CN118157885A - Remote access processing method, device, equipment and storage medium - Google Patents


Info

Publication number
CN118157885A
Authority
CN
China
Prior art keywords
remote access
port
message
service
access
Prior art date
Legal status
Pending
Application number
CN202211559575.8A
Other languages
Chinese (zh)
Inventor
贾彬
谭合力
Current Assignee
360 Digital Security Technology Group Co Ltd
Original Assignee
360 Digital Security Technology Group Co Ltd
Priority date
Filing date
Publication date
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H04L 63/0245 Filtering by information in the payload
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application belongs to the technical field of information security and discloses a remote access processing method, device, equipment and storage medium. When a remote access message is intercepted, the access protocol type and the target server corresponding to the remote access message are acquired; sensitive data in the remote access message is replaced according to a sensitive filtering strategy corresponding to the access protocol type, yielding a secure access message; and the secure access message is forwarded to the target server. Because the remote access message is intercepted, and after interception the sensitive information is filtered with a strategy chosen according to the access protocol type of the message, remote service access is intercepted up front, malicious attacks and dangerous operations are filtered, and effective protection against domain penetration attacks is achieved.

Description

Remote access processing method, device, equipment and storage medium

Technical Field

The present invention relates to the field of information security technology, and in particular to a remote access processing method, device, equipment and storage medium.

Background

In enterprise network informatization, because of the huge number of internal assets and users, most enterprises choose an AD (Active Directory) domain as the solution for unified management of users and hosts. However, because the protection system is imperfect, attackers often attack the domain controller and from there attack the enterprise's core internal equipment to obtain the company's confidential data.

Domain penetration is represented by attack techniques such as RPC (Remote Procedure Call) remote privilege escalation and NTLM Relay, which are not subject to inspection by ISP (Internet Service Provider) firewalls or egress gateway firewalls, while most enterprises have relatively weak protection in the intranet domain environment. Traditional security protection systems (such as firewalls and IDS (intrusion detection systems)) are no longer sufficient to resist current domain penetration threats, and their protection against such attack techniques is not ideal.

The above content is only used to assist in understanding the technical solution of the present invention and does not constitute an admission that it is prior art.

Summary of the invention

The main purpose of the present invention is to provide a remote access processing method, device, equipment and storage medium, aiming to solve the technical problem that the existing technology provides unsatisfactory protection against domain penetration attacks based on remote access.

To achieve the above object, the present invention provides a remote access processing method, the method comprising the following steps:

When a remote access message is intercepted, obtaining the access protocol type and the target server corresponding to the remote access message;

Replacing sensitive data in the remote access message according to the sensitive filtering policy corresponding to the access protocol type to obtain a secure access message;

Forwarding the secure access message to the target server.

Optionally, the step of replacing sensitive data in the remote access message according to the sensitive filtering policy corresponding to the access protocol type to obtain a secure access message includes:

If the access protocol type is a request-response type, detecting whether the remote access message is service query information;

If the remote access message is not service query information, extracting the access service identifier and the requested access port from the remote access message;

Obtaining the port replacement rule corresponding to the access service identifier;

Determining the real service port according to the requested access port and the port replacement rule;

Replacing the requested access port in the remote access message with the real service port to obtain a secure access message.

Optionally, the step of detecting whether the remote access message is service query information if the access protocol type is a request-response type includes:

If the access protocol type is a request-response type, extracting the requested access port from the remote access message;

If the service query port is consistent with the requested access port, determining that the remote access message is service query information.

Optionally, after the step of detecting whether the remote access message is service query information if the access protocol type is a request-response type, the method further includes:

If the remote access message is service query information, forwarding the remote access message to the target server, and obtaining the service query response fed back by the target server according to the remote access message;

Performing port replacement on the service query response to obtain replacement response information;

Sending the replacement response information to the message sending end corresponding to the remote access message.

Optionally, the step of performing port replacement on the service query response to obtain replacement response information includes:

Extracting the service identification information and the real service port from the service query response;

Detecting whether a port replacement rule corresponding to the service identification information exists;

If a port replacement rule corresponding to the service identification information exists, determining the service external port according to the port replacement rule and the real service port;

Replacing the real service port in the service query response with the service external port to obtain replacement response information.

Optionally, the step of detecting whether a port replacement rule corresponding to the service identification information exists includes:

Searching for the port replacement rule corresponding to the service identification information in a preset replacement rule library;

If the port replacement rule corresponding to the service identification information can be found, determining that a port replacement rule corresponding to the service identification information exists.
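The request-response strategy above, written out as an added example that is not part of the patent: requests are rewritten from the exposed port to the real service port, and service query responses are rewritten from the real port back to the exposed one, using a preset rule library. The rule library contents, the message field names, the service query port value and the `forward` stub are all assumptions.

```python
# Added example (not from the patent): the request-response (ncacn_ip_tcp)
# filtering strategy as pure functions over constructed message objects.
# The rule library, field names and the service query port are assumptions.
from dataclasses import dataclass
from typing import Callable, Dict

# Assumed "service query port": requests to this port are treated as queries
# to the service registry rather than as calls to a remote service.
SERVICE_QUERY_PORT = 135

# Preset replacement rule library: service identifier -> {external port: real port}.
# Constructed sample values; the external port is what clients see, the real
# port is where the service actually listens behind the proxy.
RULE_LIBRARY: Dict[str, Dict[int, int]] = {
    "svc-backup": {40001: 49152},
    "svc-admin": {40002: 49153, 40003: 49154},
}


class FilteredOut(Exception):
    """Raised when a message cannot be made safe and must not be forwarded."""


@dataclass
class RemoteAccessMessage:
    service_id: str
    port: int
    payload: str = ""


def is_service_query(msg: RemoteAccessMessage) -> bool:
    # Step: compare the requested access port with the service query port.
    return msg.port == SERVICE_QUERY_PORT


def real_port_for(service_id: str, requested_port: int) -> int:
    """Request direction: map the port the client asked for to the real service port.
    A request naming a port that no rule exposes is dropped, which is what stops
    a client from addressing a real port it learned some other way."""
    rule = RULE_LIBRARY.get(service_id)
    if rule is None:
        raise FilteredOut(f"no port replacement rule for service {service_id!r}")
    if requested_port not in rule:
        raise FilteredOut(f"port {requested_port} is not an exposed port of {service_id!r}")
    return rule[requested_port]


def external_port_for(service_id: str, real_port: int) -> int:
    """Response direction: rewrite the real port in a service query response to
    the external port. With no rule the response passes through unchanged, as
    the steps describe; with a rule, an unmapped real port is never leaked."""
    rule = RULE_LIBRARY.get(service_id)
    if rule is None:
        return real_port
    for external, real in rule.items():
        if real == real_port:
            return external
    raise FilteredOut(f"real port {real_port} of {service_id!r} has no external mapping")


def handle_request_response(
    msg: RemoteAccessMessage,
    forward: Callable[[RemoteAccessMessage], RemoteAccessMessage],
) -> RemoteAccessMessage:
    """One intercepted request-response message. `forward` stands in for
    delivery to the target server and returns its reply (a stub in tests)."""
    if is_service_query(msg):
        # Query path: forward unchanged, then hide the real port in the reply.
        reply = forward(msg)
        return RemoteAccessMessage(
            reply.service_id, external_port_for(reply.service_id, reply.port), reply.payload
        )
    # Service call path: rewrite the requested port before forwarding.
    safe = RemoteAccessMessage(msg.service_id, real_port_for(msg.service_id, msg.port), msg.payload)
    return forward(safe)
```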

Optionally, the step of replacing sensitive data in the remote access message according to the sensitive filtering policy corresponding to the access protocol type to obtain a secure access message includes:

If the access protocol type is a pipe connection type, detecting whether the instruction included in the remote access message is a pipe start instruction;

If it is a pipe start instruction, detecting whether the access target corresponding to the remote access message is a sensitive target;

If the access target is a sensitive target, performing pipe name replacement on the remote access message to obtain a secure access message.

Optionally, the step of detecting whether the instruction included in the remote access message is a pipe start instruction includes:

Extracting the remote access parameter from the remote access message;

If the remote access parameter is of the startup object type, determining that the instruction included in the remote access message is a pipe start instruction.

Optionally, the step of performing pipe name replacement on the remote access message to obtain a secure access message if the access target is a sensitive target includes:

If the access target is a sensitive target, searching for the pipe replacement rule corresponding to the target server;

Matching the access target against the pipe replacement rule to obtain the pipe to be replaced;

Performing pipe name replacement on the remote access message according to the pipe to be replaced to obtain a secure access message.

Optionally, the step of detecting whether the instruction included in the remote access message is a pipe start instruction if the access protocol type is a pipe connection type includes:

If the access protocol type is a pipe connection type, obtaining the sender IP corresponding to the remote access message;

Detecting whether the sender IP exists in the access blacklist;

If it does not exist in the access blacklist, detecting whether the instruction included in the remote access message is a pipe start instruction.

Optionally, after the step of performing pipe name replacement on the remote access message to obtain a secure access message if the access target is a sensitive target, the method further includes:

Obtaining the historical number of pipe replacements corresponding to the sender IP;

Adding one to the historical number of pipe replacements to obtain the current number of replacements;

If the current number of replacements is greater than a preset replacement threshold, adding the sender IP to the access blacklist.
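The pipe connection strategy above, together with its blacklist handling, as an added example that is not part of the patent: a blacklisted sender is blocked outright, a pipe start instruction aimed at a sensitive pipe on the target server has its pipe name substituted, and each substitution is counted per sender until a threshold moves that sender onto the blacklist. The field names, the `startup_object` marker, the threshold value, the server name and the pipe names are all assumptions (the pipe names are placeholders, not real Windows pipes).

```python
# Added example (not from the patent): the pipe-connection (ncacn_np) strategy
# with the per-sender replacement counter and access blacklist. Field names,
# the threshold, the parameter type that marks a pipe start instruction, and
# all server and pipe names are assumptions / constructed sample values.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

STARTUP_OBJECT = "startup_object"   # assumed parameter type of a pipe start instruction
REPLACEMENT_THRESHOLD = 3           # assumed preset replacement threshold

# Per-target-server pipe replacement rules: sensitive pipe -> pipe to substitute.
# Constructed placeholders.
PIPE_RULES: Dict[str, Dict[str, str]] = {
    "dc01": {
        r"\pipe\sensitive_one": r"\pipe\safe_one",
        r"\pipe\sensitive_two": r"\pipe\safe_two",
    },
}


@dataclass
class PipeMessage:
    sender_ip: str
    target_server: str
    access_target: str   # the pipe the client asked to open
    param_type: str      # remote access parameter type extracted from the message


class PipeFilter:
    """Stateful: the blacklist and replacement counters persist across messages."""

    def __init__(self, rules: Dict[str, Dict[str, str]], threshold: int = REPLACEMENT_THRESHOLD):
        self.rules = rules
        self.threshold = threshold
        self.blacklist: Set[str] = set()
        self.replacements: Dict[str, int] = defaultdict(int)

    @staticmethod
    def is_pipe_start(msg: PipeMessage) -> bool:
        # Step: the instruction is a pipe start instruction when the parameter
        # is of the startup object type.
        return msg.param_type == STARTUP_OBJECT

    def pipe_to_replace(self, msg: PipeMessage) -> Optional[str]:
        # Match the access target against the target server's rule;
        # None means the target is not sensitive for this server.
        return self.rules.get(msg.target_server, {}).get(msg.access_target)

    def filter(self, msg: PipeMessage) -> Tuple[str, Optional[PipeMessage]]:
        """Returns (action, message): 'blocked' (blacklisted sender, nothing is
        forwarded), 'forward' (message unchanged), or 'replaced' (secure access
        message with the substituted pipe name)."""
        if msg.sender_ip in self.blacklist:
            return "blocked", None
        if not self.is_pipe_start(msg):
            return "forward", msg
        replacement = self.pipe_to_replace(msg)
        if replacement is None:
            return "forward", msg
        safe = PipeMessage(msg.sender_ip, msg.target_server, replacement, msg.param_type)
        # Blacklist handling: count this replacement and cut the sender off
        # once the count exceeds the threshold.
        self.replacements[msg.sender_ip] += 1
        if self.replacements[msg.sender_ip] > self.threshold:
            self.blacklist.add(msg.sender_ip)
        return "replaced", safe
```

The sender stays able to reach non-sensitive pipes until the threshold is crossed, after which every message from that IP is dropped before any further inspection.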

In addition, to achieve the above object, the present invention also proposes a remote access processing device, which includes the following modules:

A message interception module, used to obtain the access protocol type and the target server corresponding to a remote access message when the remote access message is intercepted;

A sensitive filtering module, used to replace sensitive data in the remote access message according to the sensitive filtering policy corresponding to the access protocol type to obtain a secure access message;

A message forwarding module, used to forward the secure access message to the target server.

Optionally, the sensitive filtering module is also used to: detect whether the remote access message is service query information if the access protocol type is a request-response type; if the remote access message is not service query information, extract the access service identifier and the requested access port from the remote access message; obtain the port replacement rule corresponding to the access service identifier; determine the real service port according to the requested access port and the port replacement rule; and replace the requested access port in the remote access message with the real service port to obtain a secure access message.

Optionally, the sensitive filtering module is also used to: extract the requested access port from the remote access message if the access protocol type is a request-response type; obtain the service query port corresponding to the target server; and if the service query port is consistent with the requested access port, determine that the remote access message is service query information.

Optionally, the sensitive filtering module is also used to: forward the remote access message to the target server if the remote access message is service query information, and obtain the service query response fed back by the target server according to the remote access message; perform port replacement on the service query response to obtain replacement response information; and send the replacement response information to the message sending end corresponding to the remote access message.

Optionally, the sensitive filtering module is also used to: extract the service identification information and the real service port from the service query response; detect whether a port replacement rule corresponding to the service identification information exists; if such a port replacement rule exists, determine the service external port according to the port replacement rule and the real service port; replace the real service port in the service query response with the service external port to obtain replacement response information; and send the replacement response information to the message sending end of the remote access message.

Optionally, the sensitive filtering module is further used to search for the port replacement rule corresponding to the service identification information in a preset replacement rule library; if the port replacement rule corresponding to the service identification information can be found, it is determined that a port replacement rule corresponding to the service identification information exists.

Optionally, the sensitive filtering module is also used to: detect whether the instruction contained in the remote access message is a pipe start instruction if the access protocol type is a pipe connection type; if it is a pipe start instruction, detect whether the access target corresponding to the remote access message is a sensitive target; and if the access target is a sensitive target, perform pipe name replacement on the remote access message to obtain a secure access message.

In addition, to achieve the above object, the present invention also proposes a remote access processing device, which includes a processor, a memory, and a remote access processing program stored in the memory and executable on the processor; when executed, the remote access processing program implements the steps of the remote access processing method described above.

In addition, to achieve the above object, the present invention also proposes a computer-readable storage medium on which a remote access processing program is stored; when the remote access processing program is executed, the steps of the remote access processing method described above are implemented.

The present invention obtains the access protocol type and the target server corresponding to a remote access message when the message is intercepted; replaces the sensitive data in the remote access message according to the sensitive filtering strategy corresponding to the access protocol type to obtain a secure access message; and forwards the secure access message to the target server. Because the remote access message is intercepted, and after interception different strategies are used to filter sensitive information according to the access protocol type of the message, remote service access is intercepted up front, malicious attacks and dangerous operations can be filtered, and effective protection against domain penetration attacks is achieved.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG1 is a schematic diagram of the structure of an electronic device in a hardware operating environment according to an embodiment of the present invention;

FIG2 is a flow chart of a first embodiment of a remote access processing method according to the present invention;

FIG3 is a flow chart of a second embodiment of a remote access processing method according to the present invention;

FIG4 is a schematic diagram of a port replacement process according to an embodiment of the present invention;

FIG5 is a flow chart of a third embodiment of a remote access processing method according to the present invention;

FIG6 is a schematic diagram of pipe name replacement according to an embodiment of the present invention;

FIG7 is a schematic diagram of remote server access according to an embodiment of the present invention;

FIG8 is a structural block diagram of a first embodiment of a remote access processing device according to the present invention.

The realization of the purpose, functional features and advantages of the present invention will be further explained in conjunction with embodiments and with reference to the accompanying drawings.

具体实施方式Detailed ways

应当理解,此处所描述的具体实施例仅用以解释本发明,并不用于限定本发明。It should be understood that the specific embodiments described herein are only used to explain the present invention, and are not used to limit the present invention.

参照图1,图1为本发明实施例方案涉及的硬件运行环境的远程访问处理设备结构示意图。Refer to FIG. 1 , which is a schematic diagram of the structure of a remote access processing device in a hardware operating environment according to an embodiment of the present invention.

如图1所示,该电子设备可以包括:处理器1001,例如中央处理器(CentralProcessing Unit,CPU),通信总线1002、用户接口1003,网络接口1004,存储器1005。其中,通信总线1002用于实现这些组件之间的连接通信。用户接口1003可以包括显示屏(Display)、输入单元比如键盘(Keyboard),可选用户接口1003还可以包括标准的有线接口、无线接口。网络接口1004可选的可以包括标准的有线接口、无线接口(如无线保真(WIreless-FIdelity,WI-FI)接口)。存储器1005可以是高速的随机存取存储器(RandomAccess Memory,RAM),也可以是稳定的非易失性存储器(Non-Volatile Memory,NVM),例如磁盘存储器。存储器1005可选的还可以是独立于前述处理器1001的存储装置。As shown in FIG1 , the electronic device may include: a processor 1001, such as a central processing unit (CPU), a communication bus 1002, a user interface 1003, a network interface 1004, and a memory 1005. Among them, the communication bus 1002 is used to realize the connection and communication between these components. The user interface 1003 may include a display screen (Display), an input unit such as a keyboard (Keyboard), and the optional user interface 1003 may also include a standard wired interface and a wireless interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (such as a wireless fidelity (WIreless-FIdelity, WI-FI) interface). The memory 1005 may be a high-speed random access memory (Random Access Memory, RAM), or a stable non-volatile memory (Non-Volatile Memory, NVM), such as a disk storage. The memory 1005 may also be a storage device independent of the aforementioned processor 1001.

本领域技术人员可以理解,图1中示出的结构并不构成对电子设备的限定,可以包括比图示更多或更少的部件,或者组合某些部件,或者不同的部件布置。Those skilled in the art will appreciate that the structure shown in FIG. 1 does not limit the electronic device and may include more or fewer components than shown in the figure, or combine certain components, or arrange the components differently.

如图1所示,作为一种存储介质的存储器1005中可以包括操作系统、网络通信模块、用户接口模块以及远程访问处理程序。As shown in FIG. 1 , the memory 1005 as a storage medium may include an operating system, a network communication module, a user interface module, and a remote access processing program.

在图1所示的电子设备中,网络接口1004主要用于与网络服务器进行数据通信;用户接口1003主要用于与用户进行数据交互;本发明电子设备中的处理器1001、存储器1005可以设置在远程访问处理设备中,所述电子设备通过处理器1001调用存储器1005中存储的远程访问处理程序,并执行本发明实施例提供的远程访问处理方法。In the electronic device shown in FIG1 , the network interface 1004 is mainly used for data communication with a network server; the user interface 1003 is mainly used for data interaction with a user; the processor 1001 and the memory 1005 in the electronic device of the present invention can be set in a remote access processing device, and the electronic device calls the remote access processing program stored in the memory 1005 through the processor 1001, and executes the remote access processing method provided in an embodiment of the present invention.

本发明实施例提供了一种远程访问处理方法,参照图2,图2为本发明一种远程访问处理方法第一实施例的流程示意图。An embodiment of the present invention provides a remote access processing method. Referring to FIG. 2 , FIG. 2 is a flow chart of a first embodiment of a remote access processing method of the present invention.

本实施例中,所述远程访问处理方法包括以下步骤:In this embodiment, the remote access processing method includes the following steps:

步骤S10:在拦截到远程访问消息时,获取所述远程访问消息对应的访问协议类型及目标服务器。Step S10: when a remote access message is intercepted, the access protocol type and the target server corresponding to the remote access message are obtained.

需要说明的是,本实施例的执行主体可以是所述远程访问处理设备,所述远程访问处理设备可以是个人电脑、服务器等电子设备,当然,也可以是其他可实现相同或相似功能的电子设备,本实施例对此不加以限制,在本实施例及下述各实施例中,以远程访问处理设备为例对本发明远程访问处理方法进行说明。It should be noted that the execution subject of this embodiment can be the remote access processing device, and the remote access processing device can be an electronic device such as a personal computer, a server, or of course, other electronic devices that can achieve the same or similar functions. This embodiment does not limit this. In this embodiment and the following embodiments, the remote access processing method of the present invention is described by taking the remote access processing device as an example.

需要说明的是,服务端可以是对远程服务器进行统一管理的服务器,其主要可以作为远程服务的注册中心,其主要用于为用户提供远程服务的查询功能(例如:查询某远程服务的服务名称、访问地址、访问端口等远程服务的相关信息),以及将消息转发至对应的远程服务器,远程访问处理设备可以是服务端本身,也可以是可对服务端接收/发送的消息进行拦截处理的代理服务器。It should be noted that the server can be a server that performs unified management of remote servers. It can mainly serve as a registration center for remote services. It is mainly used to provide users with remote service query functions (for example: querying the service name, access address, access port and other relevant information of a remote service), and forwarding messages to the corresponding remote server. The remote access processing device can be the server itself, or it can be a proxy server that can intercept and process messages received/sent by the server.

在具体实现中,远程访问消息可以是用户端在需要使用远程服务时,发送至服务端的消息。目标服务器可以是用户端实际要访问的服务器,通过远程访问消息所需要访问的服务的归属可以确定目标服务器,例如:在用户端发送远程访问消息查询远程服务的信息时,该查询服务由服务端提供,则该目标服务器为服务端;在访问某具体的远程服务时,则提供该远程服务的远程服务器为目标服务器。In a specific implementation, a remote access message may be a message sent by a user end to a server end when the user end needs to use a remote service. The target server may be the server that the user end actually wants to access, and the target server may be determined by the attribution of the service that the remote access message needs to access. For example, when a user end sends a remote access message to query information about a remote service, and the query service is provided by the server end, the target server is the server end; when accessing a specific remote service, the remote server that provides the remote service is the target server.

在具体实现中,访问协议类型可以分类两种,分别是请求响应类型及管道连接类型,例如:以windows系统为例,其远程访问协议可以分为:ncacn_ip_tcp及ncacn_np两种,其中,ncacn_ip_tcp为请求响应类型,ncacn_np为管道连接类型。In the specific implementation, the access protocol type can be classified into two types, namely the request response type and the pipe connection type. For example, taking the Windows system as an example, its remote access protocol can be divided into two types: ncacn_ip_tcp and ncacn_np. Among them, ncacn_ip_tcp is the request response type, and ncacn_np is the pipe connection type.

在实际使用中,远程访问消息对应的访问协议类型可以通过拦截到该远程访问消息的方式进行确定,不同访问协议类型传输的远程访问消息可以通过不同的方式进行拦截;In actual use, the access protocol type corresponding to the remote access message can be determined by intercepting the remote access message, and remote access messages transmitted by different access protocol types can be intercepted in different ways;

例如:针对请求响应类型传输的远程访问消息,远程访问处理设备可以拦截用户端接收到的请求,并检测拦截到的请求中的协议类型是否为远程访问协议;针对管道连接类型传输的远程访问消息,远程访问处理设备可以通过对命名管道文件系统(named pipefile system,NPFS)进行挂载拦截。For example: for remote access messages transmitted in the form of request-response type, the remote access processing device can intercept the request received by the user end and detect whether the protocol type in the intercepted request is the remote access protocol; for remote access messages transmitted in the form of pipe connection type, the remote access processing device can intercept by mounting a named pipe file system (NPFS).

步骤S20:通过所述访问协议类型对应的敏感过滤策略对所述远程访问消息中的敏感数据进行替换,获得安全访问消息。Step S20: Replace sensitive data in the remote access message using a sensitive filtering policy corresponding to the access protocol type to obtain a secure access message.

可以理解的是,针对不同访问协议类型传输的远程访问消息的格式是不同的,在此基础上,其中包含的敏感数据的类型可能不同,且敏感数据所处的位置也可能不同,在对敏感数据进行替换时,所需要的方式也不同,因此,可以先根据访问协议类型查找到对应的敏感过滤策略,然后根据敏感过滤策略对远程访问消息中的敏感数据进行替换,从而获得安全访问消息。It is understandable that the formats of remote access messages transmitted for different access protocol types are different. On this basis, the types of sensitive data contained therein may be different, and the locations of the sensitive data may also be different. When replacing sensitive data, the required methods are also different. Therefore, you can first find the corresponding sensitive filtering policy according to the access protocol type, and then replace the sensitive data in the remote access message according to the sensitive filtering policy to obtain a secure access message.

步骤S30:将所述安全访问消息转发至所述目标服务器。Step S30: forwarding the security access message to the target server.

可以理解的是,在对敏感数据进行替换之后,则可以保证该远程访问消息安全,因此,可以直接将安全访问消息转发至目标服务器,由目标服务器进行具体的处理。It is understandable that after the sensitive data is replaced, the remote access message can be guaranteed to be secure, and therefore, the secure access message can be directly forwarded to the target server for specific processing by the target server.

在实际使用中,将安全访问消息转发至目标服务器时,可以根据访问协议类型的不同,选择不同的消息转发方式(如通过管道或ALPC等方式)将安全访问消息转发至目标服务器,调用目标服务器中服务进行处理。In actual use, when forwarding the security access message to the target server, different message forwarding methods (such as through pipelines or ALPC, etc.) can be selected according to the different access protocol types to forward the security access message to the target server and call the service in the target server for processing.

在具体实现中,在将安全访问消息转发至目标服务器进行处理之后,若目标服务器还会反馈对应的数据,则远程访问处理设备还可以拦截目标服务器反馈的数据进行进一步处理,并在处理完毕之后,再反馈至用户端。In a specific implementation, after forwarding the security access message to the target server for processing, if the target server also feeds back corresponding data, the remote access processing device can also intercept the data fed back by the target server for further processing, and feed it back to the user end after processing.

In this embodiment, when a remote access message is intercepted, the access protocol type and target server corresponding to it are obtained; the sensitive data in the remote access message is replaced according to the sensitive filtering policy for that access protocol type, yielding a secure access message; and the secure access message is forwarded to the target server. Because the remote access message is intercepted and then filtered with a policy selected by its access protocol type, remote service access is screened before it reaches the service, malicious attacks and dangerous operations can be filtered out, and domain penetration attacks are effectively mitigated.

Referring to FIG. 3, FIG. 3 is a flowchart of a second embodiment of the remote access processing method of the present invention.

Based on the first embodiment, step S20 of the remote access processing method of this embodiment includes:

Step S201: if the access protocol type is a request-response type, detecting whether the remote access message is a service query message.

It should be noted that a request-response access protocol type means the client invokes the remote service through request-response exchanges. The access ports of remote services are generally allocated and managed centrally by the server for the services registered with it, so under this calling model the client must first obtain the specific access port number of a remote service from the server. The remote access message may therefore be a request to the server to look up a remote service's access port number, and it is necessary to detect whether the remote access message is a service query message.

In a specific implementation, in order to determine accurately whether the remote access message is a service query message, step S201 of this embodiment may include:

if the access protocol type is a request-response type, extracting the requested access port from the remote access message;

if the service query port matches the requested access port, determining that the remote access message is a service query message.

It should be noted that the server can designate a fixed port in advance as the service query port and provide the port-lookup function for remote services on that port, so that remote callers can query the specific port number of a remote service. Hence, if the requested access port extracted from the remote access message matches the service query port, the client is performing a port query, and the remote access message can be determined to be a service query message.

Further, because the data exchanged while querying a service port travels between client and server as request and response, it may be intercepted by a malicious attacker, who thereby learns the specific access port of the remote service and attacks it. To preserve security, the ports of certain important remote services can be replaced. After step S201, this embodiment may further include:

if the remote access message is a service query message, forwarding the remote access message to the target server and obtaining the service query response returned by the target server for the remote access message;

performing port replacement on the service query response to obtain a replacement response message;

sending the replacement response message to the message sender corresponding to the remote access message.

It should be noted that if the remote access message is a service query message, the client needs to look up the service access port of a remote service. The remote access message can therefore be forwarded to the target server (which at this point is the server holding the service registry); the target server extracts the service identification information from the remote access message, finds the corresponding entry and packages it into a service query response. To keep the real port from leaking, the remote access processing device intercepts the service query response and performs port replacement on it, substituting a different, controlled port number for the service access port of the remote service it contains, and then sends the replacement response message to the message sender corresponding to the remote access message (i.e., the client).

In practice, replacing the real service port in the service query response with the service's external port to obtain the replacement response message may consist of substituting the external port for the real service port in the service query response and taking the modified service query response as the replacement response message.

In a specific implementation, to ensure that the replaced port can later be restored so that the client can still reach the remote service, the step of performing port replacement on the service query response to obtain the replacement response message may include:

extracting the service identification information and the real service port from the service query response;

detecting whether a port replacement rule corresponding to the service identification information exists;

if a port replacement rule corresponding to the service identification information exists, determining the service's external port according to the port replacement rule and the real service port;

replacing the real service port in the service query response with the service's external port to obtain the replacement response message.

It should be noted that the service identification information may be the unique identifier of the remote service queried by the client, and the real service port may be the actual port on which that remote service is reached. If a port replacement rule exists for the service identification information, the corresponding remote service is considered important and its port must be replaced.

In a specific implementation, the port replacement rule may be a mapping between real service ports and external service ports, and the service's external port is determined by looking up the entry for the real service port in that mapping.

Further, since the remote access processing device may act as a proxy server that manages several different servers at once, and different servers may have different replacement rules, in order to avoid misjudgment the step of detecting whether a port replacement rule corresponding to the service identification information exists includes, in this embodiment:

looking up the port replacement rule corresponding to the service identification information in a preset replacement rule library;

if a port replacement rule corresponding to the service identification information is found, determining that a port replacement rule corresponding to the service identification information exists.

It should be noted that the preset replacement rule library may be a database storing the port replacement rules for different service identification information. If a port replacement rule for the service identification information is found in the preset replacement rule library, the administrator of the remote access processing device has configured a rule for that service and stored it in the library, so a port replacement rule corresponding to the service identification information can be determined to exist.

For ease of understanding, the process is described with reference to FIG. 4, without limiting the solution. FIG. 4 is a schematic diagram of the port replacement flow of this embodiment. As shown in FIG. 4, when the client needs to query the port number (i.e., the service access port) of a remote service, it builds a request from the service identification information of that service (Target UUID) and sends it to the server. The EPM module on the server responds by looking up the corresponding entry in its service list; if the entry is found, it builds a Tower-format service query response from it and attempts to return it to the client. The EPM Filter module of the remote access processing device intercepts this Tower-format service query response, extracts the service identification information, looks up the corresponding port replacement rule, and modifies the port number in the response according to that rule. Once the replacement is complete, the resulting replacement response message is sent to the message sender (i.e., the client that sent the remote access message).

Step S202: if the remote access message is not a service query message, extracting the access service identifier and the requested access port from the remote access message.

It should be noted that if the remote access message is not a service query message, the client is accessing a specific remote service. However, because the access port the client obtained when it queried the remote service has been replaced, the message would not reach the remote service if it were left untouched. The access service identifier and the requested access port are therefore extracted from the remote access message so that the real service access port can be restored. Here the access service identifier may be the service identification information of the remote service the remote access message is addressed to, and the requested access port may be the service access port carried in the remote access message.

Step S203: acquiring the port replacement rule corresponding to the access service identifier.

It should be noted that acquiring the port replacement rule corresponding to the access service identifier may consist of looking up that rule in the preset replacement rule library.

It will be appreciated that if no port replacement rule corresponding to the access service identifier is found, the remote service being accessed is not an important one and its service access port was not replaced when it was sent to the client. In that case the subsequent steps can be skipped and the remote access message taken directly as the secure access message.

Step S204: determining the real service port according to the requested access port and the port replacement rule.

It should be noted that the mapping between real service ports and external service ports is taken from the port replacement rule, and the requested access port is treated as the service's external port to look up the corresponding real service port.

Step S205: replacing the requested access port in the remote access message with the real service port to obtain the secure access message.

In practice, replacing the requested access port in the remote access message with the real service port to obtain the secure access message may consist of substituting the real service port for the requested access port contained in the remote access message and taking the modified remote access message as the secure access message.

In this embodiment, if the access protocol type is a request-response type, it is detected whether the remote access message is a service query message; if it is not, the access service identifier and the requested access port are extracted from the remote access message; the port replacement rule corresponding to the access service identifier is acquired; the real service port is determined from the requested access port and the port replacement rule; and the requested access port in the remote access message is replaced with the real service port to obtain the secure access message. Because only the external access port, never the real access port of the remote service, is exposed during access, a malicious attacker cannot learn the real access port of the remote service, and attacks on the remote service are avoided.
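The port rewriting of this embodiment (the response path of FIG. 4 and the request path of steps S202 to S205) can be made concrete on a DCE/RPC protocol tower, since the EPM returns endpoints in Tower format. The following is an added illustration, not code from the patent or its assignee. It builds a five-floor ncacn_ip_tcp tower according to the C706 floor layout (UUID floor, NDR transfer syntax floor, connection-oriented floor, TCP port floor, IP floor), then swaps the TCP port floor in either direction using a rule library. The service UUID, IP address, port numbers and the rule library are constructed for the example; treating TCP port 135 as the service query port is an assumption that matches the well-known endpoint mapper port.

```python
"""EPM Filter port rewriting (added illustration, not the patent's code).

A DCE/RPC protocol tower is split into floors so the TCP port floor can be
swapped: real -> external on the endpoint mapper's response, external -> real
on the client's subsequent request. Rule library, service UUID, IP address and
ports below are constructed for this example.
"""
import struct
import uuid

# Protocol identifiers from the DCE/RPC protocol tower encoding (C706 Appendix I).
PROTO_UUID = 0x0D
PROTO_CONN_ORIENTED = 0x0B
PROTO_TCP = 0x07
PROTO_IP = 0x09

EPM_PORT = 135  # well-known endpoint mapper port, assumed here as the service query port
NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # NDR transfer syntax

# Constructed rule library: protected service UUID -> {real port: external port}.
SVC_UUID = uuid.UUID("12345678-1234-abcd-ef00-0123456789ab")  # hypothetical service
RULE_LIBRARY = {SVC_UUID: {49670: 60001}}


def is_service_query(requested_port):
    """Step S201: a request aimed at the service query port is a port lookup."""
    return requested_port == EPM_PORT


def _uuid_floor(u, major, minor):
    lhs = struct.pack("<B", PROTO_UUID) + u.bytes_le + struct.pack("<H", major)
    return lhs, struct.pack("<H", minor)


def encode_floors(floors):
    """Tower = u16 floor count, then per floor: u16 lhs_len, lhs, u16 rhs_len, rhs."""
    out = struct.pack("<H", len(floors))
    for lhs, rhs in floors:
        out += struct.pack("<H", len(lhs)) + lhs + struct.pack("<H", len(rhs)) + rhs
    return out


def encode_tower(service_uuid, port, ip="10.0.0.5"):
    """Five-floor ncacn_ip_tcp tower for service_uuid reachable at ip:port."""
    return encode_floors([
        _uuid_floor(service_uuid, 1, 0),
        _uuid_floor(NDR_SYNTAX, 2, 0),
        (struct.pack("<B", PROTO_CONN_ORIENTED), struct.pack("<H", 0)),
        (struct.pack("<B", PROTO_TCP), struct.pack(">H", port)),  # port is big-endian
        (struct.pack("<B", PROTO_IP), bytes(int(o) for o in ip.split("."))),
    ])


def decode_tower(tower):
    """Split a tower into (lhs, rhs) floors, refusing truncated input."""
    try:
        (count,) = struct.unpack_from("<H", tower, 0)
        off, floors = 2, []
        for _ in range(count):
            (n,) = struct.unpack_from("<H", tower, off)
            lhs, off = tower[off + 2:off + 2 + n], off + 2 + n
            (n,) = struct.unpack_from("<H", tower, off)
            rhs, off = tower[off + 2:off + 2 + n], off + 2 + n
            if off > len(tower):
                raise ValueError("truncated floor")
            floors.append((lhs, rhs))
    except struct.error as exc:
        raise ValueError("truncated tower") from exc
    return floors


def tower_service_uuid(floors):
    """Service identification information: the interface UUID in floor 1."""
    if not floors or len(floors[0][0]) != 19 or floors[0][0][0] != PROTO_UUID:
        raise ValueError("floor 1 is not an interface UUID floor")
    return uuid.UUID(bytes_le=floors[0][0][1:17])


def tower_tcp_port(floors):
    for lhs, rhs in floors:
        if lhs and lhs[0] == PROTO_TCP:
            return struct.unpack(">H", rhs)[0]
    raise ValueError("no TCP floor")


def rewrite_tower_port(tower, outbound):
    """Swap the TCP port floor according to the service's rule.

    outbound=True : EPM response leaving the server (real -> external).
    outbound=False: client request entering the filter (external -> real, S202-S205).
    Towers for services without a rule are returned unchanged (S203 fall-through).
    """
    floors = decode_tower(tower)
    rule = RULE_LIBRARY.get(tower_service_uuid(floors))
    if rule is None:
        return tower
    mapping = rule if outbound else {ext: real for real, ext in rule.items()}
    port = tower_tcp_port(floors)
    if port not in mapping:
        # Port not covered by the rule: passed through here. Practitioner note:
        # hiding the port only helps if the real port is also unreachable from
        # outside the filter.
        return tower
    return encode_floors([
        (lhs, struct.pack(">H", mapping[port]) if lhs and lhs[0] == PROTO_TCP else rhs)
        for lhs, rhs in floors
    ])
```

Running the response path and then the request path over the same tower must round-trip to the original bytes; that round-trip is the property the "restore" step of this embodiment depends on, and it is what a filter deployment should assert in its own tests.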

Referring to FIG. 5, FIG. 5 is a flowchart of a third embodiment of the remote access processing method of the present invention.

Based on the first embodiment, step S20 of the remote access processing method of this embodiment includes:

Step S201': if the access protocol type is a pipe connection type, detecting whether the instruction contained in the remote access message is a pipe open instruction.

It should be noted that when the client passes messages over a pipe connection type protocol it does not need to obtain a port; it connects directly through the pipe to invoke the remote service. A malicious attacker attacking over a pipe connection does so by opening a particular pipe and tampering with it. Therefore, when the access protocol type is a pipe connection type, it can be detected whether the instruction contained in the remote access message is a pipe open instruction, that is, an instruction to open a pipe.

In a specific implementation, to determine accurately whether the instruction contained in the remote access message is a pipe open instruction, the step of detecting whether the instruction contained in the remote access message is a pipe open instruction may include:

extracting the remote access parameter from the remote access message;

if the remote access parameter is of the open object type, determining that the instruction contained in the remote access message is a pipe open instruction.

It should be noted that when a pipe is opened, the parameter passed in the command is an object of the open object type. The remote access parameter can therefore be extracted from the remote access message and checked for that type, which determines whether the instruction contained in the remote access message is a pipe open instruction.

In a specific implementation, determining whether the remote access parameter is of the open object type may consist of attempting to convert it into the format corresponding to that type; if the conversion succeeds, the remote access parameter is determined to be of the open object type.

For example, taking a remote call on a Windows system, the parameter passed in a pipe open instruction is an IRP_MJ_CREATE request object. It can therefore be checked whether the remote access parameter is an IRP_MJ_CREATE request object; if so, the instruction contained in the remote access message is determined to be a pipe open instruction.

Further, in order to cope with repeated attacks by a malicious attacker and avoid the excessive consumption of device resources they cause, step S201' of this embodiment may include:

if the access protocol type is a pipe connection type, obtaining the sender IP corresponding to the remote access message;

detecting whether the sender IP is present in the access blacklist;

if it is not present in the access blacklist, detecting whether the instruction contained in the remote access message is a pipe open instruction.

It should be noted that the sender IP may be the IP address of the device that sent the remote access message. Obtaining the sender IP corresponding to the remote access message may consist of extracting it from the remote access message or of tracing the message back to its source. The access blacklist may be a table storing the IP addresses of malicious attackers.

It will be appreciated that if the sender IP is not in the access blacklist, the sender of the remote access message has not yet been identified as a malicious attacker, and the subsequent steps can proceed. If the sender IP is in the access blacklist, the sender has already been identified as a malicious attacker; no further processing is needed and the remote access message can simply be discarded, so that no further device resources are wasted on it.

Step S202': if the instruction is a pipe open instruction, detecting whether the access target corresponding to the remote access message is a sensitive target.

It will be appreciated that if the instruction contained in the remote access message is a pipe open instruction, the message requires further inspection to determine whether it was initiated by a malicious attacker. The access target corresponding to the remote access message is therefore obtained and checked for whether it is a sensitive target.

In a specific implementation, detecting whether the access target corresponding to the remote access message is a sensitive target may consist of extracting from the remote access message the name of the pipe it is opening and checking whether that pipe name appears in a preset sensitive pipe list; if it does, the access target corresponding to the remote access message is determined to be a sensitive target. The preset sensitive pipe list holds the names of the sensitive pipes and can be configured by the administrator of the remote access processing device.

Step S203': if the access target is a sensitive target, performing pipe name replacement on the remote access message to obtain the secure access message.

It will be appreciated that if the access target is a sensitive target, the remote access message is very likely to have been initiated by a malicious attacker, and allowing the access to continue could expose the remote server to attack. The pipe name in the remote access message is therefore replaced, the modified remote access message is taken as the secure access message, and the access is thereby redirected to a preset safe pipe, so that the remote server is not attacked.

Further, in order to discover malicious attackers promptly and avoid the excessive consumption of device resources caused by their repeated attacks, after step S203' this embodiment may further include:

obtaining the historical pipe replacement count corresponding to the sender IP;

incrementing the historical pipe replacement count by one to obtain the current replacement count;

if the current replacement count is greater than a preset replacement threshold, adding the sender IP to the access blacklist.

It should be noted that the historical pipe replacement count may be the number of times pipe name replacement has previously been performed on remote access messages sent from that sender IP. The preset replacement threshold can be set in advance by the administrator of the remote access processing device according to actual needs, for example to 5.

It will be appreciated that if the current replacement count is greater than the preset replacement threshold, the sender IP has attempted to open sensitive pipes repeatedly; the sender can therefore be determined to be a malicious attacker and added to the access blacklist.

For ease of understanding, the process is described with reference to FIG. 6, without limiting the solution. FIG. 6 is a schematic diagram of pipe name replacement in this embodiment. As shown in FIG. 6, the remote access processing device attaches to the NPFS device in advance so as to intercept remote access messages of the pipe connection type (i.e., IRP requests), extracts the remote access parameter from each and checks whether it is an IRP_MJ_CREATE request object. If it is not, the request is passed straight to NPFS for the pipe connection; if it is, the pipe name is extracted from it, and when the pipe name is determined to be in the preset sensitive pipe list (shown in the figure as EaLength>0), the pipe name is changed, after which the modified remote access message is passed to NPFS for the pipe connection.

For ease of understanding, the architecture is described with reference to FIG. 7, without limiting the solution. FIG. 7 is a schematic diagram of remote server access in this embodiment. As shown in FIG. 7, the remote access processing device includes at least three modules: EPM Filter, PIPE Filter and RPC Proxy. When the client makes an RPC call it sends a remote access message to the server side, which passes the remote access message to the remote access processing device. The device selects the module matching the access protocol type to process the message and, when processing is complete, hands the message to the RPC Proxy module, which forwards it to the real remote server (RPC Server).

In this embodiment, if the access protocol type is a pipe connection type, it is detected whether the instruction contained in the remote access message is a pipe open instruction; if it is, it is detected whether the access target corresponding to the remote access message is a sensitive target; and if the access target is a sensitive target, pipe name replacement is performed on the remote access message to obtain the secure access message. Because the instructions issued during pipe connection are identified and the pipe name is replaced whenever a remote caller attempts to open a sensitive target through a pipe, dangerous operations are filtered out, the security of remote access is improved, and domain penetration attacks are effectively mitigated.
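The decision logic of steps S201' to S203' together with the blacklist extension (FIG. 6) is shown below as an added, user-mode model; it is not the patent's code, and the real component it stands in for would be a file-system filter attached to the NPFS device and written in C. The request object is a stand-in for an IRP carrying its major function and file name; the sensitive pipe names (samr, lsarpc and svcctl are pipes commonly used in domain lateral movement), the sender addresses and the replacement trace are constructed for the example, the safe pipe name is hypothetical, and the threshold of 5 is the page's own example value.

```python
"""PIPE Filter decision model (added illustration, not the patent's code).

Steps S201'-S203' of the third embodiment plus the per-sender blacklist:
blacklisted senders are dropped, non-IRP_MJ_CREATE requests pass through,
opens of sensitive pipes are redirected to a preset safe pipe, and a sender
whose opens have been redirected more than REPLACE_THRESHOLD times is
blacklisted. Pipe names, addresses and the attack trace are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

IRP_MJ_CREATE = 0x00  # Windows major function code for a create/open request
IRP_MJ_READ = 0x03    # another major function, used to show the pass-through path

# Constructed sensitive list, relative to the NPFS device (\Device\NamedPipe).
SENSITIVE_PIPES: Set[str] = {"\\samr", "\\lsarpc", "\\svcctl"}
SAFE_PIPE = "\\decoy"     # hypothetical preset safe pipe the open is redirected to
REPLACE_THRESHOLD = 5     # the page's example threshold


@dataclass
class Irp:
    """Stand-in for the IRP_MJ_CREATE request object the filter inspects."""
    major_function: int
    file_name: str
    sender_ip: str


@dataclass
class Verdict:
    action: str               # "drop" | "pass" | "redirect"
    irp: Optional[Irp]        # request to hand on to NPFS, or None when dropped


@dataclass
class PipeFilter:
    blacklist: Set[str] = field(default_factory=set)
    replace_counts: Dict[str, int] = field(default_factory=dict)

    def handle(self, irp: Irp) -> Verdict:
        # S201' pre-check: a blacklisted sender costs no further processing.
        if irp.sender_ip in self.blacklist:
            return Verdict("drop", None)
        # S201': only an IRP_MJ_CREATE (a pipe open) is inspected further.
        if irp.major_function != IRP_MJ_CREATE:
            return Verdict("pass", irp)
        # S202': is the pipe being opened a sensitive target?
        if irp.file_name.lower() not in SENSITIVE_PIPES:
            return Verdict("pass", irp)
        # S203': rewrite the pipe name so the open lands on the safe pipe.
        redirected = Irp(irp.major_function, SAFE_PIPE, irp.sender_ip)
        # Blacklist extension: count redirects per sender and blacklist past the threshold.
        count = self.replace_counts.get(irp.sender_ip, 0) + 1
        self.replace_counts[irp.sender_ip] = count
        if count > REPLACE_THRESHOLD:
            self.blacklist.add(irp.sender_ip)
        return Verdict("redirect", redirected)


def run_attack_sequence(n_opens: int = 7, ip: str = "192.0.2.10") -> Tuple[PipeFilter, List[Verdict]]:
    """Constructed trace: one benign read, then n_opens attempts to open \\svcctl."""
    flt = PipeFilter()
    trace = [Irp(IRP_MJ_READ, "\\svcctl", ip)] + [Irp(IRP_MJ_CREATE, "\\svcctl", ip)] * n_opens
    return flt, [flt.handle(req) for req in trace]
```

With the threshold at 5, the sixth redirected open of a sensitive pipe from one address pushes its count to 6 and blacklists it, so the seventh open is dropped before any name lookup. Note the ordering the page describes: the request that crosses the threshold is still redirected, and only later requests from that sender are dropped.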

In addition, an embodiment of the present invention further provides a storage medium storing a remote access processing program which, when executed by a processor, implements the steps of the remote access processing method described above.

Referring to FIG. 5, FIG. 5 is a structural block diagram of a first embodiment of the remote access processing apparatus of the present invention.

As shown in FIG. 5, the remote access processing apparatus proposed in the embodiment of the present invention includes:

a message interception module 10, configured to obtain, when a remote access message is intercepted, the access protocol type and the target server corresponding to the remote access message;

a sensitive filtering module 20, configured to replace the sensitive data in the remote access message according to the sensitive filtering policy corresponding to the access protocol type, to obtain a secure access message;

a message forwarding module 30, configured to forward the secure access message to the target server.

In this embodiment, when a remote access message is intercepted, the access protocol type and target server corresponding to it are obtained; the sensitive data in the remote access message is replaced according to the sensitive filtering policy for that access protocol type, yielding a secure access message; and the secure access message is forwarded to the target server. Because the remote access message is intercepted and then filtered with a policy selected by its access protocol type, remote service access is screened before it reaches the service, malicious attacks and dangerous operations can be filtered out, and domain penetration attacks are effectively mitigated.

Further, the sensitive filtering module 20 is also configured to: if the access protocol type is a request-response type, detect whether the remote access message is a service query message; if it is not, extract the access service identifier and the requested access port from the remote access message; acquire the port replacement rule corresponding to the access service identifier; determine the real service port from the requested access port and the port replacement rule; and replace the requested access port in the remote access message with the real service port to obtain the secure access message.

进一步的,所述敏感过滤模块20,还用于若所述访问协议类型为请求响应类型,则从所述远程访问消息中提取请求访问端口;获取所述目标服务器对应的服务查询端口;若服务查询端口与所述请求访问端口一致,则判定所述远程访问消息为服务查询信息。Furthermore, the sensitive filtering module 20 is also used to extract the request access port from the remote access message if the access protocol type is a request response type; obtain the service query port corresponding to the target server; if the service query port is consistent with the request access port, determine that the remote access message is service query information.

进一步的,所述敏感过滤模块20,还用于若所述远程访问消息为服务查询信息,则将所述远程访问消息转发至所述目标服务器,并获取所述目标服务器根据所述远程访问消息反馈的服务查询响应;对所述服务查询响应进行端口替换,获得替换响应信息;将所述替换响应信息发送至所述远程访问消息对应的消息发送端。Furthermore, the sensitive filtering module 20 is also used to forward the remote access message to the target server if the remote access message is service query information, and obtain a service query response fed back by the target server based on the remote access message; perform port replacement on the service query response to obtain replacement response information; and send the replacement response information to the message sending end corresponding to the remote access message.

进一步的,所述敏感过滤模块20,还用于从所述服务查询响应中提取服务标识信息及真实服务端口;检测是否存在所述服务标识信息对应的端口替换规则;若存在所述服务标识信息对应的端口替换规则,则根据所述端口替换规则及所述真实服务端口确定服务对外端口;将所述服务查询响应中的真实服务端口替换为所述服务对外端口,获得替换响应信息;将所述替换响应信息发送至所述远程访问消息的消息发送端。Furthermore, the sensitive filtering module 20 is also used to extract service identification information and a real service port from the service query response; detect whether there is a port replacement rule corresponding to the service identification information; if there is a port replacement rule corresponding to the service identification information, determine the service external port according to the port replacement rule and the real service port; replace the real service port in the service query response with the service external port to obtain replacement response information; and send the replacement response information to the message sending end of the remote access message.

进一步的,所述敏感过滤模块20,还用于在预设替换规则库中查找所述服务标识信息对应的端口替换规则;若可查找到所述服务标识信息对应的端口替换规则,则判定存在所述服务标识信息对应的端口替换规则。Furthermore, the sensitive filtering module 20 is also used to search for a port replacement rule corresponding to the service identification information in a preset replacement rule library; if the port replacement rule corresponding to the service identification information can be found, it is determined that there is a port replacement rule corresponding to the service identification information.

进一步的,所述敏感过滤模块20,还用于若所述访问协议类型为管道连接类型,则检测所述远程访问消息中包含的指令是否为管道启动指令;若为管道启动指令,则检测所述远程访问消息对应的访问目标是否为敏感目标;若所述访问目标为敏感目标,则对所述远程访问消息进行管道名替换,获得安全访问消息。Furthermore, the sensitive filtering module 20 is also used to detect whether the instruction contained in the remote access message is a pipeline startup instruction if the access protocol type is a pipeline connection type; if it is a pipeline startup instruction, detect whether the access target corresponding to the remote access message is a sensitive target; if the access target is a sensitive target, replace the remote access message with a pipeline name to obtain a secure access message.

进一步的,所述敏感过滤模块20,还用于从所述远程访问消息中提取远程访问参数;若所述远程访问参数为启动对象类型,则判定所述远程访问消息中包含的指令为管道启动指令。Furthermore, the sensitive filtering module 20 is further configured to extract a remote access parameter from the remote access message; if the remote access parameter is a startup object type, then determine that the instruction contained in the remote access message is a pipeline startup instruction.

进一步的,所述敏感过滤模块20,还用于若所述访问目标为敏感目标,则查找所述目标服务器对应的管道替换规则;将所述访问目标与所述管道替换规则匹配,获得待替换管道;根据所述待替换管道对所述远程访问消息进行管道名替换,获得安全访问消息。Furthermore, the sensitive filtering module 20 is also used to find the pipe replacement rule corresponding to the target server if the access target is a sensitive target; match the access target with the pipe replacement rule to obtain the pipe to be replaced; replace the pipe name of the remote access message according to the pipe to be replaced to obtain a secure access message.

进一步的,所述敏感过滤模块20,还用于若所述访问协议类型为管道连接类型,则获取所述远程访问消息对应的发送者IP;检测所述发送者IP是否存在于访问黑名单中;若不存在于所述访问黑名单中,则检测所述远程访问消息中包含的指令是否为管道启动指令。Furthermore, the sensitive filtering module 20 is also used to obtain the sender IP corresponding to the remote access message if the access protocol type is a pipeline connection type; detect whether the sender IP exists in the access blacklist; if it does not exist in the access blacklist, detect whether the instruction contained in the remote access message is a pipeline startup instruction.

进一步的,所述敏感过滤模块20,还用于获取所述发送者IP对应的历史管道替换次数;并将所述历史管道替换次数进行加一处理,获得当前替换次数;若所述当前替换次数大于预设替换阈值,则将所述发送者IP添加至所述访问黑名单中。Furthermore, the sensitive filtering module 20 is also used to obtain the historical pipeline replacement times corresponding to the sender IP; and add one to the historical pipeline replacement times to obtain the current replacement times; if the current replacement times is greater than a preset replacement threshold, the sender IP is added to the access blacklist.

It should be understood that the above is only an illustration and does not limit the technical solution of the present invention in any way; in specific applications, those skilled in the art may configure it as needed, and the present invention places no limitation on this.

It should be noted that the workflow described above is merely illustrative and does not limit the scope of protection of the present invention; in practical applications, those skilled in the art may select some or all of it according to actual needs to achieve the purpose of the present embodiment, and no limitation is made here.

In addition, for technical details not described exhaustively in this embodiment, reference may be made to the remote access processing method provided in any embodiment of the present invention; they are not repeated here.

In addition, it should be noted that in this document the terms "include", "comprise" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or system that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or system. In the absence of further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of further identical elements in the process, method, article or system that includes it.

The serial numbers of the above embodiments of the present invention are for description only and do not indicate the relative merits of the embodiments.

From the description of the above implementations, those skilled in the art will clearly understand that the methods of the above embodiments can be implemented by software together with a necessary general-purpose hardware platform, and of course also by hardware, although in many cases the former is the better implementation. On this understanding, the technical solution of the present invention, in essence or in the part that contributes over the prior art, may be embodied as a software product stored on a storage medium (such as read-only memory (ROM)/RAM, a magnetic disk, or an optical disc) and comprising a number of instructions that cause a terminal device (which may be a mobile phone, a computer, a server, a network device, or the like) to execute the methods described in the various embodiments of the present invention.

The above are only preferred embodiments of the present invention and do not thereby limit its patent scope; any equivalent structural or equivalent process transformation made using the contents of the specification and drawings of the present invention, or any direct or indirect application in other related technical fields, is likewise included within the scope of patent protection of the present invention.

The present invention discloses A1, a remote access processing method comprising the following steps:

when a remote access message is intercepted, obtaining the access protocol type and the target server corresponding to the remote access message;

replacing the sensitive data in the remote access message according to the sensitive filtering policy corresponding to the access protocol type to obtain a secure access message;

forwarding the secure access message to the target server.

A2. The remote access processing method according to A1, wherein the step of replacing the sensitive data in the remote access message according to the sensitive filtering policy corresponding to the access protocol type to obtain a secure access message comprises:

if the access protocol type is the request-response type, detecting whether the remote access message is service query information;

if the remote access message is not service query information, extracting the access service identifier and the requested access port from the remote access message;

obtaining the port replacement rule corresponding to the access service identifier;

determining the real service port from the requested access port and the port replacement rule;

replacing the requested access port in the remote access message with the real service port to obtain the secure access message.

A3. The remote access processing method according to A2, wherein the step of detecting whether the remote access message is service query information if the access protocol type is the request-response type comprises:

if the access protocol type is the request-response type, extracting the requested access port from the remote access message;

if the service query port matches the requested access port, determining that the remote access message is service query information.

A4. The remote access processing method according to A2, wherein, after the step of detecting whether the remote access message is service query information if the access protocol type is the request-response type, the method further comprises:

if the remote access message is service query information, forwarding the remote access message to the target server and obtaining the service query response the target server returns for it;

performing port replacement on the service query response to obtain replacement response information;

sending the replacement response information to the sender of the remote access message.

A5. The remote access processing method according to A4, wherein the step of performing port replacement on the service query response to obtain replacement response information comprises:

extracting the service identification information and the real service port from the service query response;

detecting whether a port replacement rule corresponding to the service identification information exists;

if a port replacement rule corresponding to the service identification information exists, determining the externally exposed service port from the port replacement rule and the real service port;

replacing the real service port in the service query response with the externally exposed service port to obtain the replacement response information.

A6. The remote access processing method according to A5, wherein the step of detecting whether a port replacement rule corresponding to the service identification information exists comprises:

looking up the port replacement rule corresponding to the service identification information in a preset replacement rule library;

if a port replacement rule corresponding to the service identification information can be found, determining that such a rule exists.

A7. The remote access processing method according to A1, wherein the step of replacing the sensitive data in the remote access message according to the sensitive filtering policy corresponding to the access protocol type to obtain a secure access message comprises:

if the access protocol type is the pipe connection type, detecting whether the instruction contained in the remote access message is a pipe start instruction;

if it is a pipe start instruction, detecting whether the access target of the remote access message is a sensitive target;

if the access target is a sensitive target, replacing the pipe name in the remote access message to obtain the secure access message.

A8. The remote access processing method according to A7, wherein the step of detecting whether the instruction contained in the remote access message is a pipe start instruction comprises:

extracting the remote access parameter from the remote access message;

if the remote access parameter is of the start-object type, determining that the instruction contained in the remote access message is a pipe start instruction.

A9. The remote access processing method according to A7, wherein the step of replacing the pipe name in the remote access message to obtain the secure access message if the access target is a sensitive target comprises:

if the access target is a sensitive target, looking up the pipe replacement rule corresponding to the target server;

matching the access target against the pipe replacement rule to obtain the pipe to be replaced;

replacing the pipe name in the remote access message according to the pipe to be replaced to obtain the secure access message.

A10. The remote access processing method according to A7, wherein the step of detecting whether the instruction contained in the remote access message is a pipe start instruction if the access protocol type is the pipe connection type comprises:

if the access protocol type is the pipe connection type, obtaining the sender IP of the remote access message;

checking whether the sender IP is in the access blacklist;

if it is not in the access blacklist, detecting whether the instruction contained in the remote access message is a pipe start instruction.

A11. The remote access processing method according to A10, wherein, after the step of replacing the pipe name in the remote access message to obtain the secure access message if the access target is a sensitive target, the method further comprises:

obtaining the historical pipe replacement count corresponding to the sender IP;

incrementing the historical pipe replacement count by one to obtain the current replacement count;

if the current replacement count exceeds a preset replacement threshold, adding the sender IP to the access blacklist.
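The module behaviour described in the embodiment above and the method steps A1 to A11 amount to one filter procedure: a request-response message is either passed through as a service query (with the real ports in the response rewritten to the externally exposed ports) or has its requested external port mapped back to the real service port; a pipe-connection message from a sender who is not blacklisted has a sensitive pipe name substituted when it carries a pipe start instruction, and a sender whose replacement count exceeds the threshold is blacklisted. The following Python is an added illustration of that procedure and is not code from the patent or its assignee. The Message fields, the protocol labels, the rule tables (PORT_RULES, SERVICE_QUERY_PORT, PIPE_RULES), the start-object marker, the handling of a request that matches no rule, and the choice to drop messages from a blacklisted sender are all assumptions, since the patent fixes neither a wire format nor the fate of a blacklisted sender.

```python
# Added example modelled on the patent's filter procedure (not the patent's own code).
# Message layout, rule tables and the "drop blacklisted sender" choice are assumptions.
from dataclasses import dataclass, replace as with_changes
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Message:
    protocol: str                     # "request_response" or "pipe" (assumed labels)
    sender_ip: str
    target: str                       # target server the message is addressed to
    port: Optional[int] = None        # requested access port (request_response only)
    service_id: Optional[str] = None  # access service identifier (request_response only)
    param: Optional[str] = None       # remote access parameter (pipe only)
    pipe: Optional[str] = None        # access target, i.e. the pipe name (pipe only)


# Assumed preset replacement rule library: service id -> (externally exposed port, real port).
PORT_RULES: Dict[str, Tuple[int, int]] = {
    "svc-directory": (50135, 49152),
    "svc-account": (50136, 49153),
}
# Assumed service query port of each target server.
SERVICE_QUERY_PORT: Dict[str, int] = {"srv01": 135}
# Assumed pipe replacement rules per target server: sensitive pipe -> substitute pipe.
PIPE_RULES: Dict[str, Dict[str, str]] = {
    "srv01": {r"\pipe\svc-control": r"\pipe\svc-control-decoy"},
}
PIPE_START_PARAM = "start_object"  # assumed parameter value marking a pipe start instruction


class SensitiveFilter:
    """Dispatches on the access protocol type, as the sensitive filtering module does."""

    def __init__(self, threshold: int = 3):
        self.threshold = threshold                # preset replacement threshold
        self.blacklist: set = set()               # access blacklist of sender IPs
        self.replace_count: Dict[str, int] = {}   # historical pipe replacement count per IP

    def is_service_query(self, msg: Message) -> bool:
        # A service query is recognised by its port matching the target's query port (A3).
        return msg.port is not None and msg.port == SERVICE_QUERY_PORT.get(msg.target)

    def filter_request(self, msg: Message) -> Optional[Message]:
        # Request direction (A2): requested external port -> real service port.
        if self.is_service_query(msg):
            return msg  # forwarded as-is; the response is rewritten instead (A4)
        rule = PORT_RULES.get(msg.service_id)
        if rule is None or msg.port != rule[0]:
            return msg  # assumption: no matching rule, forward unchanged
        return with_changes(msg, port=rule[1])

    def filter_query_response(self, response: Dict[str, int]) -> Dict[str, int]:
        # Response direction (A5/A6): real service port -> externally exposed port
        # for every service id that has a rule in the library.
        rewritten = {}
        for service_id, real_port in response.items():
            rule = PORT_RULES.get(service_id)
            rewritten[service_id] = rule[0] if rule and rule[1] == real_port else real_port
        return rewritten

    def filter_pipe(self, msg: Message) -> Optional[Message]:
        # Pipe connection type (A7 to A11).
        if msg.sender_ip in self.blacklist:
            return None  # assumption: messages from blacklisted senders are dropped
        if msg.param != PIPE_START_PARAM:
            return msg  # not a pipe start instruction
        rules = PIPE_RULES.get(msg.target, {})
        if msg.pipe not in rules:
            return msg  # access target is not sensitive for this server
        secure = with_changes(msg, pipe=rules[msg.pipe])
        count = self.replace_count.get(msg.sender_ip, 0) + 1
        self.replace_count[msg.sender_ip] = count
        if count > self.threshold:
            self.blacklist.add(msg.sender_ip)
        return secure

    def filter(self, msg: Message) -> Optional[Message]:
        if msg.protocol == "request_response":
            return self.filter_request(msg)
        if msg.protocol == "pipe":
            return self.filter_pipe(msg)
        return None  # assumption: unknown protocol types are not forwarded


if __name__ == "__main__":
    f = SensitiveFilter(threshold=2)
    req = Message("request_response", "10.0.0.5", "srv01", port=50135, service_id="svc-directory")
    print(f.filter(req).port)                                     # 49152
    print(f.filter_query_response({"svc-directory": 49152}))     # {'svc-directory': 50135}
    probe = Message("pipe", "10.0.0.9", "srv01", param="start_object", pipe=r"\pipe\svc-control")
    for _ in range(4):
        print(f.filter(probe))                                    # decoy pipe three times, then None
```

Two caveats follow from the procedure itself rather than from this code. Port rewriting only hides the real service port if that port is unreachable except through the interceptor, so the interceptor has to sit in the only path to the target server. And a blacklist keyed on sender IP is reset by a sender that changes address, so the replacement threshold limits how many sensitive pipe opens one address gets, not how many an attacker gets.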

The present invention also discloses B12, a remote access processing device comprising the following modules:

a message interception module, configured to obtain, when a remote access message is intercepted, the access protocol type and the target server corresponding to the remote access message;

a sensitive filtering module, configured to replace the sensitive data in the remote access message according to the sensitive filtering policy corresponding to the access protocol type to obtain a secure access message;

a message forwarding module, configured to forward the secure access message to the target server.

B13. The remote access processing device according to B12, wherein the sensitive filtering module is also configured to: if the access protocol type is the request-response type, detect whether the remote access message is service query information; if it is not, extract the access service identifier and the requested access port from the remote access message; obtain the port replacement rule corresponding to the access service identifier; determine the real service port from the requested access port and the port replacement rule; and replace the requested access port in the remote access message with the real service port to obtain the secure access message.

B14. The remote access processing device according to B13, wherein the sensitive filtering module is also configured to: if the access protocol type is the request-response type, extract the requested access port from the remote access message; obtain the service query port corresponding to the target server; and, if the service query port matches the requested access port, determine that the remote access message is service query information.

B15. The remote access processing device according to B13, wherein the sensitive filtering module is also configured to: if the remote access message is service query information, forward it to the target server and obtain the service query response the target server returns for it; perform port replacement on the service query response to obtain the replacement response information; and send the replacement response information to the sender of the remote access message.

B16. The remote access processing device according to B15, wherein the sensitive filtering module is also configured to: extract the service identification information and the real service port from the service query response; detect whether a port replacement rule corresponding to the service identification information exists; if it does, determine the externally exposed service port from the port replacement rule and the real service port; replace the real service port in the service query response with the externally exposed service port to obtain the replacement response information; and send the replacement response information to the sender of the remote access message.

B17. The remote access processing device according to B16, wherein the sensitive filtering module is also configured to: look up the port replacement rule corresponding to the service identification information in a preset replacement rule library; and, if one can be found, determine that a port replacement rule corresponding to the service identification information exists.

B18. The remote access processing device according to B12, wherein the sensitive filtering module is also configured to: if the access protocol type is the pipe connection type, detect whether the instruction contained in the remote access message is a pipe start instruction; if it is, detect whether the access target of the remote access message is a sensitive target; and, if the access target is a sensitive target, replace the pipe name in the remote access message to obtain the secure access message.

The present invention also discloses C19, remote access processing equipment comprising a processor, a memory, and a remote access processing program stored in the memory and executable on the processor, the remote access processing program, when executed, implementing the steps of the remote access processing method described above.

The present invention also discloses D20, a computer-readable storage medium on which a remote access processing program is stored, the remote access processing program, when executed, implementing the steps of the remote access processing method described above.

Claims (10)

1. A remote access processing method, characterized in that it comprises the following steps: when a remote access message is intercepted, obtaining the access protocol type and the target server corresponding to the remote access message; replacing the sensitive data in the remote access message according to the sensitive filtering policy corresponding to the access protocol type to obtain a secure access message; and forwarding the secure access message to the target server.

2. The remote access processing method according to claim 1, characterized in that the step of replacing the sensitive data in the remote access message according to the sensitive filtering policy corresponding to the access protocol type to obtain a secure access message comprises: if the access protocol type is the request-response type, detecting whether the remote access message is service query information; if the remote access message is not service query information, extracting the access service identifier and the requested access port from the remote access message; obtaining the port replacement rule corresponding to the access service identifier; determining the real service port from the requested access port and the port replacement rule; and replacing the requested access port in the remote access message with the real service port to obtain the secure access message.

3. The remote access processing method according to claim 2, characterized in that the step of detecting whether the remote access message is service query information if the access protocol type is the request-response type comprises: if the access protocol type is the request-response type, extracting the requested access port from the remote access message; and, if the service query port matches the requested access port, determining that the remote access message is service query information.

4. The remote access processing method according to claim 2, characterized in that, after the step of detecting whether the remote access message is service query information if the access protocol type is the request-response type, the method further comprises: if the remote access message is service query information, forwarding the remote access message to the target server and obtaining the service query response the target server returns for it; performing port replacement on the service query response to obtain replacement response information; and sending the replacement response information to the sender of the remote access message.

5. The remote access processing method according to claim 4, characterized in that the step of performing port replacement on the service query response to obtain replacement response information comprises: extracting the service identification information and the real service port from the service query response; detecting whether a port replacement rule corresponding to the service identification information exists; if such a rule exists, determining the externally exposed service port from the port replacement rule and the real service port; and replacing the real service port in the service query response with the externally exposed service port to obtain the replacement response information.

6. The remote access processing method according to claim 5, characterized in that the step of detecting whether a port replacement rule corresponding to the service identification information exists comprises: looking up the port replacement rule corresponding to the service identification information in a preset replacement rule library; and, if a port replacement rule corresponding to the service identification information can be found, determining that such a rule exists.

7. The remote access processing method according to claim 1, characterized in that the step of replacing the sensitive data in the remote access message according to the sensitive filtering policy corresponding to the access protocol type to obtain a secure access message comprises: if the access protocol type is the pipe connection type, detecting whether the instruction contained in the remote access message is a pipe start instruction; if it is a pipe start instruction, detecting whether the access target of the remote access message is a sensitive target; and, if the access target is a sensitive target, replacing the pipe name in the remote access message to obtain the secure access message.

8. A remote access processing device, characterized in that it comprises the following modules: a message interception module, configured to obtain, when a remote access message is intercepted, the access protocol type and the target server corresponding to the remote access message; a sensitive filtering module, configured to replace the sensitive data in the remote access message according to the sensitive filtering policy corresponding to the access protocol type to obtain a secure access message; and a message forwarding module, configured to forward the secure access message to the target server.

9. Remote access processing equipment, characterized in that it comprises a processor, a memory, and a remote access processing program stored in the memory and executable on the processor, the remote access processing program, when executed, implementing the steps of the remote access processing method according to any one of claims 1 to 7.

10. A computer-readable storage medium, characterized in that a remote access processing program is stored on it, the remote access processing program, when executed, implementing the steps of the remote access processing method according to any one of claims 1 to 7.
CN202211559575.8A 2022-12-06 2022-12-06 Remote access processing method, device, equipment and storage medium Pending CN118157885A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211559575.8A CN118157885A (en) 2022-12-06 2022-12-06 Remote access processing method, device, equipment and storage medium


Publications (1)

Publication Number Publication Date
CN118157885A (en) 2024-06-07

Family

ID=91290866


Country Status (1)

Country Link
CN (1) CN118157885A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
