CN113676479A - Data defense method, defense device, terminal device and readable storage medium - Google Patents


Publication number
CN113676479A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110961168.9A
Other languages
Chinese (zh)
Inventor
肖军
欧怀谷
王枭卿
丁倩
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Yundun Smart Security Technology Co ltd
Original Assignee
Yundun Smart Security Technology Co ltd

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441: Countermeasures against malicious traffic
    • H04L63/1491: Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment


Abstract

The embodiments of the invention disclose a data defense method, a defense device, a terminal device and a readable storage medium, which are applied in the technical field of network security and can provide a security guarantee for data to be accessed. The method provided by the embodiments comprises: the defense device receives a first access request sent by a terminal device, wherein the first access request comprises an address of data to be accessed; and, in the case where the defense device determines that the first access request is an attack request, if the defense device determines that the address of the data to be accessed belongs to the addresses of preset access data, the defense device outputs a first response message according to the first access request, wherein the first response message comprises a link address of a data defense system (DWS), or access data of a uniform resource locator (url) address of the DWS.

Description

Data defense method, defense device, terminal device and readable storage medium
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a data defense method, a defense device, a terminal device, and a readable storage medium.
Background
With the continuous development and popularization of the Internet, the Internet has become an indispensable communication platform. Many services now rely on the Internet, for example online banking, online shopping and online tours. Many malicious attackers, for bad purposes, attack World Wide Web (Web) servers and try by various means to obtain other people's information for profit.
In the prior art, the main protection mechanism is the Web application protection system (Waf), which detects illegal content in a request and blocks the request. A Web security mechanism similar to the present invention is the Web sandbox: an application system with multiple vulnerabilities is set up so that an attacker can discover it and attack it. By analyzing the logs, the attack behavior and the attacker can be found, but the Web sandbox has the following disadvantages:
1. Static: a sandbox can only play a role if an attacker discovers the sandbox.
2. Detection only: it has detection capability but no protection capability; when an attack occurs, it cannot protect the accessed page and can only identify the attacker and the attack behavior.
3. Lag: an attacker may already have attacked other targets before the sandbox is attacked.
Disclosure of Invention
The embodiment of the invention provides a data defense method, defense equipment, terminal equipment and a readable storage medium, which are used for solving the technical problem that security protection cannot be provided for data to be accessed.
A first aspect of an embodiment of the present invention provides a data defense method, which may include:
the defense equipment receives a first access request sent by terminal equipment, wherein the first access request comprises an address of data to be accessed;
and, in the case where the defense device determines that the first access request is an attack request, if the defense device determines that the address of the data to be accessed belongs to the addresses of the preset access data, the defense device outputs a first response message according to the first access request, wherein the first response message comprises a link address of a data defense system (DWS) or access data of a uniform resource locator (url) address of the DWS.
Optionally, if the defense device determines that the address of the data to be accessed belongs to the address of the preset access data, the defense device outputs an address including a DWS according to the first access request, including: and the defense equipment determines that the address of the data to be accessed belongs to the address of the preset access data, and then sends a first response message to the terminal equipment, wherein the first response message comprises a link address of the DWS, and the link address of the DWS is used for the terminal equipment to access the data.
Optionally, if the defense device determines that the address of the data to be accessed belongs to the address of the preset access data, the defense device outputs an address including a DWS according to the first access request, including: the defense equipment determines that the address of the data to be accessed belongs to the address of the preset access data, and then determines a URL (uniform resource locator) address of the DWS; the defense device determines the access data about the url address of the DWS according to the first access request; the defense device sends a first reply message to the terminal device, the first reply message including the access data regarding the url address of the DWS.
Optionally, the determining that the first access request is an attack request includes:
the defense device determines that the first access request is an attack request when the first access request successfully matches a preset string matching rule and/or regular expression matching rule; or,
the defense device determines that the first access request is an attack request if it receives more than a first preset number of access requests within a preset time length, wherein those access requests include the first access request; or,
the defense device determines that the first access request is an attack request if it receives more than a first preset number of access requests within a preset time length and the access responses to more than a second preset number of those requests indicate that the requested object does not exist, wherein those access requests include the first access request, and the first preset number is greater than the second preset number; or,
the defense device sends a first request to the terminal device, receives a request result sent by the terminal device, and determines that the first access request is an attack request if the request result matches the request result of a preset attack device.
Optionally, the domain name of the first reply message is the domain name of the data to be accessed.
A second aspect of the embodiments of the present invention provides a data defense method, which may include:
the method comprises the steps that terminal equipment sends a first access request to defense equipment, wherein the first access request comprises an address of data to be accessed;
the terminal equipment receives a first response message sent by the defense equipment, wherein the first response message comprises a link address of the DWS or access data of a URL address of the DWS.
Optionally, in a case that the first reply message includes a link address of the DWS, the method further includes: the terminal device accesses access data obtained about the link address of the DWS based on the link address of the DWS.
A third aspect of an embodiment of the present invention provides a defense apparatus, which may include:
a transceiver module, configured to receive a first access request sent by a terminal device, wherein the first access request comprises an address of data to be accessed;
and a processing module, configured to output a first response message according to the first access request in the case where the first access request is determined to be an attack request and the address of the data to be accessed belongs to the addresses of the preset access data, wherein the first response message comprises a link address of the data defense system DWS or access data of a uniform resource locator (url) address of the DWS.
Optionally, the processing module is specifically configured to determine that the address of the data to be accessed belongs to the addresses of the preset access data, and then determine a uniform resource locator (url) address of the DWS; and to determine the access data of the url address of the DWS according to the first access request;
optionally, the transceiver module is specifically configured to send a first response message to the terminal device, where the first response message includes the access data about the url address of the DWS.
Optionally, the processing module is specifically configured to determine that the first access request is an attack request when the first access request successfully matches a preset string matching rule and/or regular expression matching rule; or,
the processing module is specifically configured to determine that the first access request is an attack request if the defense device receives more than a first preset number of access requests within a preset time length, wherein those access requests include the first access request; or,
the processing module is specifically configured to determine that the first access request is an attack request if the defense device receives more than a first preset number of access requests within a preset time length and the access responses to more than a second preset number of those requests indicate that the requested object does not exist, wherein those access requests include the first access request, and the first preset number is greater than the second preset number; or,
the transceiver module is also used for sending a first request to the terminal equipment, receiving a request result sent by the terminal equipment,
the processing module is specifically configured to determine that the first access request is an attack request if the request result matches a request result of a preset attack device.
Optionally, the domain name of the first reply message is the domain name of the data to be accessed.
A fourth aspect of the embodiments of the present invention provides a terminal device, which may include:
the receiving and sending module is used for sending a first access request to the defense equipment, wherein the first access request comprises an address of data to be accessed; and receiving a first response message sent by the defense device, wherein the first response message comprises a link address of the DWS or access data of the URL address of the DWS.
Optionally, the terminal device may further include: and the processing module is used for accessing and obtaining the access data related to the link address of the DWS according to the link address of the DWS.
A fifth aspect of an embodiment of the present invention provides a server, which may include:
a memory storing executable program code;
and a processor and transceiver coupled to the memory;
the processor calls the executable program code stored in the memory, which when executed by the processor causes the processor and the transceiver to implement the method according to the first aspect of embodiments of the present invention.
A sixth aspect of an embodiment of the present invention provides a user terminal, which may include:
a memory storing executable program code;
and a processor and transceiver coupled to the memory;
the processor calls the executable program code stored in the memory, which when executed by the processor causes the processor and the transceiver to implement the method according to the second aspect of the embodiments of the present invention.
A further aspect of embodiments of the present invention provides a computer-readable storage medium having stored thereon executable program code, which when executed by a processor, implements a method according to the first or second aspect of embodiments of the present invention.
In another aspect, the present invention discloses a computer program product, which when run on a computer, causes the computer to execute the method of any one of the first and second aspects of the present invention.
In another aspect, an embodiment of the present invention discloses an application publishing platform, where the application publishing platform is configured to publish a computer program product, where when the computer program product runs on a computer, the computer is caused to execute any one of the methods disclosed in the first aspect or the second aspect of the embodiment of the present invention.
Compared with the prior art, the embodiment of the invention has the following beneficial effects:
In the embodiment of the invention, a defense device receives a first access request sent by a terminal device, wherein the first access request comprises an address of data to be accessed; and, in the case where the defense device determines that the first access request is an attack request, if the defense device determines that the address of the data to be accessed belongs to the addresses of the preset access data, the defense device outputs a first response message according to the first access request, wherein the first response message comprises a link address of a data defense system (DWS) or access data of a uniform resource locator (url) address of the DWS. That is, after receiving an attack request, the defense device outputs the link address of the DWS, or the access data of the url address of the DWS, instead of the data to be accessed, thereby preventing the data to be accessed from being attacked and providing a security guarantee for the data to be accessed.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the following briefly introduces the embodiments and the drawings used in the description of the prior art, and obviously, the drawings in the following description are only some embodiments of the present invention, and other drawings can be obtained according to the drawings.
Fig. 1 is a schematic diagram of a deployment manner of a defense device according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of a deployment manner of a defense device according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of a deployment manner of a defense device according to an embodiment of the present invention;
Fig. 4 is a flowchart illustrating a data defense method according to an embodiment of the present invention;
Fig. 5 is a flowchart illustrating a data defense method according to an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of a data defense system of a defense apparatus according to an embodiment of the present invention;
Fig. 7 is a schematic diagram of one embodiment of a defense apparatus in an embodiment of the invention;
Fig. 8 is a schematic diagram of an embodiment of a terminal device in the embodiment of the present invention;
Fig. 9 is a schematic structural diagram of a defense apparatus in an embodiment of the invention;
Fig. 10 is a block diagram of a structure of a relevant part of a terminal device according to an embodiment of the present invention.
Detailed Description
The embodiment of the invention provides a data defense method, terminal equipment and a computer readable storage medium, which are used for providing security guarantee for data to be accessed.
In order to make the technical solutions of the present invention better understood by those skilled in the art, the technical solutions in the embodiments of the present invention will be described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all embodiments. The embodiments based on the present invention should fall into the protection scope of the present invention.
The terms "first" and "second," and the like, in the description and in the claims of the present invention are used for distinguishing between different objects and not for describing a particular order of the objects. For example, the first hint message and the second hint message, etc. are used to distinguish between different hint messages, rather than to describe a particular order of hint messages.
It should be noted that, in the embodiments of the present invention, words such as "exemplary" or "for example" are used to indicate examples, illustrations or explanations. Any embodiment or design described as "exemplary" or "e.g.," an embodiment of the present invention is not necessarily to be construed as preferred or advantageous over other embodiments or designs. Rather, use of the word "exemplary" or "such as" is intended to present concepts related in a concrete fashion.
In the following, a brief description of the terms referred to in the present application is given, as follows:
(1) Deception Web system (DWS): a real Web system containing multiple vulnerabilities that is offered to an attacker (such as a terminal device) to probe and attack, so that the protection object (such as access data) is protected, or the attack on the protection object is delayed. The DWS is an integral part of the overall deception system.
(2) Decoy: when an attacker probes and attacks the protection object, DWS information is provided to the attacker and the vulnerabilities on the DWS are exposed to the attacker, so that the attacker is drawn into attacking the DWS.
The deception Web system may also be referred to as a data defense system, etc., and is not specifically limited herein.
The Web service platform is the most vulnerable. Attacks on Web servers come in many forms; common attacks include Web page Trojan implantation, Structured Query Language (SQL) injection, buffer overflow, sniffing, and attacks on Web server vulnerabilities such as those in Internet Information Services (IIS).
In the prior art, the Web sandbox is static and has no protection capability: when an attack occurs, it cannot protect the accessed page and can only identify the attacker and the attack behavior. In addition, the mainstream data defense method, as used by intrusion prevention systems (IPS) and firewalls, is to block attacking access requests, but blocking leads the attacker to change the attack method and use stealthier attack requests to bypass the protection.
It will be appreciated that current security mechanisms for Web attacks are generally divided into detection and handling, as follows:
Detection is typically performed by out-of-path (bypass) detection systems such as intrusion detection systems (IDS). Handling is typically performed by devices such as IPS and Waf, which both detect and block.
Detection is typically feature detection (string/regular match, etc.) and behavior detection. Blocking is generally to discard attack requests in the access requests, or to discard all access requests of a malicious terminal device for a period of time.
In order to solve the above problem, embodiments of the present invention provide a data defense method in which an attack request receives a timely response, so that the attacker discovers an intentionally exposed vulnerability and then targets that exposed vulnerability. Because vulnerability scanning and penetration attacks proceed smoothly, the attacker is kept from switching to stealthier attack methods, which avoids raising the difficulty of detection and protection.
The following describes the technical solutions of the present application and how to solve the above technical problems with specific embodiments. The following several specific embodiments may be combined with each other, and details of the same or similar concepts or processes may not be repeated in some embodiments. Embodiments of the present application will be described below with reference to the accompanying drawings.
In this embodiment, the terminal device may be a Mobile Phone (Mobile Phone), a tablet computer (Pad), a computer with a wireless transceiving function, a Virtual Reality (VR) terminal device, an Augmented Reality (AR) terminal device, a wireless terminal device in Industrial Control (Industrial Control), a wireless terminal device in self driving (self driving), a wireless terminal device in remote medical (remote medical), a wireless terminal device in smart grid (smart grid), a wireless terminal device in transportation safety (transportation safety), a wireless terminal device in smart city (smart city), a wireless terminal device in smart home (smart home), or the like.
By way of example and not limitation, in the embodiments of the present application, the terminal device may also be a wearable device. Wearable device, also called wearable smart device, is the general term for devices that can be worn, developed by applying wearable technology to the intelligent design of everyday wear, such as glasses, gloves, watches, clothing and shoes. A wearable device is a portable device that is worn directly on the body or integrated into the clothing or accessories of the user. The wearable device is not only a hardware device, but also realizes powerful functions through software support, data interaction and cloud interaction. Generalized wearable smart devices include devices that are full-featured, large in size and able to implement all or part of their functions without relying on a smartphone, such as smart watches or smart glasses, and devices that focus on only one type of application function and need to be used together with other devices such as smartphones, such as various smart bracelets and smart jewelry for physical sign monitoring.
The defense device may also be referred to as a data defense device, a defense system, or a deception system, etc., and is not particularly limited herein.
Please refer to fig. 1, wherein fig. 1 is a schematic diagram illustrating a deployment manner of a defense apparatus according to an embodiment of the present invention. The defense device 102 may be deployed on a Web server 103, and the defense device 102 may be integrated with software (Apache) in the Web server, for example.
Referring to fig. 2, fig. 2 is a schematic diagram illustrating a deployment manner of a defense device according to an embodiment of the present invention. The defense device 102 may be a separate device that connects communication between the Web server 103 and the terminal device 101. For example, the defense device 102 is integrated with the Waf or reverse proxy.
Referring to Fig. 3, Fig. 3 is a schematic diagram illustrating a deployment manner of a defense device according to an embodiment of the present invention. The defense device 102 may also be integrated with a security system in the cloud, such as a Software-as-a-Service (SaaS) Web security mechanism, which is typically a cloud Waf.
In the above three deployment manners, the defense device 102 may provide the data defense capability by analyzing the traffic of the Web server, which is not limited in the embodiment of the present invention.
The technical solution of the present application is further described below by way of an embodiment, and as shown in fig. 4, a flow diagram of a data defense method provided by an embodiment of the present invention may include:
401. the terminal equipment sends a first access request to the defense equipment.
The defense equipment receives a first access request sent by the terminal equipment.
Wherein the first access request comprises an address of data to be accessed; for example, the address of the data to be accessed is a uniform resource locator (url) address.
402. In the case where the defense device determines that the first access request is an attack request, if the defense device determines that the address of the data to be accessed belongs to the addresses of the preset access data, the defense device outputs a first response message according to the first access request.
The terminal equipment receives the first response message sent by the defense equipment.
Wherein the first reply message includes a link address of the data defense system DWS or access data of a uniform resource locator (url) address of the DWS. It will be appreciated that the access data of the url address of the DWS is obtained by the defense device from the server.
Optionally, the defense device determines that the address of the data to be accessed belongs to an address of preset access data, and outputs an address including a DWS according to the first access request, which may include but is not limited to the following implementation manners:
(1) The defense device determines that the address of the data to be accessed belongs to the addresses of the preset access data, and then sends a first response message to the terminal device.
Wherein the first reply message includes a link address of the DWS, and the link address of the DWS is used for data access by the terminal device.
Illustratively, after the defense device determines that the address of the data to be accessed (also called the protection object) belongs to the address of a login page, it implants the link address of the login page in the DWS into the content of the first response, where the page behind the DWS link address contains high-risk vulnerabilities and is easy to attack. The terminal device (also referred to as the attacker) can therefore easily discover these vulnerabilities through the first access request, and may select these pages to attack.
In the embodiment of the invention, the attack request is steered toward the implanted DWS link address, which interferes with vulnerability discovery and with the normal progress of the attack, so that the data to be accessed is effectively protected.
(2) The defense equipment determines that the address of the data to be accessed belongs to the address of the preset access data, and then determines a URL (uniform resource locator) address of the DWS; the defense equipment acquires the access data of the url address of the DWS according to the first access request; the defense device sends a first response message to the terminal device.
Wherein the first reply message includes the access data regarding the url address of the DWS.
Optionally, the obtaining, by the defense device, the access data about the url address of the DWS according to the first access request may include: the defense device sends a processed first access request to a Web server, wherein the processed first access request comprises a url address related to the DWS; and receiving access data which is sent by the Web server and is about the url address of the DWS.
Illustratively, the defense device configures a url address in the DWS (e.g., url-b) for a particular url address of data to be accessed (e.g., url-a). When the first access request probes, scans for vulnerabilities in, or attacks the data to be accessed, the first access request for the url-a address is forwarded to the url-b address. In this way, the first access request would in theory obtain the access data of the url-a address (which may include vulnerability information and the like) but actually obtains the access data of the url-b address, so that the access data of the url-a address is effectively protected from attack.
In the embodiment of the invention, the defense device forwards the url address of the data to be accessed to the corresponding url address in the DWS, and the attack request acquires the data of the corresponding url address in the DWS, so that protection can be provided for the specific data to be accessed.
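The two response modes described in implementations (1) and (2) can be sketched as follows. This is an added example, not code from the patent: the paths, page contents, `DECOY_MAP`, `canonical_path` and `respond` are hypothetical names, the attack verdict is supplied by the caller, and serving the origin page with an implanted link in mode (1) is one reading of "implanted into the first response content".

```python
import posixpath
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit

# Constructed configuration (hypothetical paths): each protected address
# (url-a, the "preset access data") maps to its counterpart in the DWS (url-b).
DECOY_MAP = {"/login": "/dws/login", "/admin/export": "/dws/admin/export"}

# Constructed stand-ins for the Web server and the DWS backend.
ORIGIN_PAGES = {
    "/login": "<html><body><form id='real-login'></form></body></html>",
    "/about": "<html><body>About us</body></html>",
}
DWS_PAGES = {
    "/dws/login": "<html><body><form id='decoy-login'></form></body></html>",
    "/dws/admin/export": "<html><body>decoy export</body></html>",
}


@dataclass
class Reply:
    body: str
    source: str  # "origin", "origin+link", "dws" or "default-policy" (audit only)


def canonical_path(url: str) -> str:
    """Reduce a request URL to the form used as the DECOY_MAP key.

    Without this step, /login/, /LOGIN?x=1 or /a/%2e%2e/login would miss the
    map and an attack request would be answered from the protected page.
    Lower-casing assumes the origin treats paths case-insensitively.
    """
    path = "/" + unquote(urlsplit(url).path).lstrip("/")
    return posixpath.normpath(path).lower()


def respond(url: str, is_attack: bool, mode: str = "forward") -> Reply:
    """Choose the first response message for one request.

    mode "link"    : implementation (1), implant the DWS link in the reply.
    mode "forward" : implementation (2), fetch url-b and return its data under
                     the original domain (no redirect is sent to the client).
    """
    path = canonical_path(url)
    if not is_attack:
        return Reply(ORIGIN_PAGES.get(path, "not found"), "origin")

    decoy = DECOY_MAP.get(path)
    if decoy is None:
        # Address is not in the preset list: hand over to the deployment's
        # existing policy (assumption; the text does not cover this branch).
        return Reply("", "default-policy")

    if mode == "link":
        # Relative link, so the decoy appears under the same domain name.
        link = f'<a href="{decoy}">login</a>'
        page = ORIGIN_PAGES.get(path, "<html><body></body></html>")
        return Reply(page.replace("</body>", link + "</body>", 1), "origin+link")

    if mode != "forward":
        raise ValueError(f"unknown mode: {mode}")
    return Reply(DWS_PAGES[decoy], "dws")
```

Logging `Reply.source` next to the client address gives the defender a record of which requests were answered from the DWS.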
Optionally, the determining that the first access request is an attack request may include, but is not limited to, the following implementation manners:
(1) When the first access request successfully matches a preset string matching rule and/or regular expression matching rule, the defense device determines that the first access request is an attack request.
Illustratively, the defense device acquires a first access request, extracts field characteristics of the access request, judges whether the first access request can be matched with a preset character string matching rule and/or a regular matching rule according to the field characteristics of the access request, and if the first access request is matched with the preset character string matching rule and/or the regular matching rule, the access request is an attack request.
In the embodiment of the invention, through character string matching and/or regular matching, whether the first access request is an attack request can be quickly judged, the misjudgment rate is reduced, and the data protection of subsequent defense equipment is facilitated.
Or,
(2) If the defense device receives more than a first preset number of access requests within a preset time length, it determines that the first access request is an attack request, where the access requests exceeding the first preset number include the first access request.
Illustratively, the preset duration is 1 second and the first preset number is 100. That is, when the access requests from a single access terminal Internet Protocol (IP) address exceed 100 within 1 second, the access request is determined to be an attack request.
In the embodiment of the invention, whether the first access request is an attack request or not can be quickly judged by detecting the number of the access requests in unit time, so that the misjudgment rate is reduced, and the subsequent defense equipment can conveniently protect data.
Or,
(3) If the defense device receives more than a first preset number of access requests within a preset time length, and more than a second preset number of the corresponding access responses indicate that the request object does not exist, it determines that the first access request is an attack request, where the access requests exceeding the first preset number include the first access request, and the first preset number is greater than the second preset number.
Illustratively, the preset duration is 1 second, the first preset number is 100, and the second preset number is 95. That is, if a single access terminal IP address sends more than 100 access requests within 1 second and more than 95 of the access responses are that the request object does not exist (404), the access request is determined to be an attack request.
In the embodiment of the invention, whether the first access request is an attack request or not can be quickly judged by detecting the number of the access requests in unit time and the response content of the access requests, so that the misjudgment rate is reduced, and the subsequent defense equipment can conveniently protect data.
Or,
(4) The defense device sends a first request to the terminal device, receives a request result sent by the terminal device, and determines that the first access request is an attack request if the request result matches the request result of a preset attack device.
Illustratively, a specific question is submitted through a JavaScript (js) request; if the answer given is a preset specific result, the access request is an attack request, and the terminal can thus be detected as a Burp Suite scanner.
In the embodiment of the invention, whether the first access request is an attack request can be quickly judged by detecting whether the response of the access request is consistent with the preset content, so that the misjudgment rate is reduced, and the subsequent defense equipment can conveniently protect the data.
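Determination methods (1) to (3) above can be sketched as follows. This is an added example, not code from the patent: the rule strings, the class and function names and the sample events are assumptions constructed for illustration, while the thresholds (1 second, 100 requests, 95 responses of 404) are the ones given in the text.

```python
import re
from collections import defaultdict, deque
from urllib.parse import unquote_plus

# Method (1): assumed example rules; a deployment would load its own rule set.
STRING_RULES = ("select(sleep(", "union select")
REGEX_RULES = (
    re.compile(r"\bselect\b.*\bfrom\b", re.I),
    re.compile(r"\bsleep\s*\(\s*\d+\s*\)", re.I),
)


def matches_signature(query):
    """Method (1): string and regular-expression matching on the decoded query."""
    decoded = unquote_plus(query).lower()
    if any(s in decoded for s in STRING_RULES):
        return True
    return any(r.search(decoded) for r in REGEX_RULES)


class AttackDetector:
    """Per-IP sliding window implementing method (2), or method (3) if use_404."""

    def __init__(self, window=1.0, first_preset=100, second_preset=95, use_404=False):
        if use_404 and not first_preset > second_preset:
            raise ValueError("first preset number must exceed the second")
        self.window = window
        self.first_preset = first_preset
        self.second_preset = second_preset
        self.use_404 = use_404
        # ip -> deque of (timestamp, status); production code would also expire idle IPs
        self._recent = defaultdict(deque)

    def observe(self, ip, ts, query, status):
        """Record one request/response pair; return the reason it is an attack, or None."""
        recent = self._recent[ip]
        recent.append((ts, status))
        # Drop entries that have left the preset time length.
        while recent and recent[0][0] <= ts - self.window:
            recent.popleft()
        if matches_signature(query):
            return "signature"
        if len(recent) > self.first_preset:
            if not self.use_404:
                return "rate"
            not_found = sum(1 for _, code in recent if code == 404)
            if not_found > self.second_preset:
                return "rate+404"
        return None


def replay(detector, events):
    """Feed (ip, ts, query, status) tuples; return the first verdict seen per IP."""
    first = {}
    for ip, ts, query, status in events:
        verdict = detector.observe(ip, ts, query, status)
        if verdict and ip not in first:
            first[ip] = verdict
    return first


def constructed_events():
    """Constructed sample traffic (documentation IP ranges), not real logs."""
    events = []
    # Path-guessing burst: 101 requests in 0.5 s, 96 of them answered with 404.
    for i in range(101):
        events.append(("203.0.113.7", i * 0.005, "id=%d" % i, 200 if i < 5 else 404))
    # Busy client whose requests all succeed: 101 requests in 0.5 s, all 200.
    for i in range(101):
        events.append(("198.51.100.9", i * 0.005, "page=%d" % i, 200))
    # One request carrying the third probe quoted in the SQL injection example.
    probe = "user_name=168768'%2b(select*from(select(sleep(20)))a)%2b'&password=400360"
    events.append(("192.0.2.4", 0.1, probe, 200))
    return events


if __name__ == "__main__":
    print("method (2):", replay(AttackDetector(), constructed_events()))
    print("method (3):", replay(AttackDetector(use_404=True), constructed_events()))
```

Run over the same constructed traffic, method (2) flags the busy client whose requests all succeed, while method (3) flags only the burst that is mostly 404 responses.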
Optionally, the domain name of the first reply message is the domain name of the data to be accessed.
Illustratively, the defense device changes the domain name of the first reply message to the domain name of the data to be accessed while sending the first reply message.
In the embodiment of the invention, the domain name of the first response message is changed into the domain name of the data to be accessed, that is, the first access request is informed that the response message comes from the data to be accessed, so that the security of the data to be accessed is ensured.
Optionally, in a case that the first reply message includes a link address of the DWS, the method further includes: the terminal device accesses access data obtained about the link address of the DWS based on the link address of the DWS.
Optionally, the accessing, by the terminal device, the access data about the link address of the DWS according to the link address of the DWS includes: the terminal equipment sends a second access request to the defense equipment, wherein the second access request comprises a link address of the DWS; the terminal device receives a second response message including access data regarding the link address of the DWS.
Illustratively, the terminal device sends an access request, namely a second access request, to the defense device according to the link address of the DWS, the defense device sends the second access request to the server, then receives access data about the link address of the DWS sent by the server, the defense device sends a second response message to the terminal device, the second response message includes the access data about the link address of the DWS, and the terminal device receives the second response message to obtain the access data about the link address of the DWS.
In the embodiment of the invention, the terminal equipment accesses and obtains the access data related to the link address of the DWS, thereby facilitating the subsequent security guarantee for the data to be accessed.
In the embodiment of the invention, a defense device receives a first access request sent by a terminal device, where the first access request includes an address of data to be accessed. When the defense device determines that the first access request is an attack request, and determines that the address of the data to be accessed belongs to the addresses of preset access data, it outputs a first response message according to the first access request, where the first response message includes a link address of a data defense system (DWS), or access data about a uniform resource locator (url) address of the DWS. That is, after receiving the attack request, the defense device outputs the link address of the DWS, or the access data about the url address of the DWS, instead of the data to be accessed, so that the data to be accessed is not output and is prevented from being attacked, and a security guarantee is provided for the data to be accessed.
It can be understood that when an attacker scans and probes the protected object for vulnerabilities, the weaknesses and vulnerabilities of the DWS are exposed to the attacker, or the vulnerabilities of the protected object are covered, so that the attacker is guided to attack the DWS, and vulnerability discovery and the normal course of the attack are interfered with, thereby effectively protecting high-value access data. The traditional protection approach, such as an IPS or a firewall, is to block attack requests, but blocking can cause an attacker to change the attack mode and adopt more concealed attack requests to bypass protection. The invention ensures that the attacker obtains responses in time and discovers the deliberately exposed real vulnerabilities, misleading the attacker into targeting the exposed vulnerabilities. Because vulnerability scanning and penetration attacks can proceed smoothly, the attacker is kept from adopting concealed attack modes that would make detection and protection more difficult, so that the data to be accessed is prevented from being attacked and a security guarantee is provided for it.
As shown in fig. 5, fig. 5 is a schematic flow chart of a data defense method provided in an embodiment of the present invention, which takes SQL injection as an example to illustrate how the defense device works:
501. The terminal device sends an attack request to the defense device.
For example, assuming that the terminal device is a scanner trying to find injectable parameters, it sends three attack requests in sequence to detect whether the user_name parameter of the data to be accessed is injectable.
The first attack request is:
Get login.jsp?user_name=168768'&password=400360
The second attack request is:
Get login.jsp?user_name=168768”&password=400360
The third attack request is:
Get login.jsp?user_name=168768'%2b(select*from(select(sleep(20)))a)%2b'&password=400360
502. The defense device determines a response message according to the attack request.
Illustratively, in a normal case, the following fields are included in the response message of the attack target to the first request:
javax.servlet.ServletException:
com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '400360'' at line 1.
The response message to the first attack request does not include a statement such as 'error in SQL syntax';
the response message to the second attack request includes 'error in SQL syntax';
and the response message to the third attack request is delayed by the corresponding sleep function time.
503. The defense device sends the response message to the terminal device.
For example, the scanner may determine that the first attack request cannot be executed correctly according to "You have an error in your SQL syntax";
the scanner may determine that the second attack request can be executed normally according to the fact that the response message of the second attack request does not contain statements such as 'error in SQL syntax';
the scanner may determine that the third attack request can be executed normally according to a parameter value of sleep in a response message of the third attack request.
According to the response messages of the three requests, the scanner judges that the attack mode can be changed, and uses a more concealed attack request to bypass protection; that is, the user_name parameter of the data to be accessed can be used for injection, so that the data to be accessed cannot be protected.
The embodiment of the invention can respond to the first attack request with a response message that does not include an 'error in SQL syntax' statement; respond to the second attack request with a response message that includes 'error in SQL syntax'; and delay the response to the third attack request by the corresponding sleep function time. The scanner is thereby misled into attacking the user_name parameter in the DWS as an injection point.
By adopting this method, a scanner (such as the Burp Suite scanner) can be effectively defended against: by informing the scanner that an SQL injection point exists in the DWS, the scanner is kept from changing its attack mode and adopting more concealed attack requests to bypass protection, and security protection is provided for the data to be accessed.
As shown in fig. 6, fig. 6 is a schematic structural diagram of a data defense system of a defense device in an embodiment of the present invention.
The data defense system is divided into two parts, one is a core execution part and the other is a Web server part. The core execution part executes tasks such as client authentication, response implantation, flow forwarding and the like; the Web server part provides a real Web system for an attacker to discover the vulnerability and execute various attacks.
The functional modules of the core execution part are introduced as follows:
(a) The Web attack detection module finds attack requests by analyzing access traffic. It is mainly based on feature detection, for example using the detection features of a WAF.
(b) The client active verification module implants an active verification code into the response message sent to the client, that is, the terminal device, for the terminal device to complete the verification. It examines whether the terminal device can complete the verification, whether the verification result is correct, and whether the verification result is a suspicious one. From this it judges the attributes of the terminal device, including whether it is a normal browser, whether it is a crawler, and whether it belongs to a certain scanner.
(c) The client traffic identification module analyzes the traffic of the access requests. It can find attacks that bypass feature detection by means such as encoding, can distinguish a scanner from a crawler, and reduces the false alarm rate of detection.
(d) The system configuration module is the part that reads the data defense system configuration file, which has two parts. The first is the basic information of the guard object, which may include the domain name and IP of the guard object and the access port of the guard object (e.g., 80 or 8080). The second is the url addresses of the guard object that need to be protected, and the url addresses in the DWS that are used to protect them.
(e) The system running state module is mainly used for recording the state of each terminal device, including the traffic volume of its access requests, the traffic behavior data of its access requests, whether an access request is an attack request, whether the terminal device has performed active verification, the active verification result and the like. The Web attack detection module, the client active verification module and the client traffic identification module send their detection results to the system running state module.
(f) The induction implantation module analyzes the traffic of the access requests and selects a response message of a suitable type for implantation. The implanted content is page links in the DWS, and the linked pages contain various vulnerabilities, such as Cross Site Scripting (XSS), SQL injection vulnerabilities and the like.
(g) The traffic forwarding module has two functions. The first is to forward an attack request for a specific protected url address to the corresponding url address in the DWS; for example, the attack request for the url-a address mentioned above is forwarded to the url-b address and answered by the DWS. The second is to send the access request to the DWS when an attack request accesses a DWS page link implanted by the induction implantation module. Besides this, the traffic forwarding module is responsible for sending response messages from the guard object to the terminal device and for sending response messages returned from the DWS to the terminal device. In addition, the domain name of the response message needs to be changed to the domain name of the guard object, that is, the terminal device is informed that the response message comes from the guard object.
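The forwarding decision of module (g), driven by the configuration described for module (d), can be sketched as follows. This is an added example, not code from the patent: the host names, paths, field names and the path canonicalisation step are assumptions made for illustration.

```python
import posixpath
from dataclasses import dataclass, field
from urllib.parse import unquote, urlsplit


@dataclass
class GuardConfig:
    """Assumed shape of the configuration read by the system configuration module."""
    protected_domain: str                 # domain name of the guard object
    protected_origin: str                 # IP:port of the guard object
    dws_origin: str                       # host:port of the DWS web server
    url_map: dict = field(default_factory=dict)         # url-a -> url-b
    implanted_links: set = field(default_factory=set)   # DWS links implanted in pages


def canonical(path):
    """Normalise the path so that '/./login.jsp;x=1' and '//login.jsp' both hit
    the '/login.jsp' entry; without this, a path variant reaches the guard object."""
    path = unquote(path.split(";", 1)[0])
    return posixpath.normpath("/" + path.lstrip("/"))


def route(cfg, target, is_attack):
    """Return (upstream, upstream_target) for one request line target.

    is_attack is the verdict recorded for this client by the detection modules."""
    parts = urlsplit(target)
    path = canonical(parts.path)
    query = "?" + parts.query if parts.query else ""
    if is_attack and path in cfg.url_map:
        # First function: protected url-a is answered by url-b in the DWS.
        return cfg.dws_origin, cfg.url_map[path] + query
    if is_attack and path in cfg.implanted_links:
        # Second function: a followed implanted link is sent to the DWS.
        return cfg.dws_origin, path + query
    return cfg.protected_origin, target


def rewrite_response(cfg, headers, body):
    """Replace DWS host references so the reply carries the guard object's domain."""
    dws_host = cfg.dws_origin.split(":")[0]

    def fix(text):
        text = text.replace(cfg.dws_origin, cfg.protected_domain)
        return text.replace(dws_host, cfg.protected_domain)

    host_bearing = ("location", "content-location", "set-cookie")
    out = {k: fix(v) if k.lower() in host_bearing else v for k, v in headers.items()}
    new_body = fix(body)
    out["Content-Length"] = str(len(new_body.encode("utf-8")))
    return out, new_body


# Constructed configuration for illustration only.
EXAMPLE = GuardConfig(
    protected_domain="shop.example.com",
    protected_origin="10.0.0.10:8080",
    dws_origin="dws.internal.example:8081",
    url_map={"/login.jsp": "/app2/login.jsp"},
    implanted_links={"/help/feedback.jsp"},
)

if __name__ == "__main__":
    print(route(EXAMPLE, "/login.jsp?user_name=1%27", True))
    print(route(EXAMPLE, "/login.jsp?user_name=alice", False))
```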
The Web server portion of the data defense system contains complete Web service functionality, including Web service software, such as Nginx and Apache, and a complete data layer. The Web server deploys pages of types such as asp, php, jsp and the like for deception. The dynamic page type of the DWS is consistent with the dynamic page type of the guard object. The forensics function has two parts. The first detects newly added files and copies them to another folder or sends them to another host for storage. A newly added file is likely to be an uploaded web management script (Webshell) file, and the purpose of copying it or sending it to another host is to prevent an attacker from deleting the file after acquiring permissions. The second records the system calls made when the new file runs and tries to record the result of running the webshell.
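The first forensics function, preserving newly added files before they can be deleted, can be sketched as follows. This is an added example, not code from the patent: the function names, the record fields and the naming of the evidence copies are assumptions, and the evidence folder is assumed to lie outside the web root.

```python
import hashlib
import os


def snapshot(web_root):
    """Return the set of file paths (relative to web_root) that currently exist."""
    found = set()
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            found.add(os.path.relpath(os.path.join(dirpath, name), web_root))
    return found


def preserve_new_files(web_root, baseline, evidence_dir):
    """Copy every file that is not in baseline into evidence_dir.

    Returns one record per preserved file and adds the file to baseline, so a
    later call reports only files added since. evidence_dir must already exist
    and must not be inside web_root."""
    records = []
    for rel in sorted(snapshot(web_root) - baseline):
        src = os.path.join(web_root, rel)
        try:
            with open(src, "rb") as fh:
                data = fh.read()
        except FileNotFoundError:
            # Deleted between the directory walk and the read; nothing to keep.
            continue
        digest = hashlib.sha256(data).hexdigest()
        # The hash prefix keeps copies of same-named files with different content apart.
        copy = os.path.join(evidence_dir, digest[:16] + "_" + rel.replace(os.sep, "_"))
        if not os.path.exists(copy):
            with open(copy, "wb") as out:
                out.write(data)
            os.chmod(copy, 0o400)  # read-only evidence copy
        records.append({"path": rel, "sha256": digest, "size": len(data), "copy": copy})
        baseline.add(rel)
    return records
```

Take the baseline with `snapshot()` when the DWS is deployed, then call `preserve_new_files()` on a short interval; sending the copies to another host, as the text suggests, keeps them out of reach of an attacker who later gains permissions on the DWS.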
The data layer includes various types of common databases, such as relational database management systems (MySQL, DB2, Oracle) and the like, and a file system. An attacker can test and attack the database, including obtaining various information about the database (table information, user information, administrator accounts and passwords), and perform various operations on the database, including obtaining database content and tampering with database information. Through these operations, an attacker can perform data acquisition, data destruction, Webshell file writing, privilege escalation and the like. Through the file system, an attacker can upload a Webshell file and access it to acquire system information, make outbound connections, escalate system privileges and the like.
In the embodiment of the present invention, the traffic forwarding module is configured to receive a first access request sent by a terminal device, where the first access request includes an address of data to be accessed;
and the induction implantation module is configured to, when the Web attack detection module determines that the first access request is an attack request, and if the address of the data to be accessed belongs to the addresses of preset access data, output a first response message according to the first access request, where the first response message includes a link address of a data defense system (DWS) or access data about a uniform resource locator (url) address of the DWS.
As shown in fig. 7, a diagram of an embodiment of a defense device in an embodiment of the present invention may include:
a transceiver module 701, configured to receive a first access request sent by a terminal device, where the first access request includes an address of data to be accessed;
a processing module 702, configured to, when it is determined that the first access request is an attack request, if it is determined that the address of the data to be accessed belongs to the addresses of preset access data, output a first response message according to the first access request, where the first response message includes a link address of a data defense system DWS, or access data about a uniform resource locator (url) address of the DWS.
Optionally, the processing module 702 is specifically configured to determine that the address of the data to be accessed belongs to the addresses of preset access data, and then determine the uniform resource locator (url) address of the DWS; and to determine the access data about the url address of the DWS according to the first access request;
the transceiver module 701 is specifically configured to send a first reply message to the terminal device, where the first reply message includes the access data about the url address of the DWS.
Optionally, the processing module 702 is specifically configured to determine that the first access request is an attack request when the first access request successfully matches a preset character string matching rule and/or regular expression matching rule; or,
the processing module 702 is specifically configured to determine that the first access request is an attack request if more than a first preset number of access requests are received within a preset time period, where the access requests exceeding the first preset number include the first access request; or,
the processing module 702 is specifically configured to determine that the first access request is an attack request if more than a first preset number of access requests are received within a preset time period and more than a second preset number of the corresponding access responses indicate that the request object does not exist, where the access requests exceeding the first preset number include the first access request, and the first preset number is greater than the second preset number; or,
the transceiver module 701 is specifically configured to send a first request to the terminal device and receive a request result sent by the terminal device;
the processing module 702 is specifically configured to determine that the first access request is an attack request if the request result matches a request result of a preset attack device.
Optionally, the domain name of the first reply message is the domain name of the data to be accessed.
As shown in fig. 8, which is a schematic diagram of an embodiment of a terminal device in the embodiment of the present invention, the terminal device may include:
a transceiver module 801, configured to send a first access request to a defense device, where the first access request includes an address of data to be accessed; and further configured to receive a first reply message sent by the defense device, where the first reply message includes the link address of the DWS or the access data about the url address of the DWS.
Optionally, the terminal device may further include: a processing module 802, configured to access, according to the link address of the DWS, and obtain the access data about the link address of the DWS.
Fig. 9 is a schematic structural diagram of a defense device provided in an embodiment of the present invention. Referring to fig. 9, may include: memory 901, processor 902, and transceiver 903; the memory 901 is coupled to the processor 902, the memory 901 is coupled to the transceiver 903; wherein the processor 902 may call the executable program code stored in the memory 901;
in this embodiment of the present invention, the transceiver 903 is configured to receive a first access request sent by a terminal device, where the first access request includes an address of data to be accessed;
a processor 902, configured to, when it is determined that the first access request is an attack request, if it is determined that the address of the data to be accessed belongs to the addresses of preset access data, output a first response message according to the first access request, where the first response message includes a link address of a data defense system DWS, or access data about a uniform resource locator (url) address of the DWS.
Optionally, the processor 902 is specifically configured to determine that the address of the data to be accessed belongs to the addresses of preset access data, and then determine the uniform resource locator (url) address of the DWS; and to determine the access data about the url address of the DWS according to the first access request;
the transceiver 903 is specifically configured to send a first reply message to the terminal device, where the first reply message includes the access data about the url address of the DWS.
Optionally, the processor 902 is specifically configured to determine that the first access request is an attack request when the first access request successfully matches a preset character string matching rule and/or regular expression matching rule; or,
the processor 902 is specifically configured to determine that the first access request is an attack request if the defense device receives more than a first preset number of access requests within a preset time period, where the access requests exceeding the first preset number include the first access request; or,
the processor 902 is specifically configured to determine that the first access request is an attack request if the defense device receives more than a first preset number of access requests within a preset time period and more than a second preset number of the corresponding access responses indicate that the request object does not exist, where the access requests exceeding the first preset number include the first access request, and the first preset number is greater than the second preset number; or,
the transceiver 903 is specifically configured to send a first request to the terminal device, receive a request result sent by the terminal device, and determine that the first access request is an attack request if the request result matches a request result of a preset attack device.
Optionally, the domain name of the first reply message is the domain name of the data to be accessed.
Fig. 10 is a block diagram showing a structure of a part related to a terminal device provided by an embodiment of the present invention. Referring to fig. 10, the terminal device includes: radio Frequency (RF) circuit 1010, memory 1020, input unit 1030, display unit 1060, sensor 1050, audio circuit 1060, wireless fidelity (WiFi) module 1060, processor 1080, and power source 1090. Those skilled in the art will appreciate that the terminal device configuration shown in fig. 10 is not intended to be limiting and may include more or fewer components than those shown, or some components may be combined, or a different arrangement of components.
The following specifically describes each constituent component of the terminal device with reference to fig. 10:
RF circuit 1010 may be used for receiving and transmitting signals during information transmission and reception or during a call; in particular, it receives downlink information from a base station and passes it to processor 1080 for processing, and in addition it transmits uplink data to the base station. In general, RF circuit 1010 includes, but is not limited to, an antenna, at least one amplifier, a transceiver, a coupler, a Low Noise Amplifier (LNA), a duplexer, and the like. In addition, the RF circuitry 1010 may also communicate with networks and other devices via wireless communications. The wireless communication may use any communication standard or protocol, including but not limited to Global System for Mobile communication (GSM), General Packet Radio Service (GPRS), Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), Long Term Evolution (LTE), email, Short Messaging Service (SMS), and the like.
The memory 1020 can be used for storing software programs and modules, and the processor 1080 executes various functional applications and data processing of the terminal device by operating the software programs and modules stored in the memory 1020. The memory 1020 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required by at least one function (such as a sound playing function, an image playing function, etc.), and the like; the storage data area may store data (such as audio data, a phonebook, etc.) created according to the use of the terminal device, and the like. Further, the memory 1020 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid state storage device.
The input unit 1030 may be used to receive input numeric or character information and generate key signal inputs related to user settings and function control of the terminal device. Specifically, the input unit 1030 may include a touch panel 1031 and other input devices 1032. The touch panel 1031, also referred to as a touch screen, may collect touch operations by a user (e.g., operations by a user on or near the touch panel 1031 using any suitable object or accessory such as a finger, a stylus, etc.) and drive corresponding connection devices according to a preset program. Alternatively, the touch panel 1031 may include two parts, a touch detection device and a touch controller. The touch detection device detects the touch direction of a user, detects a signal brought by touch operation and transmits the signal to the touch controller; the touch controller receives touch information from the touch sensing device, converts the touch information into touch point coordinates, sends the touch point coordinates to the processor 1080, and can receive and execute commands sent by the processor 1080. In addition, the touch panel 1031 may be implemented by various types such as a resistive type, a capacitive type, an infrared ray, and a surface acoustic wave. The input unit 1030 may include other input devices 1032 in addition to the touch panel 1031. In particular, other input devices 1032 may include, but are not limited to, one or more of a physical keyboard, function keys (such as volume control keys, switch keys, etc.), a track ball, a mouse, a joystick, or the like.
The display unit 1040 may be used to display information input by a user or information provided to the user and various menus of the terminal device. The Display unit 1040 may include a Display panel 1041, and optionally, the Display panel 1041 may be configured in the form of a Liquid Crystal Display (LCD), an Organic Light-Emitting Diode (OLED), or the like. Further, the touch panel 1031 can cover the display panel 1041, and when the touch panel 1031 detects a touch operation on or near the touch panel 1031, the touch operation is transmitted to the processor 1080 to determine the type of the touch event, and then the processor 1080 provides a corresponding visual output on the display panel 1041 according to the type of the touch event. Although in fig. 10, touch panel 1031 and display panel 1041 are two separate components to implement input and output functions of the terminal device, in some embodiments, touch panel 1031 and display panel 1041 may be integrated to implement input and output functions of the terminal device.
The terminal device may also include at least one sensor 1050, such as a light sensor, motion sensor, and other sensors. Specifically, the light sensor may include an ambient light sensor that adjusts the brightness of the display panel 1041 according to the brightness of ambient light, and a proximity sensor that turns off the display panel 1041 and/or the backlight when the terminal device moves to the ear. As one of the motion sensors, the accelerometer sensor can detect the magnitude of acceleration in each direction (generally, three axes), detect the magnitude and direction of gravity when stationary, and can be used for applications (such as horizontal and vertical screen switching, related games, magnetometer attitude calibration) for recognizing the attitude of the terminal device, and related functions (such as pedometer and tapping) for vibration recognition; as for other sensors such as a gyroscope, a barometer, a hygrometer, a thermometer, and an infrared sensor, which can be configured in the terminal device, detailed description is omitted here.
Audio circuitry 1060, speaker 1061, and microphone 1062 may provide an audio interface between the user and the terminal device. The audio circuit 1060 can transmit the electrical signal converted from the received audio data to the speaker 1061, where it is converted into a sound signal and output; on the other hand, the microphone 1062 converts the collected sound signal into an electrical signal, which is received by the audio circuit 1060 and converted into audio data. The audio data is then output to the processor 1080 for processing and transmitted to, for example, another terminal device via the RF circuit 1010, or output to the memory 1020 for further processing.
WiFi belongs to short-distance wireless transmission technology, and the terminal equipment can help a user to send and receive e-mails, browse webpages, access streaming media and the like through the WiFi module 1040, and provides wireless broadband internet access for the user. Although fig. 10 shows the WiFi module 1040, it is understood that it does not belong to the essential constitution of the terminal device, and may be omitted entirely as needed within the scope not changing the essence of the invention.
The processor 1080 is a control center of the terminal device, connects various parts of the whole terminal device by using various interfaces and lines, and executes various functions of the terminal device and processes data by operating or executing software programs and/or modules stored in the memory 1020 and calling data stored in the memory 1020, thereby monitoring the whole terminal device. Optionally, processor 1080 may include one or more processing units; preferably, the processor 1080 may integrate an application processor, which handles primarily the operating system, user interfaces, applications, etc., and a modem processor, which handles primarily the wireless communications. It is to be appreciated that the modem processor described above may not be integrated into processor 1080.
The terminal device also includes a power supply 1090 (e.g., a battery) for powering the various components, which may preferably be logically coupled to the processor 1080 via a power management system that may be configured to manage charging, discharging, and power consumption.
Although not shown, the terminal device may further include a camera, a Bluetooth module, and the like, which are not described herein.
In an embodiment of the present invention, the RF circuit 1010 is configured to send a first access request to the defense device, where the first access request includes an address of data to be accessed; the RF circuit 1010 is further configured to receive a first reply message sent by the defense device, where the first reply message includes the link address of the DWS or the access data of the URL address of the DWS.
Optionally, the processor 1080 is configured to access the link address of the DWS and obtain the access data related to that link address.
The above embodiments may be implemented wholly or partially by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product.
The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the processes or functions described in accordance with the embodiments of the invention occur in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, from one website, computer, server, or data center to another website, computer, server, or data center via wired (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.) means. The computer-readable storage medium can be any available medium that a computer can store, or a data storage device, such as a server or a data center, that integrates one or more available media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the embodiments provided in the present invention, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes various media capable of storing program code, such as a USB disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The above-mentioned embodiments are only used for illustrating the technical solutions of the present invention, and not for limiting the same; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. A method of data defense, comprising:
the defense device receives a first access request sent by a terminal device, wherein the first access request comprises an address of data to be accessed;
and, in a case where the defense device determines that the first access request is an attack request, if the defense device determines that the address of the data to be accessed belongs to the addresses of preset access data, outputting a first response message according to the first access request, wherein the first response message comprises a link address of a data defense system (DWS), or access data of a uniform resource locator (URL) address related to the DWS.
2. The method of claim 1, wherein the defense device determines that the address of the data to be accessed belongs to an address of preset access data, and then outputs an address including a DWS according to the first access request, comprising:
and the defense equipment determines that the address of the data to be accessed belongs to the address of preset access data, and then sends a first response message to the terminal equipment, wherein the first response message comprises a link address of the DWS, and the link address of the DWS is used for the terminal equipment to access the data.
3. The method of claim 1, wherein the defense device determines that the address of the data to be accessed belongs to an address of preset access data, and then outputs an address including a DWS according to the first access request, comprising:
the defense device determines that the address of the data to be accessed belongs to the addresses of preset access data, and then determines a uniform resource locator (URL) address related to the DWS;
the defense device acquires the access data of the URL address of the DWS according to the first access request;
the defense device sends a first response message to the terminal device, wherein the first response message comprises the access data of the URL address of the DWS.
4. The method of any of claims 1-3, wherein the determining that the first access request is an attack request comprises:
in a case where the first access request successfully matches a preset character string matching rule and/or a regular expression matching rule, the defense device determines that the first access request is an attack request; or
if the defense device receives, within a preset time length, a number of access requests greater than a first preset number, determining that the first access request is an attack request, wherein the access requests whose number is greater than the first preset number comprise the first access request; or
if the defense device receives, within a preset time length, a number of access requests greater than a first preset number, and more than a second preset number of the corresponding access responses are not request objects, determining that the first access request is an attack request, wherein the access requests whose number is greater than the first preset number comprise the first access request, and the first preset number is greater than the second preset number; or
the defense device sends a first request to the terminal device, receives a request result sent by the terminal device, and determines that the first access request is an attack request if the request result matches a request result of a preset attack device.
5. The method according to claim 2 or 3,
and the domain name of the first response message is the domain name of the data to be accessed.
6. A method of data defense, comprising:
a terminal device sends a first access request to a defense device, wherein the first access request comprises an address of data to be accessed;
and the terminal device receives a first response message sent by the defense device, wherein the first response message comprises a link address of a data defense system (DWS) or access data of a uniform resource locator (URL) address related to the DWS.
7. The method according to claim 6, wherein in a case where the first response message comprises a link address of a DWS, the method further comprises:
the terminal device accesses the link address of the DWS and obtains the access data related to the link address of the DWS.
8. A defensive device, comprising:
a transceiver module, configured to receive a first access request sent by a terminal device, wherein the first access request comprises an address of data to be accessed;
and a processing module, configured to, in a case where the first access request is determined to be an attack request, output a first response message according to the first access request if the address of the data to be accessed belongs to the addresses of preset access data, wherein the first response message comprises a link address of a data defense system (DWS) or access data of a uniform resource locator (URL) address related to the DWS.
9. A terminal device, comprising:
a transceiver module, configured to send a first access request to a defense device, wherein the first access request comprises an address of data to be accessed;
the transceiver module is further configured to receive a first response message sent by the defense device, wherein the first response message comprises a link address of a data defense system (DWS) or access data of a uniform resource locator (URL) address related to the DWS.
10. A computer readable storage medium having executable program code stored thereon, wherein the executable program code when executed by a processor implements a method as claimed in any one of claims 1 to 5 or 6 to 7.
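The decision flow of claims 1, 2 and 4, sketched as an added example that is not part of the patent text: a request is classified as an attack by rule matching or by the request-count and miss-count thresholds, and an attack request for a preset address is answered with the DWS link. The class name, rules, preset addresses, DWS link, thresholds and the "block" fallback are all assumptions made for illustration.

```python
import re
from collections import defaultdict, deque

# Constructed sample values; none of them come from the patent text.
RULES = [re.compile(r"(?i)union\s+select"), re.compile(r"\.\./")]
PRESET_ADDRESSES = {"/admin/login", "/backup.zip"}  # "preset access data"
DWS_LINK = "https://dws.example.invalid/decoy"      # placeholder DWS link


class DefenseDevice:
    def __init__(self, window=10.0, n1=5, n2=3):
        if n1 <= n2:  # claim 4: first preset number > second preset number
            raise ValueError("n1 must be greater than n2")
        self.window, self.n1, self.n2 = window, n1, n2
        self.requests = defaultdict(deque)  # source -> request timestamps
        self.misses = defaultdict(deque)    # source -> "not found" timestamps

    def _trim(self, queue, now):
        # Drop timestamps that fell out of the preset time length.
        while queue and now - queue[0] > self.window:
            queue.popleft()

    def record_response(self, src, found, now):
        """Record a reply that did not return the requested object."""
        if not found:
            self.misses[src].append(now)

    def is_attack(self, src, address, now):
        reqs, misses = self.requests[src], self.misses[src]
        reqs.append(now)
        self._trim(reqs, now)
        self._trim(misses, now)
        # Alternative 1: string / regular-expression rule match.
        if any(rule.search(address) for rule in RULES):
            return True
        # Alternative 3: more than n1 requests in the window and more than
        # n2 replies in the same window that were not the requested object.
        return len(reqs) > self.n1 and len(misses) > self.n2

    def handle(self, src, address, now):
        """Return (action, target) for one access request."""
        if not self.is_attack(src, address, now):
            return ("forward", address)
        if address.split("?", 1)[0] in PRESET_ADDRESSES:
            # Claim 2 variant: answer with the DWS link address.
            return ("dws_link", DWS_LINK)
        # Assumption: the claims do not say what happens here; block.
        return ("block", None)
```

The claim 3 variant would differ only in the last step: instead of returning the link, the defense device fetches the DWS URL itself and returns that content under the originally requested domain (claim 5).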
CN202110961168.9A 2021-08-20 2021-08-20 Data defense method, defense device, terminal device and readable storage medium Pending CN113676479A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110961168.9A CN113676479A (en) 2021-08-20 2021-08-20 Data defense method, defense device, terminal device and readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110961168.9A CN113676479A (en) 2021-08-20 2021-08-20 Data defense method, defense device, terminal device and readable storage medium

Publications (1)

Publication Number Publication Date
CN113676479A true CN113676479A (en) 2021-11-19

Family

ID=78544534

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110961168.9A Pending CN113676479A (en) 2021-08-20 2021-08-20 Data defense method, defense device, terminal device and readable storage medium

Country Status (1)

Country Link
CN (1) CN113676479A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103957195A (en) * 2014-04-04 2014-07-30 上海聚流软件科技有限公司 DNS system and defense method and device for DNS attack
CN109347794A (en) * 2018-09-06 2019-02-15 国家电网有限公司 A kind of Web server safety defense method
CN111385236A (en) * 2018-12-27 2020-07-07 北京卫达信息技术有限公司 Dynamic defense system based on network spoofing
CN112383546A (en) * 2020-11-13 2021-02-19 腾讯科技(深圳)有限公司 Method for processing network attack behavior, related device and storage medium
US20210250375A1 (en) * 2020-04-22 2021-08-12 Baidu Online Network Technology (Beijing) Co., Ltd. Network attack defense method, apparatus, device, system and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (Application publication date: 20211119)