CN114611108A - Data processing method and storage medium - Google Patents


Info

Publication number
CN114611108A
Authority
CN
China
Prior art keywords
target
flow
parameter
traffic
normalized
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202011406579.3A
Other languages
Chinese (zh)
Inventor
彭晨晨
董志成
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57: Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577: Assessing vulnerabilities and evaluating computer system security

Abstract

The embodiment of the application discloses a data processing method and a storage medium, wherein the method comprises the following steps: acquiring a flow sequence in a target link, and acquiring a target flow for a target user according to the flow sequence, wherein the flow sequence comprises at least two flows, the target flow belongs to the flow sequence, and the target flow comprises at least two flows; carrying out normalization processing on each flow in the target flows to generate normalized target flows; and analyzing the behavior characteristics of the target user according to the normalized target flow, and determining the enumeration vulnerability state of the target user according to the behavior characteristics. By the method and the device, the coverage of enumeration detection can be increased, and the data security is improved.

Description

Data processing method and storage medium
Technical Field
The present application relates to the field of internet technologies, and in particular, to a data processing method and a storage medium.
Background
Enumeration is widely used in penetration testing and APT attacks. At present, enumeration detection is mostly built on risk-control systems and relies on per-business interface monitoring. That monitoring mainly targets short-term abnormal access to some interfaces, and it does not cover high-threat scenarios such as the bulk leakage of sensitive information caused by enumeration of ordinary interfaces. As a result, current enumeration detection covers only some interfaces or specific types of enumeration; the coverage is small, full coverage cannot be achieved, and this creates a serious security risk.
Disclosure of Invention
Embodiments of the present application provide a data processing method and a storage medium, which can increase a coverage of enumeration detection and improve data security.
An aspect of the present application provides a data processing method, which may include:
acquiring a flow sequence in a target link, and acquiring a target flow for a target user according to the flow sequence, wherein the flow sequence comprises at least two flows, the target flow belongs to the flow sequence, and the target flow comprises at least two flows;
carrying out normalization processing on each flow in the target flows to generate normalized target flows;
and analyzing the behavior characteristics of the target user according to the normalized target flow, and determining the enumeration vulnerability state of the target user according to the behavior characteristics.
Wherein, the data processing method further comprises:
extracting response information of each flow in a flow sequence of a target link, and determining the information type of the response information;
and determining the sensitivity degree of the flow corresponding to one user or each of at least two users according to the information type and the flow quantity of the response information, and determining a target user from one user or at least two users according to the priority of the sensitivity degree.
The acquiring a traffic sequence in a target link and acquiring a target traffic for a target user according to the traffic sequence includes:
determining a time threshold corresponding to the flow sequence, determining a target time period according to the time threshold and the current time, and acquiring the flow sequence in the target time period from a target link;
acquiring a user identifier of each flow in the flow sequence, and dividing the flows with the same user identifier into a flow set corresponding to the user identifier;
the method comprises the steps of obtaining a target user identification corresponding to a target user, obtaining a target flow set corresponding to the target user identification, and determining the flow in the target flow set as the target flow of the target user.
Wherein, the normalizing each flow in the target flow to generate a normalized target flow includes:
acquiring to-be-processed flow in the target flow, wherein the to-be-processed flow is any one of the target flows; each flow comprises cookie information and a uniform resource locator;
acquiring cookie information in the flow to be processed, and carrying out normalization processing on the cookie information to generate normalized cookie information;
acquiring a uniform resource locator in the traffic to be processed, and performing normalization processing on the uniform resource locator to generate a normalized uniform resource locator;
determining the normalized cookie information and the normalized uniform resource locator as normalized traffic to be processed;
and when all the target flows are determined as the flows to be processed, determining all the normalized flows to be processed as the normalized target flows.
The acquiring cookie information in the flow to be processed, performing normalization processing on the cookie information to generate normalized cookie information, includes:
determining a first parameter in a cookie in the flow to be processed, extracting a first parameter value corresponding to the first parameter, and storing the first parameter and the first parameter value in a parameter list; the first parameter is used for identifying personal identity information of the target user;
and zeroing the first parameter value in the cookie information to generate normalized cookie information.
The acquiring the uniform resource locator in the traffic to be processed, performing normalization processing on the uniform resource locator, and generating a normalized uniform resource locator includes:
if the access method of the traffic to be processed is a GET method, determining a second parameter in a uniform resource locator in the traffic to be processed, extracting a second parameter value corresponding to the second parameter, and storing the second parameter and the second parameter value in a parameter list;
zeroing a second parameter value in the uniform resource locator to generate a normalized uniform resource locator;
if the access method of the traffic to be processed is a POST method, determining a third parameter in a uniform resource locator in the traffic to be processed and a POST parameter in the traffic to be processed, extracting a third parameter value corresponding to the third parameter and a POST parameter value corresponding to the POST parameter, and storing the third parameter and the third parameter value, the POST parameter and the POST parameter value into a parameter list;
and setting zero to the third parameter value and the POST parameter value in the uniform resource locator to generate a normalized uniform resource locator and a normalized POST parameter.
Analyzing the behavior characteristics of the target user according to the normalized target traffic, and determining the enumeration vulnerability state of the target user according to the behavior characteristics, wherein the analyzing comprises:
dividing the normalized target flow into one or at least two sets to be detected; the normalized target flow in each set to be detected is the same;
acquiring a parameter list corresponding to the normalized target flow in each set to be detected; the parameter list is used for storing parameters in the target flow and parameter values corresponding to the parameters;
counting, for each parameter in the parameter list, the number of non-repeated values that its parameter value takes (its change count), and taking the largest change count among the parameters in the list as the change count of the set to be detected;
when the change count of any one set to be detected is smaller than the count threshold (the threshold on the number of changes), the target user does not have the enumeration vulnerability, and when the change count of any one set to be detected is greater than or equal to the count threshold, the target user has the enumeration vulnerability.
Wherein, the data processing method further comprises:
the enumeration vulnerability state comprises existence of enumeration vulnerability and nonexistence of enumeration vulnerability;
and when the target user has the enumeration vulnerability, sending alarm information to the target user to prompt the target user to perform enumeration vulnerability interception.
An aspect of an embodiment of the present application provides a data processing apparatus, which may include:
a traffic acquiring unit, configured to acquire a traffic sequence in a target link, and acquire a target traffic for a target user according to the traffic sequence, where the traffic sequence includes at least two traffics, the target traffic belongs to the traffic sequence, and the target traffic includes at least two traffics;
the flow processing unit is used for carrying out normalization processing on each flow in the target flow to generate normalized target flow;
and the behavior analysis unit is used for analyzing the behavior characteristics of the target user according to the normalized target flow and determining the enumeration vulnerability state of the target user according to the behavior characteristics.
Wherein the data processing apparatus further comprises:
the priority determining unit is used for extracting response information of each flow in a flow sequence of a target link and determining the information type of the response information;
and determining the sensitivity degree of the flow corresponding to one user or each of at least two users according to the information type and the flow quantity of the response information, and determining a target user from one user or at least two users according to the priority of the sensitivity degree.
The flow acquiring unit is specifically configured to:
determining a time threshold corresponding to the flow sequence, determining a target time period according to the time threshold and the current time, and acquiring the flow sequence in the target time period from a target link;
acquiring a user identifier of each flow in the flow sequence, and dividing the flows with the same user identifier into a flow set corresponding to the user identifier;
the method comprises the steps of obtaining a target user identification corresponding to a target user, obtaining a target flow set corresponding to the target user identification, and determining the flow in the target flow set as the target flow of the target user.
Wherein, the flow processing unit includes:
a to-be-processed flow obtaining subunit, configured to obtain a to-be-processed flow in the target flows, where the to-be-processed flow is any one of the target flows; each flow comprises cookie information and a uniform resource locator;
the first normalization processing subunit is configured to acquire cookie information in the flow to be processed, and perform normalization processing on the cookie information to generate normalized cookie information;
the second normalization processing subunit is configured to obtain a uniform resource locator in the traffic to be processed, perform normalization processing on the uniform resource locator, and generate a normalized uniform resource locator;
determining the normalized cookie information and the normalized uniform resource locator as normalized traffic to be processed;
and when all the target flows are determined as the flows to be processed, determining all the normalized flows to be processed as the normalized target flows.
Wherein the first normalization processing subunit is specifically configured to:
determining a first parameter in a cookie in the flow to be processed, extracting a first parameter value corresponding to the first parameter, and storing the first parameter and the first parameter value in a parameter list; the first parameter is used for identifying personal identity information of the target user;
and zeroing the first parameter value in the cookie information to generate normalized cookie information.
Wherein the second normalization processing subunit is specifically configured to:
if the access method of the traffic to be processed is a GET method, determining a second parameter in a uniform resource locator in the traffic to be processed, extracting a second parameter value corresponding to the second parameter, and storing the second parameter and the second parameter value in a parameter list;
zeroing a second parameter value in the uniform resource locator to generate a normalized uniform resource locator;
if the access method of the traffic to be processed is a POST method, determining a third parameter in a uniform resource locator in the traffic to be processed and a POST parameter in the traffic to be processed, extracting a third parameter value corresponding to the third parameter and a POST parameter value corresponding to the POST parameter, and storing the third parameter and the third parameter value, the POST parameter and the POST parameter value into a parameter list;
and setting zero to the third parameter value and the POST parameter value in the uniform resource locator to generate a normalized uniform resource locator and a normalized POST parameter.
Wherein the behavior analysis unit is specifically configured to:
dividing the normalized target flow into one or at least two sets to be detected; the normalized target flow in each set to be detected is the same;
acquiring a parameter list corresponding to the normalized target flow in each set to be detected; the parameter list is used for storing parameters in the target flow and parameter values corresponding to the parameters;
counting, for each parameter in the parameter list, the number of non-repeated values that its parameter value takes (its change count), and taking the largest change count among the parameters in the list as the change count of the set to be detected;
when the change count of any one set to be detected is smaller than the count threshold (the threshold on the number of changes), the target user does not have the enumeration vulnerability, and when the change count of any one set to be detected is greater than or equal to the count threshold, the target user has the enumeration vulnerability.
Wherein the data processing apparatus further comprises:
the enumeration vulnerability state comprises existence of enumeration vulnerability and nonexistence of enumeration vulnerability;
and the alarm unit is used for sending alarm information to the target user when the target user has the enumeration vulnerability so as to prompt the target user to intercept the enumeration vulnerability.
An aspect of the embodiments of the present application provides a computer-readable storage medium storing a plurality of instructions adapted to be loaded by a processor and to perform the above-mentioned method steps.
An aspect of an embodiment of the present application provides a computer device, including a processor and a memory; wherein the memory stores a computer program adapted to be loaded by the processor and to perform the above-mentioned method steps.
An aspect of an embodiment of the present application provides a computer program product or a computer program, which includes computer instructions stored in a computer-readable storage medium. The computer instructions are read by a processor of the computer device from a computer-readable storage medium, and the computer instructions are executed by the processor to cause the computer device to perform the above-mentioned method steps.
In the embodiment of the application, a traffic sequence in a target link is obtained, target traffic for a target user is obtained according to the traffic sequence, each flow in the target traffic is normalized to generate normalized target traffic, the behavior characteristics of the target user are then analyzed according to the normalized target traffic, and finally the enumeration vulnerability state of the target user is determined according to the behavior characteristics. By analyzing the traffic in the target link, it can be determined whether the target user has an enumeration vulnerability, which prevents the bulk leakage of sensitive information. Because the detection is not tied to a specific enumeration type, the coverage of enumeration vulnerability detection is increased and data security is improved.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is a block diagram of a system architecture for data processing according to an embodiment of the present disclosure;
fig. 2 is a schematic flowchart of a data processing method according to an embodiment of the present application;
fig. 3 is a schematic diagram illustrating an example of a data processing method according to an embodiment of the present application;
fig. 4 is a schematic flowchart of a data processing method according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of a data processing apparatus according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of a computer device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Fig. 1 is a block diagram of a data processing system according to an embodiment of the present invention. The server 10f establishes a connection with a user terminal cluster through the switch 10e and the communication bus 10d, and the user terminal cluster may include user terminal 10a, user terminal 10b, and so on. The server 10f obtains a traffic sequence in a target link and obtains target traffic for a target user according to the traffic sequence; the traffic sequence comprises at least two flows, the target traffic belongs to the traffic sequence, and the target traffic comprises at least two flows. The server 10f normalizes each flow in the target traffic to generate normalized target traffic, analyzes the behavior characteristics of the target user according to the normalized target traffic, and determines the enumeration vulnerability state of the target user according to the behavior characteristics. The database 10g is configured to store the normalized target traffic and the parameters extracted from the target traffic during normalization. When the server 10f detects that an enumeration vulnerability exists for the target user, it sends alarm information to the corresponding user terminal.
The user terminal related to the embodiment of the application comprises: terminal equipment such as tablet personal computers, smart phones, Personal Computers (PCs), notebook computers, palmtop computers and the like.
Referring to fig. 2, a flow chart of a data processing method according to an embodiment of the present application is schematically shown. As shown in fig. 2, the method of the embodiment of the present application may include the following steps S101 to S103.
S101, acquiring a flow sequence in a target link, and acquiring target flow for a target user according to the flow sequence;
Specifically, the data processing device obtains a traffic sequence in a target link, and obtains target traffic for a target user according to the traffic sequence. The data processing device may be the server 10f in fig. 1. Collection of the traffic sequence may be done by a traffic acquisition component, which may be deployed on a plurality of core links and collects the complete traffic passing through the link by optical splitting. Because the traffic sequence is collected by optical splitting, the user's normal service is not affected. For example, the traffic acquisition component may be deployed on a core link of WeChat or QQ to collect users' login requests. The traffic acquisition component can also collect the traffic in the target link at regular intervals, for example collecting the traffic of the previous minute every minute, and the collection frequency can be preset. The traffic sequence may include at least two flows of one user or of at least two users. The traffic sequence is a series of user access requests over time, and it may contain access requests from multiple users. Target traffic for a target user is obtained according to the traffic sequence; specifically, the traffic sequence may be classified by the source IP address in the traffic to obtain the target traffic of the target user, where the target traffic belongs to the traffic sequence and comprises at least two flows.
S102, carrying out normalization processing on each flow in the target flow to generate normalized target flow;
Specifically, the data processing device normalizes each flow in the target traffic to generate normalized target traffic. Normalization means extracting the parameters in the flow and setting their values to zero. Each flow includes cookie information and a Uniform Resource Locator (URL), and if the access method of the flow is the POST method, the flow also includes the parameter information carried by the POST request. Normalizing a flow therefore covers the cookie information, the uniform resource locator, and the parameter information of the POST method. The normalized target traffic is generated through this processing, and the parameter values corresponding to the parameters in the normalized target traffic are all 0.
S103, analyzing the behavior characteristics of the target user according to the normalized target flow, and determining the enumeration vulnerability state of the target user according to the behavior characteristics.
Specifically, the data processing device analyzes the behavior characteristics of the target user according to the normalized target traffic, and determines the enumeration vulnerability state of the target user according to the behavior characteristics. The enumeration vulnerability state is either that an enumeration vulnerability exists or that it does not exist. The user's behavior is analyzed through the normalized target traffic and the parameter values extracted from the target traffic; specifically, the enumeration vulnerability state of the target user can be determined from how the parameter values vary. Fig. 3 is an exemplary schematic diagram of the data processing method provided by the embodiment of the present application. As shown in fig. 3, the domain name and parameters of the target user's access request are ". qq.com/api = 1&lan_ip 10.1.1", that is, the parameters in the target traffic include "sweet" and "lan_ip". The parameters "sweet" and "lan_ip" are extracted from the target traffic, and the target traffic is normalized to generate normalized target traffic in which the parameter values are 0 (lan_ip is 0). All identical normalized target traffic of the target user is then collected. Among the extracted parameter values, the parameter "free" has 10 non-repeated values and the parameter "lan_ip" has only 1, so the change count of the parameter "free" is 10 and the change count of the parameter "lan_ip" is 1. If the change count of the parameter "free" is greater than the count threshold, the target user is known to have enumeration against a field other than lan_ip.
When it is determined that the enumeration vulnerability exists in the target user, alarm information can be sent to the target user to prompt the target user to perform enumeration vulnerability interception, and the specific alarm prompt can be a voice prompt or a text box prompt.
In the embodiment of the application, a traffic sequence in a target link is obtained, target traffic for a target user is obtained according to the traffic sequence, each flow in the target traffic is normalized to generate normalized target traffic, the behavior characteristics of the target user are then analyzed according to the normalized target traffic, and finally the enumeration vulnerability state of the target user is determined according to the behavior characteristics. By analyzing the traffic in the target link, it can be determined whether the target user has an enumeration vulnerability, which prevents the bulk leakage of sensitive information. Because the detection is not tied to a specific enumeration type, the coverage of enumeration vulnerability detection is increased and data security is improved.
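Steps S101 to S103 can be sketched as follows; this is an added example, not code from the patent. The request record fields (`ts`, `src_ip`, `method`, `url`, `cookie`, `body`), the hostnames, the threshold of 5, and the choice to keep only identity cookie fields and to sort parameter names in the normalized form are assumptions made for illustration, and the sample traffic is constructed.

```python
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Assumption: cookie fields that identify the user (the page's example field is "uin").
IDENTITY_COOKIE_FIELDS = {"uin"}


def normalize(req):
    """Zero every parameter value; return (normalized_key, parameter_list).

    parameter_list holds (location:name, original_value) pairs, i.e. the
    values that were extracted before being set to zero.
    """
    params, cookie_names = [], []
    for field in req.get("cookie", "").split(";"):
        name, sep, value = field.strip().partition("=")
        if sep and name in IDENTITY_COOKIE_FIELDS:
            params.append((f"cookie:{name}", value))
            cookie_names.append(name)

    url = urlsplit(req["url"])
    query = parse_qsl(url.query, keep_blank_values=True)
    params += [(f"query:{k}", v) for k, v in query]

    body = []
    if req["method"].upper() == "POST":  # POST: URL parameters plus POST parameters
        body = parse_qsl(req.get("body", ""), keep_blank_values=True)
        params += [(f"post:{k}", v) for k, v in body]

    def zeroed(pairs):
        # Names are sorted (a choice made here) so parameter order does not split a set.
        return "&".join(f"{k}=0" for k in sorted({k for k, _ in pairs}))

    key = (
        req["method"].upper(),
        f"{url.netloc.lower()}{url.path}?{zeroed(query)}",
        zeroed(body),
        ";".join(f"{n}=0" for n in sorted(cookie_names)),
    )
    return key, params


def detect_enumeration(requests, now, window_seconds=60, count_threshold=5):
    """Return one finding per (user, normalized request) whose change count
    reaches count_threshold within the time window ending at `now`."""
    per_user = defaultdict(list)  # S101: window the traffic, group by user identifier
    for req in requests:
        if now - window_seconds <= req["ts"] <= now:
            per_user[req["src_ip"]].append(req)

    findings = []
    for user, reqs in per_user.items():
        # S102: identical normalized requests form one set to be detected.
        sets = defaultdict(lambda: defaultdict(set))
        for req in reqs:
            key, params = normalize(req)
            for name, value in params:
                sets[key][name].add(value)
        # S103: change count of a set = largest number of distinct values of any parameter.
        for key, values_by_param in sets.items():
            param, values = max(values_by_param.items(), key=lambda kv: len(kv[1]))
            if len(values) >= count_threshold:
                findings.append({"user": user, "normalized": key[1],
                                 "param": param, "distinct_values": len(values)})
    return findings


def sample_requests():
    """Constructed traffic for the example, not captured data."""
    reqs = []
    for i in range(10):  # one user walking the "id" parameter
        reqs.append({"ts": 1000 + i, "src_ip": "203.0.113.7", "method": "GET",
                     "url": f"https://api.example.test/api/profile?id={1000 + i}&lan_ip=10.1.1.1",
                     "cookie": "uin=3; theme=dark", "body": ""})
    for i in range(6):  # one user walking a POST parameter
        reqs.append({"ts": 1020 + i, "src_ip": "198.51.100.4", "method": "POST",
                     "url": "https://api.example.test/api/lookup",
                     "cookie": "uin=7", "body": f"phone=555010{i}&fmt=json"})
    for i in range(4):  # ordinary repeated access, same parameter values
        reqs.append({"ts": 1030 + i, "src_ip": "192.0.2.9", "method": "GET",
                     "url": "https://api.example.test/api/profile?id=42&lan_ip=10.1.1.1",
                     "cookie": "uin=9", "body": ""})
    for i in range(10):  # varying ids, but outside the time window
        reqs.append({"ts": 100 + i, "src_ip": "192.0.2.50", "method": "GET",
                     "url": f"https://api.example.test/api/profile?id={i}",
                     "cookie": "", "body": ""})
    return reqs


if __name__ == "__main__":
    for finding in detect_enumeration(sample_requests(), now=1059):
        print(finding)
```
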
Referring to fig. 4, a flow chart of a data processing method according to an embodiment of the present application is schematically shown. As shown in fig. 4, the method of the embodiment of the present application may include the following steps S201 to S207.
S201, extracting response information of each flow in a flow sequence of a target link, and determining the information type of the response information; and determining the sensitivity degree of the flow corresponding to one user or each of at least two users according to the information type and the flow quantity of the response information, and determining a target user from one user or at least two users according to the priority of the sensitivity degree.
Specifically, the data processing device extracts the response information of each flow in the traffic sequence of the target link and determines the information type of the response information. The response information is the information fed back for a user's request. The types of response information include usernames and passwords, personal identity data, financial data, and the like: a username and password may be the password information of an account, personal identity information may be an identity number, a mobile phone number, and the like, and financial data may be a bank card number. The device then determines, according to the information type and the traffic quantity of the response information, the sensitivity degree of the traffic corresponding to one user or to each of at least two users. The sensitivity degree reflects the likelihood that the target user has an enumeration vulnerability: the higher the sensitivity degree, the higher that likelihood and the higher the user's priority, and users with higher priority can be checked for enumeration vulnerabilities first. The traffic quantity is the number of flows in the traffic sequence that belong to the user; specifically, the greater the traffic quantity, the higher the sensitivity degree. The target user is determined from one user or at least two users according to the priority of the sensitivity degree, and the target user may specifically be the user with the highest sensitivity degree. It should be noted that the target user may also be selected by other screening rules, for example in time order, or by choosing a designated user as the target user.
S202, determining a time threshold corresponding to a flow sequence, determining a target time period according to the time threshold and the current time, and acquiring the flow sequence in the target time period from a target link; acquiring a user identifier of each flow in the flow sequence, and dividing the flows with the same user identifier into a flow set corresponding to the user identifier; the method comprises the steps of obtaining a target user identification corresponding to a target user, obtaining a target flow set corresponding to the target user identification, and determining the flow in the target flow set as the target flow of the target user.
Specifically, the time threshold is the length of time over which the data processing device collects traffic, and the target time period is the specific period in which traffic is collected. For example, if the time threshold is one minute, the target time period is the minute before the current time, that is, the traffic sequence within the minute before the current time is obtained from the target link. The user identifier of each flow in the traffic sequence is then obtained; the user identifier may specifically be a source IP address or a user name, and different users have different user identifiers. Flows with the same user identifier are divided into the traffic set corresponding to that user identifier, so that each user identifier corresponds to one traffic set, and one or at least two flows of a user are stored in the traffic set. A target user identifier corresponding to the target user is obtained, the target traffic set corresponding to the target user identifier is obtained, and the flows in the target traffic set are determined as the target traffic of the target user.
S203, acquiring the flow to be processed in the target flow;
Specifically, the data processing device obtains a flow to be processed from the target traffic; the flow to be processed is any one of the flows in the target traffic, and each flow includes cookie information and a uniform resource locator.
S204, obtaining cookie information in the flow to be processed, and carrying out normalization processing on the cookie information to generate normalized cookie information;
Specifically, each flow includes cookie information and a uniform resource locator. The data processing device determines a first parameter in the cookie of the flow to be processed, extracts the first parameter value corresponding to the first parameter, stores the first parameter and the first parameter value in a parameter list, and sets the first parameter value in the cookie information to zero to generate normalized cookie information.
The first parameter is used to identify the personal identity information of the target user. For example, if the cookie information of every user who logs in to a website using QQ includes a uin field, the first parameter is "uin". If the uin field reads "uin=3", the parameter value "3" corresponding to the uin field is extracted, the first parameter and the first parameter value "uin=3" are stored in the parameter list, and the parameter value of the uin field in the cookie is set to zero, that is, "uin=3" is normalized to "uin=0". It should be noted that if the cookie information in the flow to be processed does not include the first parameter, vacancy processing is applied to the flow to be processed.
S205, acquiring a uniform resource locator in the traffic to be processed, and performing normalization processing on the uniform resource locator to generate a normalized uniform resource locator;
Specifically, the data processing device obtains the uniform resource locator in the traffic to be processed and normalizes it to generate a normalized uniform resource locator. It can be understood that the access methods in the traffic include the GET method and the POST method.
If the access method of the traffic to be processed is the GET method, a second parameter in the uniform resource locator of the traffic to be processed is determined, the second parameter value corresponding to the second parameter is extracted, the second parameter and the second parameter value are stored in the parameter list, and the second parameter value in the uniform resource locator is set to zero to generate a normalized uniform resource locator. Specifically, the second parameter in the uniform resource locator may be extracted through a parameter assignment character, which may be an equal sign "=" or a colon ":". When the access method of the traffic to be processed is the GET method, the parameter assignment character is "=". For example, the uniform resource locator in the traffic to be processed is ".qq.com/api?sweet=1&lan_ip=10.1.1.1". The data processing device detects each "=" in the uniform resource locator; the left side of "=" is the second parameter and the right side of "=" is the second parameter value corresponding to the second parameter. That is, the second parameters in the traffic to be processed are "sweet" and "lan_ip", the parameter value of the second parameter "sweet" is 1, and the parameter value of the second parameter "lan_ip" is 10.1.1.1. The second parameter values are extracted, the second parameters and the second parameter values are stored in the parameter list, and the second parameter values in the uniform resource locator are set to zero; that is, the domain name and the parameters are kept unchanged, the parameter values are all changed into 0, and the normalized uniform resource locator is' qq.
If the access method of the traffic to be processed is the POST method, a third parameter in the uniform resource locator of the traffic to be processed and a POST parameter in the traffic to be processed are determined, the third parameter value corresponding to the third parameter and the POST parameter value corresponding to the POST parameter are extracted, the third parameter, the third parameter value, the POST parameter and the POST parameter value are stored in the parameter list, and the third parameter value and the POST parameter value in the uniform resource locator are set to zero to generate a normalized uniform resource locator and a normalized POST parameter. The extraction of the third parameter in the POST method is the same as the extraction of the second parameter in the GET method, and the third parameter and the POST parameter are extracted through the parameter assignment character; specifically, when the access method of the traffic to be processed is the POST method, the parameter assignment character is ":". For example, the POST data of the POST method in the traffic to be processed is {"a": 3}. The data processing device detects ":"; the left side of ":" is the POST parameter and the right side of ":" is the POST parameter value corresponding to the POST parameter. That is, the POST parameter in the traffic to be processed is "a" and the parameter value of the POST parameter "a" is 3. The POST parameter value is set to zero, that is, the normalized POST data is {"a": 0}.
The data processing device traverses all the flows in the target traffic, taking each flow in turn as the flow to be processed. It normalizes the cookie information and the uniform resource locator in the flow to be processed to generate normalized cookie information and a normalized uniform resource locator, and determines the normalized cookie information and the normalized uniform resource locator corresponding to the flow to be processed as the normalized flow to be processed. When all the flows in the target traffic have been taken as the flow to be processed, all the normalized flows to be processed are determined as the normalized target traffic.
S206, analyzing the behavior characteristics of the target user according to the normalized target flow, and determining the enumeration vulnerability state of the target user according to the behavior characteristics;
Specifically, the data processing device divides the normalized target traffic into one or at least two sets to be detected according to the normalized uniform resource locator, the normalized cookie and the normalized POST parameter. The normalized target traffic includes one or at least two normalized flows, and flows whose normalized uniform resource locator, normalized cookie and normalized POST parameter are the same are divided into the same set to be detected, so that the normalized uniform resource locator, the normalized cookie and the normalized POST parameter within each set to be detected are the same. It should be noted that if the access method of the target traffic is the GET method, no POST parameter exists in the set to be detected.
A parameter list corresponding to the normalized target traffic in each set to be detected is obtained. The parameter list stores the parameters in the target traffic and the parameter values corresponding to the parameters; the parameters include the first parameter, the second parameter, the third parameter and the POST parameter. The number of non-repeated changes of the parameter value of each parameter in the parameter list (the number of distinct values the parameter takes) is detected, and the largest number of changes among the parameters in the parameter list is taken as the number of changes of the set to be detected. When the number of changes of any set to be detected is smaller than a number threshold, the target user does not have an enumeration vulnerability; when the number of changes of any set to be detected is greater than or equal to the number threshold, the target user has an enumeration vulnerability. The number threshold can be preset.
For example, if the target traffic of the target user is ".qq.com/api?sweet=1&lan_ip=10.1.1.1", the normalized target traffic after normalization is ".qq.com/api?sweet=0&lan_ip=0". The set to be detected corresponding to this normalized target traffic is obtained (it is one of the one or at least two sets to be detected), the parameters "sweet" and "lan_ip" and their corresponding parameter values are obtained from the parameter list corresponding to the target traffic, and the number of non-repeated changes of the parameter values of "sweet" and "lan_ip" in the parameter list is detected. If the extracted parameter values show that "sweet" has 10 non-repeated values and "lan_ip" has only 1 value, the number of changes of the parameter "sweet" is 10 and the number of changes of the parameter "lan_ip" is 1. If the number of changes of the parameter "sweet" is greater than the number threshold, it can be known that the target user has enumeration for the lan_ip field.
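Steps S204 to S206 can be sketched as follows. This is an added example, not code from the patent: the flow dictionaries, the host shop.example, the parameter order_id, the threshold value 10 and the choice to leave a cookie without uin empty are assumptions, while uin, lan_ip and the {"a": 3} body come from the page's own examples.

```python
import json
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

IDENTITY_COOKIE_PARAM = "uin"  # "first parameter" in the page's cookie example
NUMBER_THRESHOLD = 10          # assumed; the page only says the threshold is preset


def normalize_cookie(cookie_header, params):
    """Zero the identity parameter and record its real value in params."""
    fields, found = [], False
    for field in filter(None, (f.strip() for f in cookie_header.split(";"))):
        name, _, value = field.partition("=")
        if name == IDENTITY_COOKIE_PARAM:
            params.append(("cookie:" + name, value))
            value, found = "0", True
        fields.append(f"{name}={value}")
    # Assumption: a cookie without the identity parameter is left empty.
    return "; ".join(fields) if found else ""


def normalize_url(url, params):
    """Keep host, path and parameter names; set every query value to 0."""
    parts = urlsplit(url if "//" in url else "//" + url)
    zeroed = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        params.append(("url:" + name, value))
        zeroed.append(f"{name}=0")
    return parts.netloc + parts.path + ("?" + "&".join(zeroed) if zeroed else "")


def normalize_post(body, params):
    """Zero every value of a flat JSON POST body such as {"a": 3}."""
    try:
        data = json.loads(body)
    except ValueError:
        return body  # not JSON: keep the body as an opaque grouping key
    if not isinstance(data, dict):
        return body
    for name, value in data.items():
        params.append(("post:" + name, str(value)))
    return json.dumps({name: 0 for name in data}, sort_keys=True)


def detect_enumeration(flows, threshold=NUMBER_THRESHOLD):
    """Return {user: [(normalized_url, parameter, distinct_value_count), ...]}."""
    # user -> set to be detected (normalized flow) -> parameter -> distinct values
    seen = defaultdict(lambda: defaultdict(lambda: defaultdict(set)))
    for flow in flows:
        params = []  # the per-flow parameter list of (name, original value)
        is_post = flow["method"] == "POST"
        key = (
            flow["method"],
            normalize_url(flow["url"], params),
            normalize_cookie(flow.get("cookie", ""), params),
            normalize_post(flow.get("body", ""), params) if is_post else "",
        )
        for name, value in params:
            seen[flow["user"]][key][name].add(value)
    findings = defaultdict(list)
    for user, groups in seen.items():
        for key, values in groups.items():
            # Change count of a set = largest distinct-value count of any parameter.
            name, distinct = max(values.items(), key=lambda kv: len(kv[1]))
            if len(distinct) >= threshold:
                findings[user].append((key[1], name, len(distinct)))
    return dict(findings)


def sample_flows():
    """Constructed traffic: 10.0.0.5 walks order_id 1..12, 10.0.0.9 does not."""
    flows = [
        {"user": "10.0.0.5", "method": "GET", "cookie": "uin=3",
         "url": f"shop.example/api?order_id={i}&lan_ip=10.1.1.1"}
        for i in range(1, 13)
    ]
    flows += [
        {"user": "10.0.0.9", "method": "GET", "cookie": "uin=7",
         "url": "shop.example/api?order_id=44&lan_ip=10.1.1.2"}
        for _ in range(12)
    ]
    flows += [
        {"user": "10.0.0.9", "method": "POST", "cookie": "uin=7",
         "url": "shop.example/profile", "body": json.dumps({"a": i % 3})}
        for i in range(12)
    ]
    return flows


if __name__ == "__main__":
    for user, hits in detect_enumeration(sample_flows()).items():
        for url, name, count in hits:
            print(f"ALERT {user}: {name} took {count} distinct values on {url}")
```

Request volume alone does not trigger a finding: 10.0.0.9 sends twice as many requests as 10.0.0.5 but never reaches the threshold, because the count is taken over distinct values per parameter within one normalized request shape.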
And S207, when the enumeration vulnerability exists in the target user, sending alarm information to the target user to prompt the target user to perform enumeration vulnerability interception.
Specifically, the enumeration vulnerability state is either that an enumeration vulnerability exists or that no enumeration vulnerability exists. When it is detected that the target user has an enumeration vulnerability, the data processing device may send alarm information to the target user to prompt the target user to intercept the enumeration vulnerability; the user may adopt measures such as blocking or access restriction, and the alarm prompt may specifically be a voice prompt or a text pop-up prompt.
In the embodiment of the application, a traffic sequence in a target link is obtained, a target traffic for a target user is obtained according to the traffic sequence, each traffic in the target traffic is normalized to generate a normalized target traffic, behavior characteristics of the target user are further analyzed according to the normalized target traffic, and finally, an enumeration vulnerability state of the target user is determined according to the behavior characteristics. By analyzing the flow in the target link, whether the target user has enumeration bugs or not can be determined, the batch leakage of sensitive information is prevented, meanwhile, the enumeration bug detection is not specific to a specific enumeration type, the coverage rate of the enumeration bug detection is improved, and the data security is improved.
Referring to fig. 5, a schematic structural diagram of a data processing apparatus is provided in an embodiment of the present application. The data processing device may be a computer program (comprising program code) running on a computer device, e.g. an application software; the device can be used for executing the corresponding steps in the method provided by the embodiment of the application. As shown in fig. 5, the data processing apparatus 1 according to the embodiment of the present application may include: a flow acquiring unit 11, a flow processing unit 12 and a behavior analyzing unit 13.
A traffic acquiring unit 11, configured to acquire a traffic sequence in a target link, and acquire a target traffic for a target user according to the traffic sequence, where the traffic sequence includes at least two traffics, the target traffic belongs to the traffic sequence, and the target traffic includes at least two traffics;
a flow processing unit 12, configured to perform normalization processing on each flow in the target flows to generate normalized target flows;
and the behavior analysis unit 13 is configured to analyze the behavior characteristics of the target user according to the normalized target traffic, and determine an enumerated vulnerability state of the target user according to the behavior characteristics.
Referring to fig. 5, the data processing apparatus 1 according to the embodiment of the present application may further include: a priority determination unit 14.
A priority determining unit 14, configured to extract response information of each traffic in a traffic sequence of a target link, and determine an information type of the response information;
and determining the sensitivity degree of the flow corresponding to one user or each of at least two users according to the information type and the flow quantity of the response information, and determining a target user from one user or at least two users according to the priority of the sensitivity degree.
The flow acquiring unit 11 is specifically configured to:
determining a time threshold corresponding to the flow sequence, determining a target time period according to the time threshold and the current time, and acquiring the flow sequence in the target time period from a target link;
acquiring a user identifier of each flow in the flow sequence, and dividing the flows with the same user identifier into a flow set corresponding to the user identifier;
obtaining a target user identifier corresponding to a target user, obtaining a target flow set corresponding to the target user identifier, and determining the flows in the target flow set as the target flow of the target user.
Referring to fig. 5, the traffic processing unit 12 according to the embodiment of the present application may include: a flow acquiring subunit 121 to be processed, a first normalization processing subunit 122, and a second normalization processing subunit 123.
A to-be-processed flow obtaining subunit 121, configured to obtain a to-be-processed flow in the target flows, where the to-be-processed flow is any one of the target flows; each flow comprises cookie information and a uniform resource locator;
a first normalization processing subunit 122, configured to obtain cookie information in the flow to be processed, and perform normalization processing on the cookie information to generate normalized cookie information;
a second normalization processing subunit 123, configured to obtain a uniform resource locator in the traffic to be processed, and perform normalization processing on the uniform resource locator to generate a normalized uniform resource locator;
determining the normalized cookie information and the normalized uniform resource locator as normalized traffic to be processed;
and when all the target flows are determined as the flows to be processed, determining all the normalized flows to be processed as the normalized target flows.
The first normalization processing subunit 122 is specifically configured to:
determining a first parameter in a cookie in the flow to be processed, extracting a first parameter value corresponding to the first parameter, and storing the first parameter and the first parameter value in a parameter list; the first parameter is used for identifying personal identity information of the target user;
and zeroing the first parameter value in the cookie information to generate normalized cookie information.
The second normalization processing subunit 123 is specifically configured to:
if the access method of the traffic to be processed is a GET method, determining a second parameter in a uniform resource locator in the traffic to be processed, extracting a second parameter value corresponding to the second parameter, and storing the second parameter and the second parameter value in a parameter list;
zeroing a second parameter value in the uniform resource locator to generate a normalized uniform resource locator;
if the access method of the traffic to be processed is a POST method, determining a third parameter in a uniform resource locator in the traffic to be processed and a POST parameter in the traffic to be processed, extracting a third parameter value corresponding to the third parameter and a POST parameter value corresponding to the POST parameter, and storing the third parameter and the third parameter value, the POST parameter and the POST parameter value into a parameter list;
and setting zero to the third parameter value and the POST parameter value in the uniform resource locator to generate a normalized uniform resource locator and a normalized POST parameter.
The behavior analysis unit 13 is specifically configured to:
dividing the normalized target flow into one or at least two sets to be detected; the normalized target flow in each set to be detected is the same;
acquiring a parameter list corresponding to the normalized target flow in each set to be detected; the parameter list is used for storing parameters in the target flow and parameter values corresponding to the parameters;
detecting the number of non-repeated changes of the parameter value of each parameter in the parameter list, and taking the largest number of changes among the parameters in the parameter list as the number of changes of the set to be detected;
when the number of changes of any set to be detected is smaller than the number threshold, the target user does not have an enumeration vulnerability, and when the number of changes of any set to be detected is greater than or equal to the number threshold, the target user has an enumeration vulnerability.
Referring to fig. 5, the data processing apparatus 1 according to the embodiment of the present application may further include an alarm unit 15.
The enumeration vulnerability state comprises existence of enumeration vulnerability and nonexistence of enumeration vulnerability;
and the warning unit 15 is configured to send warning information to the target user when the target user has an enumeration vulnerability, so as to prompt the target user to perform enumeration vulnerability interception.
In the embodiment of the application, a traffic sequence in a target link is obtained, a target traffic for a target user is obtained according to the traffic sequence, each traffic in the target traffic is normalized to generate a normalized target traffic, behavior characteristics of the target user are further analyzed according to the normalized target traffic, and finally, an enumeration vulnerability state of the target user is determined according to the behavior characteristics. By analyzing the flow in the target link, whether the target user has enumeration bugs or not can be determined, the batch leakage of sensitive information is prevented, meanwhile, the enumeration bug detection is not specific to a specific enumeration type, the coverage rate of the enumeration bug detection is improved, and the data security is improved.
Referring to fig. 6, a schematic structural diagram of a computer device is provided in an embodiment of the present application. As shown in fig. 6, the computer apparatus 1000 may include: at least one processor 1001, such as a CPU, at least one network interface 1004, a user interface 1003, memory 1005, at least one communication bus 1002. Wherein a communication bus 1002 is used to enable connective communication between these components. The user interface 1003 may include a Display screen (Display), and the optional user interface 1003 may also include a standard wired interface or a wireless interface. The network interface 1004 may optionally include a standard wired interface, a wireless interface (e.g., WI-FI interface). The Memory 1005 may be a Random Access Memory (RAM) or a non-volatile Memory (NVM), such as at least one disk Memory. The memory 1005 may optionally be at least one memory device located remotely from the processor 1001. As shown in fig. 6, the memory 1005, which is a kind of computer storage medium, may include therein an operating system, a network communication module, a user interface module, and a data processing application program.
In the computer apparatus 1000 shown in fig. 6, a network interface 1004 may provide a network communication function, and a user interface 1003 is mainly used as an interface for providing input for a user; the processor 1001 may be configured to call a data processing application stored in the memory 1005, so as to implement the description of the data processing method in the embodiment corresponding to any one of fig. 2 to fig. 4, which is not described herein again.
It should be understood that the computer device 1000 described in this embodiment of the present application may perform the description of the data processing method in the embodiment corresponding to any one of fig. 2 to fig. 4, and may also perform the description of the data processing device in the embodiment corresponding to fig. 5, which is not described herein again. In addition, the beneficial effects of the same method are not described in detail.
Furthermore, it should be noted that an embodiment of the present application further provides a computer-readable storage medium. The computer-readable storage medium stores the computer program executed by the aforementioned data processing apparatus, and the computer program includes program instructions; when the processor executes the program instructions, the data processing method described in any one of the embodiments corresponding to fig. 2 to fig. 4 can be performed, so details are not repeated here. In addition, the beneficial effects of the same method are not described in detail. For technical details not disclosed in the embodiments of the computer-readable storage medium referred to in the present application, reference is made to the description of the method embodiments of the present application. As an example, program instructions may be deployed to be executed on one computing device, or on multiple computing devices at one site, or on multiple computing devices distributed across multiple sites and interconnected by a communication network, which may comprise a blockchain system.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, an NVM or a RAM.
The above disclosure is only for the purpose of illustrating the preferred embodiments of the present application and should not be taken as limiting the scope of the present application, so that the present application will be covered by the appended claims.

Claims (10)

1. A data processing method, comprising:
acquiring a flow sequence in a target link, and acquiring a target flow for a target user according to the flow sequence, wherein the flow sequence comprises at least two flows, the target flow belongs to the flow sequence, and the target flow comprises at least two flows;
carrying out normalization processing on each flow in the target flows to generate normalized target flows;
and analyzing the behavior characteristics of the target user according to the normalized target flow, and determining the enumeration vulnerability state of the target user according to the behavior characteristics.
2. The method of claim 1, wherein the data processing method further comprises:
extracting response information of each flow in a flow sequence of a target link, and determining the information type of the response information;
and determining the sensitivity degree of the flow corresponding to one user or each of at least two users according to the information type and the flow quantity of the response information, and determining a target user from one user or at least two users according to the priority of the sensitivity degree.
3. The method of claim 1, wherein the obtaining a traffic sequence in a target link, and obtaining a target traffic for a target user according to the traffic sequence comprises:
determining a time threshold corresponding to the flow sequence, determining a target time period according to the time threshold and the current time, and acquiring the flow sequence in the target time period from a target link;
acquiring a user identifier of each flow in the flow sequence, and dividing the flows with the same user identifier into a flow set corresponding to the user identifier;
obtaining a target user identifier corresponding to a target user, obtaining a target flow set corresponding to the target user identifier, and determining the flows in the target flow set as the target flow of the target user.
4. The method of claim 1, wherein the normalizing each of the target traffic volumes to generate a normalized target traffic volume comprises:
acquiring to-be-processed flow in the target flow, wherein the to-be-processed flow is any one of the target flows; each flow comprises cookie information and a uniform resource locator;
acquiring cookie information in the flow to be processed, and carrying out normalization processing on the cookie information to generate normalized cookie information;
acquiring a uniform resource locator in the traffic to be processed, and performing normalization processing on the uniform resource locator to generate a normalized uniform resource locator;
determining the normalized cookie information and the normalized uniform resource locator as normalized traffic to be processed;
and when all the target flows are determined as the flows to be processed, determining all the normalized flows to be processed as the normalized target flows.
5. The method of claim 4, wherein the obtaining cookie information in the traffic to be processed and normalizing the cookie information to generate normalized cookie information comprises:
determining a first parameter in a cookie in the flow to be processed, extracting a first parameter value corresponding to the first parameter, and storing the first parameter and the first parameter value in a parameter list; the first parameter is used for identifying personal identity information of the target user;
and zeroing the first parameter value in the cookie information to generate normalized cookie information.
6. The method according to claim 4, wherein the obtaining the uniform resource locator in the traffic to be processed, performing normalization processing on the uniform resource locator, and generating a normalized uniform resource locator comprises:
if the access method of the traffic to be processed is a GET method, determining a second parameter in a uniform resource locator in the traffic to be processed, extracting a second parameter value corresponding to the second parameter, and storing the second parameter and the second parameter value in a parameter list;
zeroing a second parameter value in the uniform resource locator to generate a normalized uniform resource locator;
if the access method of the traffic to be processed is a POST method, determining a third parameter in a uniform resource locator in the traffic to be processed and a POST parameter in the traffic to be processed, extracting a third parameter value corresponding to the third parameter and a POST parameter value corresponding to the POST parameter, and storing the third parameter and the third parameter value, the POST parameter and the POST parameter value into a parameter list;
and setting zero to the third parameter value and the POST parameter value in the uniform resource locator to generate a normalized uniform resource locator and a normalized POST parameter.
7. The method according to claim 1, wherein the analyzing the behavior feature of the target user according to the normalized target traffic and determining an enumeration vulnerability state of the target user according to the behavior feature comprises:
dividing the normalized target flow into one or at least two sets to be detected; the normalized target flow in each set to be detected is the same;
acquiring a parameter list corresponding to the normalized target flow in each set to be detected; the parameter list is used for storing parameters in the target flow and parameter values corresponding to the parameters;
detecting the number of non-repeated changes of the parameter value of each parameter in the parameter list, and taking the largest number of changes among the parameters in the detection list as the number of changes of the set to be detected;
when the number of changes of any set to be detected is smaller than the number threshold, the target user does not have an enumeration vulnerability, and when the number of changes of any set to be detected is greater than or equal to the number threshold, the target user has an enumeration vulnerability.
8. The method of claim 1, wherein the data processing method further comprises:
the enumeration vulnerability state comprises existence of enumeration vulnerability and nonexistence of enumeration vulnerability;
and when the target user has the enumeration vulnerability, sending alarm information to the target user to prompt the target user to perform enumeration vulnerability interception.
9. A data processing apparatus, characterized by comprising:
a traffic acquiring unit, configured to acquire a traffic sequence in a target link, and acquire a target traffic for a target user according to the traffic sequence, where the traffic sequence includes at least two traffics, the target traffic belongs to the traffic sequence, and the target traffic includes at least two traffics;
the flow processing unit is used for carrying out normalization processing on each flow in the target flow to generate normalized target flow;
and the behavior analysis unit is used for analyzing the behavior characteristics of the target user according to the normalized target flow and determining the enumeration vulnerability state of the target user according to the behavior characteristics.
10. A computer-readable storage medium, characterized in that the computer storage medium stores a computer program comprising program instructions which, when executed by a processor, perform the method according to any of claims 1-8.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011406579.3A CN114611108A (en) 2020-12-04 2020-12-04 Data processing method and storage medium

Publications (1)

Publication Number Publication Date
CN114611108A true CN114611108A (en) 2022-06-10

Family

ID=81856330

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011406579.3A Pending CN114611108A (en) 2020-12-04 2020-12-04 Data processing method and storage medium

Country Status (1)

Country Link
CN (1) CN114611108A (en)

Similar Documents

Publication Publication Date Title
CN112417439B (en) Account detection method, device, server and storage medium
US10721245B2 (en) Method and device for automatically verifying security event
US10904286B1 (en) Detection of phishing attacks using similarity analysis
CN110417778B (en) Access request processing method and device
CN109586282B (en) Power grid unknown threat detection system and method
CN111400357A (en) Method and device for identifying abnormal login
CN109547426B (en) Service response method and server
CN102984161A (en) Identification method and device for reliable website
CN113014549A (en) HTTP-based malicious traffic classification method and related equipment
CN110135162A (en) The recognition methods of the back door WEBSHELL, device, equipment and storage medium
CN111611519A (en) Method and device for detecting personal abnormal behaviors
CN110955890B (en) Method and device for detecting malicious batch access behaviors and computer storage medium
CN113364784B (en) Detection parameter generation method and device, electronic equipment and storage medium
CN108804501B (en) Method and device for detecting effective information
CN111314326B (en) Method, device, equipment and medium for confirming HTTP vulnerability scanning host
CN113765850B (en) Internet of things abnormality detection method and device, computing equipment and computer storage medium
CN102984162A (en) Identifying method and collecting system for credible websites
CN112685255A (en) Interface monitoring method and device, electronic equipment and storage medium
CN110691090B (en) Website detection method, device, equipment and storage medium
CN116738369A (en) Traffic data classification method, device, equipment and storage medium
CN115314322A (en) Vulnerability detection confirmation method, device, equipment and storage medium based on flow
CN115643044A (en) Data processing method, device, server and storage medium
CN114611108A (en) Data processing method and storage medium
CN104363256B (en) A kind of identification and control method, equipment and system of mobile phone viruses
CN112948831A (en) Application program risk identification method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination