CN113132373B - Web attack defense method of active interference strategy - Google Patents
- Publication number: CN113132373B (application CN202110400119.8A)
- Authority: CN (China)
- Prior art keywords: attacker, client, resources, functions, defense
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
All entries fall under H04L (transmission of digital information, e.g. telegraphic communication), within H (electricity) and H04 (electric communication technique):
- H04L63/02: Network security architectures or protocols for separating internal from external traffic, e.g. firewalls
- H04L63/0807: Network security architectures or protocols for authentication of entities using tickets, e.g. Kerberos
- H04L63/1408: Detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416: Event detection, e.g. attack signature detection
- H04L63/1441: Countermeasures against malicious traffic
- H04L63/1466: Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
- H04L67/02: Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
Abstract
The invention relates to a Web attack defense method based on an active interference strategy, in the technical field of network security. Because an attacker's bypass of other defense measures such as a WAF cannot be completely prevented, the method supplements the existing defenses: it continuously consumes a large amount of resources on the attacker's device unless the attacker closes the web page, thereby achieving the defense effect. Because the Web server only embeds the corresponding code in the interface returned to the attacker's client, the server-side cost is negligible and the performance consumption of the server is reduced.
Description
Technical Field
The invention relates to the technical field of network security, in particular to a Web attack defense method for an active interference strategy.
Background
With the increase of the computing power of the server and the popularization of cloud computing, individuals, enterprises and the like have more opportunities to open own services in the internet, wherein most of the services are Web services. The development of the Web technology promotes the birth of various Web applications, but meanwhile, network attack events aiming at the Web applications are also endless. Various attacks seriously compromise the security and reliability of the service, and various protective measures are brought forward.
For Web attacks, the current solution is the WAF (Web Application Firewall). A WAF inspects traffic from visitors to the Web service in real time and blocks attack behavior according to its rules, but in practice an attacker can still bypass the WAF by transforming the attack payload and thereby attack the Web service.
Disclosure of Invention
(I) Technical problem to be solved
The technical problem to be solved by the invention is as follows: how to further thwart the malicious behavior of an attacker in the existing Web defense technology.
(II) technical scheme
In order to solve the technical problem, the invention provides a Web attack defense method of an active interference strategy, which comprises the following steps:
step 1, determining the influence range of a client script
When the client accesses various Web services and executes various functions, monitoring the performance indexes of the equipment, and determining some performance indexes as target influence ranges as the influence ranges of the client scripts;
step 2, collecting client API function
Collecting API functions which can affect equipment, screening and verifying the API functions, and obtaining the API functions which finally meet the requirements;
step 3, code deployment
Deploying the acquired API functions to a server, wherein the functions can be utilized in a single form or a combined form, debugging corresponding parameters, and embedding the debugged script codes into a normal Web page when determining that an attacker attacks the Web service, so that the equipment of the attacker can be influenced finally;
step 4, after the attacker triggers the defense, executing the following steps:
(1) Attack confirmation
The initial attack is confirmed by matching a characteristic payload or by detecting sensitive file access;
after the attacker is confirmed, the characteristics of the attacker are recorded, where the characteristics comprise parameters in the client's request header; at the server, the remote IP of the client is recorded as a characteristic; in addition, the server returns a Token to the client and sets LocalStorage to determine the unique identity of the attacker;
(2) Starting the active interference strategy defense
After the defense is triggered, the characteristics of the attacker are recorded, and the corresponding script code is then embedded into the page returned for any access request matching those characteristics, so that the performance of the attacker's client device is reduced accordingly.
Preferably, the target influence range determined in step 1 includes the following indexes: CPU occupancy rate, memory occupancy rate, disk occupancy rate and network throughput occupancy rate.
Preferably, step 2 is specifically:
collecting client API functions: collecting functions related to numerical calculation and resource access in all API functions opened by a client, specifically functions related to calculation resources, storage resources, memory resources and network resources;
screening client API functions: further screening each collected function, checking whether the function needs manual authorization of a client side, discarding the function needing interaction with an attacker and authorized by the attacker, and executing the rest functions at the client side;
verification: each remaining function is tried individually to see whether it consumes the preset amount of resources; each API function that produces the preset amount of resource usage can finally be utilized.
Preferably, the recorded characteristics of the attacker comprise Cookie, accept, user-Agent, accept-Encoding and Accept-Language.
Preferably, after the active interference policy defense is started, if the same feature does not make other malicious requests for the Web service within a preset time, the active interference defense for the feature is cancelled at the server.
Preferably, all the utilized API functions are executed asynchronously in an infinite loop during the defense process.
Preferably, in step 2, the finally determined API functions to be utilized include: 1) performing operations, including encryption and encoding, on oversized numerical values; 2) establishing a large number of hidden canvases and multimedia resources; 3) loading remote resources, including video, picture and audio resources, into local storage.
Preferably, the performance of the client device of the attacker is finally reduced correspondingly, including the increase of the CPU occupancy rate, the increase of the memory occupancy rate, the increase of the disk occupancy rate and the increase of the network throughput occupancy rate, which affects the normal use of the client device.
Preferably, the script code includes JavaScript and WebAssembly code.
The invention also provides application of the method in the technical field of network security.
(III) advantageous effects
The invention provides a defense method against Web attackers that adopts an active interference strategy and can further prevent a malicious attacker from accessing the Web service. Corresponding script code is inserted into the front-end interface returned by the Web service; it calls API functions provided by the attacker's client and performs a large amount of useless computation, storage and similar work, consuming the attacker's device resources. At the same time, the system can collect relevant fingerprints and environment information, access and operate on the attacker's local resources, and facilitate later forensic investigation. Existing experiments show that the method noticeably reduces the performance of the device on which the attacker's client runs, effectively prevents the attacker's malicious requests to the Web service, and improves on existing defense methods.
It can be seen that the invention has the following technical effects:
(1) Because an attacker's bypass of other defense measures such as a WAF cannot be completely prevented, the method supplements the existing defenses: it continuously consumes a large amount of resources on the attacker's device unless the attacker closes the web page, thereby achieving the defense effect.
(2) Because the Web server only embeds the corresponding code in the interface returned to the attacker's client, the server-side cost is negligible and the performance consumption of the server is reduced.
Drawings
FIG. 1 is a partial flow chart of the Web attack defense method of the active interference strategy of the present invention, which shows the establishment and deployment flow design of the present invention, relating to the preparation process before the defense of the active interference strategy;
fig. 2 is a flowchart after the attack is triggered after the defense is effectively deployed, and details of a mechanism and a flow after the attack triggers the defense method are given.
Detailed Description
In order to make the objects, contents, and advantages of the present invention more apparent, the following detailed description of the present invention will be made in conjunction with the accompanying drawings and examples.
The invention aims to provide a method for actively interfering with a Web attacker. The method can further block the malicious behavior of an attacker on top of existing Web defense technology. Through the APIs provided by the Web client, front-end script code runs under the attacker's identity at the attacker's client and performs additional operations locally, such as various infinite-loop function calls, initiating other URL access requests and caching a large number of meaningless data files; these actions seriously consume the attacker's device performance and ultimately hinder the attacker. The method is a defense means against Web attackers in the conventional Internet environment.
The method first collects API functions provided by the client that occupy larger amounts of resources (computing, storage, memory, network and so on), then screens out those that do not need active authorization by the client and keeps the API functions that can be executed directly, then verifies the effect of each API on the performance of the client device, and finally deploys the API code that meets the requirements to the server side, where it waits to be triggered by an attacker.
Fig. 1 is a partial flow chart of the implementation of the present solution, which relates to a preparation process before active interference policy defense. The method specifically comprises the following steps:
step 1, determining the influence range of client script
When the client accesses various Web services and executes various functions, the performance index of the equipment is monitored, and the target influence range with larger fluctuation is determined. The target influence range determined in this embodiment includes the following indexes:
(1) CPU occupancy rate
Any code execution is accompanied with occupation of CPU operation, so that various calculation functions and drawing functions can be infinitely circularly executed, and parameters are set to be larger data, so that the occupation rate of a large amount of CPUs can be improved.
(2) Memory occupancy rate
When a function is called in a recursive manner, or complex elements are rendered on the same page, the memory occupancy will rise significantly.
(3) Occupancy rate of disk (local storage occupancy rate)
Some functions can load remote resources to the local, and due to the cache policy of the client, under the condition that records are not cleared manually, data always occupies disk resources, so that the disk of an attacker is consumed persistently.
(4) Occupancy rate of network throughput (network IO)
The function interacting with the URL occupies the network throughput of the equipment, the selectable modes are methods such as GET, POST and the like, and the performance of the attacker network can be greatly reduced by utilizing the method to interact data with various URLs for a long time.
(5) Others
In addition, the equipment of the attacker can be used as a springboard to detect other resources of the local intranet and the intranet, such as other Web resources of the intranet, and the result is returned to the server. Even if an attacker does not use a renderable client, a large amount of garbage data can be returned to the attacker, thereby causing certain influence.
Step 2, collecting client API function
Acquire the API functions that can noticeably affect the device, then screen and verify them to obtain the API functions that finally meet the requirements.
(1) Collecting
In all API functions opened by the client, functions related to numerical calculation and resource access (specifically, functions related to calculation resources, storage resources, memory resources, and network resources) are collected.
(2) Screening
Each collected function is further screened to see if it requires manual authorization by the client, and for functions that require interaction with an attacker and are authorized by him, the functions are discarded, and the remaining functions should ensure that they are easy to execute at the client, after which they can be further verified.
(3) Verification
The remaining functions are tried to be utilized separately to see whether the consumption of a large amount of resources can be performed, and each function which can generate a large amount of resource occupation can be finally utilized.
Step 3, code deployment
Collected API functions are deployed to a server and can be utilized singly or in combination. The corresponding parameters are debugged, and the debugged script code (JavaScript and WebAssembly code) is embedded into the normal Web page when it is determined that the attacker is attacking the Web service, so that the attacker's device is ultimately affected.
In this step, the acquired API function is debugged, and after the corresponding parameters are set, the API function is deployed at the server to wait for the trigger of the attacker, and the whole trigger flow is shown in fig. 2. Fig. 2 is a detailed mechanism after an attacker triggers the defense method, and relates to execution of various functions, achieved effects, influences on the attacker, and the like.
Step 4, after the attacker triggers the defense, execute the following steps:
(1) Attack confirmation
The confirmation of the initial attack is similar to the attack confirmation mechanism of other defense methods, such as matching feature loads, sensitive file access detection and the like.
After confirming that the client is the attacker, recording the characteristics of the attacker so as to ensure that other normal clients are not accidentally injured. The universal characteristic is that the client accesses parameters in a request header, such as Cookie, accept, user-Agent, accept-Encoding and Accept-Language; at the server, recording the remote IP of the client as a characteristic; in addition, the server can also return Token to the client, set LocalStorage and the like, and the unique identity of the attacker can be determined according to the Token and the LocalStorage and the like.
(2) Starting the active interference strategy defense
After the defense is triggered, the characteristics of the attacker are recorded, and then the corresponding script code is embedded into any access request matched with the characteristics.
Cancellation of active interference policy defense: if the same characteristic does not make other malicious requests for the Web service for a long time, active interference defense for the characteristic is cancelled at the server side.
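The server-side bookkeeping behind step 4 (attack confirmation, recording the attacker's characteristics, binding them to a returned Token, matching later requests against them, and cancelling the mark after a period with no further malicious requests) can be modelled as a small registry. The following is an added example written for this page; it is not code from the patent or from any product. The detection rules, header set, TTL, class and function names (`Request`, `InterferenceRegistry`, `observe`, `is_attack`, `fingerprint`) and all sample requests are constructed assumptions. It deliberately contains no client-side script: the registry only decides whether a request belongs to a confirmed attacker and which Token to return, which is the same decision a WAF block list or per-client response policy needs.

```python
import re
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import unquote

# Request-header parameters the patent names as recorded characteristics.
FEATURE_HEADERS = ("Cookie", "Accept", "User-Agent", "Accept-Encoding", "Accept-Language")

# Constructed, minimal attack-confirmation rules (assumption): sensitive-file access
# and a few characteristic payload signatures. A real rule set is far larger.
SENSITIVE_PATHS = ("/etc/passwd", "/.env", "/.git/", "/wp-config.php")
PAYLOAD_SIGNATURES = tuple(re.compile(p, re.I) for p in (r"union\s+select", r"<script\b", r"\.\./"))


@dataclass(frozen=True)
class Request:
    ip: str                      # remote IP seen by the server
    path: str                    # request path including query string, as sent
    headers: Dict[str, str]
    token: Optional[str] = None  # Token previously handed out by the server (e.g. kept in LocalStorage)


def is_attack(req: Request) -> bool:
    """Attack confirmation: characteristic payload match or sensitive-file access."""
    target = unquote(req.path)  # decode once so %2F-encoded traversal is still caught
    if any(s in target for s in SENSITIVE_PATHS):
        return True
    return any(sig.search(target) for sig in PAYLOAD_SIGNATURES)


def fingerprint(req: Request) -> Tuple[str, ...]:
    """Recorded characteristics: remote IP plus the named request-header parameters."""
    return (req.ip,) + tuple(req.headers.get(h, "") for h in FEATURE_HEADERS)


@dataclass
class Entry:
    token: str
    last_malicious: float  # clock reading of the most recent confirmed malicious request


class InterferenceRegistry:
    """Tracks confirmed attackers by Token and by fingerprint; forgets them after `ttl_seconds`
    without a new malicious request (the cancellation rule of the method)."""

    def __init__(self, ttl_seconds: float, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock  # injectable so tests can advance time deterministically
        self._by_token: Dict[str, Entry] = {}
        self._by_fingerprint: Dict[Tuple[str, ...], Entry] = {}

    def observe(self, req: Request) -> Tuple[bool, Optional[str]]:
        """Returns (marked, token): `marked` is True when the response for this request should
        carry the interference policy; `token` is the Token to (re)issue to the client."""
        now = self.clock()
        self._expire(now)
        fp = fingerprint(req)
        # A previously issued Token identifies the client even if its headers or IP change.
        entry = self._by_token.get(req.token or "") or self._by_fingerprint.get(fp)
        if is_attack(req):
            if entry is None:
                entry = Entry(token=secrets.token_hex(16), last_malicious=now)
                self._by_token[entry.token] = entry
            entry.last_malicious = now
            self._by_fingerprint[fp] = entry  # bind the current characteristics to this attacker
        if entry is None:
            return False, None
        return True, entry.token

    def active_count(self) -> int:
        return len(self._by_token)

    def _expire(self, now: float) -> None:
        stale = [t for t, e in self._by_token.items() if now - e.last_malicious > self.ttl]
        for t in stale:
            del self._by_token[t]
        self._by_fingerprint = {fp: e for fp, e in self._by_fingerprint.items() if e.token in self._by_token}


if __name__ == "__main__":
    # Constructed walk-through: a probe for /etc/passwd marks the client; later benign
    # requests with the same characteristics stay marked until the TTL elapses.
    reg = InterferenceRegistry(ttl_seconds=60)
    hdr = {"User-Agent": "ua-1", "Accept": "*/*", "Accept-Encoding": "gzip", "Accept-Language": "en"}
    print(reg.observe(Request("198.51.100.7", "/index.html", hdr)))
    print(reg.observe(Request("198.51.100.7", "/download?file=..%2F..%2Fetc%2Fpasswd", hdr)))
    print(reg.observe(Request("198.51.100.7", "/index.html", hdr)))
```

Two design points matter in practice: the fingerprint is only a fallback for clients that discard the Token, so a benign request that merely shares headers with an attacker is only marked while that attacker's entry is alive, and the expiry is driven by the last confirmed malicious request rather than the last request of any kind, which is what the cancellation rule in the text requires.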
The final effect is:
all the utilized API functions can be executed in an infinite loop, and the methods utilized in this embodiment are: 1) operations on oversized numerical values, such as encryption and encoding; 2) establishing a large number of hidden canvases, multimedia resources and the like; 3) loading remote resources, such as video, picture and audio resources, into local storage.
Finally, the performance of the client equipment of the attacker is greatly reduced, including the increase of the CPU occupancy rate, the increase of the memory occupancy rate, the increase of the disk occupancy rate, the increase of the network throughput occupancy rate and the like, so that the normal use of the client equipment is influenced, and the final defense purpose of the active interference strategy is realized.
The above description is only a preferred embodiment of the present invention, and it should be noted that, for those skilled in the art, several modifications and variations can be made without departing from the technical principle of the present invention, and these modifications and variations should also be regarded as the protection scope of the present invention.
Claims (7)
1. A Web attack defense method for an active interference strategy is characterized by comprising the following steps:
step 1, determining the influence range of a client script
When the client accesses various Web services and executes various functions, the performance indexes of the equipment are monitored, and a target influence range is determined as the influence range of the client script, wherein the target influence range comprises the following performance indexes: CPU occupancy rate, memory occupancy rate, disk occupancy rate and network throughput occupancy rate;
step 2, collecting client API function
Collecting API functions which can affect equipment, screening and verifying the API functions, and obtaining the API functions which finally meet the requirements;
the step 2 specifically comprises the following steps:
collecting client API functions: collecting functions related to numerical calculation and resource access in all API functions opened by a client, specifically functions related to calculation resources, storage resources, memory resources and network resources;
screening client API functions: further screening each collected function, checking whether the function needs manual authorization of the client, discarding the function needing interaction with an attacker and authorized by the attacker, wherein the rest functions can be executed at the client;
and (3) verification: trying to utilize the remaining functions individually to check whether the preset amount of resources can be consumed, wherein each API function capable of generating the preset amount of resource occupation can be utilized finally;
step 3, code deployment
Deploying the acquired API functions to a server, wherein the functions can be utilized in a single form or a combined form, debugging corresponding parameters, and embedding the debugged script codes into a normal Web page when determining that an attacker attacks the Web service, so that the equipment of the attacker can be influenced finally;
step 4, after the attacker triggers the defense, executing the following steps:
(1) Attack confirmation
The initial attack is confirmed by matching a characteristic payload or by detecting sensitive file access;
after the attacker is confirmed, the characteristics of the attacker are recorded, where the characteristics comprise parameters in the client's request header; at the server, the remote IP of the client is recorded as a characteristic; in addition, the server returns a Token to the client and sets LocalStorage to determine the unique identity of the attacker;
(2) Starting the active interference strategy defense
After the defense is triggered, the characteristics of the attacker are recorded, and the corresponding script code is then embedded into the page returned for any access request matching those characteristics, so that the performance of the attacker's client device is reduced accordingly.
2. The method of claim 1, wherein the recorded characteristics of the attacker include Cookie, accept, user-Agent, accept-Encoding, accept-Language.
3. The method of claim 2, wherein after the active interference policy defense is initiated, if the same feature has not been requested for another malicious request to the Web service within a predetermined time, the active interference defense is cancelled at the server for the feature.
4. The method of claim 3, wherein during the defense, all utilized API functions are executed asynchronously in an infinite loop.
5. The method of claim 1, wherein in step 2, the finally determined utilized API function comprises: 1) Performing operations on the overlarge numerical value, including encryption and encoding; 2) Establishing a large amount of hidden canvas and multimedia resources; 3) And loading remote resources including video resources, picture resources and audio resources in local.
6. The method of claim 2, wherein the performance of the ultimate attacker client device decreases accordingly, including increased CPU utilization, increased memory utilization, increased disk utilization, and increased network throughput, affecting its normal use.
7. The method of claim 1, wherein the scripting code comprises javascript and Webassembly code.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110400119.8A CN113132373B (en) | 2021-04-14 | 2021-04-14 | Web attack defense method of active interference strategy |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113132373A CN113132373A (en) | 2021-07-16 |
CN113132373B true CN113132373B (en) | 2022-12-02 |
Family
ID=76776287
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110400119.8A Active CN113132373B (en) | 2021-04-14 | 2021-04-14 | Web attack defense method of active interference strategy |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113132373B (en) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114244600B (en) * | 2021-12-15 | 2023-11-24 | 杭州默安科技有限公司 | Method for interfering malicious program |
CN115051847B (en) * | 2022-06-07 | 2024-01-19 | 中国电子信息产业集团有限公司第六研究所 | Method, device and electronic equipment for determining attack level of denial of service attack |
CN115086030A (en) * | 2022-06-14 | 2022-09-20 | 中国电信股份有限公司 | Fingerprint attack protection method and device for HTTPS encrypted traffic, electronic equipment and medium |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104967628A (en) * | 2015-07-16 | 2015-10-07 | 浙江大学 | Deceiving method of protecting web application safety |
CN109347794A (en) * | 2018-09-06 | 2019-02-15 | 国家电网有限公司 | A kind of Web server safety defense method |
CN110611564A (en) * | 2019-07-30 | 2019-12-24 | 云南昆钢电子信息科技有限公司 | System and method for defending API replay attack based on timestamp |
CN111917691A (en) * | 2019-05-10 | 2020-11-10 | 张长河 | WEB dynamic self-adaptive defense system and method based on false response |
CN112491892A (en) * | 2020-11-27 | 2021-03-12 | 杭州安恒信息安全技术有限公司 | Network attack inducing method, device, equipment and medium |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8196204B2 (en) * | 2008-05-08 | 2012-06-05 | Lawrence Brent Huston | Active computer system defense technology |
US9497215B2 (en) * | 2014-07-23 | 2016-11-15 | Cisco Technology, Inc. | Stealth mitigation for simulating the success of an attack |
Timeline
- 2021-04-14: CN application CN202110400119.8A filed; granted as CN113132373B, status Active
Also Published As
Publication number | Publication date |
---|---|
CN113132373A (en) | 2021-07-16 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |