04-03 腾讯科技(深圳)有限公司 Method and device for verifying access request, storage medium and electronic device
CN111447201A (en) * 2020-03-24 2020-07-24 深信服科技股份有限公司 Scanning behavior recognition method and device, electronic equipment and storage medium
CN111586005A (en) * 2020-04-29 2020-08-25 杭州迪普科技股份有限公司 Scanner scanning behavior identification method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210611