CN104994092A - Service request processing method, terminal browser and anti-attack server
- Publication number: CN104994092A (CN201510375370.8A)
- Authority: CN (China)
- Prior art keywords: attack, service request, browser, attack protection, webpage
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L63/1416: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic; event detection, e.g. attack signature detection
- H04L63/12: Network architectures or network communication protocols for network security; applying verification of the received information
Abstract
Embodiments of the invention disclose a service request processing method, a terminal browser and an anti-attack server. The service request processing method implemented by a browser comprises the following steps: monitoring for a service request generated on the basis of the currently displayed webpage; if the service request is detected, acquiring the input behavior data recorded while the webpage was displayed; transmitting the input behavior data to the anti-attack server, so as to obtain the return information that the anti-attack server generates from the identification result after performing attack-behavior identification on the input behavior data; and determining, according to the return information, whether to initiate the service request to the application server that provides the webpage. With the technical scheme provided by the embodiments, service request attacks triggered by non-human operation can be intercepted in time.
Description
Technical field
Embodiments of the present invention relate to the technical field of Internet security, and in particular to a service request processing method, a terminal browser and an anti-attack server.
Background
With the rapid development of mobile Internet technology, the webpage information that application servers can provide to users is becoming increasingly rich, so that users can enjoy more and deeper services. A webpage displayed in a terminal browser may contain multiple components and other information. After the user triggers a click on a component, one or more service requests can be initiated to the application server based on that operation, so that the application server performs business processing according to these requests, for example delivering other webpages.
However, some illegitimate users, driven by illicit gain, use malicious software tools to perform large numbers of non-human click operations on components in a webpage and repeatedly submit service requests, thereby attacking the application server.
It is therefore necessary to provide the application server with a mechanism for identifying non-human click operations, so that the application server can take the relevant anti-attack measures. Existing mechanisms, however, usually identify after the fact: only after the service requests initiated by the terminal have been responded to do they analyze the response results to judge whether the whole request process was triggered by non-human operation, so they cannot intercept attacks in time.
Summary of the invention
Embodiments of the present invention provide a service request processing method, a terminal browser and an anti-attack server that can intercept, in time, service request attacks triggered by non-human operation.
In one aspect, an embodiment provides a service request processing method, comprising:
monitoring for a service request generated based on the currently displayed webpage;
if the service request is detected, obtaining the input behavior data recorded while the webpage was displayed;
sending the input behavior data to an anti-attack server, so as to obtain the return information that the anti-attack server generates from the identification result after performing attack-behavior identification on the input behavior data;
determining, according to the return information, whether to initiate the service request to the application server that provides the webpage.
In another aspect, an embodiment provides a service request processing method, comprising:
receiving data sent by a browser on a terminal, the data being the input behavior data, recorded while the webpage was displayed, that the browser obtained after detecting a service request generated based on the currently displayed webpage;
performing attack-behavior identification according to the input behavior data;
generating return information based on the identification result and sending it to the browser, so as to instruct the browser to determine, according to the return information, whether to initiate the service request to the application server that provides the webpage.
In yet another aspect, an embodiment provides a terminal browser, comprising:
a service request monitoring unit, configured to monitor for a service request generated based on the currently displayed webpage;
an input behavior data obtaining unit, configured to obtain, if the service request is detected, the input behavior data recorded while the webpage was displayed;
an input behavior data sending unit, configured to send the input behavior data to an anti-attack server, so as to obtain the return information that the anti-attack server generates from the identification result after performing attack-behavior identification on the input behavior data;
a service request initiating unit, configured to determine, according to the return information, whether to initiate the service request to the application server that provides the webpage.
In yet another aspect, an embodiment provides an anti-attack server, comprising:
an input behavior data receiving unit, configured to receive data sent by a browser on a terminal, the data being the input behavior data, recorded while the webpage was displayed, that the browser obtained after detecting a service request generated based on the currently displayed webpage;
an attack-behavior identification unit, configured to perform attack-behavior identification according to the input behavior data;
a return information sending unit, configured to generate return information based on the identification result and send it to the browser, so as to instruct the browser to determine, according to the return information, whether to initiate the service request to the application server that provides the webpage.
In the technical scheme provided by the embodiments, after the browser detects in real time a service request generated based on the currently displayed webpage, it does not immediately initiate the service request to the application server. The anti-attack server first performs attack-behavior identification on the service request, and the browser then determines, based on the identification result, whether to initiate the service request to the application server. Service requests with attack behavior that the browser generates can therefore be intercepted in time, preventing them from attacking the application server and reducing the application server's service request processing load.
Brief description of the drawings
Fig. 1 is a schematic flowchart of the service request processing method provided by Embodiment one;
Fig. 2 is a schematic flowchart of the service request processing method provided by Embodiment two;
Fig. 3 is a schematic flowchart of the service request processing method provided by Embodiment three;
Fig. 4 is a schematic flowchart of the service request processing method provided by Embodiment four;
Fig. 5 is a schematic flowchart of the service request processing method provided by Embodiment five;
Fig. 6 is a schematic structural diagram of the terminal browser provided by Embodiment six;
Fig. 7 is a schematic structural diagram of the anti-attack server provided by Embodiment seven;
Fig. 8 is a signaling flowchart of the service request processing method provided by Embodiment eight.
Detailed description of the embodiments
The present invention is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here only explain the present invention and do not limit it. It should also be noted that, for convenience of description, the drawings show only the parts related to the present invention rather than the entire structure.
Before the exemplary embodiments are discussed in more detail, it should be mentioned that some exemplary embodiments are described as processes or methods depicted as flowcharts. Although a flowchart describes the operations (or steps) as a sequential process, many of the operations can be performed in parallel, concurrently or simultaneously. In addition, the order of the operations can be rearranged. A process can be terminated when its operations are completed, but it can also have additional steps not included in the drawings. A process can correspond to a method, function, procedure, subroutine, subprogram and so on.
It should also be mentioned that in some alternative implementations, the functions/actions mentioned can occur in an order different from that indicated in the drawings. For example, depending on the functions/actions involved, two figures shown in succession may in fact be executed substantially simultaneously or sometimes in the reverse order.
Embodiment one
Fig. 1 is a schematic flowchart of the service request processing method provided by Embodiment one. This embodiment applies to a network architecture made up of a terminal browser, an application server and an anti-attack server. The method can be performed by the browser in the terminal; the terminal can be an electronic device with mouse input and web browsing functions, such as a notebook or desktop computer. Referring to Fig. 1, the service request processing method provided by this embodiment comprises the following operations:
Operation 110: monitor for a service request generated based on the currently displayed webpage.
The displayed webpage can be obtained by the browser from the application server. The webpage contains at least one component. After a trigger event on any component in the webpage is captured, the browser can generate, based on that trigger event, one or more service requests (that is, HTTP requests) to be initiated to the application server, and the application server performs the relevant business processing after receiving them. Under normal conditions, the trigger event on a component is produced by the user clicking that component in the displayed webpage. In some cases, however, the trigger event may be produced by an attacking robot clicking the component in the displayed webpage, or by other attack means. A service request generated from such a trigger event is therefore likely to be a request with attack behavior.
For this reason, this embodiment provides a mechanism in which the browser monitors in real time for service requests generated based on the currently displayed webpage. When one is detected, the browser does not directly initiate the service request to the application server. The anti-attack server first performs attack-behavior identification on the service request, and the browser then determines, based on the identification result, whether to initiate the service request to the application server.
In this embodiment, the monitored service requests can be every service request generated by a trigger event on any component in the webpage. For some service requests, however, it does not matter to the application server whether they are attack requests, and for this or other reasons it is not necessary to monitor every service request generated by every component in the webpage. Preferably, therefore, the monitored service requests comprise: some or all of the service requests generated by triggering designated components in the displayed webpage.
Operation 120: if the service request is detected, obtain the input behavior data recorded while the webpage was displayed.
As an example, the terminal is an electronic device with mouse input (such as a notebook computer). After the browser in the terminal presents the webpage to the user, the user operates the mouse in a way that is characteristic of a person, so that the mouse reaches the relevant component in the displayed webpage, and then clicks the component with the mouse, triggering generation of the service request. In this human way of operating, for example, the line formed by the mouse's movement trajectory is a disordered curve, and some coordinate points in the trajectory repeat; in addition, the acceleration of the mouse movement is not fixed (usually accelerating first and then decelerating), and the movement takes a relatively long time; and so on. A robot, by contrast, either drives the mouse to the relevant component with fixed acceleration, in a process that is very quick, where the line formed by the movement trajectory is usually a straight line and the coordinate points in the trajectory do not repeat; or it does not generate the service request by driving the mouse to click the component at all, and instead uses some cracking technique to produce the trigger event on a component in the webpage directly.
For this reason, the input behavior data recorded while the webpage is displayed can be captured on the browser side, so that the anti-attack server can perform attack-behavior identification on it. The input behavior data comprise: the movement trajectory of the mouse in the terminal and/or the mouse click coordinate that triggered the service request. The time at which the mouse reached each coordinate point in the trajectory can also be included. Note that in the embodiments of the present invention, "mouse" always refers to the mouse pointer displayed on the terminal screen.
Operation 130: send the input behavior data to the anti-attack server, so as to obtain the return information that the anti-attack server generates from the identification result after performing attack-behavior identification on the input behavior data.
Operation 140: determine, according to the return information, whether to initiate the service request to the application server that provides the webpage.
In one specific implementation, if the return information is the first indication information, corresponding to an identification result of non-attack behavior, the browser initiates the detected service request to the application server;
if the return information is verification information, corresponding to an identification result of attack behavior, the browser obtains the verification feedback that is input, sends it to the anti-attack server for verification, and, after receiving the second indication information that the anti-attack server generates on successful verification, initiates the detected service request to the application server.
In another specific implementation, if the return information is the first indication information, corresponding to an identification result of non-attack behavior, the browser initiates the detected service request to the application server; if the return information is the third indication information, corresponding to an identification result of attack behavior, the browser masks the detected service request and refuses to send it to the application server.
In the scheme provided by this embodiment, after the browser detects in real time a service request generated based on the currently displayed webpage, it does not directly initiate the service request to the application server. The anti-attack server first performs attack-behavior identification on the service request, and the browser then determines, based on the identification result, whether to initiate the service request to the application server. Generated service requests with attack behavior can thus be intercepted in time, preventing them from attacking the application server and reducing the application server's service request processing load.
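The browser-side flow of operations 110 to 140, including the verification branch, written as a transport-free state machine. This is an added example, not code from the patent; the class name, the message type strings and the payload fields are hypothetical, and the caller is assumed to carry each returned action to the anti-attack server or application server.

```javascript
// Hypothetical names for the return information described in Embodiment one.
const INFO = Object.freeze({
  FIRST: 'first_indication',   // identified as non-attack: initiate the request
  VERIFY: 'verification',      // identified as attack: ask the user to verify
  SECOND: 'second_indication', // verification succeeded: initiate the request
  THIRD: 'third_indication',   // attack: mask the request
});

class ServiceRequestGate {
  constructor(monitoredComponents, maxSamples = 500) {
    this.monitored = new Set(monitoredComponents); // designated components
    this.maxSamples = maxSamples;
    this.track = [];     // mouse trajectory recorded while the page is displayed
    this.pending = null; // service request held back until the server answers
    this.state = 'idle';
  }

  // In a page this would be wired as:
  //   document.addEventListener('mousemove',
  //     e => gate.recordMove(e.clientX, e.clientY, performance.now()));
  recordMove(x, y, t) {
    this.track.push({ x, y, t });
    if (this.track.length > this.maxSamples) this.track.shift();
  }

  // Operations 110-130: a component trigger has produced `request`.
  onServiceRequest(request, click) {
    if (!this.monitored.has(request.component)) {
      return { action: 'forward', request }; // not a monitored service request
    }
    if (this.pending) {
      return { action: 'block', request }; // one identification at a time
    }
    this.pending = request;
    this.state = 'identifying';
    const payload = { track: this.track.slice(), click };
    this.track = [];
    return { action: 'send_to_anti_attack', payload };
  }

  // Operation 140: act on the return information from the anti-attack server.
  onReturnInfo(info) {
    if (!this.pending) return { action: 'ignore' };
    switch (`${this.state}:${info.type}`) {
      case `identifying:${INFO.FIRST}`:
      case `verifying:${INFO.SECOND}`:
        return this.release('forward');
      case `identifying:${INFO.VERIFY}`:
        this.state = 'verifying';
        return { action: 'prompt_user', challenge: info.challenge };
      default:
        // Third indication, or any message that does not fit the current
        // state (e.g. a second indication with no prior challenge): fail closed.
        return this.release('block');
    }
  }

  release(action) {
    const request = this.pending;
    this.pending = null;
    this.state = 'idle';
    return { action, request };
  }
}
```

Because this logic runs in the client, an attacker who controls the browser can bypass it; the server-side check described at the end of Embodiment five is what makes the decision binding.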
Embodiment two
Fig. 2 is a schematic flowchart of the service request processing method provided by Embodiment two. On the basis of Embodiment one, this embodiment adds an operation for obtaining the anti-attack monitoring code. The method provided by this embodiment can again be performed by the browser in the terminal. Referring to Fig. 2, the method comprises the following operations:
Operation 210: access and display the webpage provided by the application server.
Operation 220: according to the anti-attack service interface and the code resource identifier configured in the webpage, obtain the anti-attack monitoring code of the webpage from the anti-attack server.
The webpage accessed by the browser is configured with an anti-attack service interface and a code resource identifier. The code resource identifier is a character string that uniquely identifies the anti-attack monitoring code of the webpage; the anti-attack server can deliver it to the application server after generating the anti-attack monitoring code corresponding to the webpage, and the application server then builds it into the webpage. In this way, after obtaining the webpage provided by the application server, the browser can obtain the anti-attack monitoring code of the webpage from the anti-attack server according to the anti-attack service interface and the code resource identifier configured in the webpage. The browser then completes the subsequent operations of the service request processing method by running this code.
As an example, operation 220 comprises: initiating, through the anti-attack service interface, an anti-attack monitoring code acquisition request to the anti-attack server, the request containing the code resource identifier; and receiving the anti-attack monitoring code of the webpage that the anti-attack server looked up by the code resource identifier and returned.
Operation 230: monitor for a service request generated based on the currently displayed webpage.
Operation 240: if the service request is detected, obtain the input behavior data recorded while the webpage was displayed.
Operation 250: send the input behavior data to the anti-attack server, so as to obtain the return information that the anti-attack server generates from the identification result after performing attack-behavior identification on the input behavior data.
Operation 260: determine, according to the return information, whether to initiate the service request to the application server.
Of course, a person of ordinary skill in the art will understand that the application server may also directly embed in the webpage the anti-attack monitoring code that the anti-attack server generated for the webpage. In that case, after obtaining the webpage provided by the application server, the browser can directly extract the anti-attack monitoring code configured in the webpage and then complete the subsequent operations of the service request processing method by running this code.
However, because the anti-attack monitoring code is relatively large, the scheme provided by this embodiment does not embed the code in the webpage. This not only speeds up the browser's loading of the webpage, so that the webpage is displayed to the user sooner, but also spares the application server the work of embedding the code in the webpage, reducing its burden.
On the basis of the above scheme, the service request processing method performed by the browser in this embodiment further comprises: while obtaining the anti-attack monitoring code of the webpage from the anti-attack server, obtaining an encryption algorithm that the anti-attack server generates dynamically, the encryption algorithm being used to encrypt communication between the browser and the anti-attack server.
Embodiment three
Fig. 3 is a schematic flowchart of the service request processing method provided by Embodiment three. This embodiment again applies to a network architecture made up of a terminal browser, an application server and an anti-attack server. The method can be performed by the anti-attack server, in cooperation with the service request processing method implemented by the terminal browser in any embodiment of the present invention. The anti-attack server, as a third-party physical device that provides anti-attack services for the application server, can perform anti-attack monitoring on a service request before the terminal browser initiates it to the application server. Referring to Fig. 3, the service request processing method provided by this embodiment comprises the following operations:
Operation 310: receive data sent by the browser on the terminal, the data being the input behavior data, recorded while the webpage was displayed, that the browser obtained after detecting a service request generated based on the currently displayed webpage.
Operation 320: perform attack-behavior identification according to the input behavior data.
The input behavior data comprise: the movement trajectory of the mouse in the terminal and/or the mouse click coordinate that triggered the service request. The time at which the mouse reached each coordinate point in the trajectory can also be included.
Specifically, a preset attack-behavior identification algorithm can be used to parse the input behavior data and perform attack-behavior identification. As an example, if parsing yields at least two of the following results: the mouse click coordinate that triggered the service request is the coordinate of the designated component's position; the line formed by the mouse's movement trajectory matches a preset disordered curve; some coordinate points in the movement trajectory repeat; the acceleration of the mouse movement is fixed; and the mouse movement time exceeds a preset movement duration, then the service request detected by the browser is identified as an attack request, and the identification result is determined to be attack behavior. Otherwise, the service request detected by the browser is identified as not being an attack request, and the identification result is determined to be non-attack behavior.
Operation 330: generate return information based on the identification result and send it to the browser, so as to instruct the browser to determine, according to the return information, whether to initiate the service request to the application server that provides the webpage.
Specifically, if the identification result is non-attack behavior, the corresponding first indication information is generated and sent to the browser, so as to instruct the browser, after receiving the first indication information, to initiate the service request to the application server that provides the webpage.
As an example, if the identification result is attack behavior, a verification mechanism can be enabled to verify the service request detected by the browser in the terminal, and the verification result is used to correct the attack-behavior identification result. Alternatively, the verification mechanism need not be enabled: after the identification result is found to be attack behavior, the corresponding third indication information is generated directly and sent to the browser, so as to instruct the browser, after receiving the third indication information, to mask the detected service request and refuse to initiate it to the application server that provides the webpage.
With the technical scheme provided by this embodiment, the anti-attack server performs attack-behavior identification on the service request that the browser detected in real time and generates the corresponding return information, so that the browser can determine, based on the return information received, whether to initiate the service request to the application server. Service requests with attack behavior that the browser generates can therefore be intercepted in time, preventing them from attacking the application server and reducing the application server's service request processing load.
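A server-side identification routine in the spirit of operation 320, as an added example that is not the patent's algorithm. It scores the robot traits described in Embodiment one (straight-line trajectory, no repeated coordinate points, fixed acceleration, very quick movement, or no mouse movement at all) and applies the at-least-two rule from this embodiment; all thresholds, field names and both sample trajectories are constructed assumptions.

```javascript
// Thresholds are assumptions; the patent gives no values.
const LIMITS = Object.freeze({
  straightRatio: 1.02, // path length / displacement at or below this: straight line
  accelSpread: 0.001,  // px/ms^2; max minus min acceleration at or below this: fixed
  minDurationMs: 150,  // total movement time below this: "very quick"
});

// Constructed samples: a scripted pointer and a hand-made human-like trajectory.
const BOT_TRACK = Array.from({ length: 11 }, (_, i) => ({ x: 30 * i, y: 15 * i, t: 10 * i }));
const HUMAN_TRACK = [
  [0, 0, 0], [5, 2, 40], [18, 9, 80], [40, 30, 120], [70, 38, 160], [110, 70, 200],
  [150, 95, 240], [190, 100, 280], [230, 130, 320], [262, 140, 380], [285, 148, 450],
  [296, 151, 540], [301, 149, 650], [299, 150, 760], [301, 149, 850], [300, 150, 960],
].map(([x, y, t]) => ({ x, y, t }));

function isPoint(p) {
  return Boolean(p) && [p.x, p.y, p.t].every(Number.isFinite);
}

// Acceleration between consecutive segments, using segment midpoint times.
function accelerations(track) {
  const speeds = [];
  for (let i = 1; i < track.length; i++) {
    const dt = track[i].t - track[i - 1].t;
    if (dt <= 0) continue; // skip duplicate or out-of-order timestamps
    const d = Math.hypot(track[i].x - track[i - 1].x, track[i].y - track[i - 1].y);
    speeds.push({ v: d / dt, t: (track[i].t + track[i - 1].t) / 2 });
  }
  const out = [];
  for (let i = 1; i < speeds.length; i++) {
    out.push((speeds[i].v - speeds[i - 1].v) / (speeds[i].t - speeds[i - 1].t));
  }
  return out;
}

function identify(payload, limits = LIMITS) {
  const track = payload && Array.isArray(payload.track) ? payload.track : [];
  // A request with no usable mouse movement was not produced by a person
  // moving the pointer to the component (assumption: treated as attack).
  if (track.length < 3 || !track.every(isPoint)) {
    return { attack: true, indicators: ['no_usable_trajectory'] };
  }
  const indicators = [];
  const first = track[0];
  const last = track[track.length - 1];

  let path = 0;
  for (let i = 1; i < track.length; i++) {
    path += Math.hypot(track[i].x - track[i - 1].x, track[i].y - track[i - 1].y);
  }
  const displacement = Math.hypot(last.x - first.x, last.y - first.y);
  if (displacement > 0 && path / displacement <= limits.straightRatio) {
    indicators.push('straight_line');
  }

  const distinct = new Set(track.map((p) => `${p.x},${p.y}`));
  if (distinct.size === track.length) indicators.push('no_repeated_points');

  const accel = accelerations(track);
  if (accel.length > 0 && Math.max(...accel) - Math.min(...accel) <= limits.accelSpread) {
    indicators.push('fixed_acceleration');
  }

  if (last.t - first.t < limits.minDurationMs) indicators.push('too_fast');

  return { attack: indicators.length >= 2, indicators };
}

// Operation 330: map the identification result to return information.
function returnInfoFor(result, useVerification) {
  if (!result.attack) return { type: 'first_indication' };
  return useVerification
    ? { type: 'verification', challenge: 'challenge-placeholder' }
    : { type: 'third_indication' };
}
```

The trajectory is supplied by the client, so replayed or synthesized human-like tracks can pass these checks; the verification step of Embodiment four and the server-side confirmation of Embodiment five are the complementary controls.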
Embodiment four
Fig. 4 is a schematic flowchart of the service request processing method provided by Embodiment four. On the basis of Embodiment three, this embodiment further optimizes operation 330; the method can again be performed by the anti-attack server. Referring to Fig. 4, the method provided by this embodiment comprises the following operations:
Operation 410: receive data sent by the browser on the terminal, the data being the input behavior data, recorded while the webpage was displayed, that the browser obtained after detecting a service request generated based on the currently displayed webpage.
Operation 420: perform attack-behavior identification according to the input behavior data.
If the identification result is non-attack behavior, perform operation 430; if the identification result is attack behavior, perform operations 440 to 460.
Operation 430: generate the corresponding first indication information and send it to the browser, so as to instruct the browser to initiate the service request to the application server after receiving the first indication information.
Operation 440: generate the corresponding verification information and send it to the browser.
Operation 450: verify the verification feedback that the browser returns in response to the verification information.
As an example, the verification information is a verification picture containing a verification code, and verifying the verification feedback comprises: matching the verification feedback against the verification code; if they match, verification succeeds, otherwise verification fails. Or
the verification information is a verification picture containing a question, the correct answer to the question, distractor answers and similar content, and verifying the verification feedback comprises: parsing the verification feedback to obtain the answer selected from the verification information; checking whether the selected answer is the correct answer to the question; if so, verification succeeds, otherwise verification fails.
Operation 460: after verification succeeds, issue the second indication information to the browser, so as to instruct the browser to initiate the service request to the application server after receiving the second indication information.
If verification succeeds, the attack-behavior identification was mistaken, and the service request detected by the browser is not an attack request. As a preferred implementation, the service request processing method of this embodiment further comprises: after verification succeeds, the anti-attack server corrects the attack-behavior identification result and optimizes the attack-behavior identification algorithm based on the correction. The correction specifically comprises: changing the obtained attack-behavior identification result to a non-attack-behavior identification result.
Preferably, if verification fails, the attack-behavior identification was correct, and the service request detected by the browser really is an attack request. Accordingly, the anti-attack server can issue the third indication information to the browser, so as to instruct the browser, after receiving the third indication information, to mask the service request and refuse to initiate it to the application server.
With the technical scheme provided by this embodiment, after the identification result is found to be attack behavior, a verification mechanism can be enabled to verify the service request detected by the browser and check whether it really is attack behavior, which effectively ensures the accuracy of anti-attack identification and strengthens the security of the application server. Furthermore, when the identification result is non-attack behavior, the indication that allows the browser to initiate the service request to the application server is issued directly, without requiring the user to input information for verification, which speeds up initiation of the service request and improves the user experience.
Embodiment five
Fig. 5 is a schematic flowchart of the service request processing method provided by Embodiment five. On the basis of Embodiments three and four, this embodiment adds an operation for issuing the anti-attack monitoring code; the method can again be performed by the anti-attack server. Referring to Fig. 5, the method provided by this embodiment comprises the following operations:
Operation 510: receive the anti-attack monitoring code acquisition request that the browser in the terminal initiates according to the anti-attack service interface and the code resource identifier configured in the currently displayed webpage.
Operation 520: according to the anti-attack monitoring code acquisition request, look up the anti-attack monitoring code of the webpage and return it to the browser.
Operation 530: receive data sent by the browser on the terminal, the data being the input behavior data, recorded while the webpage was displayed, that the browser obtained after detecting a service request generated based on the webpage.
Operation 540: perform attack-behavior identification according to the input behavior data.
Operation 550: generate return information based on the identification result and send it to the browser, so as to instruct the browser to determine, according to the return information, whether to initiate the service request to the application server that provides the webpage.
In this embodiment, the application server can ask the anti-attack server in advance to generate the anti-attack monitoring code corresponding to the webpage it provides. Before performing operation 510, therefore, the anti-attack server also: receives an anti-attack monitoring code generation request sent by the application server, the request containing the uniform resource locator (URL) of the webpage and the service requests that need to be monitored; generates the corresponding anti-attack monitoring code according to the generation request, and randomly generates a character string that uniquely identifies this code; and delivers this character string to the application server as the code resource identifier, so as to instruct the application server to configure the anti-attack service interface and the code resource identifier in the webpage.
The service requests that need to be monitored are: some or all of the service requests generated by triggering any component or designated components in the webpage. Generating the corresponding anti-attack monitoring code according to the generation request comprises: obtaining the HTML (Hypertext Markup Language) code of the webpage corresponding to the URL contained in the generation request, and generating the corresponding anti-attack monitoring code according to the HTML code and the service requests to be monitored that are contained in the generation request.
After receiving the anti-attack monitoring code acquisition request sent by the browser, the anti-attack server can extract the code resource identifier it contains and look up the corresponding anti-attack monitoring code by this identifier.
As a preferred implementation, the method provided by this embodiment further comprises: dynamically generating an encryption algorithm, used to encrypt communication between the browser and the anti-attack server; and returning the encryption algorithm to the browser together with the anti-attack monitoring code. Because the encryption algorithm is generated dynamically and replaced frequently, rather than being a fixed algorithm generated in advance, attack difficulty is greatly increased, which effectively prevents the service request processing mechanism of this embodiment from being cracked.
Considering that some malicious software tools may still be able to crack the service request processing method provided by this embodiment, security can be ensured further as follows. On the basis of the above technical scheme, after performing attack-behavior identification according to the input behavior data, the anti-attack server also: if the identification result is non-attack behavior, sends the identification result to the application server, so as to instruct the application server to respond to the service request according to the identification result. If the application server, after receiving the service request sent by the browser, does not receive within a preset time interval the non-attack-behavior identification result sent by the anti-attack server, it refuses to respond to the service request.
Embodiment six
Fig. 6 is a schematic structural diagram of a terminal browser provided by Embodiment six of the present invention. Referring to Fig. 6, the browser is structured as follows:
Service request monitoring unit 610, configured to monitor for service requests produced based on the currently displayed webpage;
Input behavior data acquiring unit 620, configured to obtain the input behavior data recorded while the webpage was displayed, if the service request monitoring unit 610 detects the service request;
Input behavior data sending unit 630, configured to send the input behavior data to the attack protection server, so as to obtain the return information that the attack protection server generates based on the recognition result after performing attack behavior identification according to the input behavior data;
Service request initiating unit 640, configured to determine, according to the return information, whether to initiate the service request to the application server that provides the webpage.
For example, the service request initiating unit 640 is specifically configured to:
If the return information is the first indication information, which corresponds to a recognition result of non-attack behavior, initiate the service request to the application server;
If the return information is the authorization information, which corresponds to a recognition result of attack behavior, obtain the checking feedback that is input, send it to the attack protection server for verification, and, after receiving the second indication information that the attack protection server generates based on a successful verification, initiate the service request to the application server.
For example, the browser provided by this embodiment further comprises an attack protection monitor code acquiring unit 600, configured to:
Before the service request monitoring unit 610 monitors for service requests produced based on the currently displayed webpage, access and display the webpage provided by the application server;
According to the attack protection service interface and the code resource mark configured in the webpage, obtain the attack protection monitor code of the webpage from the attack protection server.
For example, the attack protection monitor code acquiring unit 600 is further configured to:
While obtaining the attack protection monitor code of the webpage from the attack protection server, obtain the cryptographic algorithm dynamically generated by the attack protection server, the cryptographic algorithm being used to encrypt the communication between the browser and the attack protection server.
On the basis of the above technical solution, the input behavior data comprises: the mouse movement trajectory on the terminal and/or the coordinates of the mouse click that triggers the service request.
The monitored service requests comprise: some or all of the service requests produced by triggering a specified component in the webpage.
The above product can perform the service request processing method performed by the browser on the terminal that is provided by any embodiment of the present invention, and has the functional modules and beneficial effects corresponding to that method. For technical details not described in this embodiment, see the service request processing method performed by the browser on the terminal that is provided by any embodiment of the present invention.
Embodiment seven
Fig. 7 is a schematic structural diagram of an attack protection server provided by Embodiment seven of the present invention. Referring to Fig. 7, the attack protection server is structured as follows:
Input behavior data receiving unit 710, configured to receive the data sent by the browser on the terminal, the data being the input behavior data recorded while the webpage was displayed, which the browser obtains after it detects a service request produced based on the currently displayed webpage;
Attack recognition unit 720, configured to perform attack behavior identification according to the input behavior data;
Return information sending unit 730, configured to generate return information based on the recognition result and send it to the browser, to instruct the browser to determine, according to the return information, whether to initiate the service request to the application server that provides the webpage.
For example, the return information sending unit 730 is specifically configured to:
If the recognition result obtained by the attack recognition unit 720 is non-attack behavior, generate the corresponding first indication information and send it to the browser, to instruct the browser to initiate the service request to the application server after receiving the first indication information;
If the recognition result obtained by the attack recognition unit 720 is attack behavior, generate the corresponding authorization information and send it to the browser, verify the checking feedback that the browser returns in response to the authorization information, and, after the verification succeeds, issue the second indication information to the browser, to instruct the browser to initiate the service request to the application server after receiving the second indication information.
For example, the attack protection server provided by this embodiment further comprises a recognition optimizing unit 740, configured to, after the verification by the return information sending unit 730 succeeds, correct this attack recognition result and optimize the attack behavior recognition algorithm based on the correction.
For example, the attack protection server provided by this embodiment further comprises an attack protection monitor code issuing unit 700, configured to:
Before the input behavior data receiving unit 710 receives the data sent by the browser on the terminal, receive the attack protection monitor code acquisition request that the browser initiates according to the attack protection service interface and the code resource mark configured in the webpage;
According to the attack protection monitor code acquisition request, look up the attack protection monitor code of the webpage and return it to the browser.
For example, the attack protection monitor code issuing unit 700 is further configured to:
Dynamically generate a cryptographic algorithm, the cryptographic algorithm being used to encrypt the communication between the browser and the attack protection server;
Return the cryptographic algorithm to the browser together with the attack protection monitor code.
On the basis of the above technical solution, the attack protection server provided by this embodiment further comprises:
Recognition result sending unit 750, configured to, after the attack recognition unit 720 performs attack behavior identification according to the input behavior data, send the recognition result to the application server if the recognition result obtained is non-attack behavior, to instruct the application server to respond to the service request according to the recognition result.
The input behavior data comprises at least one of the following: the mouse movement trajectory on the terminal and/or the coordinates of the mouse click that triggers the service request.
The above product can perform the service request processing method performed by the attack protection server that is provided by any embodiment of the present invention, and has the functional modules and beneficial effects corresponding to that method. For technical details not described in this embodiment, see the service request processing method performed by the attack protection server that is provided by any embodiment of the present invention.
Embodiment eight
Fig. 8 is a signaling flowchart of the service request processing method provided by Embodiment eight of the present invention. This embodiment builds on all of the above embodiments and provides a preferred embodiment. Referring to Fig. 8, the method provided by this embodiment comprises the following operations:
Operation 801: the browser on the terminal sends a webpage acquisition request to the application server in order to access the webpage.
Operation 802: the application server returns to the browser the webpage found according to the webpage acquisition request.
Operation 803: the browser displays the webpage.
Operation 804: the browser extracts the attack protection service interface and the code resource mark configured in the webpage.
Operation 805: based on the attack protection service interface, the browser initiates an attack protection monitor code acquisition request to the attack protection server; the request contains the code resource mark.
Operation 806: the attack protection server returns to the browser the attack protection monitor code of the webpage, obtained according to the code resource mark, together with the dynamically generated cryptographic algorithm.
The cryptographic algorithm is used to encrypt the communication between the browser and the attack protection server.
By running the received attack protection monitor code of the webpage, the browser performs the subsequent operations of the service request processing method performed by the browser.
Operation 807: the browser records input behavior data while the webpage is displayed.
Operation 808: the browser detects a set service request produced based on the currently displayed webpage.
The set service request is some or all of the service requests produced by triggering a specified component in the webpage.
Operation 809: the browser sends the recorded input behavior data to the attack protection server.
Operation 810: the attack protection server performs attack behavior identification according to the input behavior data.
If the recognition result is non-attack behavior, operation 811 is performed; if the recognition result is attack behavior, the verification mechanism is enabled and operations 812 to 816 are performed.
Operation 811: the attack protection server generates the corresponding first indication information and sends it to the browser. Operation 817 is then performed.
Operation 812: the attack protection server generates the corresponding authorization information and sends it to the browser.
Operation 813: the browser displays the authorization information and obtains the checking feedback that is input.
Operation 814: the browser sends the checking feedback to the attack protection server.
Operation 815: the attack protection server verifies the checking feedback.
Operation 816: if the verification succeeds, the attack protection server corrects the attack recognition result to non-attack behavior, generates the corresponding second indication information, and sends it to the browser. Operation 817 is then performed.
Preferably, if the verification fails, the attack protection server generates the corresponding verification-failure indication information and sends it to the browser; after receiving the verification-failure indication information, the browser blocks the detected set service request and refuses to send it to the application server, and the flow ends.
Operation 817: after receiving the first indication information or the second indication information, the browser initiates the service request to the application server.
Operation 818: the application server sends a request to the attack protection server to obtain the recognition result.
Operation 819: the attack protection server returns the recognition result.
Operation 820: the application server determines, according to the recognition result, whether to respond to the set service request.
Specifically, if the recognition result is non-attack behavior, it responds to the set service request; if the recognition result is attack behavior, it refuses to respond to the set service request.
The technical solution provided by this embodiment has the following advantages: it can distinguish in real time whether a behavior is an attack and intercept the service requests of attack behavior in time, which increases the degree of freedom of the program and reduces the load on the application server; the cryptographic algorithm is random and changes frequently, which increases the difficulty of an attack; and for attack behavior, a verification code is started automatically, which protects the application server.
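The decision flow of operations 809 to 820, together with the time-limited check on the application server described in Embodiment five, as an added JavaScript example that is not code from the patent. The request identifier, the trajectory heuristic in `recognize`, the thresholds, the single-use result and the `challengeFor` callback are assumptions; the patent does not specify the recognition algorithm or how a recognition result is bound to a request.

```javascript
// Added illustration of operations 809-820. All names, thresholds and the
// recognition heuristic are assumptions; the patent specifies none of them.
const NON_ATTACK = 'non-attack';
const ATTACK = 'attack';

// Assumed heuristic: a real click follows a mouse trajectory that ends near the
// click coordinate. Missing or malformed data is classified as attack.
function recognize(behavior) {
  const track = Array.isArray(behavior?.track) ? behavior.track : [];
  const click = behavior?.click;
  if (!click || track.length < 5) return ATTACK;
  const last = track[track.length - 1];
  const gap = Math.hypot(last?.x - click.x, last?.y - click.y);
  return gap <= 10 ? NON_ATTACK : ATTACK; // NaN compares false, so bad input fails closed
}

class AttackProtectionServer {
  // challengeFor(requestId) -> { prompt, answer }: hypothetical verification-code source.
  constructor(challengeFor) {
    this.challengeFor = challengeFor;
    this.records = new Map(); // requestId -> { result, decidedAt, answer? }
  }

  // Operations 809-812: identify, then return the first indication or a challenge.
  submitBehavior(requestId, behavior, now) {
    const result = recognize(behavior);
    if (result === NON_ATTACK) {
      this.records.set(requestId, { result, decidedAt: now });
      return { type: 'first-indication' };
    }
    const { prompt, answer } = this.challengeFor(requestId);
    this.records.set(requestId, { result, decidedAt: now, answer });
    return { type: 'authorization-information', prompt };
  }

  // Operations 814-816: check the feedback; success corrects the recognition result.
  verify(requestId, feedback, now) {
    const rec = this.records.get(requestId);
    if (!rec || rec.answer === undefined) return { type: 'verification-failed' };
    const ok = feedback === rec.answer;
    delete rec.answer; // assumption: one attempt per challenge
    if (!ok) return { type: 'verification-failed' };
    rec.result = NON_ATTACK;
    rec.decidedAt = now;
    return { type: 'second-indication' };
  }

  // Operations 818-819: recognition result for the application server.
  // Assumption: a non-attack result is handed out once, so it cannot be replayed.
  takeResult(requestId) {
    const rec = this.records.get(requestId);
    if (!rec) return null;
    if (rec.result === NON_ATTACK) this.records.delete(requestId);
    return { result: rec.result, decidedAt: rec.decidedAt };
  }
}

class ApplicationServer {
  constructor(protection, maxAgeMs) {
    this.protection = protection;
    this.maxAgeMs = maxAgeMs; // models the "preset time interval" of Embodiment five
  }

  // Operation 820: respond only on a fresh non-attack result; refuse everything else.
  handleServiceRequest(requestId, now) {
    const r = this.protection.takeResult(requestId);
    if (!r || r.result !== NON_ATTACK) return 'refused';
    return now - r.decidedAt <= this.maxAgeMs ? 'responded' : 'refused';
  }
}

// Constructed sample inputs: a human-like trajectory and a script with no mouse data.
function demo() {
  const aps = new AttackProtectionServer(() => ({ prompt: 'enter 7351', answer: '7351' }));
  const app = new ApplicationServer(aps, 5000);
  const human = {
    track: [{ x: 10, y: 10 }, { x: 40, y: 22 }, { x: 80, y: 35 }, { x: 120, y: 48 }, { x: 150, y: 60 }],
    click: { x: 152, y: 61 },
  };
  const script = { track: [], click: { x: 152, y: 61 } };
  const out = {};
  out.humanReply = aps.submitBehavior('req-1', human, 1000).type;
  out.humanRequest = app.handleServiceRequest('req-1', 1200);
  out.replayedRequest = app.handleServiceRequest('req-1', 1300);
  out.scriptReply = aps.submitBehavior('req-2', script, 2000).type;
  out.scriptBeforeVerify = app.handleServiceRequest('req-2', 2100);
  out.scriptVerify = aps.verify('req-2', '7351', 2500).type;
  out.scriptAfterVerify = app.handleServiceRequest('req-2', 2600);
  out.directRequest = app.handleServiceRequest('req-3', 3000); // never passed through the browser flow
  aps.submitBehavior('req-4', script, 3500);
  out.wrongFeedback = aps.verify('req-4', '0000', 3600).type;
  aps.submitBehavior('req-5', human, 4000);
  out.staleRequest = app.handleServiceRequest('req-5', 10000);
  return out;
}

console.log(demo());
```

The `directRequest` and `replayedRequest` cases show why operations 818 to 820 matter: a client that skips the monitor code, or reuses an earlier approval, is refused by the application server regardless of what the browser-side flow decided.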
Note that the above are only preferred embodiments of the present invention and the technical principles applied. Those skilled in the art will appreciate that the invention is not limited to the specific embodiments described here, and that various obvious changes, readjustments and substitutions can be made by those skilled in the art without departing from the protection scope of the present invention. Therefore, although the present invention has been described in further detail through the above embodiments, it is not limited to them; without departing from the concept of the present invention, it can also include other equivalent embodiments, and the scope of the present invention is determined by the scope of the appended claims.
Claims (23)
1. A service request processing method, characterized in that it is applied to a browser on a terminal and comprises:
Monitoring for service requests produced based on the currently displayed webpage;
If the service request is detected, obtaining the input behavior data recorded while the webpage was displayed;
Sending the input behavior data to an attack protection server, so as to obtain the return information that the attack protection server generates based on the recognition result after performing attack behavior identification according to the input behavior data;
Determining, according to the return information, whether to initiate the service request to the application server that provides the webpage.
2. The method according to claim 1, characterized in that determining, according to the return information, whether to initiate the service request to the application server that provides the webpage comprises:
If the return information is the first indication information, which corresponds to a recognition result of non-attack behavior, initiating the service request to the application server;
If the return information is the authorization information, which corresponds to a recognition result of attack behavior, obtaining the checking feedback that is input, sending it to the attack protection server for verification, and, after receiving the second indication information that the attack protection server generates based on a successful verification, initiating the service request to the application server.
3. The method according to claim 1, characterized in that, before monitoring for service requests produced based on the currently displayed webpage, it further comprises:
Accessing and displaying the webpage provided by the application server;
According to the attack protection service interface and the code resource mark configured in the webpage, obtaining the attack protection monitor code of the webpage from the attack protection server.
4. The method according to claim 3, characterized in that it further comprises:
While obtaining the attack protection monitor code of the webpage from the attack protection server, obtaining the cryptographic algorithm dynamically generated by the attack protection server, the cryptographic algorithm being used to encrypt the communication between the browser and the attack protection server.
5. The method according to any one of claims 1-4, characterized in that the input behavior data comprises: the mouse movement trajectory on the terminal and/or the coordinates of the mouse click that triggers the service request.
6. The method according to any one of claims 1-4, characterized in that the monitored service requests comprise: some or all of the service requests produced by triggering a specified component in the webpage.
7. A service request processing method, characterized in that it is applied to an attack protection server and comprises:
Receiving the data sent by the browser on the terminal, the data being the input behavior data recorded while the webpage was displayed, which the browser obtains after it detects a service request produced based on the currently displayed webpage;
Performing attack behavior identification according to the input behavior data;
Generating return information based on the recognition result and sending it to the browser, to instruct the browser to determine, according to the return information, whether to initiate the service request to the application server that provides the webpage.
8. The method according to claim 7, characterized in that generating return information based on the recognition result and sending it to the browser, to instruct the browser to determine, according to the return information, whether to initiate the service request to the application server, comprises:
If the recognition result is non-attack behavior, generating the corresponding first indication information and sending it to the browser, to instruct the browser to initiate the service request to the application server after receiving the first indication information;
If the recognition result is attack behavior, generating the corresponding authorization information and sending it to the browser, verifying the checking feedback that the browser returns in response to the authorization information, and, after the verification succeeds, issuing the second indication information to the browser, to instruct the browser to initiate the service request to the application server after receiving the second indication information.
9. The method according to claim 8, characterized in that it further comprises: after the verification succeeds, correcting this attack recognition result, and optimizing the attack behavior recognition algorithm based on the correction.
10. The method according to claim 7, characterized in that, before receiving the data sent by the browser on the terminal, it further comprises:
Receiving the attack protection monitor code acquisition request that the browser initiates according to the attack protection service interface and the code resource mark configured in the webpage;
According to the attack protection monitor code acquisition request, looking up the attack protection monitor code of the webpage and returning it to the browser.
11. The method according to claim 10, characterized in that it further comprises: dynamically generating a cryptographic algorithm, the cryptographic algorithm being used to encrypt the communication between the browser and the attack protection server;
Returning the cryptographic algorithm to the browser together with the attack protection monitor code.
12. The method according to any one of claims 7-11, characterized in that the input behavior data comprises: the mouse movement trajectory on the terminal and/or the coordinates of the mouse click that triggers the service request.
13. The method according to any one of claims 7-11, characterized in that, after performing attack behavior identification according to the input behavior data, it further comprises:
If the recognition result is non-attack behavior, sending the recognition result to the application server, to instruct the application server to respond to the service request according to the recognition result.
14. A terminal browser, characterized in that it comprises:
A service request monitoring unit, configured to monitor for service requests produced based on the currently displayed webpage;
An input behavior data acquiring unit, configured to obtain the input behavior data recorded while the webpage was displayed, if the service request monitoring unit detects the service request;
An input behavior data sending unit, configured to send the input behavior data to an attack protection server, so as to obtain the return information that the attack protection server generates based on the recognition result after performing attack behavior identification according to the input behavior data;
A service request initiating unit, configured to determine, according to the return information, whether to initiate the service request to the application server that provides the webpage.
15. The browser according to claim 14, characterized in that the service request initiating unit is specifically configured to:
If the return information is the first indication information, which corresponds to a recognition result of non-attack behavior, initiate the service request to the application server;
If the return information is the authorization information, which corresponds to a recognition result of attack behavior, obtain the checking feedback that is input, send it to the attack protection server for verification, and, after receiving the second indication information that the attack protection server generates based on a successful verification, initiate the service request to the application server.
16. The browser according to claim 14, characterized in that it further comprises an attack protection monitor code acquiring unit, configured to:
Before the service request monitoring unit monitors for service requests produced based on the currently displayed webpage, access and display the webpage provided by the application server;
According to the attack protection service interface and the code resource mark configured in the webpage, obtain the attack protection monitor code of the webpage from the attack protection server.
17. The browser according to claim 16, characterized in that the attack protection monitor code acquiring unit is further configured to:
While obtaining the attack protection monitor code of the webpage from the attack protection server, obtain the cryptographic algorithm dynamically generated by the attack protection server, the cryptographic algorithm being used to encrypt the communication between the browser and the attack protection server.
18. An attack protection server, characterized in that it comprises:
An input behavior data receiving unit, configured to receive the data sent by the browser on the terminal, the data being the input behavior data recorded while the webpage was displayed, which the browser obtains after it detects a service request produced based on the currently displayed webpage;
An attack recognition unit, configured to perform attack behavior identification according to the input behavior data;
A return information sending unit, configured to generate return information based on the recognition result and send it to the browser, to instruct the browser to determine, according to the return information, whether to initiate the service request to the application server that provides the webpage.
19. The attack protection server according to claim 18, characterized in that the return information sending unit is specifically configured to:
If the recognition result obtained by the attack recognition unit is non-attack behavior, generate the corresponding first indication information and send it to the browser, to instruct the browser to initiate the service request to the application server after receiving the first indication information;
If the recognition result obtained by the attack recognition unit is attack behavior, generate the corresponding authorization information and send it to the browser, verify the checking feedback that the browser returns in response to the authorization information, and, after the verification succeeds, issue the second indication information to the browser, to instruct the browser to initiate the service request to the application server after receiving the second indication information.
20. The attack protection server according to claim 19, characterized in that it further comprises: a recognition optimizing unit, configured to, after the verification by the return information sending unit succeeds, correct this attack recognition result and optimize the attack behavior recognition algorithm based on the correction.
21. The attack protection server according to claim 18, characterized in that it further comprises an attack protection monitor code issuing unit, configured to:
Before the input behavior data receiving unit receives the data sent by the browser on the terminal, receive the attack protection monitor code acquisition request that the browser initiates according to the attack protection service interface and the code resource mark configured in the webpage;
According to the attack protection monitor code acquisition request, look up the attack protection monitor code of the webpage and return it to the browser.
22. The attack protection server according to claim 21, characterized in that the attack protection monitor code issuing unit is further configured to:
Dynamically generate a cryptographic algorithm, the cryptographic algorithm being used to encrypt the communication between the browser and the attack protection server;
Return the cryptographic algorithm to the browser together with the attack protection monitor code.
23. The attack protection server according to any one of claims 18-22, characterized in that it further comprises:
A recognition result sending unit, configured to, after the attack recognition unit performs attack behavior identification according to the input behavior data, send the recognition result to the application server, to instruct the application server to determine, according to the recognition result, whether to respond to the service request.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510375370.8A CN104994092B (en) | 2015-06-30 | 2015-06-30 | Service request processing method, terminal browser and attack protection server |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104994092A true CN104994092A (en) | 2015-10-21 |
CN104994092B CN104994092B (en) | 2018-11-06 |
Family
ID=54305844
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510375370.8A Active CN104994092B (en) | 2015-06-30 | 2015-06-30 | Service request processing method, terminal browser and attack protection server |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104994092B (en) |
Cited By (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105376251A (en) * | 2015-12-02 | 2016-03-02 | 华侨大学 | Intrusion detection method and intrusion detection system based on cloud computing |
CN106230855A (en) * | 2016-08-30 | 2016-12-14 | 五八同城信息技术有限公司 | Request message treatment method and device |
CN107220543A (en) * | 2017-05-31 | 2017-09-29 | 北京京东尚科信息技术有限公司 | The method and apparatus for handling the service request of mobile terminal |
CN108460269A (en) * | 2018-03-21 | 2018-08-28 | 广州多益网络股份有限公司 | Verification method and device, verification terminal device |
CN108495272A (en) * | 2018-03-19 | 2018-09-04 | 上海哔哩哔哩科技有限公司 | Robot recognition methods, system and storage medium based on HTML5 browsers |
CN108512808A (en) * | 2017-02-24 | 2018-09-07 | 贵州白山云科技有限公司 | A kind of malicious requests hold-up interception method and system improving access response speed |
CN109407947A (en) * | 2018-09-30 | 2019-03-01 | 北京金山云网络技术有限公司 | Interface alternation and its verification method, logging request generation and verification method and device |
CN110266727A (en) * | 2019-07-09 | 2019-09-20 | 中国工商银行股份有限公司 | Recognition methods, server and the client of simulation browser behavior |
CN110909353A (en) * | 2019-11-28 | 2020-03-24 | 网易(杭州)网络有限公司 | Plug-in detection method and device |
CN111489184A (en) * | 2019-01-29 | 2020-08-04 | 北京京东尚科信息技术有限公司 | Method, device, server, client and medium for verifying click behavior |
CN111641588A (en) * | 2020-04-28 | 2020-09-08 | 深圳壹账通智能科技有限公司 | Webpage analog input detection method and device, computer equipment and storage medium |
WO2020199163A1 (en) * | 2019-04-03 | 2020-10-08 | Citrix Systems, Inc. | Systems and methods for protecting remotely hosted application from malicious attacks |
CN113360812A (en) * | 2016-03-07 | 2021-09-07 | 创新先进技术有限公司 | Service execution method and device |
CN118138330A (en) * | 2024-03-19 | 2024-06-04 | 北京安胜华信科技有限公司 | Man-machine behavior detection method and system based on mobile terminal |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102737019A (en) * | 2011-03-31 | 2012-10-17 | 阿里巴巴集团控股有限公司 | Machine behavior determining method, webpage browser and webpage server |
CN103218431A (en) * | 2013-04-10 | 2013-07-24 | 金军 | System and method for identifying and automatically acquiring webpage information |
US8578482B1 (en) * | 2008-01-11 | 2013-11-05 | Trend Micro Inc. | Cross-site script detection and prevention |
Cited By (20)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105376251A (en) * | 2015-12-02 | 2016-03-02 | 华侨大学 | Intrusion detection method and intrusion detection system based on cloud computing |
CN113360812B (en) * | 2016-03-07 | 2024-02-06 | 创新先进技术有限公司 | Service execution method and device |
CN113360812A (en) * | 2016-03-07 | 2021-09-07 | 创新先进技术有限公司 | Service execution method and device |
CN106230855A (en) * | 2016-08-30 | 2016-12-14 | 五八同城信息技术有限公司 | Request message treatment method and device |
CN108512808A (en) * | 2017-02-24 | 2018-09-07 | 贵州白山云科技有限公司 | A kind of malicious requests hold-up interception method and system improving access response speed |
CN108512808B (en) * | 2017-02-24 | 2019-05-31 | 北京数安鑫云信息技术有限公司 | A kind of malicious requests hold-up interception method and system improving access response speed |
CN107220543B (en) * | 2017-05-31 | 2020-11-24 | 北京京东尚科信息技术有限公司 | Method and device for processing service request of mobile terminal |
CN107220543A (en) * | 2017-05-31 | 2017-09-29 | 北京京东尚科信息技术有限公司 | The method and apparatus for handling the service request of mobile terminal |
CN108495272A (en) * | 2018-03-19 | 2018-09-04 | 上海哔哩哔哩科技有限公司 | Robot recognition methods, system and storage medium based on HTML5 browsers |
CN108460269A (en) * | 2018-03-21 | 2018-08-28 | 广州多益网络股份有限公司 | Verification method and device, verification terminal device |
CN109407947A (en) * | 2018-09-30 | 2019-03-01 | 北京金山云网络技术有限公司 | Interface alternation and its verification method, logging request generation and verification method and device |
CN111489184A (en) * | 2019-01-29 | 2020-08-04 | 北京京东尚科信息技术有限公司 | Method, device, server, client and medium for verifying click behavior |
WO2020199163A1 (en) * | 2019-04-03 | 2020-10-08 | Citrix Systems, Inc. | Systems and methods for protecting remotely hosted application from malicious attacks |
CN113632080A (en) * | 2019-04-03 | 2021-11-09 | 思杰系统有限公司 | System and method for protecting remotely hosted applications from malicious attacks |
US11347842B2 (en) | 2019-04-03 | 2022-05-31 | Citrix Systems, Inc. | Systems and methods for protecting a remotely hosted application from malicious attacks |
CN110266727A (en) * | 2019-07-09 | 2019-09-20 | 中国工商银行股份有限公司 | Recognition methods, server and the client of simulation browser behavior |
CN110909353A (en) * | 2019-11-28 | 2020-03-24 | 网易(杭州)网络有限公司 | Plug-in detection method and device |
CN111641588A (en) * | 2020-04-28 | 2020-09-08 | 深圳壹账通智能科技有限公司 | Webpage analog input detection method and device, computer equipment and storage medium |
CN118138330A (en) * | 2024-03-19 | 2024-06-04 | 北京安胜华信科技有限公司 | Man-machine behavior detection method and system based on mobile terminal |
CN118138330B (en) * | 2024-03-19 | 2024-11-19 | 北京安胜华信科技有限公司 | Man-machine behavior detection method and system based on mobile terminal |
Also Published As
Publication number | Publication date |
---|---|
CN104994092B (en) | 2018-11-06 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN104994092A (en) | Service request processing method, terminal browser and anti-attack server | |
US10657243B2 (en) | Variation analysis-based public turing test to tell computers and humans apart | |
CN104144419B (en) | Identity authentication method, device and system | |
JP6879367B2 (en) | Attack status visualization device, attack status visualization method and program | |
CN107451472B (en) | Form verification method, device and system | |
CN103139138B (en) | A kind of application layer denial of service means of defence based on client detection and system | |
US11810014B2 (en) | Systems, methods and apparatus for evaluating status of computing device user | |
CN102739663A (en) | Detection method and scanning engine of web pages | |
KR101369743B1 (en) | Apparatus and method for verifying referer | |
CN109302394A (en) | A kind of anti-simulation login method of terminal, device, server and storage medium | |
CN107612926B (en) | One-sentence speech WebShell interception method based on client recognition | |
CN102833212A (en) | Webpage visitor identity identification method and system | |
CN107241306B (en) | Man-machine identification method, server, client and man-machine identification system | |
CN103902913B (en) | A kind of method and apparatus for carrying out safe handling to web applications | |
CN109818906B (en) | Equipment fingerprint information processing method and device and server | |
CN109120626A (en) | Security threat processing method, system, safety perception server and storage medium | |
JP2011043924A (en) | Web action history acquisition system, web action history acquisition method, gateway device and program | |
CN106209748A (en) | The means of defence of internet interface and device | |
CN105592070B (en) | Application layer DDoS defence methods and system | |
CN103929498A (en) | Method and device for processing client requests | |
JP6258189B2 (en) | Specific apparatus, specific method, and specific program | |
CN111953647A (en) | Security verification method and device, electronic equipment and storage medium | |
CN107634969B (en) | Data interaction method and device | |
CN112751799A (en) | Verification method and device based on picture verification code | |
US20200314190A1 (en) | Determining that multiple requests are received from a particular user device | |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||