CN116248329A - Anti-brute-force cracking method, terminal device and storage medium - Google Patents

Info

Publication number: CN116248329A
Authority: CN (China)
Prior art keywords: login, cracking, login information, brute force, source
Legal status: Pending (as listed by Google Patents, which notes that the status is an assumption and not a legal conclusion)
Application number: CN202211618634.4A
Other languages: Chinese (zh)
Inventors: 秦良骏, 陈奋, 陈荣有, 龚利军, 孙晓波
Current assignee: Xiamen Fuyun Information Technology Co ltd
Original assignee: Xiamen Fuyun Information Technology Co ltd
Application filed by: Xiamen Fuyun Information Technology Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/144 Detection or countermeasures against botnets
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The invention relates to an anti-brute-force cracking method, a terminal device and a storage medium. The method comprises the following steps: S1: configuring a security policy; S2: parsing the protocol according to the protocol parsing mode corresponding to the configured security policy, to obtain the corresponding login information; S3: based on the configured security policy and the parsed login information, applying different anti-brute-force cracking algorithms for real-time detection, and judging whether the login information indicates brute-force cracking. The invention combines multiple detection algorithms, can effectively improve the server's ability to resist brute-force cracking, and, once brute-force cracking is detected, can alarm the user in time and intercept the attacker.

Description

Anti-brute-force cracking method, terminal device and storage medium
Technical Field
The present invention relates to the field of computer security technologies, and in particular to an anti-brute-force cracking method, a terminal device, and a storage medium.
Background
With the development of the Internet, a large number of easy-to-use hacking tools have appeared, the threshold for any hacking technique has dropped greatly, and producing a brute-force cracking tool is very easy. Brute-force cracking is technically unsophisticated: candidate passwords are tried one by one until the correct one is found, so this mode of cracking has a low probability of success and takes a long time. In real networks, however, even though many servers are protected layer by layer, an attacker who simply adjusts the attack pattern can still use brute-force cracking to break through quickly.
Existing servers resist brute-force cracking mainly by the following means:
1) Limiting bandwidth, which narrows the path from outside to inside and delays the attacker's cracking process;
2) Setting a security policy that limits connection frequency: the number of connections allowed for the same user in a specific time period is defined, and connections are refused once that number is exceeded;
3) Setting a security policy that limits the number of trial-and-error attempts: after a user's password attempts exceed a prescribed number, that user's connections are rejected for a short period of time.
Against these anti-brute-force measures, an attacker often launches distributed brute-force cracking at the target: many zombie computers attack the target at the same time while the attacker keeps the attack frequency under control, which makes limiting the brute-force cracking difficult.
Disclosure of Invention
To solve these problems, the invention provides an anti-brute-force cracking method, a terminal device and a storage medium.
The specific scheme is as follows:
An anti-brute-force cracking method, comprising the steps of:
S1: configuring a security policy;
S2: parsing the protocol according to the protocol parsing mode corresponding to the configured security policy, to obtain the corresponding login information;
S3: based on the configured security policy and the parsed login information, applying different anti-brute-force cracking algorithms for real-time detection, and judging whether the login information indicates brute-force cracking.
Further, the security policy is configured in the cloud and then downloaded to the client, where it takes effect.
Further, the security policy includes: configuring the monitoring port, configuring the time period, configuring the failed-login count threshold, configuring the distributed-attack time period, configuring the distributed-attack failed-login count, configuring whether to alarm, configuring whether to intercept and the interception duration, and configuring the protocol parsing mode.
Further, the protocol parsing mode comprises a packet-capture mode and a log mode;
the parsing process of the packet-capture mode comprises: establishing a raw socket, setting BPF filter rules on the raw socket, parsing the network packet header to obtain the data type, and capturing network packets whose data type is 0x0800 or 0x86dd; parsing the captured network packets and extracting login information;
the parsing process of the log mode comprises: obtaining the log file storage path of a service from the service's configuration file; parsing the obtained log file and extracting login information.
Further, the login information includes a login user name, a source ip address, a source port, a destination ip address, and a destination port.
Further, the anti-brute-force cracking algorithm comprises an anti-brute-force cracking algorithm for a single attacker, comprising the following steps:
S301: extracting the following parameters from the configured security policy and the parsed login information: time period, failed-login count threshold, login user name, source ip address and source port;
S302: constructing two cache dictionary tables: dictionary table 1, keyed by source ip and port with the login user name as value; and dictionary table 2, keyed by source ip with the login count of each login user name as value;
S303: clearing the contents of dictionary table 2 at regular intervals equal to the configured time period;
S304: based on the parsed login information, looking up whether dictionary table 1 contains a key equal to the source ip and port in the login information; if so, updating the corresponding value to the login user name in the login information; otherwise, adding an entry to dictionary table 1 with the source ip and port as key and the login user name as value;
S305: based on the parsed login information, looking up whether dictionary table 2 contains a key equal to the source ip in the login information; if so, adding 1 to the login count of that login user name in the corresponding value and proceeding to S306; otherwise, adding an entry to dictionary table 2 with the source ip as key and the login count of the login user name set to 1, then proceeding to S306;
S306: judging whether the login count of the login user name for the source ip in dictionary table 2 is greater than the failed-login count threshold; if so, generating an alarm and intercepting.
Further, the alarm content comprises: the time at which the brute-force cracking behaviour occurred, the login user name, the attacker ip address, the attacker port, the attacker ip address and the attacker port.
Further, the interception obtains the source ip address from the login information and writes an interception rule for that ip address into the system firewall policy; the system firewall policy is then queried regularly according to the configured interception duration, and once the interception duration has elapsed the ip address interception rule is deleted from the firewall policy, which unblocks the address.
Further, the anti-brute-force cracking algorithm includes an anti-brute-force cracking algorithm for distributed attackers, comprising: extracting parameters from the configured security policy: the time period and the failed-login count threshold; judging whether the sum of failed logins from multiple IPs in the time period is greater than the failed-login count threshold; if so, generating an alarm and intercepting.
Further, the anti-brute-force cracking algorithm includes an anti-brute-force cracking algorithm for distributed attackers, comprising: classifying and caching the currently collected failed-login logs by ip; when the set time threshold is reached, reading all failed-login logs of each ip from the cache and identifying whether they constitute brute-force cracking according to the single-attacker brute-force detection algorithm.
An anti-brute-force cracking terminal device comprises a processor, a memory and a computer program stored in the memory and runnable on the processor, wherein the processor, when executing the computer program, implements the steps of the method according to the embodiment of the invention.
A computer-readable storage medium stores a computer program which, when executed by a processor, implements the steps of the method of the embodiment of the invention described above.
By adopting this technical scheme, brute-force cracking behaviour can be found in time through the combination of multiple detection means and algorithms, the user is notified, and the attacker is automatically intercepted and blocked.
Drawings
Fig. 1 is a flowchart of the first embodiment of the present invention.
Fig. 2 is a flowchart of the anti-brute-force cracking algorithm for a single attacker in this embodiment.
Fig. 3 is a flowchart of the anti-brute-force cracking algorithm for distributed attackers in this embodiment.
Detailed Description
To further illustrate the various embodiments, the invention is provided with accompanying drawings. The drawings, which are incorporated in and constitute a part of this disclosure, illustrate embodiments and, together with the description, serve to explain the principles of the embodiments. With reference to them, one of ordinary skill in the art will understand other possible embodiments and advantages of the present invention.
The invention will now be further described with reference to the drawings and the detailed description.
Embodiment one:
The embodiment of the invention provides an anti-brute-force cracking method, as shown in Fig. 1, comprising the following steps:
S1: configuring a security policy.
In this embodiment, the security policy is configured in the cloud and then downloaded to the client, which makes it convenient to configure many clients at the same time.
The security policy configured in this embodiment includes:
■ Configuring the monitoring ports: the service ports to monitor are configured, so that several service ports can be monitored simultaneously for packet capture and parsing; this applies to both host and docker environments;
■ Configuring the time period: the time period within which connections of the same user are counted;
■ Configuring the failed-login count threshold: the threshold for failed logins of the same user; if it is exceeded, the user is intercepted and blocked;
■ Configuring the distributed-attack time period: the time period over which connections are counted for distributed-attack detection;
■ Configuring the distributed-attack failed-login count: the number of failed logins used for distributed-attack detection;
■ Configuring whether to alarm: when brute-force cracking is detected, the user can choose among several alarm modes, including logs, SMS messages, e-mails and the like;
■ Configuring whether to intercept, and the interception duration: when brute-force cracking is detected, the system intercepts and blocks the attacking ip for the configured period, after which the ip is unblocked;
■ Configuring the protocol parsing mode: parsing can use either packet-capture mode or log mode.
S2: and resolving the protocol according to a protocol resolving mode corresponding to the configured security policy to obtain corresponding login information.
According to the configured protocol analysis mode, the embodiment supports analysis of a packet grabbing mode and a log mode. The two analysis modes can respectively cope with different system environments, and when the network environment is relatively simple, the requirement on system response is higher, and a packet grabbing mode can be adopted; when the network environment is complex, the requirement on the system response is low, and a log mode can be adopted.
(1) Bag grabbing mode
■ Establishing an original socket, setting bpf filter rules (namely configured monitoring ports) on the original socket, analyzing a network data packet head to obtain data types, and capturing network data packets with the data types of 0x0800 and 0x86 dd;
■ And analyzing the captured network data packet and extracting login information. The login information comprises login user name, source ip address, source port, destination ip address, destination port and other information.
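The packet-capture steps above stop at the transport layer, before any application-protocol parsing. The following Python example is added here and is not the patent's or the assignee's code: it reads the EtherType, keeps only 0x0800 (IPv4) and 0x86dd (IPv6) frames as the described filter does, extracts the source and destination ip and port from the IP and TCP headers, and then applies the monitored-port filter in user space (in a deployment that filter is attached to the raw socket as BPF, so only matching packets reach the program). The `Endpoint4Tuple` class, the frame-building helpers and the sample addresses are this example's own constructions; the login user name is application-layer data and is left to a protocol-specific parser.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

ETHERTYPE_IPV4 = 0x0800   # the two EtherTypes the patent captures
ETHERTYPE_IPV6 = 0x86DD
IPPROTO_TCP = 6


@dataclass(frozen=True)
class Endpoint4Tuple:
    """Address part of the login information; the user name is added later
    by the protocol-specific parser."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_frame(frame: bytes) -> Optional[Endpoint4Tuple]:
    """Parse Ethernet + IPv4/IPv6 + TCP headers. Returns None for frames the
    capture filter would not pass (other EtherTypes, non-TCP, truncated)."""
    if len(frame) < 14:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    payload = frame[14:]
    if ethertype == ETHERTYPE_IPV4:
        if len(payload) < 20:
            return None
        ihl = (payload[0] & 0x0F) * 4          # header length in bytes
        if ihl < 20:
            return None                        # malformed header
        proto = payload[9]
        src_ip = socket.inet_ntop(socket.AF_INET, payload[12:16])
        dst_ip = socket.inet_ntop(socket.AF_INET, payload[16:20])
        l4 = payload[ihl:]
    elif ethertype == ETHERTYPE_IPV6:
        if len(payload) < 40:
            return None
        proto = payload[6]                     # Next Header
        src_ip = socket.inet_ntop(socket.AF_INET6, payload[8:24])
        dst_ip = socket.inet_ntop(socket.AF_INET6, payload[24:40])
        l4 = payload[40:]                      # extension headers not handled here
    else:
        return None                            # ARP, VLAN-tagged frames, etc.
    if proto != IPPROTO_TCP or len(l4) < 4:
        return None
    src_port, dst_port = struct.unpack("!HH", l4[:4])
    return Endpoint4Tuple(src_ip, src_port, dst_ip, dst_port)


def capture(frames: Iterable[bytes], monitored_ports: Set[int]) -> List[Endpoint4Tuple]:
    """User-space equivalent of the BPF filter: keep only TCP packets addressed
    to one of the configured monitoring ports."""
    out = []
    for f in frames:
        t = parse_frame(f)
        if t is not None and t.dst_port in monitored_ports:
            out.append(t)
    return out


# --- constructed test frames (not captured traffic) -------------------------
def _tcp_header(src_port: int, dst_port: int) -> bytes:
    # seq/ack 0, data offset 5, SYN flag, window 65535, checksum/urgent 0
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def build_ipv4_tcp_frame(src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bytes:
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, IPPROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + _tcp_header(src_port, dst_port)


def build_ipv6_tcp_frame(src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bytes:
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV6)
    ip6 = struct.pack("!IHBB16s16s", 0x60000000, 20, IPPROTO_TCP, 64,
                      socket.inet_pton(socket.AF_INET6, src_ip),
                      socket.inet_pton(socket.AF_INET6, dst_ip))
    return eth + ip6 + _tcp_header(src_port, dst_port)


def build_arp_frame() -> bytes:
    return b"\x00" * 12 + struct.pack("!H", 0x0806) + b"\x00" * 28


if __name__ == "__main__":
    frames = [
        build_ipv4_tcp_frame("203.0.113.7", 51234, "192.0.2.10", 22),
        build_ipv6_tcp_frame("2001:db8::7", 40000, "2001:db8::10", 22),
        build_ipv4_tcp_frame("203.0.113.8", 51300, "192.0.2.10", 8080),  # not monitored
        build_arp_frame(),
    ]
    for t in capture(frames, {22}):
        print(t)
```

Only frames addressed to a monitored port come back, and anything that is not IPv4/IPv6 over TCP is dropped before the address fields are read, so the later detection stage never sees a half-parsed record.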
(2) Log mode
■ Obtain the log file storage path of the service from the service's configuration file;
■ Parse the obtained log file in real time and extract login information.
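The two log-mode steps above (locate the log file from the service configuration, then parse its lines) are shown in the following Python example, which is added here and is not the patent's code. It uses the message format of OpenSSH's sshd authentication log as the service being parsed, reads the path from a constructed INI-style service configuration (the `[service]` section and the `log_file` key are assumptions, not a real sshd setting), and fills the destination ip and port from the monitored-port configuration, because the log lines themselves only carry the source side. The log lines are constructed for the example.

```python
import configparser
import re
from dataclasses import dataclass
from typing import List, Optional

# OpenSSH sshd authentication messages; other services need their own pattern.
_SSHD_AUTH = re.compile(
    r"(?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


@dataclass(frozen=True)
class LoginInfo:
    user: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    success: bool


def log_path_from_config(config_text: str, section: str = "service") -> str:
    """Step 1 of log mode: read the log file path out of the service's
    configuration. The INI layout and the 'log_file' key are assumptions."""
    cfg = configparser.ConfigParser()
    cfg.read_string(config_text)
    return cfg[section]["log_file"]


def parse_auth_line(line: str, dst_ip: str, dst_port: int) -> Optional[LoginInfo]:
    """Step 2: extract login information from one log line. Lines that are not
    login events (session opened/closed, etc.) return None."""
    m = _SSHD_AUTH.search(line)
    if m is None:
        return None
    return LoginInfo(m["user"], m["ip"], int(m["port"]), dst_ip, dst_port,
                     success=(m["result"] == "Accepted"))


# --- constructed sample input (not a real host's configuration or log) ------
CONSTRUCTED_CONFIG = """
[service]
name = sshd
listen_port = 22
log_file = /var/log/auth.log
"""

CONSTRUCTED_LINES = [
    "Dec 15 10:01:02 host sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    "Dec 15 10:01:04 host sshd[1234]: Failed password for root from 203.0.113.7 port 51240 ssh2",
    "Dec 15 10:01:09 host sshd[1300]: Accepted publickey for alice from 192.0.2.55 port 40022 ssh2: ED25519 SHA256:<fingerprint>",
    "Dec 15 10:01:10 host sshd[1300]: pam_unix(sshd:session): session opened for user alice",
]


def parse_constructed_lines() -> List[LoginInfo]:
    """Run every sample line through the parser, keeping only login events."""
    return [info for info in (parse_auth_line(l, "192.0.2.10", 22) for l in CONSTRUCTED_LINES)
            if info is not None]


if __name__ == "__main__":
    print("log file:", log_path_from_config(CONSTRUCTED_CONFIG))
    for info in parse_constructed_lines():
        print(info)
```

In real-time operation the program follows the file as it grows (tail-style) and passes each new line to `parse_auth_line`; lines that do not match fall through as `None`, so the detection stage only receives complete login records.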
S3: based on the configured security policy and the parsed login information, different anti-riot cracking algorithms are respectively adopted to detect in real time, and whether the login information is cracked by violence or not is judged.
In this embodiment, two anti-riot cracking algorithms are provided, namely an anti-riot cracking algorithm for a single attacker and an anti-riot cracking algorithm for distributed attackers. The embodiment combines the two anti-riot cracking algorithms to perform real-time detection, so that high operation and low delay can be realized, and the anti-riot cracking capability of the system is effectively improved.
(1) As shown in fig. 2, the single attacker's anti-riot cracking algorithm comprises the following steps:
s301: extracting the following parameters based on the configured security policy and the parsed login information: time period, failure login frequency threshold value, login user name, source ip address and source port;
s302: two cache dictionary tables are constructed, namely: dictionary table 1 with source ip port as key and login user name as value, dictionary table 2 with source ip as key and login user name login times as value;
s303: cleaning the databank of the dictionary table 2 at regular time according to the time interval corresponding to the time period;
s304: based on the analyzed login information, searching whether a key exists in the dictionary table 1 as a source ip port in the login information, and if so, updating a corresponding value into a login user name in the login information; otherwise, the source ip port in the login information is used as a key, and the login user name in the login information is used as a value to be added to the dictionary table 1;
s305: based on the analyzed login information, searching whether a key exists in the dictionary table 2 as a source ip in the login information, if so, adding 1 to login times of login user names in the corresponding value, and entering S316; otherwise, the source ip in the login information is used as a key, the value of the login times of the login user name in the value is set to be 1, and then the value is added to the dictionary table 2, and the S316 is entered;
s306: judging whether the login times of the login user names corresponding to the source ip in the login information in the dictionary table 2 are larger than a threshold value of the failed login times, and if so, generating an alarm and intercepting.
(2) Referring to fig. 3, the main flow of the anti-riot cracking algorithm for distributed aggressors is as follows:
the distributed violent cracking can be performed by a plurality of computers to launch attacks on the target server in a short time, and an attacker can control a certain attack frequency in order to bypass the security policy, for example, each computer attacks once at intervals of a plurality of seconds, so that the violent cracking algorithm of a single attacker can be invalid. From the practical attack result, a large number of failed log entries of different ips are generated in a short time, and the log entries are repeated after a certain frequency interval. Therefore, when detecting data, if the sum of a plurality of ip failed logins exceeds the threshold of the failed logins in a set time period, the distributed violent cracking can be considered to be currently carried out, and the warning and interception can be carried out. However, if the attacker controls the distributed brute force cracking force (i.e. the number of attacking computers), multiple user names are adopted to crack simultaneously, and at this time, the total threshold value of the failed login times of multiple ips may not be reached, so that the currently acquired failed login logs need to be classified and cached according to ips, and when the preset time threshold value is reached, all the failed login logs of each ip are read from the cache, and whether the identification is brute force cracking is performed according to a single attacker brute force cracking detection algorithm.
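The single-attacker algorithm in (1) and the distributed algorithm in (2) share the same login record and the same dictionary-table logic, so the following Python example, added here and not the patent's code, implements both: `SingleAttackerDetector` keeps the two dictionary tables of steps S301 to S306, and `DistributedDetector` applies the failed-login sum check and then, when the distributed time period elapses, replays each ip's cached failed logins through the single-attacker algorithm. Only failed logins are counted, which is how the description's failed-login threshold reads. The class and field names, the `kind` label on alerts, the timestamp-driven table clean-up in place of the patent's timer, and the sample addresses are this example's assumptions; alarm delivery and firewall interception are outside this block.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class LoginInfo:
    ts: float          # event time in seconds; the rest is the S2 login information
    user: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    success: bool


@dataclass(frozen=True)
class Alert:
    kind: str  # "single" or "distributed"; this label is the example's, not the patent's
    ts: float
    user: str
    src_ip: str
    src_port: int


class SingleAttackerDetector:
    """Fig. 2: table1 maps (src_ip, src_port) -> user (S304); table2 maps src_ip ->
    {user: failed count} (S305) and is cleared once per period (S303, by event time)."""

    def __init__(self, period: float, threshold: int) -> None:
        self.period, self.threshold = period, threshold
        self.table1: Dict[Tuple[str, int], str] = {}
        self.table2: Dict[str, Dict[str, int]] = {}
        self.window_start: Optional[float] = None

    def observe(self, info: LoginInfo) -> Optional[Alert]:
        if self.window_start is None or info.ts - self.window_start >= self.period:
            self.table2.clear()                                        # S303
            self.window_start = info.ts
        if info.success:
            return None                    # only failed logins count toward the threshold
        self.table1[(info.src_ip, info.src_port)] = info.user          # S304
        counts = self.table2.setdefault(info.src_ip, {})               # S305
        counts[info.user] = counts.get(info.user, 0) + 1
        if counts[info.user] > self.threshold:                         # S306
            return Alert("single", info.ts, info.user, info.src_ip, info.src_port)
        return None


class DistributedDetector:
    """Fig. 3: (a) alert when the sum of failed logins over all source ips within the
    distributed period exceeds the distributed threshold; (b) cache failed logins per
    ip and, when the period elapses, replay each ip through the single-attacker
    algorithm using the longer distributed period."""

    def __init__(self, period: float, threshold: int, single_threshold: int) -> None:
        self.period, self.threshold, self.single_threshold = period, threshold, single_threshold
        self.cache: Dict[str, List[LoginInfo]] = defaultdict(list)
        self.window_start: Optional[float] = None

    def observe(self, info: LoginInfo) -> List[Alert]:
        if info.success:
            return []
        if self.window_start is None:
            self.window_start = info.ts
        self.cache[info.src_ip].append(info)
        if sum(len(v) for v in self.cache.values()) > self.threshold:   # check (a)
            alerts = [Alert("distributed", info.ts, v[-1].user, ip, v[-1].src_port)
                      for ip, v in self.cache.items()]
        elif info.ts - self.window_start >= self.period:                # check (b)
            alerts = self._replay_cache()
        else:
            return []
        self.cache.clear()                 # the window is consumed either way
        self.window_start = None
        return alerts

    def _replay_cache(self) -> List[Alert]:
        alerts: List[Alert] = []
        for entries in self.cache.values():
            single = SingleAttackerDetector(self.period, self.single_threshold)
            for alert in filter(None, map(single.observe, entries)):
                alerts.append(alert)       # one alert per ip is enough to intercept it
                break
        return alerts


def _failed(ts: float, user: str, ip: str, port: int = 50000) -> LoginInfo:
    return LoginInfo(ts, user, ip, port, "192.0.2.10", 22, False)   # constructed sample event


def scenario_slow_attacker() -> Tuple[List[Alert], List[Alert]]:
    """One ip fails every 10 s for a minute: an online single-attacker detector with a
    10 s period never counts past one and the distributed sum stays at 9, but the
    per-ip replay over the 60 s period exposes the six failures."""
    events = sorted([_failed(t, "root", "203.0.113.7") for t in range(0, 60, 10)]
                    + [_failed(t, "admin", "203.0.113.8") for t in (5, 15, 60)],
                    key=lambda e: e.ts)
    online = SingleAttackerDetector(period=10, threshold=5)
    dist = DistributedDetector(period=60, threshold=10, single_threshold=5)
    online_alerts = [a for a in map(online.observe, events) if a]
    replay_alerts: List[Alert] = []
    for e in events:
        replay_alerts += dist.observe(e)
    return online_alerts, replay_alerts
```

`scenario_slow_attacker` is the case the description singles out: a source that keeps each short window under the threshold is invisible to the per-period tables alone, and only the per-ip cache replayed over the longer distributed period produces the alert. Feeding the same detector eleven single failures from eleven different addresses within the period trips check (a) instead.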
When the system detects brute-force cracking behaviour, the user can be informed in time by alarm logs, SMS messages, e-mails and the like according to the user's configuration. The alarm content comprises: the time at which the brute-force cracking behaviour occurred, the login user name, the attacker ip address, the attacker port and other details.
When the system detects brute-force cracking behaviour, the attacker can be blocked and intercepted according to the user's configuration; the main steps are as follows:
■ Obtain the attacker ip address, namely the source ip address in the login information, and write an interception rule for that ip address into the system firewall policy;
■ Query the system firewall policy regularly according to the configured interception duration, and once the interception duration has elapsed, delete the ip address rule from the firewall policy, which unblocks the address.
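The two interception steps above, as an added Python example that is not the patent's own code: `FirewallBlocker.block` writes a per-address drop rule and records when it expires, and `FirewallBlocker.sweep` is the regular check that deletes rules whose interception duration has elapsed. The iptables/ip6tables command syntax is an assumption (the patent only says "firewall policy"), the commands are handed to a caller-supplied `runner` rather than executed, and the addresses and timeline are constructed. Source addresses are validated with the `ipaddress` module before they are placed in a rule, and a repeat alert for an address that is already blocked only refreshes its expiry instead of inserting a duplicate rule.

```python
import ipaddress
from typing import Callable, Dict, List

Command = List[str]


class FirewallBlocker:
    """Intercept an attacker ip for a fixed duration, then unblock it."""

    def __init__(self, duration: float, runner: Callable[[Command], None]) -> None:
        self.duration = duration             # configured interception duration, seconds
        self.runner = runner                 # executes one firewall command (e.g. subprocess.run)
        self.expiry: Dict[str, float] = {}   # ip -> time at which to unblock

    @staticmethod
    def _rule(action: str, ip: str) -> Command:
        # Assumed iptables/ip6tables syntax; the patent does not name the firewall.
        addr = ipaddress.ip_address(ip)      # raises ValueError for anything that is not an address
        tool = "ip6tables" if addr.version == 6 else "iptables"
        return [tool, action, "INPUT", "-s", str(addr), "-j", "DROP"]

    def block(self, ip: str, now: float) -> bool:
        """Write the interception rule for the source ip of an alert. Returns False
        when the ip is already blocked; its expiry is then only refreshed."""
        ip = str(ipaddress.ip_address(ip))   # canonical form, so "2001:DB8::7" == "2001:db8::7"
        already = ip in self.expiry
        self.expiry[ip] = now + self.duration
        if not already:
            self.runner(self._rule("-I", ip))
        return not already

    def sweep(self, now: float) -> List[str]:
        """The regular query of the firewall policy: delete every rule whose
        interception duration has elapsed and return the unblocked ips."""
        expired = [ip for ip, until in self.expiry.items() if now >= until]
        for ip in expired:
            self.runner(self._rule("-D", ip))
            del self.expiry[ip]
        return expired


def demo() -> List[Command]:
    """Constructed timeline with a 600 s interception duration; returns the commands
    that would have been run, in order."""
    executed: List[Command] = []
    fw = FirewallBlocker(duration=600, runner=executed.append)
    fw.block("203.0.113.7", now=0)
    fw.block("203.0.113.7", now=100)     # repeat alert: expiry moves to 700, no new rule
    fw.block("2001:db8::7", now=200)     # IPv6 attacker goes to ip6tables
    fw.sweep(now=500)                    # nothing has expired yet
    fw.sweep(now=700)                    # 203.0.113.7 unblocked
    fw.sweep(now=800)                    # 2001:db8::7 unblocked
    return executed


if __name__ == "__main__":
    for cmd in demo():
        print(" ".join(cmd))
```

Keeping the expiry table in the program rather than relying on the firewall's own rule listing means the sweep is a dictionary scan; if the process restarts, the table should be rebuilt from the firewall policy so that rules written before the restart are still removed on time.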
The embodiment of the invention combines multiple detection algorithms, can effectively improve the server's ability to resist brute-force cracking, alarms users in time and intercepts attackers once brute-force cracking is detected, can automate the whole flow, and meets the current market demand for such products.
Embodiment two:
The invention also provides an anti-brute-force cracking terminal device, which comprises a memory, a processor and a computer program stored in the memory and runnable on the processor, wherein the processor, when executing the computer program, implements the steps of the method of the first embodiment.
Further, as an executable scheme, the anti-brute-force cracking terminal device may be a computing device such as a desktop computer, a notebook computer, a palmtop computer or a cloud server. The device may include, but is not limited to, a processor and a memory. Those skilled in the art will appreciate that this composition is merely an example of the device and does not limit it; the device may include more or fewer components than those listed, combine some components, or use different components; for example, it may further include input/output devices, network access devices, buses and the like, which the embodiment of the present invention does not limit.
Further, as an implementation, the processor may be a central processing unit (CPU), another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, and so on. The general-purpose processor may be a microprocessor or any conventional processor; it is the control centre of the anti-brute-force cracking terminal device and connects the parts of the whole device through various interfaces and lines.
The memory may be used to store the computer program and/or modules, and the processor implements the various functions of the anti-brute-force cracking terminal device by running or executing the computer program and/or modules stored in the memory and invoking data stored in the memory. The memory may mainly include a program storage area and a data storage area: the program storage area may store an operating system and at least one application program required for a function; the data storage area may store data created according to the use of the cellular phone, and so on. In addition, the memory may include high-speed random access memory and may also include non-volatile memory, such as a hard disk, memory, plug-in hard disk, Smart Media Card (SMC), Secure Digital (SD) card, Flash Card, at least one disk storage device, flash memory device, or other volatile solid-state storage device.
The present invention also provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the above-described method of an embodiment of the present invention.
The modules/units integrated in the anti-brute-force cracking terminal device may be stored in a computer-readable storage medium if implemented as software functional units and sold or used as a stand-alone product. Based on this understanding, the present invention may implement all or part of the flow of the method of the above embodiment through a computer program that instructs related hardware; the computer program may be stored in a computer-readable storage medium and, when executed by a processor, implements the steps of each of the method embodiments described above. The computer program comprises computer program code, which may be in source code form, object code form, an executable file, or some intermediate form. The computer-readable medium may include: any entity or device capable of carrying the computer program code, a recording medium, a USB flash drive, a removable hard disk, a magnetic disk, an optical disk, a computer memory, a read-only memory (ROM), a random access memory (RAM), a software distribution medium, and so forth.
While the invention has been particularly shown and described with reference to a preferred embodiment, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (12)

1. An anti-brute-force cracking method, comprising the steps of:
S1: configuring a security policy;
S2: parsing the protocol according to the protocol parsing mode corresponding to the configured security policy, to obtain the corresponding login information;
S3: based on the configured security policy and the parsed login information, applying different anti-brute-force cracking algorithms for real-time detection, and judging whether the login information indicates brute-force cracking.
2. The method of claim 1, wherein the security policy is configured in the cloud and then downloaded to the client.
3. The method of claim 1, wherein the security policy includes: configuring the monitoring port, configuring the time period, configuring the failed-login count threshold, configuring the distributed-attack time period, configuring the distributed-attack failed-login count, configuring whether to alarm, configuring whether to intercept and the interception duration, and configuring the protocol parsing mode.
4. The method of claim 1, wherein the protocol parsing mode comprises a packet-capture mode and a log mode;
the parsing process of the packet-capture mode comprises: establishing a raw socket, setting BPF filter rules on the raw socket, parsing the network packet header to obtain the data type, and capturing network packets whose data type is 0x0800 or 0x86dd; parsing the captured network packets and extracting login information;
the parsing process of the log mode comprises: obtaining the log file storage path of a service from the service's configuration file; parsing the obtained log file and extracting login information.
5. The method of claim 1, wherein the login information includes a login user name, a source ip address, a source port, a destination ip address, and a destination port.
6. The method of claim 1, wherein: the anti-brute-force cracking algorithm comprises an anti-brute-force cracking algorithm for a single attacker, comprising the following steps:
S301: extracting the following parameters from the configured security policy and the parsed login information: time period, failed-login count threshold, login user name, source ip address and source port;
S302: constructing two cache dictionary tables, namely dictionary table 1, keyed by source ip and port with the login user name as value, and dictionary table 2, keyed by source ip with the login counts of the login user names as value;
S303: clearing the data of dictionary table 2 at regular intervals equal to the time period;
S304: based on the parsed login information, checking whether a key equal to the source ip and port of the login information exists in dictionary table 1; if so, updating the corresponding value to the login user name of the login information; otherwise, adding an entry to dictionary table 1 with the source ip and port of the login information as key and the login user name of the login information as value;
S305: based on the parsed login information, checking whether a key equal to the source ip of the login information exists in dictionary table 2; if so, adding 1 to the login count of the login user name in the corresponding value and proceeding to S306; otherwise, adding an entry to dictionary table 2 with the source ip of the login information as key and the login count of the login user name in the value set to 1, and proceeding to S306;
S306: judging whether the login count of the login user name corresponding to the source ip of the login information in dictionary table 2 exceeds the failed-login count threshold, and if so, generating an alarm and intercepting.
7. The method of claim 6, wherein: the content of the alarm includes: the time at which the brute-force cracking behaviour occurred, the login user name, the attacker ip address, the attacker port, the attacker ip address and the attacker port.
8. The method of claim 6, wherein: the interception mode is as follows: obtaining the source ip address from the login information and writing an interception rule for that ip address into the system firewall policy; and querying the system firewall policy periodically according to the set interception duration, and once the interception duration has elapsed, deleting the ip address interception rule from the firewall policy so as to unblock it.
9. The method of claim 1, wherein: the anti-brute-force cracking algorithm comprises an anti-brute-force cracking algorithm for a distributed attacker, comprising: extracting parameters from the configured security policy: time period and failed-login count threshold; judging whether the sum of the failed login counts of a plurality of ips within the time period exceeds the failed-login count threshold, and if so, generating an alarm and intercepting.
10. The method of claim 1, wherein: the anti-brute-force cracking algorithm comprises an anti-brute-force cracking algorithm for a distributed attacker, comprising: classifying and caching the currently collected failed-login logs by ip, and, when a set time threshold is reached, reading all failed-login logs of each ip from the cache and identifying whether they constitute brute-force cracking according to the single-attacker brute-force cracking detection algorithm.
11. An anti-brute-force cracking terminal device, characterized in that: it comprises a processor, a memory and a computer program stored in the memory and runnable on the processor, the processor implementing the steps of the method according to any one of claims 1 to 10 when executing the computer program.
12. A computer-readable storage medium storing a computer program, characterized in that: the computer program implements the steps of the method according to any one of claims 1 to 10 when executed by a processor.
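As an added example (not code from the patent), the single-attacker algorithm of claim 6, the distributed check of claim 9 and the timed interception of claim 8, written in Python and driven by constructed login records. The `Policy` and `BruteForceDetector` names, the default thresholds and the assumption that only failed logins are counted are this example's, not the patent's.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Policy:                 # security-policy fields from claim 3; defaults are constructed
    window_s: int = 60        # time period for the single-attacker counter (S301/S303)
    fail_threshold: int = 3   # failed-login count threshold per source ip (S306)
    dist_window_s: int = 60   # distributed-attack time period (claim 9)
    dist_threshold: int = 5   # failed-login count summed over all source ips (claim 9)
    block_s: int = 300        # interception duration before the rule is removed (claim 8)

class BruteForceDetector:
    def __init__(self, policy: Policy):
        self.p = policy
        self.table1 = {}                                     # (src_ip, src_port) -> user (S302)
        self.table2 = defaultdict(lambda: defaultdict(int))  # src_ip -> {user: failed logins}
        self.window_start = None
        self.dist_events = []   # timestamps of failed logins from every source ip (claim 9)
        self.blocked = {}       # src_ip -> unblock time; stands in for the firewall policy

    def _tick(self, now):
        # S303: wipe dictionary table 2 once per time period; claim 8: drop expired blocks
        if self.window_start is None or now - self.window_start >= self.p.window_s:
            self.table2.clear()
            self.window_start = now
        self.blocked = {ip: t for ip, t in self.blocked.items() if now < t}

    def is_blocked(self, now, src_ip):
        self._tick(now)
        return src_ip in self.blocked

    def observe(self, now, user, src_ip, src_port, dst_ip, dst_port, failed):
        """Feed one parsed login record (claim 5 fields); return an alert dict or None."""
        self._tick(now)
        self.table1[(src_ip, src_port)] = user                  # S304: insert or update
        if not failed:
            return None                 # assumption: only failed logins are counted
        self.table2[src_ip][user] += 1                          # S305: add 1 or insert as 1
        if self.table2[src_ip][user] > self.p.fail_threshold:   # S306: strictly above threshold
            return self._alert(now, "single", user, src_ip, src_port, dst_ip, dst_port)
        self.dist_events = [t for t in self.dist_events if now - t < self.p.dist_window_s]
        self.dist_events.append(now)
        if len(self.dist_events) > self.p.dist_threshold:       # claim 9: sum across ips
            return self._alert(now, "distributed", user, src_ip, src_port, dst_ip, dst_port)
        return None

    def _alert(self, now, kind, user, src_ip, src_port, dst_ip, dst_port):
        self.blocked[src_ip] = now + self.p.block_s             # claim 8: intercept source ip
        return {"time": now, "kind": kind, "user": user, "attacker": (src_ip, src_port),
                "target": (dst_ip, dst_port)}                   # claim 7 alarm content
```

A production build would replace the `blocked` dictionary with the firewall writes and periodic queries of claim 8; the expiry logic in `_tick` is the same.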

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211618634.4A CN116248329A (en) 2022-12-15 2022-12-15 Anti-riot cracking method, terminal equipment and storage medium

Publications (1)

Publication Number Publication Date
CN116248329A true CN116248329A (en) 2023-06-09

Family

ID=86623221

Country Status (1)

Country Link
CN (1) CN116248329A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination