CN114386037A - Malicious request defense method based on Web front-end page and related equipment - Google Patents


Info

Publication number: CN114386037A
Authority: CN (China)
Prior art keywords: request, timestamp, abnormal, data interaction, request type
Legal status: Pending
Application number: CN202210040638.2A
Other languages: Chinese (zh)
Inventor: 王潇
Current Assignee: Ping An Life Insurance Company of China Ltd
Original Assignee: Ping An Life Insurance Company of China Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action

Abstract

The invention provides a malicious request defense method based on a Web front-end page and relates to the field of Internet applications. The method includes: acquiring a data interaction request aimed at a Web front-end page, determining the request type of the data interaction request, and adding the timestamp of the current data interaction request to the timestamp array corresponding to that request type; acquiring, from the timestamp arrays, the number of data interaction requests of each request type in the current monitoring time period; if the request number for a request type is larger than the request number threshold of that request type, treating the request type as an abnormal request type; if the number of abnormal request types is larger than a first number threshold, determining that the current access is abnormal access; and logging out the current login account and sending an identity authentication request. The invention can defend against malicious requests independently of the server and also judges more accurately whether a data interaction request is malicious.

Description

Malicious request defense method based on Web front-end page and related equipment
Technical Field
The invention relates to the field of internet application, in particular to a malicious request defense method based on a Web front-end page and related equipment.
Background
When judging whether a data interaction request generated by a Web front-end page is malicious, an existing Web front-end page can rely only on the operating logic of the server. Making this judgment on the server consumes server resources, so the server cannot effectively defend against hacker attacks such as distributed denial of service (DDoS), and normal user access to the website is affected. Meanwhile, when an existing server judges whether a data interaction request from the Web front-end page is malicious, it does not distinguish between the request types in the Web front-end page; it considers only the total request frequency and total request quantity within a preset unit time. The server therefore does not distinguish data interaction requests that consume relatively many server resources from those that consume relatively few, and its accuracy in judging whether a data interaction request from the Web front-end page is malicious is poor. Improvement is therefore necessary.
Disclosure of Invention
The invention aims to provide a malicious request defense method based on a Web front-end page and a related device, which can not only defend malicious requests independently, but also judge whether data interaction requests are malicious requests more accurately.
The technical scheme of the invention is as follows: a malicious request defense method based on a Web front-end page comprises the following steps:
acquiring a data interaction request aiming at a Web front-end page, determining the request type of the data interaction request, and adding a timestamp of the current data interaction request to a timestamp array corresponding to the request type;
acquiring the request quantity of data interaction requests of different request types in the current monitoring time period according to the timestamp array;
if the request number corresponding to the request type is larger than the request number threshold of the request type, taking the request type as an abnormal request type;
if the number of the abnormal request types is larger than a first number threshold, determining that the current access is abnormal access;
and exiting the current login account, and sending an identity authentication request to realize malicious request defense.
Preferably, the obtaining the request number of data interaction requests of different request types in the current monitoring time period according to the timestamp array includes:
for each request type, acquiring a timestamp array of the request type;
filtering the timestamps of which the corresponding time is not in the current monitoring time period in the timestamp array to obtain the filtering timestamp array of the request type;
and acquiring the number of the timestamps in the filtering timestamp array as the request number of the data interaction requests of the request type.
Preferably, if the request number corresponding to the request type is greater than the request number threshold of the request type, after the request type is taken as an abnormal request type, the method further includes:
acquiring the submission duration of the abnormal request type according to the filtering timestamp array;
calculating the submission frequency of the abnormal request type according to the submission duration and the request number;
if the submission frequency is greater than the request frequency threshold of the abnormal request type, taking the abnormal request type as a malicious request type;
and if the data interaction request of the malicious request type is received, rejecting the data interaction request.
Preferably, the adding the timestamp of the current time to the timestamp array corresponding to the request type includes:
acquiring a timestamp array of the request type from a browser cache;
adding a timestamp of the current time to the obtained timestamp array to obtain an updated timestamp array;
and updating the timestamp array cached by the browser according to the updated timestamp array.
Preferably, if the request number corresponding to the request type is greater than the request number threshold of the request type, after the request type is taken as an abnormal request type, the method further includes:
marking the current monitoring time period as an abnormal period;
acquiring the number of requests of data interaction requests of different request types in a plurality of continuous non-abnormal historical monitoring time periods nearest to the current time;
for each request type, obtaining the average request number according to the request numbers of different historical monitoring time periods;
and adjusting the request quantity threshold corresponding to the request type according to the average request quantity.
Preferably, after the exiting the current login account and the sending the authentication request, the method further includes:
after the identity authentication is passed, the abnormal request count of the current user is incremented by one, and the monitoring time period is shortened;
if the abnormal request count is greater than the preset frequency threshold, logging out of the current login account again, and marking the corresponding user as an abnormal user;
and if the login request of the abnormal user is received within a second preset time length from the current time, rejecting the login request.
Preferably, after the adding the timestamp of the current time to the timestamp array corresponding to the request type, the method further includes:
acquiring a user initiating the data interaction request, and associating a user identifier of the user with the timestamp of the current time in the timestamp array;
extracting personal timestamp arrays corresponding to different request types of the user from the timestamp arrays according to the user identification;
acquiring behavior data of the user in different request types according to the personal timestamp array; and determining whether the user is an abnormal user according to the behavior data.
The other technical scheme of the invention is as follows: a malicious request defense apparatus based on a Web front-end page, comprising:
the request acquisition module is used for acquiring a data interaction request aiming at a Web front-end page, determining the request type of the data interaction request and adding a timestamp of the current data interaction request to a timestamp array corresponding to the request type;
the request quantity monitoring module is used for acquiring the request quantity of data interaction requests of different request types in the current monitoring time period according to the timestamp array;
an abnormal request determining module, configured to take the request type as an abnormal request type if the request number corresponding to the request type is greater than a request number threshold of the request type;
the abnormal request confirming module is used for determining that the current access is abnormal access if the number of the abnormal request types is larger than a first number threshold;
and the user identity authentication module is used for exiting the current login account, sending an identity authentication request and realizing malicious request defense.
The other technical scheme of the invention is as follows: a computer device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, characterized in that the processor implements the steps of the Web front-end page based malicious request defense method when executing the computer program.
The other technical scheme of the invention is as follows: a computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, carries out the steps of the method for defending against malicious requests based on Web front-end pages.
The invention has the beneficial effects that:
1. The method obtains the timestamp corresponding to each data interaction request and groups the data interaction requests of the same request type together, so that each request type has its own monitoring time period; the number of data interaction requests of each request type within its monitoring time period is then obtained in real time on the Web front-end page, and from this it is judged whether the current data interaction request is malicious. The application can thus complete malicious request defense independently, without calling server resources, which reduces server resource consumption.
2. According to the method and the device, the data interaction requests are divided into different categories, and the data interaction requests of each request type are monitored in a targeted manner, so that whether the access request of the web front-end page is a malicious request can be judged more accurately.
Drawings
Fig. 1 is a schematic flowchart of a malicious request defense method based on a Web front-end page according to a first embodiment of the present invention;
Fig. 2 is a schematic structural diagram of a malicious request defense device based on a Web front-end page according to a second embodiment of the present invention;
Fig. 3 is a schematic structural diagram of an electronic device according to a third embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a storage medium according to a fourth embodiment of the present invention.
Detailed Description
The invention is further described with reference to the following figures and embodiments.
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terms "first", "second", "third" in the present invention are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implying any number of technical features indicated. Thus, a feature defined as "first", "second", or "third" may explicitly or implicitly include at least one of the feature. In the description of the present invention, "a plurality" means at least two, e.g., two, three, etc., unless specifically limited otherwise. All directional indicators (such as up, down, left, right, front, and back) in the embodiments of the present invention are only used to explain the relative position relationship between the components, the movement, and the like in a specific posture (as shown in the drawings), and if the specific posture is changed, the directional indicator is changed accordingly. Furthermore, the terms "comprise" and "have," as well as any variations thereof, are intended to cover non-exclusive inclusions. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those steps or elements listed, but may alternatively include other steps or elements not listed, or inherent to such process, method, article, or apparatus.
The server of the application can be an independent server, and can also be a cloud server providing basic cloud computing services such as cloud service, a cloud database, cloud computing, cloud functions, cloud storage, Network service, cloud communication, middleware service, domain name service, security service, Content Delivery Network (CDN), big data and an artificial intelligence platform.
Distributed denial of service (DDoS) is the most widely existing hacking method, and a hacker sends a large amount of data to a server through frequent access, and occupies service resources, thereby preventing a general user from normally accessing a website. According to the report of the U.S. computer emergency response center, no good method for really solving the problem of distributed denial of service DDoS attack exists so far.
Meanwhile, in project operation practice, individual abnormal users have been found who submit data requests frequently or repeatedly. Although this does not paralyze the server as a hacker would, it still consumes some server resources and produces abnormal user statistics.
The inventor finds that an existing Web front-end page can only limit repeated requests caused by button clicks or content input, but cannot limit repeated requests caused by browser interface operations such as page refreshing. Meanwhile, in the prior art, whether a request from a Web front-end page is malicious can be determined only through the logic of the server; this consumes server resources, so the server cannot effectively defend against hacker attacks such as distributed denial of service (DDoS), which affects normal user access to the website.
Fig. 1 is a flowchart illustrating a malicious request defense method based on a Web front-end page according to a first embodiment of the present invention. The application mainly relates to how to defend a data interaction request generated in a Web front-end page display stage, so that a user can normally access a website. It should be noted that the method of the present invention is not limited to the flow sequence shown in fig. 1 if the results are substantially the same. As shown in fig. 1, the method for defending against malicious requests based on a Web front-end page includes the steps of:
S1, acquiring a data interaction request aiming at a Web front-end page, determining the request type of the data interaction request, and adding the timestamp of the current data interaction request to the timestamp array corresponding to the request type.
In this step, the present application divides the Web page into a front-end page and a back-end page. The Web front-end page is mainly responsible for page display and mainly refers to the functional modules or buttons that a user can directly see and touch in a Web application; it includes the structure of the Web page, the visual appearance of the Web page, and the interactive implementation of the Web layer. The Web back-end page implements business logic and mostly interacts with the database to process the corresponding business logic; how functions are implemented, data access, and the stability and performance of the platform need to be considered there.
During actual work, the method divides the requests generated by the (user's) Web front-end page into data interaction requests, which send request data to the server, and local operation requests, which do not, according to whether server response data needs to be called. Because a local operation request does not occupy server resources and involves no data interaction with the server, it does not affect the user's normal access to the Web page, so local operation requests are not considered; data interaction requests that need to call server response data must be monitored and defended against, and the specific monitoring and defense steps of the application are described in steps S1-S6.
According to the method and device, the requests sent by a Web front-end page to a server are divided into different types of data interaction requests. Data interaction requests comprise browser requests, which are based on the browser, and Web requests, which are based on the Web page. Browser requests are user requests generated by the browser itself, such as page refreshes and history records; Web requests are requests from inside the Web page. For example, on a mailbox login page, the requests generated by operations such as opening the inbox or outbox and downloading attachments are Web requests, while requests generated by page refreshes and the like are browser requests.
In practice, the Web requests of the present application include, but are not limited to: button clicks, content input, and obtaining website links within the Web page. Browser requests include, but are not limited to: page refresh operations, reading links from the history page, and directly reading links found by searching within the page.
Furthermore, because a page refresh operation often needs to acquire relatively more server resources during actual work, page refresh operations are further separated out as page refresh requests, which correspond specifically to the user's refresh operations, so that malicious requests can be defended against in a more targeted manner.
Furthermore, in order to prevent hackers from forging data interaction requests, the application sets data interaction requests (including browser requests and WEB requests) to a specific format, so as to implement strict screening of the data interaction requests, such as but not limited to: request type identification, request parameters, request header information, request body information, Uniform Resource Identifier (URI); parameter information contained in a Uniform Resource Locator (URL).
In this step, the method of adding the timestamp of the current time to the timestamp array corresponding to the request type is as follows:
a. acquiring a timestamp array of the request type from a browser cache;
b. adding a timestamp of the current time to the obtained timestamp array to obtain an updated timestamp array;
c. and updating the timestamp array cached by the browser according to the updated timestamp array.
Further, after adding the timestamp of the current time to the timestamp array corresponding to the request type, the method further includes:
d. acquiring a user initiating the data interaction request, and associating a user identifier of the user with the timestamp of the current time in the timestamp array;
e. extracting personal timestamp arrays corresponding to different request types of the user from the timestamp arrays according to the user identification;
f. acquiring behavior data of the user in different request types according to the personal timestamp array;
g. and determining whether the user is an abnormal user according to the behavior data.
During actual work, the timestamp corresponding to each data interaction request needs to be obtained, and the timestamps generated by data interaction requests of the same type are combined into one timestamp array (namely, the timestamp array of that request type). A timestamp in the application may contain only time information, and the timestamp may also be set to a specific format to facilitate strict screening.
In actual work, the timestamps recorded by the application are obtained through data cache records. Each data interaction request correspondingly generates one data cache record, which records the name of the data interaction request, its timestamp array, and information such as data in a specific format meeting a preset standard; each type of data cache record is updated whenever a timestamp is newly added.
Preferably, the data interaction request further includes a data cache record corresponding to each data interaction request, where the key name of the data cache record corresponds to the name identifier of each data interaction request, and the key value of the data cache record is array data with a timestamp.
In this step, the data cache record corresponding to each type of data interaction request is updated in real time, and the time span of the timestamp array in each type of data cache record is always the monitoring time period corresponding to each data interaction request.
In this step, the present application divides the data cache records into browser cache records corresponding to browser requests and Web cache records corresponding to Web requests. For each data interaction request, the timestamp corresponding to the time the new request was initiated is added to the existing timestamp array, and timestamps that are not within the monitoring time period are deleted.
In actual work, if no corresponding data cache record is found for a certain data interaction request, a cache record (such as a Web cache record) is newly created for that data interaction request and its cache value is initialized; if a browser cache record is found, the browser cache value is read. Further, the browser cache record and the Web cache record may be named with the same suffix or with different suffixes, so that the two kinds of record can be distinguished.
Furthermore, the key values of the data cache records of the present application may be updated in real time, and the key values (cache arrays) of the data cache records employ a lazy update policy, that is, the key value of a data cache record is updated only when the next request arrives. Preferably, the data cache record is also set to a specific format, like the data interaction request, so as to implement strict screening of requests; this may follow the way the data interaction request format is set in step S1.
S2, acquiring the request quantity of data interaction requests of different request types in the current monitoring time period according to the timestamp array;
during actual work, the method and the device initialize the request monitor setting according to the service requirement, and set two parameters: 1. unit time T (i.e., monitoring time period); 2. the maximum number of requests M allowed per unit time T (i.e. the monitoring time period).
In the method and device, the monitor is built into the Web front-end page. The monitor judges whether the length (number of entries) of the timestamp array of each data interaction request, within that request's preset threshold time, exceeds the preset length (number); if it does, the access is abnormal, and if not, the access is normal.
In the monitor algorithm of the present application, the unit time T and the request number M of the parameters can be customized according to the service condition to limit the frequency of data interaction requests. By the monitor algorithm, the browser is adopted to cache and manage the request records, the front-end page request is monitored, and the frequent request condition is detected, so that the front-end page can perform malicious request defense work.
The method and system place the defense against frequent requests on the client side, which avoids the server resource consumption of traditional server-side defense. In addition, during project operation, users no longer generate abnormal behavior data, so the recorded user behavior data is more faithful. This saves enterprises server operation and maintenance costs.
In this step, the main purpose of this proposal is to obtain the number of requests for various data interaction requests in a unit time, and this application also records the number of various data interaction requests, the total number of all data interaction requests, and the time of each submission in a localstorage cache system, thereby ensuring persistent cache. The localstorage is a local cache, and can still exist when a page is refreshed and never expires.
In the step, the monitor is arranged on a WEB front-end page, and the monitor judges whether the current access behavior of the user is normal access or not in a real-time monitoring mode; meanwhile, a plurality of monitors can be arranged, and each monitor respectively monitors a data interaction request and a data cache record and a time stamp array generated by the data interaction request. Preferably, since the page refresh request is special and the server resources called each time are more, a monitor can be set for the page refresh request alone.
Further, the monitor at the page front end also judges in real time whether the formats of the data interaction request, the data cache record and the timestamp are correct. If any of these formats is incorrect, the access is not normal access; if the formats are correct, whether the access is normal is judged according to the subsequent steps.
In this step, the monitor judges whether the number of the data interaction requests is within a preset allowable range in a unit time T by judging the length (number) of the timestamp array in real time, the unit time T (i.e., the monitoring time period) can be determined by the time recorded by the timestamp, and the length of the timestamp array can be judged by the monitor, so that the technical scheme of the application can be realized on a front-end page.
In this step, obtaining the request quantity of the data interaction requests of different request types in the current monitoring time period includes the following steps:
s21, acquiring a time stamp array of the request type aiming at each request type;
s22, filtering the timestamps of which the corresponding time in the timestamp array is not in the current monitoring time period to obtain the filtering timestamp array of the request type;
s23, obtaining the number of the timestamps in the filtering timestamp array as the request number of the data interaction request of the request type.
During actual work, the time span of the timestamps corresponding to each data interaction request is the monitoring time period (namely, the unit time T) recorded in the above step, and the end point of the timestamp array is the time of the current data interaction request; timestamps that do not fall within the monitoring time period can therefore be filtered out.
During actual work, the timestamps of each data interaction request can be taken from the data cache records according to the preset unit time T, and the timestamp generated by the current data interaction request is added, by category, to the existing timestamps. At the same time, the unit time T can be determined from the time recorded by each timestamp, and the application filters out timestamps that are not within the unit time T.
Preferably, the timestamps of the present application are also divided into browser timestamps, corresponding to the browser, and Web timestamps, corresponding to the Web. Furthermore, a page refresh timestamp is specially arranged in the method, and is used specifically to record the number of page refresh requests of the user.
In this step, the data interaction requests of the present application are divided according to request type, and the data interaction requests of each request type are respectively preset with a threshold time (also referred to as a monitoring time period). The preset threshold time is set by a technician according to the memory size of the server response data called by each data interaction request: the more server resources a request calls, the shorter its preset threshold time and the smaller its number of allowed requests. For example, the monitoring time period (preset threshold time) of a WEB page refresh request in the present application is 10 seconds with 5 allowed requests, and the monitoring time period of a button click request in a WEB page is 2 seconds with 4 allowed requests.
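The counting step above (S21 to S23), together with the per-type comparison against a request number threshold and the "first number threshold" test on the count of abnormal request types, can be written as a small front-end routine. The following is an added example, not code from the patent or its applicant. It uses the two policies quoted above (refresh: 10 seconds, 5 requests; click: 2 seconds, 4 requests); the function names, the in-memory `Map` standing in for the browser cache (a real page would use `window.localStorage`), the cache-value format (a JSON-serialised timestamp array under the request name as key, as the description puts it), and the default first number threshold of 0 are assumptions.

```javascript
// Added example: per-request-type timestamp arrays kept in a browser-side cache,
// filtered to the current monitoring period, counted, and compared with per-type
// thresholds. Not the patent's code; names and the cache stand-in are assumptions.

// Per-type policy taken from the description: refresh 10 s / 5, click 2 s / 4.
const POLICY = {
  page_refresh: { periodMs: 10000, maxRequests: 5 },
  button_click: { periodMs: 2000, maxRequests: 4 },
};

// Stand-in for the browser cache (string key -> string value, like localStorage).
const cache = new Map();
function resetCache() { cache.clear(); }

// Cache key name is the request name; cache value is the serialised timestamp array.
// A record that is not a well-formed integer array fails the format check
// described on the page and is reported as null (i.e. not a normal access).
function loadTimestamps(requestType) {
  const raw = cache.get(requestType);
  if (raw === undefined) return [];
  try {
    const parsed = JSON.parse(raw);
    if (!Array.isArray(parsed) || !parsed.every((t) => Number.isInteger(t))) return null;
    return parsed;
  } catch (e) {
    return null;
  }
}

function saveTimestamps(requestType, timestamps) {
  cache.set(requestType, JSON.stringify(timestamps));
}

// S22: keep only the timestamps inside the period that ends at `now` (ms).
function filterToPeriod(timestamps, now, periodMs) {
  return timestamps.filter((t) => t > now - periodMs && t <= now);
}

// Record the current request of `requestType` at time `now`, then evaluate the
// access: each type whose request number exceeds its threshold is abnormal (S3),
// and the access is abnormal when more than `firstNumberThreshold` types are (S5).
function evaluateRequest(requestType, now, firstNumberThreshold = 0) {
  const current = loadTimestamps(requestType);
  if (current === null) {
    return { abnormalTypes: [], abnormalAccess: true, malformed: true };
  }
  // S1 as the description gives it: append the current timestamp and store the
  // filtered array back as the new browser cache value.
  const filtered = filterToPeriod(current, now, POLICY[requestType].periodMs);
  filtered.push(now);
  saveTimestamps(requestType, filtered);

  const abnormalTypes = [];
  for (const [type, rule] of Object.entries(POLICY)) {
    const arr = loadTimestamps(type);
    if (arr === null) continue; // malformed record of another type: not counted here
    const count = filterToPeriod(arr, now, rule.periodMs).length; // S23
    if (count > rule.maxRequests) abnormalTypes.push(type);
  }
  return {
    abnormalTypes,
    abnormalAccess: abnormalTypes.length > firstNumberThreshold,
    malformed: false,
  };
}
```

Because the window always ends at the current request, a burst of six refreshes within ten seconds is flagged on the sixth, while a refresh arriving after the window has elapsed starts a fresh array of length one; the format check rejects a tampered cache record before any counting is done.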
S3, if the request number corresponding to the request type is larger than the request number threshold value of the request type, taking the request type as an abnormal request type;
in actual operation, when the data interaction request is an abnormal request type, the method further comprises the following steps:
a1, acquiring the submission duration of the abnormal request type according to the filtering timestamp array;
b1, calculating the submission frequency of the abnormal request type according to the submission duration and the request number; wherein the submission frequency of the abnormal request type is equal to the submission duration divided by the number of requests;
c1, if the submission frequency is greater than the request frequency threshold of the abnormal request type, taking the abnormal request type as a malicious request type;
d1, if receiving the data interaction request of the malicious request type, rejecting the data interaction request.
During actual work, the method further comprises the step of adjusting the historical monitoring time period so as to enable the method to defend against the malicious request more accurately, and the method specifically comprises the following steps:
a2, marking the current monitoring time period as an abnormal period;
b2, acquiring the number of the data interaction requests of different request types in a plurality of continuous non-abnormal historical monitoring time periods nearest to the current time;
c2, for each request type, obtaining the average request quantity from the request quantities of the different historical monitoring time periods;
d2, adjusting the request quantity threshold value corresponding to the request type according to the average request quantity.
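The two follow-ups the description attaches to an abnormal request type, the submission-frequency test (a1 to d1) and the threshold adjustment from recent non-abnormal periods (a2 to d2), as an added example that is not the patent's code. Inputs are the filtered timestamp array of the type (milliseconds) and a per-period history of request counts. The submission frequency is computed exactly as step b1 defines it (duration divided by request number). The history record shape, the look-back of three periods, reading "continuous" as consecutive periods walking back from the present, and the adjustment rule (average times a headroom factor, rounded up) are assumptions the page does not fix.

```javascript
// Added example, not the patent's code. Names, the history record shape, the
// look-back depth and the adjustment rule are assumptions.

// a1: submission duration is the span covered by the filtered timestamps.
// b1: the description defines submission frequency as duration / request number,
// so the result is in milliseconds per request.
function submissionFrequency(filteredTimestamps) {
  const n = filteredTimestamps.length;
  if (n < 2) return null; // a single request has no duration to measure
  const duration = Math.max(...filteredTimestamps) - Math.min(...filteredTimestamps);
  return duration / n;
}

// c1: the abnormal type becomes a malicious type when its submission frequency
// exceeds the request-frequency threshold configured for that type.
function isMaliciousType(filteredTimestamps, requestFrequencyThreshold) {
  const f = submissionFrequency(filteredTimestamps);
  return f !== null && f > requestFrequencyThreshold;
}

// History of monitoring periods, oldest first:
//   { counts: { requestType: requestNumber }, abnormal: boolean }
// a2: the current period is appended and marked abnormal.
// b2: the nearest consecutive non-abnormal periods (up to lookBack) are collected.
// c2: the per-type average over those periods is taken.
// d2: the type's threshold becomes ceil(average * headroom), at least 1 (assumed rule).
function adjustThresholds(history, currentCounts, thresholds, lookBack = 3, headroom = 1.5) {
  const updated = [...history, { counts: currentCounts, abnormal: true }];

  const recent = [];
  for (let i = updated.length - 2; i >= 0 && recent.length < lookBack; i--) {
    if (updated[i].abnormal) break; // stop at the first abnormal period
    recent.push(updated[i]);
  }

  const newThresholds = { ...thresholds };
  if (recent.length === 0) return { history: updated, thresholds: newThresholds };

  for (const type of Object.keys(thresholds)) {
    const total = recent.reduce((sum, p) => sum + (p.counts[type] || 0), 0);
    const average = total / recent.length;
    newThresholds[type] = Math.max(1, Math.ceil(average * headroom));
  }
  return { history: updated, thresholds: newThresholds };
}
```

Stopping at the first abnormal period keeps a prior burst from inflating the average that the new threshold is derived from; the current period, being marked abnormal, is likewise never part of its own baseline.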
S5, if the number of the abnormal request types is larger than a first number threshold, determining that the current access is abnormal access.
During actual work, after normal access is determined, the timestamp corresponding to the current data interaction request is added into the filtered timestamp array, then the timestamp array is converted into a browser cache value, and the browser cache value is stored into a browser cache record.
The method and the device can also check whether the formats of the cache records and the data interaction requests are preset formats, so that whether the access requests of the users are malicious requests is judged.
In this step, when determining whether the data interaction request is a malicious request, the method may further use the frequency of the data interaction request, that is, the number of cache records in a unit time divided by the unit time preset for that type of data interaction request; if the request frequency of a certain type is higher than its preset threshold, the web page request is determined to be a malicious request.
In actual operation, when judging whether the access request of the user is a malicious request, the method and the device add no proxy service equipment and can defend against the malicious request through the web page function of the web client alone, using only the cache value.
And S6, exiting the current login account, sending an identity authentication request, and realizing malicious request defense.
In this step, the online authentication is prior art and is not described further here. When the online authentication does not pass, the user name and user IP address of the malicious request may be recorded and stored in the blacklist library of the server system, so that the user can be effectively prevented from submitting malicious requests again. Preferably, the local database of the WEB page may also store the blacklist information.
The exiting of the current login account and the sending of the identity authentication request further comprise:
a. after the identity authentication is passed, the abnormal request count of the current user is accumulated by one, and the monitoring time period is shortened;
b. if the abnormal request count is greater than the preset frequency threshold, logging out of the current login account again, and marking the corresponding user as an abnormal user;
c. if a login request of the abnormal user is received within a second preset time length from the current time, rejecting the login request.
d. If the access request of the user is normal access, the page access request is sent to a server so as to perform data interaction with the server; and if the access request of the user is abnormal access, the user is allowed to perform online identity authentication within a preset time period so as to reconfirm the identity of the user.
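The per-user follow-up after identity authentication (steps a to c above) as an added example, not the patent's code. The user record shape, the choice to halve the monitoring time period on each episode (the page only says it is shortened), the default preset frequency threshold of 3 and the default second preset time length of 30 minutes are assumptions.

```javascript
// Added example, not the patent's code: per-user state after identity authentication.
// Record shape, halving rule and default thresholds are assumptions.

function newUserState(monitoringPeriodMs) {
  return { abnormalRequestCount: 0, monitoringPeriodMs, abnormalUser: false, markedAt: null };
}

// a: after authentication passes, the abnormal request count is incremented and
//    the monitoring time period is shortened (here halved, floor of 1 s, assumed).
// b: once the count exceeds the preset frequency threshold, the account is logged
//    out again and the user is marked abnormal at time `now`.
// Returns the new state and whether a second logout is required; the input is not mutated.
function onAuthenticationPassed(state, now, frequencyThreshold = 3) {
  const next = {
    ...state,
    abnormalRequestCount: state.abnormalRequestCount + 1,
    monitoringPeriodMs: Math.max(1000, Math.floor(state.monitoringPeriodMs / 2)),
  };
  let logoutAgain = false;
  if (next.abnormalRequestCount > frequencyThreshold) {
    next.abnormalUser = true;
    next.markedAt = now;
    logoutAgain = true;
  }
  return { state: next, logoutAgain };
}

// c: a login request from a marked user within the second preset time length
//    (measured from the marking time) is rejected.
function acceptLogin(state, now, secondPresetMs = 30 * 60 * 1000) {
  if (!state.abnormalUser) return true;
  return now - state.markedAt >= secondPresetMs;
}
```

Keeping the episode counter and the shortened period in a per-user record means each re-authentication tightens the window the request counting runs over, so a user who keeps tripping the check is constrained more quickly each time before the login refusal in step c finally applies.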
In actual work, the technical problem to be solved by the application is how to more accurately judge whether the access request of the user is a malicious request under the condition of not occupying server resources, and in the prior art, not only the resources of the server need to be called when judging whether the access request is the malicious request, but also the types of the requests are not classified, so that whether the access request of the user is the malicious request can be judged only for all the requests in unit time in the prior art, and whether the access request of the user is the malicious request can not be pertinently judged according to the server resources to be actually called, namely, the judgment result of the prior art is not accurate.
In actual work, what the cache in the prior art stores is the number of requests and the request delivery time, while what the cache in the present application stores is the category contents such as cache key name (request name), key value (timestamp array), etc., meanwhile, the prior art only records whether the access request of the user is malicious or not by judging whether the request number in unit time exceeds a preset range or not, and does not have any record about the request needing to be classified.
Fig. 2 is a schematic structural diagram of a malicious request defense apparatus based on a Web front-end page according to a second embodiment of the present invention. As shown in fig. 2, the malicious request defense apparatus based on a Web front-end page includes:
the request acquisition module 21 is configured to acquire a data interaction request for a Web front-end page, determine a request type of the data interaction request, and add a timestamp of a current data interaction request to a timestamp array corresponding to the request type;
the request quantity monitoring module 22 is configured to obtain the request quantity of data interaction requests of different request types in the current monitoring time period according to the timestamp array;
an abnormal request determining module 23, configured to take the request type as an abnormal request type if the request number corresponding to the request type is greater than a request number threshold of the request type;
an abnormal request confirmation module 24, configured to determine that the current access is an abnormal access if the number of the abnormal request types is greater than a first number threshold;
and the user identity authentication module 25 is used for logging out of the current login account and sending an identity authentication request.
In actual operation, for specific limitations of the malicious request defense apparatus based on the Web front-end page, reference may be made to the above limitations of the malicious request defense method based on the Web front-end page, which is not described herein again. The modules in the malicious request defending device based on the Web front-end page can be wholly or partially realized by software, hardware and a combination thereof. The modules can be embedded in a hardware form or independent from a processor in the computer device, and can also be stored in a memory in the computer device in a software form, so that the processor can call and execute operations corresponding to the modules.
Fig. 3 is a schematic structural diagram of an electronic device according to a third embodiment of the present invention. As shown in fig. 3, the electronic device 30 includes a processor 31 and a memory 32 coupled to the processor 31.
The memory 32 stores program instructions for implementing the malicious request defense method based on Web front-end pages of any of the above embodiments.
The processor 31 is operative to execute program instructions stored by the memory 32 for malicious request defense processing based on Web front-end pages.
The processor 31 may also be referred to as a CPU (Central Processing Unit). The processor 31 may be an integrated circuit chip having signal processing capabilities. The processor 31 may also be a general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
Referring to fig. 4, fig. 4 is a schematic structural diagram of a storage medium according to a fourth embodiment of the invention. The storage medium 40 of the fourth embodiment of the present invention stores program instructions 41 capable of implementing all the methods described above, where the program instructions 41 may be stored in the storage medium in the form of a software product, and include several instructions to enable a computer device (which may be a personal computer, a server, or a network device) or a processor (processor) to execute all or part of the steps of the methods of the embodiments of the present invention. And the aforementioned storage medium includes: various media capable of storing program codes, such as a usb disk, a mobile hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, or terminal devices, such as a computer, a server, a mobile phone, and a tablet.
In the embodiments provided in the present invention, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, a division of a unit is merely a logical division, and an actual implementation may have another division, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit. The above description is only an embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes performed by the present specification and drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a non-volatile and/or volatile computer-readable storage medium, and can include the processes of the embodiments of the methods described above when the computer program is executed. Any reference to memory, storage, database, or other medium used in the embodiments provided herein may include non-volatile and/or volatile memory, among others. Non-volatile memory can include read-only memory (ROM), Programmable ROM (PROM), Electrically Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDRSDRAM), Enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), Rambus Direct RAM (RDRAM), direct bus dynamic RAM (DRDRAM), and memory bus dynamic RAM (RDRAM).
It is obvious to those skilled in the art that for convenience and simplicity of description, the present application is only illustrated by the above-mentioned division of the functional units and modules, and in practical applications, the above-mentioned function distribution may be performed by different functional units and modules as needed, that is, the internal structure of the device is divided into different functional units or modules to perform all or part of the above-mentioned functions.

Claims (10)

1. A malicious request defense method based on a Web front-end page is characterized by comprising the following steps:
acquiring a data interaction request aiming at a Web front-end page, determining the request type of the data interaction request, and adding a timestamp of the current data interaction request to a timestamp array corresponding to the request type;
acquiring the request quantity of data interaction requests of different request types in the current monitoring time period according to the timestamp array;
if the request number corresponding to the request type is larger than the request number threshold of the request type, taking the request type as an abnormal request type;
if the number of the abnormal request types is larger than a first number threshold, determining that the current access is abnormal access;
and exiting the current login account, and sending an identity authentication request to realize malicious request defense.
2. The method for defending against malicious requests based on Web front-end pages according to claim 1, wherein the obtaining the request number of data interaction requests of different request types in a current monitoring time period according to the timestamp array comprises:
for each request type, acquiring a timestamp array of the request type;
filtering the timestamps of which the corresponding time is not in the current monitoring time period in the timestamp array to obtain the filtering timestamp array of the request type;
and acquiring the number of the timestamps in the filtering timestamp array as the request number of the data interaction requests of the request type.
3. The method for defending against malicious requests based on a Web front-end page according to claim 2, wherein if the number of requests corresponding to the request type is greater than the threshold number of requests of the request type, after the request type is regarded as an abnormal request type, further comprising:
acquiring the submission duration of the abnormal request type according to the filtering timestamp array;
calculating the submission frequency of the abnormal request type according to the submission duration and the request number;
if the submission frequency is greater than the request frequency threshold of the abnormal request type, taking the abnormal request type as a malicious request type;
and if the data interaction request of the malicious request type is received, rejecting the data interaction request.
4. The method of claim 1, wherein adding a timestamp of a current time to a timestamp array corresponding to the request type comprises:
acquiring a timestamp array of the request type from a browser cache;
adding a timestamp of the current time to the obtained timestamp array to obtain an updated timestamp array;
and updating the timestamp array cached by the browser according to the updated timestamp array.
5. The method for defending against malicious requests based on a Web front-end page according to claim 1, wherein if the number of requests corresponding to the request type is greater than the threshold number of requests corresponding to the request type, then after taking the request type as an abnormal request type, further comprising:
marking the current monitoring time period as an abnormal period;
acquiring the number of requests of data interaction requests of different request types in a plurality of continuous non-abnormal historical monitoring time periods nearest to the current time;
for each request type, obtaining the average request number according to the request numbers of different historical monitoring time periods;
and adjusting the request quantity threshold corresponding to the request type according to the average request quantity.
6. The method for defending against malicious requests based on Web front-end pages according to claim 1, wherein said exiting the current login account, after sending the authentication request, further comprises:
after the identity authentication is passed, the abnormal request count of the current user is accumulated by one, and the monitoring time period is shortened;
if the abnormal request count is greater than the preset frequency threshold, logging out of the current login account again, and marking the corresponding user as an abnormal user;
and if the login request of the abnormal user is received within a second preset time length from the current time, rejecting the login request.
7. The method for defending against malicious requests based on Web front-end pages according to claim 1, wherein after adding the timestamp of the current time to the timestamp array corresponding to the request type, further comprising:
acquiring a user initiating the data interaction request, and associating a user identifier of the user with the timestamp of the current time in the timestamp array;
extracting personal timestamp arrays corresponding to different request types of the user from the timestamp arrays according to the user identification;
acquiring behavior data of the user in different request types according to the personal timestamp array;
and determining whether the user is an abnormal user according to the behavior data.
8. A malicious request defense device based on a Web front-end page is characterized by comprising:
the request acquisition module is used for acquiring a data interaction request aiming at a Web front-end page, determining the request type of the data interaction request and adding a timestamp of the current data interaction request to a timestamp array corresponding to the request type;
the request quantity monitoring module is used for acquiring the request quantity of data interaction requests of different request types in the current monitoring time period according to the timestamp array;
an abnormal request determining module, configured to take the request type as an abnormal request type if the request number corresponding to the request type is greater than a request number threshold of the request type;
the abnormal request confirming module is used for determining that the current access is abnormal access if the number of the abnormal request types is larger than a first number threshold;
and the user identity authentication module is used for exiting the current login account, sending an identity authentication request and realizing malicious request defense.
9. A computer device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, characterized in that the processor implements the steps of the method for defending against malicious requests based on Web front-end pages according to any of claims 1 to 7 when executing the computer program.
10. A computer-readable storage medium, in which a computer program is stored, which, when being executed by a processor, carries out the steps of the method for defending against malicious requests based on Web front-end pages according to any of claims 1 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210040638.2A CN114386037A (en) 2022-01-14 2022-01-14 Malicious request defense method based on Web front-end page and related equipment

Publications (1)

Publication Number Publication Date
CN114386037A true CN114386037A (en) 2022-04-22

Family

ID=81201455

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210040638.2A Pending CN114386037A (en) 2022-01-14 2022-01-14 Malicious request defense method based on Web front-end page and related equipment

Country Status (1)

Country Link
CN (1) CN114386037A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115544417A (en) * 2022-10-10 2022-12-30 中电金信软件有限公司 Webpage form verification method and device, electronic equipment and storage medium
CN115544417B (en) * 2022-10-10 2024-05-31 中电金信软件有限公司 Method and device for verifying web form, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination