CN116545650B - Network dynamic defense method - Google Patents

Info

Publication number
CN116545650B
Application number
CN202310348222.1A
Authority
CN (China)
Prior art keywords
detection, sequence, server, information, access
Legal status
Active
Other languages
Chinese (zh)
Other versions
CN116545650A
Inventors
周子岩, 叶旭腾, 刘素肖, 王宇飞
Current Assignee
Beijing Bidding Branch Of China Huaneng Group Co ltd; Huaneng Information Technology Co Ltd
Original Assignee
Beijing Bidding Branch Of China Huaneng Group Co ltd; Huaneng Information Technology Co Ltd
Application filed by Beijing Bidding Branch Of China Huaneng Group Co ltd and Huaneng Information Technology Co Ltd
Priority to CN202310348222.1A
Publication of CN116545650A
Application granted
Publication of CN116545650B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3228 One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L63/0869 Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/108 Network architectures or network communication protocols for network security for controlling access to devices or network resources when the policy decisions are valid for a limited amount of time
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The invention provides a network dynamic defense method, which belongs to the field of network defense and comprises the following steps: obtaining the JS codes corresponding to the webpage returned by the server, and dynamically packaging the webpage returned by the server; randomly acquiring detection items, generating corresponding detection codes according to the threat situation, and carrying out dynamic bidirectional detection on the client and the server; acquiring webpage transmission data, screening out sensitive information, and randomly selecting an obfuscation algorithm to dynamically obfuscate the sensitive information; judging the validity of the current request for accessing the page content, and granting a one-time dynamic token to the address of the legitimate request. The web server returns the page with dynamically packaged JS codes, dynamic bidirectional verification is performed between the client and the server, a dynamic obfuscation algorithm protects the sensitive information, and a one-time dynamic token is granted to each legitimate request address, so that malicious terminal access is prevented, the unpredictability of the application is increased, the attack cost is greatly increased, and the security of the network is ensured.

Description

Network dynamic defense method
Technical Field
The invention relates to the technical field of network defense, in particular to a network dynamic defense method.
Background
At present, with the continuous development of Internet and computer technology, China has fully entered the information age. The arrival of the information age greatly facilitates people's life and work, but while the network provides great convenience it also carries certain security risks. With the increasing openness and sharing of computer networks, connections between people are closer, networks have spread into every field of society, and their influence on society keeps growing. Therefore, for some open information, control must be strengthened so that hacking and the illegal actions of saboteurs are strictly prevented. This is an intangible battle in which security technology is the most critical aspect; improving network defense technology is fundamental to improving computer network security.
Therefore, the invention provides a network dynamic defense method.
Disclosure of Invention
The invention provides a network dynamic defense method, which dynamically packages a section of JS code for the page returned by the web server, completes communication with the firewall and verification of the browser-side running environment, randomly selects the detected items and their quantity each time, dynamically and bidirectionally verifies the client and the server, protects the sensitive transmission data requested by the terminal user with a dynamic obfuscation algorithm, and blocks illegal requests without tokens by granting a valid one-time dynamic token to the legitimate request address of the currently accessed page content, thereby preventing malicious terminals from accessing, increasing the unpredictability of the application, greatly raising the attack cost and ensuring the security of the network.
The invention provides a network dynamic defense method, which comprises the following steps:
step 1: based on an access request of a client to a server, a JS code corresponding to a webpage returned by the server is obtained, and the webpage returned by the server is dynamically packaged;
step 2: before access is allowed, detection items are randomly acquired, corresponding detection codes are generated according to threat situations, and dynamic bidirectional detection is carried out on the client and the server;
step 3: in the process of allowing access, acquiring webpage transmission data, screening sensitive information, and randomly selecting an obfuscation algorithm to dynamically obfuscate the sensitive information;
step 4: after access is allowed, the validity of the request for accessing the page content is judged, and a one-time dynamic token is granted to the address of the legitimate request.
Preferably, the invention provides a network dynamic defense method, based on an access request of a client to a server, a JS code corresponding to a webpage returned by the server is obtained, and the webpage returned by the server is dynamically packaged, which comprises the following steps:
extracting access key information based on an access request of a client to a server;
based on the access key information and the access information-JS code comparison table, obtaining all corresponding JS codes, and constructing a JS code set;
randomly selecting a first JS code from the JS code set, packaging the access key information by using the first JS code, and sending the packaged first access information to a firewall for security verification;
if the security verification is qualified, the firewall sends an access permission signal to the client;
and if the security verification is not qualified, rejecting the access request corresponding to the first JS code.
Preferably, the present invention provides a network dynamic defense method, if security verification is qualified, after the firewall sends the access permission signal, the method further includes:
after receiving the access permission signal, the client invalidates the first JS code and randomly selects a second JS code, other than the first JS code, from the JS code set;
packaging the access key information by using the second JS code to obtain second access information, and sending the second access information to a browser side for running environment verification to obtain an environment verification result;
and if the environment verification result is qualified, sending a return signal to the client.
Preferably, the present invention provides a network dynamic defense method, if the environment verification result is qualified, after sending a return signal to the client, the method further includes:
after receiving the return signal, the client invalidates the second JS code and randomly selects a third JS code, other than the first JS code and the second JS code, from the JS code set;
and packaging the webpage codes returned by the server by using the third JS code.
Preferably, the present invention provides a network dynamic defense method, before allowing access, acquiring detection items randomly, generating corresponding detection codes according to threat situations, and performing dynamic bidirectional detection on a client and a server, including:
the server receives the access request and sends a bidirectional verification request to the client;
after receiving the bidirectional verification request, the client sends a supported first detection item set to the server;
acquiring a second detection item set supported by a server, selecting the same detection items in the first detection item set and the second detection item set, and constructing a third detection item set;
marking each detection item in the third detection item set with a first serial number, where each detection item is an independent item and the third detection item set contains n kinds of items;
randomly screening d detection items from the third detection item set, where d is the random screening result of rand (1, n), and recording the first serial number of each screened item;
randomly screening d numbers from the number list, and randomly combining each number with each first serial number to obtain a first sequence;
based on all the first sequences, randomly combining into a second sequence;
obtaining a first detection item sequence based on the detection items and the detection number corresponding to the second sequence;
sending the first detection item sequence to a server and a client for detection, and acquiring average detection duration of server item detection and client item detection in real time;
if the average detection time length is longer than the preset detection time length, calculating a detection abnormality index;
if the detection abnormality index is larger than a preset detection abnormality index, judging that the detection process is threatened, locking an abnormality sequence in a first detection item sequence, and removing a detection item matched with the abnormality sequence;
randomly screening r detection items from the third detection item set again according to the random screening result r of rand (1, n-d), and recording a second serial number of each random screening item;
randomly screening r numbers from the number list, and randomly combining each number with each second serial number to obtain a third sequence, wherein r is greater than n1 and less than d, and n1 represents the number of removed detection items;
randomly combining all the third sequences and the reserved first sequences into a fourth sequence;
obtaining a second detection item sequence based on the detection items and the detection number corresponding to the fourth sequence;
and sending the second detection item sequence to a server and a client for detection.
Preferably, the present invention provides a network dynamic defense method, in which, if the average detection time length is longer than the preset detection time length, calculating a detection abnormality index includes:
calculating the detection abnormality index from the following quantities (the formula is given in the patent as an image that is not reproduced on this page): the detection abnormality index; the number of all detection items in the first detection item sequence; the actual detection time of each detection item in the first detection item sequence; the due detection time of each detection item in the first detection item sequence; the detection weight corresponding to each detection item; the actual number of detections corresponding to each detection item; the time coefficient of the first detection item sequence; the detection coefficient of the first detection item sequence; and the number of times each detection item is to be detected.
Preferably, the present invention provides a network dynamic defense method, in which, in the process of allowing access, acquiring webpage transmission data, screening sensitive information, and randomly selecting an obfuscation algorithm to dynamically obfuscate the sensitive information includes:
acquiring the transmission data of each webpage and splitting it to obtain head information and tail information;
inputting the head information and the tail information into a sensitive information extraction model to obtain the sensitive information content of the head information and the tail information in the corresponding webpage transmission data;
if the sensitive information content is greater than or equal to a preset sensitive information content, the corresponding webpage transmission data is sensitive data;
and randomly selecting an obfuscation algorithm to simulate the head information and the tail information of the sensitive data, obtaining obfuscated information that resembles the head and the tail of the sensitive information.
Preferably, the present invention provides a network dynamic defense method, in which, after access is allowed, judging the validity of the request for accessing the page content and granting a one-time dynamic token to the address of the legitimate request includes:
after receiving the access request, the server sends a public key to the client;
the client analyzes the basic information of the public key, calls the corresponding private key to decode it, and sends a decoding success signal;
the server receives the decoding success signal and sends a dynamic token;
when the dynamic token exceeds the prescribed token usage time, the dynamic token is invalidated.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims thereof as well as the appended drawings.
The technical scheme of the invention is further described in detail through the drawings and the embodiments.
Drawings
The accompanying drawings are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate the invention and together with the embodiments of the invention, serve to explain the invention. In the drawings:
fig. 1 is a flowchart of a network dynamic defense method in an embodiment of the present invention.
Detailed Description
The preferred embodiments of the present invention will be described below with reference to the accompanying drawings, it being understood that the preferred embodiments described herein are for illustration and explanation of the present invention only, and are not intended to limit the present invention.
Example 1:
an embodiment of the present invention provides a network dynamic defense method, as shown in fig. 1, including:
step 1: based on an access request of a client to a server, a JS code corresponding to a webpage returned by the server is obtained, and the webpage returned by the server is dynamically packaged;
step 2: before access is allowed, detection items are randomly acquired, corresponding detection codes are generated according to threat situations, and dynamic bidirectional detection is carried out on the client and the server;
step 3: in the process of allowing access, acquiring webpage transmission data, screening sensitive information, and randomly selecting an obfuscation algorithm to dynamically obfuscate the sensitive information;
step 4: after access is allowed, the validity of the request for accessing the page content is judged, and a one-time dynamic token is granted to the address of the legitimate request.
In this embodiment, dynamic encapsulation refers to hiding the attributes and implementation details of an object with randomly selected JS code, exposing only the interface to the outside and controlling the access level at which attributes in the program can be read and modified.
In this embodiment, a threat situation refers to any file or program in the network that is not permitted, including malware that damages or destroys the computer, such as ransomware, botnet software, spyware, Trojans, viruses, worms and the like, which can damage a computer by giving a hacker unauthorized access. A relatively common way for malware to attack is to disguise itself as a legitimate file in order to bypass detection.
In this embodiment, dynamic bidirectional detection refers to detecting network security in both the direction from the client to the server and the direction from the server to the client according to the randomly selected detected items and numbers.
In this embodiment, sensitive information refers to information in the webpage transmission data whose disclosure may increase the risk of an attack on the webpage, including: personal information; version numbers of middleware and other third-party components used by the system; database version information; passwords, sessions, tokens, cookies and other authentication information used at login; the IMEI of a mobile phone; the MAC address of a computer; and similar network-wide unique identifiers of other equipment.
In this embodiment, the obfuscation algorithms mainly include Cookie, POST, data and URL obfuscation, and the like.
In this embodiment, dynamic obfuscation means that an algorithm chosen at random from the obfuscation algorithms changes the representation of the sensitive information, so as to protect the sensitive information.
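The step 3 procedure (split each record into head and tail, score them, compare with a preset content, then obfuscate with a randomly chosen algorithm), as an added Python example that is not code from the patent or its applicants. The regular expressions stand in for the "sensitive information extraction model" and cover the categories listed above (login authentication values, component versions, MAC addresses, IMEIs); the three obfuscation routines, their names, the split length, the preset content and the HTTP-like sample record are all constructed assumptions.

```python
import random
import re

# Constructed stand-in for the "sensitive information extraction model": one regex per category.
# Each pattern has two groups: a key prefix to keep (may be empty) and the value to obfuscate.
SENSITIVE_PATTERNS = [
    re.compile(r"(?i)\b((?:session|token|password)\s*[=:]\s*)([^\s;]+)"),   # login authentication values
    re.compile(r"(?i)\b((?:server|x-powered-by|version)\s*[=:]\s*)(\S+)"),  # component / middleware versions
    re.compile(r"()(\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b)"),            # MAC address
    re.compile(r"()(\b\d{15}\b)"),                                           # IMEI
]
PRESET_CONTENT = 2   # assumed preset sensitive information content (fragments in head + tail)
SPLIT_LEN = 80       # assumed head/tail length in characters


def split_head_tail(data, k=SPLIT_LEN):
    """Head and tail of one transmission record; a record of at most 2k characters is all head."""
    if len(data) <= 2 * k:
        return data, ""
    return data[:k], data[-k:]


def sensitive_content(text):
    """The model's 'content' score: number of sensitive fragments found in the text."""
    return sum(len(p.findall(text)) for p in SENSITIVE_PATTERNS)


def is_sensitive(data):
    """Step 3's decision: the record is sensitive data iff head + tail content reaches the preset."""
    head, tail = split_head_tail(data)
    return sensitive_content(head) + sensitive_content(tail) >= PRESET_CONTENT


# Three assumed obfuscation routines; each keeps the shape of the value it replaces so the
# result still "resembles" the sensitive head and tail while carrying no real value.
def _same_shape(value, rng):
    """Letters become random letters of the same case, digits random digits; punctuation stays."""
    out = []
    for ch in value:
        if ch.isdigit():
            out.append(rng.choice("0123456789"))
        elif ch.isalpha():
            pool = "abcdefghijklmnopqrstuvwxyz"
            out.append(rng.choice(pool.upper() if ch.isupper() else pool))
        else:
            out.append(ch)
    return "".join(out)


def _hex_fill(value, rng):
    """Alphanumerics become random hex digits; separators such as ':' and '.' stay."""
    return "".join(rng.choice("0123456789abcdef") if ch.isalnum() else ch for ch in value)


def _url_encoded(value, rng):
    """A percent-encoded run of random printable bytes, about as wide as the original."""
    return "".join("%%%02X" % rng.randrange(33, 127) for _ in range(max(1, len(value) // 3)))


OBFUSCATORS = {"cookie": _same_shape, "data": _hex_fill, "url": _url_encoded}


def obfuscate(data, rng=random):
    """Pick an obfuscation routine at random and rewrite the sensitive fragments of head and tail.
    Returns (routine name, rewritten data); non-sensitive data comes back unchanged with name None."""
    if not is_sensitive(data):
        return None, data
    name = rng.choice(sorted(OBFUSCATORS))
    routine = OBFUSCATORS[name]

    def rewrite(text):
        for pattern in SENSITIVE_PATTERNS:
            text = pattern.sub(lambda m: m.group(1) + routine(m.group(2), rng), text)
        return text

    head, tail = split_head_tail(data)
    middle = data[len(head):len(data) - len(tail)]   # untouched: the model only looks at head and tail
    return name, rewrite(head) + middle + rewrite(tail)


# Constructed sample record: an HTTP response carrying a session cookie, a server version and a MAC address.
SAMPLE = ("HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\n"
          "Set-Cookie: session=9f3a7c21d4e8; Path=/\r\n\r\n<p>" + "x" * 200 +
          "</p>\r\nX-Device-MAC: 00:1A:2B:3C:4D:5E\r\n")
```

Because every routine preserves the shape of what it replaces, `is_sensitive(obfuscate(SAMPLE)[1])` still holds: the rewritten record looks like sensitive data to the same screen, which is the property the patent asks of the obfuscated head and tail.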
In this embodiment, the one-time dynamic token refers to an unpredictable random combination generated by a special algorithm; the password is valid only once and becomes invalid once the specified time has passed, so that unauthorized access is resisted and the network is protected.
The working principle and beneficial effects of the technical scheme are as follows: a section of JS code is dynamically packaged for the page returned by the web server to complete communication with the firewall and verification of the browser-side running environment; the detected items and their quantity are randomly selected each time; dynamic bidirectional verification of the client and the server is performed; the sensitive transmission data requested by the terminal user is protected with a dynamic obfuscation algorithm; and a valid one-time dynamic token is granted to the legitimate request address of the currently accessed page content, so that illegal requests without tokens are blocked, malicious terminal access is prevented, the unpredictability of the application is increased, the attack cost is greatly increased, and network security is ensured.
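The one-time dynamic token of step 4, described in the summary above and in the definition just given (granted only after the client's decoding success signal, valid once, invalid once the prescribed usage time has passed), as an added Python example; this is not code from the patent or its applicants. The address strings, the 30-second usage time, the injectable clock and the server-side token table are assumptions, and the public/private key exchange is reduced to a boolean `decode_success` input because the page does not specify that step's mechanics.

```python
import hmac
import secrets
import time

TOKEN_USAGE_TIME = 30.0   # assumed prescribed token usage time, in seconds


class TokenAuthority:
    """Server-side issuer of one-time dynamic tokens, each bound to the address it was granted to."""

    def __init__(self, usage_time=TOKEN_USAGE_TIME):
        self.usage_time = usage_time
        self._live = {}   # token -> (address, issue time); a token leaves the table on first use or expiry

    def issue(self, address, decode_success, now=None):
        """Grant a token only after the client's decoding-success signal; returns None otherwise."""
        if not decode_success:
            return None
        now = time.monotonic() if now is None else now
        token = secrets.token_urlsafe(32)     # 256 bits from the OS CSPRNG: unpredictable, not derivable
        self._live[token] = (address, now)
        return token

    def redeem(self, token, address, now=None):
        """Accept a token once, only from its bound address and only within its usage time.
        Any presentation, valid or not, spends the token."""
        now = time.monotonic() if now is None else now
        entry = self._live.pop(token, None)
        if entry is None:
            return False                      # unknown, already used, or swept
        bound_address, issued_at = entry
        if now - issued_at > self.usage_time:
            return False                      # exceeded the prescribed token usage time
        return hmac.compare_digest(bound_address.encode(), address.encode())

    def sweep(self, now=None):
        """Drop expired tokens so the table cannot grow without bound; returns how many were dropped."""
        now = time.monotonic() if now is None else now
        expired = [t for t, (_, issued) in self._live.items() if now - issued > self.usage_time]
        for t in expired:
            del self._live[t]
        return len(expired)

    def live_count(self):
        return len(self._live)


if __name__ == "__main__":
    authority = TokenAuthority()
    granted = authority.issue("203.0.113.7", decode_success=True)   # documentation address, constructed
    print("first use:", authority.redeem(granted, "203.0.113.7"))    # True
    print("replay:", authority.redeem(granted, "203.0.113.7"))       # False
```

Popping the token before any check is the design choice to notice: a replay, a presentation from another address and an expired token all consume the entry, so no second attempt can succeed, and the periodic `sweep` keeps abandoned tokens from accumulating.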
Example 2:
the embodiment of the invention provides a network dynamic defense method, which is based on an access request of a client to a server, obtains a JS code corresponding to a webpage returned by the server, and dynamically packages the webpage returned by the server, and comprises the following steps:
extracting access key information based on an access request of a client to a server;
based on the access key information and the access information-JS code comparison table, obtaining all corresponding JS codes, and constructing a JS code set;
randomly selecting a first JS code from the JS code set, packaging the access key information by using the first JS code, and sending the packaged first access information to a firewall for security verification;
if the security verification is qualified, the firewall sends an access permission signal to the client;
and if the security verification is not qualified, rejecting the access request corresponding to the first JS code.
In this embodiment, the access key information refers to the information obtained by analyzing the access request, including the access address, the access destination, and the public key and private key of the access request.
In this embodiment, the access information-JS code reference table refers to a reference table containing access key information and all corresponding JS codes.
In this embodiment, the first access information refers to access key information encapsulated by the JS code selected randomly.
In this embodiment, security verification means that the first access information is checked by the firewall to determine whether it is secure, so as to meet the requirement for entering the network.
The working principle and beneficial effects of the technical scheme are as follows: a section of JS code is dynamically packaged for the page returned by the web server; the JS code completes communication with the firewall, verifies the security of the accessing network, and ensures secure access to the page returned by the web server.
Example 3:
the embodiment of the invention provides a network dynamic defense method, which further comprises the following steps after a firewall sends an access permission signal if security verification is qualified:
after receiving the access permission signal, the client invalidates the first JS code and randomly selects a second JS code, other than the first JS code, from the JS code set;
packaging the access key information by using the second JS code to obtain second access information, and sending the second access information to a browser side for running environment verification to obtain an environment verification result;
and if the environment verification result is qualified, sending a return signal to the client.
In this embodiment, the second access information refers to access key information packaged by randomly selecting a JS code other than the first JS code.
In this embodiment, environment verification refers to checking whether the browser-side running environment meets the running environment requirement carried in the second access information.
The working principle and beneficial effects of the technical scheme are as follows: a second JS code, other than the first JS code, is randomly selected from the JS code set to package the access key information a second time, and the result is sent to the browser side for running environment verification, so that secure access to the page returned by the web server is ensured.
Example 4:
the embodiment of the invention provides a network dynamic defense method, which further comprises the following steps after sending a return signal to a client if the environment verification result is qualified:
after receiving the return signal, the client invalidates the second JS code and randomly selects a third JS code, other than the first JS code and the second JS code, from the JS code set;
and packaging the webpage codes returned by the server by using the third JS code.
The working principle and the beneficial effects of the technical scheme are as follows: and the third JS codes except the first JS code and the second JS code are selected randomly to encapsulate the webpage codes returned by the server, so that dynamic encapsulation is realized, the 'unpredictability' of the server behavior is increased, and the safe operation of the server is ensured.
Example 5:
the embodiment of the invention provides a network dynamic defense method, which randomly acquires detection items before access is allowed, generates corresponding detection codes according to threat situations, and carries out dynamic bidirectional detection on a client and a server, and the method comprises the following steps:
the server receives the access request and sends a bidirectional verification request to the client;
after receiving the bidirectional verification request, the client sends a supported first detection item set to the server;
acquiring a second detection item set supported by a server, selecting the same detection items in the first detection item set and the second detection item set, and constructing a third detection item set;
marking each detection item in the third detection item set with a first serial number, where each detection item is an independent item and the third detection item set contains n kinds of items;
randomly screening d detection items from the third detection item set, where d is the random screening result of rand (1, n), and recording the first serial number of each screened item;
randomly screening d numbers from the number list, and randomly combining each number with each first serial number to obtain a first sequence;
based on all the first sequences, randomly combining into a second sequence;
obtaining a first detection item sequence based on the detection items and the detection number corresponding to the second sequence;
sending the first detection item sequence to a server and a client for detection, and acquiring average detection duration of server item detection and client item detection in real time;
if the average detection time length is longer than the preset detection time length, calculating a detection abnormality index;
if the detection abnormality index is larger than a preset detection abnormality index, judging that the detection process is threatened, locking an abnormality sequence in a first detection item sequence, and removing a detection item matched with the abnormality sequence;
randomly screening r detection items from the third detection item set again according to the random screening result r of rand (1, n-d), and recording a second serial number of each random screening item;
randomly screening r numbers from the number list, and randomly combining each number with each second serial number to obtain a third sequence, wherein r is greater than n1 and less than d, and n1 represents the number of removed detection items;
randomly combining the fourth sequence based on all the third sequences and the reserved first sequence;
obtaining a second detection item sequence based on the detection items and the detection number corresponding to the fourth sequence;
and sending the second detection item sequence to a server and a client for detection.
In this embodiment, the bidirectional verification request refers to the request that the server sends to the client after receiving the access request, asking for network security to be detected both in the direction from the client to the server and in the direction from the server to the client.
In this embodiment, the first detection item set refers to the set of detection items supported by the client.
In this embodiment, the second detection item set refers to the set of detection items supported by the server.
In this embodiment, the third detection item set refers to the set of detection items supported by both the client and the server.
In this embodiment, the first serial number is a sequential number used to mark each detection item in the third detection item set, so that detection items can be extracted conveniently.
In this embodiment, a first sequence refers to the pairing of a first serial number (of one of the d detection items randomly selected from the third detection item set) with one of the d numbers randomly selected from the number list, where the number represents how many times the detection item with that first serial number needs to be detected.
In this embodiment, the second sequence refers to the sequence containing all the first sequences, obtained by arranging all the first sequences in random order and joining them end to end in that order.
In this embodiment, the first detection item sequence refers to the sequence containing all the selected detection items and the number of times each is to be detected, obtained by looking up the detection items corresponding to the first serial numbers and numbers in the second sequence.
In this embodiment, the average detection duration refers to the detection duration per detection item, calculated from the total number of items to be detected and the time actually taken by the whole bidirectional detection.
In this embodiment, the preset detection duration refers to the average detection duration preset for detection when the network is not under attack; if the average detection duration exceeds it, the detection process may be under attack.
In this embodiment, the detection abnormality index refers to an index indicating the degree of detection abnormality, obtained from the detection of all detection items in the first detection item sequence and the detection time used.
In this embodiment, the preset detection abnormality index refers to the degree of detection abnormality preset for detection when the network is not under attack.
In this embodiment, the abnormal sequence refers to a first sequence whose detection time is abnormal, found by comparing the actual detection duration of each first sequence in the second sequence with the normal detection duration range.
In this embodiment, the second serial number refers to the first serial number of each of the r detection items obtained by randomly selecting r detection items from the third detection item set, where r is the result of rand(1, n-d).
In this embodiment, a third sequence refers to the pairing of a second serial number (of one of the r detection items randomly selected from the third detection item set) with one of the r numbers randomly selected from the number list, where the number represents how many times the detection item with that second serial number needs to be detected.
In this embodiment, the fourth sequence refers to the sequence containing all the third sequences and the reserved first sequences, obtained by arranging them in random order and joining them end to end in that order.
In this embodiment, the second detection item sequence refers to the sequence containing all the selected detection items and the number of times each is to be detected, obtained by looking up the detection items corresponding to the second serial numbers, the first serial numbers and their numbers in the fourth sequence.
The working principle and beneficial effects of this technical scheme are as follows: dynamic bidirectional verification between the client and the server prevents malicious terminals from gaining access, and the detected items and their numbers are randomly selected each time, which increases the unpredictability of the application and greatly raises the attack cost. Dynamic verification includes real-browser morphology verification, browser fingerprinting, abnormal behavior pattern detection, and data integrity verification. During dynamic verification, different detection codes can be generated according to the threat situation, which further increases the unpredictability of the application, makes it harder for counterfeiters or automation tools to impersonate legitimate clients, and solves the security problem of static collection code that is easily bypassed once reverse-engineered.
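The detection item negotiation, random sequence construction, abnormal-sequence locking and re-screening described in this embodiment, as an added Python example that is not part of the patent; the item names, the number list and the normal duration range are assumptions, and the detection abnormality index of Example 6 is not computed here.

```python
"""Added example, not the patent's own code: the bidirectional detection
scheduling of Example 5 in Python. The item names, the number list and the
normal-duration range are constructed assumptions."""
import random
from typing import Dict, List, Tuple

# Constructed sample data: the detection items each side supports, and the
# number list from which the per-item detection counts are drawn.
CLIENT_ITEMS = ["browser_morphology", "browser_fingerprint", "behavior_pattern",
                "data_integrity", "canvas_probe"]
SERVER_ITEMS = ["browser_fingerprint", "data_integrity", "behavior_pattern",
                "browser_morphology", "tls_session"]
NUMBER_LIST = [1, 2, 3, 4, 5]  # assumed: allowed detection counts per item

Sequence = Tuple[int, int]  # (serial number, number of times to detect)


def negotiate(client_items: List[str], server_items: List[str]) -> Dict[int, str]:
    """Third detection item set: the items both sides support, each marked
    with a first serial number 1..n (sorted so the numbering is reproducible)."""
    common = sorted(set(client_items) & set(server_items))
    return {i + 1: item for i, item in enumerate(common)}


def pair_with_numbers(serials: List[int], rng: random.Random) -> List[Sequence]:
    """Draw one number per serial from NUMBER_LIST, pair numbers and serials
    at random, and put the pairs in random end-to-end order."""
    counts = [rng.choice(NUMBER_LIST) for _ in serials]
    rng.shuffle(counts)
    seqs = list(zip(serials, counts))
    rng.shuffle(seqs)
    return seqs


def first_sequences(items: Dict[int, str], rng: random.Random) -> List[Sequence]:
    """First round: select d = rand(1, n) items and build the second sequence."""
    d = rng.randint(1, len(items))
    return pair_with_numbers(rng.sample(sorted(items), d), rng)


def detection_item_sequence(items: Dict[int, str],
                            seqs: List[Sequence]) -> List[Tuple[str, int]]:
    """Expand serial numbers into item names: the (first or second) detection
    item sequence that is sent to server and client."""
    return [(items[s], c) for s, c in seqs]


def average_duration(seqs: List[Sequence], total_elapsed: float) -> float:
    """Average detection duration: the elapsed time of the whole bidirectional
    detection divided by the total number of detections (sum of the counts)."""
    return total_elapsed / sum(c for _, c in seqs)


def abnormal_sequences(seqs: List[Sequence], actual: Dict[int, float],
                       normal_range: Tuple[float, float]) -> List[Sequence]:
    """Lock the first sequences whose actual per-item duration lies outside the
    normal duration range (assumed to be given as (low, high) seconds)."""
    lo, hi = normal_range
    return [s for s in seqs if not lo <= actual[s[0]] <= hi]


def rescreen(items: Dict[int, str], kept: List[Sequence], removed: List[int],
             rng: random.Random) -> List[Sequence]:
    """Second round: choose r with n1 < r < d and 1 <= r <= n - d, draw r items
    from those not chosen in the first round (assumption: removed items are not
    re-selected), and merge the third sequences with the reserved first ones."""
    n, n1 = len(items), len(removed)
    d = len(kept) + n1  # size of the first-round selection
    taken = set(removed) | {s for s, _ in kept}
    pool = [s for s in sorted(items) if s not in taken]  # exactly n - d items
    candidates = [r for r in range(n1 + 1, d) if 1 <= r <= n - d]
    if not candidates:  # edge case: the bounds admit no r; keep what is left
        return list(kept)
    third = pair_with_numbers(rng.sample(pool, rng.choice(candidates)), rng)
    fourth = list(kept) + third
    rng.shuffle(fourth)
    return fourth


if __name__ == "__main__":
    rng = random.Random(7)
    items = negotiate(CLIENT_ITEMS, SERVER_ITEMS)
    seqs = first_sequences(items, rng)
    print("first detection item sequence:", detection_item_sequence(items, seqs))
    # Pretend the item with serial 2 took far too long (constructed timings).
    timings = {s: (9.0 if s == 2 else 0.3) for s, _ in seqs}
    bad = abnormal_sequences(seqs, timings, (0.1, 1.0))
    kept = [s for s in seqs if s not in bad]
    second = rescreen(items, kept, [s for s, _ in bad], rng)
    print("second detection item sequence:", detection_item_sequence(items, second))
```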
Example 6:
The embodiment of the invention provides a network dynamic defense method in which, if the average detection duration is longer than the preset detection duration, the detection abnormality index is calculated as follows:
the method comprises the steps of carrying out a first treatment on the surface of the Wherein (1)>Indicating a detected abnormality index; />Representing the number of all detection items in the first detection item sequence; />Representing the +.sup.th in the first test item sequence>Actual detection time of each detection item; />Representing the +.sup.th in the first test item sequence>Due time of each detection itemAnd->;/>Representing the +.sup.th in the first test item sequence>Detecting weights corresponding to the detection items; />Representing the +.sup.th in the first test item sequence>Actual detection times corresponding to the detection items; />A time coefficient representing a first sequence of detection items; />A detection coefficient representing a first sequence of detection items; />Representing the +.sup.th in the first test item sequence>The number of times of detection corresponding to the detection items is +.>
The working principle and beneficial effects of this technical scheme are as follows: a first detection item sequence whose average detection duration is longer than the preset detection duration is analysed in detail, so that the detection abnormality index is obtained accurately, it can be judged whether the detection is abnormal and under attack, and the accuracy and efficiency of network defense are improved.
Example 7:
The embodiment of the invention provides a network dynamic defense method in which, while access is allowed, web page transmission data is acquired, sensitive information is screened, and an obfuscation (confusion) algorithm is randomly selected to dynamically obfuscate the sensitive information, comprising the following steps:
acquiring the transmission data of each web page and splitting it to obtain head information and tail information;
inputting the head information and tail information into a sensitive information extraction model to obtain the content of sensitive information in the head and tail information of the corresponding web page transmission data;
if the content of sensitive information is greater than or equal to the preset sensitive information content, the corresponding web page transmission data is sensitive data;
and randomly selecting an obfuscation algorithm to simulate the head and tail information of the sensitive data, obtaining obfuscated information similar to the head and tail of the sensitive information.
In this embodiment, the head information refers to the first ten percent of each piece of web page transmission data.
In this embodiment, the tail information refers to the last ten percent of each piece of web page transmission data.
In this embodiment, the sensitive information extraction model is a model trained on the head and tail information of web page transmission data and the corresponding sensitive information, which can extract the sensitive information in the head and tail information.
In this embodiment, the content of sensitive information refers to the proportion of sensitive information in the web page transmission data, obtained from the length of the sensitive information extracted by the sensitive information extraction model and the length of the corresponding web page transmission data.
In this embodiment, the preset sensitive information content refers to the preset proportion of sensitive information at which web page transmission data is defined as sensitive; if the content of sensitive information is greater than or equal to this preset value, the web page transmission data is treated as sensitive information.
In this embodiment, the obfuscated information refers to information highly similar to the head and tail information of the sensitive information, intended to draw attacks towards itself and thereby protect the sensitive information.
The working principle and beneficial effects of this technical scheme are as follows: the dynamic obfuscation algorithm protects the content requested by the end user by dynamically obfuscating sensitive transmission data on the web page, mainly cookies, POST data, URLs and the like, which effectively raises the difficulty of man-in-the-middle attacks and prevents attack behaviors such as forging requests, injecting malicious code, and eavesdropping on or tampering with transaction content. A different algorithm is used for each obfuscation, so an attacker cannot predict the obfuscation algorithm, which greatly increases the attack difficulty.
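The head/tail split, the sensitive content ratio and the random choice of obfuscation algorithm from this embodiment, as an added Python example that is not part of the patent; a regex extractor stands in for the trained sensitive information extraction model, and the field patterns, the 10% threshold, the sample data and the three obfuscation algorithms are assumptions.

```python
"""Added example, not the patent's own code: the head/tail split, sensitive
content ratio and decoy generation of Example 7. The regex extractor below
stands in for the patent's trained sensitive information extraction model; the
field patterns, the threshold and the three obfuscation algorithms are assumed."""
import random
import re
import string
from typing import Dict, List, Optional, Tuple

# Stand-in for the trained model: constructed patterns for fields that would
# count as sensitive in web transmission data (session values, card numbers).
SENSITIVE_PATTERNS = [
    re.compile(r"(?:sessionid|token|password|passwd|pwd)=[^;&\s]+", re.I),
    re.compile(r"\b\d{13,19}\b"),  # card-number-like digit run
]
PRESET_SENSITIVE_CONTENT = 0.10  # assumed threshold: 10% of the data length

# Constructed sample transmission data: a session id in the first ten percent
# and a card number in the last ten percent, with neutral parameters between.
DATA = ("sessionid=7f3a9c1d2e4b5a6c;" + "page=catalog&sort=price&" * 9
        + "card=4111222233334444")


def split_head_tail(data: str) -> Tuple[str, str]:
    """Head information: first ten percent of the data; tail information: last
    ten percent (at least one character each for very short data)."""
    k = max(1, len(data) // 10)
    return data[:k], data[-k:]


def extract_sensitive(fragment: str) -> List[str]:
    """Stand-in extractor: the sensitive substrings found in a fragment."""
    return [m.group(0) for pat in SENSITIVE_PATTERNS for m in pat.finditer(fragment)]


def sensitive_content(data: str) -> float:
    """Content of sensitive information: total length of the sensitive
    substrings found in head and tail, divided by the length of the data."""
    if not data:
        return 0.0
    head, tail = split_head_tail(data)
    found = extract_sensitive(head) + extract_sensitive(tail)
    return sum(len(s) for s in found) / len(data)


def is_sensitive(data: str, threshold: float = PRESET_SENSITIVE_CONTENT) -> bool:
    """Transmission data is sensitive when its content reaches the preset."""
    return sensitive_content(data) >= threshold


ALNUM_CLASSES = (string.digits, string.ascii_lowercase, string.ascii_uppercase)


def _class_of(c: str) -> Optional[str]:
    return next((cls for cls in ALNUM_CLASSES if c in cls), None)


def obf_shift(s: str, rng: random.Random) -> str:
    """Shift every letter/digit within its class by a random non-zero key (one
    key per class); delimiters stay, so the shape of the data is preserved."""
    keys = {cls: rng.randint(1, len(cls) - 1) for cls in ALNUM_CLASSES}
    out = []
    for c in s:
        cls = _class_of(c)
        out.append(cls[(cls.index(c) + keys[cls]) % len(cls)] if cls else c)
    return "".join(out)


def obf_substitute(s: str, rng: random.Random) -> str:
    """Replace every letter/digit with a random different one of its class."""
    out = []
    for c in s:
        cls = _class_of(c)
        out.append(rng.choice(cls.replace(c, "")) if cls else c)
    return "".join(out)


def obf_hexmask(s: str, rng: random.Random) -> str:
    """Replace every letter/digit with a hex digit other than itself."""
    hexchars = string.hexdigits[:16]
    return "".join(rng.choice(hexchars.replace(c, "")) if _class_of(c) else c for c in s)


OBFUSCATION_ALGORITHMS = [obf_shift, obf_substitute, obf_hexmask]


def decoy_head_tail(data: str, rng: random.Random) -> Dict[str, str]:
    """Randomly select an obfuscation algorithm and simulate head and tail
    information that keeps the shape of the sensitive data but none of it."""
    head, tail = split_head_tail(data)
    algo = rng.choice(OBFUSCATION_ALGORITHMS)
    return {"algorithm": algo.__name__, "head": algo(head, rng), "tail": algo(tail, rng)}


if __name__ == "__main__":
    print("sensitive content:", round(sensitive_content(DATA), 3), is_sensitive(DATA))
    print(decoy_head_tail(DATA, random.Random(11)))
```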
Example 8:
The embodiment of the invention provides a network dynamic defense method in which, after access is allowed, the legitimacy of the request currently accessing the page content is judged and a one-time dynamic token is granted to the address of the legitimate request, comprising the following steps:
after receiving the access request, the server sends its public key to the client;
the client parses the basic information of the public key, calls the corresponding private key to decode it, and sends a decoding-success signal;
the server receives the decoding-success signal and sends a dynamic token;
when the dynamic token exceeds the prescribed token usage time, the dynamic token becomes invalid.
In this embodiment, the prescribed token usage time refers to a usage time prescribed in advance according to the kind of token, so as to achieve the purpose of network defense.
The working principle and beneficial effects of this technical scheme are as follows: the legitimate request address currently accessing the page content is granted a one-time dynamic token that is valid for a certain time, so that illegitimate requests without a token are blocked, the correct operation of the business logic is ensured, an attacker is prevented from sending illegitimate requests, and automated malicious attack behaviors such as unauthorized access, web page backdoors, replay attacks and application-layer DDoS are resisted.
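The one-time dynamic token of this embodiment, as an added Python example that is not part of the patent; the HMAC token format, the per-kind usage times, the server key and the constructed addresses are assumptions, and the public-key exchange that precedes issuance is not modelled.

```python
"""Added example, not the patent's own code: issuing and validating the
one-time dynamic token of Example 8. The token format (an HMAC over address,
kind, expiry and nonce), the per-kind usage times and the server key are
assumptions; the public-key exchange that precedes issuance is not modelled."""
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Tuple

# Assumed: prescribed token usage time in seconds, by kind of token.
TOKEN_USAGE_TIME = {"page": 60, "api": 30, "download": 300}


class ManualClock:
    """Settable clock so expiry can be demonstrated offline (constructed)."""

    def __init__(self, start: float = 1000.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now


class TokenIssuer:
    """Server side: grants one-time tokens to legitimate request addresses and
    consumes them on first valid use, so a replayed token is rejected."""

    def __init__(self, key: bytes, clock: Callable[[], float] = time.time) -> None:
        self._key = key
        self._clock = clock
        self._unused: Dict[str, Tuple[str, int]] = {}  # nonce -> (address, expiry)

    def _tag(self, body: str) -> str:
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

    def issue(self, address: str, kind: str) -> str:
        """Grant a token bound to the address, valid for the kind's usage time."""
        expiry = int(self._clock()) + TOKEN_USAGE_TIME[kind]
        nonce = secrets.token_hex(8)
        body = f"{address}|{kind}|{expiry}|{nonce}"
        self._unused[nonce] = (address, expiry)
        return f"{body}|{self._tag(body)}"

    def redeem(self, token: str, address: str) -> str:
        """Validate and consume a token; returns 'ok' or the rejection reason."""
        parts = token.split("|")
        if len(parts) != 5:
            return "malformed"
        addr, kind, expiry, nonce, tag = parts
        if not hmac.compare_digest(tag, self._tag("|".join(parts[:4]))):
            return "bad_signature"  # forged or tampered token
        if addr != address:
            return "address_mismatch"  # token presented from another address
        if nonce not in self._unused:
            return "replayed_or_unknown"  # already consumed: replay blocked
        if self._clock() > int(expiry):
            del self._unused[nonce]
            return "expired"  # past the prescribed usage time
        del self._unused[nonce]  # one-time: consumed on first valid use
        return "ok"

    def purge_expired(self) -> int:
        """Drop expired, never-used tokens; returns how many were dropped."""
        now = self._clock()
        stale = [n for n, (_, exp) in self._unused.items() if now > exp]
        for n in stale:
            del self._unused[n]
        return len(stale)


if __name__ == "__main__":
    clock = ManualClock()
    issuer = TokenIssuer(b"constructed-server-key", clock)
    tok = issuer.issue("192.0.2.10", "api")  # constructed client address
    print(issuer.redeem(tok, "192.0.2.10"))  # ok
    print(issuer.redeem(tok, "192.0.2.10"))  # replayed_or_unknown
    tok2 = issuer.issue("192.0.2.10", "api")
    clock.now += 31  # past the 30 s usage time of an "api" token
    print(issuer.redeem(tok2, "192.0.2.10"))  # expired
```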
It will be apparent to those skilled in the art that various modifications and variations can be made to the present invention without departing from the spirit or scope of the invention. Thus, it is intended that the present invention also include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.

Claims (7)

1. A network dynamic defense method, comprising:
step 1: based on an access request from a client to a server, obtaining the JS code corresponding to the web page returned by the server, and dynamically packaging the web page returned by the server;
step 2: before access is allowed, randomly acquiring detection items, generating corresponding detection codes according to the threat situation, and carrying out dynamic bidirectional detection on the client and the server;
step 3: while access is allowed, acquiring web page transmission data, screening sensitive information, and randomly selecting an obfuscation (confusion) algorithm to dynamically obfuscate the sensitive information;
step 4: after access is allowed, judging the legitimacy of the request currently accessing the page content, and granting a one-time dynamic token to the address of the legitimate request;
wherein step 2 includes:
the server receives the access request and sends a bidirectional verification request to the client;
after receiving the bidirectional verification request, the client sends the set of detection items it supports (the first detection item set) to the server;
obtaining the second detection item set supported by the server, selecting the detection items common to the first and second detection item sets, and constructing the third detection item set from them;
assigning a first serial number to each detection item in the third detection item set, where each detection item is an independent item and the third detection item set contains n kinds of items;
randomly selecting d detection items from the third detection item set, where d is the result of rand(1, n), and recording the first serial number of each selected item;
randomly selecting d numbers from the number list and randomly pairing each number with a first serial number to obtain the first sequences;
randomly combining all the first sequences into a second sequence;
obtaining the first detection item sequence from the detection items and detection counts corresponding to the second sequence;
sending the first detection item sequence to the server and the client for detection, and acquiring in real time the average detection duration of the server-side and client-side item detection;
if the average detection duration is longer than the preset detection duration, calculating a detection abnormality index;
if the detection abnormality index is larger than the preset detection abnormality index, judging that the detection process is under threat, locking the abnormal sequence in the first detection item sequence, and removing the detection items matching the abnormal sequence;
randomly selecting r detection items from the third detection item set again, where r is the result of rand(1, n-d), and recording the second serial number of each selected item;
randomly selecting r numbers from the number list and randomly pairing each number with a second serial number to obtain the third sequences, where r is greater than n1 and less than d, and n1 is the number of removed detection items;
randomly combining all the third sequences and the reserved first sequences into a fourth sequence;
obtaining the second detection item sequence from the detection items and detection counts corresponding to the fourth sequence;
and sending the second detection item sequence to the server and the client for detection.
2. The method of claim 1, wherein obtaining the JS code corresponding to the web page returned by the server based on the access request from the client to the server, and dynamically packaging the web page returned by the server, comprises:
extracting access key information from the access request of the client to the server;
obtaining all corresponding JS codes from the access key information and the access-information-to-JS-code comparison table, and constructing a JS code set;
randomly selecting a first JS code from the JS code set, packaging the access key information with the first JS code, and sending the packaged first access information to a firewall for security verification;
if the security verification passes, the firewall sends an access permission signal to the client;
and if the security verification fails, rejecting the access request corresponding to the first JS code.
3. The method of claim 2, further comprising, after the firewall sends the access permission signal when the security verification passes:
after receiving the access permission signal, the client invalidates the first JS code and randomly selects a second JS code, other than the first JS code, from the JS code set;
packaging the access key information with the second JS code to obtain second access information, and sending the second access information to the browser side for running-environment verification to obtain an environment verification result;
and if the environment verification result passes, sending a return signal to the client.
4. The method of claim 3, further comprising, after sending the return signal to the client when the environment verification result passes:
after receiving the return signal, the client invalidates the second JS code and randomly selects a third JS code, other than the first and second JS codes, from the JS code set;
and packaging the web page code returned by the server with the third JS code.
5. The method of claim 1, wherein calculating the detection abnormality index if the average detection duration is longer than the preset detection duration comprises:
the method comprises the steps of carrying out a first treatment on the surface of the Wherein (1)>Indicating a detected abnormality index; />Representing the number of all detection items in the first detection item sequence; />Representing the +.sup.th in the first test item sequence>Actual detection time of each detection item; />Representing the +.sup.th in the first test item sequence>The due detection time of the individual detection items, and +.>;/>Representing the +.sup.th in the first test item sequence>Detecting weights corresponding to the detection items; />Representing the +.sup.th in the first test item sequence>Actual detection times corresponding to the detection items; />A time coefficient representing a first sequence of detection items; />A detection coefficient representing a first sequence of detection items; />Representing the +.sup.th in the first test item sequence>The number of times of detection corresponding to the detection items is +.>
6. The method of claim 1, wherein, while access is allowed, acquiring web page transmission data, screening sensitive information, and randomly selecting an obfuscation (confusion) algorithm to dynamically obfuscate the sensitive information, comprises:
acquiring the transmission data of each web page and splitting it to obtain head information and tail information;
inputting the head information and tail information into a sensitive information extraction model to obtain the content of sensitive information in the head and tail information of the corresponding web page transmission data;
if the content of sensitive information is greater than or equal to the preset sensitive information content, the corresponding web page transmission data is sensitive data;
and randomly selecting an obfuscation algorithm to simulate the head and tail information of the sensitive data, obtaining obfuscated information similar to the head and tail of the sensitive information.
7. The method of claim 1, wherein, after access is allowed, judging the legitimacy of the request currently accessing the page content and granting a one-time dynamic token to the address of the legitimate request, comprises:
after receiving the access request, the server sends its public key to the client;
the client parses the basic information of the public key, calls the corresponding private key to decode it, and sends a decoding-success signal;
the server receives the decoding-success signal and sends a dynamic token;
when the dynamic token exceeds the prescribed token usage time, the dynamic token becomes invalid.
CN202310348222.1A 2023-04-03 2023-04-03 Network dynamic defense method Active CN116545650B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310348222.1A CN116545650B (en) 2023-04-03 2023-04-03 Network dynamic defense method

Publications (2)

Publication Number Publication Date
CN116545650A CN116545650A (en) 2023-08-04
CN116545650B true CN116545650B (en) 2024-01-30

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant