CN114679320A - Server protection method and device and readable storage medium - Google Patents


Info

Publication number
CN114679320A
Authority
CN
China
Prior art keywords
access request
server
access
learning model
daily
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210318399.2A
Other languages
Chinese (zh)
Inventor
李祯
吴磊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
DBAPPSecurity Co Ltd
Original Assignee
DBAPPSecurity Co Ltd
Application filed by DBAPPSecurity Co Ltd
Priority to CN202210318399.2A
Publication of CN114679320A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses a server protection method and device and a readable storage medium, and relates to the technical field of information. The server protection method provided by the application establishes a learning model, uses it to obtain the characteristic values of request information, and judges whether the request information meets the standard according to whether those characteristic values fall within the characteristic value ranges that the learning model records for daily request information, thereby achieving the protection effect. Compared with existing server protection methods based on a feature library, the method provided by the application audits and protects request information by establishing a learning model, so the characteristics of request information do not need to be recorded. When a request comes from a brand-new IP address or an unregistered user, current protection methods cannot protect effectively because no record exists; in the application, whether the request information is attack information can be judged from the model data, and the attack information is intercepted, so the protection function is enhanced and the security performance is higher.

Description

Server protection method and device and readable storage medium
Technical Field
The present application relates to the field of information technologies, and in particular, to a server protection method and apparatus, and a readable storage medium.
Background
In recent years, with the popularization of the internet and the development of information technology, information security in the big data era has become one of the prominent problems in information technology. The common defense method of current Web Application Firewalls (WAF) judges the compliance of the data source in request information by checking the feature information carried by vulnerability scanning software against a feature library. A hardware WAF maintains a feature library dedicated to continuously recording and updating the features of attack information.
The existing WAF distinguishes whether the current access behavior is vulnerability scanning through the feature library. Once a vulnerability-scan request carries features padded with junk characters, or features that do not exist in the feature library, the WAF cannot identify it; the scanning behavior then bypasses the WAF and reaches the site server at the back end, so the server may be attacked and suffer loss. The defense performance is therefore poor and the security is low.
Therefore, finding a server protection method with higher security performance and more reliability is an urgent problem to be solved by those skilled in the art.
Disclosure of Invention
The application aims to provide a server protection method so as to solve the problem that current server protection methods cannot defend against attack information that is not in the feature library or has been padded.
In order to solve the above technical problem, the present application provides a server protection method, including:
receiving an access request sent by a target object;
judging whether a learning model is established in the server, wherein the learning model is a model established from the daily access requests acquired while the server carries out daily business and the characteristic values corresponding to those daily access requests;
if the learning model is established, acquiring a characteristic value of the access request according to the learning model, and comparing the characteristic value of the access request with the characteristic value of the daily access request to judge whether the access request is safe or not;
if the access request is determined to be unsafe, intercepting the access request;
and if the learning model is not established, establishing a corresponding temporary model according to the feedback information of the access request.
Preferably, the establishing of the learning model comprises the following steps:
when the server carries out daily business, collecting the characteristic values of the daily access requests in the server, wherein the characteristic values comprise the number of accesses in each preset time period, the number of access requests for which the server generates a response code of 404, the proportion of access requests with response code 404 among the total access requests, and the size of the response packet;
generating in the learning model, from the median, maximum value and minimum value of each item of data acquired in each preset time period, a standard range for the number of accesses in the preset time period, a standard range for the number of access requests for which the server generates a response code of 404, a standard range for the proportion of access requests with response code 404 among the total access requests, and a standard range for the size of the response packet.
Preferably, the obtaining the characteristic value of the access request according to the learning model, and comparing the characteristic value of the access request with the characteristic value of the daily access request to determine whether the access request is safe includes:
acquiring the number of accesses of the access request in the preset time period, the number of access requests for which the server generates a response code of 404, the proportion of access requests with response code 404 among the total access requests, and the size of the response packet;
respectively judging whether the number of accesses of the access request in the preset time period, the number of access requests with response code 404 generated by the server, the proportion of access requests with response code 404 among the total access requests, and the size of the response packet each fall within the corresponding standard range of the daily access requests recorded in the learning model;
if so, determining that the access request is safe;
if not, determining that the access request is not safe.
Preferably, before the determining whether the learning model is established in the server, the method further includes:
judging whether the server is a monitorable server or not;
if yes, the step of judging whether the learning model is established in the server is carried out.
Preferably, after respectively judging whether the number of accesses of the access request in the preset time period, the number of access requests with response code 404 generated by the server, the proportion of access requests with response code 404 among the total access requests, and the size of the response packet each fall within the corresponding standard range of the daily access requests recorded in the learning model, the method further includes:
correspondingly modifying the learning model according to the acquired number of accesses of the access request within the preset time period, the number of access requests for which the server generates a response code of 404, the proportion of access requests with response code 404 among the total access requests, the size of the response packet, and the judgment result.
Preferably, the method further comprises:
and when the access request is determined to be safe, sending the access request to the server and carrying out normal service processing.
Preferably, after receiving the access request sent by the target object, the method further includes:
recording the IP address of the access request;
and after the access request is determined to be unsafe, blacklisting the IP address.
In order to solve the above problem, the present application further provides a server protection device, including:
the receiving module is used for receiving an access request sent by a target object;
the judging module is used for judging whether a learning model is established in the server, the learning model being a model established from the daily access requests acquired while the server performs daily business and the characteristic values corresponding to those daily access requests;
the acquisition module is used for acquiring the characteristic value of the access request according to the learning model, comparing the characteristic value of the access request with the characteristic value of the daily access request, judging whether the access request is safe or not, and if the access request is judged to be unsafe, starting the interception module;
the intercepting module is used for intercepting the access request;
and the establishing module is used for establishing a corresponding temporary model according to the feedback information of the access request.
In order to solve the above problem, the present application further provides a server protection device, including a memory for storing a computer program;
a processor for implementing the steps of the server protection method as described above when executing the computer program.
To solve the above problem, the present application further provides a computer-readable storage medium, on which a computer program is stored, and the computer program, when executed by a processor, implements the steps of the server protection method as described above.
The server protection method provided by the application establishes a learning model, uses it to obtain the characteristic values of request information, and judges whether the request information meets the standard according to whether those characteristic values fall within the characteristic value ranges that the learning model records for daily request information, thereby achieving the protection effect. For a server that has not established a learning model, a learning model is established from the feedback information of the request information, and the corresponding information processing is then performed according to that model. Compared with existing server protection methods based on a feature library, the method provided by the application audits and protects request information by establishing a learning model, so the characteristics of request information do not need to be recorded. When a request comes from a brand-new IP address or an unrecorded user, current protection methods cannot protect effectively because no record exists; in the application, whether the request information is attack information can be judged from the model data, and the attack information is intercepted, so the protection function is enhanced and the security performance is higher.
The server protection device and the computer readable storage medium provided by the application correspond to the server protection method, and the beneficial effects are as above.
Drawings
In order to more clearly illustrate the embodiments of the present application, the drawings needed for the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings can be obtained by those skilled in the art without inventive effort.
Fig. 1 is a flowchart of a server protection method according to an embodiment of the present application;
fig. 2 is a schematic diagram of a server protection device according to an embodiment of the present application;
fig. 3 is a block diagram of a server protection device according to another embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all the embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the present application without any creative effort belong to the protection scope of the present application.
The core of the application is to provide a server protection method so as to solve the problem that current server protection methods cannot defend against attack information that is not in the feature library or has been padded.
A WAF is a product that protects Web applications specifically by enforcing a series of security policies on HTTP/HTTPS traffic. The server protection method provided by the application is still implemented on the basis of a WAF; its core idea is to use a learning model to reduce the risk to the server.
In order that those skilled in the art will better understand the disclosure, the following detailed description will be given with reference to the accompanying drawings.
Fig. 1 is a flowchart of a server protection method provided in an embodiment of the present application, and as shown in fig. 1, the method includes:
s11: receiving an access request sent by a target object;
It should be noted that in this embodiment the target object is the user side that sends the access request, that is, a personal host. The personal host initiates access to the server through the internet, and the access is a piece of request information. The specific content of the access request is not limited in this embodiment: for example, the access request may carry an attachment, or there may be multiple access requests.
S12: judging whether a learning model is established in the server, if so, entering S13, and if not, entering S15;
It should be noted that the learning model is a model established from the daily access requests collected while the server performs daily business and the characteristic values corresponding to those requests. In this embodiment, the learning model refers to a model established by monitoring daily data in the server through the learning capability of the hardware, so that the data in access requests corresponding to the daily data can be collected according to the model. The specific content and establishment process of the learning model are not limited in this embodiment. It can be understood that one or more items corresponding to the characteristic values of the daily access requests, that is, normal server operating data in the daily access requests, may be selected as characteristic values, for example the number of access requests received per unit time, or the size of the data packet corresponding to a single access request. Because the data itself fluctuates, the daily access request data described by the learning model is generally a range; this is not particularly limited in this embodiment, and the characteristic values may vary to a certain extent depending on the server.
Whether a learning model is established in the server is generally determined by querying the firewall application of the server; this bears little relation to the inventive point of the application and is not described again here.
S13: obtaining a characteristic value of the access request according to the learning model, comparing the characteristic value of the access request with a characteristic value of a daily access request, judging whether the access request is safe or not, and entering S14 if the access request is unsafe;
It should be noted that the characteristic value of the access request, that is, the preset data corresponding to the current access request acquired according to the correspondence between request and characteristic value in the learning model, is not specifically limited in this embodiment. It can be understood that when the characteristic value of the access request is the same as the characteristic value of the daily access requests, or, as stated above for the general learning model in which the daily access requests are described by a characteristic value range, when the characteristic value of the access request falls within that range, the access request is determined to be normal; if the characteristic value of the access request is not within the range, the access request is determined to be abnormal.
S14: intercepting an access request;
After the access request is determined to be abnormal, it is intercepted so that the server is not damaged. The specific interception manner, the processing after interception, and the like are not specifically limited in this embodiment.
S15: and establishing a corresponding temporary model according to the feedback information of the access request.
It should be noted that when the server has not yet established a learning model, a temporary model can generally be established from the feedback information of the current access request. The temporary model plays the same role as the learning model, but because it is not established from daily business data, the data in the temporary model is based only on the current access request. The feedback information in this embodiment is understood as the characteristic values corresponding to this embodiment. The temporary model may use the same algorithm as the learning model; or, since it is temporary rather than formal, a different algorithm may be adopted in view of its temporary and immediate nature, which is not specifically limited here.
In the above embodiment, specific contents and an establishment method of the learning model are not limited, and a preferred scheme is proposed herein, where the establishment of the learning model includes the following steps:
when the server carries out daily business, collecting the characteristic values of the daily access requests in the server, wherein the characteristic values comprise the number of accesses in each preset time period, the number of access requests for which the server generates a response code of 404, the proportion of access requests with response code 404 among the total access requests, and the size of the response packet;
and generating in the learning model, from the median, maximum value and minimum value of each item of data acquired in each preset time period, a standard range for the number of accesses in the preset time period, a standard range for the number of access requests for which the server generates a response code of 404, a standard range for the proportion of access requests with response code 404 among the total access requests, and a standard range for the size of the response packet.
It should be noted that most attack information uses multiple access attempts. When the user side accesses the server and sends a normal access request, the website response code obtained is 2xx or 3xx. If fabricated and irregular access requests are sent, most website response codes are 404, and most attack information is often accompanied by attack attachments carrying viruses. Therefore, this embodiment defines the number of accesses in each preset time period, the number of access requests for which the server generates a response code of 404, the proportion of access requests with response code 404 among the total access requests, and the size of the response packet, samples and models them, and checks the access requests against the standard using these four items of data.
Considering the client and the server: if an access request carries an attack instruction, multiple attacks are usually associated with it, so whether the access request is an attack request can be identified effectively from the number of accesses in the acquisition time period; when the access request carries a viral instruction, a fabricated access is usually sent, so the attack request can be identified effectively by obtaining the 404 codes; in consideration of the special situation where many normal requests arrive in a short time, the proportion of response-code-404 requests among the total is added to the characteristic values; and finally the response packet size of access requests carrying attack attachments is added to the characteristic values for modeling. These four items of data thus cover the situations in which an access request carries an attack instruction over a wider range, and the security and applicability of the server protection in the application are enhanced.
In the foregoing embodiment, how to establish the learning model is defined. Considering that the characteristic values of the access request are sampled according to the learning model, a preferred scheme is proposed here in which obtaining the characteristic value of the access request according to the learning model, comparing it with the characteristic value of the daily access requests, and determining whether the access request is safe includes:
acquiring the number of accesses of the access request in the preset time period, the number of access requests for which the server generates a response code of 404, the proportion of access requests with response code 404 among the total access requests, and the size of the response packet;
respectively judging whether the number of accesses of the access request in the preset time period, the number of access requests with response code 404 generated by the server, the proportion of access requests with response code 404 among the total access requests, and the size of the response packet each fall within the corresponding standard range of the daily access requests recorded in the learning model;
if so, determining that the access request is safe;
if not, the access request is determined to be unsafe.
It should be noted that the parameters of the access request collected in this embodiment are the same as the parameters in the learning model. Because the influence of the time period is considered, the time period over which the learning model collects an access request is the same as the time period over which the access request is collected in this embodiment; it can be understood that the time period starts when the access request is sent to the server, and this is not described again hereinafter.
According to the learning model established in the above embodiment, this embodiment samples and defines the access request using that specific learning model and collects the parameters in the learning model to determine whether the access request meets the criteria. A specific determination can therefore be made, from the number of requests, the response packets and the like, for an access request from a new address or an access request that has been packaged, thereby enhancing the security performance of the server.
Considering that a protective firewall is arranged in front of a server, that is, traffic passes through the firewall first and then enters the server, that the protective firewall is generally arranged at a certain internet node, and that one internet node comprises a plurality of servers, a preferred scheme is proposed in which, before judging whether a learning model is established in the server, the method further comprises the following steps:
judging whether the server is a monitorable server or not;
if yes, the step of judging whether the learning model is established in the server is carried out.
It can be understood that the monitorable server, that is, a server recorded in the firewall as needing protection, is generally embodied in the form of a network protocol, so a server not included in the node under the protection protocol is not protected. The above embodiment only gives the case where the server is a monitorable server; it can be understood that when the server is not a monitorable server, the auditing of the access request can end directly, that is, the whole procedure ends. The specific way of judging whether the server is a monitorable server is not limited in this embodiment, for example querying by domain name or screening by the protocol in the server.
By judging whether the server is a monitorable server or not, the workload of the whole protection system is reduced, and the protection system is prevented from wasting resources in a non-protection server.
Considering dynamic changes in the server and in information transmission, a preferred scheme is proposed here in which, after respectively judging whether the number of accesses of the access request in the preset time period, the number of access requests with response code 404 generated by the server, the proportion of access requests with response code 404 among the total access requests, and the size of the response packet each fall within the corresponding standard range of the daily access requests recorded in the learning model, the method further includes:
correspondingly modifying the learning model according to the acquired number of accesses of the access request within the preset time period, the number of access requests for which the server generates a response code of 404, the proportion of access requests with response code 404 among the total access requests, the size of the response packet, and the judgment result.
It can be understood that, because of the network protocol in the server, the network speed of the user, the user base of the server itself, and so on, the request information received in the server and the corresponding parameters in that request information change dynamically. When a new access request is judged to conform to the specification, the parameter ranges in the learning model can be dynamically modified according to the information of that request; and in consideration of security, the parameters in the learning model can be modified after the regular access requests are counted every other week or month, so that the purpose of dynamically adjusting the learning model is achieved.
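As an added example that is not part of the patent, the following Python sketch implements the learning model of the preferred scheme above (a standard range per characteristic value from the minimum, median and maximum of daily data), the S13/S14 check against those ranges, the IP blacklist, and the dynamic modification described in this section. The length of the preset time period, the constructed daily windows, the documentation-range IP addresses and the sliding-history update policy are all assumptions.

```python
"""Sketch of CN114679320A's learning-model check (added example, not the patent's code)."""
from collections import deque
from dataclasses import dataclass
from statistics import median
from typing import Deque, Dict, List, Optional, Set, Tuple

# The four characteristic values the patent samples per preset time period.
FEATURES = ("access_count", "count_404", "ratio_404", "response_size")
Range = Tuple[float, float, float]  # (minimum, median, maximum)


@dataclass(frozen=True)
class Window:
    """What one source did during one preset time period."""
    access_count: int     # access requests received in the period
    count_404: int        # of those, responses with status code 404
    response_size: int    # response packet size in bytes (assumed: largest in the period)

    def features(self) -> Dict[str, float]:
        ratio = self.count_404 / self.access_count if self.access_count else 0.0
        return {"access_count": float(self.access_count), "count_404": float(self.count_404),
                "ratio_404": ratio, "response_size": float(self.response_size)}


def standard_range(values: List[float]) -> Range:
    """The patent derives each standard range from the min, median and max of daily data."""
    return (min(values), median(values), max(values))


def build_model(daily: List[Window]) -> Dict[str, Range]:
    """Learning model: one standard range per feature, built from daily-business windows."""
    rows = [w.features() for w in daily]
    return {f: standard_range([r[f] for r in rows]) for f in FEATURES}


def out_of_range(model: Dict[str, Range], window: Window) -> List[str]:
    """Features outside [min, max] of the model; an empty list means the request is safe."""
    return [f for f, v in window.features().items()
            if not model[f][0] <= v <= model[f][2]]


class Guard:
    """Steps S12 to S15, the IP blacklist, and the periodic adjustment of the model."""

    def __init__(self, daily: List[Window], history: int = 7) -> None:
        # Assumption: the baseline is a sliding set of the most recent `history` windows,
        # so the ranges track drift; the patent only says the model is "modified".
        self.recent: Deque[Window] = deque(daily, maxlen=history)
        self.model: Optional[Dict[str, Range]] = build_model(list(self.recent)) if daily else None
        self.blacklist: Set[str] = set()

    def audit(self, ip: str, window: Window) -> str:
        """Return 'intercept' or 'forward' for the access request summarised by `window`."""
        if ip in self.blacklist:          # blacklisted IP: drop without re-evaluation (assumed)
            return "intercept"
        if self.model is None:            # S15: no learning model yet, seed a temporary model
            self.recent.append(window)
            self.model = build_model(list(self.recent))
            return "forward"              # assumption: the seeding request is forwarded
        if out_of_range(self.model, window):
            self.blacklist.add(ip)        # S14: intercept and blacklist the source IP
            return "intercept"
        self.recent.append(window)        # safe: feed the observation back into the model
        self.model = build_model(list(self.recent))
        return "forward"


# Constructed sample: seven daily windows of normal traffic from one source.
DAILY = [Window(40, 1, 2000), Window(55, 2, 2400), Window(48, 1, 1900), Window(60, 3, 2600),
         Window(52, 2, 2200), Window(45, 0, 2100), Window(58, 2, 2500)]

if __name__ == "__main__":
    guard = Guard(DAILY)
    # A scanner-like window: many requests, mostly 404, so three of four features are out of range.
    print(guard.audit("198.51.100.7", Window(900, 700, 2000)))   # intercept
    print(guard.audit("203.0.113.5", Window(50, 1, 2300)))       # forward
    print(guard.model["access_count"])                            # ranges drift after feedback
```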
In the above embodiment, only the subsequent processing when the access request is unsafe is defined; a preferred solution is proposed here in which the method further includes:
and when the access request is determined to be safe, the access request is sent to the server and normal service processing is carried out.
It can be understood that after the access request is determined to be safe, it is processed normally so as to improve the experience of the normal user; in consideration of that experience, the server protection method in the foregoing embodiment may be performed asynchronously.
In view of long-term protection against an attacking user, a preferred solution is proposed here in which, after receiving the access request sent by the target object, the method further comprises:
recording an IP address of the access request;
and after the access request is determined to be unsafe, blacklisting the IP address.
By recording the IP address of the access request and blacklisting it once the access request is detected to be an aggressive request, the same user cannot attack again subsequently, and the workload of the protection system is reduced.
In the foregoing embodiments, a server protection method is described in detail, and the present application also provides embodiments corresponding to a server protection device. It should be noted that the present application describes the embodiments of the apparatus portion from two perspectives, one from the perspective of the function module and the other from the perspective of the hardware.
Fig. 2 is a schematic diagram of a server protection device according to an embodiment of the present application, where the server protection device includes:
a receiving module 10, configured to receive an access request sent by a target object;
the judging module 11 is configured to judge whether a learning model has been established in the server, the learning model being a model established from the daily access requests acquired while the server carries out daily business and the feature values corresponding to those daily access requests; if the learning model has been established, the acquisition module is started, and if it has not, the establishing module is started;
the acquisition module 12 is configured to acquire a feature value of the access request according to the learning model, compare the feature value of the access request with a feature value of a daily access request, determine whether the access request is safe, and if the access request is determined to be unsafe, start the interception module;
an interception module 13, configured to intercept an access request;
and the establishing module 14 is used for establishing a corresponding temporary model according to the feedback information of the access request.
Since the embodiment of the apparatus portion and the embodiment of the method portion correspond to each other, reference is made to the description of the embodiment of the method portion for the embodiment of the apparatus portion and the corresponding advantageous effects, which are not repeated herein.
Fig. 3 is a structural diagram of a server protection device according to another embodiment of the present application; as shown in Fig. 3, the server protection device includes: a memory 20 for storing a computer program;
a processor 21 for implementing the steps of the server protection method of the above embodiments when executing the computer program.
The server protection device provided by the embodiment may include, but is not limited to, a smart phone, a tablet computer, a notebook computer, a desktop computer, or the like.
The processor 21 may include one or more processing cores, for example a 4-core or 8-core processor. The processor 21 may be implemented in at least one of the hardware forms Digital Signal Processor (DSP), Field-Programmable Gate Array (FPGA) and Programmable Logic Array (PLA). The processor 21 may also include a main processor and a coprocessor, where the main processor processes data in the awake state and is also called the Central Processing Unit (CPU), and the coprocessor is a low-power processor that processes data in the standby state. In some embodiments, the processor 21 may be integrated with a Graphics Processing Unit (GPU), which renders and draws the content to be shown on the display screen. In some embodiments, the processor 21 may further include an Artificial Intelligence (AI) processor for the computational operations involved in machine learning.
The memory 20 may include one or more computer-readable storage media, which may be non-transitory. The memory 20 may also include high-speed random access memory as well as non-volatile memory, such as one or more magnetic disk storage devices or flash memory storage devices. In this embodiment, the memory 20 is used at least for storing the following computer program 201, which, after being loaded and executed by the processor 21, implements the relevant steps of the server protection method disclosed in any of the foregoing embodiments. In addition, the resources stored in the memory 20 may also include an operating system 202, data 203 and the like, stored either transiently or permanently. The operating system 202 may include, among others, Windows, Unix or Linux. The data 203 may include, but is not limited to, the data involved in the server protection method described above.
In some embodiments, the server protection device may also include a display screen 22, an input-output interface 23, a communication interface 24, a power supply 25 and a communication bus 26.
Those skilled in the art will appreciate that the configuration shown in Fig. 3 does not limit the server protection device, which may include more or fewer components than those shown.
The server protection device provided by the embodiment of the application comprises a memory and a processor, and when the processor executes the program stored in the memory, the following method can be realized: the server protection method mentioned in the above embodiments.
Since the embodiment of the apparatus portion and the embodiment of the method portion correspond to each other, reference is made to the description of the embodiment of the method portion for the embodiment of the apparatus portion and the corresponding advantageous effects, which are not repeated herein.
Finally, the application also provides a corresponding embodiment of the computer readable storage medium. The computer-readable storage medium has stored thereon a computer program which, when being executed by a processor, carries out the steps as set forth in the above-mentioned method embodiments.
It is to be understood that if the method in the above embodiments is implemented in the form of software functional units and sold or used as a stand-alone product, it can be stored in a computer readable storage medium. Based on such understanding, the technical solutions of the present application may be substantially or partially implemented in the form of a software product, which is stored in a storage medium and executes all or part of the steps of the methods of the embodiments of the present application, or all or part of the technical solutions. And the aforementioned storage medium includes: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
Since the embodiment of the readable storage medium portion corresponds to the embodiment of the method portion, reference is made to the description of the embodiment of the method portion for the embodiment of the readable storage medium portion and the corresponding advantageous effects thereof, which are not repeated herein.
The detailed description is given above of a server protection method, a server protection device, and a readable storage medium provided by the present application. The embodiments are described in a progressive manner in the specification, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description. It should be noted that, for those skilled in the art, it is possible to make several improvements and modifications to the present application without departing from the principle of the present application, and such improvements and modifications also fall within the scope of the claims of the present application.
It is further noted that, in the present specification, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

Claims (10)

1. A server protection method, comprising:
receiving an access request sent by a target object;
judging whether a learning model is established in a server, wherein the learning model is a model established according to a daily access request acquired when the server carries out daily business and a characteristic value corresponding to the daily access request;
if the learning model is established, acquiring a characteristic value of the access request according to the learning model, and comparing the characteristic value of the access request with the characteristic value of the daily access request to judge whether the access request is safe or not;
if the access request is determined to be unsafe, intercepting the access request;
and if the learning model is not established, establishing a corresponding temporary model according to the feedback information of the access request.
2. The server protection method according to claim 1, wherein the establishment of the learning model comprises the steps of:
when the server carries out daily business, collecting feature values of the daily access requests in the server, the feature values comprising the number of accesses in each preset time period, the number of access requests for which the server generates a response code of 404, the proportion of access requests with a response code of 404 among all access requests, and the size of the response packet;
generating, from the median, maximum value and minimum value of each item of data collected in each preset time period, the standard ranges in the learning model for that preset time period, namely the standard range of access frequency, the standard range of the number of access requests for which the server generates a response code of 404, the standard range of the proportion of access requests with a response code of 404 among all access requests, and the standard range of the response packet size.
3. The server protection method according to claim 2, wherein the obtaining a feature value of the access request according to the learning model, and comparing the feature value of the access request with a feature value of the daily access request to determine whether the access request is secure includes:
acquiring the number of accesses of the access request in a preset time period, the number of access requests for which the server generates a response code of 404, the proportion of access requests with a response code of 404 among all access requests, and the size of the response packet;
judging respectively whether the number of accesses of the access request in the preset time period, the number of access requests for which the server generates a response code of 404, the proportion of access requests with a response code of 404 among all access requests, and the size of the response packet each fall within the corresponding standard range of the daily access requests recorded in the learning model;
if so, determining that the access request is safe;
if not, determining that the access request is not safe.
4. The server protection method according to claim 1, further comprising, before said judging whether a learning model has been established in the server:
judging whether the server is a monitorable server or not;
if yes, the step of judging whether the learning model is established in the server is carried out.
5. The server protection method according to claim 3, further comprising, after judging respectively whether the number of accesses of the access request in the preset time period, the number of access requests for which the server generates a response code of 404, the proportion of access requests with a response code of 404 among all access requests, and the size of the response packet all fall within the corresponding standard ranges of the daily access requests recorded in the learning model:
modifying the learning model correspondingly according to the acquired number of accesses of the access request in the preset time period, the number of access requests for which the server generates a response code of 404, the proportion of access requests with a response code of 404 among all access requests, the size of the response packet, and the judgment result.
6. The server protection method according to claim 5, further comprising:
and when the access request is determined to be safe, sending the access request to the server and carrying out normal service processing.
7. The server protection method according to any one of claims 1 to 6, further comprising, after the receiving the access request sent by the target object:
recording the IP address of the access request;
and after the access request is determined to be unsafe, blacklisting the IP address.
8. A server protection device, comprising:
the receiving module, used for receiving an access request sent by a target object;
the judging module, used for judging whether a learning model has been established in the server, the learning model being a model established from the daily access requests acquired while the server performs daily business and the feature values corresponding to those daily access requests;
the acquisition module is used for acquiring the characteristic value of the access request according to the learning model, comparing the characteristic value of the access request with the characteristic value of the daily access request, judging whether the access request is safe or not, and if the access request is judged to be unsafe, starting the interception module;
the intercepting module is used for intercepting the access request;
and the establishing module is used for establishing a corresponding temporary model according to the feedback information of the access request.
9. A server protection device, comprising a memory for storing a computer program;
a processor for implementing the steps of the server protection method as claimed in any one of claims 1 to 7 when executing the computer program.
10. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, which computer program, when executed by a processor, carries out the steps of the server protection method according to any one of claims 1 to 7.
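The following is an added illustration of the scheme in claims 1 to 7 and the description above (learning model from daily traffic, feature comparison, interception, IP recording and blacklisting, temporary model when no model exists, periodic re-fitting). It is not the patent's own code. Everything concrete in it is assumed for the example: the log record format `(timestamp, client ip, response status, response bytes)`, a 60-second preset time period, bucketing of feature values per time period and per client IP (so one attacker does not push a whole period's statistics out of range for everyone), the mean response size standing in for "the size of the response packet", upper-bound-only checks for the count-type features and the 404 ratio while a period is still filling, the `MIN_FEEDBACK` threshold for building a temporary model, and the constructed baseline traffic and documentation-range IPs.

```python
"""Added example of the claimed server-protection scheme; not the patent's code.
All record formats, windows, thresholds and sample traffic are assumptions."""
from collections import defaultdict
from statistics import median

WINDOW = 60           # assumed "preset time period" in seconds
MIN_FEEDBACK = 10     # assumed: records needed before a temporary model is built
FEATURES = ("access_count", "count_404", "ratio_404", "resp_size")


def constructed_baseline():
    """Constructed daily traffic: (window, ip, requests, 404s, response size)."""
    plan = [(0, "10.0.0.1", 10, 1, 500), (0, "10.0.0.2", 6, 0, 520),
            (1, "10.0.0.1", 12, 1, 510), (1, "10.0.0.3", 8, 0, 540),
            (2, "10.0.0.2", 9, 1, 530)]
    log = []
    for w, ip, n, n404, size in plan:
        for i in range(n):  # record = (timestamp, client ip, status, response bytes)
            log.append((w * WINDOW + i, ip, 404 if i < n404 else 200, size))
    return log


def bucket_features(records):
    """Claim 2 feature values for one (time period, client) bucket; response
    size is the bucket mean (assumption)."""
    n = len(records)
    n404 = sum(1 for r in records if r[2] == 404)
    return {"access_count": n, "count_404": n404, "ratio_404": n404 / n,
            "resp_size": sum(r[3] for r in records) / n}


def bucketize(log, window=WINDOW):
    buckets = defaultdict(list)
    for rec in log:
        buckets[(rec[0] // window, rec[1])].append(rec)
    return buckets


def build_learning_model(log, window=WINDOW):
    """Claim 2: the standard range of each feature is its (min, median, max)
    over all buckets of the daily traffic."""
    per_bucket = [bucket_features(b) for b in bucketize(log, window).values()]
    model = {}
    for f in FEATURES:
        vals = [feat[f] for feat in per_bucket]
        model[f] = {"min": min(vals), "median": median(vals), "max": max(vals)}
    return model


def out_of_range(model, feats):
    """Claim 3 comparison. The bucket is still filling while requests arrive, so
    counts and the 404 ratio are checked against the upper bound only; the
    response size is checked against the whole [min, max] range."""
    bad = [f for f in ("access_count", "count_404", "ratio_404")
           if feats[f] > model[f]["max"]]
    lo, hi = model["resp_size"]["min"], model["resp_size"]["max"]
    if not lo <= feats["resp_size"] <= hi:
        bad.append("resp_size")
    return bad


class ServerGuard:
    """Receiving, judging, acquisition, interception and establishing modules
    of claim 8, collapsed into one class."""

    def __init__(self, baseline_log=None, window=WINDOW):
        self.window = window
        self.baseline = list(baseline_log or [])
        self.model = build_learning_model(self.baseline, window) if self.baseline else None
        self.temporary = False
        self.feedback = []            # server responses seen while no model exists
        self.ip_log = []              # claim 7: IP of every request received
        self.blacklist = set()
        self.current = defaultdict(list)
        self.forwarded = []           # safe records kept for periodic re-fitting

    def handle(self, rec):
        """Returns (decision, reasons) for one observed request/response record."""
        ts, ip, _status, _size = rec
        self.ip_log.append(ip)
        if ip in self.blacklist:
            return "intercepted", ["blacklisted"]
        if self.model is None:
            # claim 1, last step: no learning model yet, so build a temporary one
            # from the feedback (the server's responses) once enough has arrived
            self.feedback.append(rec)
            if len(self.feedback) >= MIN_FEEDBACK:
                self.model = build_learning_model(self.feedback, self.window)
                self.temporary = True
            return "forwarded", ["no model"]
        bucket = self.current[(ts // self.window, ip)]
        bucket.append(rec)
        bad = out_of_range(self.model, bucket_features(bucket))
        if bad:
            self.blacklist.add(ip)    # claim 7: blacklist after an unsafe verdict
            return "intercepted", bad
        self.forwarded.append(rec)    # claim 6: safe request gets normal processing
        return "forwarded", []

    def refit(self):
        """Claim 5 / periodic adjustment: rebuild the ranges from the baseline plus
        the requests judged safe since, excluding IPs blacklisted in the meantime."""
        safe = [r for r in self.forwarded if r[1] not in self.blacklist]
        self.model = build_learning_model(self.baseline + safe, self.window)
        self.forwarded = []
        return self.model
```

Two design choices worth noting: the response code is only known after the server has answered, so the guard works on completed request/response records and its interception takes effect on the offending request's source from then on, which matches the asynchronous operation mentioned in the description; and `refit()` drops the records of IPs that were blacklisted after their early requests had been judged safe, so a slow-building flood does not widen the standard ranges at the next weekly or monthly adjustment.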
CN202210318399.2A 2022-03-29 2022-03-29 Server protection method and device and readable storage medium Pending CN114679320A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210318399.2A CN114679320A (en) 2022-03-29 2022-03-29 Server protection method and device and readable storage medium

Publications (1)

Publication Number Publication Date
CN114679320A true CN114679320A (en) 2022-06-28

Family

ID=82075250

Country Status (1)

Country Link
CN (1) CN114679320A (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108449368A (en) * 2018-06-26 2018-08-24 北京云枢网络科技有限公司 A kind of application layer attack detection method, device and electronic equipment
US20180262521A1 (en) * 2017-03-13 2018-09-13 Molbase (Shanghai) Biotechnology Co., Ltd Method for web application layer attack detection and defense based on behavior characteristic matching and analysis
CN110166462A (en) * 2019-05-25 2019-08-23 深圳市元征科技股份有限公司 Access control method, system, electronic equipment and computer storage medium
CN111641658A (en) * 2020-06-09 2020-09-08 杭州安恒信息技术股份有限公司 Request intercepting method, device, equipment and readable storage medium
CN113934611A (en) * 2021-09-07 2022-01-14 中云网安科技有限公司 Statistical method and device for access information, electronic equipment and readable storage medium
CN113949527A (en) * 2021-09-07 2022-01-18 中云网安科技有限公司 Abnormal access detection method and device, electronic equipment and readable storage medium
CN113949526A (en) * 2021-09-07 2022-01-18 中云网安科技有限公司 Access control method and device, storage medium and electronic equipment

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115865522A (en) * 2023-02-10 2023-03-28 中航金网(北京)电子商务有限公司 Information transmission control method and device, electronic equipment and storage medium
CN115865522B (en) * 2023-02-10 2023-06-02 中航金网(北京)电子商务有限公司 Information transmission control method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination