CN114928452A - Access request verification method, device, storage medium and server - Google Patents


Publication number
CN114928452A
Authority
CN
China
Prior art keywords
fingerprint
target
malicious
address
request
Prior art date
Legal status
Granted
Application number
CN202210536651.7A
Other languages
Chinese (zh)
Other versions
CN114928452B (en)
Inventor
卞晓瑜
肖鸣林
叶法
Current Assignee
Yida Technology Shanghai Co ltd
Original Assignee
Yida Technology Shanghai Co ltd
Application filed by Yida Technology Shanghai Co ltd
Priority to CN202210536651.7A
Publication of CN114928452A
Application granted
Publication of CN114928452B
Legal status: Active

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3231: Biological data, e.g. fingerprint, voice or retina
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0861: Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
    • H04L63/16: Implementing security features at a particular protocol layer
    • H04L63/166: Implementing security features at a particular protocol layer at the transport layer
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/01: Protocols
    • H04L67/02: Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L69/00: Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/16: Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H04L69/161: Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields
    • H04L69/162: Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields involving adaptations of sockets based mechanisms

Abstract

The application provides an access request verification method, an access request verification device, a storage medium and a server. The method comprises the following steps: when a current access request sent by a client device is received, obtaining SSL request information sent by the client device; generating a target JA3 fingerprint of the current access request according to the SSL request information; matching the target JA3 fingerprint with the JA3 fingerprints in a preset malicious JA3 fingerprint library to obtain a first matching result reflecting whether the malicious JA3 fingerprint library includes the target JA3 fingerprint; acquiring a historical fingerprint library that records the JA3 fingerprint corresponding to each historical access request, and determining the occurrence frequency and the total number of occurrences of the target JA3 fingerprint in the historical fingerprint library; and if the first matching result reflects that the malicious JA3 fingerprint library includes the target JA3 fingerprint, the occurrence frequency is greater than a preset frequency threshold, or the total number of occurrences is greater than a preset number threshold, discarding the current access request.

Description

Access request verification method, device, storage medium and server
Technical Field
The present application relates to the field of computer technologies, and in particular, to a method and an apparatus for verifying an access request, a storage medium, and a server.
Background
With the development of internet technology, website access is flooded with a large amount of spam traffic, and some of this traffic amounts to malicious attack, such as traffic caused by viruses, worms or DoS (Denial of Service) attacks. To protect the server and its data, a spam traffic filtering method is needed to verify and filter the access requests that such traffic makes to a website.
Currently, in the prior art, an access request is verified based on cookie information generated by a front-end page of a website: a corresponding device fingerprint is generated according to the cookie information, and the device fingerprint is matched with a device fingerprint pre-stored in a back-end server. If the matching is successful, the access request passes the verification; if the matching is unsuccessful, the access request can be judged to be spam traffic, and the request is directly discarded so as to protect the server and its data. However, when access requests are verified and spam traffic is identified in this way, the identification accuracy is low.
Disclosure of Invention
The present application aims to solve at least one of the above technical drawbacks, in particular, the technical drawback of the prior art that the identification accuracy for malicious requests is low.
In a first aspect, an embodiment of the present application provides an access request verification method, where the method includes:
when a current access request sent by a client device is received, acquiring Secure Sockets Layer (SSL) request information sent by the client device;
generating a target JA3 fingerprint of the current access request according to the SSL request information;
matching the target JA3 fingerprint with the JA3 fingerprints in a preset malicious JA3 fingerprint library to obtain a first matching result reflecting whether the malicious JA3 fingerprint library includes the target JA3 fingerprint;
acquiring a historical fingerprint library that records the JA3 fingerprint corresponding to each historical access request, and determining the occurrence frequency and the total number of occurrences of the target JA3 fingerprint in the historical fingerprint library;
if the first matching result reflects that the malicious JA3 fingerprint library includes the target JA3 fingerprint, the occurrence frequency is greater than a preset frequency threshold, or the total number of occurrences is greater than a preset number threshold, discarding the current access request.
In one embodiment, the step of matching the target JA3 fingerprint with a JA3 fingerprint in a preset malicious JA3 fingerprint library is preceded by the following steps:
acquiring a target IP address of the client device;
matching a target IP address with an IP address in a preset malicious IP address library to obtain a second matching result for reflecting whether the malicious IP address library comprises the target IP address;
if the second matching result reflects that the malicious IP address library comprises the target IP address, discarding the current access request;
the step of matching the target JA3 fingerprint with JA3 fingerprints in a preset malicious JA3 fingerprint library comprises the following steps: if the second matching result reflects that the malicious IP address library does not comprise the target IP address, matching the target JA3 fingerprint with a JA3 fingerprint in the preset malicious JA3 fingerprint library;
the step of determining the occurrence frequency and the total number of occurrences of the target JA3 fingerprint in the historical fingerprint library comprises: if the second matching result reflects that the malicious IP address library does not include the target IP address, determining the occurrence frequency and the total number of occurrences of the target JA3 fingerprint in the historical fingerprint library.
In one embodiment, the method further comprises: if the second matching result reflects that the malicious IP address library comprises the target IP address, adding the target JA3 fingerprint to the malicious JA3 fingerprint library.
In one embodiment, before the step of matching the target IP address with the IP address in the preset malicious IP address library, the method further includes:
acquiring request header information of the current access request;
judging whether the request header information meets a preset legal request header information rule or not to obtain a judgment result;
if the judgment result reflects that the request header information does not meet the preset legal request header information rule, discarding the current access request;
the step of matching the target IP address with the IP address in a preset malicious IP address library comprises the following steps: and if the judgment result reflects that the request header information meets a preset legal request header information rule, matching the target IP address with the IP address in the preset malicious IP address library.
In one embodiment, the step of determining whether the request header information satisfies a preset legal request header information rule to obtain a determination result includes:
extracting a browser identification from the user agent field information of the request header information;
if the browser identification matches a preset legal browser identification, the request header information includes acceptance information of the client device, or the request header information includes a preset site access mark, determining that the request header information satisfies the legal request header information rule; otherwise, determining that the request header information does not satisfy the legal request header information rule.
In one embodiment, the method further comprises: and if the request header information does not meet the legal request header information rule, adding the target JA3 fingerprint into the malicious JA3 fingerprint library, and adding the target IP address into the malicious IP address library.
In one embodiment, the method further comprises: if the first matching result reflects that the malicious JA3 fingerprint library does not include the target JA3 fingerprint, the occurrence frequency is less than or equal to the preset frequency threshold, and the total number of occurrences is less than or equal to the preset number threshold, returning the service data corresponding to the current access request to the client device.
In a second aspect, an embodiment of the present application provides an access request verification apparatus, where the apparatus includes:
an SSL information acquisition module, configured to acquire Secure Sockets Layer (SSL) request information sent by a client device when a current access request sent by the client device is received;
a target JA3 fingerprint obtaining module, configured to generate a target JA3 fingerprint of the current access request according to the secure socket protocol request information;
the fingerprint matching module is used for matching the target JA3 fingerprint with a JA3 fingerprint in a preset malicious JA3 fingerprint library to obtain a first matching result for reflecting whether the malicious JA3 fingerprint library comprises the target JA3 fingerprint;
an occurrence frequency acquisition module, configured to acquire a historical fingerprint library that records the JA3 fingerprint corresponding to each historical access request and to determine the occurrence frequency and the total number of occurrences of the target JA3 fingerprint in the historical fingerprint library;
a request verification module, configured to discard the current access request when the first matching result reflects that the malicious JA3 fingerprint library includes the target JA3 fingerprint, the occurrence frequency is greater than a preset frequency threshold, or the total number of occurrences is greater than a preset number threshold.
In a third aspect, the present application provides a storage medium having stored therein computer-readable instructions, which, when executed by one or more processors, cause the one or more processors to perform the steps of the access request verification method according to any one of the above embodiments.
In a fourth aspect, an embodiment of the present application provides a server, including: one or more processors, and a memory; the memory has stored therein computer readable instructions which, when executed by the one or more processors, perform the steps of the method of any of the above embodiments.
The embodiments of the application provide an access request verification method, an access request verification device, a storage medium and a server. When the server receives a current access request sent by a client device, the server can obtain the SSL request information sent by the client device and generate a target JA3 fingerprint of the current access request from it. After obtaining the target JA3 fingerprint of the current access request, the server may match the target JA3 fingerprint with the JA3 fingerprints in a preset malicious JA3 fingerprint library to obtain a first matching result reflecting whether the malicious JA3 fingerprint library includes the target JA3 fingerprint. The server may also obtain a historical fingerprint library that records the JA3 fingerprint corresponding to each historical access request and determine the occurrence frequency and the total number of occurrences of the target JA3 fingerprint in the historical fingerprint library. If the first matching result reflects that the malicious JA3 fingerprint library includes the target JA3 fingerprint, the occurrence frequency is greater than a preset frequency threshold, or the total number of occurrences is greater than a preset number threshold, the server can determine that the current access request is a spam traffic request and discard it.
Since the JA3 fingerprint is a fingerprint obtained by processing secure socket protocol request information by a corresponding algorithm, different access requests initiated by the same client device correspond to the same JA3 fingerprint, and access requests initiated by different client devices correspond to different JA3 fingerprints. Therefore, the spam traffic determination based on the JA3 fingerprint can prevent a malicious request situation of falsified request information such as an IP address and a user agent field. Even if the current access request is a malicious request with a high disguising degree, the scheme provided by the application can accurately identify and intercept the current access request, so that the identification accuracy of the malicious request is improved, and the load of a server is reduced.
Meanwhile, the application can judge the legality of the target JA3 fingerprint according to whether it matches the preset malicious JA3 fingerprint library, and judge the rationality of the target JA3 fingerprint according to its occurrence frequency and total number of occurrences in the historical fingerprint library. Therefore, whether the current access request is a malicious request can be judged comprehensively by combining the legality and the rationality of the target JA3 fingerprint, which further improves the identification accuracy for malicious requests and reduces the load of the server.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without inventive exercise.
FIG. 1 is a diagram of an application environment of a method for access request validation in one embodiment;
FIG. 2 is a flowchart illustrating an access request validation method according to an embodiment;
FIG. 3 is a flowchart illustrating steps prior to the target JA3 fingerprint matching step in one embodiment;
FIG. 4 is a flowchart illustrating steps prior to a target IP address matching step in one embodiment;
FIG. 5 is a second flowchart illustrating an access request authentication method according to an embodiment;
FIG. 6 is a block diagram showing a schematic configuration of an access request authentication apparatus according to an embodiment;
FIG. 7 is a schematic structural diagram of a server in an embodiment.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
As the background section shows, when access requests are verified and spam traffic is identified by the prior art, the accuracy is low. The inventors have found that the reason for this problem is that spam traffic can generate cookies from forged information such as request headers. When the cookie information is forged, the device fingerprint generated from the cookie information is successfully matched with the device fingerprint pre-stored in the back-end server, so the spam traffic cannot be filtered and the accuracy of the access request verification is reduced.
Moreover, when a WEB browser accesses the website for the first time, cookie generation and access verification are required, so the access time is long and the access experience of the user is reduced. Meanwhile, the device fingerprint adopted in the prior art includes terminal information such as a terminal identifier, a Media Access Control (MAC) address, and/or an Internet Protocol (IP) address of the client terminal, but when the access is performed through a WEB browser, the MAC address of the client terminal is difficult to obtain, and therefore the prior art can only be applied to terminal devices such as mobile phones and tablets. Moreover, by reading and modifying the cookie information of the access request, the server can illegally obtain user privacy information, such as the movement track of the mouse, and therefore the prior art implementation also has a problem of low security.
In order to solve the above problem, embodiments of the present application provide an access request verification method, an access request verification device, a storage medium, and a server, which can improve identification accuracy of a malicious request and reduce a load of the server.
The access request verification method provided by the application can be applied to the application environment shown in FIG. 1. As shown in FIG. 1, the application environment may include a client device 102 and a server 104. The client device 102 may be a terminal, such as a mobile phone, a tablet, a computer device, or the like. The server 104 may be a single server or a cluster of multiple servers. Each server may be implemented in any manner disclosed in the prior art, and the present application is not limited thereto in particular.
The client device 102 may send an access request to the server 104 when it needs to access a certain website. Server 104 may identify the access request to determine whether the access request is a malicious request. If so, the access request may be discarded, i.e., the corresponding service data is not returned to the client device 102; if not, a 200 status code and corresponding business data may be returned to the client device 102.
In one example, the servers shown in FIG. 1 may include a gateway server and a service server. The gateway server is used for receiving an access request sent by the client device and determining whether the access request is a malicious request. If so, the access request may be discarded, i.e., the access request is not forwarded to the service server. If not, the access request can be forwarded to the service server, so that the service server returns the 200 status code and the corresponding service data to the client device.
In one embodiment, an access request authentication method is provided, which is illustrated by way of example as applied to the server of fig. 1, and in one example, may be applied to a gateway server. Referring to fig. 2, the method may specifically include the following steps:
S210, when receiving a current access request sent by a client device, obtaining Secure Sockets Layer (SSL) request information sent by the client device.
S220, generating a target JA3 fingerprint of the current access request according to the SSL request information.
The SSL request information may include TLS (Transport Layer Security) fingerprint feature data, and the server may process the TLS fingerprint feature data through a corresponding algorithm to obtain a target JA3 fingerprint. Each JA3 fingerprint has uniqueness, different client devices and request patterns have different JA3 fingerprints, and requests initiated by the same client device in the same request manner correspond to a fixed JA3 fingerprint. For example, if one access request is initiated using the requests HTTP package of Python and another access request is initiated through a normal browser, the two access requests correspond to different JA3 fingerprints.
In one example, the TLS fingerprint data may include the following 5 arrays: TLSVersion (TLS version), Ciphers (cipher suites), Extensions (extension list), EllipticCurves (elliptic curves) and EllipticCurvePointFormats (elliptic curve point formats). The server may generate a target JA3 fingerprint based on these 5 fields, and perform analysis and interception using the MD5 value of the target JA3 fingerprint.
S230, matching the target JA3 fingerprint with a JA3 fingerprint in a preset malicious JA3 fingerprint library to obtain a first matching result for reflecting whether the malicious JA3 fingerprint library comprises the target JA3 fingerprint.
The malicious JA3 fingerprint database can be preset and stored, and comprises a plurality of JA3 fingerprints for initiating malicious requests. For example, a plurality of malicious JA3 fingerprints may be obtained from public websites and stored in a server to form a malicious JA3 fingerprint repository.
Specifically, the server may match the target JA3 fingerprint with a JA3 fingerprint in the malicious JA3 fingerprint library, and obtain a first matching result. The server may determine whether the target JA3 fingerprint is present in the malicious JA3 fingerprint repository based on the first match result, thereby determining whether the target JA3 fingerprint is a malicious JA3 fingerprint.
S240, acquiring a historical fingerprint database for recording JA3 fingerprints corresponding to each historical access request, and determining the frequency of appearance and the total number of appearance of the target JA3 fingerprints in the historical fingerprint database.
Upon receiving each access request, the server may record the JA3 fingerprint corresponding to the access request to obtain a historical fingerprint repository. It should be noted that, if the JA3 fingerprints of two access requests received by the server successively are the same, the history fingerprint database may record the JA3 fingerprint twice. In one embodiment, the historical fingerprint database may further record the receiving time or the sending time of each access request, in other words, when each access request is received, the historical fingerprint database may generate a correspondence between the receiving time/the sending time of the access request and the JA3 fingerprint of the access request, and store the correspondence and the related data in the historical fingerprint database.
After obtaining the target JA3 fingerprint of the current access request, the server may match the target JA3 fingerprint with each JA3 fingerprint in the historical fingerprint library to determine the total number of occurrences and the occurrence frequency of the target JA3 fingerprint. The total number of occurrences may be the total number of times the target JA3 fingerprint appears in the historical fingerprint library. The statistical duration used for the occurrence frequency can be determined according to practical situations, and the application does not specifically limit this. For example, the server may count the number of occurrences of the target JA3 fingerprint in the previous 10 minutes and derive from it the occurrence frequency of the target JA3 fingerprint per minute.
S250, if the first matching result reflects that the malicious JA3 fingerprint library includes the target JA3 fingerprint, the occurrence frequency is greater than a preset frequency threshold, or the total number of occurrences is greater than a preset number threshold, discarding the current access request.
It can be understood that the specific values of the preset frequency threshold and the preset number threshold can be determined according to actual situations, and the application does not specifically limit this. Specifically, when the first matching result reflects that the target JA3 fingerprint is included in the malicious JA3 fingerprint library, the target JA3 fingerprint is an illegal fingerprint, and the server may discard the current access request to intercept it. When the occurrence frequency of the target JA3 fingerprint is greater than the preset frequency threshold, it may be determined that the access pattern of the target JA3 fingerprint is not reasonable, and the server discards the current access request to intercept it. When the total number of occurrences of the target JA3 fingerprint is greater than the preset number threshold, it can also be determined that the access pattern of the target JA3 fingerprint is not reasonable, and the server discards and intercepts the current access request. In one embodiment, the server may return a 403 response code to the client device after discarding the current access request.
In this embodiment, the JA3 fingerprint is obtained by processing secure socket protocol request information through a corresponding algorithm, different access requests initiated by the same client device correspond to the same JA3 fingerprint, and access requests initiated by different client devices correspond to different JA3 fingerprints. Therefore, the spam traffic determination based on the JA3 fingerprint can prevent a malicious request situation of falsified request information such as an IP address and/or a user agent field. Even if the current access request is a malicious request with a high disguising degree, the scheme provided by the application can accurately identify and intercept the current access request, so that the identification accuracy of the malicious request is improved, and the load of a server is reduced.
Meanwhile, the legality of the target JA3 fingerprint can be judged according to whether it matches the preset malicious JA3 fingerprint library, and the rationality of the target JA3 fingerprint can be judged according to its occurrence frequency and total number of occurrences in the historical fingerprint library. Therefore, whether the current access request is a malicious request can be judged comprehensively by combining the legality and the rationality of the target JA3 fingerprint, which further improves the identification accuracy for malicious requests and reduces the load of the server.
In one embodiment, as shown in fig. 3, the step of matching the target JA3 fingerprint with a JA3 fingerprint in a preset malicious JA3 fingerprint library is preceded by:
S310, acquiring a target IP address of the client device;
S320, matching the target IP address with the IP addresses in a preset malicious IP address library to obtain a second matching result reflecting whether the malicious IP address library includes the target IP address;
S330, if the second matching result reflects that the malicious IP address library includes the target IP address, discarding the current access request.
The step of matching the target JA3 fingerprint with JA3 fingerprints in a preset malicious JA3 fingerprint library comprises the following step: if the second matching result reflects that the malicious IP address library does not include the target IP address, matching the target JA3 fingerprint with a JA3 fingerprint in the preset malicious JA3 fingerprint library.
The step of determining the occurrence frequency and the total number of occurrences of the target JA3 fingerprint in the historical fingerprint library comprises: if the second matching result reflects that the malicious IP address library does not include the target IP address, determining the occurrence frequency and the total number of occurrences of the target JA3 fingerprint in the historical fingerprint library.
In particular, since verification of the target JA3 fingerprint involves data computation and database access, the load on the server is large and, to reduce the load on the server, the server may filter based on the IP information of the client device before verifying the current access request based on the target JA3 fingerprint. If the filtering is passed, further judgment can be made based on the target JA3 fingerprint so as to identify and intercept the access request with higher disguise degree; if the filtering does not pass, the current access request can be directly discarded.
Specifically, the server may obtain an IP address of the client device (i.e., a target IP address), and perform a blacklist query on the target IP address to determine whether the target IP address is a malicious IP address. In performing the blacklist query, the server may match the target IP address with each IP address in the malicious IP address repository to determine whether the target IP address is included in the malicious IP address repository. The malicious IP address library may be preset and stored, and includes IP fingerprints of a plurality of client devices for initiating a malicious request. In one embodiment, the malicious IP address repository may include IP addresses that were identified multiple times during historical accesses as malicious IPs.
If the second match result reflects that the malicious IP address repository includes the target IP address, then the target IP address may be determined to be a malicious IP address, and thus, the server may directly discard the current access request and return 403 a response code. In one embodiment, if the second match result reflects that the target IP address exists in the malicious IP address repository, the server may add the target JA3 fingerprint to the malicious JA3 fingerprint repository to update the malicious JA3 fingerprint repository. Thus, the recognition accuracy can be further improved.
If the second matching result reflects that the target IP address is not included in the malicious IP address library, the legality and the rationality of the target JA3 fingerprint can be verified, namely, the target JA3 fingerprint is matched with JA3 fingerprints in a preset malicious JA3 fingerprint library to obtain a first matching result, the occurrence frequency and the total occurrence frequency of the target JA3 fingerprint in a historical fingerprint library are determined, and the legality and the rationality of the target JA3 fingerprint are verified according to the first matching result, the total occurrence frequency and the total occurrence frequency.
In the embodiment, because the blacklist query is performed on the target IP address, and only the database access is involved, the filtering is performed based on the target IP address, and the filtering is performed based on the target JA3 fingerprint under the condition that the filtering is passed, so that the identification accuracy is improved, the high interception rate is achieved, and the load of the server can be effectively reduced.
In one embodiment, as shown in fig. 4, before the step of matching the target IP address with the IP address in the preset malicious IP address library, the method further includes:
S410, acquiring request header information of the current access request;
S420, judging whether the request header information meets a preset legal request header information rule to obtain a judgment result;
S430, if the judgment result reflects that the request header information does not meet the preset legal request header information rule, discarding the current access request.
The step of matching the target IP address with the IP addresses in a preset malicious IP address library comprises: if the judgment result reflects that the request header information meets the preset legal request header information rule, matching the target IP address with the IP addresses in the preset malicious IP address library.
Specifically, to further reduce the load on the server, the server may filter based on the request header information of the current access request, to determine whether the request header information satisfies the conventional request requirements, before performing the blacklist query on the target IP address. If the filtering is passed, a further judgment can be made based on the target IP address; if the filtering is not passed, the current access request can be directly discarded.
Specifically, a legal request header information rule may be preset in the server, so as to determine whether the request header information of the current access request meets the conventional request requirement through the rule. It is to be understood that the legal request header rule may be determined according to practical situations, and the application is not limited to this. For example, the legal request header rule may be used to determine whether a User Agent (UA) field in the request header includes a normal browser identifier, such as whether a browser identifier in the UA field is a Chrome browser identifier or a Safari browser identifier.
The server can obtain the request header information of the current access request and judge whether the request header information meets the legal request header information rule to obtain a judgment result. If the judgment result reflects that the request header information of the current access request does not meet the legal request header information rule, the current access request can be discarded and a 403 response code returned. In one embodiment, if the request header information of the current access request does not satisfy the legal request header information rule, the server may add the target JA3 fingerprint to the malicious JA3 fingerprint library and the target IP address to the malicious IP address library. In this way, the malicious JA3 fingerprint library and the malicious IP address library can be updated, so that the identification accuracy can be further improved.
If the judgment result reflects that the request header information of the current access request meets the legal request header information rule, a blacklist query can be performed on the IP address of the client device. That is, the target IP address is matched with the addresses in the malicious IP address library to obtain a second matching result, and the target IP address is verified according to the second matching result. Then, whether to verify the legitimacy and reasonableness of the target JA3 fingerprint is determined according to the verification result of the target IP address.
In this embodiment, a first malicious request determination is performed based on the request header information of the current access request. If the request header information meets the legal request header information rule, a second malicious request determination is performed based on the IP address of the client device. If the target IP address does not exist in the malicious IP address library, a third malicious request determination is performed based on the target JA3 fingerprint. Therefore, most access requests with a low degree of disguise can be intercepted by the first and second determinations, and access requests with a high degree of disguise can be intercepted by the third determination. The identification accuracy is improved and a higher interception rate is achieved, while the load on the server is effectively reduced.
In one embodiment, the step of determining whether the request header information satisfies a preset legal request header information rule to obtain a determination result includes:
extracting a browser identification from the user agent field information of the request header information;
if any one of the following holds: the browser identification matches a preset legal browser identification, the request header information includes acceptance information of the client device, or the request header information includes a preset site access mark, determining that the request header information meets the legal request header information rule; otherwise, determining that the request header information does not satisfy the legal request header information rule.
Specifically, when determining whether the request header information meets the conventional request requirement, the server may base the determination on the browser identifier, on whether the acceptance information (Accept information) of the client device is carried, and on whether flag information for accessing a preset site is present. In one embodiment, the acceptance information of the client device may be a MIME (Multipurpose Internet Mail Extensions) type acceptable to a browser of the client device.
If the browser identifier included in the current access request is not a preset legal browser identifier (such as a Chrome browser identifier or a Safari browser identifier), the request header information does not include Accept information of the client device, and the request header information does not include a preset site access flag, the server may determine that the current access request does not satisfy a legal request header information rule, discard the current access request, and return a 403 response code to the client device.
If the browser identification contained in the current access request is a preset legal browser identification, the current access request can be determined to meet the legal request header information rule. If the request header information of the current access request carries the corresponding Accept information, the current access request can likewise be determined to meet the legal request header information rule. If the request header information of the current access request includes the preset site access mark, the current access request can also be determined to meet the legal request header information rule.
In the embodiment of the application, whether the request header information of the current access request meets the conventional request requirement is comprehensively judged by combining the browser identification of the request header information, whether the request header information carries the Accept information of the client equipment and whether the request header information comprises the preset site access mark, so that the identification accuracy of preliminary filtering can be improved.
According to the method and the device, verifying the current access request does not require repeated encrypted information verification or Cookie interaction on the client device side, so that the response efficiency of the current access request can be improved and a good access experience is provided for normal users. Meanwhile, the embodiment of the application does not involve extraction or injection of Cookie information, so that the problem of illegally obtaining user privacy does not arise, and access security can be improved.
In one embodiment, the access request verification method according to the embodiment of the present application further includes: if the first matching result reflects that the malicious JA3 fingerprint library does not include the target JA3 fingerprint, the occurrence frequency is less than or equal to the preset frequency threshold, and the total number of occurrences is less than or equal to the preset number threshold, returning service data corresponding to the current access request to the client device so as to respond normally to the current access request.
In one embodiment, the access request verification method provided by the embodiment of the present application may be as shown in fig. 5. Upon receiving the current access request from the client device, the server may obtain the IP address of the client device (i.e., the target IP address), the request header information including the UA field, and the SSL request information, and then enter the class I request filter.
The class I request filter may determine whether the request header information meets the conventional request requirement, that is, whether the request header information of the current access request includes a normal browser identifier (UA), whether it carries the corresponding Accept information, and whether a preset site access flag exists. If none of these 3 conditions is met, the server may directly intercept and discard the current access request and return a 403 response code. If at least 1 of the 3 conditions is met, the class II request filter can be entered.
The class II request filter mainly filters on IP information by performing a blacklist query on the target IP address. The blacklist consists of a plurality of IP addresses identified as malicious during historical accesses. If the server determines that the target IP address is a blacklisted IP address, the server may directly discard the current access request and return a 403 response code. Otherwise, the class III request filter may be entered.
The class III request filter may generate a JA3 fingerprint (i.e., a target JA3 fingerprint) of the current access request from the SSL request information and verify the legitimacy and reasonableness of the target JA3 fingerprint. If it is determined that the target JA3 fingerprint is not legitimate or not reasonable, the current access request may be intercepted and discarded directly. If the target JA3 fingerprint is determined to be legitimate and reasonable, a 200 status code may be returned to the client device together with the corresponding service data.
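The three-class filter flow of fig. 5, sketched as an added example that is not code from the patent. It assumes that "occurrence frequency" means occurrences inside a sliding time window, uses constructed threshold values and a hypothetical `X-Site-Access` header as the preset site access mark, and computes JA3 in the commonly published way (MD5 over the comma-joined ClientHello fields).

```python
import hashlib
import time
from collections import defaultdict, deque

# Assumed values: the page leaves the thresholds, window and site mark unspecified.
LEGAL_BROWSER_IDS = ("Chrome", "Safari")  # the page's example browser identifiers
SITE_MARK_HEADER = "x-site-access"        # hypothetical preset site access mark
WINDOW_SECONDS = 60.0                     # window used for "occurrence frequency"
FREQ_THRESHOLD = 3                        # max occurrences inside the window
TOTAL_THRESHOLD = 5                       # max occurrences in the whole history
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}  # reserved TLS values, ignored by JA3


def ja3_fingerprint(version, ciphers, extensions, curves, point_formats):
    """MD5 over the JA3 string of ClientHello fields (decimal, GREASE removed)."""
    def join(values):
        return "-".join(str(v) for v in values if v not in GREASE)
    fields = [str(version), join(ciphers), join(extensions),
              join(curves), join(point_formats)]
    return hashlib.md5(",".join(fields).encode("ascii")).hexdigest()


class AccessRequestFilter:
    def __init__(self, malicious_ips=(), malicious_ja3=()):
        self.malicious_ips = set(malicious_ips)
        self.malicious_ja3 = set(malicious_ja3)
        self.recent = defaultdict(deque)  # JA3 -> timestamps inside the window
        self.totals = defaultdict(int)    # JA3 -> total occurrences in the history

    @staticmethod
    def header_is_legal(headers):
        """Class I rule: any one of the three conditions is enough to pass."""
        h = {k.lower(): v for k, v in headers.items()}
        ua = h.get("user-agent", "")
        return (any(b in ua for b in LEGAL_BROWSER_IDS)
                or bool(h.get("accept"))
                or SITE_MARK_HEADER in h)

    def verify(self, ip, headers, ja3, now=None):
        """Return (status_code, stage) for one request."""
        now = time.time() if now is None else now
        if not self.header_is_legal(headers):       # class I: request header rule
            self.malicious_ja3.add(ja3)             # optional library update
            self.malicious_ips.add(ip)
            return 403, "header"
        if ip in self.malicious_ips:                # class II: IP blacklist
            self.malicious_ja3.add(ja3)             # optional library update
            return 403, "ip"
        if ja3 in self.malicious_ja3:               # class III: legitimacy
            return 403, "ja3-library"
        stamps = self.recent[ja3]                   # class III: reasonableness
        stamps.append(now)                          # assumption: count this request too
        self.totals[ja3] += 1
        while now - stamps[0] > WINDOW_SECONDS:     # drop timestamps outside the window
            stamps.popleft()
        if len(stamps) > FREQ_THRESHOLD:
            return 403, "ja3-frequency"
        if self.totals[ja3] > TOTAL_THRESHOLD:
            return 403, "ja3-total"
        return 200, "ok"


def demo():
    """Constructed traffic: one TLS client rotating IPs and spoofing a browser UA."""
    hello = dict(version=771, ciphers=[0x1A1A, 4865, 4866],
                 extensions=[0, 23, 65281], curves=[29, 23], point_formats=[0])
    ja3 = ja3_fingerprint(**hello)
    flt = AccessRequestFilter(malicious_ips={"203.0.113.9"})
    spoofed = {"User-Agent": "Mozilla/5.0 Chrome/120.0 Safari/537.36", "Accept": "*/*"}
    out = [flt.verify(f"198.51.100.{i}", spoofed, ja3, now=float(i)) for i in range(4)]
    out.append(flt.verify("198.51.100.50", spoofed, ja3, now=500.0))
    out.append(flt.verify("198.51.100.51", spoofed, ja3, now=1000.0))
    return [stage for _, stage in out]


if __name__ == "__main__":
    print(demo())
```

In the constructed traffic every request passes class I and class II because the headers look like a browser and each source IP is new, so only the repeated JA3 fingerprint gets the client dropped.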
The following describes an access request authentication device provided in an embodiment of the present application, and the access request authentication device described below and the access request authentication method described above may be referred to correspondingly.
In one embodiment, the present application provides an access request validation apparatus 500. As shown in fig. 6, the apparatus 500 includes a secure socket protocol information acquisition module 510, a target JA3 fingerprint acquisition module 520, a fingerprint matching module 530, a frequency of occurrence acquisition module 540, and a request verification module 550. Wherein:
the secure socket protocol information obtaining module 510 is configured to, when receiving a current access request sent by a client device, obtain secure socket protocol request information sent by the client device;
a target JA3 fingerprint obtaining module 520, configured to generate a target JA3 fingerprint of the current access request according to the secure socket protocol request information;
the fingerprint matching module 530 is used for matching the target JA3 fingerprint with JA3 fingerprints in a preset malicious JA3 fingerprint library to obtain a first matching result for reflecting whether the malicious JA3 fingerprint library comprises the target JA3 fingerprint;
the occurrence frequency acquisition module 540 is used for acquiring a historical fingerprint database for recording JA3 fingerprints corresponding to each historical access request, and determining the occurrence frequency and the total number of occurrences of the target JA3 fingerprint in the historical fingerprint database;
the request verification module 550 is configured to discard the current access request if the first matching result reflects that the malicious JA3 fingerprint repository includes the target JA3 fingerprint, the occurrence frequency is greater than a preset frequency threshold, or the total occurrence number is greater than a preset number threshold.
In one embodiment, the apparatus 500 further comprises a target IP obtaining module and an IP address matching module. The target IP obtaining module is used for obtaining a target IP address of the client device. The IP address matching module is used for matching the target IP address with the IP address in a preset malicious IP address library to obtain a second matching result for reflecting whether the malicious IP address library comprises the target IP address.
The request verification module 550 is further configured to discard the current access request if the second matching result reflects that the malicious IP address repository includes the target IP address. The fingerprint matching module 530 is further configured to match the target JA3 fingerprint with a JA3 fingerprint in the preset malicious JA3 fingerprint library if the second matching result reflects that the malicious IP address library does not include the target IP address. The frequency of occurrence acquisition module 540 is further configured to determine the frequency of occurrence and the total number of occurrences of the target JA3 fingerprint in the historical fingerprint repository if the second matching result reflects that the malicious IP address repository does not include the target IP address.
In one embodiment, the apparatus 500 further comprises an update module. The update module is configured to add the target JA3 fingerprint to the malicious JA3 fingerprint repository if the second match result reflects that the malicious IP address repository includes the target IP address.
In one embodiment, the apparatus 500 further comprises a request header obtaining module and a judging module. The request header obtaining module is used for acquiring the request header information of the current access request. The judging module is used for judging whether the request header information meets a preset legal request header information rule so as to obtain a judgment result.
The request verifying module 550 is further configured to discard the current access request when the determination result reflects that the request header information does not satisfy a preset legal request header information rule. And the IP address matching module is also used for matching the target IP address with the IP address in the preset malicious IP address library under the condition that the judgment result reflects that the request header information meets the preset legal request header information rule.
In one embodiment, the judging module includes a browser identification extracting unit and a judging unit. The browser identification extracting unit is used for extracting the browser identification from the user agent field information of the request header information. The judging unit is used for determining that the request header information meets the legal request header information rule when any one of the following holds: the browser identification matches a preset legal browser identification, the request header information includes the acceptance information of the client device, or the request header information includes a preset site access mark; otherwise, determining that the request header information does not satisfy the legal request header information rule.
In one embodiment, the apparatus 500 further comprises an update module. The updating module is used for adding the target JA3 fingerprint into the malicious JA3 fingerprint library and adding the target IP address into the malicious IP address library under the condition that the request header information does not meet the legal request header information rule.
In one embodiment, the apparatus 500 further comprises a response module. The response module is configured to, when the first matching result reflects that the malicious JA3 fingerprint library does not include the target JA3 fingerprint, the occurrence frequency is less than or equal to the preset frequency threshold, and the total number of occurrences is less than or equal to the preset number threshold, return service data corresponding to the current access request to the client device.
In one embodiment, the present application further provides a storage medium having stored therein computer-readable instructions, which, when executed by one or more processors, cause the one or more processors to perform the steps of the access request validation method as described in any one of the above embodiments.
In one embodiment, the present application further provides a server having stored therein computer readable instructions, which, when executed by one or more processors, cause the one or more processors to perform the steps of the access request validation method as described in any of the above embodiments.
Schematically, as shown in fig. 7, fig. 7 is a schematic internal structural diagram of a server according to an embodiment of the present application. Referring to fig. 7, server 900 includes a processing component 902 that further includes one or more processors and memory resources, represented by memory 901, for storing instructions, such as applications, that are executable by processing component 902. The application programs stored in memory 901 may include one or more modules that each correspond to a set of instructions. Further, the processing component 902 is configured to execute instructions to perform the access request validation method of any of the embodiments described above.
The server 900 may also include a power component 903 configured to perform power management of the server 900, a wired or wireless network interface 904 configured to connect the server 900 to a network, and an input/output (I/O) interface 905. The server 900 may operate based on an operating system stored in memory 901, such as Windows Server, Mac OS X™, Unix, Linux, FreeBSD™, or the like.
Those skilled in the art will appreciate that the internal structure of the computer device shown in the present application is a block diagram of only a portion of the structure associated with the embodiments of the present application, and does not constitute a limitation of the computer device to which the embodiments of the present application may be applied, and that a particular computer device may include more or fewer components than those shown in the drawings, or may combine certain components, or have a different arrangement of components.
Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element. As used herein, the terms "a," "an," and "the" can also include the plural forms, unless the context clearly indicates otherwise. Plural means at least two, such as 2, 3, 5 or 8, etc. "And/or" includes any and all combinations of the associated listed items.
The embodiments in the present description are described in a progressive manner, each embodiment focuses on differences from other embodiments, the embodiments may be combined as needed, and the same and similar parts may be referred to each other.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. An access request authentication method, the method comprising:
when a current access request sent by client equipment is received, acquiring secure socket protocol request information sent by the client equipment;
generating a target JA3 fingerprint of the current access request according to the secure socket protocol request information;
matching the target JA3 fingerprint with a JA3 fingerprint in a preset malicious JA3 fingerprint library to obtain a first matching result for reflecting whether the malicious JA3 fingerprint library comprises the target JA3 fingerprint;
acquiring a historical fingerprint database used for recording JA3 fingerprints corresponding to each historical access request, and determining the occurrence frequency and the total occurrence times of the target JA3 fingerprints in the historical fingerprint database;
if the first matching result reflects that the malicious JA3 fingerprint library comprises the target JA3 fingerprint, the occurrence frequency is greater than a preset frequency threshold, or the total number of occurrences is greater than a preset number threshold, discarding the current access request.
2. The access request verification method according to claim 1, wherein the step of matching the target JA3 fingerprint with a JA3 fingerprint in a preset malicious JA3 fingerprint library is preceded by the steps of:
acquiring a target IP address of the client equipment;
matching a target IP address with an IP address in a preset malicious IP address library to obtain a second matching result for reflecting whether the malicious IP address library comprises the target IP address;
if the second matching result reflects that the malicious IP address library comprises the target IP address, discarding the current access request;
the step of matching the target JA3 fingerprint with a JA3 fingerprint in a preset malicious JA3 fingerprint library comprises the following steps:
if the second matching result reflects that the malicious IP address library does not comprise the target IP address, matching the target JA3 fingerprint with JA3 fingerprints in the preset malicious JA3 fingerprint library;
the step of determining the frequency and total number of occurrences of the target JA3 fingerprint in the historical fingerprint repository comprises:
and if the second matching result reflects that the malicious IP address library does not comprise the target IP address, determining the occurrence frequency and the total occurrence times of the target JA3 fingerprint in the historical fingerprint library.
3. The method of claim 2, further comprising:
if the second matching result reflects that the malicious IP address library comprises the target IP address, adding the target JA3 fingerprint to the malicious JA3 fingerprint library.
4. The method of claim 2, wherein before the step of matching the target IP address with the IP addresses in the preset malicious IP address library, the method further comprises:
acquiring request header information of the current access request;
judging whether the request header information meets a preset legal request header information rule or not to obtain a judgment result;
if the judgment result reflects that the request header information does not meet the preset legal request header information rule, discarding the current access request;
the step of matching the target IP address with the IP address in a preset malicious IP address library comprises the following steps:
and if the judgment result reflects that the request header information meets a preset legal request header information rule, matching the target IP address with the IP address in the preset malicious IP address library.
5. The method according to claim 4, wherein the step of determining whether the request header information satisfies a predetermined legal request header information rule to obtain a determination result comprises:
extracting a browser identification from the user agent field information of the request header information;
if the browser identification matches a preset legal browser identification, or the request header information comprises acceptance information of the client device, or the request header information comprises a preset site access mark, determining that the request header information meets the legal request header information rule; otherwise, determining that the request header information does not satisfy the legal request header information rule.
6. The method of claim 5, further comprising:
if the request header information does not meet the legal request header information rule, adding the target JA3 fingerprint to the malicious JA3 fingerprint library, and adding the target IP address to the malicious IP address library.
7. The access request authentication method according to any one of claims 1 to 5, wherein the method further comprises:
if the first matching result reflects that the malicious JA3 fingerprint library does not comprise the target JA3 fingerprint, the occurrence frequency is less than or equal to the preset frequency threshold, and the total number of occurrences is less than or equal to the preset number threshold, returning the service data corresponding to the current access request to the client device.
8. An access request authentication apparatus, the apparatus comprising:
a secure socket protocol information acquisition module, configured to acquire secure socket protocol request information sent by a client device when a current access request sent by the client device is received;
a target JA3 fingerprint obtaining module, configured to generate a target JA3 fingerprint of the current access request according to the secure socket protocol request information;
the fingerprint matching module is used for matching the target JA3 fingerprint with JA3 fingerprints in a preset malicious JA3 fingerprint library to obtain a first matching result for reflecting whether the malicious JA3 fingerprint library comprises the target JA3 fingerprint or not;
the appearance frequency acquisition module is used for acquiring a historical fingerprint database used for recording JA3 fingerprints corresponding to each historical access request and determining the appearance frequency and the total appearance times of the target JA3 fingerprints in the historical fingerprint database;
a request verification module, configured to discard the current access request when the first matching result reflects that the malicious JA3 fingerprint library includes the target JA3 fingerprint, the occurrence frequency is greater than a preset frequency threshold, or the total number of occurrences is greater than a preset number threshold.
9. A storage medium, characterized by: the storage medium having stored therein computer-readable instructions which, when executed by one or more processors, cause the one or more processors to perform the steps of the access request validation method recited in any of claims 1-7.
10. A server, comprising: one or more processors, and a memory;
the memory has stored therein computer readable instructions which, when executed by the one or more processors, perform the steps of the access request validation method of any of claims 1 to 7.
CN202210536651.7A 2022-05-17 2022-05-17 Access request verification method, device, storage medium and server Active CN114928452B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210536651.7A CN114928452B (en) 2022-05-17 2022-05-17 Access request verification method, device, storage medium and server

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210536651.7A CN114928452B (en) 2022-05-17 2022-05-17 Access request verification method, device, storage medium and server

Publications (2)

Publication Number Publication Date
CN114928452A (en) 2022-08-19
CN114928452B (en) 2024-02-13

Family

ID=82808249

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210536651.7A Active CN114928452B (en) 2022-05-17 2022-05-17 Access request verification method, device, storage medium and server

Country Status (1)

Country Link
CN (1) CN114928452B (en)

Patent Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180255075A1 (en) * 2017-03-06 2018-09-06 International Business Machines Corporation Creating a Multi-Dimensional Host Fingerprint for Optimizing Reputation for IPV6
CN107426181A (en) * 2017-06-20 2017-12-01 竞技世界(北京)网络技术有限公司 The hold-up interception method and device of malice web access request
CN110213208A (en) * 2018-05-09 2019-09-06 腾讯科技(深圳)有限公司 A kind of method and apparatus and storage medium of processing request
CN110858831A (en) * 2018-08-22 2020-03-03 阿里巴巴集团控股有限公司 Safety protection method and device and safety protection equipment
WO2021187782A1 (en) * 2020-03-18 2021-09-23 (주)수산아이앤티 Method for detecting malicious traffic and device therefor
CN113452656A (en) * 2020-03-26 2021-09-28 百度在线网络技术(北京)有限公司 Method and device for identifying abnormal behaviors
CN111310187A (en) * 2020-04-01 2020-06-19 深信服科技股份有限公司 Malicious software detection method and device, electronic equipment and storage medium
CN112019575A (en) * 2020-10-22 2020-12-01 腾讯科技(深圳)有限公司 Data packet processing method and device, computer equipment and storage medium
CN113132406A (en) * 2021-04-29 2021-07-16 山东云天安全技术有限公司 Detection method, device and medium for discovering network threat based on SSH flow

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116756716A (en) * 2023-06-20 2023-09-15 天津篱上青桑智能科技有限公司 Security verification method, system, equipment and storage medium based on big data
CN116756716B (en) * 2023-06-20 2024-03-22 广东笑翠鸟教育科技有限公司 Security verification method, system, equipment and storage medium based on big data

Also Published As

Publication number Publication date
CN114928452B (en) 2024-02-13

Similar Documents

Publication Publication Date Title
CN109951500B (en) Network attack detection method and device
CN105939326B (en) Method and device for processing message
US9807092B1 (en) Systems and methods for classification of internet devices as hostile or benign
RU2536663C2 (en) System and method of protecting cloud infrastructure from illegal use
US8732472B2 (en) System and method for verification of digital certificates
EP3264720B1 (en) Using dns communications to filter domain names
US9531749B2 (en) Prevention of query overloading in a server application
CN106302328B (en) Sensitive user data processing system and method
US11316681B2 (en) User identity authentication method and device, readable storage medium and computer equipment
US10574658B2 (en) Information security apparatus and methods for credential dump authenticity verification
CN111756728B (en) Vulnerability attack detection method and device, computing equipment and storage medium
CN106209907B (en) Method and device for detecting malicious attack
CN112367338A (en) Malicious request detection method and device
CN110943840A (en) Signature verification method and system
CN114928452B (en) Access request verification method, device, storage medium and server
CN107786489B (en) Access request verification method and device
CN109547427B (en) Blacklist user identification method and device, computer equipment and storage medium
US11677765B1 (en) Distributed denial of service attack mitigation
US20190124111A1 (en) Responding and processing method for dnssec negative response
CN112751804A (en) Method, device and equipment for identifying counterfeit domain name
US10956543B2 (en) System and method for protecting online resources against guided username guessing attacks
Atighetchi et al. Attribute-based prevention of phishing attacks
CN107770183B (en) Data transmission method and device
CN111147625B (en) Method, device and storage medium for acquiring local external network IP address
Chiba et al. Botprofiler: Profiling variability of substrings in http requests to detect malware-infected hosts

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant