CN115001832B - Method and device for preventing password attack and electronic equipment - Google Patents
Classifications: H04L63/083 (network security: authentication of entities using passwords); H04L63/10 (network security: controlling access to devices or network resources); H04L63/1441 (network security: countermeasures against malicious traffic); H04L63/1466 (active attacks involving interception, injection, modification or spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks).
Abstract
The application provides a method and a device for preventing a password attack, and an electronic device. The method comprises the following steps: obtaining the login passwords used by a plurality of login requests from a first source address within a preset period; evaluating the password leakage risk degree of each login password; determining at least one attack candidate password based on the password leakage risk degree, where an attack candidate password is a login password whose password leakage risk degree lies in a preset range; and, based on the number of the login requests that use an attack candidate password, selecting and executing one of a plurality of password attack defense strategies to prevent a password attack from the first source address. With this technical scheme, account login efficiency and user experience can be improved while security defense capability is still provided.
Description
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a method and an apparatus for preventing a password attack, and an electronic device.
Background
An account number and a password form an identity authentication mechanism: when using various applications, a user is required to set an account number and a corresponding password, log in to the application with them, and then obtain the required data or carry out the corresponding work. However, in some cases an attacker can easily obtain the user's account number, and if the password of that account is a weak password, the attacker is likely to log in to the account successfully within a limited number of attempts, which threatens network security. For example, when an attacker launches an account login attack on many accounts using a set of common passwords, there is a high likelihood that some account will be successfully logged in to.
Disclosure of Invention
In view of this, the embodiments of the present application provide a method, an apparatus and an electronic device for preventing a password attack, which can provide security protection capability while avoiding a secondary authentication operation for every login, so that account login efficiency and user experience can be improved.
In a first aspect, embodiments of the present application provide a method for preventing a password attack, including: obtaining the login passwords used by a plurality of login requests from a first source address within a preset period; evaluating the password leakage risk degree of each login password; determining at least one attack candidate password based on the password leakage risk degree, where an attack candidate password is a login password whose password leakage risk degree lies in a preset range; and, based on the number of the login requests that use an attack candidate password, selecting and executing one of a plurality of password attack defense strategies to prevent a password attack from the first source address.
In a second aspect, embodiments of the present application provide an apparatus for preventing a password attack, including: an acquisition module for acquiring the login passwords used by a plurality of login requests from a first source address within a preset period; a determining module for evaluating the password leakage risk degree of each login password and determining at least one attack candidate password based on it, where an attack candidate password is a login password whose password leakage risk degree lies in a preset range; and an execution module for selecting and executing one of a plurality of password attack defense strategies, based on the number of the login requests that use an attack candidate password, so as to prevent a password attack from the first source address.
In a third aspect, embodiments of the present application provide an electronic device, including: a processor; and a memory for storing processor-executable instructions, wherein the processor is configured to perform the method for preventing a password attack described in the first aspect above.
In a fourth aspect, embodiments of the present application provide a computer readable storage medium storing a computer program for executing the method for preventing a password attack according to the first aspect.
In a fifth aspect, embodiments of the present application provide a computer program product comprising instructions which, when executed by a processor of a computer device, enable the computer device to perform the method steps of the above-described embodiments.
The embodiments of the present application provide a method, a device and an electronic device for preventing a password attack. Attack candidate passwords are determined, on the basis of password leakage risk level, from the login passwords used by multiple login requests, and a corresponding password attack defense strategy is then selected and executed according to the number of login requests that use an attack candidate password. This improves the security of the account login process, prevents malicious login behavior and provides a certain security defense capability. In addition, the embodiments avoid improving security by demanding secondary authentication for every login, so account login efficiency and user experience are improved. Compared with a conventional account login method without secondary authentication, the method and device achieve higher security while keeping the same account login efficiency and user experience, can resist password attacks and prevent malicious login behavior.
Drawings
Fig. 1 is a schematic architecture diagram of a system for preventing a password attack according to an exemplary embodiment of the present application.
Fig. 2 is a flow chart of a method for preventing a password attack according to an exemplary embodiment of the present application.
Fig. 3 is a flow chart of a method for preventing a password attack according to another exemplary embodiment of the present application.
Fig. 4 is a schematic structural diagram of an apparatus for preventing a password attack according to an exemplary embodiment of the present application.
Fig. 5 is a block diagram of an electronic device for performing a method for preventing a password attack according to an exemplary embodiment of the present application.
Detailed Description
The following description of the technical solutions in the embodiments of the present application will be made clearly and completely with reference to the drawings in the embodiments of the present application, and it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present disclosure.
A compromised password data set is a set obtained by collecting passwords compromised in security events. The number of times each password has been compromised can be counted. The more times a password has been leaked, the more likely it is to be in use by many people, and therefore the more likely an attacker is to pick it as an attack candidate password, i.e., a password the attacker uses to launch account login attacks on multiple accounts. Moreover, the more times a password has been leaked, the higher the probability that such an attack succeeds. For example, an attacker launches an account login attack on thousands of accounts using a set of common passwords (attack candidate passwords); this behavior is known as a password injection attack.
In the employee identity and access management (EIAM) scenario of an Identity as a Service (IDaaS) application, all employee account passwords of an enterprise are hosted centrally in the IDaaS product, and the account authentication policies and password policies set by different enterprise administrators differ considerably.
In general, a password injection attack can be defended against by configuring a secondary authentication mode, such as facial recognition or an SMS verification code. For example, when a user logs in to an application, besides entering the account number and password, the user also has to enter an SMS verification code to prevent malicious login; or, after the user fails to log in several times in a row, the user is required to enter an SMS verification code to recover the password, so as to prevent malicious login.
From an industry point of view, industries with higher security requirements, such as government and finance, generally configure secondary authentication to defend against password injection attacks. Most ordinary industries configure no secondary authentication, and a user can log in successfully just by entering an account number and a password. There may be various reasons for this, for example that login with secondary authentication is complicated, inefficient and gives a poor user experience.
If the IDaaS instance of an enterprise does not configure the secondary authentication function, for reasons of user experience or otherwise, then as soon as any employee account in the enterprise has a weak (or leaked) password, an attacker may gain access to that account through a password injection attack and then carry out lateral movement or privilege escalation from it, which can do great harm to the application security of the enterprise.
Ordinary industries can generally adopt a password risk-control policy to defend against password injection attacks, but if the interval between two failed password logins on a single account is long, the risk-control policy cannot recognize the attack, or the password login lock on the account may expire before the next attack attempt is made.
Therefore, for ordinary industries without secondary authentication, how to judge from the login password whether a login is an attack, so that employee accounts under attack can be defended, is a technical problem to be solved.
In view of the above technical problems, the embodiments of the present application provide a method for preventing a password attack, which can provide a certain security defense capability while preserving user experience, by determining the number of login requests among multiple login requests that use attack candidate passwords (high-risk passwords) and selecting and executing a corresponding password attack defense policy.
Exemplary System
Fig. 1 is a schematic architecture diagram of a system 100 for preventing a password attack according to an exemplary embodiment of the present application, illustrating an application scenario in which multiple login requests from a first source address are processed. As shown in fig. 1, the system 100 includes a user terminal 110 and a server 120. The user terminal 110 may be a computer, tablet or mobile phone, and the server 120 may be an employee identity and access management (EIAM) platform of an Identity as a Service (IDaaS) offering.
The user terminal 110 may generate a login request for a certain account number and transmit it to the server 120. For example, the user terminal 110 may generate the login request from an account number and a login password entered by the user. If the login password is correct, the login request passes the server's authentication; if it is incorrect, the login request fails authentication.
Multiple login requests for multiple accounts can be generated on the user terminal 110 within a certain time; the server 120 inspects them and performs different operations according to the detection result.
For example, when the detection result is that the multiple login requests fail verification and the number of them whose login password is a high-risk password (attack candidate password) is greater than the first threshold, the server 120 blocks the IP address of the user terminal 110, because a password injection attack from that IP address is highly likely.
When the number of login requests whose login password is a high-risk password (attack candidate password) is greater than the second threshold and less than or equal to the first threshold, and the current login request among them passes verification, the server 120 blocks the current login request, because the current login behavior is fairly likely to be malicious.
When that number is greater than the third threshold and less than or equal to the second threshold, and the current login request passes verification, the server 120 applies a secondary authentication operation to the current login request, because the current login behavior may be malicious. Note that the system 100 itself may have secondary authentication capability, since it can obtain information such as the user's mobile phone number or facial image at account registration and use it to configure the secondary authentication function. In practice the enterprise may choose whether to configure the system 100 with secondary authentication as needed. In the embodiment of the application, secondary authentication is triggered only when a certain condition is met, so the login process is simplified and user experience is improved.
When that number is less than or equal to the third threshold and the current login request passes verification, the server 120 processes the current login request so that the login succeeds.
To avoid redundancy, the specific process by which the system 100 handles multiple login requests is described in the method section below.
The system for preventing a password attack provided by this embodiment executes different password attack defense strategies according to the number of login requests using high-risk passwords from a certain IP address within a certain time, so that network security is ensured while adverse effects of misjudgment, such as poor user experience, are avoided.
It should be noted that the above application scenario is only shown for the convenience of understanding the spirit and principles of the present application, and the embodiments of the present application are not limited thereto. Rather, embodiments of the present application may be applied to any scenario where applicable.
Exemplary method
Fig. 2 is a flow chart of a method for preventing a password attack according to an exemplary embodiment of the present application. The method of fig. 2 may be performed by a computing device (e.g., the server in fig. 1). As shown in fig. 2, the method includes the following steps.
210: obtaining the login passwords used by a plurality of login requests from the first source address within a preset period.
The first source address may be an IP address or an egress IP gateway; for example, multiple login requests are issued from the same IP address, or through the same egress IP gateway, within a certain time.
220: evaluating the password leakage risk degree of each login password.
The password leakage risk degree measures how far the login password used by the corresponding login request has been leaked.
A login request corresponds to a login behavior of a user; for example, the user terminal may generate the login request from an account number and a login password entered by the user. Within a preset period, multiple login requests may arise from: the same login password being tried against multiple accounts; multiple login passwords being tried against the same account; multiple login passwords being tried against each of multiple accounts; or the accounts being divided into groups, with different login passwords tried against the accounts of different groups.
The server receives the multiple login requests and determines the password leakage risk degree of each login password they use.
In one example, the password leakage risk degree of a login password is determined by a preset rule; for example, a login password containing only digits has a low password leakage risk degree, while one containing both digits and letters has a high one. It should be understood that the preset rule may be that a login password of high complexity has a high password leakage risk; the preset rule can be set according to the actual situation.
In another example, the password leakage risk degree may be represented by a password leakage count, i.e., the number of times the login password has appeared in historical password leakage events; for example, the leakage count of the login password may be obtained from a password data set. The password data set may contain a plurality of leaked passwords together with the leakage count of each. Alternatively, the password data set contains the hash values of the leaked passwords together with the leakage count of each; in that case the hash value of the login password is computed and the leakage count is looked up in the data set by that hash value. Representing each leaked password by its hash value improves the security of the data set and makes it harder for an attacker to obtain the high-frequency leaked passwords: if the leaked passwords were stored in plaintext, an attacker could easily pick out the high-frequency ones, and a password attack using them would succeed more easily.
It should be understood that the password leakage data set can be obtained and dynamically updated through public channels, so that the attack defense capability of the method provided in the embodiment of the present application is continuously optimized and improved by the dynamically updated data set.
In another example, the password leakage risk degree may be derived from the password leakage count; that is, evaluating the password leakage risk degree of the login password includes: obtaining the password leakage count of the login password used by each of the multiple login requests; and obtaining the corresponding password leakage risk degree from that count.
Specifically, the password leakage risk degree may be expressed as a password leakage score. The score corresponding to a given leakage count can be determined by a preset function, such that a login password with a higher leakage count gets a higher score. The range of the password leakage score may be (0, 100), (0, 1), (1, 10) or the like.
The password leakage score may be determined, for example, by the following rule:
when the password leakage count is 0, the corresponding score is 0; when the count is 1, the corresponding score is 10; when the count exceeds 10,000, the corresponding score is greater than 90 and lies in the interval [90, 100].
The distribution of leakage counts over the various leaked passwords is uneven: if the leaked passwords are sorted by leakage count, the resulting curve is not smooth. Characterizing the leakage count by a password leakage score yields a smooth curve instead. For example, a leaked password with a leakage count of 10,000 or more may be regarded as a high-risk password; a password leaked 10,000 times and one leaked 20,000 times are then about equally easy to leak, yet on the raw leakage-count curve they differ by 10,000. The password leakage score therefore represents how easily a password is leaked more closely, within a smaller interval, and further functions can be built on it.
Of course, the password leakage score may be derived from the leakage count by other functions or rules, such as a normalization function, as long as the score characterizes how easily the login password used by the corresponding login request is leaked.
In other examples, the password leakage risk degree may be represented by a color shade or by any other means that distinguishes degrees of leakage; the embodiments of the present application do not limit this.
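The following Python is an added example, not code from the patent, of step 220 as described above: a login password's leakage count is looked up in a leaked-password data set keyed by SHA-1 hash, and the count is mapped onto a smooth leakage score that matches the anchor points given (count 0 gives 0, count 1 gives 10, 10,000 or more gives 90 to 100). The data set contents, the logarithmic scoring function and the candidate range [90, 100] are assumptions.

```python
import hashlib
import math


def _sha1_hex(password: str) -> str:
    """Hash used as the key of the data set, so plaintexts are never stored."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed leaked-password data set: SHA-1 hex digest -> number of times the
# password appeared in past leak events. The counts are made up for this example.
LEAK_DATA_SET = {
    _sha1_hex(pw): n
    for pw, n in [
        ("123456", 25_000),       # very common: well above 10,000
        ("qwerty", 10_000),       # exactly at the high-risk boundary
        ("letmein", 100),
        ("Summer2022!", 1),
    ]
}


def leak_count(password: str) -> int:
    """Look up the leakage count of a login password by its hash; 0 if never leaked."""
    return LEAK_DATA_SET.get(_sha1_hex(password), 0)


def leak_score(count: int) -> float:
    """Map an uneven leakage count onto a smooth score in [0, 100].

    Assumed function that satisfies the rule in the text: 0 -> 0, 1 -> 10,
    10,000 -> 90, and every count above 10,000 lands in (90, 100).
    Between 1 and 10,000 the score grows with log10(count); above 10,000 the
    remaining 10 points are spread so that 20,000 and 10,000 stay close (95 vs 90).
    """
    if count <= 0:
        return 0.0
    if count <= 10_000:
        return 10.0 + 80.0 * math.log10(count) / 4.0
    return 90.0 + 10.0 * (1.0 - 10_000 / count)


# Assumed preset range of step 230: scores of 90 and above are attack candidates,
# i.e. passwords leaked 10,000 times or more.
CANDIDATE_RANGE = (90.0, 100.0)


def is_attack_candidate(password: str, rng=CANDIDATE_RANGE) -> bool:
    """True when the password's leakage score lies inside the preset range."""
    low, high = rng
    return low <= leak_score(leak_count(password)) <= high
```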
230: determining at least one attack candidate password based on the password leakage risk degree of the login passwords, where an attack candidate password is a login password whose password leakage risk degree lies in a preset range.
An attack candidate password indicates that the login password is a high-risk password, and that an account logged in to with it may be logged in to maliciously, i.e., attacked. In other words, a login request generated with such a password is likely to be a malicious login request.
The higher the password leakage risk degree, the more likely the corresponding login password is a high-risk password. The server decides whether a login password is an attack candidate password according to its password leakage risk degree. For example, with the risk degree expressed as a password leakage score, a login password whose score exceeds a set threshold is determined to be an attack candidate password; more precisely, a login password whose score lies in a preset range is determined to be an attack candidate password. Among the login passwords of the multiple login requests there may be no attack candidate password, one, or several.
The preset range may be set as needed; for example, its upper limit is the maximum value of the password leakage score, or its upper limit is 90% or 95% of that maximum, so that scores near the maximum, which may be inaccurate, do not affect the accuracy of defense strategy selection. In one example, the maximum password leakage score is 100 and the upper limit of the preset range is 100, 90, 95 or the like.
240: based on the number of login requests, among the multiple login requests, that use at least one attack candidate password, select and execute a corresponding password attack defense strategy from the plurality of password attack defense strategies, so as to prevent a password attack from the first source address.
The mere presence of an attack candidate password among the login passwords of the multiple login requests does not by itself establish that a password attack is under way from the first source address. The likelihood of an attack is judged further from the number of login requests, within the preset period, that use an attack candidate password, that is, from the login frequency associated with the attack candidate passwords (the number of login attempts using an attack candidate password per unit time).
Specifically, the more login requests use an attack candidate password, the more likely a password attack from the first source address is. Different password attack defense strategies may therefore be applied for different counts of login requests using attack candidate passwords.
For example, the login requests using each distinct attack candidate password may be counted separately; then, for any single attack candidate password, the server executes the corresponding password attack defense strategy as soon as that password's request count meets the trigger condition of some strategy. Alternatively, the login requests using any attack candidate password may be counted together, and the server executes the corresponding strategy once the combined count meets the trigger condition of some strategy. The combined count strengthens the defense: an attacker who tries a large number of different login passwords against many accounts, each only a few times, is still detected in time.
Whether the counts are kept separately or combined, the selection and execution of the password attack defense strategy proceeds in the same way; it is described in detail below using the combined count of login requests using any attack candidate password.
In an example, if the number of login requests using an attack candidate password among the multiple login requests is greater than a first threshold, a password attack from the first source address is considered highly likely, and the server executes a corresponding defense strategy against the first source address, for example blocking the first source address, or sending a notification to the users of the accounts targeted by the multiple login requests asking them to confirm whether they logged in.
In another example, if none of the multiple login requests has compromised an account (none of the tried passwords matched), and the number of login requests using an attack candidate password is greater than a fifth threshold and less than or equal to the first threshold, a password attack from the first source address is considered possible, and the server sends a notification to the users of the targeted accounts to confirm that the login was theirs, for example by performing a secondary authentication. If the number of login requests using an attack candidate password keeps growing and exceeds the first threshold, the attack is considered highly likely and the server blocks the first source address. The first and fifth thresholds may be set as needed.
With this method, attack candidate passwords are identified among the login passwords used by the login requests on the basis of their password leakage risk, and a defense strategy is selected and executed according to the number of login requests that use them. This improves the security of the account login process and prevents malicious logins. It also avoids raising security by demanding secondary authentication on every login, which preserves login efficiency and user experience. Compared with a conventional login method without secondary authentication, the method achieves higher security, resisting password attacks and malicious logins, while keeping the same login efficiency and user experience.
According to an embodiment of the present application, selecting and executing a corresponding password attack defense strategy based on the number of login requests using at least one attack candidate password includes: determining the number of login requests, among the multiple login requests, that attempt to log in to one or more accounts with at least one attack candidate password; and, when that number is greater than the first threshold, blocking the first source address.
Specifically, the multiple login requests may use several distinct login passwords, and several of them may be determined to be attack candidate passwords. Within the preset period, any given attack candidate password may appear in one or more of the login requests from the first source address; how many is chosen by the attacker or is random. The login requests using any attack candidate password are counted together to obtain the number of login requests, among the multiple login requests, that use an attack candidate password.
For example, three login passwords are each tried against a number of accounts, producing many login requests within a certain time. Two of the three are determined to be attack candidate passwords: "123456" (the first) and "1234567" (the second). If A login requests use "123456" and B use "1234567", and A + B is greater than the first threshold, a password attack, here a password spraying attack, is considered highly likely from the IP address or IP gateway that sent the requests.
In this embodiment the first threshold may be set as needed, for example to 100, 150, or 200. Either none of the multiple login requests has passed verification, that is, no tried login password matched its account within the limited number of attempts, or the current login request has passed verification, that is, its login password matched the current account. In both cases, when the number of login requests using an attack candidate password exceeds the first threshold, the server blocks the first source address. The block may be temporary, for example for a set period, or the first source address may be required to pass a verification and be unblocked once it succeeds.
In some situations, staff of an enterprise send account login requests through the same IP gateway within a short time. To avoid misjudging this as a password spraying attack, the embodiment first determines the attack candidate passwords, counts only the login requests that use them, and blocks the first source address only when that count exceeds the first threshold. Normal login behavior through the shared gateway is thus not disrupted.
According to an embodiment of the present application, the selecting and executing further includes: when the number is less than or equal to the first threshold and greater than a second threshold, and the current login request for the current account among the multiple login requests has passed verification, blocking the current login request.
Specifically, if the number of login requests using an attack candidate password has not reached a certain magnitude, for example is less than or equal to the first threshold, a password attack from the first source address is less likely, and blocking the first source address outright would be inappropriate, since it could easily disrupt normal logins.
Therefore, when the number is less than or equal to the first threshold, the multiple login requests are examined further, for example whether the current login request for the current account has passed verification. If it has, the login password used by the current request matched the current account within a limited number of attempts, and a password attack from the first source address remains possible. To guard against it, it is further determined whether the number of login requests using an attack candidate password is greater than a second threshold. The second threshold is smaller than the first and may be set as needed, for example to 10, 15, or 20.
If the number exceeds the second threshold, the current login request is blocked, so that an attacker who has guessed the password of the current account cannot log in and go on to lateral movement, privilege escalation, or other dangerous operations from that account.
In this embodiment, when the number of login requests using an attack candidate password is less than or equal to the first threshold, a password spraying attack from the first source address is still possible: the attacker may have compromised the current account within a number of attempts that does not exceed the first threshold, so that the current login request passes verification. Blocking the current login request directly prevents the attacker from carrying out dangerous operations from the account and improves the security of the login process. Moreover, since in this case the first source address may not be conducting a password spraying attack at all, blocking only the current login request rather than the address leaves the normal logins of other users largely undisturbed.
Optionally, the selecting and executing further includes: when the number is less than or equal to the first threshold and the current login request for the current account among the multiple login requests has passed verification, determining how many times the login password used by the current login request occurs among the multiple login requests; and, when that count is greater than a fourth threshold, blocking the current login request.
Specifically, if the number of login requests using an attack candidate password is less than or equal to the first threshold and the current login request for the current account has passed verification, the login password used by the current request matched the current account within a limited number of attempts, and a password attack from the first source address remains possible. To guard against it, it is further determined whether that login password occurs more than a fourth threshold number of times among the multiple login requests. The fourth threshold is smaller than the first and may be set as needed, for example to 5, 10, 15, or 20.
If it does, the current login request is blocked, so that an attacker who has guessed the password of the current account cannot log in and go on to lateral movement, privilege escalation, or other dangerous operations from that account.
In this embodiment, when the number is less than or equal to the first threshold and the current login request for the current account has passed verification, the likelihood of a password spraying attack from the first source address is judged from how many times the current request's login password occurs among the multiple login requests compared with the fourth threshold. This improves the accuracy of the judgment and hence of the defense strategy executed on it. For example, the current login request may be blocked directly, preventing an attacker from acting on the current account; or both the current login request and the first source address may be blocked, which additionally prevents the attacker from launching further password attacks from that address.
Further, the method for preventing a password attack further includes: reminding the user of the current account that the account may be under attack; and/or sending a uniform resource locator (URL) to the user of the current account so that the user can log in again through it.
Specifically, when the current login request for the current account has passed verification but has been blocked, the user of the current account may additionally be warned that the account may be under attack, for example by SMS, telephone call, or e-mail.
Optionally, a URL may be sent to the user of the current account, by e-mail, SMS, or the like, so that the user can log in again through it. This provides the legitimate user with an alternative login path, reduces the harm of a mistaken block, and avoids disrupting normal login. For example, the URL may be attached to the warning notification, so that the user both learns that the account may be under attack and can log in again through the URL.
In this embodiment, warning the user of the current account when the current login request is blocked lets the user review the login and, once it is confirmed, change the password promptly to a stronger one so that the next attempt does not succeed. Sending a URL gives the user a new login path, so that a block caused by a misjudgment does not prevent the user from logging in; the security of the login process is improved while the user's normal login needs are still met.
According to an embodiment of the present application, the selecting and executing further includes: when the number is less than or equal to the second threshold and greater than a third threshold, and the current login request for the current account among the multiple login requests has passed verification, performing a secondary authentication on the current login request.
Specifically, if the number of login requests using an attack candidate password is less than or equal to the second threshold and the current login request for the current account has passed verification, the login password used by the current request matched the current account within a limited number of attempts, and a password attack from the first source address remains possible. To guard against it, it is further determined whether the number is greater than a third threshold. The third threshold is smaller than the second and may be set as needed, for example to 0, 3, or 5.
If the number exceeds the third threshold, a secondary authentication is performed on the current login request, for example face recognition or an SMS verification code.
Further, if the number is less than or equal to the third threshold (the third threshold being non-zero) and the current login request for the current account has passed verification, a password attack from the first source address is considered unlikely, and the current login request is allowed to complete. The login process stays secure while remaining simple, preserving user experience.
In this embodiment, when the number is greater than the third threshold and less than or equal to the second, attack candidate passwords occur only a few times among the multiple login requests; performing a secondary authentication on the current login request reduces the chance that a password spraying attack succeeds while still letting the user's current login proceed.
According to an embodiment of the present application, the plurality of password attack defense strategies includes at least one of: blocking the current login request among the multiple login requests; blocking the first source address; and performing a secondary authentication on the current login request.
To avoid repetition, the execution of each password attack defense strategy is as described in the embodiments above.
Fig. 3 is a flowchart of a method for preventing a password attack according to another exemplary embodiment of the present application. The embodiment of Fig. 3 is an instance of the embodiment of Fig. 2; points they share are not repeated. The method shown in Fig. 3 includes the following.
310: obtain the login passwords used by multiple login requests from a first source address within a preset period.
320: evaluate the password leakage score of each login password used by the multiple login requests.
The password leakage score measures the extent to which the login password used by the corresponding login request has been leaked.
330: determine at least one attack candidate password based on the password leakage scores of the login passwords, an attack candidate password being a login password whose score lies in a preset range.
For example, if the preset range is [90, 100], a score in that range indicates that the login password has appeared in leaks more than a certain number of times (for example 10,000), making it a likely choice for an attacker.
340: the number of login requests to login one or more accounts based on at least one attack candidate password in the plurality of login requests is determined.
350: it is determined whether the number is greater than a first threshold.
If the number is greater than the first threshold, then 360 is performed, otherwise 370 is performed.
360: a blocking operation is performed on the first source address.
For example, the first threshold may be 100, if the number is greater than the first threshold, which indicates that the first source address has a high possibility of initiating the password injection attack, and at this time, a blocking operation may be performed on the first source address to defend the password injection attack.
370: and judging whether the current login request successfully collides with the current account.
If the current login request successfully collides with the current account, 380 is executed, otherwise, any defending policy may not be executed temporarily.
Specifically, if the number is less than or equal to the first threshold (e.g., 100), the password injection attack may successfully collide with an account within 100 login attempts, so that the password attack defense policy in step 360 is not triggered, and the determination in step 380 may be performed, so as to select the corresponding password attack defense policy.
If the current login request does not successfully collide with a certain account within 100 login attempts, the current login state of each account is indicated to be stable, and any defense strategy can be temporarily not executed.
380: it is determined whether the number is greater than a second threshold.
If the number is greater than the second threshold, execution 390 proceeds, otherwise execution 391 proceeds.
390: and executing blocking operation on the current login request, reminding the user of the current account that the current account is possibly attacked, and sending a URL to the user of the current account.
For example, the second threshold may be 10, if the number is greater than the second threshold, it indicates that the first source address has a possibility of initiating a password injection attack, and at this time, the blocking operation may be performed on the current login request, and a notification may be sent to the user of the current account to alert the user that the account may be attacked, so as to provide better feedback service for the user. In addition, for the situation of possible false blocking, a URL may be attached to the user notification, and the user may be informed to log in again through the URL, so that the risk of false blocking may be reduced.
391: it is determined whether the number is greater than a third threshold.
If the number is greater than the third threshold, execution 392 proceeds, otherwise execution 393 proceeds.
392: and executing a secondary authentication operation on the current login request.
For example, the third threshold may be 5, if the number is greater than the third threshold, it indicates that the first source address has a possibility of initiating a password injection attack, and at this time, a secondary authentication operation may be performed on the current login request, so that the probability of success of the password injection attack may be reduced, and at the same time, smooth performance of the current login process of the user is ensured.
393: and executing successful login operation on the current login request.
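As an added example, not code from the patent or its applicant, the decision flow of steps 340 to 393 above, together with the fourth-threshold variant described earlier (blocking a verified login whose password was reused more than a set number of times from the same source), run over constructed login traffic from one source address. It assumes the attack candidate passwords have already been determined from their leakage scores and uses the thresholds 100, 10 and 5 quoted in the text; the request representation, the `spray` helper and the action names are assumptions.

```python
from dataclasses import dataclass
from enum import Enum


@dataclass(frozen=True)
class LoginRequest:
    account: str
    password: str
    verified: bool  # True if the password matched the account


class Action(Enum):
    BLOCK_SOURCE = "block the first source address (temporarily)"
    BLOCK_LOGIN = "block current login, warn the user, send a re-login URL"
    SECOND_FACTOR = "require secondary authentication for the current login"
    ALLOW = "complete the login normally"
    NO_ACTION = "no defense strategy triggered yet"


@dataclass(frozen=True)
class Thresholds:
    first: int = 100   # above this: block the source address (step 360)
    second: int = 10   # above this: block the verified login (step 390)
    third: int = 5     # above this: demand a second factor (step 392)
    fourth: int = 5    # reuse count of the current password (optional variant)


def candidate_request_count(requests, candidates) -> int:
    """Step 340: login requests (to any account) whose password is an attack
    candidate, counted together across all candidate passwords."""
    return sum(1 for r in requests if r.password in candidates)


def select_policy(requests, candidates, current, th=Thresholds()) -> Action:
    """Steps 350-393 of the Fig. 3 flow, evaluated for `current`.

    `requests` is every login request seen from the first source address in the
    preset period, `current` included; the count spans all targeted accounts.
    """
    n = candidate_request_count(requests, candidates)
    if n > th.first:
        return Action.BLOCK_SOURCE      # 360: spraying very likely
    if not current.verified:
        return Action.NO_ACTION         # 370: nothing compromised yet
    if n > th.second:
        return Action.BLOCK_LOGIN       # 390
    if n > th.third:
        return Action.SECOND_FACTOR     # 392
    return Action.ALLOW                 # 393


def block_by_password_reuse(requests, current, th=Thresholds()) -> bool:
    """Fourth-threshold variant: for a verified login whose candidate count did
    not exceed the first threshold, block it if the very password it used was
    tried more than `fourth` times from this source in the period."""
    if not current.verified:
        return False
    uses = sum(1 for r in requests if r.password == current.password)
    return uses > th.fourth


def spray(password, accounts, hit=None):
    """Constructed sample traffic: one password tried against many accounts.
    `hit` names the account (if any) that the password happens to match."""
    return [LoginRequest(a, password, verified=(a == hit)) for a in accounts]


if __name__ == "__main__":
    candidates = {"123456", "1234567"}
    accounts = [f"user{i:02d}" for i in range(1, 13)]
    # 12 tries of "123456" (one matches user07) plus 3 tries of "1234567":
    # 15 candidate requests, so the matched login is blocked, not the source.
    window = spray("123456", accounts, hit="user07") + spray("1234567", accounts[:3])
    current = window[6]
    print(candidate_request_count(window, candidates), select_policy(window, candidates, current))
    print("reuse block:", block_by_password_reuse(window, current))
```

The same code also shows the enterprise-gateway case the text is concerned with: a burst of verified logins from one gateway whose passwords are not attack candidates gives a count of zero and is allowed through, whereas a 150-account spray exceeds the first threshold and blocks the source address even before any account is compromised.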
With this method, a leaked-password data set provides the capability to detect how many times a password has leaked, a password leakage score is derived from that count, and the score makes it possible to judge quickly whether an Internet Protocol (IP) address or IP gateway is conducting a password spraying attack, or whether an account is being targeted by one, so that the IP address or gateway can be temporarily blocked or the login to the account blocked, defeating the attacker's password spraying. The method analyzes password spraying behavior through the password leakage score rather than relying on login password strength requirements: a strong password is not necessarily unleaked, so a strong-password policy alone cannot guarantee the user's security at login. Further, a password spraying attack launched by an attacker who already has access to the enterprise's trusted network is hard to identify and defend against with an IP address allowlist, whereas selecting and executing the defense strategy according to the number of login requests using attack candidate passwords reduces the chance that such an attack from inside the enterprise succeeds.
In addition, the embodiment avoids secondary authentication on every account login, deciding dynamically whether to trigger it from the running count of login requests using attack candidate passwords, which improves user experience.
Exemplary apparatus
Fig. 4 is a schematic structural diagram of an apparatus 400 for preventing a password attack according to an exemplary embodiment of the present application. As shown in Fig. 4, the apparatus 400 includes an acquisition module 410, a determination module 420, and an execution module 430.
The acquisition module 410 is configured to obtain the login passwords used by multiple login requests from a first source address within a preset period; the determination module 420 is configured to evaluate the password leakage risk degree of each login password and to determine at least one attack candidate password based on it, an attack candidate password being a login password whose password leakage risk degree lies in a preset range; the execution module 430 is configured to select and execute a corresponding password attack defense strategy from a plurality of password attack defense strategies based on the number of login requests, among the multiple login requests, that use at least one attack candidate password, so as to prevent a password attack from the first source address.
With this apparatus, attack candidate passwords are identified among the login passwords used by the login requests on the basis of their password leakage risk, and a defense strategy is selected and executed according to the number of login requests that use them. This improves the security of the account login process and prevents malicious logins. It also avoids raising security by demanding secondary authentication on every login, which preserves login efficiency and user experience. Compared with a conventional login method without secondary authentication, the apparatus achieves higher security, resisting password attacks and malicious logins, while keeping the same login efficiency and user experience.
According to an embodiment of the present application, the execution module 430 is configured to: determine the number of login requests, among the multiple login requests, that attempt to log in to one or more accounts with at least one attack candidate password; and, when that number is greater than the first threshold, block the first source address.
According to an embodiment of the present application, the execution module 430 is further configured to: when the number is less than or equal to the first threshold and greater than the second threshold, and the current login request for the current account among the multiple login requests has passed verification, block the current login request.
According to an embodiment of the present application, the apparatus 400 further comprises a sending module 440 configured to: remind the user of the current account that the account may be under attack; and/or send a uniform resource locator (URL) to the user of the current account so that the user can log in again through it.
According to an embodiment of the present application, the execution module 430 is further configured to: when the number is less than or equal to the first threshold and the current login request for the current account among the multiple login requests has passed verification, determine how many times the login password used by the current login request occurs among the multiple login requests; and, when that count is greater than the fourth threshold, block the current login request.
According to an embodiment of the present application, the execution module 430 is further configured to: and when the number is smaller than or equal to the second threshold value and larger than the third threshold value, and the current login request of the current account is successfully verified in the multiple login requests, executing a secondary authentication operation on the current login request.
According to an embodiment of the present application, the determining module 420 is configured to: obtain the number of password leaks for the login password adopted by each of the multiple login requests, where the number of password leaks indicates how many times the login password has appeared in historical password leak events; and obtain the corresponding password leakage risk degree based on the number of password leaks.
According to an embodiment of the present application, the determining module 420 is configured to: calculate a hash value of the login password; and obtain the number of password leaks from the password leak data set based on the hash value.
According to an embodiment of the present application, the password leakage risk level is a password leakage score.
According to an embodiment of the present application, the plurality of cryptographic attack defense strategies includes at least one of: performing a blocking operation on the current login request among the multiple login requests; performing a blocking operation on the first source address; and performing a secondary authentication operation on the current login request.
According to an embodiment of the present application, the upper limit of the preset range is the maximum value of the password leakage score.
It should be understood that the operations and functions of the acquisition module 410, the determination module 420, the execution module 430, and the sending module 440 in the above embodiments may refer to the descriptions of the method for preventing a cryptographic attack provided in the embodiments of fig. 2 or fig. 3 above, and are not repeated here.
Fig. 5 is a block diagram of an electronic device 500 for performing a method for preventing cryptographic attacks according to an exemplary embodiment of the present application.
Referring to fig. 5, the electronic device 500 includes a processing component 510, which further includes one or more processors, and memory resources represented by a memory 520 for storing instructions, such as application programs, executable by the processing component 510. The application program stored in the memory 520 may include one or more modules, each corresponding to a set of instructions. Further, the processing component 510 is configured to execute the instructions to perform the above-described method of preventing cryptographic attacks.
The electronic device 500 may also include a power component configured to perform power management of the electronic device 500, a wired or wireless network interface configured to connect the electronic device 500 to a network, and an input/output (I/O) interface. The electronic device 500 may operate based on an operating system stored in the memory 520, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™ or the like.
A non-transitory computer readable storage medium stores instructions which, when executed by a processor of the electronic device 500, enable the electronic device 500 to perform the method of preventing cryptographic attacks.
All the above optional solutions may be combined arbitrarily to form an optional embodiment of the present application, which is not described here in detail.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, and are not repeated herein.
In the several embodiments provided in this application, it should be understood that the disclosed systems, devices, and methods may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the units is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application, or the part of it that contributes to the prior art, may be embodied in the form of a software product stored in a storage medium and including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods described in the embodiments of the present application. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or other media capable of storing program code.
It should be noted that in the description of the present application, the terms "first," "second," "third," and the like are used for descriptive purposes only and are not to be construed as indicating or implying relative importance. Furthermore, in the description of the present application, unless otherwise indicated, the meaning of "a plurality" is two or more.
The foregoing description of the preferred embodiments of the present invention is not intended to limit the invention to the precise form disclosed, and any modifications, equivalents, and alternatives falling within the spirit and principles of the present invention are intended to be included within the scope of the present invention.
Claims (11)
1. A method of preventing a cryptographic attack, comprising:
obtaining a login password adopted by a plurality of login requests from a first source address in a preset period;
evaluating the password leakage risk degree of the login password;
determining at least one attack candidate password based on the password leakage risk degree of the login password, wherein the attack candidate password is the login password with the password leakage risk degree in a preset range;
selecting and executing a corresponding cryptographic attack defense strategy from a plurality of cryptographic attack defense strategies based on the number of login requests employing the at least one attack candidate password from the plurality of login requests to prevent a cryptographic attack from the first source address, wherein,
the numbers of login requests adopting the at least one attack candidate password that correspond to the respective password attack defense strategies are different, and the plurality of password attack defense strategies comprise: performing a blocking operation on a current login request of the multiple login requests,
the selecting and executing a corresponding cryptographic attack defense policy from a plurality of cryptographic attack defense policies based on the number of login requests employing the at least one attack candidate password from the plurality of login requests, including:
determining the number of login requests for logging in one or more accounts based on the attack candidate passwords in the multiple login requests;
when the number is smaller than or equal to a first threshold value and larger than a second threshold value, and the current login request for the current account is successfully verified, the blocking operation is executed on the current login request, or,
when the number is smaller than or equal to a first threshold value and the verification of the current login request for the current account in the multiple login requests is successful, determining the number of times the login password adopted by the current login request is used in the multiple login requests, and executing the blocking operation on the current login request when that number of times is larger than a fourth threshold value.
2. The method of claim 1, wherein the selecting and executing a corresponding cryptographic attack defense policy from a plurality of cryptographic attack defense policies based on a number of login requests employing the at least one attack candidate password from the plurality of login requests further comprises:
and when the number is greater than the first threshold, performing a blocking operation on the first source address.
3. The method as recited in claim 1, further comprising:
reminding the user of the current account that the current account is possibly attacked; and/or
and sending a Uniform Resource Locator (URL) to the user of the current account so as to facilitate the user of the current account to log in again through the URL.
4. The method of claim 1, wherein the selecting and executing a corresponding cryptographic attack defense policy from a plurality of cryptographic attack defense policies based on a number of login requests employing the at least one attack candidate password from the plurality of login requests further comprises:
and when the number is smaller than or equal to the second threshold value and larger than a third threshold value, and the current login request of the current account is successfully verified in the multiple login requests, executing a secondary authentication operation on the current login request.
5. The method of claim 1, wherein the evaluating the risk of password leakage for the login password comprises:
acquiring the number of password leakage of a login password adopted by each login request in the multiple login requests, wherein the number of password leakage is used for indicating the number of times of occurrence of the login password in a historical password leakage event;
and acquiring the corresponding password leakage risk degree based on the password leakage times.
6. The method of claim 5, wherein the obtaining the number of password leaks for the login password employed for each of the plurality of login requests comprises:
calculating a hash value corresponding to the login password;
and acquiring the password leakage times from the password leakage data set based on the hash value.
7. The method of claim 1, wherein the degree of risk of password leakage is a password leakage score.
8. The method of claim 7, wherein an upper limit of the preset range is a maximum value of the password leakage score.
9. The method of any of claims 1 to 8, wherein the plurality of cryptographic attack defense strategies further comprises at least one of:
performing a blocking operation on the first source address;
and executing a secondary authentication operation on the current login request.
10. An apparatus for preventing a cryptographic attack, comprising:
the acquisition module is used for acquiring a login password adopted by a plurality of login requests from a first source address in a preset period;
the determining module is used for evaluating the password leakage risk degree of the login password and determining at least one attack candidate password based on the password leakage risk degree of the login password, wherein the attack candidate password is the login password with the password leakage risk degree in a preset range;
an execution module for selecting and executing a corresponding cryptographic attack defense policy from a plurality of cryptographic attack defense policies based on a number of login requests employing the at least one attack candidate password from among the plurality of login requests to prevent a cryptographic attack from the first source address, wherein,
the numbers of login requests adopting the at least one attack candidate password that correspond to the respective password attack defense strategies are different, and the plurality of password attack defense strategies comprise: performing a blocking operation on a current login request of the multiple login requests,
the execution module is used for:
determining the number of login requests for logging in one or more accounts based on the attack candidate passwords in the multiple login requests;
when the number is smaller than or equal to a first threshold value and larger than a second threshold value, and the current login request for the current account is successfully verified, the blocking operation is executed on the current login request, or,
when the number is smaller than or equal to a first threshold value and the verification of the current login request for the current account in the multiple login requests is successful, determining the number of times the login password adopted by the current login request is used in the multiple login requests, and executing the blocking operation on the current login request when that number of times is larger than a fourth threshold value.
11. An electronic device, comprising:
a processor;
a memory for storing the processor-executable instructions,
wherein the processor is configured to perform the method of preventing a cryptographic attack of any of the preceding claims 1 to 9.
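The decision logic of claims 1 to 9 written out as an added example; this is not the patent's own code or any product implementation, and the leak data set, the score mapping, the bounds of the preset range and the thresholds T1 to T4 are constructed assumptions.

```python
import hashlib
import math
from collections import Counter
from dataclasses import dataclass

# Constructed leak data set (claim 6): SHA-1 of the password -> number of times
# it appeared in historical leak events. All counts are made up for the example.
_LEAKED = {"123456": 37_000_000, "qwerty": 3_900_000, "letmein": 250_000,
           "Password1": 150_000, "Summer2022!": 900}
LEAK_DATASET = {hashlib.sha1(p.encode()).hexdigest(): n for p, n in _LEAKED.items()}

MAX_SCORE = 100        # upper limit of the preset range (claim 8); assumed value
CANDIDATE_MIN = 50     # lower limit of the preset range; assumed value
T1, T2, T3, T4 = 20, 10, 3, 2   # assumed thresholds; the claims need T1 > T2 > T3


@dataclass(frozen=True)
class LoginRequest:
    account: str
    password: str
    verified: bool      # outcome of the ordinary credential verification


@dataclass(frozen=True)
class Decision:
    action: str         # "block_source_address" | "block_request" | "step_up" | "no_action"
    notify_user: bool   # claim 3: warn the account owner and/or send a re-login URL


def leak_count(password: str) -> int:
    """Claim 6: hash the password and look the count up in the leak data set."""
    return LEAK_DATASET.get(hashlib.sha1(password.encode()).hexdigest(), 0)


def leak_score(password: str) -> int:
    """Claim 7: map the leak count to a score in 0..MAX_SCORE (log bucketing, assumed)."""
    return min(MAX_SCORE, int(10 * math.log10(leak_count(password) + 1)))


def decide(requests: list[LoginRequest], current: LoginRequest) -> Decision:
    """Pick the defense strategy for `current`, which is one of `requests`
    (all login requests seen from the first source address in the preset period)."""
    # Claim 1: attack candidate passwords are those whose score lies in the preset range.
    candidates = {r.password for r in requests
                  if CANDIDATE_MIN <= leak_score(r.password) <= MAX_SCORE}
    number = sum(1 for r in requests if r.password in candidates)
    if number > T1:                             # claim 2: too many, block the source
        return Decision("block_source_address", False)
    if not current.verified:                    # ordinary failed login; nothing extra
        return Decision("no_action", False)
    if T2 < number <= T1:                       # claim 1, first branch
        return Decision("block_request", True)
    reuse = Counter(r.password for r in requests)[current.password]
    if reuse > T4:                              # claim 1, second branch (same password reused)
        return Decision("block_request", True)
    if T3 < number <= T2:                       # claim 4: step-up authentication
        return Decision("step_up", False)
    return Decision("no_action", False)
```

Note that a successful login is blocked only when it arrives inside a burst of leaked-password attempts from the same source, so a lone user typing a weak but correct password is not affected.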
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210655456.6A CN115001832B (en) | 2022-06-10 | 2022-06-10 | Method and device for preventing password attack and electronic equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN115001832A CN115001832A (en) | 2022-09-02 |
CN115001832B true CN115001832B (en) | 2024-02-20 |
Family ID: 83032189
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115001832B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115580439A (en) * | 2022-09-20 | 2023-01-06 | 上海金电网安科技有限公司 | Detection method, device and equipment for password spray attack and storage medium |
Citations (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CA2611549A1 (en) * | 2007-11-27 | 2009-05-27 | Paul Plesman | Method and system for providing a secure login solution using one-time passwords |
CN104468249A (en) * | 2013-09-17 | 2015-03-25 | 深圳市腾讯计算机系统有限公司 | Method and device for detecting abnormal account number |
CN106357696A (en) * | 2016-11-14 | 2017-01-25 | 北京神州绿盟信息安全科技股份有限公司 | Detection method and detection system for SQL injection attack |
CN106603580A (en) * | 2017-02-20 | 2017-04-26 | 东信和平科技股份有限公司 | Login method and login system |
CA2913571A1 (en) * | 2015-12-01 | 2017-06-01 | Frederic Mailhot | Multi-platform user authentication device with double and multilaterally blind on-the-fly key generation |
CN110222499A (en) * | 2019-05-22 | 2019-09-10 | 杭州安恒信息技术股份有限公司 | Mysql database weak password detection method |
CN112738104A (en) * | 2020-12-29 | 2021-04-30 | 杭州迪普科技股份有限公司 | Scanning method and device of weak password equipment |
CN112738006A (en) * | 2019-10-28 | 2021-04-30 | 深信服科技股份有限公司 | Identification method, device and storage medium |
CN112822147A (en) * | 2019-11-18 | 2021-05-18 | 上海云盾信息技术有限公司 | Method, system and equipment for analyzing attack chain |
CN114465816A (en) * | 2022-03-17 | 2022-05-10 | 中国工商银行股份有限公司 | Password spraying attack detection method, device, computer equipment and storage medium |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8041954B2 (en) * | 2006-12-07 | 2011-10-18 | Paul Plesman | Method and system for providing a secure login solution using one-time passwords |
US11936664B2 (en) * | 2020-03-14 | 2024-03-19 | Microsoft Technology Licensing, Llc | Identity attack detection and blocking |
Non-Patent Citations (3)
Title |
---|
USTC: analysis of and response to mail system security incidents; 陈蕾; 程雨; 张焕杰; China Education Network; 2020-06-05 (No. 06); full text * |
A USB Key identity authentication scheme based on a cryptographic service platform; 李明; 史国振; 娄嘉鹏; Computer Applications and Software; 2018-09-12 (No. 09); full text * |
Defense against and detection of weak passwords; 杨浩; Computer & Network; 2018-06-12 (No. 11); full text * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||