WO2020248687A1 - Method and apparatus for preventing malicious attack - Google Patents


Info

Publication number
WO2020248687A1
Authority
WO
WIPO (PCT)
Prior art keywords
identification rule
rule
prevention strategy
request message
identification
Application number
PCT/CN2020/084321
Other languages
French (fr)
Chinese (zh)
Inventor
郭旭阳
Original Assignee
深圳前海微众银行股份有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Definitions

  • The present invention relates to the technical field of financial technology (Fintech), and in particular to a method and device for preventing malicious attacks.
  • The present invention provides a method and device for preventing malicious attacks. They address the following problem: when each judgment rule corresponds to a single prevention strategy, a malicious user can work out that strategy after several attempts and then bypass it, which weakens the security of the system.
  • The present invention provides a method for preventing malicious attacks, including:
  • receiving a first request message sent by a user terminal; when the first request message matches an identification rule in the identification rule set, determining that the first request message is a suspicious message and determining a target prevention strategy from the prevention strategies corresponding to the matched identification rule, where the prevention strategies corresponding to an identification rule are updated according to the historical matching count of that identification rule; and processing the first request message with the target prevention strategy and sending the processing result to the user terminal.
  • Updating the prevention strategies corresponding to the identification rule according to its historical matching count includes: updating the current risk value of the identification rule according to the number of times the rule was matched in a historical time period; updating the risk level of the identification rule according to its updated risk value; and updating the prevention strategies corresponding to the identification rule according to its updated risk level and the level correspondence between identification rules and prevention strategies.
  • The identification rule corresponds to a plurality of prevention strategies, and each prevention strategy has a matching probability, which is the probability that this prevention strategy is selected as the target prevention strategy.
  • Determining the target prevention strategy from the prevention strategies corresponding to the matched identification rule includes: determining the target prevention strategy from the plurality of prevention strategies corresponding to the matched identification rule according to the matching probabilities.
  • Processing the first request message with the target prevention strategy and sending the processing result to the user terminal includes: determining, with the target prevention strategy, a response message corresponding to the first request message, and sending the response message to the user terminal, so that the user terminal sends a second request message that differs from the first request message.
  • When the same verification information appears in the request messages of M users, a new identification rule is generated from that verification information and added to the identification rule set; the request messages of the M users are normal request messages, and M is a preset integer.
  • The present invention provides a device for preventing malicious attacks, including:
  • a receiving module, configured to receive the first request message sent by the user terminal;
  • an identification module, configured to determine that the first request message is a suspicious message when it matches an identification rule in the identification rule set, and to determine the target prevention strategy from the prevention strategies corresponding to the matched identification rule, where the prevention strategies corresponding to an identification rule are updated according to the historical matching count of that identification rule;
  • a processing module, configured to process the first request message with the target prevention strategy and send the processing result to the user terminal.
  • The identification module is specifically configured to: update the current risk value of the identification rule according to the number of times the rule was matched in the historical time period, update the risk level of the identification rule according to its updated risk value, and update the prevention strategies corresponding to the identification rule according to its updated risk level and the level correspondence between identification rules and prevention strategies.
  • The identification rule corresponds to a plurality of prevention strategies, each with a matching probability, which is the probability that the prevention strategy is selected as the target prevention strategy;
  • the identification module is specifically configured to determine the target prevention strategy from the plurality of prevention strategies corresponding to the matched identification rule according to the matching probabilities.
  • The processing module is specifically configured to: determine, with the target prevention strategy, a response message corresponding to the first request message, and send the response message to the user terminal, so that the user terminal sends a second request message that differs from the first request message.
  • The identification module is further configured to: determine that the first request message is normal when it matches no identification rule in the identification rule set.
  • The device further includes an analysis module, configured to: when the same verification information appears in the request messages of M users, generate a new identification rule from that verification information and add it to the identification rule set, where the request messages of the M users are normal request messages and M is a preset integer.
  • The present invention provides a computer device including a memory, a processor, and a computer program stored in the memory and executable on the processor; when the processor executes the program, it carries out the steps of the method for preventing malicious attacks.
  • The present invention provides a computer-readable storage medium storing a computer program executable by a computer device; when the program runs on the computer device, the computer device carries out the steps of the method for preventing malicious attacks.
  • Because each identification rule corresponds to more than one prevention strategy, the target prevention strategy determined when a request message matches an identification rule is not always the same; and because the prevention strategies corresponding to an identification rule are updated according to the rule's historical matching count, the selected target prevention strategy also changes in a way the user cannot predict.
  • A malicious user therefore finds it difficult to bypass the prevention strategy even after multiple attempts, which improves the security of the system.
  • When malicious users notice that the prevention strategy is randomized, they may also reduce the number of malicious attempts, which can reduce the network load.
  • FIG. 1 is a schematic diagram of an application scenario provided by an embodiment of the present invention.
  • FIG. 2 is a schematic flowchart of a method for preventing malicious attacks according to an embodiment of the present invention.
  • FIG. 3 is a schematic flowchart of a method for updating a prevention strategy according to an embodiment of the present invention.
  • FIG. 4 is a schematic diagram of the correspondence between identification rules and prevention strategies provided by an embodiment of the present invention.
  • FIG. 5 is a schematic flowchart of a method for preventing malicious attacks according to an embodiment of the present invention.
  • FIG. 6 is a schematic structural diagram of a device for preventing malicious attacks according to an embodiment of the present invention.
  • FIG. 7 is a schematic structural diagram of a computer device provided by an embodiment of the present invention.
  • Conditional probability is the probability that event A occurs given that another event B has occurred; it is written P(A|B).
  • Uniform distribution: a random variable X takes n different values, and each of the n values has the same probability, 1/n.
  • The method for preventing malicious attacks in the embodiment of the present invention can be applied to the application scenario shown in FIG. 1, which includes the user terminal 101 and the application server 102.
  • The user terminal 101 is an electronic device with network communication capability, such as a smartphone, a tablet computer, or a portable personal computer.
  • The application server 102 may be a business server of a financial institution such as a bank.
  • The application server 102 stores the identification rule set and the prevention strategies corresponding to each identification rule in the set.
  • The identification rules in the set can be defined according to the actual business of the financial institution, and the prevention strategies corresponding to each identification rule are updated according to the historical matching count of that rule.
  • The application server 102 receives a request message sent by the user terminal 101 and compares it with the identification rules in the identification rule set. When the request message matches one of the identification rules, the server determines that the request message is suspicious and takes the matched identification rule as the target identification rule; it then determines the target prevention strategy from the prevention strategies corresponding to the target identification rule, processes the request message with the target prevention strategy, and sends the processing result to the user terminal 101. When the request message matches no identification rule in the set, the request message is determined to be normal.
  • The embodiment of the present invention provides a method for preventing malicious attacks, whose steps can be executed by a device for preventing malicious attacks, such as the application server 102 in FIG. 1. As shown in FIG. 2, the method includes the following steps:
  • Step 201: Receive a first request message sent by a user terminal.
  • The first request message may include the user's personal identity information, the Internet Protocol (IP) address of the user terminal, the device number, the number of historical requests, and so on.
  • The validity of the data in the first request message may be verified first. For example, if the format of the login password is preset to be a combination of letters and digits, and the login password in the first request message consists only of digits or only of letters, the login password can be determined to be invalid directly and a prompt message returned to the user terminal without further processing.
  • Because the data in a request message is checked for validity before the subsequent identification steps run, the validity and accuracy of the subsequent matching of the request message against the identification rules can be ensured.
  • Step 202: When the first request message matches an identification rule in the identification rule set, determine that the first request message is a suspicious message, and determine the target prevention strategy from the prevention strategies corresponding to the matched identification rule.
  • The identification rule set may include preset identification rules, and the identification rules in the set may also be updated according to actual needs.
  • An identification rule is used to determine whether a user's request message is suspicious. Examples of identification rules are: the login password is incorrect, the verification code is incorrect, the registration information is incorrect, and no login in the past 7 days.
  • When the first request message matches an identification rule, the first request message is a suspicious message: it may have been sent by a malicious attacker, it carries a certain risk, and further verification is required.
  • An identification rule corresponds to one or more prevention strategies. Examples of prevention strategies are: refuse login, re-enter the login password, re-enter the verification code, mobile phone number verification, and face verification.
  • The prevention strategies corresponding to an identification rule can be updated according to the rule's historical matching count, which is the number of times the identification rule matched request messages within a set historical period.
  • Step 203: Process the first request message with the target prevention strategy, and send the processing result to the user terminal.
  • The target prevention strategy may be used to determine the response message corresponding to the first request message, and the response message is then sent to the user terminal so that the user terminal sends a second request message that differs from the first request message.
  • For example, let the first request message be a login request message that includes the user's account and login password, and let one identification rule be "the login password is incorrect". When the login password in the first request message is incorrect, the first request message matches this rule, and the target prevention strategy corresponding to the rule is determined. If the target prevention strategy is "enter a mobile phone number for verification", the response message determined from it is "enter a mobile phone number". The response message is sent to the user terminal, and after receiving it the user terminal enters the mobile phone number to log in instead of entering the login password again.
  • Because each identification rule corresponds to more than one prevention strategy, the target prevention strategy determined when a request message matches an identification rule is not always the same; and because the prevention strategies corresponding to an identification rule are updated according to the rule's historical matching count, the selected target prevention strategy also changes in a way the user cannot predict. A malicious user therefore finds it difficult to bypass the prevention strategy even after multiple attempts, which improves the security of the system. In addition, when malicious users notice that the prevention strategy is randomized, they may reduce the number of malicious attempts, which can reduce the network load.
  • In step 202 there are many ways to update the prevention strategies corresponding to an identification rule according to its historical matching count; the embodiment of the present invention provides one possible implementation. As shown in FIG. 3, the method includes the following steps:
  • Step 301: Update the current risk value of the identification rule according to the number of times the rule was matched in the historical time period.
  • Each identification rule has an initial risk value, which may be set in advance according to the severity of the rule.
  • The historical time period may be a set period in the past. Counting the number of times the identification rule matched request messages in that period gives the rule's matching count for the historical time period.
  • The updated risk value is computed from the current risk value and the recent matching counts, with the following quantities: S_i1 is the updated risk value of identification rule i; S_i0 is the current risk value of identification rule i; m_i7 is the number of times identification rule i matched request messages in the last 7 days; m_i30 is the number of times identification rule i matched request messages in the last 30 days.
  • When the number of recent matches of an identification rule increases, the rule needs attention, so its risk value is increased; when the number of recent matches decreases, the rule may be safer, and its risk value can be reduced.
  • Step 302: Update the risk level of the identification rule according to its updated risk value.
  • Identification rules can be divided into different risk levels according to their risk values; for example, the higher the risk value, the more severe the risk level. Four bands of risk value are defined, corresponding to level 1, level 2, level 3 and level 4, with level 1 the highest risk.
  • When the risk value of an identification rule is updated, its risk level changes accordingly. For example, if the risk level of the rule before the update is level 1 and its updated risk value is 80 points, the rule's risk level after the update is determined to be level 2.
  • Step 303: Update the prevention strategies corresponding to the identification rule according to its updated risk level and the level correspondence between identification rules and prevention strategies.
  • Prevention strategies of similar strength can be grouped into one category of prevention strategy, and the same prevention strategy may appear in more than one category. In this way the prevention strategies are divided into different prevention levels.
  • The level correspondence between identification rules and prevention strategies may map one level of identification rule to one level of prevention strategy, or one level of identification rule to several levels of prevention strategy; the embodiment of the present invention does not limit this.
  • For example, the identification rules are classified, from the highest risk level to the lowest, into identification rule category 1, category 2, category 3 and category 4, and the prevention strategies are classified, from the highest prevention level to the lowest, into prevention strategy category 1, category 2, category 3 and category 4. As shown in FIG. 4, the correspondence is:
  • identification rule category 1 corresponds to prevention strategy category 1;
  • identification rule category 2 corresponds to prevention strategy categories 1 and 2;
  • identification rule category 3 corresponds to prevention strategy categories 2 and 3;
  • identification rule category 4 corresponds to prevention strategy categories 3 and 4.
  • If the target identification rule currently belongs to identification rule category 1, its corresponding prevention strategies are those of prevention strategy category 1; if it belongs to identification rule category 2, its corresponding prevention strategies are those of prevention strategy categories 1 and 2.
  • Updating the prevention strategies corresponding to an identification rule according to this level correspondence randomizes the set of prevention strategies the rule can draw on, so that a malicious user cannot brute-force the prevention strategy, which improves the security of the system.
  • For ease of description, identification rule categories 1, 2, 3 and 4 are called identification rule classes A, B, C and D, and prevention strategy categories 1, 2, 3 and 4 are called prevention strategy classes a, b, c and d.
  • When determining the target prevention strategy from the prevention strategies corresponding to the matched identification rule, the target prevention strategy may be determined from the plurality of prevention strategies corresponding to the rule according to the matching probabilities.
  • Each identification rule corresponds to a plurality of prevention strategies, and each prevention strategy has a matching probability, which is the probability that it is selected as the target prevention strategy. The matching probabilities can be set according to the actual situation.
  • For example, let prevention strategy class a include n prevention strategies and prevention strategy class b include m prevention strategies. For identification rule class B, the matching probability between identification rule class B and prevention strategy class a is P(a|B), and the matching probability between identification rule class B and prevention strategy class b is P(b|B), with P(a|B) + P(b|B) = 1. Since identification rule class B corresponds more closely to prevention strategy class b, P(b|B) can be set greater than P(a|B).
  • For an identification rule k of class B, the matching probability between rule k and each prevention strategy in prevention strategy class a is P(a|B)/n, that is, when rule k is matched, each prevention strategy in class a is selected as the target strategy with probability P(a|B)/n; the matching probability between rule k and each prevention strategy in prevention strategy class b is P(b|B)/m, that is, each prevention strategy in class b is selected as the target strategy with probability P(b|B)/m.
  • Setting the matching probabilities of the prevention strategies makes the selected prevention strategy better matched to the identification rule. Further, when one class of identification rule corresponds to one or more classes of prevention strategy, it ensures to a greater extent that users cannot brute-force the prevention strategy, which improves the security of the system.
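  • The following is an added example, not code from the patent or from 深圳前海微众银行股份有限公司, that puts steps 301 to 303 and the matching probabilities above into runnable Python. Everything the patent leaves unspecified is an assumption here: the risk-value thresholds of the four levels, the formula inside `update_risk`, the membership of the four strategy classes, the 0.7/0.3 split between a rule's same-level and stronger strategy class, the response wording and the shape of the request dict. `strategy_distribution` returns P(strategy | rule) exactly as the text's P(a|B)/n and P(b|B)/m describe it, and `select_strategy` draws from that distribution with a CSPRNG.

```python
import secrets
from dataclasses import dataclass

# Risk-value bands -> level, level 1 (highest risk) first. Thresholds are an
# assumption; the patent fixes only the ordering and "80 points -> level 2".
LEVEL_BANDS = ((90.0, 1), (70.0, 2), (40.0, 3), (0.0, 4))

# Rule class -> strategy classes, the patent's FIG. 4 example:
# A -> a; B -> a, b; C -> b, c; D -> c, d.
LEVEL_TO_CLASSES = {1: ("a",), 2: ("a", "b"), 3: ("b", "c"), 4: ("c", "d")}

# Strategies per class, strongest first. Membership is assumed, built from the
# strategies the patent lists; a strategy may sit in two neighbouring classes.
CLASSES = {
    "a": ("refuse_login", "face_verification"),
    "b": ("face_verification", "phone_number_verification"),
    "c": ("phone_number_verification", "reenter_captcha"),
    "d": ("reenter_captcha", "reenter_password"),
}

# P(same-level class | rule) for a two-class rule, i.e. P(b|B) = 0.7, P(a|B) = 0.3.
# The split is assumed; the patent needs only P(b|B) > P(a|B), summing to 1.
SAME_LEVEL_WEIGHT = 0.7


@dataclass
class Rule:
    name: str
    risk: float  # current risk value S_i0 on an assumed 0..100 scale


def update_risk(rule: Rule, m7: int, m30: int, gain: float = 2.0) -> float:
    """Step 301: S_i1 from S_i0, m_i7, m_i30. The formula is an assumption (the
    patent text gives none): compare the last-7-day count with the 7-day share
    of the 30-day count; a rising rate raises the value, a falling one lowers it."""
    delta = m7 - m30 * 7.0 / 30.0
    rule.risk = max(0.0, min(100.0, rule.risk + gain * delta))
    return rule.risk


def risk_level(risk: float) -> int:
    """Step 302: map a risk value to level 1 (highest risk) .. 4 (lowest)."""
    for floor, level in LEVEL_BANDS:
        if risk >= floor:
            return level
    return 4


def strategy_distribution(rule: Rule) -> dict:
    """Step 303 plus matching probabilities: P(strategy | rule). P(class | rule)
    is spread uniformly over the class's n strategies (P(class | rule) / n);
    a strategy listed in both classes receives both shares."""
    classes = LEVEL_TO_CLASSES[risk_level(rule.risk)]
    if len(classes) == 1:
        weights = {classes[0]: 1.0}
    else:
        stronger, same = classes
        weights = {stronger: 1.0 - SAME_LEVEL_WEIGHT, same: SAME_LEVEL_WEIGHT}
    dist = {}
    for cls, p_cls in weights.items():
        for strategy in CLASSES[cls]:
            dist[strategy] = dist.get(strategy, 0.0) + p_cls / len(CLASSES[cls])
    return dist


def select_strategy(rule: Rule, rng=None) -> str:
    """Steps 202/504: draw the target strategy. A CSPRNG is used so an attacker
    observing many responses cannot recover the generator state."""
    rng = rng or secrets.SystemRandom()
    draw, acc = rng.random(), 0.0
    for strategy, p in strategy_distribution(rule).items():
        acc += p
        if draw < acc:
            return strategy
    return strategy  # rounding left draw just above the last boundary


RESPONSES = {  # step 505 response message per strategy; wording assumed
    "refuse_login": "login refused",
    "face_verification": "complete face verification",
    "phone_number_verification": "enter a mobile phone number",
    "reenter_captcha": "enter a new verification code",
    "reenter_password": "re-enter the login password",
}


def handle_request(request: dict, rule_table: list, rng=None) -> dict:
    """Steps 501-508 for one request; rule_table holds (Rule, predicate) pairs
    and the first matching rule marks the request suspicious."""
    for rule, predicate in rule_table:
        if predicate(request):
            strategy = select_strategy(rule, rng)
            return {"suspicious": True, "rule": rule.name,
                    "strategy": strategy, "response": RESPONSES[strategy]}
    return {"suspicious": False, "response": "ok"}


# Constructed rule table: two of the patent's example rules, initial risk assumed.
RULE_TABLE = [
    (Rule("password_incorrect", 80.0), lambda r: not r["password_ok"]),
    (Rule("captcha_incorrect", 50.0), lambda r: not r["captcha_ok"]),
]
```

  • Two points worth keeping when adapting this. `update_risk` is meant to be fed with the per-rule counts (m_i7, m_i30) that the offline audit module collects on its own schedule, as step 503 describes, not recomputed inside the request path. The draw in `select_strategy` must come from an unpredictable source: a seeded `random.Random` would let an attacker who sees enough responses infer the generator state and predict the next target strategy, which is exactly what the randomization is supposed to prevent. Note also that a strategy present in two neighbouring classes receives the sum of both shares, so with the constructed table a class B rule selects face verification half the time.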
  • Even when a request message is a normal request message, some potential risks still need to be considered. These risks generally cannot be seen in the request behaviour of a single user and must be determined from the aggregate behaviour of multiple users. For example, in an account-opening scenario, when the back side of an ID card is submitted by one user, it cannot be determined that this ID card is risky; but when the same ID card back side appears in account-opening requests from multiple different users and all of them are approved, the issuing authority printed on the back of the ID card and the authenticity of its validity period need to be examined.
  • The embodiment of the present invention can therefore also analyse normal request messages. When the same verification information appears in the request messages of M users, a new identification rule is generated from that verification information and added to the identification rule set; the request messages of the M users are normal request messages, and M is a preset integer.
  • For example, when M users are opening accounts and the ID card back side in their account-opening request messages is the same, a new identification rule can be generated: "the same ID card back side is received again during account opening". The new identification rule is added to the identification rule set, and a corresponding prevention strategy can also be set for it.
  • Discovering potential risks from the aggregate behaviour of multiple users and generating new identification rules to supplement the identification rule set improves the accuracy of malicious-attack prevention.
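  • The following is an added example, not the patent's own code, of the offline audit that the aggregate-behaviour analysis above describes: approved account-opening requests are grouped by a digest of the submitted ID card back side, and when the same artifact appears for at least M distinct users a new identification rule is generated and appended to the rule set. The sample requests, the value M = 3, the SHA-256 keying, the rule's initial risk value and its prevention strategies are all assumptions.

```python
import hashlib
from collections import defaultdict

# Preset integer M from the patent; the value 3 is an assumption.
M = 3


def artifact_digest(data: bytes) -> str:
    """Key for 'the same verification information': SHA-256 of the submitted
    ID card back-side image bytes (catches byte-identical re-use only)."""
    return hashlib.sha256(data).hexdigest()


def find_shared_verification_info(requests, m=M):
    """Offline audit over account-opening requests. Returns {digest: sorted
    user ids} for every artifact present in the approved requests of at least
    m distinct users. Rejected requests are ignored because the patent's
    trigger is 'all judged to be approved'; one user re-submitting the same
    image counts once."""
    users_by_digest = defaultdict(set)
    for req in requests:
        if req["status"] != "approved":
            continue
        users_by_digest[artifact_digest(req["id_card_back"])].add(req["user"])
    return {d: sorted(u) for d, u in users_by_digest.items() if len(u) >= m}


def generate_rules(shared, initial_risk=60.0):
    """Turn each shared artifact into a new identification rule ('the same ID
    card back side is received again during account opening'), with an assumed
    initial risk value and assumed prevention strategies."""
    return [
        {
            "name": "reused_id_card_back:" + digest[:16],
            "match": {"id_card_back_sha256": digest},
            "seen_users": users,
            "risk": initial_risk,
            "strategies": ["manual_review", "reject_account_opening"],
        }
        for digest, users in sorted(shared.items())
    ]


def rule_matches(rule, request) -> bool:
    """Online check of a new account-opening request against one generated rule."""
    return artifact_digest(request["id_card_back"]) == rule["match"]["id_card_back_sha256"]


def audit_and_extend(rule_set, requests, m=M):
    """Run the audit and append only rules not already in the rule set.
    Returns the rules added by this run (empty on a repeated run)."""
    known = {r["name"] for r in rule_set}
    added = [r for r in generate_rules(find_shared_verification_info(requests, m))
             if r["name"] not in known]
    rule_set.extend(added)
    return added


# Constructed sample: three approved openings reuse image A (u1 submits twice),
# a rejected request also carries A, and one approved opening uses image B.
IMAGE_A = b"\x89PNG-id-card-back-A"
IMAGE_B = b"\x89PNG-id-card-back-B"
SAMPLE_REQUESTS = [
    {"user": "u1", "status": "approved", "id_card_back": IMAGE_A},
    {"user": "u1", "status": "approved", "id_card_back": IMAGE_A},
    {"user": "u2", "status": "approved", "id_card_back": IMAGE_A},
    {"user": "u3", "status": "approved", "id_card_back": IMAGE_A},
    {"user": "u4", "status": "rejected", "id_card_back": IMAGE_A},
    {"user": "u5", "status": "approved", "id_card_back": IMAGE_B},
]

if __name__ == "__main__":
    rules = []
    for rule in audit_and_extend(rules, SAMPLE_REQUESTS):
        print(rule["name"], rule["seen_users"])
```

  • An exact digest only catches byte-identical re-use: a re-encoded, re-cropped or re-photographed copy of the same card evades it. A production audit would key on the fields the patent names, the issuing authority and the validity period read from the back side, or on a perceptual image hash, and would keep the same keying for the online `rule_matches` check so that the rule generated offline actually fires on the next submission.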
  • The method may be executed by a device for preventing malicious attacks, such as the application server 102 in FIG. 1. As shown in FIG. 5, the method includes the following steps:
  • Step 501: Receive a first request message sent by a user terminal.
  • Step 502: Judge whether the first request message matches an identification rule in the identification rule set; if so, execute step 503, otherwise execute step 508.
  • Step 503: Determine that the first request message is a suspicious message.
  • The offline audit module of the device for preventing malicious attacks counts the number of times each identification rule matches request messages, and the statistics are used to update the prevention strategies corresponding to the identification rules.
  • Step 504: Determine the target prevention strategy from the prevention strategies corresponding to the matched identification rule.
  • Each identification rule may correspond to multiple prevention strategies, with a matching probability between the identification rule and each prevention strategy; the target prevention strategy is determined from the multiple prevention strategies according to the matching probabilities. The multiple prevention strategies corresponding to each identification rule can be updated periodically according to the rule's historical matching count.
  • Step 505: Determine the response message corresponding to the first request message using the target prevention strategy.
  • Step 506: Send the response message to the user terminal.
  • Step 507: Receive a second request message sent by the user terminal. The first request message and the second request message may be different.
  • Step 508: Determine that the first request message is normal.
  • The offline audit module of the device for preventing malicious attacks also analyses normal request messages: when the same verification information appears in the request messages of M users, a new identification rule is generated from the verification information and added to the identification rule set.
  • Because each identification rule corresponds to more than one prevention strategy, the target prevention strategy determined when a request message matches an identification rule is not always the same; and because the prevention strategies corresponding to an identification rule are updated according to the rule's historical matching count, the selected target prevention strategy also changes in a way the user cannot predict.
  • A malicious user therefore finds it difficult to bypass the prevention strategy even after multiple attempts, which improves the security of the system.
  • When malicious users notice that the prevention strategy is randomized, they may also reduce the number of malicious attempts, thereby reducing the network load.
  • An embodiment of the present invention also provides a device for preventing malicious attacks. As shown in FIG. 6, the device 600 includes:
  • a receiving module 601, configured to receive the first request message sent by the user terminal;
  • an identification module 602, configured to determine that the first request message is a suspicious message when it matches an identification rule in the identification rule set, and to determine the target prevention strategy from the prevention strategies corresponding to the matched identification rule, where the prevention strategies corresponding to an identification rule are updated according to the rule's historical matching count;
  • a processing module 603, configured to process the first request message with the target prevention strategy and send the processing result to the user terminal.
  • The identification module 602 is specifically configured to: update the current risk value of the identification rule according to the number of times the rule was matched in the historical time period, update the risk level of the rule according to its updated risk value, and update the prevention strategies corresponding to the rule according to its updated risk level and the level correspondence between identification rules and prevention strategies.
  • The identification rule corresponds to a plurality of prevention strategies, each with a matching probability, which is the probability that the prevention strategy is selected as the target prevention strategy; the identification module 602 is specifically configured to determine the target prevention strategy from the plurality of prevention strategies corresponding to the matched identification rule according to the matching probabilities.
  • The processing module 603 is specifically configured to: determine, with the target prevention strategy, the response message corresponding to the first request message, and send the response message to the user terminal, so that the user terminal sends a second request message that differs from the first request message.
  • The identification module 602 is further configured to: determine that the first request message is normal when it matches no identification rule in the identification rule set.
  • The device further includes an analysis module 604, configured to: when the same verification information appears in the request messages of M users, generate a new identification rule from the verification information and add it to the identification rule set, where the request messages of the M users are normal request messages and M is a preset integer.
  • an embodiment of the present invention also provides a computer device, as shown in FIG. 7, including at least one processor 701 and a memory 702 connected to the at least one processor.
  • the embodiment of the present invention does not limit the processing.
  • the connection between the processor 701 and the memory 702 in FIG. 7 is taken as an example.
  • the bus can be divided into address bus, data bus, control bus, etc.
  • the memory 702 stores instructions that can be executed by at least one processor 701. By executing the instructions stored in the memory 702, the at least one processor 701 can execute the steps included in the aforementioned method for preventing malicious attacks.
  • the processor 701 is the control center of the computer device; it connects the various parts of the computer device through various interfaces and lines, and prevents malicious attacks by running or executing the instructions stored in the memory 702 and calling the data stored in the memory 702.
  • the processor 701 may include one or more processing units, and the processor 701 may integrate an application processor and a modem processor.
  • the application processor mainly processes the operating system, user interface, and application programs.
  • the modem processor mainly handles wireless communication. It can be understood that the foregoing modem processor may also not be integrated into the processor 701.
  • the processor 701 and the memory 702 may be implemented on the same chip, and in some embodiments, they may also be implemented on separate chips.
  • the processor 701 may be a general-purpose processor, such as a central processing unit (CPU), a digital signal processor, an application specific integrated circuit (ASIC), a field programmable gate array or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and can implement or execute the methods, steps and logic block diagrams disclosed in the embodiments of the present invention.
  • the general-purpose processor may be a microprocessor or any conventional processor. The steps of the method disclosed in the embodiments of the present invention may be directly embodied as being executed and completed by a hardware processor, or executed and completed by a combination of hardware and software modules in the processor.
  • the memory 702, as a non-volatile computer-readable storage medium, can be used to store non-volatile software programs, non-volatile computer-executable programs, and modules.
  • the memory 702 may include at least one type of storage medium, such as flash memory, hard disk, multimedia card, card-type memory, random access memory (RAM), static random access memory (SRAM), programmable read-only memory (PROM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), magnetic memory, magnetic disk, optical disc, etc.
  • the memory 702 is any other medium that can be used to carry or store desired program codes in the form of instructions or data structures and that can be accessed by a computer, but is not limited thereto.
  • the memory 702 in the embodiment of the present invention may also be a circuit or any other device capable of realizing a storage function for storing program instructions and/or data.
  • the embodiments of the present invention provide a computer-readable storage medium that stores a computer program executable by a computer device.
  • when the program runs on the computer device, the computer device is caused to execute the steps of the method for preventing malicious attacks.
  • the embodiments of the present invention may be provided as methods or computer program products. Therefore, the present invention may adopt the form of a complete hardware embodiment, a complete software embodiment, or an embodiment combining software and hardware. Moreover, the present invention may adopt the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program codes.
  • computer-usable storage media include, but are not limited to, disk storage, CD-ROM, optical storage, etc.
  • These computer program instructions can also be stored in a computer-readable memory that can guide a computer or other programmable data processing equipment to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including the instruction device.
  • the device implements the functions specified in one process or multiple processes in the flowchart and/or one block or multiple blocks in the block diagram.
  • These computer program instructions can also be loaded on a computer or other programmable data processing equipment, so that a series of operation steps are executed on the computer or other programmable equipment to produce computer-implemented processing, so as to execute on the computer or other programmable equipment.
  • the instructions provide steps for implementing functions specified in a flow or multiple flows in the flowchart and/or a block or multiple blocks in the block diagram.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

A method and apparatus for preventing a malicious attack, wherein same relate to the technical field of fintech, and are used to solve the problem in the prior art of low security caused by a determination rule corresponding to a single prevention strategy. The method comprises: receiving a first request message sent by a user end; when the first request message matches an identification rule in an identification rule set, determining a target prevention strategy from among prevention strategies corresponding to the matched identification rule; and processing the first request message by means of the target prevention strategy, and updating, according to the number of times that the identification rule is historically matched, the prevention strategies corresponding to the identification rule. Since prevention strategies corresponding to an identification rule are not single, and can be updated according to the number of times that same is historically matched, when initiating an attack, it is difficult for a malicious user to bypass the prevention strategies even with multiple attempts, such that the security of a system can be improved.

Description

Method and device for preventing malicious attacks
Cross-reference to related applications
This application claims priority to the Chinese patent application filed with the Chinese Patent Office on June 12, 2019, with application number 201910506914.8 and titled "A method and device for preventing malicious attacks", the entire content of which is incorporated herein by reference.
Technical field
The present invention relates to the technical field of financial technology (Fintech), and in particular to a method and device for preventing malicious attacks.
Background
With the development of computer technology, more and more technologies are being applied in the financial field, and the traditional financial industry is gradually transforming into financial technology (Fintech). However, the security and real-time requirements of the financial industry also place higher demands on the technology. At present, malicious attacks on financial systems are mainly countered in a point-to-point manner: judgment rules and their corresponding prevention strategies are set in advance, and when a user's behaviour data hits a judgment rule, the corresponding prevention strategy is applied. However, because each judgment rule in this method corresponds to a single prevention strategy, a malicious user can easily work out the prevention strategy after multiple attempts and then bypass it, which affects the security of the system.
Summary of the invention
The present invention provides a method and device for preventing malicious attacks, to solve the problem that, because a judgment rule currently corresponds to a single prevention strategy, a malicious user can easily work out the prevention strategy after multiple attempts and then bypass it, which affects the security of the system.
In a first aspect, the present invention provides a method for preventing malicious attacks, including:
receiving a first request message sent by a user end; when the first request message matches an identification rule in an identification rule set, determining that the first request message is a suspicious message, and determining a target prevention strategy from the prevention strategies corresponding to the matched identification rule, where the prevention strategies corresponding to the identification rule are updated according to the historical number of matches of the identification rule; and processing the first request message using the target prevention strategy, and sending the processing result to the user end.
In a possible implementation, updating the prevention strategies corresponding to the identification rule according to the historical number of matches of the identification rule includes: updating the current risk value of the identification rule according to the number of matches of the identification rule in a historical time period, updating the risk level of the identification rule according to the updated risk value, and updating the prevention strategies corresponding to the identification rule according to the updated risk level and the level correspondence between identification rules and prevention strategies.
In a possible implementation, the identification rule corresponds to multiple prevention strategies, each prevention strategy corresponds to a matching probability, and the matching probability is the probability that the prevention strategy is selected as the target prevention strategy; in a specific implementation, determining the target prevention strategy from the prevention strategies corresponding to the matched identification rule includes: determining the target prevention strategy from the multiple prevention strategies corresponding to the matched identification rule according to the matching probabilities.
In a possible implementation, processing the first request message using the target prevention strategy and sending the processing result to the user end includes: determining, using the target prevention strategy, a response message corresponding to the first request message, and sending the response message to the user end, so that the user end sends a second request message different from the first request message.
In a possible implementation, when the first request message does not match any identification rule in the identification rule set, the first request message is determined to be normal.
In a possible implementation, when the same verification information exists in the request messages corresponding to M users, a new identification rule is generated from the verification information and added to the identification rule set, where the request messages corresponding to the M users are normal request messages and M is a preset integer.
In a second aspect, the present invention provides a device for preventing malicious attacks, including:
a receiving module, configured to receive a first request message sent by a user end;
an identification module, configured to, when the first request message matches an identification rule in an identification rule set, determine that the first request message is a suspicious message and determine a target prevention strategy from the prevention strategies corresponding to the matched identification rule, where the prevention strategies corresponding to the identification rule are updated according to the historical number of matches of the identification rule;
a processing module, configured to process the first request message using the target prevention strategy and send the processing result to the user end.
In a possible implementation, the identification module is specifically configured to: update the current risk value of the identification rule according to the number of matches of the identification rule in a historical time period, update the risk level of the identification rule according to the updated risk value, and update the prevention strategies corresponding to the identification rule according to the updated risk level and the level correspondence between identification rules and prevention strategies.
In a possible implementation, the identification rule corresponds to multiple prevention strategies, each prevention strategy corresponds to a matching probability, and the matching probability is the probability that the prevention strategy is selected as the target prevention strategy; in a specific implementation, the identification module is specifically configured to: determine the target prevention strategy from the multiple prevention strategies corresponding to the matched identification rule according to the matching probabilities.
In a possible implementation, the processing module is specifically configured to: determine, using the target prevention strategy, a response message corresponding to the first request message, and send the response message to the user end, so that the user end sends a second request message different from the first request message.
In a possible implementation, the identification module is further configured to: when the first request message does not match any identification rule in the identification rule set, determine that the first request message is normal.
In a possible implementation, the device further includes an analysis module; the analysis module is specifically configured to: when the same verification information exists in the request messages corresponding to M users, generate a new identification rule from the verification information and add it to the identification rule set, where the request messages corresponding to the M users are normal request messages and M is a preset integer.
In a third aspect, the present invention provides a computer device, including a memory, a processor, and a computer program stored in the memory and runnable on the processor, where the processor implements the steps of the method for preventing malicious attacks when executing the program.
In a fourth aspect, the present invention provides a computer-readable storage medium storing a computer program executable by a computer device, which, when run on the computer device, causes the computer device to execute the steps of the method for preventing malicious attacks.
In the present invention, because the prevention strategies corresponding to each identification rule are not a single strategy, when a request message matches an identification rule in the identification rule set, the target prevention strategy determined from the prevention strategies corresponding to that rule differs from one match to the next; secondly, the prevention strategies corresponding to an identification rule are updated according to the historical number of matches of the rule, so the selected target strategy also changes randomly. When a malicious user attacks, it is therefore difficult to bypass the prevention strategy even after multiple attempts, which improves the security of the system. In addition, a malicious user who finds that the prevention strategy is random may also reduce the number of malicious attempts, which may reduce the network load.
Description of the drawings
In order to describe the technical solutions in the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
FIG. 1 is a schematic diagram of an application scenario provided by an embodiment of the present invention;
FIG. 2 is a schematic flowchart of a method for preventing malicious attacks according to an embodiment of the present invention;
FIG. 3 is a schematic flowchart of a method for updating prevention strategies according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of a correspondence between identification rules and prevention strategies provided by an embodiment of the present invention;
FIG. 5 is a schematic flowchart of a method for preventing malicious attacks according to an embodiment of the present invention;
FIG. 6 is a schematic structural diagram of a device for preventing malicious attacks according to an embodiment of the present invention;
FIG. 7 is a schematic structural diagram of a computer device provided by an embodiment of the present invention.
Detailed description of the embodiments
In order to make the objectives, technical solutions and beneficial effects of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here are only used to explain the present invention and are not intended to limit it.
To facilitate understanding, the terms involved in the embodiments of the present invention are explained below.
Conditional probability: the probability that event A occurs given that another event B has already occurred. It is written P(A|B), read as "the probability of A given B".
Uniform distribution: a random variable X has n different values, and each of the n values has the same probability.
The method for preventing malicious attacks in the embodiment of the present invention can be applied to the application scenario shown in FIG. 1, which includes a user end 101 and an application server 102. The user end 101 is an electronic device with network communication capability, for example a smartphone, a tablet computer or a portable personal computer. The application server 102 may be the business server of a financial institution such as a bank. The application server 102 stores an identification rule set and the prevention strategies corresponding to each identification rule in the set; the identification rules in the set can be configured according to the actual business of the financial institution, and the prevention strategies corresponding to each identification rule are updated according to the historical number of matches of that rule. The application server 102 receives a request message sent by the user end 101 and compares it with the identification rules in the identification rule set. When the request message matches one of the identification rules, the request message is determined to be a suspicious message and the matched identification rule is taken as the target identification rule. The target prevention strategy is then determined from the prevention strategies corresponding to the target identification rule, the request message is processed using the target prevention strategy, and the processing result is sent to the user end 101. When the request message matches none of the identification rules in the set, the request message is determined to be a normal message.
Based on the application scenario shown in FIG. 1, an embodiment of the present invention provides a method for preventing malicious attacks. The process of the method can be executed by a device for preventing malicious attacks, such as the application server 102 in FIG. 1. As shown in FIG. 2, the method includes the following steps:
Step 201: Receive a first request message sent by a user end.
Specifically, the first request message may include the user's personal identity information, the Internet Protocol (IP) address of the user end, the device number, the number of historical requests, and so on.
For example, after the first request message from the user end is received, the validity of the data in the first request message may first be verified. For instance, when the user's first request message is used for login and the login password format is preset to be a combination of letters and digits, then when the login password in the first request message consists entirely of digits or entirely of letters, it can be judged directly that the login password is invalid, and a prompt message can be returned to the user end directly. In this way, because the data in a request message is first confirmed to be valid when the message is received, and only then are the subsequent identification steps performed, the validity and accuracy of the request messages that are subsequently matched against the identification rules can be guaranteed.
Step 202: When the first request message matches an identification rule in the identification rule set, determine that the first request message is a suspicious message, and determine a target prevention strategy from the prevention strategies corresponding to the matched identification rule.
In the embodiment of the present application, the identification rule set may include preset identification rules, and the identification rules in the set may also be updated according to actual needs. An identification rule is used to judge whether a user's request message is suspicious; for example, an identification rule may be "login password incorrect", "verification code incorrect", "registration information incorrect" or "no login in the past 7 days". When the first request message matches an identification rule, the first request message is a suspicious message, that is, it may have been sent by a malicious attacker, carries a certain risk, and requires further verification.
In addition, an identification rule corresponds to one or more prevention strategies; for example, a prevention strategy may be to refuse login, require the login password to be entered again, require the verification code to be entered again, verify a mobile phone number, or verify the user's face. The prevention strategies corresponding to an identification rule can be updated according to the historical number of matches of the rule, that is, the number of times the rule matched request messages within a set historical period.
In an optional implementation, when the first request message does not match any identification rule in the identification rule set, the first request message is determined to be normal.
Step 203: Process the first request message using the target prevention strategy, and send the processing result to the user end.
In an optional implementation, the target prevention strategy may first be used to determine a response message corresponding to the first request message, and the response message is then sent to the user end, so that the user end can send a second request message different from the first request message.
For example, suppose the first request message is a login request message containing the user's account and login password, and one identification rule is "login password incorrect". In a specific implementation, when the user's login password is wrong, it can be determined that the first request message matches this identification rule, and the target prevention strategy corresponding to the rule is then determined. If the target prevention strategy corresponding to the rule is "enter a mobile phone number for verification", the response message determined from the target prevention strategy is "enter mobile phone number". The response message can then be sent to the user end, and after receiving it the user end can enter the mobile phone number to log in instead of entering the login password again.
Because the prevention strategies corresponding to each identification rule are not a single strategy, when a request message matches an identification rule in the identification rule set, the target prevention strategy determined from the prevention strategies corresponding to that rule also differs from one match to the next; secondly, the prevention strategies corresponding to an identification rule are updated according to the historical number of matches of the rule, so the selected target strategy also changes randomly. In this case, when a malicious user attacks, it is difficult to bypass the prevention strategy even after multiple attempts, which improves the security of the system. In addition, a malicious user who finds that the prevention strategy is random may also reduce the number of malicious attempts, which may reduce the network load.
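As an added example, not code from the patent, the following Python sketch walks through steps 201 to 203: the format pre-check, matching against a rule set, and a weighted draw of the target prevention strategy by its matching probability. The rule names, strategy names, probabilities and response texts are all constructed for illustration.

```python
import random
from typing import Optional

# Constructed example data (not from the patent): each identification rule maps to
# several prevention strategies, each with the probability of being selected.
RULE_STRATEGIES = {
    "login_password_incorrect": [
        ("enter_mobile_number", 0.5),
        ("reenter_verification_code", 0.3),
        ("refuse_login", 0.2),
    ],
    "verification_code_incorrect": [
        ("reenter_verification_code", 0.6),
        ("face_verification", 0.4),
    ],
}

# Response message sent to the user end for each strategy (constructed texts).
RESPONSES = {
    "enter_mobile_number": "enter mobile phone number",
    "reenter_verification_code": "enter verification code again",
    "refuse_login": "login refused",
    "face_verification": "complete face verification",
}


def password_format_valid(password: str) -> bool:
    """Validity pre-check from step 201: the preset format is a mix of letters and digits."""
    return any(c.isalpha() for c in password) and any(c.isdigit() for c in password)


def match_rules(request: dict, stored_password: str, stored_code: str) -> list:
    """Step 202: return every identification rule the request matches (constructed rules)."""
    matched = []
    if request.get("password") != stored_password:
        matched.append("login_password_incorrect")
    code = request.get("verification_code")
    if code is not None and code != stored_code:
        matched.append("verification_code_incorrect")
    return matched


def select_strategy(rule: str, rng: random.Random) -> str:
    """Pick the target prevention strategy by its matching probability (weighted draw)."""
    names, weights = zip(*RULE_STRATEGIES[rule])
    assert abs(sum(weights) - 1.0) < 1e-9, "matching probabilities must sum to 1"
    return rng.choices(names, weights=weights, k=1)[0]


def strategy_frequencies(rule: str, draws: int, seed: int = 0) -> dict:
    """Empirical selection frequencies, to check the draw follows the matching probabilities."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(draws):
        chosen = select_strategy(rule, rng)
        counts[chosen] = counts.get(chosen, 0) + 1
    return {name: n / draws for name, n in counts.items()}


def handle_request(request: dict, stored_password: str, stored_code: str,
                   rng: Optional[random.Random] = None) -> tuple:
    """Steps 201 to 203 end to end: returns (classification, response message)."""
    rng = rng if rng is not None else random.Random()
    if not password_format_valid(request.get("password", "")):
        return "invalid", "login password format invalid"
    matched = match_rules(request, stored_password, stored_code)
    if not matched:
        return "normal", "login ok"
    # A suspicious message gets a response that asks the user end for a different
    # second request (for example a mobile number instead of the password).
    target = select_strategy(matched[0], rng)
    return "suspicious", RESPONSES[target]
```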
In step 202 above, there are many ways to update the prevention strategies corresponding to an identification rule according to its historical number of matches; an embodiment of the present invention provides one possible implementation. As shown in FIG. 3, the method includes the following steps:
Step 301: Update the current risk value of the identification rule according to the number of matches of the identification rule in a historical time period.
Specifically, an identification rule has an initial risk value, which may be set in advance according to the severity of the rule. Correspondingly, the historical time period may be a set period in the past, and the number of matches of the identification rule in the historical time period is obtained by counting how many times the rule matched request messages during that period.
For example, count the number of times identification rule i matched request messages in the past 7 days and in the past 30 days, and then use formula (1) below to determine the updated risk value of identification rule i:
[Formula (1): carried on the page only as the image PCTCN2020084321-appb-000001; its terms are not reproduced in the text.]
其中,S i1为识别规则i更新后的风险值,S i0为识别规则i当前的风险值,m i7为在过去7天内识别规则i与请求消息匹配的次数,m i30为在过去30天内识别规则i与请求消息匹配的次数。当识别规则近期被匹配的次数增多时,需 要引起关注,所以识别规则的风险值提高,当识别规则近期匹配的次数减少时,说明可能较为安全,可以降低识别规则的风险值。 Wherein, S i1 to identify rules i risk value updated, S i0 for the identification rules i current risk values, m i7 is the number of times the last 7 days, the identification rules i and the request message matches, m i30 is identified in the last 30 days The number of times that rule i matches the request message. When the number of recent matches of an identification rule increases, it needs attention. Therefore, the risk value of the identification rule increases. When the number of recent matches of the identification rule decreases, it may be safer and the risk value of the identification rule can be reduced.
Step 302: update the risk level of the identification rule according to its updated risk value.
Specifically, identification rules can be divided into different risk levels according to their risk values. For example, set the risk level to rise with the risk value: a risk value between 90 and 100 points corresponds to level 1, between 70 and 90 points to level 2, between 50 and 70 points to level 3, and between 0 and 50 points to level 4.
When the risk value of a rule changes, its risk level changes accordingly. For example, if a rule was at level 1 before the update and its updated risk value is 80 points, its updated risk level is determined to be level 2.
Step 303: update the prevention strategy corresponding to the identification rule according to the rule's updated risk level and the level correspondence between identification rules and prevention strategies.
Specifically, prevention strategies of similar strength may be grouped into one class, and different classes may share some strategies. Strategies are divided into prevention levels according to their strength. In the level correspondence between identification rules and prevention strategies, one level of identification rule may correspond to one level of prevention strategy or to several levels; this is not specifically limited in the embodiments of the present invention.
For example, as shown in Figure 4, identification rules are divided from the highest risk level to the lowest into identification rule class one, class two, class three and class four, and prevention strategies are divided from the highest prevention level to the lowest into prevention strategy class one, class two, class three and class four. Identification rule class one corresponds to prevention strategy class one; identification rule class two corresponds to prevention strategy classes one and two; identification rule class three corresponds to prevention strategy classes two and three; identification rule class four corresponds to prevention strategy classes three and four. If the target identification rule currently belongs to identification rule class one, its corresponding prevention strategy is prevention strategy class one. After its risk level is updated, if the target rule belongs to identification rule class two, its corresponding prevention strategies are prevention strategy classes one and two. Because the prevention strategy corresponding to a rule is re-derived from the level correspondence whenever the rule's risk level is updated, the strategy applied for a given rule varies over time, which prevents a malicious user from brute-forcing the prevention strategy and improves the security of the system.
For ease of description, identification rule class one is referred to below as identification rule class A, class two as class B, class three as class C and class four as class D; likewise, prevention strategy class one is referred to as prevention strategy class a, class two as class b, class three as class c and class four as class d.
Optionally, in step 202 above, when determining the target prevention strategy from the strategies corresponding to the matched identification rule, the target strategy may be determined from the multiple strategies corresponding to the matched rule according to a matching probability.
For example, an identification rule corresponds to multiple prevention strategies, each with a matching probability, namely the probability that the strategy is selected as the target prevention strategy. The matching probabilities can be set according to the actual situation. For instance, in the embodiment of Figure 4, let prevention strategy class a contain n strategies and prevention strategy class b contain m strategies. For identification rule class A, the matching probability between class A and prevention strategy class a is P(A)=1. The matching probability between each identification rule j in class A and each prevention strategy in class a is
Figure PCTCN2020084321-appb-000002
that is, when the matched rule is j, the probability that each prevention strategy in class a is selected as the target strategy is
Figure PCTCN2020084321-appb-000003
For identification rule class B, the matching probability between class B and prevention strategy class a is P(a|B), and the matching probability between class B and prevention strategy class b is P(b|B), where P(a|B)+P(b|B)=1. Since class B is a closer match for prevention strategy class b, P(b|B) can be set to a larger probability and P(a|B) to a smaller one, i.e. P(b|B) > P(a|B).
For any identification rule k in class B, the matching probability between rule k and each prevention strategy in class a is
Figure PCTCN2020084321-appb-000004
that is, when the matched rule is k, the probability that each prevention strategy in class a is selected as the target strategy is
Figure PCTCN2020084321-appb-000005
The matching probability between rule k and each prevention strategy in class b is
Figure PCTCN2020084321-appb-000006
that is, when the matched rule is k, the probability that each prevention strategy in class b is selected as the target strategy is
Figure PCTCN2020084321-appb-000007
Setting matching probabilities for the prevention strategies makes the selected strategy a better fit for the identification rule. Furthermore, when a class of identification rules corresponds to one or more classes of prevention strategies, it is largely guaranteed that a user cannot brute-force the prevention strategy, which improves the security of the system.
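Steps 302 and 303 together with the matching-probability selection just described, as an added example that is not code from the patent or its applicant: it maps an updated risk value to the risk bands given in the text, looks up the Figure 4 correspondence (A to a, B to a and b, C to b and c, D to c and d), spreads each class probability uniformly over that class's strategies, and draws the target strategy. The page fixes only P(a|A)=1, P(a|B)+P(b|B)=1 and P(b|B) > P(a|B); the 0.3/0.7 split, the strategy catalogue (n=2 in class a, m=3 in class b), and the assumption that a boundary value such as 90 belongs to the higher band are all constructed here.

```python
import random
from fractions import Fraction

# Risk-level bands from the description: 90-100 -> level 1, 70-90 -> level 2,
# 50-70 -> level 3, 0-50 -> level 4. The page does not say which level a
# boundary value (90, 70, 50) falls in; here the lower bound is inclusive (assumption).
LEVEL_LOWER_BOUNDS = ((90, 1), (70, 2), (50, 3), (0, 4))

# Figure 4 correspondence, using the short names A..D and a..d from the text.
RULE_CLASS_OF_LEVEL = {1: "A", 2: "B", 3: "C", 4: "D"}

# Constructed strategy catalogue (not from the patent): class a has n=2 strategies,
# class b has m=3; classes run from strongest (a) to weakest (d) prevention strength.
STRATEGY_CATALOGUE = {
    "a": ("block_account", "force_reauth"),
    "b": ("sms_otp", "captcha_hard", "delay_5s"),
    "c": ("captcha_easy", "rate_limit"),
    "d": ("log_only", "soft_warning"),
}
STRATEGY_CLASS_OF = {s: cls for cls, ss in STRATEGY_CATALOGUE.items() for s in ss}

# Class-level matching probabilities P(strategy class | rule class). The page fixes
# only P(a|A)=1, P(a|B)+P(b|B)=1 and P(b|B)>P(a|B); the 0.3/0.7 split is constructed.
CLASS_PROBABILITIES = {
    "A": {"a": Fraction(1)},
    "B": {"a": Fraction(3, 10), "b": Fraction(7, 10)},
    "C": {"b": Fraction(3, 10), "c": Fraction(7, 10)},
    "D": {"c": Fraction(3, 10), "d": Fraction(7, 10)},
}


def risk_level(score):
    """Step 302: map an updated risk value S_i1 (0..100 points) to its risk level."""
    if not 0 <= score <= 100:
        raise ValueError("risk value must lie within 0..100")
    for lower, level in LEVEL_LOWER_BOUNDS:
        if score >= lower:
            return level


def strategy_probabilities(rule_class):
    """Per-strategy selection probability: the class probability spread uniformly
    over that class's strategies, e.g. P(b|B)/m for each strategy in class b."""
    probs = {}
    for cls, p_cls in CLASS_PROBABILITIES[rule_class].items():
        strategies = STRATEGY_CATALOGUE[cls]
        for s in strategies:
            probs[s] = p_cls / len(strategies)
    return probs


def select_strategy(score, rng):
    """Step 303 plus the probabilistic choice: level -> rule class -> weighted draw."""
    rule_class = RULE_CLASS_OF_LEVEL[risk_level(score)]
    probs = strategy_probabilities(rule_class)
    names = list(probs)
    weights = [float(p) for p in probs.values()]
    return rng.choices(names, weights=weights, k=1)[0]


def sample_class_counts(score, draws, seed):
    """How often each strategy class gets chosen over `draws` requests at one risk value."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(draws):
        cls = STRATEGY_CLASS_OF[select_strategy(score, rng)]
        counts[cls] = counts.get(cls, 0) + 1
    return counts


if __name__ == "__main__":
    for score in (95, 80, 60, 20):
        print(score, "level", risk_level(score), sample_class_counts(score, 1000, seed=1))
```

Exact fractions are kept for the per-strategy probabilities so that a configuration mistake (a row of CLASS_PROBABILITIES not summing to 1, or a class left out of the catalogue) shows up as a plain arithmetic check rather than a statistical one; only the final draw converts to floats. In production the draw should come from a CSPRNG (for instance `random.SystemRandom`), since a predictable sequence would undo the unpredictability the text relies on.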
In an optional implementation, even when a request message is normal, some potential risks still need to be considered. Such risks generally cannot be seen from a single user's request behaviour and must be judged from the aggregate behaviour of multiple users. For example, in an account-opening scenario, when the back of one ID card is used by one user, the back of that ID card cannot be determined to be risky. When the back of the same ID card is used in account-opening requests of several different users and all of them are judged to pass, the authenticity of the issuing authority and the validity period printed on the back of that ID card needs to be considered.
To this end, the embodiments of the present invention may also analyse normal request messages. When the same verification information appears in the request messages of M users (M being a preset integer), a new identification rule is generated from that verification information and added to the identification rule set; here the request messages of the M users are normal request messages. For example, when the back of the ID card is identical in the account-opening request messages of M users, a new identification rule can be generated: the same ID-card back is received again during account opening. The new rule is then added to the rule set, and a corresponding prevention strategy may further be set for it. By analysing multiple normal request messages, potential risks are discovered from the aggregate behaviour of multiple users, new identification rules are generated, and the rule set is supplemented with them, which improves the accuracy of preventing malicious attacks.
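The aggregation check of the two paragraphs above, as an added example that is not code from the patent or its applicant: over a constructed batch of normal (passed) account-opening requests it groups the ID-card-back verification information by a SHA-256 digest, counts distinct users per value, and for every value shared by at least M distinct users generates a new identification rule that later matches any request carrying the same value. The threshold M=3, the request records, the field name `id_back` and the rule format are all constructed; a single user retrying with the same document is deliberately counted once, since the text speaks of M different users.

```python
import hashlib
from collections import defaultdict

M = 3  # preset number of distinct users sharing one piece of verification information (constructed)

# Constructed normal (passed) account-opening requests; "id_back" stands for the
# content read from the back of the ID card (issuing authority, validity period, image).
NORMAL_REQUESTS = [
    {"user": "u1", "id_back": "ISSUER-X|2015.01.01-2035.01.01|img-aaa"},
    {"user": "u2", "id_back": "ISSUER-X|2015.01.01-2035.01.01|img-aaa"},
    {"user": "u2", "id_back": "ISSUER-X|2015.01.01-2035.01.01|img-aaa"},  # same user retrying: counted once
    {"user": "u3", "id_back": "ISSUER-X|2015.01.01-2035.01.01|img-aaa"},
    {"user": "u4", "id_back": "ISSUER-Y|2018.05.05-2038.05.05|img-bbb"},
    {"user": "u5", "id_back": "ISSUER-Y|2018.05.05-2038.05.05|img-bbb"},  # only 2 users: below M
]


def fingerprint(value):
    """Keep only a digest of the verification information in the rule, not the raw document data."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def shared_verification_info(requests, field, m):
    """{fingerprint: sorted distinct users} for every value shared by at least m distinct users."""
    users_by_fp = defaultdict(set)
    for req in requests:
        users_by_fp[fingerprint(req[field])].add(req["user"])
    return {fp: sorted(users) for fp, users in users_by_fp.items() if len(users) >= m}


def generate_rules(requests, field, m, rule_set):
    """Generate 'same <field> received again' rules and add the ones not yet present to rule_set."""
    known_ids = {r["id"] for r in rule_set}
    new_rules = []
    for fp, users in shared_verification_info(requests, field, m).items():
        rule = {"id": f"dup-{field}-{fp[:12]}", "field": field,
                "fingerprint": fp, "seen_users": len(users)}
        if rule["id"] not in known_ids:
            rule_set.append(rule)
            new_rules.append(rule)
    return new_rules


def matches(rule, request):
    """True when the request carries the verification information the rule was generated from."""
    return fingerprint(request[rule["field"]]) == rule["fingerprint"]


if __name__ == "__main__":
    rules = []
    for rule in generate_rules(NORMAL_REQUESTS, "id_back", M, rules):
        print("new rule", rule["id"], "seen by", rule["seen_users"], "users")
    later = {"user": "u9", "id_back": "ISSUER-X|2015.01.01-2035.01.01|img-aaa"}
    print("later request matches:", [r["id"] for r in rules if matches(r, later)])
```

Running the generator again over the same batch adds nothing, which matters because the offline audit module re-analyses overlapping batches; storing the digest rather than the document content also keeps personal data out of the rule set while still letting the online matcher recognise the value.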
To better explain the embodiments of the present invention, the method for preventing malicious attacks provided by the embodiments is described below with reference to a specific scenario. The method may be executed by an apparatus for preventing malicious attacks, such as the application server 102 in Figure 1. As shown in Figure 5, the method includes the following steps:
Step 501: receive a first request message sent by a client.
Step 502: determine whether the first request message matches an identification rule in the identification rule set; if so, proceed to step 503, otherwise proceed to step 508.
Step 503: determine that the first request message is a suspicious message.
For example, the offline audit module of the apparatus may count the number of times each identification rule matches request messages; the counts can be used to update the prevention strategies corresponding to the rules.
Step 504: determine a target prevention strategy from the prevention strategies corresponding to the matched identification rule.
In this embodiment, each identification rule may correspond to multiple prevention strategies, with a matching probability between the rule and each strategy, and the target strategy is determined from the multiple strategies according to the matching probabilities. The multiple strategies corresponding to each rule may be updated periodically according to the rule's historical match count.
Step 505: determine the response message corresponding to the first request message using the target prevention strategy.
Step 506: send the response message to the client.
Step 507: receive a second request message sent by the client.
The first request message and the second request message may differ.
Step 508: determine that the first request message is normal.
For example, the offline audit module of the apparatus may analyse normal request messages; when the same verification information appears in the request messages of multiple users, a new identification rule may be generated from that information and added to the identification rule set.
In this embodiment, because the prevention strategy corresponding to each identification rule is not a single fixed one, the target prevention strategy determined when a request message matches a rule in the rule set varies; furthermore, because the strategies corresponding to a rule are updated according to its historical match count, the selected target prevention strategy also changes in a random manner, so a malicious user finds it hard to bypass the prevention strategy even after many attempts, which improves the security of the system. In addition, a malicious user who notices that the prevention strategy is random may make fewer malicious attempts, which reduces network load.
Based on the same technical concept, an embodiment of the present invention also provides an apparatus for preventing malicious attacks. As shown in Figure 6, the apparatus 600 includes:
a receiving module 601, configured to receive a first request message sent by a client;
an identification module 602, configured to determine, when the first request message matches an identification rule in the identification rule set, that the first request message is a suspicious message and to determine a target prevention strategy from the prevention strategies corresponding to the matched identification rule, where the prevention strategy corresponding to the identification rule is updated according to the historical match count of the identification rule;
a processing module 603, configured to process the first request message using the target prevention strategy and send the processing result to the client.
Optionally, the identification module 602 is specifically configured to:
update the current risk value of the identification rule according to the number of times the identification rule was matched in a historical time period;
update the risk level of the identification rule according to its updated risk value;
update the prevention strategy corresponding to the identification rule according to its updated risk level and the level correspondence between identification rules and prevention strategies.
Optionally, the identification rule corresponds to multiple prevention strategies, each prevention strategy corresponds to a matching probability, and the matching probability is the probability that the prevention strategy is selected as the target prevention strategy;
the identification module 602 is specifically configured to:
determine the target prevention strategy from the multiple prevention strategies corresponding to the matched identification rule according to the matching probabilities.
Optionally, the processing module 603 is specifically configured to:
determine the response message corresponding to the first request message using the target prevention strategy and send the response message to the client, so that the client sends a second request message different from the first request message.
Optionally, the identification module 602 is further configured to:
determine that the first request message is normal when it does not match any identification rule in the identification rule set.
Optionally, the apparatus further includes an analysis module 604;
the analysis module 604 is specifically configured to:
generate a new identification rule according to the verification information when the same verification information exists in the request messages corresponding to M users, where the request messages corresponding to the M users are normal request messages and M is a preset integer;
add the new identification rule to the identification rule set.
Based on the same technical concept, an embodiment of the present invention also provides a computer device which, as shown in Figure 7, includes at least one processor 701 and a memory 702 connected to the at least one processor. The embodiments of the present invention do not limit the specific connection medium between the processor 701 and the memory 702; in Figure 7 they are connected by a bus, by way of example. The bus may be divided into an address bus, a data bus, a control bus and so on.
In the embodiments of the present invention, the memory 702 stores instructions executable by the at least one processor 701, and by executing the instructions stored in the memory 702 the at least one processor 701 can perform the steps of the method for preventing malicious attacks described above.
The processor 701 is the control centre of the computer device; it connects the parts of the device through various interfaces and lines, and prevents malicious attacks by running or executing instructions stored in the memory 702 and calling data stored in the memory 702. Optionally, the processor 701 may include one or more processing units and may integrate an application processor and a modem processor, where the application processor mainly handles the operating system, user interface and applications, and the modem processor mainly handles wireless communication. It will be understood that the modem processor need not be integrated into the processor 701. In some embodiments the processor 701 and the memory 702 are implemented on the same chip; in others they are implemented on separate chips.
The processor 701 may be a general-purpose processor such as a central processing unit (CPU), a digital signal processor, an application-specific integrated circuit (ASIC), a field-programmable gate array or other programmable logic device, discrete gate or transistor logic, or discrete hardware components, and may implement or execute the methods, steps and logic block diagrams disclosed in the embodiments of the present invention. A general-purpose processor may be a microprocessor or any conventional processor. The steps of the method disclosed in the embodiments of the present invention may be performed directly by a hardware processor or by a combination of hardware and software modules in the processor.
The memory 702, as a non-volatile computer-readable storage medium, can be used to store non-volatile software programs, non-volatile computer-executable programs and modules. The memory 702 may include at least one type of storage medium, for example flash memory, a hard disk, a multimedia card, card-type memory, random access memory (RAM), static random access memory (SRAM), programmable read-only memory (PROM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), magnetic memory, a magnetic disk, an optical disc and so on. The memory 702 is any other medium that can carry or store desired program code in the form of instructions or data structures and can be accessed by a computer, but is not limited thereto. The memory 702 in the embodiments of the present invention may also be a circuit or any other device capable of performing a storage function, used to store program instructions and/or data.
Based on the same technical concept, the embodiments of the present invention provide a computer-readable storage medium storing a computer program executable by a computer device; when the program runs on the computer device, it causes the computer device to perform the steps of the method for preventing malicious attacks.
Those skilled in the art will understand that the embodiments of the present invention may be provided as a method or a computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM and optical storage) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks therein, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps are performed on the computer or other programmable device to produce a computer-implemented process, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the present invention have been described, those skilled in the art can make further changes and modifications to these embodiments once they have learned the basic inventive concept. Therefore, the appended claims are intended to be construed as including the preferred embodiments and all changes and modifications that fall within the scope of the present invention.
Obviously, those skilled in the art can make various changes and variations to the present invention without departing from its spirit and scope. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include them.

Claims (10)

  1. 一种预防恶意攻击的方法,其特征在于,包括:A method for preventing malicious attacks, characterized in that it includes:
    接收用户端发送的第一请求消息;Receiving the first request message sent by the user terminal;
    在所述第一请求消息与识别规则集合中的识别规则匹配时,确定所述第一请求消息为可疑消息,并从匹配的识别规则对应的预防策略中确定目标预防策略,所述识别规则对应的预防策略是根据所述识别规则的历史匹配次数更新的;When the first request message matches the recognition rule in the recognition rule set, it is determined that the first request message is a suspicious message, and the target prevention strategy is determined from the prevention strategy corresponding to the matching recognition rule, and the recognition rule corresponds to The prevention strategy is updated according to the historical matching times of the identification rule;
    采用所述目标预防策略对所述第一请求消息进行处理,并发送处理结果至所述用户端。The target prevention strategy is used to process the first request message, and the processing result is sent to the client.
  2. The method according to claim 1, wherein the prevention strategy corresponding to the identification rule being updated according to the historical number of matches of the identification rule comprises:
    updating the current risk value of the identification rule according to the number of matches of the identification rule in a historical time period;
    updating the risk level of the identification rule according to the updated risk value of the identification rule; and
    updating the prevention strategy corresponding to the identification rule according to the updated risk level of the identification rule and a level correspondence between identification rules and prevention strategies.
  3. The method according to claim 2, wherein the identification rule corresponds to a plurality of prevention strategies, each prevention strategy corresponds to a matching probability, and the matching probability is the probability that the prevention strategy is selected as the target prevention strategy;
    and determining the target prevention strategy from the prevention strategies corresponding to the matched identification rule comprises:
    determining the target prevention strategy from the plurality of prevention strategies corresponding to the matched identification rule according to the matching probabilities.
  4. The method according to claim 1, wherein processing the first request message with the target prevention strategy and sending the processing result to the client comprises:
    determining, with the target prevention strategy, a response message corresponding to the first request message, and sending the response message to the client so that the client sends a second request message that differs from the first request message.
  5. The method according to any one of claims 1 to 4, further comprising:
    when the first request message matches no identification rule in the identification rule set, determining that the first request message is normal.
  6. The method according to claim 5, further comprising:
    when the request messages corresponding to M users contain the same verification information, generating a new identification rule according to that verification information, the request messages corresponding to the M users being normal request messages and M being a preset integer; and
    adding the new identification rule to the identification rule set.
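The procedure of claims 1 to 6 (match a request against a rule set; derive each rule's risk value from its match count in a time window, its level from the value, and its strategy set from the level; pick one strategy by matching probability; answer with a response that forces a different second request; derive a new rule when M normal users present the same verification information), worked through in Python as an added illustration. This is not code from the patent or from 深圳前海微众银行股份有限公司; the window length, the risk formula, the level thresholds, the strategy names and probabilities, the challenge encoding and the request field names `path`, `ip`, `user` and `verify` are assumptions made for the example, and all traffic fed to it is constructed.

```python
"""Adaptive identification-rule / prevention-strategy scheme of claims 1 to 6.
Added illustration, not code from the patent or the applicant: the window, the
risk formula, the thresholds, the strategy names and probabilities, the challenge
format and the request field names are all assumptions made for the example."""
import random
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

WINDOW_SECONDS = 60.0                                 # assumed "historical time period"
LEVEL_THRESHOLDS = ((3, 100.0), (2, 20.0), (1, 5.0))   # assumed risk-value cut-offs, high to low
# Claim 2's level correspondence joined with claim 3's matching probabilities
# (assumed; the probabilities within each level sum to 1).
LEVEL_STRATEGIES: Dict[int, List[Tuple[str, float]]] = {
    0: [("log_only", 1.0)],
    1: [("delay", 0.7), ("captcha", 0.3)],
    2: [("captcha", 0.6), ("delay", 0.2), ("block", 0.2)],
    3: [("block", 0.9), ("captcha", 0.1)],
}


def risk_level_for(risk_value: float) -> int:
    """Claim 2, second step: map the updated risk value to a risk level."""
    for level, threshold in LEVEL_THRESHOLDS:
        if risk_value >= threshold:
            return level
    return 0


def select_strategy(strategies: List[Tuple[str, float]], u: float) -> str:
    """Claim 3: pick one strategy by its matching probability from a uniform
    sample u in [0, 1) (inverse CDF over the cumulative probabilities)."""
    acc = 0.0
    for name, probability in strategies:
        acc += probability
        if u < acc:
            return name
    return strategies[-1][0]  # only reachable through floating-point round-off


@dataclass
class Rule:
    name: str
    predicate: Callable[[dict], bool]
    hits: deque = field(default_factory=deque)  # match timestamps still inside the window
    risk_value: float = 0.0
    risk_level: int = 0

    def record_match(self, now: float) -> None:
        """Claim 2: risk value from the match count in the historical window,
        then the level, which selects the strategy set for this hit."""
        self.hits.append(now)
        while self.hits and now - self.hits[0] > WINDOW_SECONDS:
            self.hits.popleft()
        self.risk_value = float(len(self.hits))
        self.risk_level = risk_level_for(self.risk_value)


class Guard:
    def __init__(self, rules: List[Rule], rng: Optional[random.Random] = None):
        self.rules = rules
        self.rng = rng or random.Random()

    def handle(self, request: dict, now: float) -> dict:
        """Claims 1, 4 and 5: a request matching a rule is suspicious and gets a
        strategy-specific response (for delay/captcha a challenge the client must
        answer in a different second request); an unmatched request is normal."""
        for rule in self.rules:
            if rule.predicate(request):
                rule.record_match(now)
                strategy = select_strategy(LEVEL_STRATEGIES[rule.risk_level], self.rng.random())
                response = {"action": strategy}
                if strategy in ("delay", "captcha"):
                    response["challenge"] = f"{rule.name}:{int(now)}"  # assumed encoding
                return {"verdict": "suspicious", "rule": rule.name,
                        "level": rule.risk_level, "strategy": strategy, "response": response}
        return {"verdict": "normal", "response": {"action": "serve"}}

    def learn_rule(self, normal_requests: List[dict], m: int) -> Optional[Rule]:
        """Claim 6: when the same verification info (assumed field "verify") occurs
        in normal requests of M distinct users, derive a rule from it and add it
        to the set, so that later reuse of that value is flagged."""
        users_by_token: Dict[str, set] = {}
        for req in normal_requests:
            token = req.get("verify")
            if token is not None:
                users_by_token.setdefault(token, set()).add(req["user"])
        for token, users in users_by_token.items():
            if len(users) >= m:
                rule = Rule(f"shared-verify:{token}", lambda r, t=token: r.get("verify") == t)
                self.rules.append(rule)
                return rule
        return None
```

Two points a practitioner would check before reusing this shape: the counter in `record_match` is per rule, as claim 2 phrases it, so a rule that fires on broad traffic escalates for every client at once, and a deployment would normally key the window by client as well as by rule; and the sample fed to `select_strategy` should come from `random.SystemRandom` rather than a seeded `random.Random`, so that the sequence of chosen strategies is not predictable to a client that observes many responses.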
  7. An apparatus for preventing malicious attacks, comprising:
    a receiving module, configured to receive a first request message sent by a client;
    an identification module, configured to, when the first request message matches an identification rule in an identification rule set, determine that the first request message is a suspicious message and determine a target prevention strategy from the prevention strategies corresponding to the matched identification rule, the prevention strategy corresponding to the identification rule being updated according to the historical number of matches of the identification rule; and
    a processing module, configured to process the first request message with the target prevention strategy and send the processing result to the client.
  8. The apparatus according to claim 7, wherein the identification module is specifically configured to:
    update the current risk value of the identification rule according to the number of matches of the identification rule in a historical time period;
    update the risk level of the identification rule according to the updated risk value of the identification rule; and
    update the prevention strategy corresponding to the identification rule according to the updated risk level of the identification rule and a level correspondence between identification rules and prevention strategies.
  9. A computer device, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the program, implements the steps of the method according to any one of claims 1 to 6.
  10. A computer-readable storage medium storing a computer program executable by a computer device, wherein the program, when run on the computer device, causes the computer device to execute the steps of the method according to any one of claims 1 to 6.
Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910506914.8A CN110266676B 2019-06-12 2019-06-12 Method and device for preventing malicious attack
CN201910506914.8 2019-06-12

Publications (1)

Publication Number Publication Date
WO2020248687A1 2020-12-17

Family

ID=67917857

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/084321 WO2020248687A1 2019-06-12 2020-04-10 Method and apparatus for preventing malicious attack

Country Status (2)

Country Link
CN (1) CN110266676B
WO (1) WO2020248687A1

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112688930A * 2020-12-18 2021-04-20 深圳前海微众银行股份有限公司 Brute force cracking detection method, system, equipment and medium
CN113205328A * 2021-06-07 2021-08-03 中国银行股份有限公司 Mobile banking security detection method and digital twin system
CN113486344A * 2021-07-14 2021-10-08 北京奇艺世纪科技有限公司 Interface anti-brushing method and device, server and storage medium
CN113486344B * 2021-07-14 2023-09-05 北京奇艺世纪科技有限公司 Interface anti-brushing method and device, server side and storage medium
CN116528243A * 2023-06-29 2023-08-01 北京华翔联信科技股份有限公司 User identification method and device, electronic equipment and storage medium
CN116528243B * 2023-06-29 2023-09-08 北京华翔联信科技股份有限公司 User identification method and device, electronic equipment and storage medium

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110266676B * 2019-06-12 2023-05-12 深圳前海微众银行股份有限公司 Method and device for preventing malicious attack

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2013164821A2 * 2012-05-03 2013-11-07 Shine Security Ltd. Malicious threat detection, malicious threat prevention, and a learning systems and methods for malicious threat detection and prevention
CN106790292A * 2017-03-13 2017-05-31 摩贝(上海)生物科技有限公司 Web application layer attack detection and defense method based on behavior feature matching and analysis
CN108259476A * 2017-12-29 2018-07-06 杭州安恒信息技术有限公司 Anti-guessing bypass method and system based on fuzzy induction
US10063519B1 * 2017-03-28 2018-08-28 Verisign, Inc. Automatically optimizing web application firewall rule sets
CN109561090A * 2018-11-30 2019-04-02 杭州安恒信息技术股份有限公司 Web intelligent defense method, device, equipment and readable storage medium
CN110266676A * 2019-06-12 2019-09-20 深圳前海微众银行股份有限公司 Method and device for preventing malicious attack

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8966591B2 * 2013-01-18 2015-02-24 Ca, Inc. Adaptive strike count policy
CN104125225A * 2014-07-28 2014-10-29 浪潮(北京)电子信息产业有限公司 Method and device for user login authentication in cloud data centre
CN109302380B * 2018-08-15 2022-10-25 全球能源互联网研究院有限公司 Intelligent decision-making method and system for linkage defense strategy of safety protection equipment

Also Published As

Publication number Publication date
CN110266676A 2019-09-20
CN110266676B 2023-05-12

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
  Ref document number: 20823621; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
  Ref country code: DE
122 Ep: pct application non-entry in european phase
  Ref document number: 20823621; Country of ref document: EP; Kind code of ref document: A1
32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established
  Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 21/03/2022)