CN114338216A - Multidimensional brute-force attack prevention method, apparatus, device, medium, and program product - Google Patents

Info

Publication number
CN114338216A
Authority
CN
China
Legal status
Granted
Application number
CN202111682637.XA
Other languages
Chinese (zh)
Other versions
CN114338216B (en)
Inventor
姚旺
许家华
Current Assignee
China Merchants Bank Co Ltd
Original Assignee
China Merchants Bank Co Ltd

Landscapes

  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a multidimensional brute-force attack prevention and control method, device, equipment, medium and program product. The method comprises the following steps: receiving a user access request transmitted by a risk decision module, and extracting an access account, an access IP and access terminal information from the request message corresponding to the user access request; screening failed requests among the user access requests according to the access IP and the access terminal information, and recording response information corresponding to the user access request based on the access account and the failed requests; and generating a brute-force attack detection result for the user access request according to the response information, and transmitting the detection result to the risk decision module so as to execute the target prevention and control strategy sent back by the risk decision module. By analysing the user access request, recording the corresponding response information and finally generating the brute-force attack detection result so that the corresponding prevention strategy can be executed, the invention improves the accuracy of brute-force attack detection.

Description

Multidimensional brute-force attack prevention method, apparatus, device, medium, and program product
Technical Field
The present invention relates to the field of network security, and in particular to a method, apparatus, device, medium and program product for preventing and controlling multidimensional brute-force attacks.
Background
As networks grow in scale, brute-force attacks carried out over the network are seen frequently, yet an effective prevention and control method for this behaviour is lacking. The existing mainstream approach judges whether a user's access requests constitute a brute-force attack according to whether those requests show an aggregation characteristic, and refuses to respond to the requests once an attack is determined, thereby preventing and controlling the brute-force behaviour. However, this aggregation-based approach has low accuracy and readily produces misjudgements, which harms the user experience.
Disclosure of Invention
The main aim of the invention is to provide a method, device, equipment, medium and program product for preventing and controlling multidimensional brute-force attacks, so as to solve the technical problem that existing brute-force attack prevention methods have low accuracy.
To achieve the above object, the invention provides a multidimensional brute-force attack prevention and control method, including the following steps:
receiving a user access request transmitted by a risk decision module, and extracting an access account, an access IP and access terminal information from a request message corresponding to the user access request;
screening a failure request in the user access request according to the access IP and the access terminal information, and recording response information corresponding to the user access request based on the access account and the failure request;
and generating a brute-force attack detection result for the user access request according to the response information, and transmitting the detection result to the risk decision module so as to execute the target prevention and control strategy sent by the risk decision module.
Optionally, the access terminal information includes an international mobile subscriber identity IMSI and an international mobile equipment identity IMEI, and the step of screening a failure request in the user access request according to the access IP and the access terminal information includes:
judging whether the user access request corresponds to a unique client or not according to the IMSI and the IMEI;
if the user access request corresponds to a unique client, randomly extracting a first access request and a second access request in the user access request;
and if the first access IP corresponding to the first access request is different from the second access IP corresponding to the second access request, determining that the first access request and the second access request are failed requests.
Optionally, the step of screening a failure request in the user access request according to the access IP and the access terminal information further includes:
if the target request message corresponding to a target access request contains proxy information, determining that the target access request is a failed request, wherein the target access request belongs to the user access requests;
if the target request message corresponding to the target access request does not contain the proxy information, scanning an access port to judge whether the access port belongs to a preset proxy port, wherein the access port belongs to the access terminal information in the target request message;
and if the access port belongs to the preset proxy port, determining that the target access request is a failure request.
Optionally, the step of recording response information corresponding to the user access request based on the access account and the failure request includes:
sequencing the access account numbers according to a preset rule to obtain an account number sequence, randomly extracting a first access account number and a second access account number which are adjacent in the account number sequence, and calculating a Hamming distance between the first access account number and the second access account number;
if the Hamming distance is smaller than a first preset threshold value, determining the first access account and the second access account as traversal accounts, and calculating the quantity proportion of the traversal accounts to the access accounts to obtain the account traversal rate;
and calculating the quantity proportion of the failure requests to the access requests to obtain a request failure rate, wherein response information corresponding to the user access requests comprises the account number traversal rate, the request failure rate and the quantity of the access requests.
Optionally, the step of generating the brute-force attack detection result for the user access request according to the response information includes:
if the number of access requests is smaller than a second preset threshold, determining that the brute-force attack detection result for the user access request is "no brute-force attack";
if the number of access requests is larger than or equal to the second preset threshold, judging whether the account traversal rate is larger than a first policy threshold and whether the request failure rate is larger than a second policy threshold;
and if the account traversal rate is greater than the first policy threshold or the request failure rate is greater than the second policy threshold, determining that the brute-force attack detection result for the user access request is "brute-force attack".
Optionally, the step of transmitting the brute-force attack detection result to the risk decision module so as to execute the target prevention and control strategy sent by the risk decision module includes:
transmitting the brute-force attack detection result to the risk decision module so that the risk decision module generates a target prevention and control strategy based on the brute-force attack;
and receiving the target prevention and control strategy sent by the risk decision module, and executing the target prevention and control strategy.
In addition, to achieve the above object, the present invention also provides a multidimensional brute force attack prevention and treatment apparatus, comprising:
the extraction module is used for receiving the user access request transmitted by the risk decision module and extracting an access account, an access IP and access terminal information from a request message corresponding to the user access request;
the response information recording module is used for screening a failure request in the user access request according to the access IP and the access terminal information, and recording response information corresponding to the user access request based on the access account and the failure request;
and the prevention strategy execution module is used for generating an attack detection result of the user access request according to the response information and transmitting the attack detection result to the risk decision module so as to execute the target prevention strategy sent by the risk decision module.
In addition, to achieve the above object, the present invention also provides multidimensional brute-force attack prevention and control equipment, comprising a memory, a processor, and a multidimensional brute-force attack prevention and control program that is stored in the memory and can run on the processor, wherein when the program is executed by the processor, the steps of the multidimensional brute-force attack prevention and control method are realised.
In addition, to achieve the above object, the present invention further provides a medium having a multidimensional brute force attack prevention program stored thereon, wherein the multidimensional brute force attack prevention program, when executed by a processor, implements the steps of the multidimensional brute force attack prevention method as described above.
In addition, to achieve the above object, the present invention also provides a computer program product, which includes a computer program that, when executed by a processor, implements the steps of the multidimensional brute-force attack prevention method as described above.
The embodiment of the invention provides a method, device, equipment and medium for preventing and controlling multidimensional brute-force attacks. In the embodiment, the multidimensional brute-force attack prevention and control program receives the user access request transmitted by the risk decision module and extracts the access account, the access IP and the access terminal information from the request message corresponding to the user access request. It then screens failed requests among the user access requests according to the access IP and the access terminal information, and records response information corresponding to the user access request based on the access account and the failed requests. Finally, it generates a brute-force attack detection result for the user access request according to the response information and transmits that result to the risk decision module. By analysing the user access request, recording the corresponding response information and finally generating the brute-force attack detection result so that the corresponding prevention strategy can be executed, the invention improves the accuracy of brute-force attack detection.
Drawings
Fig. 1 is a schematic hardware structure diagram of an embodiment of the multidimensional brute-force attack prevention and control device according to an embodiment of the present invention;
Fig. 2 is a flowchart illustrating the multidimensional brute-force attack prevention and control method according to a first embodiment of the present invention;
Fig. 3 is a schematic flowchart illustrating the multidimensional brute-force attack prevention and control method according to a second embodiment of the present invention;
Fig. 4 is a functional module diagram of an embodiment of the multidimensional brute-force attack prevention and control apparatus of the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
In the following description, suffixes such as "module", "component", or "unit" used to denote elements are used only for facilitating the explanation of the present invention, and have no specific meaning in itself. Thus, "module", "component" or "unit" may be used mixedly.
The multidimensional brute force attack prevention and control terminal (also called a terminal, equipment or terminal equipment) in the embodiment of the invention can be a personal computer (terminal equipment with a program compiling function).
As shown in Fig. 1, the terminal may include a processor 1001, such as a CPU (Central Processing Unit), a communication bus 1002, and a memory 1003. The communication bus 1002 is used to enable connection and communication among these components. The memory 1003 may be a high-speed RAM memory or a non-volatile memory (e.g., a disk memory). The memory 1003 may alternatively be a storage device separate from the processor 1001.
Those skilled in the art will appreciate that the terminal structure shown in fig. 1 is not intended to be limiting and may include more or fewer components than those shown, or some components may be combined, or a different arrangement of components.
As shown in fig. 1, a multidimensional brute-force attack prevention program may be included in the memory 1003 as a kind of computer storage medium.
In the terminal shown in fig. 1, the processor 1001 may be configured to call the multidimensional brute-force attack prevention program stored in the memory 1003, and perform the following operations:
receiving a user access request transmitted by a risk decision module, and extracting an access account, an access IP and access terminal information from a request message corresponding to the user access request;
screening a failure request in the user access request according to the access IP and the access terminal information, and recording response information corresponding to the user access request based on the access account and the failure request;
and generating a brute-force attack detection result for the user access request according to the response information, and transmitting the detection result to the risk decision module so as to execute the target prevention and control strategy sent by the risk decision module.
Further, the target request further includes a target IP, and the processor 1001 may be configured to call the multidimensional brute-force attack prevention program stored in the memory 1003, and further perform the following operations:
judging whether the user access request corresponds to a unique client or not according to the IMSI and the IMEI;
if the user access request corresponds to a unique client, randomly extracting a first access request and a second access request in the user access request;
and if the first access IP corresponding to the first access request is different from the second access IP corresponding to the second access request, determining that the first access request and the second access request are failed requests.
Further, the target request further includes a target URL, and the processor 1001 may be configured to call the multidimensional brute-force attack prevention program stored in the memory 1003, and further perform the following operations:
if the target request message corresponding to a target access request contains proxy information, determining that the target access request is a failed request, wherein the target access request belongs to the user access requests;
if the target request message corresponding to the target access request does not contain the proxy information, scanning an access port to judge whether the access port belongs to a preset proxy port, wherein the access port belongs to the access terminal information in the target request message;
and if the access port belongs to the preset proxy port, determining that the target access request is a failure request.
Further, the processor 1001 may be configured to call the multidimensional brute-force attack prevention program stored in the memory 1003, and further perform the following operations:
sequencing the access account numbers according to a preset rule to obtain an account number sequence, randomly extracting a first access account number and a second access account number which are adjacent in the account number sequence, and calculating a Hamming distance between the first access account number and the second access account number;
if the Hamming distance is smaller than a first preset threshold value, determining the first access account and the second access account as traversal accounts, and calculating the quantity proportion of the traversal accounts to the access accounts to obtain the account traversal rate;
and calculating the quantity proportion of the failure requests to the access requests to obtain a request failure rate, wherein response information corresponding to the user access requests comprises the account number traversal rate, the request failure rate and the quantity of the access requests.
Further, the processor 1001 may be configured to call the multidimensional brute-force attack prevention program stored in the memory 1003, and further perform the following operations:
if the number of access requests is smaller than a second preset threshold, determining that the brute-force attack detection result for the user access request is "no brute-force attack";
if the number of access requests is larger than or equal to the second preset threshold, judging whether the account traversal rate is larger than a first policy threshold and whether the request failure rate is larger than a second policy threshold;
and if the account traversal rate is greater than the first policy threshold or the request failure rate is greater than the second policy threshold, determining that the brute-force attack detection result for the user access request is "brute-force attack".
Further, the processor 1001 may be configured to call the multidimensional brute-force attack prevention program stored in the memory 1003, and further perform the following operations:
transmitting the brute-force attack detection result to the risk decision module so that the risk decision module generates a target prevention and control strategy based on the brute-force attack;
and receiving the target prevention and control strategy sent by the risk decision module, and executing the target prevention and control strategy.
Based on the hardware structure of the equipment, the embodiment of the multi-dimensional brute force attack prevention and control method is provided.
Referring to fig. 2, in a first embodiment of the multi-dimensional brute force attack prevention method of the present invention, the multi-dimensional brute force attack prevention method includes:
step S10, receiving a user access request transmitted by a risk decision module, and extracting an access account, an access IP and access terminal information from a request message corresponding to the user access request;
It should be noted that the technical solution of the invention is a method for preventing and controlling malicious swiping behaviour such as card swiping, ticket swiping and SMS swiping; by executing the corresponding prevention and control strategy for each kind of swiping behaviour, it prevents any such brute-force swiping from adversely affecting the party being targeted.
It can be understood that both normal browsing behaviour and swiping behaviour are carried out through a web application on a terminal. The access terminal information in this embodiment refers to information about the terminal that carries out the browsing or swiping behaviour, and includes an IMSI (International Mobile Subscriber Identity), an IMEI (International Mobile Equipment Identity), an equipment unique identification number, and the like. When a user initiates an access request (i.e., a user access request in this embodiment) through the web application on the terminal, the request passes through the risk decision module to the multidimensional brute-force attack prevention and control program, which receives it and extracts the access account, the access IP and the access terminal information from the corresponding request message. Since the server may receive a large number of user access requests in a short time, the user access requests in this embodiment may also be multiple, so that requests that may constitute a brute-force attack can be screened out using the access account, the access IP and the access terminal information.
Step S20, according to the access IP and the access terminal information, screening a failure request in the user access request, and recording response information corresponding to the user access request based on the access account and the failure request;
It should be noted that a brute-force attack may be implemented in a multi-terminal manner or in a per-second IP switching manner. In the multi-terminal manner, a plurality of terminals access a web application (or website) at high frequency. In the per-second IP switching manner, the same terminal forwards its requests through a proxy server, which switches to a different IP for each request it forwards, so that the receiving party sees a plurality of requests from different IPs that in fact come from the same terminal. For these two implementation modes, the requests sent in either mode are treated as failed requests when counting the failed requests among the user access requests, and the response information corresponding to the user access requests is then recorded based on the access account and the data related to the failed requests, where the response information includes the account traversal rate, the request failure rate, the number of access requests, and so on.
Step S30, generating a brute-force attack detection result for the user access request according to the response information, and transmitting the detection result to the risk decision module so as to execute the target prevention and control strategy sent by the risk decision module.
The data contained in the response information, such as the account traversal rate, the request failure rate and the number of access requests, are evaluated: when the data satisfy a certain condition, the user access request corresponding to the response information is determined to be a brute-force attack, and when they do not, it is determined not to be one. For example, if the number of access requests is greater than or equal to the second preset threshold and the account traversal rate is greater than the first policy threshold or the request failure rate is greater than the second policy threshold, the brute-force attack detection result for the user access request is "brute-force attack". If the number of access requests is smaller than the second preset threshold, the detection result is "no brute-force attack". If the number of access requests is greater than or equal to the second preset threshold, the account traversal rate is less than or equal to the first policy threshold, and the request failure rate is less than or equal to the second policy threshold, the detection result is likewise "no brute-force attack". When the detection result indicates that the user access request is a brute-force attack, the result is transmitted to the risk decision module, which on receiving it feeds back the corresponding prevention and control strategy according to the type of brute-force attack in the result, so as to realise the prevention and control of the attack.
Further, in a possible embodiment, the access terminal information includes an international mobile subscriber identity IMSI and an international mobile equipment identity IMEI, and in step S20 the step of screening failed requests among the user access requests according to the access IP and the access terminal information is refined as follows:
step a1, according to the IMSI and the IMEI, judging whether the user access request corresponds to a unique client;
step a2, if the user access request corresponds to a unique client, randomly extracting a first access request and a second access request in the user access request;
step a3, if a first access IP corresponding to the first access request is different from a second access IP corresponding to the second access request, determining that the first access request and the second access request are failed requests.
It should be noted that, for a web application installed with the multidimensional brute-force attack prevention and control program proposed by the invention, the terminal information included in a user access request sent to the application needs to carry information capable of proving the terminal's identity, for example a plurality of features such as IMSI, IMEI, APPID, MAC (Media Access Control) address, terminal ID, user ID in the system, mobile phone number, (user) certificate number, and so on; once one of these features matches, the user access request is considered to have been sent by the same terminal. Whether the user access request corresponds to a unique client is determined through the IMSI and IMEI. Specifically, the user access requests have a high-frequency characteristic, that is, the server receives a plurality of requests in a short time, each including terminal information. If the IMSI and IMEI in the terminal information of these requests verify that they come from a unique client, two of the user access requests (i.e., the first access request and the second access request in this embodiment) are randomly extracted, and if the first access IP corresponding to the first access request differs from the second access IP corresponding to the second access request, this indicates that the two randomly extracted requests were generated by the same terminal using per-second IP switching, and they are determined to be failed requests.
Further, in a possible embodiment, in the step S20, the step of screening the failed request in the user access request according to the access IP and the access terminal information further includes:
step b1, if the target request message corresponding to the target access request contains proxy information, determining that the target access request is a failure request, wherein the target access request belongs to the user access request;
step b2, if the target request message corresponding to the target access request does not contain proxy information, scanning an access port to judge whether the access port belongs to a preset proxy port, wherein the access port belongs to access terminal information in the target request message;
step b3, if the access port belongs to the preset proxy port, determining that the target access request is a failure request.
It should be noted that the same terminal may generate access requests using per-second IP switching as follows: the user terminal sends multiple requests to a proxy server, the proxy server modifies the IP in the requests so that multiple requests from the same IP generated by the user terminal become multiple requests from different IPs, and the proxy server forwards these requests to the server of the web application. Therefore, when the target request message corresponding to a target access request among the user access requests contains proxy information, it can be confirmed that the target access request was forwarded through a proxy server, and in this case the target access request can be regarded as a failed request. If the proxy server hides its proxy information, that is, the target request message corresponding to the target access request does not contain proxy information, the access port is scanned to judge whether it belongs to a preset proxy port, wherein the access port belongs to the access terminal information in the target request message; if the access port belongs to the preset proxy port, the target access request is determined to be a failed request. The preset proxy ports are the available ports of proxy servers capable of providing a per-second IP switching service.
Further, in a possible embodiment, in step S20 the step of recording response information corresponding to the user access request based on the access account and the failed requests is detailed as follows:
step c1, sequencing the access account numbers according to a preset rule to obtain an account number sequence, randomly extracting a first access account number and a second access account number which are adjacent in the account number sequence, and calculating a Hamming distance between the first access account number and the second access account number;
step c2, if the Hamming distance is smaller than a first preset threshold, determining that the first access account and the second access account are traversal accounts, and calculating the quantity proportion of the traversal accounts to the access accounts to obtain an account traversal rate;
step c3, calculating the quantity ratio of the failure request and the access request to obtain a request failure rate, wherein the response information corresponding to the user access request comprises the account number traversal rate, the request failure rate and the quantity of the access request.
Therefore, after the access accounts are extracted from the request messages corresponding to the user access request, the extracted access accounts are sorted according to a preset rule to obtain an account sequence, where the sorting rule may be sorting by ASCII code value. Then a first access account and a second access account that are adjacent in the account sequence are randomly extracted and the Hamming distance between them is calculated. Specifically, the Hamming distance is the number of positions at which two character strings of equal length differ, so the similarity of the two strings can be expressed by dividing the Hamming distance by the string length. A threshold can be set for this ratio, for example 0.3: when the ratio is lower than 0.3, the two strings are considered similar, meaning that the first access account and the second access account were generated by traversal, that is, they are traversal accounts. The ratio of the number of traversal accounts to the number of access accounts is then calculated to obtain the account traversal rate, and the ratio of the number of failure requests to the number of access requests is calculated to obtain the request failure rate. The response information corresponding to the user access request includes the account traversal rate, the request failure rate and the number of access requests.
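Steps c1 to c3 carried out on a constructed batch of requests, as an added example (not code from the patent). It goes beyond the text in one respect: every adjacent pair of the sorted account sequence is compared rather than a single randomly drawn pair. Accounts are de-duplicated before sorting, and adjacent accounts of unequal length are skipped because the Hamming distance is only defined for equal-length strings; both are assumptions made here. The `failed` flag on each record is taken as the output of whatever failure-request screening ran before this step.

```python
"""Response information for a batch of access requests (steps c1 to c3).

Added example, not code from the patent.  Every adjacent pair of the sorted
account sequence is compared (the patent draws one pair at random); accounts
are de-duplicated and unequal-length neighbours are skipped.  The sample
batch at the bottom is constructed.
"""
from dataclasses import dataclass
from typing import List, Set


@dataclass(frozen=True)
class RequestRecord:
    account: str
    failed: bool          # True if screened out as a failure request


@dataclass(frozen=True)
class ResponseInfo:
    account_traversal_rate: float
    request_failure_rate: float
    request_count: int


def hamming_distance(a: str, b: str) -> int:
    """Number of positions at which two equal-length strings differ."""
    if len(a) != len(b):
        raise ValueError("Hamming distance needs equal-length strings")
    return sum(x != y for x, y in zip(a, b))


def traversal_accounts(accounts: List[str], threshold: float = 0.3) -> Set[str]:
    """Steps c1/c2: sort by ASCII order, compare neighbours, flag similar ones.

    Two neighbours whose normalised Hamming distance (distance / length) is
    below `threshold` are both treated as generated by traversal.
    """
    sequence = sorted(set(accounts))        # ASCII-order sort of distinct accounts
    flagged: Set[str] = set()
    for first, second in zip(sequence, sequence[1:]):
        if len(first) != len(second):
            continue                        # assumption: unequal lengths are not compared
        if hamming_distance(first, second) / len(first) < threshold:
            flagged.update((first, second))
    return flagged


def response_info(records: List[RequestRecord], threshold: float = 0.3) -> ResponseInfo:
    """Steps c1 to c3: account traversal rate, request failure rate, request count."""
    accounts = [r.account for r in records]
    distinct = set(accounts)
    traversal = traversal_accounts(accounts, threshold)
    failures = sum(1 for r in records if r.failed)
    return ResponseInfo(
        account_traversal_rate=len(traversal) / len(distinct) if distinct else 0.0,
        request_failure_rate=failures / len(records) if records else 0.0,
        request_count=len(records),
    )


# Constructed batch: six sequential account names (as a traversal would
# produce) plus two ordinary accounts; the traversal requests all failed.
SAMPLE_RECORDS = (
    [RequestRecord(f"user{n:04d}", True) for n in range(1, 7)]
    + [RequestRecord("alice", False), RequestRecord("alice", False),
       RequestRecord("bob_smith", True), RequestRecord("bob_smith", False)]
)

if __name__ == "__main__":
    print(response_info(SAMPLE_RECORDS))
```

On the constructed batch the six `userNNNN` accounts sit next to each other after sorting, each neighbour pair differs in one of eight characters (ratio 0.125, below 0.3), and the two ordinary accounts are never compared with them, so the traversal rate is 6/8 and the failure rate 7/10.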
In this embodiment, the multidimensional brute-force attack prevention and control program receives the user access request transparently transmitted by the risk decision module and extracts the access account, the access IP and the access terminal information from the request message corresponding to the user access request; then, according to the access IP and the access terminal information, it screens the failure requests in the user access request and records the response information corresponding to the user access request based on the access account and the failure requests; finally, it generates the brute-force attack detection result of the user access request according to the response information and transmits the detection result to the risk decision module. In this way the response information corresponding to the user access request is recorded by analysing the user access request, and the brute-force attack detection result is finally generated so that the corresponding prevention and control strategy is executed, which improves the accuracy of brute-force attack detection.
Further, referring to fig. 3, a second embodiment of the multidimensional brute-force attack prevention and control method according to the present invention is provided on the basis of the above-mentioned embodiment of the present invention.
This embodiment is a refinement of step S30 of the first embodiment, and the difference between this embodiment and the above-described embodiment of the present invention is:
step S31, if the number of access requests is smaller than a second preset threshold, determining that the brute-force attack detection result of the user access request is a non-brute-force attack;
step S32, if the number of access requests is greater than or equal to the second preset threshold, judging whether the account traversal rate is greater than a first policy threshold, and whether the request failure rate is greater than a second policy threshold;
step S33, if the account traversal rate is greater than the first policy threshold, or the request failure rate is greater than the second policy threshold, determining that the brute-force attack detection result of the user access request is a brute-force attack.
It can be seen that the data contained in the response information, namely the account traversal rate, the request failure rate and the number of access requests, are evaluated, and when they satisfy certain conditions the user access request corresponding to the response information is determined to be a brute-force attack. For example, if the number of access requests is greater than or equal to the second preset threshold and the account traversal rate is greater than the first policy threshold or the request failure rate is greater than the second policy threshold, the brute-force attack detection result of the user access request is determined to be a brute-force attack; if the number of access requests is smaller than the second preset threshold, the detection result is determined to be a non-brute-force attack; and if the number of access requests is greater than or equal to the second preset threshold, the account traversal rate is less than or equal to the first policy threshold, and the request failure rate is less than or equal to the second policy threshold, the detection result is determined to be a non-brute-force attack.
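The decision of steps S31 to S33 as an added example (not code from the patent), taking the three response-information values as input. The patent fixes neither the thresholds nor any sample values; the `Thresholds` numbers and the `CASES` below are constructed, and each case exercises one branch, including the boundary where the request count is only just large enough and neither rate exceeds its threshold.

```python
"""Brute-force verdict from the recorded response information (steps S31 to S33).

Added example, not code from the patent.  Threshold values and the sample
response information are constructed; the patent fixes none of them.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Tuple


class Verdict(Enum):
    NOT_BRUTE_FORCE = "non-brute-force attack"
    BRUTE_FORCE = "brute-force attack"


@dataclass(frozen=True)
class ResponseInfo:
    account_traversal_rate: float   # traversal accounts / access accounts
    request_failure_rate: float     # failure requests / access requests
    request_count: int              # number of access requests


@dataclass(frozen=True)
class Thresholds:
    min_request_count: int          # "second preset threshold"
    traversal_rate: float           # "first policy threshold"
    failure_rate: float             # "second policy threshold"


def detect(info: ResponseInfo, th: Thresholds) -> Tuple[Verdict, str]:
    """Return the verdict and the branch that produced it."""
    # S31: too few requests to judge, whatever the rates say
    if info.request_count < th.min_request_count:
        return Verdict.NOT_BRUTE_FORCE, "request count below threshold"
    # S32/S33: enough requests; either rate over its threshold is sufficient
    if info.account_traversal_rate > th.traversal_rate:
        return Verdict.BRUTE_FORCE, "account traversal rate exceeded"
    if info.request_failure_rate > th.failure_rate:
        return Verdict.BRUTE_FORCE, "request failure rate exceeded"
    return Verdict.NOT_BRUTE_FORCE, "both rates within thresholds"


# Constructed thresholds and cases covering each branch of the decision.
THRESHOLDS = Thresholds(min_request_count=50, traversal_rate=0.5, failure_rate=0.6)

CASES = {
    "burst too small": ResponseInfo(0.9, 0.9, 10),
    "account traversal": ResponseInfo(0.75, 0.3, 200),
    "credential guessing": ResponseInfo(0.0, 0.7, 200),
    "benign busy hour": ResponseInfo(0.1, 0.2, 5000),
}

if __name__ == "__main__":
    for name, info in CASES.items():
        verdict, why = detect(info, THRESHOLDS)
        print(f"{name:20s} -> {verdict.value} ({why})")
```

Returning the branch name alongside the verdict is a small addition that makes the result auditable when it is handed to the risk decision module: an operator can see whether the account traversal rate or the request failure rate triggered the verdict, which is exactly the information a prevention and control strategy would be chosen on.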
Further, in a possible embodiment, in step S30, the brute-force attack detection result is transmitted to the risk decision module so as to execute the target prevention and control strategy sent by the risk decision module, and the refined steps include:
step S34, transmitting the brute-force attack detection result to the risk decision module so that the risk decision module generates a target prevention and control strategy based on the brute-force attack;
step S35, receiving the target prevention and control strategy sent by the risk decision module, and executing the target prevention and control strategy.
After receiving the brute-force attack detection result, if the detection result indicates that the user access request is a brute-force attack, the risk decision module feeds back a corresponding prevention and control strategy according to the type of brute-force attack in the detection result, so as to prevent and control the brute-force attack.
In this embodiment, the brute-force attack detection result of the user access request is determined by calculating the data corresponding to the access requests, so that the accuracy of brute-force attack detection is improved.
In addition, referring to fig. 4, an embodiment of the present invention further provides a multidimensional brute-force attack prevention and control apparatus, where the multidimensional brute-force attack prevention and control apparatus includes:
the extraction module 10 is configured to receive a user access request transparently transmitted by the risk decision module, and extract an access account, an access IP, and access terminal information from a request message corresponding to the user access request;
a response information recording module 20, configured to filter a failure request in the user access request according to the access IP and the access terminal information, and record response information corresponding to the user access request based on the access account and the failure request;
and the prevention and control policy execution module 30 is configured to generate the brute-force attack detection result of the user access request according to the response information, and transmit the brute-force attack detection result to the risk decision module, so as to execute the target prevention and control policy sent by the risk decision module.
Optionally, the access terminal information includes an international mobile subscriber identity IMSI and an international mobile equipment identity IMEI, and the response information recording module 20 includes:
a first judging unit, configured to judge whether the user access request corresponds to a unique client according to the IMSI and the IMEI;
the random extraction unit is used for extracting a first access request and a second access request in the user access request at random if the user access request corresponds to a unique client;
a first determining unit, configured to determine that a first access IP corresponding to the first access request is different from a second access IP corresponding to the second access request, where the first access request and the second access request are failure requests.
Optionally, the response information recording module 20 further includes:
a second determining unit, configured to determine that a target access request is a failure request if a target request message corresponding to the target access request includes proxy information, where the target access request belongs to the user access request;
a scanning unit, configured to scan an access port to determine whether the access port belongs to a preset proxy port if a target request message corresponding to the target access request does not include proxy information, where the access port belongs to access terminal information in the target request message;
a third determining unit, configured to determine that the target access request is a failure request if the access port belongs to the preset proxy port.
Optionally, the response information recording module 20 includes:
the hamming distance calculation unit is used for sequencing the access account numbers according to a preset rule to obtain an account number sequence, randomly extracting a first access account number and a second access account number which are adjacent in the account number sequence, and calculating the hamming distance between the first access account number and the second access account number;
the first quantity proportion calculation unit is used for determining the first access account and the second access account as traversal accounts if the Hamming distance is smaller than a first preset threshold, and calculating the quantity proportion of the traversal accounts to the access accounts to obtain the account traversal rate;
and the second quantity proportion calculation unit is used for calculating the quantity proportion of the failure requests and the access requests to obtain a request failure rate, wherein the response information corresponding to the user access requests comprises the account number traversal rate, the request failure rate and the quantity of the access requests.
Optionally, the prevention and control policy execution module 30 includes:
a fourth determining unit, configured to determine that the brute-force attack detection result of the user access request is a non-brute-force attack if the number of access requests is smaller than the second preset threshold;
a second determining unit, configured to determine whether the account traversal rate is greater than a first policy threshold and whether the request failure rate is greater than a second policy threshold if the number of access requests is greater than or equal to a second preset threshold;
and a fifth determining unit, configured to determine that the brute-force attack detection result of the user access request is a brute-force attack if the account traversal rate is greater than the first policy threshold or the request failure rate is greater than the second policy threshold.
Optionally, the prevention and control policy executing module 30 further includes:
a target prevention and control strategy generation unit, configured to transmit the detection result of the brute-force attack to the risk decision module, so that the risk decision module generates a target prevention and control strategy based on the brute-force attack;
and the target prevention and control strategy execution unit is used for receiving the target prevention and control strategy sent by the risk decision module and executing the target prevention and control strategy.
In addition, an embodiment of the present invention further provides a medium, where a multidimensional brute force attack prevention program is stored on the medium, and when executed by a processor, the multidimensional brute force attack prevention program implements operations in the multidimensional brute force attack prevention method provided in the foregoing embodiment.
The method executed by each program module can refer to each embodiment of the method of the present invention, and is not described herein again.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity/action/object from another entity/action/object without necessarily requiring or implying any actual such relationship or order between such entities/actions/objects; the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
For the apparatus embodiment, since it is substantially similar to the method embodiment, it is described relatively simply, and reference may be made to some descriptions of the method embodiment for relevant points. The above-described apparatus embodiments are merely illustrative, in that elements described as separate components may or may not be physically separate. Some or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of the invention. One of ordinary skill in the art can understand and implement it without inventive effort.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) as described above and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the multidimensional brute force attack prevention method according to the embodiments of the present invention.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (10)

1. A multidimensional brute-force attack prevention and control method, characterized by comprising the following steps:
receiving a user access request transmitted by a risk decision module, and extracting an access account, an access IP and access terminal information from a request message corresponding to the user access request;
screening a failure request in the user access request according to the access IP and the access terminal information, and recording response information corresponding to the user access request based on the access account and the failure request;
and generating a brute-force attack detection result of the user access request according to the response information, and transmitting the brute-force attack detection result to the risk decision module so as to execute the target prevention and control strategy sent by the risk decision module.
2. The method as claimed in claim 1, wherein the access terminal information includes an international mobile subscriber identity IMSI and an international mobile equipment identity IMEI, and the step of screening the failed request in the user access request according to the access IP and the access terminal information includes:
judging whether the user access request corresponds to a unique client or not according to the IMSI and the IMEI;
if the user access request corresponds to a unique client, randomly extracting a first access request and a second access request in the user access request;
and if the first access IP corresponding to the first access request is different from the second access IP corresponding to the second access request, determining that the first access request and the second access request are failed requests.
3. The method as claimed in claim 1, wherein the step of screening the failed request in the user access request according to the access IP and the access terminal information further comprises:
if a target request message corresponding to a target access request contains proxy information, determining that the target access request is a failure request, wherein the target access request belongs to the user access request;
if the target request message corresponding to the target access request does not contain the proxy information, scanning an access port to judge whether the access port belongs to a preset proxy port, wherein the access port belongs to the access terminal information in the target request message;
and if the access port belongs to the preset proxy port, determining that the target access request is a failure request.
4. The method according to claim 1, wherein the step of recording response information corresponding to the user access request based on the access account and the failure request comprises:
sequencing the access account numbers according to a preset rule to obtain an account number sequence, randomly extracting a first access account number and a second access account number which are adjacent in the account number sequence, and calculating a Hamming distance between the first access account number and the second access account number;
if the Hamming distance is smaller than a first preset threshold value, determining the first access account and the second access account as traversal accounts, and calculating the quantity proportion of the traversal accounts to the access accounts to obtain the account traversal rate;
and calculating the quantity proportion of the failure requests to the access requests to obtain a request failure rate, wherein response information corresponding to the user access requests comprises the account number traversal rate, the request failure rate and the quantity of the access requests.
5. The method as claimed in claim 4, wherein the step of generating the brute-force attack detection result of the user access request according to the response information comprises:
if the number of the access requests is smaller than a second preset threshold value, determining that the brute-force attack detection result of the user access request is a non-brute-force attack;
if the number of the access requests is greater than or equal to the second preset threshold, judging whether the account traversal rate is greater than a first policy threshold, and whether the request failure rate is greater than a second policy threshold;
and if the account traversal rate is greater than the first policy threshold value or the request failure rate is greater than the second policy threshold value, determining that the brute-force attack detection result of the user access request is a brute-force attack.
6. The method as claimed in claim 5, wherein the step of transmitting the brute-force attack detection result to the risk decision module so as to execute the target prevention and control strategy sent by the risk decision module comprises:
transmitting the brute-force attack detection result to the risk decision module so that the risk decision module generates a target prevention and control strategy based on the brute-force attack;
and receiving the target prevention and control strategy sent by the risk decision module, and executing the target prevention and control strategy.
7. A multidimensional brute force attack prevention and control device, characterized in that the multidimensional brute force attack prevention and control device comprises:
the extraction module is used for receiving the user access request transmitted by the risk decision module and extracting an access account, an access IP and access terminal information from a request message corresponding to the user access request;
the response information recording module is used for screening a failure request in the user access request according to the access IP and the access terminal information, and recording response information corresponding to the user access request based on the access account and the failure request;
and the prevention and control strategy execution module is used for generating a brute-force attack detection result of the user access request according to the response information and transmitting the brute-force attack detection result to the risk decision module so as to execute the target prevention and control strategy sent by the risk decision module.
8. A multidimensional brute-force attack prevention and control apparatus, comprising: a memory, a processor and a multidimensional brute-force attack prevention and control program stored on the memory and executable on the processor, the multidimensional brute-force attack prevention and control program, when executed by the processor, implementing the steps of the multidimensional brute-force attack prevention and control method according to any one of claims 1 to 6.
9. A medium having a multidimensional brute-force attack prevention and control program stored thereon, wherein the multidimensional brute-force attack prevention and control program, when executed by a processor, implements the steps of the multidimensional brute-force attack prevention and control method according to any one of claims 1 to 6.
10. A computer program product, characterized in that the computer program product comprises a computer program which, when executed by a processor, carries out the steps of the multidimensional brute-force attack prevention and control method as defined in any one of claims 1 to 6.
Priority Application

Application Number Priority Date Filing Date Title
CN202111682637.XA 2021-12-31 2021-12-31 Multidimensional brushing attack prevention and control method, device, equipment and medium (Active, granted as CN114338216B)

Publications (2)

Publication Number Publication Date
CN114338216A 2022-04-12
CN114338216B 2024-03-26

Family

ID=81022054

Country Status (1)

Country Link
CN (1) CN114338216B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant