TW201824047A - Attack request determination method, apparatus and server - Google Patents


Info

Publication number: TW201824047A
Application number: TW106126944A
Authority: TW (Taiwan)
Prior art keywords: information, request, blacklist, attack, type
Other languages: Chinese (zh)
Inventors: 馮帥濤, 楊洋, 向西西
Original assignee: 香港商阿里巴巴集團服務有限公司 (Alibaba Group Services Limited, Hong Kong)
Application filed by 香港商阿里巴巴集團服務有限公司
Publication of TW201824047A

Classifications

    • H — Electricity; H04 — Electric communication technique; H04L — Transmission of digital information, e.g. telegraphic communication
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L9/40 Network security protocols
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/10 Controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]

Abstract

The present application provides an attack request determination method, apparatus and server. The method comprises: receiving an access request; extracting first request information from the access request and matching it against the information in several types of preset blacklist that support multiple matching parameters; and, when the match against the information in any type of blacklist succeeds, determining that the access request is an attack request. The technical solution addresses the problems of the prior art, in which an attack request is determined solely from the access frequency of an IP address: that approach is not applicable to CC attack types with a low per-IP access frequency, cannot accurately distinguish the different types of CC attack, and has a high false positive rate. The present invention makes the decision on an access request on the basis of multiple types of matching parameter, so the decision covers more dimensions, the decision mode is more flexible, and the decision results are more accurate.

Description

Method, device and server for determining an attack request

The present application relates to the technical field of Internet security, and in particular to a method, a device and a server for determining an attack request.

As Internet services have developed, web pages have become increasingly complex and a website must spend more and more resources to process each request; the more users access the site, the higher the system load. Websites are therefore susceptible to CC (Challenge Collapsar) attacks. A CC attack causes enormous resource consumption, so pages open very slowly, and if CPU (Central Processing Unit) or bandwidth resources are exhausted the service may become unavailable, which prevents users from accessing the site and gives a poor user experience.

In the prior art, CC attacks are mainly detected by counting the accesses of each IP (Internet Protocol) address: if the number of accesses from an IP address within a given period exceeds a set threshold, that IP address is added to a blacklist and blocked on the basis of its IP address.

This method can detect a CC attack in which a large number of accesses come from the same IP, but it cannot accurately identify CC attacks of the random URI (Uniform Resource Identifier) type, the random domain name type, and so on. Moreover, counting from the IP angle alone is one-dimensional and inflexible: an attacker who knows the IP counting rule can gradually reduce the rate of attack and craft a malicious attack whose access count never exceeds the set threshold. If the threshold is lowered instead, the false positive rate rises, especially now that wireless and NAT (Network Address Translation) networks are widespread and many users share a single egress IP, which makes false positives all the more likely.

The present application provides a method and a device for determining an attack request, in order to solve the problems of the prior art, in which an attack request is determined solely from the number of accesses of an IP address: this is not applicable to CC attack types whose per-IP access frequency is low, cannot accurately identify the various types of CC attack, and has a high false positive rate.

According to a first aspect of the embodiments of the present application, a method for determining an attack request is provided, applied on a server, comprising: receiving an access request; extracting first request information from the access request and matching the first request information separately against the information in each of several types of preset blacklist that support multiple matching parameters; and, when the match against the information in any type of blacklist succeeds, determining that the access request is an attack request.

According to a second aspect of the embodiments of the present application, a device for determining an attack request is provided, applied on a server, comprising: a receiving unit for receiving an access request; a matching unit for extracting first request information from the access request and matching the first request information separately against the information in each of several types of preset blacklist that support multiple matching parameters; and a first determining unit for determining that the access request is an attack request when the match against the information in any type of blacklist succeeds.

According to a third aspect of the embodiments of the present application, a server is provided, comprising: a transceiver module for receiving an access request and extracting first request information from the access request; and a blocking module, connected to the execution module, for matching the first request information against the information in several types of preset blacklist that support multiple matching parameters and determining that the access request is an attack request when the match against the information in any type of blacklist succeeds.

According to a fourth aspect of the embodiments of the present application, a device for determining an attack request is provided. The device is a server and comprises a processor and a memory for storing instructions executable by the processor, wherein the processor is configured to: receive an access request; extract first request information from the access request and match the first request information separately against the information in each of several types of preset blacklist that support multiple matching parameters; and, when the match against the information in any type of blacklist succeeds, determine that the access request is an attack request.

According to a fifth aspect of the embodiments of the present application, a computer storage medium is provided. The storage medium stores program instructions which comprise: receiving an access request; extracting first request information from the access request and matching the first request information separately against the information in each of several types of preset blacklist that support multiple matching parameters; and, when the match against the information in any type of blacklist succeeds, determining that the access request is an attack request.

As can be seen from the above technical solutions, in the embodiments of the present application the server is provided with several types of blacklist supporting multiple matching parameters, so that a CC attack is judged not only from the number of accesses of an IP address but also on the basis of the header, cookie and args types. The attack request can therefore be determined more precisely and misjudgment avoided; the decision covers more dimensions, the decision mode is more flexible, and the decision result is more accurate.

Reference numerals used in the drawings:

11: transceiver module
12: statistics module
13: configuration module
14: execution module
15: blocking module
510: receiving unit
520: matching unit
530: first determining unit

FIG. 1 is a schematic diagram of a scenario for the attack request determination method of the present application; FIG. 2 is a flowchart of an embodiment of the attack request determination method of the present application; FIG. 3 is a hardware structure diagram of the equipment in which the attack request determination device of the present application is located; FIG. 4 is a hardware structure diagram of the attack request determination device of the present application; and FIG. 5 is a block diagram of an embodiment of the attack request determination device of the present application.

The terminology used in the present application is for the purpose of describing particular embodiments only and is not intended to limit the present application. As used in the present application and the appended claims, the singular forms "a", "said" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.

It should be understood that although the terms first, second, third and so on may be used in the present application to describe various kinds of information, the information should not be limited by these terms. These terms are only used to distinguish information of the same kind from one another. For example, without departing from the scope of the present application, first information may also be called second information, and similarly second information may also be called first information. Depending on the context, the word "if" as used herein may be interpreted as "when", "upon" or "in response to determining".

In the prior art, when a website is under CC attack, the IP address is usually determined from the received request and the access volume of that IP address within a period is counted; if the volume exceeds a set threshold, an IP blacklist is generated from that IP so that requests from that IP address are blocked. This can only block CC attacks in which the same IP address accesses frequently, and the attacker can simply attack fewer times than the set threshold. It also does not apply to CC attack types whose per-IP access frequency is low. For example, repeatedly requesting the URI of a large file saturates the server's egress bandwidth with a small number of requests and degrades user access; blocking by IP address alone in that case is very likely to misjudge IP addresses that access other URIs. As another example, a domain name attack against CDN (Content Delivery Network) nodes makes the CDN nodes query DNS (Domain Name System) repeatedly, so even a modest access volume (attack volume) can bring the DNS server down. As another example, a random URI attack against CDN nodes, which bears no direct relation to the access volume of any IP address, causes every request to pass through to the origin site and produces service anomalies. As yet another example, simulating a user performing some very expensive operation, such as placing an order on an e-commerce site, can paralyse the site even with a small access volume. In summary, detection based on the per-IP access volume cannot accurately determine the various CC attacks described above.

The embodiments of the present application propose a new method and device for determining an attack request: blacklists of several types are determined from preset expressions together with the request information and response information collected within a set period, and received requests are judged and blocked on the basis of those blacklists. In this way a number of targeted expressions can be configured for the characteristics of each attack type, so that all types of CC attack can be defended against effectively. The embodiments may be applied in a server; the server may be a physical or logical server, or two or more physical or logical servers with different responsibilities that cooperate to implement the server functions described in the embodiments. The embodiments do not limit the type of server, nor the type or protocol of the communication network between servers.

Referring to FIG. 1, a schematic diagram of a scenario for the attack request determination method of an embodiment of the present application: FIG. 1 shows a server and n computers, a first computer, a second computer and so on up to an N-th computer, and the server receives requests from the n computers.

The flow of the attack request determination method applied on the server is shown in FIG. 2 and comprises the following steps:

Step 201: receive an access request.

In the embodiments of the present application, the request may be an application-layer request such as an HTTP (Hypertext Transfer Protocol) request, an rrt request or an mp request, and its content may be a request for a web page, a video, a live stream and so on. The embodiments take the HTTP request as their example.

Step 202: extract the first request information from the access request, and match the first request information separately against the information in each of the several types of preset blacklist that support multiple matching parameters.

In this step the server parses the received access request. The first request information obtained may include any one or more of the following parameters, without being limited to them: count, the number of accesses for the corresponding blacklist key (the blacklist key, which can be understood as the matching parameter described above). For example, if the filtering information in the blacklist is IP=111.1.1.1, then count is the number of accesses from the address IP=111.1.1.1.

uri_num, the number of accesses to a given URI; for example, uri_num/a and uri_num/b refer to different URIs.

status_count, the number of times a given status code was returned for the requests; it takes a parameter, e.g. status_count|404 is the number of times status code 404 was returned.

status_ratio, the proportion of the total number of accesses for which a given status code was returned; it takes a parameter, e.g. status_ratio|404 is the number of responses with status code 404 divided by the total number of accesses. The total number of accesses is the number of accesses within the set time interval.

arg_num, the number of requests carrying a given argument; it takes a parameter and is written arg_num|x. For example, /a?x=1 and /a?x=2 count as two accesses.

none_arg_ratio, the proportion of all requests that do not carry a given argument; it takes a parameter, e.g. none_arg_ratio|x is the number of requests not carrying the argument x divided by the total number of requests. The total number of requests is the number of requests received during the validity period of the blacklist, i.e. within the set time interval.

cookie_num, the number of requests carrying a given cookie; it takes a parameter, e.g. cookie_num|x is the number of requests carrying the cookie x.

none_cookie_ratio, the proportion of all requests that do not carry a given cookie; it takes a parameter, e.g. none_cookie_ratio|x is the number of requests not carrying the cookie x divided by the total number of requests.

req_header_num, the number of requests carrying a given header; it takes a parameter, e.g. req_header_num|x is the number of requests carrying the header x.

none_req_header_ratio, the proportion of all requests that do not carry a given header; it takes a parameter, e.g. none_header_ratio|x is the number of requests not carrying the header x divided by the total number of requests.

resp_header_num, the number of responses carrying a given header; it takes a parameter, e.g. resp_header_num|x is the number of responses carrying the header x.

none_req_header_ratio (the source uses the same name as the request-side ratio above), the proportion of all requests whose response does not carry a given header; it takes a parameter, e.g. none_header_ratio|x is the number of responses not carrying the header x divided by the total number of requests.

method_ratio, the proportion of all requests submitted with a given method; it takes a parameter, e.g. method_ratio|POST is the number of requests submitted with POST divided by the total number of accesses. The same proportion can be computed for requests submitted with GET, DELETE, HEAD, PUT and so on.

method_count, the number of requests submitted with a given method; it takes a parameter, e.g. method_count|POST is the number of requests submitted with POST.

req_traffic, the total request traffic, i.e. the total traffic consumed by the requests received during the validity period of the blacklist.

resp_traffic, the total response traffic, i.e. the total traffic consumed by the responses sent during the validity period of the blacklist.

In the embodiments of the present application, the server may preset blacklists that support multiple matching parameters. The blacklists are of several types, rather than only the IP address type of the prior art. Setting up the blacklists comprises the following steps (not shown in FIG. 2):

Step 301: parse the access requests received and/or the responses sent within a set period, obtaining second request information and/or response information respectively.

In this step, the set period may be the period delimited by the execution interval of the expression that represents the attack condition; for example, with an execution interval of 10 s the set period is the 10 s preceding the current time. The second request information and the response information may be any one or more of the parameters listed under step 202.

Step 302: based on the variables of a preset expression, extract from the second request information and/or response information the information corresponding to each variable.

In the embodiments of the present application, expressions may be set in advance. An expression consists of variables and operators and represents an attack condition. Several expressions may be set according to the various types and characteristics of CC attacks, so that blacklists covering multiple CC attack types can subsequently be generated. In this step, the information corresponding to the expression's variables is extracted from the second request information and/or response information.

The operators may include, but are not limited to, the following:

Parentheses: ( )

Greater-than: >

Less-than: <

OR operator: ∥

AND operator: &&

Setting expressions in this way makes the statistics more flexible: the expressions can be adjusted promptly according to the attack type and the actual situation, so that the various attacks can be judged precisely and the coverage of attack detection is widened. Status code, header and traffic information can be combined in a single judgement, so the judgement covers more dimensions and its result is more precise.
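As an added example (not code from the patent), the following Python evaluator handles attack-condition expressions written with the operators listed above. Statistics for one blacklist key are supplied as a plain dict, constructed here; the precedence rule that && binds tighter than ∥ (or ||) unless parentheses say otherwise, and the treatment of a variable missing from the statistics as 0, are assumptions of this example, not statements of the patent.

```python
"""Added example, not code from the patent: an evaluator for the attack-condition
expressions written with the operators listed above ( ( ), >, <, || or ∥, && ).
Statistics are supplied as a plain dict, constructed here; && binds tighter than ||
and parentheses override that, as in C-style expression languages (assumption)."""
import re

TOKEN = re.compile(r'"([^"]*)"|(\d+(?:\.\d+)?)|(\|\||∥|&&|[()<>])|(\S)')


def tokenize(expr):
    """Quoted names become ("var", name), numbers ("num", float), the rest ("op", text)."""
    out = []
    for m in TOKEN.finditer(expr):
        kind, text = m.lastindex, m.group(m.lastindex)   # 1 var, 2 number, 3 operator, 4 junk
        if kind == 4:
            raise ValueError(f"unexpected character {text!r} in expression")
        out.append(("var", text) if kind == 1 else ("num", float(text)) if kind == 2
                   else ("op", "||" if text == "∥" else text))
    return out


def evaluate(expression, stats):
    """Recursive descent: or := and ('||' and)*; and := cmp ('&&' cmp)*;
    cmp := '(' or ')' | operand ('>'|'<') operand; operand := "name" | number.
    A variable missing from stats counts as 0 (assumption)."""
    toks, pos = tokenize(expression) + [("end", None)], 0

    def take(expected=None):
        nonlocal pos
        tok = toks[pos]
        if tok[0] == "end" or (expected and tok != ("op", expected)):
            raise ValueError(f"expected {expected or 'a token'} at token {pos}")
        pos += 1
        return tok

    def operand():
        kind, text = take()
        if kind == "num":
            return text
        if kind == "var":
            return float(stats.get(text, 0))
        raise ValueError(f"operand expected, got {text!r}")

    def cmp():
        if toks[pos] == ("op", "("):
            take()
            val = or_expr()
            take(")")
            return val
        left, (_, op), right = operand(), take(), operand()
        if op not in ("<", ">"):
            raise ValueError(f"bad comparison operator {op!r}")
        return left > right if op == ">" else left < right

    def and_expr():
        val = cmp()
        while toks[pos] == ("op", "&&"):
            take()
            val = cmp() and val      # right side is always parsed: lookups have no side effects
        return val

    def or_expr():
        val = and_expr()
        while toks[pos] == ("op", "||"):
            take()
            val = and_expr() or val
        return val

    val = or_expr()
    if toks[pos][0] != "end":
        raise ValueError("trailing tokens in expression")
    return bool(val)


# The random-domain / random-URI expression quoted later in the text, with ∥ as the OR operator.
RANDOM_URI_RULE = ('("status_ratio|404">0.6&&"uri_num">5&&"count">50000)'
                   '∥("status_ratio|502">0.6&&"count">100)'
                   '∥("status_ratio|504">0.6&&"count">500)'
                   '∥("status_ratio|503">0.6&&"count">500)')

# Constructed statistics for three different blacklist keys over one window.
PROBING_KEY = {"count": 60000, "uri_num": 5800, "status_ratio|404": 0.93}
BACKEND_DOWN = {"count": 120, "status_ratio|502": 0.75}
BENIGN_KEY = {"count": 70000, "uri_num": 12, "status_ratio|404": 0.02}

if __name__ == "__main__":
    for name, stats in (("probing", PROBING_KEY), ("backend_down", BACKEND_DOWN), ("benign", BENIGN_KEY)):
        print(name, "->", "attack condition met" if evaluate(RANDOM_URI_RULE, stats) else "no match")
```

The benign key has the largest count of the three yet matches nothing, because every branch of the expression also requires an error-status ratio; that is the point of combining parameters rather than thresholding count alone. A malformed expression (a dangling comparison, an unknown character) raises ValueError at load time instead of silently evaluating to false.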

Step 303: substitute the extracted information as input into the variables of the expression and evaluate it.

After the information corresponding to all variables of the expression has been extracted, the server substitutes the extracted information into the variables of the expression and evaluates it.

Step 304: when the result of the evaluation satisfies the attack condition, generate a blacklist according to the type to which the parameters in the expression belong.

Because the expression represents an attack condition, a result of true means that the information substituted into the expression's variables satisfies that attack condition, so the access requests corresponding to that information are very likely attack requests; a blacklist can therefore be generated when the result is true. A result of false means that the substituted information does not satisfy the attack condition, and the corresponding access requests are usually not attack requests.

As the description above shows, the blacklists are generated in advance rather than by collecting statistics and generating blacklists only after a request has been received. The judgement itself is also simple: it only checks whether the information in the access request exists in a blacklist. This responds quickly and does not lengthen the response time of an access, which makes it well suited to high-concurrency scenarios and particularly to a distributed environment, where statistics are collected over all HTTP information in the whole environment and coverage is wider.

Specifically, the embodiments of the present application divide the blacklists into four types, each corresponding to a matching parameter; that is, the blacklists support four matching parameters: IP, header_x, cookie_x and arg_x.

For example, IP=111.1.1.1 means that, with the IP address as the type, a blacklist entry for the IP address 111.1.1.1 is generated.

header_host=ww.cdn.com means that a blacklist entry is generated for requests whose header field host (which specifies the domain name and port number of the requested server) is ww.cdn.com.

cookie_unc=test means that a blacklist entry is generated for requests whose cookie contains unc=test.

arg_user=admin means that a blacklist entry is generated for requests whose request arguments contain user=admin.

In this step, therefore, the blacklist type to which the variables of an expression with result true belong is determined, and a blacklist of the corresponding type is then generated from that blacklist type and the substituted information.

For example, for the expression "none_cookie_ratio|t">0.5: when the result of substituting the information into this expression is true, the variable none_cookie_ratio of the expression identifies the blacklist type as cookie_x, so a blacklist entry "unc=test in the cookie" can be generated.

As another example, for a CC attack with random domain names and random URIs, the expression is: ("status_ratio|404">0.6&&"uri_num">5&&"count">50000)∥("status_ratio|502">0.6&&"count">100)∥("status_ratio|504">0.6&&"count">500)∥("status_ratio|503">0.6&&"count">500), i.e. the status codes, the number of requested URIs and the number of requests are combined to judge whether a CC attack exists. The more matching parameters there are, the more flexible the judgement and the more precise its result.

In this step, since there are several blacklist types and an expression has several variables, the variables of one expression may belong to different blacklist types, i.e. two or more blacklist types may correspond to a single expression. In that case a priority order of the blacklist types may be set and only the blacklist of the highest-priority type generated; alternatively it may be specified explicitly, for example that only an IP blacklist is generated, or only a header blacklist.

本申請案步驟中,在所設置的運算式有多個的情況下,黑名單的個數也可能會比較多。在將第一請求資訊與預設置的黑名單中的資訊進行匹配時,如果黑名單的個數較少,少於設定閾值,那麼可以將第一請求資訊依次與每個黑名單中的資訊進行匹配,如果黑名單的個數較多,遍歷各個黑名單的方式效率會比較低,這種情況下可以基於黑名單類型生成黑名單的二元樹。 In the step of the present application, when there are multiple calculation formulas, the number of blacklists may also be large. When the first request information is matched with the information in the preset blacklist, if the number of blacklists is small and less than the set threshold, the first request information can be sequentially performed with the information in each blacklist. Matching. If the number of blacklists is large, the method of traversing each blacklist will be inefficient. In this case, a blacklist binary tree can be generated based on the blacklist type.

Step 203: when the information matches an entry in a blacklist of any type, the access request is determined to be an attack request.

When the first request information matches information in a blacklist, the corresponding access request can be determined to be an attack request. For example, if the blacklist contains IP=111.1.1.1 and the IP of the first request information is also 111.1.1.1, the match succeeds. As another example, if the blacklist contains user=admin and the user in the first request information is also admin, the match succeeds and the corresponding access request is determined to be an attack request.

In one embodiment, with reference to FIG. 1, the server sets up the blacklists in advance: the server parses the access requests received and/or the responses sent within a set time period and extracts the second request information and/or response information, which may be any of the matching parameters listed above. The server then reads the preset expressions; an expression consists of variables and operators. For example, if the expression is method_count|POST>5, the quantity it refers to, the number of requests submitted with the POST method, is what must be extracted from the second request information. The server then substitutes the extracted second request information and/or response information into the variables of the expression as input and evaluates it. Continuing with this expression, if the value the server extracted is 7, then because 7>5 the result is true, meaning the expression holds and the attack condition is met, so the server generates a blacklist based on the type to which the expression's parameter belongs. The type of this expression is header, so a blacklist of type header is generated, and the matching parameters of that blacklist include method_count.

After the blacklists have been set up, when the server receives an http access request from a computer it extracts the first request information from the request, including count, uri_num, status_count and similar information, and matches the extracted information against the information in the preset blacklists of each type, where a blacklist supports several matching parameters and the matching parameters correspond to the information extracted from the access request. When the first request information matches information in a blacklist of any type, the access request is determined to be an attack request. For example, the extracted first request information includes count, none_cookie_ratio|t and status_ratio|404, and one expression is: ("count">1000 && "none_cookie_ratio|t">0.5)∥("count">100 && "status_ratio|404">0.8)

If, in the first request information, the total number of accesses from a given IP is greater than 1000 and the proportion of its requests whose cookie does not contain t is greater than 0.5, or its total number of requests is greater than 100 and the proportion of its responses with status code 404 is greater than 0.8, the request matches the blacklist of type IP whose matching parameters include count, none_cookie_ratio and status_ratio, and the access request is determined to be an attack request.
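The window statistics, expression evaluation, blacklist-type selection and Step 203 matching described above, as an added Python example that is not code from the patent or its assignee. It assumes a record layout of (client ip, method, uri, cookie dict, status), aggregates per source IP so that blacklist entries are IPs, maps each variable to a blacklist type and applies a priority order (both assumed, since the page fixes neither), and treats a statistic the window never produced as NaN so that no comparison on it can hold. Because the expressions arrive through a configuration interface, the rule string is not handed to a bare eval(): it is rewritten to a Python boolean expression and compiled only if its AST contains nothing but comparisons, boolean joins, numeric constants and stat() calls. The sample traffic is constructed.

```python
import ast
import math
import re
from collections import defaultdict

# Constructed sample traffic for one statistics window (not real log data):
# one (client ip, method, uri, cookie dict, response status) tuple per request/response pair.
SAMPLE_RECORDS = (
    # 10.0.0.5: 150 hits on 150 distinct random URIs, all answered 404, no "t" cookie
    [("10.0.0.5", "GET", f"/{n:04x}", {}, 404) for n in range(150)]
    # 10.0.0.9: 30 ordinary requests carrying the "t" cookie, served 200
    + [("10.0.0.9", "GET", "/index", {"t": "abc", "unc": "u"}, 200) for _ in range(30)]
)

# Blacklist type of each expression variable, and the priority used when one expression
# mixes types (assumed: the page names the types IP, header_x, cookie_x and arg_x, no order).
VAR_TYPES = {"count": "ip", "uri_num": "ip", "status_ratio": "ip",
             "none_cookie_ratio": "cookie_x", "method_count": "header_x"}
TYPE_PRIORITY = ["ip", "header_x", "cookie_x", "arg_x"]
# The only AST nodes a compiled rule may contain: boolean joins, comparisons, numeric
# constants and calls to stat("var|arg"). A rule that needs anything else is rejected.
ALLOWED_NODES = (ast.Expression, ast.BoolOp, ast.And, ast.Or, ast.Compare, ast.Gt, ast.GtE,
                 ast.Lt, ast.LtE, ast.Eq, ast.Call, ast.Name, ast.Load, ast.Constant)


def collect_stats(records):
    """Second request info / response info per client IP, keyed as 'var' or 'var|arg'."""
    by_ip = defaultdict(list)
    for rec in records:
        by_ip[rec[0]].append(rec)
    stats = {}
    for ip, recs in by_ip.items():
        n = len(recs)
        s = {"count": n, "uri_num": len({r[2] for r in recs}),
             "none_cookie_ratio|t": sum("t" not in r[3] for r in recs) / n}
        for status in {r[4] for r in recs}:
            s[f"status_ratio|{status}"] = sum(r[4] == status for r in recs) / n
        for method in {r[1] for r in recs}:
            s[f"method_count|{method}"] = sum(r[1] == method for r in recs)
        stats[ip] = s
    return stats


class Rule:
    """One expression in the page's syntax: "var|arg" op number, joined by && and || (or ∥)."""

    def __init__(self, expr):
        # Rewrite into a Python boolean expression over stat(...) calls, then compile it through
        # a whitelisted AST: the configuration interface hands us strings, so no bare eval().
        py = re.sub(r'"([^"]+)"', r'stat("\1")', expr)
        py = py.replace("∥", " or ").replace("||", " or ").replace("&&", " and ")
        tree = ast.parse(py, mode="eval")
        for node in ast.walk(tree):
            if not isinstance(node, ALLOWED_NODES) or (isinstance(node, ast.Name) and node.id != "stat"):
                raise ValueError(f"disallowed construct in rule: {ast.dump(node)}")
        self.code = compile(tree, "<rule>", "eval")
        self.params = sorted({n.args[0].value.split("|")[0]
                              for n in ast.walk(tree) if isinstance(n, ast.Call)})

    def matches(self, stats):
        # An absent parameter yields NaN, which satisfies no comparison, so a rule that needs a
        # statistic the window never produced (say, no 502 responses at all) cannot fire on it.
        return bool(eval(self.code, {"__builtins__": {}}, {"stat": lambda k: stats.get(k, math.nan)}))

    def blacklist_type(self):
        """Highest-priority blacklist type among the types of the rule's variables."""
        return min({VAR_TYPES[v] for v in self.params}, key=TYPE_PRIORITY.index)


def generate_blacklist(expr, records):
    """Evaluate one rule per client IP over a window and return the typed blacklist it yields."""
    rule = Rule(expr)
    entries = {ip for ip, s in collect_stats(records).items() if rule.matches(s)}
    return {"type": rule.blacklist_type(), "params": rule.params, "entries": entries}


def is_attack_request(first_request_info, blacklists):
    """Step 203: the request is an attack if it matches an entry in a blacklist of any type."""
    return any(first_request_info.get(bl["type"]) in bl["entries"] for bl in blacklists)


if __name__ == "__main__":
    rule = '("count">1000 && "none_cookie_ratio|t">0.5)∥("count">100 && "status_ratio|404">0.8)'
    bl = generate_blacklist(rule, SAMPLE_RECORDS)
    print(bl)  # {'type': 'ip', 'params': ['count', 'none_cookie_ratio', 'status_ratio'], 'entries': {'10.0.0.5'}}
    print(is_attack_request({"ip": "10.0.0.5"}, [bl]), is_attack_request({"ip": "10.0.0.9"}, [bl]))  # True False
```

With the expression from the text, 10.0.0.5 satisfies the second branch (150 requests, all answered 404) and lands on an IP-type blacklist whose matching parameters are count, none_cookie_ratio and status_ratio; 10.0.0.9 does not. The random-URI expression quoted earlier matches nothing in this window, because count never exceeds 50000 and no 502, 503 or 504 responses were seen. Rule('"none_cookie_ratio|t">0.5') resolves to type cookie_x and Rule('"method_count|POST">5') to header_x, as in the text; a rule that calls anything other than stat(), or uses arithmetic, is refused at compile time.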

After the attack request has been determined, the method provided by the embodiments of this application may further include the following steps: determining the corresponding blocking scheme (Action) based on the blacklist that matched, and then blocking the attack request according to that blocking scheme.

In the server, a blocking scheme is stored for each type of blacklist, so that different blocking responses can be made to different types of CC attack.

In the embodiments of this application the blocking scheme may include, but is not limited to, the following: login: redirect to a login page; wait: redirect to a waiting page; challenge: redirect to a human-machine challenge page; chaptcha: redirect to a verification-code (captcha) page; deny: return a rejection page; close: disconnect the connection directly.

The embodiments of this application use different blocking schemes rather than the direct disconnection of the prior art, and so suit different service and attack scenarios. For example, when the attack requests currently received are seriously affecting the service, the connection can be closed directly; when an attack is merely suspected, the request can be redirected to the verification-code page.

An expression has an execution time interval, that is, the expression generates a blacklist once per execution interval. In the embodiments of this application, the first time length elapsed since the expression was last executed is counted; when the first time length reaches the first set time length, the execution interval, a new blacklist is generated from the expression, and the new blacklist overwrites the current one.

A blacklist has a validity period (expired_time), that is, the generated blacklist is valid only within its validity period. In the embodiments of this application, for each blacklist the second time length elapsed since it was generated is counted, and when the second time length reaches the second set time length the blacklist is set to invalid. The validity period of a blacklist is generally longer than the execution interval of the expression, which guarantees that the current blacklist does not expire before the new one has been generated.

In this way the blacklist is always generated from the latest statistics of request and response information and is adjusted in time to the current service and attack conditions, which keeps the blacklist current, makes the determination of attack requests more precise, improves the efficiency of attack defence and lowers the false-kill rate.
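The execution interval, validity period, overwrite and blocking-scheme lookup described above, as an added Python example that is not code from the patent or its assignee. It assumes the configuration field names name, bl_type, interval, expired_time and action, uses the action names listed on the page, takes the expression itself as an injected callable so that the lifecycle logic stays independent of any particular statistics engine, and refuses a configuration whose expired_time is shorter than its interval, since that is exactly the gap the text warns against. The timeline in demo() is constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

# Blocking schemes named on the page; the configuration refers to them by these names.
ACTIONS = {"login", "wait", "challenge", "chaptcha", "deny", "close"}


@dataclass
class RuleConfig:
    """One configured expression and the blacklist it produces (field names are assumed)."""
    name: str
    bl_type: str                       # blacklist type: "ip", "header_x", "cookie_x" or "arg_x"
    interval: float                    # execution time interval of the expression, in seconds
    expired_time: float                # validity period of each generated blacklist, in seconds
    action: str                        # blocking scheme stored for this blacklist
    generate: Callable[[], Set[str]]   # evaluates the expression over the latest statistics

    def __post_init__(self):
        if self.action not in ACTIONS:
            raise ValueError(f"{self.name}: unknown action {self.action!r}")
        # A list that expires before its successor is generated leaves a window with no
        # protection at all, which is why the page keeps expired_time above the interval.
        if self.expired_time < self.interval:
            raise ValueError(f"{self.name}: expired_time must not be shorter than interval")


@dataclass
class Blacklist:
    rule: RuleConfig
    entries: Set[str]
    generated_at: float

    def valid(self, now: float) -> bool:
        return now - self.generated_at < self.rule.expired_time


class BlacklistStore:
    """One current blacklist per rule, regenerated every interval and ignored once expired."""

    def __init__(self, rules: List[RuleConfig]):
        self.rules = list(rules)
        self.last_run: Dict[str, float] = {}
        self.current: Dict[str, Blacklist] = {}

    def tick(self, now: float) -> List[str]:
        """Run every rule whose interval has elapsed; the new blacklist overwrites the old one."""
        refreshed = []
        for rule in self.rules:
            last = self.last_run.get(rule.name)
            if last is None or now - last >= rule.interval:
                self.current[rule.name] = Blacklist(rule, set(rule.generate()), now)
                self.last_run[rule.name] = now
                refreshed.append(rule.name)
        return refreshed

    def decide(self, first_request_info: Dict[str, str], now: float) -> Optional[str]:
        """Action for the first still-valid blacklist the request matches, or None to let it through."""
        for bl in self.current.values():
            if bl.valid(now) and first_request_info.get(bl.rule.bl_type) in bl.entries:
                return bl.rule.action
        return None


def demo():
    """Constructed timeline (seconds): interval 60, expired_time 120, attack stops after two minutes."""
    flagged = {"10.0.0.5"}      # stands in for whatever the expression flags right now
    rule = RuleConfig("random_uri_cc", "ip", 60, 120, "chaptcha", lambda: set(flagged))
    store = BlacklistStore([rule])
    store.tick(0)                                   # first execution builds the blacklist
    a = store.decide({"ip": "10.0.0.5"}, 30)        # 'chaptcha': the list is current
    store.tick(60)                                  # interval elapsed: regenerate and overwrite
    b = store.decide({"ip": "10.0.0.5"}, 125)       # still 'chaptcha': the t=60 list is valid until 180,
                                                    # even though the t=0 list alone would have expired
    flagged.clear()                                 # the attack stopped in the next window
    store.tick(125)                                 # regenerate again, now with no entries
    c = store.decide({"ip": "10.0.0.5"}, 130)       # None: no longer listed, the request passes
    d = store.decide({"ip": "10.0.0.9"}, 130)       # None: never listed
    return a, b, c, d


if __name__ == "__main__":
    print(demo())  # ('chaptcha', 'chaptcha', None, None)
```

decide() is the only path that consults a blacklist, and it checks validity before the entry lookup, so if the scheduler that drives tick() stalls, a stale list is simply not used rather than enforced past its expired_time; with tick() called on schedule, the overlap between interval and expired_time means there is always one valid list per rule.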

As can be seen from the prior art, determining attack requests solely from the number of accesses per IP address is unsuitable for CC attack types in which each IP address accesses at a low frequency, and has a high false-kill rate. This application not only judges by the number of accesses per IP address but also judges CC attacks on the basis of headers, cookies, args and so on, and can therefore determine attack requests more precisely. Judgements can also be based on status codes, traffic information and the request method, so the judgement dimensions are wider, the judgement method more flexible and the result more accurate.

FIG. 3 is a schematic diagram of the modules of a server according to an embodiment of this application; it includes a transceiver module 11, a statistics module 12, a configuration module 13, an execution module 14 and a blocking module 15.

The transceiver module 11 receives access requests and sends responses to them, for example receiving http access requests and sending http responses, and records and reports the request information and response information. The transceiver module 11 is usually built on nginx or Squid.

The statistics module 12 is connected to the transceiver module 11; it receives the request information and response information reported by the transceiver module 11, collects from them the statistics corresponding to the variables of the preset expressions, and reports the statistical results to the execution module 14.

The configuration module 13 is connected to the execution module 14; it provides a dynamic expression configuration interface and delivers the expressions that describe attack conditions to the execution module 14 in real time.

The execution module 14 parses the expressions and generates blacklists from the expressions and the statistical results of the statistics module 12. Specifically, the statistics collected by the statistics module 12 are substituted into the variables of the expression and the expression is evaluated; if the result is true, a blacklist of the corresponding type is generated according to the blacklist type to which the expression's variables belong.

The blocking module 15 is connected to the execution module 14; it matches the access requests received by the transceiver module 11 against the blacklists generated by the execution module 14 and blocks the access requests that match a blacklist.

Corresponding to the embodiments of the attack request determination method, this application also provides embodiments of an attack request determination apparatus.

The embodiments of the attack request determination apparatus of this application can be applied on a server. The apparatus embodiments may be implemented in software, in hardware, or in a combination of the two. Taking software implementation as an example, the apparatus in the logical sense is formed by the processor of the device on which it resides reading the corresponding computer program instructions from non-volatile memory into memory and running them. At the hardware level, FIG. 4 shows a hardware structure of the device on which the attack request determination apparatus of this application resides; in addition to the processor, memory, network interface and non-volatile memory shown in FIG. 4, the device may usually include other hardware according to its actual function, which is not shown one by one in FIG. 4.

FIG. 5 is a block diagram of an embodiment of the attack request determination apparatus of this application; the apparatus can be applied on a server and includes a receiving unit 510, a matching unit 520 and a first determining unit 530.

The receiving unit 510 is configured to receive an access request; the matching unit 520 is configured to extract the first request information from the access request and match the first request information against the information in the preset blacklists of various types that support multiple matching parameters; the first determining unit 530 is configured to determine that the access request is an attack request when the match against the information in a blacklist of any type succeeds.

In an optional implementation, the apparatus may further include (not shown in FIG. 5): a parsing unit, configured to parse the access requests received within a set time period to obtain second request information, and/or parse the responses sent within the set time period to obtain response information; an extraction unit, configured to extract, from the second request information and/or the response information, the information corresponding to the variables of a preset expression that represents an attack condition; an operation unit, configured to substitute the extracted information as input into the variables of the expression and evaluate it; and a first generating unit, configured to generate a blacklist of the corresponding type, based on the blacklist type to which the variables of the expression belong, when the result of the evaluation meets the attack condition.

In another optional implementation, the first generating unit may include (not shown in FIG. 5): a first determining sub-unit, configured to determine the variables in the expression that meets the attack condition; a second determining sub-unit, configured to look up the preset blacklist types and determine the blacklist type to which the variables belong; and a generating sub-unit, configured to generate a blacklist of the corresponding type based on that blacklist type, the blacklist type corresponding to the matching parameters.

In another optional implementation, the blacklist types include: Internet Protocol address, header_x, cookie_x and arg_x.

In another optional implementation, the apparatus may further include (not shown in FIG. 5): a storage unit, configured to store the blacklists of different types in correspondence with blocking schemes.

In another optional implementation, the apparatus further includes (not shown in FIG. 5): a second determining unit, configured to determine the corresponding blocking scheme based on the blacklist that matched; and a blocking unit, configured to block the determined attack request according to the blocking scheme.

In another optional implementation, the blocking scheme includes any one of: redirecting to a page, returning a rejection page, and disconnecting.

In another optional implementation, the apparatus further includes (not shown in FIG. 5): a statistics unit, configured to count the first time length since the expression was last executed; a second generating unit, configured to generate a new blacklist based on the expression when the first time length reaches the first set time length; and an overwriting unit, configured to overwrite the current blacklist with the new blacklist.

For the implementation of the functions and roles of the individual units of the apparatus, see the implementation of the corresponding steps of the method above; they are not repeated here.

Since the apparatus embodiments essentially correspond to the method embodiments, the relevant parts may be understood by reference to the description of the method embodiments. The apparatus embodiments described above are merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed over several network units. Some or all of the modules may be selected according to actual need to achieve the purpose of the solution of this application. A person of ordinary skill in the art can understand and implement this without inventive effort.

As can be seen from the above embodiments, the server matches the first request information extracted from an access request against blacklists of several types (IP address, header, cookie, args and so on) rather than only counting accesses per IP address, and it generates those blacklists by substituting statistics collected over a set time period into configurable expressions, regenerating them at each execution interval and retiring them on expiry. Attack requests, including CC attacks in which each IP address accesses at a low frequency, can therefore be determined more precisely, with a lower false-kill rate, and met with a blocking scheme suited to the type of blacklist that matched.

Other embodiments of this application will readily occur to those skilled in the art from consideration of the specification and practice of the invention disclosed here. This application is intended to cover any variations, uses or adaptations of this application that follow its general principles and include such common general knowledge or customary technical means in the art as are not disclosed in this application. The specification and examples are to be regarded as illustrative only; the true scope and spirit of this application are indicated by the claims below.

It should be understood that this application is not limited to the precise structure described above and shown in the drawings, and that various modifications and changes may be made without departing from its scope. The scope of this application is limited only by the appended claims.

Claims (23)

一種攻擊請求的確定方法,應用在伺服器上,其特徵在於,包括:接收訪問請求;提取所述訪問請求中的第一請求資訊,將所述第一請求資訊分別與預設置的支持多種匹配參數的各種類型的黑名單中的資訊進行匹配;在與任一類型的黑名單中的資訊匹配成功時,確定所述訪問請求為攻擊請求。     A method for determining an attack request, which is applied to a server, is characterized in that it includes: receiving an access request; extracting first request information in the access request, and matching the first request information with a plurality of preset support types respectively The information in various types of blacklist parameters is matched; when the information in any type of blacklist is successfully matched, the access request is determined to be an attack request.     根據申請專利範圍第1項所述的方法,其中,所述方法還包括:對設定時間段內接收到的訪問請求進行解析,得到第二請求資訊,和/或對所述設定時間段內發送出的回應進行解析,得到回應資訊;基於預設置的用於表示攻擊條件的運算式中的變數,從所述第二請求資訊和/或所述回應資訊中提取對應於所述變數的資訊;將所提取的資訊作為輸入代入到所述運算式的變數中進行運算;在所述運算結果為符合所述攻擊條件時,基於所述運算式的變數所屬的黑名單類型生成對應類型的黑名單。     The method according to item 1 of the scope of patent application, wherein the method further comprises: analyzing an access request received within a set period of time, obtaining second request information, and / or sending the request within the set period of time Parse out the response to obtain response information; and extract information corresponding to the variable from the second request information and / or the response information based on a preset variable in an expression representing an attack condition; Substituting the extracted information as an input into a variable of the expression to perform an operation; when the result of the operation is consistent with the attack condition, a corresponding type of blacklist is generated based on the type of blacklist to which the variable of the expression belongs. .     
根據申請專利範圍第2項所述的方法,其中,所述基於所述運算式的變數所屬的黑名單類型生成對應類型的黑名單,包括:確定符合所述攻擊條件的運算式中的變數;查找預設置的黑名單類型,確定所述變數所屬的黑名單類型;基於所述黑名單類型生成對應類型的黑名單,所述黑名單類型與所述匹配參數相對應。     The method according to item 2 of the scope of patent application, wherein the generating a blacklist of a corresponding type based on a blacklist type to which a variable of the expression belongs, includes: determining a variable in the expression that meets the attack condition; The preset black list type is searched to determine the black list type to which the variable belongs; a black list of a corresponding type is generated based on the black list type, and the black list type corresponds to the matching parameter.     根據申請專利範圍第3項所述的方法,其中,所述黑名單類型包括:網際網路協定位址、標頭、cookie、狀態碼、流量資訊以及參數。     The method according to item 3 of the scope of patent application, wherein the type of the blacklist includes: an Internet Protocol address, a header, a cookie, a status code, traffic information, and parameters.     根據申請專利範圍第3項所述的方法,其中,所述方法還包括:將不同類型的黑名單和阻斷方案對應的進行儲存。     The method according to item 3 of the scope of patent application, wherein the method further comprises: storing different types of blacklists and blocking schemes correspondingly.     根據申請專利範圍第5項所述的方法,其中,所述方法還包括:基於匹配成功的黑名單確定對應的阻斷方案;基於所述阻斷方案對所確定的攻擊請求進行阻斷。     The method according to item 5 of the scope of patent application, wherein the method further comprises: determining a corresponding blocking scheme based on a successfully matched blacklist; and blocking the determined attack request based on the blocking scheme.     根據申請專利範圍第6項所述的方法,其中,所述阻斷方案包括:跳轉頁面、返回拒絕頁面、斷開連接中的任 一種。     The method according to item 6 of the scope of patent application, wherein the blocking scheme includes any one of a jump page, a return rejection page, and a disconnection.     
根據申請專利範圍第1-7項之任一項所述的方法,其中,所述方法還包括:統計所述運算式從上次執行時間起的第一時間長度;在所述第一時間長度達到第一設定時間長度時,基於所述運算式生成新的黑名單;將新的黑名單覆蓋當前的黑名單。     The method according to any one of items 1 to 7 of the scope of patent application, wherein the method further comprises: counting a first time length of the expression from the last execution time; during the first time length When the first set time length is reached, a new blacklist is generated based on the operation formula; the new blacklist is overwritten by the new blacklist.     根據申請專利範圍第1-7項之任一項所述的方法,其中,所述方法還包括:統計所述黑名單從生成時起的第二時間長度;在所述第二時間長度達到第二設定時間長度時,將所述黑名單設置為無效。     The method according to any one of items 1-7 of the scope of patent application, wherein the method further comprises: counting a second time length of the blacklist from when it is generated; When the time length is set, the blacklist is set to invalid.     一種攻擊請求的確定裝置,應用在伺服器上,其特徵在於,包括:接收單元,用於接收訪問請求;匹配單元,用於提取所述訪問請求中的第一請求資訊,將所述第一請求資訊分別與預設置的支持多種匹配參數的各種類型的黑名單中的資訊進行匹配;第一確定單元,用於在與任一類型的黑名單中的資訊匹配成功時,確定所述訪問請求為攻擊請求。     A device for determining an attack request, which is applied to a server, is characterized in that it includes: a receiving unit for receiving an access request; a matching unit for extracting first request information in the access request, and converting the first request information The request information is matched with information in various types of blacklists that are preset to support multiple matching parameters. The first determining unit is configured to determine the access request when the information in any type of blacklist is successfully matched. Request for attack.     
根據申請專利範圍第9項所述的裝置,其中,所述裝置還包括:解析單元,用於對設定時間段內接收到的訪問請求進行解析,得到第二請求資訊,和/或對所述設定時間段內發送出的回應進行解析,得到回應資訊;提取單元,用於基於預設置的用於表示攻擊條件的運算式中的變數,從所述第二請求資訊和/或所述回應資訊中提取對應於所述變數的資訊;運算單元,用於將所提取的資訊作為輸入代入到所述運算式的變數中進行運算;第一生成單元,用於在所述運算結果為符合所述攻擊條件時,基於所述運算式的變數所屬的黑名單類型生成對應類型的黑名單。     The device according to item 9 of the scope of patent application, wherein the device further comprises: an analysis unit configured to analyze an access request received within a set period of time, obtain second request information, and / or Parse the response sent within a set period of time to obtain response information; an extraction unit is configured to obtain the response information from the second request information and / or the response information based on a preset variable in an expression representing an attack condition Extracting information corresponding to the variable; an arithmetic unit for substituting the extracted information as an input into a variable of the arithmetic expression to perform an operation; a first generating unit for performing an operation when the operation result is consistent with the variable When an attack condition occurs, a blacklist of a corresponding type is generated based on the type of the blacklist to which the variable of the arithmetic expression belongs.     根據申請專利範圍第11項所述的裝置,其中,所述第一生成單元包括:第一確定子單元,用於確定符合所述攻擊條件的運算式中的變數;第二確定子單元,用於查找預設置的黑名單類型,確定所述變數所屬的黑名單類型;生成子單元,用於基於所述黑名單類型生成對應類型的黑名單,所述黑名單類型與所述匹配參數相對應。     The device according to item 11 of the scope of patent application, wherein the first generating unit includes: a first determining sub-unit for determining a variable in an operation formula that meets the attack condition; a second determining sub-unit, using For finding a preset blacklist type, determining the blacklist type to which the variable belongs; generating a subunit for generating a corresponding type of blacklist based on the blacklist type, the blacklist type corresponding to the matching parameter .     
根據申請專利範圍第12項所述的裝置,其中,所述黑 名單類型包括:網際網路協定位址、標頭、cookie、狀態碼、流量資訊以及參數。     The device according to item 12 of the scope of patent application, wherein the type of the blacklist includes: an Internet Protocol address, a header, a cookie, a status code, traffic information, and parameters.     根據申請專利範圍第12項所述的裝置,其中,所述裝置還包括:儲存單元,用於將不同類型的黑名單和阻斷方案對應的進行儲存。     The device according to item 12 of the scope of patent application, wherein the device further comprises: a storage unit, configured to store different types of blacklists and blocking schemes correspondingly.     根據申請專利範圍第14項所述的裝置,其中,所述裝置還包括:第二確定單元,用於基於匹配成功的黑名單確定對應的阻斷方案;阻斷單元,用於基於所述阻斷方案對所確定的攻擊請求進行阻斷。     The device according to item 14 of the scope of patent application, wherein the device further comprises: a second determining unit for determining a corresponding blocking scheme based on a successfully matched blacklist; and a blocking unit for determining the blocking scheme based on the blocking scheme. The blocking scheme blocks the determined attack request.     根據申請專利範圍第15項所述的裝置,其中,所述阻斷方案包括:跳轉頁面、返回拒絕頁面、斷開連接中的任一種。     The device according to item 15 of the scope of patent application, wherein the blocking scheme includes any one of a jump page, a return rejection page, and a disconnection.     根據申請專利範圍第10-16項之任一項所述的裝置,其中,所述裝置還包括:統計單元,用於統計所述運算式從上次執行時間起的第一時間長度;第二生成單元,用於在所述第一時間長度達到第一設 定時間長度時,基於所述運算式生成新的黑名單;覆蓋單元,用於將新的黑名單覆蓋當前的黑名單。     The device according to any one of claims 10-16, wherein the device further comprises: a statistics unit, configured to count a first time length of the operation formula from a last execution time; a second A generating unit is configured to generate a new blacklist based on the calculation formula when the first time length reaches a first set time length; a covering unit is configured to cover the new blacklist with the current blacklist.     
A server, characterized in that it comprises: a transceiver module for receiving an access request and extracting first request information from the access request; and a blocking module, connected to the execution module, for matching the first request information against information in preset blacklists of various types that support multiple matching parameters, and for determining that the access request is an attack request when the match against the information in any type of blacklist succeeds.

The server according to claim 18, wherein the transceiver module is further configured to parse access requests received within a set time period to obtain second request information, and/or to parse responses sent within the set time period to obtain response information; and the server further comprises: a statistics module, connected to the transceiver module, for receiving the request information and response information reported by the transceiver module, compiling from the request information and response information, according to a preset expression representing an attack condition, statistics of the information corresponding to the variables of the expression, and reporting the statistical results to the execution module; a configuration module, connected to the execution module, for providing an expression configuration interface and delivering the expression to the execution module; and the execution module, for parsing the received expression and generating blacklists of various types according to the expression and the statistical results of the statistics module.

The server according to claim 19, wherein the execution module is configured to: substitute the information compiled by the statistics module as input into the variables of the expression and evaluate it; and, when the evaluation result satisfies the attack condition, generate a blacklist of the corresponding type based on the blacklist type to which the variables of the expression belong.

The server according to claim 18, wherein the blocking module is further configured to block the attack request.

An attack request determination apparatus, characterized in that the apparatus is a server and comprises: a processor; and a memory for storing instructions executable by the processor; wherein the processor is configured to: receive an access request; extract first request information from the access request, and match the first request information separately against information in preset blacklists of various types that support multiple matching parameters; and determine that the access request is an attack request when the match against the information in any type of blacklist succeeds.

A computer storage medium storing program instructions, characterized in that the instructions comprise: receiving an access request; extracting first request information from the access request, and matching the first request information separately against information in preset blacklists of various types that support multiple matching parameters; and determining that the access request is an attack request when the match against the information in any type of blacklist succeeds.
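A minimal working model of the claimed pipeline, added here as an illustrative example and not code from the patent or its assignee: the statistics step counts rule variables per key over one time window, the execution step evaluates configured attack-condition expressions and emits a blacklist of the matching type, and the blocking step matches a new request against every blacklist type. The rule syntax, the variable names (req_count, err_count, distinct_paths), the blacklist types ip and ua, and the sample window are all assumptions.

```python
import ast
from collections import defaultdict
# Attack-condition expressions, keyed by the blacklist type they generate
# (assumed rule syntax and variable names; the claims leave both open).
RULES = {
    "ip": "req_count >= 5 and err_count >= 4",       # repeated failures from one source
    "ua": "req_count >= 3 and distinct_paths >= 3",  # one user agent probing many paths
}
WINDOW = (  # constructed sample: (request info, response info) pairs from one time window
    [({"ip": "10.0.0.1", "ua": "curl/7.1", "path": "/login"}, {"status": 401})] * 5
    + [({"ip": "10.0.0.2", "ua": "scanner/1", "path": p}, {"status": 404})
       for p in ("/admin", "/backup", "/.git")]
    + [({"ip": "10.0.0.3", "ua": "Mozilla/5.0", "path": "/"}, {"status": 200})]
)
ALLOWED = (ast.Expression, ast.BoolOp, ast.And, ast.Or, ast.Compare, ast.Name, ast.Load,
           ast.Constant, ast.Gt, ast.GtE, ast.Lt, ast.LtE, ast.Eq, ast.NotEq)
def parse_rule(expr):
    """Execution module, step 1: accept only boolean comparisons, never arbitrary code."""
    tree = ast.parse(expr, mode="eval")
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED):
            raise ValueError(f"disallowed syntax in rule: {type(node).__name__}")
    return compile(tree, "<rule>", "eval")
def collect_stats(window):
    """Statistics module: per blacklist type, count the rule variables for each key."""
    stats = {t: defaultdict(lambda: {"req_count": 0, "err_count": 0, "paths": set()})
             for t in RULES}
    for req, resp in window:
        for t in RULES:
            s = stats[t][req[t]]
            s["req_count"] += 1
            s["err_count"] += int(resp["status"] >= 400)
            s["paths"].add(req["path"])
    return stats
def build_blacklists(window):
    """Execution module, step 2: a key whose stats satisfy a rule joins that type's blacklist."""
    blacklists = {t: set() for t in RULES}
    for t, s_by_key in collect_stats(window).items():
        code = parse_rule(RULES[t])
        for key, s in s_by_key.items():
            variables = {"req_count": s["req_count"], "err_count": s["err_count"],
                         "distinct_paths": len(s["paths"])}
            if eval(code, {"__builtins__": {}}, variables):
                blacklists[t].add(key)
    return blacklists
def is_attack(request, blacklists):
    """Blocking module: a hit in any blacklist type marks the request as an attack."""
    return any(request.get(t) in keys for t, keys in blacklists.items())
```

With the sample window, the ip rule lists 10.0.0.1 and the ua rule lists scanner/1, so a later request from a fresh address but the listed user agent is still flagged, which is the point of supporting several matching parameters.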
TW106126944A 2016-12-28 2017-08-09 Attack request determination method, apparatus and server TW201824047A (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201611243727.8A CN108259425A (en) 2016-12-28 2016-12-28 The determining method, apparatus and server of query-attack
??201611243727.8 2016-12-28

Publications (1)

Publication Number Publication Date
TW201824047A true TW201824047A (en) 2018-07-01

Family

ID=62710299

Family Applications (1)

Application Number Title Priority Date Filing Date
TW106126944A TW201824047A (en) 2016-12-28 2017-08-09 Attack request determination method, apparatus and server

Country Status (3)

Country Link
CN (1) CN108259425A (en)
TW (1) TW201824047A (en)
WO (1) WO2018121331A1 (en)

Also Published As

Publication number Publication date
WO2018121331A1 (en) 2018-07-05
CN108259425A (en) 2018-07-06
