CN117081828A - Mining attack monitoring and protecting method and device for client - Google Patents

Info

Publication number: CN117081828A
Authority: CN (China)
Prior art keywords: current network, network resource, client, information, mining
Legal status: Pending (status as listed by Google Patents; an assumption, not a legal conclusion)
Application number: CN202311121198.4A
Other languages: Chinese (zh)
Inventors: 高岩, 赵红旺, 郭虎, 潘守华
Current assignee: Dongfeng Commercial Vehicle Co Ltd (as listed; may be inaccurate)
Original assignee: Dongfeng Commercial Vehicle Co Ltd
Application filed by Dongfeng Commercial Vehicle Co Ltd
Priority to CN202311121198.4A
Publication of CN117081828A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Computer And Data Communications (AREA)

Abstract

The application discloses a mining attack monitoring and protecting method and device for a client, in the field of information security. The method comprises: in response to a request to a remote situation awareness platform, the client accesses the platform, acquires mining attack information and stores it; acquiring the source code data of the current network resource in the client and the data packet information requested by that resource, matching the source code data against the mining attack information, and obtaining a first result according to a preset matching rule; acquiring the performance consumption state of the core processing hardware of the client, and obtaining a second result by comparing that performance consumption with a set threshold; and, according to the first result and the second result, executing the corresponding operation on the current network resource: blocking, marking and reporting, or no processing. The application detects and protects against mining attacks better.

Description

Mining attack monitoring and protecting method and device for client
Technical Field
The application relates to the field of information security, in particular to a mining attack monitoring and protecting method and device for a client.
Background
Existing detection and protection schemes for malicious programs such as miners comprise a detection mode based on mining features and a mining protection mode based on the host layer. In the feature-based detection mode, a script file download operation is generated in response to traffic data, and a matching result is obtained by matching preset threat intelligence data against the traffic data; a mining identification model determines whether the traffic data matches the feature word set of the script file, that word set having been obtained by word segmentation and denoising of the script file; the threat intelligence is matched item by item, and mining feature information is collected.
In the host-layer mining protection mode, various performance index data of the host are obtained, the performance index data being behaviour feature data that represent the abnormal changes of a host during mining; the average value of each performance index over a preset monitoring period is determined and compared with a first preset threshold to decide whether to trigger an alarm; if an alarm is triggered, the communication behaviour of the host is monitored and checked against a preset mining behaviour judgment rule, and the judgment result decides whether virtual-currency mining is taking place.
However, the feature-based detection mode places high demands on the choice of feature values, and its detection effect depends on the feature library; the host-layer protection mode cannot identify mining caused by a web-page attack, and either cannot defend directly against web-page mining attacks or its defence is not obvious. An effective mining attack detection and protection scheme is therefore needed.
Disclosure of Invention
Aiming at the defects in the prior art, the application aims to provide a mining attack monitoring and protecting method and device for a client, which can better detect and protect mining attacks.
In order to achieve the above purpose, the mining attack monitoring and protecting method for the client provided by the application specifically comprises the following steps:
in response to a request to the remote situation awareness platform, the client accesses the platform, acquires mining attack information from it and stores it locally;
acquiring source code data of current network resources and data packet information requested by the current network resources in a client, matching the source code data with mining attack information, and acquiring a first result according to a preset matching rule;
acquiring the performance consumption state of the core processing hardware of the client, and obtaining a second result according to the comparison between the performance consumption of the core processing hardware and the set threshold value;
and, according to the first result and the second result, executing the corresponding operation on the current network resource: blocking, marking and reporting, or no processing.
On the basis of the above technical solution:
the client comprises a website, a browser and an application program;
the mining attack information is mining feature information, comprising the mining site name, the mining site IP, the domain name communication address, the wallet address and the hash of the mining trojan.
On the basis of the technical scheme, the method for obtaining the source code data of the current network resource and the data packet information requested by the current network resource in the client, and matching the source code data with the mining attack information, and obtaining a first result according to a preset matching rule comprises the following specific steps:
acquiring source code data of current network resources in a client and data packet information requested by the current network resources;
characteristic information items of source code data of the current network resource are sequentially matched with mining attack information, and characteristic information items of data packet information requested by the current network resource are sequentially matched with mining attack information:
if at least one item of characteristic information of the source code data is matched with the mining attack information, or at least one item of characteristic information of the data packet information is matched with the mining attack information, the current network resource hits the first rule, otherwise, the current network resource does not hit the first rule.
The characteristic information of the source code data comprises request IP information, domain name communication address information, wallet address information and Hash information of source codes; the characteristic information of the data packet information comprises request IP information, domain name communication address information, wallet address information and hash information of the request packet.
Based on the above technical solution, the obtaining the performance consumption state of the core processing hardware of the client, and obtaining the second result according to the comparison between the performance consumption of the core processing hardware and the set threshold value, specifically includes the steps of:
setting a CPU performance occupation threshold value and setting a disposal mode, wherein the disposal mode is to block current network resources or mark the current network resources as suspicious programs and report the suspicious programs to a remote situation awareness platform;
periodically acquiring the occupancy rate of a CPU of a client, and comparing the acquired occupancy rate with a set CPU performance occupancy threshold;
based on the comparison result: if the occupancy rate exceeds the CPU performance occupancy threshold, the current network resource hits the second rule; if it does not, the current network resource does not hit the second rule, the CPU occupancy rate of the client continues to be acquired periodically, and each acquired value is compared with the set threshold.
Based on the above technical solution, the performing corresponding operations on the current network resource according to the first result and the second result, and performing blocking processing, label reporting processing or non-processing, specifically includes the steps of:
if the current network resource hits the first rule and does not hit the second rule, marking the current network resource as a suspicious program and reporting it to the remote situation awareness platform, which then makes the final judgment on the resource;
if the current network resource hits the second rule and does not hit the first rule, blocking the current network resource according to the set disposal mode, or marking the current network resource as a suspicious program and reporting the suspicious program to a remote situation awareness platform;
if the current network resource hits the first rule and hits the second rule, blocking the current network resource;
if the current network resource does not hit the first rule and does not hit the second rule, the current network resource is not processed.
On the basis of the technical scheme, after blocking the current network resource, the method further comprises the following steps:
re-opening the current network resource and loading a front-end malicious code protection module;
based on the identification of the front-end malicious code protection module to the current network resource, the mining code in the current network resource is destroyed or deleted by an inline function processing mode, a static script processing mode and a dynamic script processing mode.
Based on the technical scheme, the specific steps of the inline function processing mode comprise:
configuring a white list of inline events to be released;
acquiring the source code data of the current network resource through the client, and intercepting all document.on* event handlers by monitoring the document object;
matching each intercepted document.on* event against the configured white list; if the white list is hit, the current document.on* event is released, and if it is not hit, the code corresponding to the current document.on* event is destroyed.
Based on the technical scheme, the static script processing mode comprises the following specific steps:
configuring a white list of remote call resource addresses;
acquiring the source code data of the current network resource through the client, and monitoring changes of child nodes and attributes in the DOM tree with a MutationObserver;
based on the monitoring result, when child nodes or attributes of the DOM tree change, intercepting the current network resource and then filtering it;
the filtering process marks the iframe tags and script tags of the current network resource and, when a src attribute exists, matches the src attribute against the white list; if the white list is hit, the current network resource is released, and if it is not hit, the value of the src attribute is deleted.
Based on the technical scheme, the specific steps of the dynamic script processing mode comprise:
when source code data is loaded in the webview of the client, detecting dynamically generated scripts and intercepting the maliciously generated code part, where the maliciously generated code part comprises dynamically generated src and innerHTML attributes, and rewritten document.write, setAttribute, Ajax requests, WebSocket requests and postMessage requests.
The application provides a mining attack monitoring and protecting device of a client, which comprises the following components:
the acquisition module, which drives the client to access the remote situation awareness platform in response to the platform request, so as to acquire and store mining attack information;
the first judging module is used for acquiring source code data of the current network resource and data packet information requested by the current network resource in the client, matching the source code data with mining attack information and obtaining a first result according to a preset matching rule;
the second judging module is used for acquiring the performance consumption state of the core processing hardware of the client and obtaining a second result according to the comparison between the performance consumption of the core processing hardware and the set threshold value;
and the execution module, which executes the corresponding operation on the current network resource according to the first result and the second result: blocking, marking and reporting, or no processing.
Compared with the prior art, the application has the following advantages. Compared with traditional purely server-side protection against mining attacks, filtering at the client reduces the load on the server, and mining attacks carried out through DOM-based cross-site scripting can be prevented, so the method retains the advantages of traditional collaborative (client plus server) filtering; at the same time a situation awareness model is introduced and threat intelligence is used as one basis of judgment, so mining attacks are detected and protected against better, and mining scripts can be effectively destroyed without affecting other normal flows. The application is also cross-platform: it is integrated only at the client, so the compatibility of the server's development language need not be considered.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present application, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of a conventional cross-site scripting attack protection scheme;
FIG. 2 is a schematic diagram of a cross-site scripting attack protection scheme according to the present application;
fig. 3 is a flowchart of a mining attack monitoring and protecting method of a client according to an embodiment of the present application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present application more apparent, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments of the present application.
First, it should be noted that current web-page mining attacks are mainly carried out in three ways: 1. cross-site attacks; 2. advertising alliances (ad networks); 3. phishing websites. Against these attack modes, the method protects browsers and similar clients from mining attacks by protecting server-side code and by injecting protective code or browser plug-ins.
The conventional cross-site scripting attack protection scheme is shown in fig. 1, and the cross-site scripting attack protection scheme of the application is shown in fig. 2.
Referring to fig. 3, the mining attack monitoring and protecting method for a client provided by the embodiment of the application specifically includes the following steps:
s1: based on the remote situation awareness platform request, the client accesses the remote situation awareness platform to acquire and store mining attack information;
the method is used for detecting whether the mining suspicious program exists in the loading resource or not by arranging a related situation awareness module in the client. In a specific implementation, the client includes a website, a browser, and an application.
The mining attack can be carried out through websites, browser plug-ins and webview (core view class in WebKit framework) in application programs, and based on the mining attack monitoring and protecting method, the mining attack monitoring and protecting method mainly covers loading mining codes, advertisement alliances and fishing attacks by using cross-site scripts.
In the application, the mining attack information is mining characteristic information, including mining site names, mining site IP (Internet Protocol ), domain name communication addresses, wallet addresses and Hash of mining Trojan horses.
3. In order to identify the attack characteristics of mining, mining alarm rules are preset, and the rules are deployed in a remote situation awareness platform so as to be updated dynamically. The client initiates a request to the remote situation awareness platform, acquires latest mining attack information, including mining characteristics such as mining field names, mining field IP, domain name communication addresses, wallet addresses, hash of mining Trojan horses and the like, and stores the acquired mining attack information in a local mining information module.
S2: acquiring source code data of current network resources and data packet information requested by the current network resources in a client, matching the source code data with mining attack information, and acquiring a first result according to a preset matching rule;
in the application, source code data of current network resources in a client and data packet information requested by the current network resources are acquired and matched with mining attack information, and a first result is obtained according to a preset matching rule, and the method specifically comprises the following steps:
s201: acquiring source code data of current network resources in a client and data packet information requested by the current network resources;
s202: characteristic information items of source code data of the current network resource are sequentially matched with mining attack information, and characteristic information items of data packet information requested by the current network resource are sequentially matched with mining attack information:
if at least one item of characteristic information of the source code data is matched with the mining attack information, or at least one item of characteristic information of the data packet information is matched with the mining attack information, the current network resource hits the first rule, otherwise, the current network resource does not hit the first rule.
The characteristic information of the source code data comprises request IP information, domain name communication address information, wallet address information and Hash information of source codes; the characteristic information of the data packet information comprises request IP information, domain name communication address information, wallet address information and hash information of the request packet.
The client acquires the source code data of the current network resource and the data packet information it requested, and matches each feature item of the source code data against the mining attack information in turn; if any item matches, the current network resource is judged to hit the first rule and is marked, otherwise it does not hit the first rule.
Each feature item of the data packet information is matched against the mining attack information in the same way; if any item matches, the current network resource is judged to hit the first rule and is marked, otherwise it does not hit the first rule.
S3: acquiring the performance consumption state of the core processing hardware of the client, and obtaining a second result according to the comparison between the performance consumption of the core processing hardware and the set threshold value;
in the application, the performance consumption state of the core processing hardware of the client is obtained, and a second result is obtained according to the comparison between the performance consumption of the core processing hardware and a set threshold value, and the specific steps comprise:
s301: setting a CPU (central processing unit) performance occupancy threshold and a disposal mode, where the disposal mode is either to block the current network resource or to mark it as a suspicious program and report it to the remote situation awareness platform;
s302: periodically acquiring the CPU occupancy rate of the client, and comparing the acquired occupancy rate with the set CPU performance occupancy threshold;
s303: based on the comparison result: if the occupancy rate exceeds the CPU performance occupancy threshold, the current network resource hits the second rule; if it does not, the current network resource does not hit the second rule, the CPU occupancy rate of the client continues to be acquired periodically, and each acquired value is compared with the set threshold.
Namely, by arranging a CPU performance monitoring module in the client, the CPU performance monitoring module is used for detecting whether abnormal performance occupation exists in the loading resource. Presetting a CPU performance occupation threshold and a disposal mode, when the occupation rate of the CPU exceeds the CPU performance occupation threshold, indicating that the current network resource hits the second rule, and if the occupation rate does not exceed the CPU performance occupation threshold, indicating that the current network resource does not hit the second rule.
S4: according to the first result and the second result, executing the corresponding operation on the current network resource: blocking, marking and reporting, or no processing.
In the application, according to the first result and the second result, corresponding operation is executed on the current network resource, and blocking processing, mark reporting processing or non-processing is carried out, and the specific steps comprise:
if the current network resource hits the first rule and does not hit the second rule, marking the current network resource as a suspicious program and reporting it to the remote situation awareness platform, which then makes the final judgment on the resource; staff of the situation awareness platform manually check whether the first-rule hit is a false positive;
if the current network resource hits the second rule and does not hit the first rule, blocking the current network resource according to the set disposal mode, or marking it as a suspicious program and reporting it to the remote situation awareness platform, sending the feature information of the current network resource to the platform;
if the current network resource hits both the first rule and the second rule, blocking the current network resource; the blocking operation directly closes the website being accessed.
If the current network resource does not hit the first rule and does not hit the second rule, the current network resource is not processed.
In one possible implementation, since the mining attack may come from a cross-site attack or an advertising alliance, the original code of the network resource itself is not malicious; so that the user can still access the resource normally, the mining code may be destroyed or deleted and the resource then opened again.
Therefore, in the present application, after the blocking operation is performed on the current network resource, the method further includes:
s501: re-opening the current network resource and loading a front-end malicious code protection module;
s502: based on the identification of the front-end malicious code protection module to the current network resource, the mining code in the current network resource is destroyed or deleted by an inline function processing mode, a static script processing mode and a dynamic script processing mode.
In the application, the specific steps of the processing mode of the inline function comprise:
s5021: configuring a white list of inline events to be released; if no white list is configured separately, by default no inline event is released.
S5022: acquiring the source code data of the current network resource through the client, and intercepting all document.on* event handlers by monitoring the document object. The document object is the object that each HTML document loaded into the browser becomes.
S5023: matching each intercepted document.on* event against the configured white list; if the white list is hit, the current document.on* event is released, and if it is not hit, the code corresponding to the current document.on* event is destroyed, for example by renaming "onerror" to "on_error" so that it no longer binds a handler.
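The inline function processing of steps S5021 to S5023, as an added example (not the patent's own code): the guard shadows every on* handler property of the document object with an accessor, forwards white-listed assignments to the original setter and parks everything else under on_<event>, and the same rename is applied to markup before it is parsed. The white list and the document-like object used for the offline run are constructed for the example; in a browser the same function is applied to `document` and, with the same loop, to `HTMLElement.prototype`.

```javascript
'use strict';

// Inline event handlers allowed to run. Assumption for the example; the method
// releases nothing when no white list is configured.
const INLINE_ALLOW = new Set(['onload', 'onclick']);

// Every on* handler property reachable on the object or its prototype chain.
function inlineHandlerNames(obj) {
  const names = new Set();
  for (let o = obj; o && o !== Object.prototype; o = Object.getPrototypeOf(o)) {
    for (const k of Object.getOwnPropertyNames(o)) {
      if (/^on[a-z]+$/.test(k)) names.add(k);
    }
  }
  return names;
}

function findDescriptor(obj, name) {
  for (let o = obj; o; o = Object.getPrototypeOf(o)) {
    const d = Object.getOwnPropertyDescriptor(o, name);
    if (d) return d;
  }
  return undefined;
}

// Shadow each on* property with an accessor: assignments to white-listed names
// are forwarded to the original setter (or stored, for a plain object); other
// assignments are parked under on_<event> so the handler is never installed.
function installInlineHandlerGuard(doc, allow = INLINE_ALLOW, report = () => {}) {
  const parked = {};
  for (const name of inlineHandlerNames(doc)) {
    const orig = findDescriptor(doc, name);
    Object.defineProperty(doc, name, {
      configurable: true,
      enumerable: true,
      get() {
        if (!allow.has(name)) return null;
        return orig && orig.get ? orig.get.call(doc) : (parked[name] ?? null);
      },
      set(fn) {
        if (!allow.has(name)) {
          parked['on_' + name.slice(2)] = fn; // destroyed: renamed, not wired up
          report(name);
          return;
        }
        if (orig && orig.set) orig.set.call(doc, fn); else parked[name] = fn;
      },
    });
  }
  return parked;
}

// Same rule applied to markup before it is parsed: on<event>= attributes that
// are not white-listed are renamed to on_<event>= so the browser ignores them.
function sanitizeInlineAttributes(html, allow = INLINE_ALLOW) {
  return html.replace(/\s(on[a-z]+)(\s*=)/gi, (whole, name, eq) =>
    allow.has(name.toLowerCase()) ? whole : ` on_${name.slice(2)}${eq}`);
}

// Offline demo on a constructed document-like object (in a browser you would
// pass `document` itself).
const fakeDocument = { title: 'demo', onload: null, onerror: null, onmouseover: null };
const blockedNames = [];
const guardState = installInlineHandlerGuard(fakeDocument, INLINE_ALLOW, (n) => blockedNames.push(n));
fakeDocument.onload = () => 'loaded';   // white-listed: installed
fakeDocument.onerror = () => 'miner';   // not white-listed: parked as on_error

const sanitized = sanitizeInlineAttributes('<img src=x onerror="m()" onload="ok()">');
console.log(blockedNames, fakeDocument.onerror, sanitized);
```

The attribute rewrite is a plain text substitution and will also touch an `onerror=` that happens to sit inside a string literal in an inline script; the accessor guard has no such false positives but only covers handlers assigned through properties, so the two are used together, and `addEventListener` still needs its own wrapper.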
In the application, the specific steps of the static script processing mode comprise:
s5121: configuring a white list of remote call resource addresses; if no white list is configured separately, by default no remote resource can be introduced;
s5122: acquiring the source code data of the current network resource through the client, and monitoring changes of child nodes and attributes in the DOM (Document Object Model) tree with a MutationObserver (a constructor);
s5123: based on the monitoring result, when child nodes or attributes of the DOM tree change, intercepting the current network resource and then filtering it;
the filtering process marks the iframe tag (an HTML tag) and the script tag (which defines client-side script) of the current network resource and, when a src attribute (the attribute naming the resource to load) exists, matches the src attribute against the white list; if the white list is hit, the current network resource is released, and if it is not hit, the value of the src attribute is deleted, for example "<script src=common.js>" becomes "<script src=>".
In the application, the specific steps of the dynamic script processing mode comprise:
when source code data is loaded in the webview of the client, dynamically generated scripts are detected and the maliciously generated code part is intercepted, where the maliciously generated code part comprises dynamically generated src and innerHTML attributes (strings), and rewriting of document.write, setAttribute (which sets an attribute value of an element), Ajax (a web development technique) requests, WebSocket (a protocol for full-duplex communication over a single TCP connection) requests and postMessage (the cross-window messaging API) requests.
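The static script processing (S5121 to S5123) and the dynamic script processing just described share one white-list check on the src value, so both are shown in a single added example; this is code written for this page, not the patent's implementation. The page origin, the white list and the element and document stand-ins are constructed so the demo runs under Node.js; `observeDom` wires the same filter to a MutationObserver when a browser provides one. Of the sinks the text lists, `setAttribute` and `document.write` are wrapped here; innerHTML, Ajax, WebSocket and postMessage are wrapped in the same way, with the check applied to the URL or markup they receive.

```javascript
'use strict';

// Hosts from which remote scripts and iframes may be loaded; 'self' stands for
// the page's own origin. Both values are assumptions for the example; the
// method defaults to allowing no remote resource when no white list is set.
const REMOTE_ALLOW = new Set(['self', 'cdn.example.org']);
const PAGE_ORIGIN = 'https://app.example.org';

// Resolve a src value against the page origin; anything unparsable, any
// non-web scheme (data:, javascript:) and any host not on the list is denied.
function srcAllowed(src, pageOrigin = PAGE_ORIGIN, allow = REMOTE_ALLOW) {
  let url;
  try { url = new URL(String(src), pageOrigin); } catch (e) { return false; }
  if (!['http:', 'https:', 'ws:', 'wss:'].includes(url.protocol)) return false;
  if (url.origin === new URL(pageOrigin).origin) return allow.has('self');
  return allow.has(url.hostname);
}

// Static processing: filter one node. Works on real elements and on the
// constructed objects below, which expose getAttribute/setAttribute.
function filterNode(node, pageOrigin = PAGE_ORIGIN, allow = REMOTE_ALLOW) {
  const tag = String(node.tagName || '').toLowerCase();
  if (tag !== 'script' && tag !== 'iframe') return 'ignored';
  const src = node.getAttribute('src');
  if (src === null) return 'inline';            // left to inline/dynamic processing
  if (srcAllowed(src, pageOrigin, allow)) return 'released';
  node.setAttribute('src', '');                 // <script src=common.js> becomes <script src="">
  return 'stripped';
}

// Browser wiring: re-check added nodes and src changes as they enter the DOM.
// Returns null outside a browser so the file still loads under Node.
function observeDom(root, pageOrigin = PAGE_ORIGIN, allow = REMOTE_ALLOW) {
  if (typeof MutationObserver === 'undefined') return null;
  const mo = new MutationObserver((records) => {
    for (const r of records) {
      for (const n of r.addedNodes) if (n.nodeType === 1) filterNode(n, pageOrigin, allow);
      if (r.type === 'attributes') filterNode(r.target, pageOrigin, allow);
    }
  });
  mo.observe(root, { childList: true, subtree: true, attributes: true, attributeFilter: ['src'] });
  return mo;
}

// Dynamic processing: a MutationObserver only sees a node after insertion, so
// the sinks that create scripts are wrapped before the script can run.
function hookSetAttribute(target, log, pageOrigin = PAGE_ORIGIN, allow = REMOTE_ALLOW) {
  const original = target.setAttribute;
  target.setAttribute = function (name, value) {
    if (String(name).toLowerCase() === 'src' && !srcAllowed(value, pageOrigin, allow)) {
      log(`setAttribute src blocked: ${value}`);
      return original.call(this, name, '');
    }
    return original.call(this, name, value);
  };
}

const SRC_IN_MARKUP = /(<(?:script|iframe)\b[^>]*\bsrc\s*=\s*)(["']?)([^"'\s>]+)\2/gi;

function hookDocumentWrite(doc, log, pageOrigin = PAGE_ORIGIN, allow = REMOTE_ALLOW) {
  const original = doc.write;
  doc.write = function (markup) {
    const cleaned = String(markup).replace(SRC_IN_MARKUP, (whole, head, q, src) =>
      srcAllowed(src, pageOrigin, allow) ? whole : `${head}${q}${q}`);
    if (cleaned !== markup) log('document.write: remote src stripped');
    return original.call(this, cleaned);
  };
}

// Constructed element/document stand-ins for running the demo under Node.
function fakeElement(tagName, attrs = {}) {
  return {
    tagName, nodeType: 1, attrs: { ...attrs },
    getAttribute(n) { return n in this.attrs ? this.attrs[n] : null; },
    setAttribute(n, v) { this.attrs[n] = String(v); },
  };
}
const log = [];
const hostile = fakeElement('script', { src: 'https://pool.example-miner.test/m.js' });
const trusted = fakeElement('script', { src: 'https://cdn.example.org/lib.js' });
const local = fakeElement('iframe', { src: '/frame.html' });
const staticResults = [hostile, trusted, local].map((n) => filterNode(n));

hookSetAttribute(trusted, (m) => log.push(m));
trusted.setAttribute('src', 'https://ws.example-miner.test/x.js'); // dynamic swap: stripped

const fakeDoc = { written: [], write(m) { this.written.push(m); } };
hookDocumentWrite(fakeDoc, (m) => log.push(m));
fakeDoc.write('<script src="https://pool.example-miner.test/m.js"></script><script src="https://cdn.example.org/a.js"></script>');
console.log(staticResults, trusted.attrs.src, fakeDoc.written[0], log);
```

Denying `javascript:` and `data:` sources is deliberate: a miner that cannot reach its pool domain through a script tag can still be inlined as a data: URL, and the white list is meaningless if those schemes pass. The `document.write` rewrite is a regular expression over markup and will not follow every HTML parsing corner case, which is why the MutationObserver pass runs as well and catches whatever reaches the DOM.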
In the application, the characteristic value of the malicious code identified by the front-end malicious code protection module can be uploaded to the remote situation awareness platform, and the matching hit flow of the first rule is directly bypassed and the resource blocking flow is directly entered when the network resource containing the malicious code is subsequently opened again.
For the mining attack monitoring and protecting method, filtering is carried out on a DOM (cross site scripting attack) by aiming at a client, and a cross site attack code filtering module is deployed, wherein the module comprises three functions: 1. processing an inline function; 2. static script processing; 3. dynamic scenario processing.
The inline function processing is a method for monitoring document objects, intercepting all document. On-events, extracting on-events to compare with a blacklist, and prohibiting execution and alarming if the on-events exist in the blacklist.
Static script processing is to monitor changes in child nodes and attributes in the DOM tree using a mutationonserve function. When DOM nodes or attributes change, the DOM nodes or attributes are intercepted and then filtered. The iframe tag, the script tag, and the like are marked in the filtering process, white list matching is performed on the src attribute if the sec attribute exists, and the non-malicious input is determined if the src attribute exists in the white list.
Dynamic script processing targets scripts generated at runtime. Such a script has to be captured before it is inserted into the DOM tree so that malicious scripts can be filtered out, but a MutationObserver only reports changes to child nodes already in the DOM and cannot filter a script before it executes. The following measures are therefore taken for dynamically generated scripts: intercept dynamically generated src and innerHTML attribute values, and override document.write, setAttribute, Ajax requests, WebSocket requests and postMessage requests.
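The overrides listed above (and in the earlier description of the dynamic script case), as an added example that is not the patent's code. The src whitelist, the pool host pattern and the Stratum payload pattern are assumptions standing in for mining attack information that a deployment would pull from the situation awareness platform; the window object is a parameter so the hooks can be installed on a real page or on a constructed stand-in.

```javascript
'use strict';
// Added example, not the patent's code: wrap the sinks a runtime-generated mining script
// must pass through, and refuse the call before it reaches the DOM or the network.

const PAGE_BASE = 'https://page.example/';                                              // assumed
const DEFAULT_POLICY = {
  srcWhitelist: ['https://page.example/', 'https://cdn.example.com/'],                   // assumed
  poolHosts: /(^|\.)(coinhive\.com|coin-hive\.com|cryptoloot\.pro|authedmine\.com)$/i,   // assumed
  // Stratum/JSON-RPC methods a browser miner sends over WebSocket or postMessage (assumed).
  minerPayload: /"method"\s*:\s*"(login|submit|mining\.(subscribe|authorize|submit))"/i,
};

function parseUrl(value) {
  try { return new URL(String(value), PAGE_BASE); } catch { return null; }
}
// script/iframe src: https and a whitelisted prefix, otherwise refused.
function srcAllowed(src, policy = DEFAULT_POLICY) {
  const u = parseUrl(src);
  return !!u && u.protocol === 'https:' && policy.srcWhitelist.some(p => u.href.startsWith(p));
}
// Ajax/WebSocket endpoint: refused if the host is a known pool or the URL does not parse.
function endpointAllowed(url, policy = DEFAULT_POLICY) {
  const u = parseUrl(url);
  return !!u && !policy.poolHosts.test(u.hostname);
}
// Message or frame body: refused if it carries Stratum markers.
function payloadAllowed(data, policy = DEFAULT_POLICY) {
  const text = typeof data === 'string' ? data : JSON.stringify(data ?? '');
  return !policy.minerPayload.test(text);
}
// Cheap scan of an HTML fragment for script/iframe src values (a check, not an HTML parser).
const FRAGMENT_SRC_RE = /<\s*(script|iframe)\b[^>]*?\bsrc\s*=\s*["']?([^"'\s>]+)/gi;
function fragmentAllowed(html, policy = DEFAULT_POLICY) {
  for (const m of String(html).matchAll(FRAGMENT_SRC_RE)) if (!srcAllowed(m[2], policy)) return false;
  return true;
}

// Installs the overrides on `win` and returns the list of refused operations.
function installDynamicHooks(win, policy = DEFAULT_POLICY) {
  const blocked = [];
  const deny = (sink, detail) => { blocked.push({ sink, detail: String(detail).slice(0, 120) }); };

  const doc = win.document;                                     // document.write
  const origWrite = doc.write.bind(doc);
  doc.write = html => (fragmentAllowed(html, policy) ? origWrite(html) : deny('document.write', html));

  const proto = win.Element.prototype;                          // setAttribute('src', ...)
  const origSetAttribute = proto.setAttribute;
  proto.setAttribute = function (name, value) {
    const scriptLike = /^(script|iframe)$/i.test(this.tagName);
    if (scriptLike && String(name).toLowerCase() === 'src' && !srcAllowed(value, policy)) {
      return deny('setAttribute', value);
    }
    return origSetAttribute.call(this, name, value);
  };
  const inner = Object.getOwnPropertyDescriptor(proto, 'innerHTML'); // innerHTML setter
  if (inner && inner.set) {
    Object.defineProperty(proto, 'innerHTML', {
      configurable: true, enumerable: inner.enumerable, get: inner.get,
      set(html) { fragmentAllowed(html, policy) ? inner.set.call(this, html) : deny('innerHTML', html); },
    });
  }
  if (win.XMLHttpRequest) {                                     // Ajax
    const origOpen = win.XMLHttpRequest.prototype.open;
    win.XMLHttpRequest.prototype.open = function (method, url, ...rest) {
      if (!endpointAllowed(url, policy)) { deny('xhr.open', url); throw new Error('blocked by mining policy'); }
      return origOpen.call(this, method, url, ...rest);
    };
  }
  if (win.WebSocket) {                                          // WebSocket connect and send
    const OrigWS = win.WebSocket;
    const origSend = OrigWS.prototype.send;
    OrigWS.prototype.send = function (data) {
      if (!payloadAllowed(data, policy)) return deny('websocket.send', data);
      return origSend.call(this, data);
    };
    win.WebSocket = class extends OrigWS {
      constructor(url, protocols) {
        if (!endpointAllowed(url, policy)) { deny('websocket', url); throw new Error('blocked by mining policy'); }
        super(url, protocols);
      }
    };
  }
  const origPost = win.postMessage.bind(win);                   // postMessage
  win.postMessage = (msg, ...rest) => (payloadAllowed(msg, policy) ? origPost(msg, ...rest) : deny('postMessage', msg));

  return { blocked };
}

if (typeof window !== 'undefined') installDynamicHooks(window);
```

These hooks are only effective if they run before any page script, and a script that captured the original prototypes earlier, or that creates a fresh realm through an iframe, will not pass through them; the first-rule and CPU checks remain the backstop for that case.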
Furthermore, the application places a threat perception module in the client and restricts the running of mining scripts with a blacklist. The blacklist holds feature information such as mining pool names, mining pool IP addresses and mining pool domain names, and covers common web page mining attacks (for example a blacklist of Coinhive, JSEcoin, CryptoLoot, deepMiner, webmine, BrowserMine, Coinimp, CryptoWebMiner, PPoi, Mineral miners and Kitty/Me0w miners); the blacklist can be modified dynamically.
Furthermore, in the client deployment, the first CPU monitoring module monitors the CPU occupancy rate when a user opens a new page by calling the chrome.
Further, a second CPU monitoring module is deployed at the client. It creates a timer, sends a request at fixed intervals and records the execution time of each. When the user opens a new page, if the recorded time differs greatly from the previously recorded time and the difference does not fall noticeably over several consecutive recordings, the page is considered to carry a large performance cost and is suspected of running a mining program.
Compared with traditional pure server-side filtering, the mining attack monitoring and protection method for the client reduces the load on the server and effectively prevents DOM-based cross-site scripting; compared with pure client-side filtering, it is better at preventing non-DOM cross-site scripting. The application not only has the advantages of traditional collaborative filtering but also prevents an attacker from bypassing client-side filtering by capturing and modifying HTTP (hypertext transfer protocol) traffic, and so defends better against cross-site scripting attacks.
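The timer heuristic of the second CPU monitoring module, as an added example that is not the patent's code. The probe, the baseline of five samples, the spike ratio of 3 and the three-sample sustain window are assumptions; in a page it would run as setInterval(() => detector.record(probeOnce()), 1000) and detector.evaluate() would be consulted when a new page is opened.

```javascript
'use strict';
// Added example, not the patent's code: a timer-lag detector. Execution times of a fixed
// probe are recorded periodically; a jump relative to the baseline that persists over
// several recordings marks the page as a suspected miner. Thresholds are assumptions.

// Fixed CPU-bound probe: its wall-clock time grows when mining threads saturate the cores.
function probeOnce(iterations = 200000) {
  const start = performance.now();
  let acc = 0;
  for (let i = 0; i < iterations; i++) acc = (acc + i * 7) % 1000003;
  if (acc < 0) throw new Error('unreachable'); // keeps the loop observable to the engine
  return performance.now() - start;
}

function median(values) {
  const sorted = [...values].sort((a, b) => a - b);
  const mid = sorted.length >> 1;
  return sorted.length % 2 ? sorted[mid] : (sorted[mid - 1] + sorted[mid]) / 2;
}

class TimerLagDetector {
  // baselineSamples: recordings taken before the page of interest was opened
  // spikeRatio:      how much slower than baseline counts as "a larger difference"
  // sustainCount:    how many consecutive slow recordings are required
  constructor({ baselineSamples = 5, spikeRatio = 3, sustainCount = 3 } = {}) {
    this.opts = { baselineSamples, spikeRatio, sustainCount };
    this.samples = [];
  }

  record(ms) {
    this.samples.push(ms);
    return this;
  }

  evaluate() {
    const { baselineSamples, spikeRatio, sustainCount } = this.opts;
    if (this.samples.length < baselineSamples + sustainCount) {
      return { suspicious: false, reason: 'insufficient samples' };
    }
    const baseline = median(this.samples.slice(0, baselineSamples));
    const recent = this.samples.slice(-sustainCount);
    const ratios = recent.map(ms => ms / baseline);
    const sustained = ratios.every(r => r >= spikeRatio);              // every recent recording is slow
    const notRecovering = recent[recent.length - 1] >= 0.8 * recent[0]; // no noticeable drop
    const suspicious = sustained && notRecovering;
    return { suspicious, baseline, recent, reason: suspicious ? 'sustained timer lag' : 'within bounds' };
  }
}
```

A single slow recording (a garbage-collection pause, a video decode) is ignored because the ratio is required over the whole sustain window; the recovery check prevents a page whose load spike is already fading from being flagged.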
The application provides a mining attack monitoring and protection device for a client, comprising an acquisition module, a first judging module, a second judging module and an execution module.
The acquisition module drives the client to access the remote situation awareness platform, on request from that platform, to acquire and store mining attack information; the first judging module acquires the source code data of the current network resource in the client and the data packet information requested by the current network resource, matches them with the mining attack information and obtains a first result according to a preset matching rule; the second judging module acquires the performance consumption state of the client's core processing hardware and obtains a second result by comparing that consumption with a set threshold; and the execution module performs the corresponding operation on the current network resource according to the first result and the second result: blocking processing, mark-and-report processing or no processing.
The foregoing is only a specific embodiment of the application to enable those skilled in the art to understand or practice the application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.

Claims (10)

1. A mining attack monitoring and protection method for a client, characterized by comprising the following steps:
based on the remote situation awareness platform request, the client accesses the remote situation awareness platform to acquire and store mining attack information;
acquiring source code data of current network resources and data packet information requested by the current network resources in a client, matching the source code data with mining attack information, and acquiring a first result according to a preset matching rule;
acquiring the performance consumption state of the core processing hardware of the client, and obtaining a second result according to the comparison between the performance consumption of the core processing hardware and the set threshold value;
and performing the corresponding operation on the current network resource according to the first result and the second result: blocking processing, mark-and-report processing or no processing.
2. The mining attack monitoring and protection method for a client according to claim 1, wherein:
the client comprises a website, a browser and an application program;
the mining attack information is mining feature information and comprises the mining pool name, the mining pool IP, the domain name communication address, the wallet address and the hash of the mining Trojan.
3. The mining attack monitoring and protection method for a client according to claim 1, wherein the step of acquiring the source code data of the current network resource and the data packet information requested by the current network resource in the client, matching them with the mining attack information, and obtaining a first result according to a preset matching rule comprises:
acquiring source code data of current network resources in a client and data packet information requested by the current network resources;
matching the feature information items of the source code data of the current network resource one by one against the mining attack information, and matching the feature information items of the data packet information requested by the current network resource one by one against the mining attack information:
if at least one item of characteristic information of the source code data is matched with the mining attack information, or at least one item of characteristic information of the data packet information is matched with the mining attack information, the current network resource hits the first rule, otherwise, the current network resource does not hit the first rule.
The feature information of the source code data comprises request IP information, domain name communication address information, wallet address information and hash information of the source code; the feature information of the data packet information comprises request IP information, domain name communication address information, wallet address information and hash information of the request packet.
4. The mining attack monitoring and protection method for a client according to claim 3, wherein the step of acquiring the performance consumption state of the core processing hardware of the client and obtaining the second result by comparing the performance consumption of the core processing hardware with the set threshold comprises the following specific steps:
setting a CPU performance occupancy threshold and a disposal mode, wherein the disposal mode is either to block the current network resource or to mark the current network resource as a suspicious program and report it to the remote situation awareness platform;
periodically acquiring the occupancy rate of a CPU of a client, and comparing the acquired occupancy rate with a set CPU performance occupancy threshold;
based on the comparison result: if the occupancy rate exceeds the CPU performance occupancy threshold, the current network resource hits the second rule; if the occupancy rate does not exceed the CPU performance occupancy threshold, the current network resource does not hit the second rule, the CPU occupancy rate of the client continues to be acquired periodically, and each acquired occupancy rate is compared with the set CPU performance occupancy threshold.
5. The mining attack monitoring and protection method for a client according to claim 4, wherein the step of performing blocking processing, mark-and-report processing or no processing on the current network resource according to the first result and the second result comprises:
if the current network resource hits the first rule and does not hit the second rule, marking the current network resource as a suspicious program and reporting it to the remote situation awareness platform, which actively judges the current network resource;
if the current network resource hits the second rule and does not hit the first rule, blocking the current network resource according to the set disposal mode, or marking the current network resource as a suspicious program and reporting the suspicious program to a remote situation awareness platform;
if the current network resource hits the first rule and hits the second rule, blocking the current network resource;
if the current network resource does not hit the first rule and does not hit the second rule, the current network resource is not processed.
6. The mining attack monitoring and protection method for a client according to claim 1, further comprising, after the blocking operation on the current network resource:
re-opening the current network resource and loading a front-end malicious code protection module;
based on the identification of the current network resource by the front-end malicious code protection module, destroying or deleting the mining code in the current network resource by means of an inline function processing mode, a static script processing mode and a dynamic script processing mode.
7. The mining attack monitoring and protection method for a client according to claim 6, wherein the specific steps of the inline function processing mode include:
configuring a white list of the release of the inline event;
acquiring the source code data of the current network resource through the client, and intercepting all document.on* events based on a method for monitoring the document object;
matching each intercepted document.on* event with the configured white list; if the white list is hit, releasing the current document.on* event, and if the white list is not hit, destroying the code corresponding to the current document.on* event.
8. The mining attack monitoring and protection method for a client according to claim 6, wherein the specific steps of the static script processing mode include:
configuring a white list of remote calling resource addresses;
acquiring the source code data of the current network resource through the client, and monitoring changes to the child nodes and attributes in the DOM tree based on a MutationObserver;
based on the monitoring result, when the child nodes and attributes of the DOM tree change, intercepting the current network resource and then filtering it;
the filtering process marks the iframe tags and script tags of the current network resource, and when a src attribute exists, matches the src attribute against the white list; if the white list is hit, the current network resource is released, and if it is not hit, the attribute value of the src is deleted.
9. The mining attack monitoring and protection method for a client according to claim 6, wherein the specific steps of the dynamic script processing mode include:
when the source code data is loaded in the webview of the client, detecting dynamically generated scripts and intercepting the maliciously generated code part, wherein the maliciously generated code part comprises dynamically generated src and innerHTML attribute values, an overridden document.write, an overridden setAttribute, overridden Ajax requests, overridden WebSocket requests and overridden postMessage requests.
10. A mining attack monitoring and protection device for a client, characterized by comprising:
the acquisition module is used for driving the client to access the remote situation awareness platform based on the remote situation awareness platform request so as to acquire and store mining attack information;
the first judging module is used for acquiring source code data of the current network resource and data packet information requested by the current network resource in the client, matching the source code data with mining attack information and obtaining a first result according to a preset matching rule;
the second judging module is used for acquiring the performance consumption state of the core processing hardware of the client and obtaining a second result according to the comparison between the performance consumption of the core processing hardware and the set threshold value;
and the execution module is used for performing the corresponding operation on the current network resource according to the first result and the second result: blocking processing, mark-and-report processing or no processing.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311121198.4A CN117081828A (en) 2023-08-30 2023-08-30 Mining attack monitoring and protecting method and device for client

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311121198.4A CN117081828A (en) 2023-08-30 2023-08-30 Mining attack monitoring and protecting method and device for client

Publications (1)

Publication Number Publication Date
CN117081828A true CN117081828A (en) 2023-11-17

Family

ID=88707926

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311121198.4A Pending CN117081828A (en) 2023-08-30 2023-08-30 Mining attack monitoring and protecting method and device for client

Country Status (1)

Country Link
CN (1) CN117081828A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination