Security protection method and device and security protection equipment

Document number: 1398611    Publication date: 2020-03-03

Reading note: this technique, "Security protection method, device and security protection equipment" (安全防护方法、装置以及安全防护设备), was designed and created by 雷鸣, 宋阳阳 and 贾炯 on 2018-08-22. Summary: embodiments of the invention provide a security protection method, a security protection apparatus and a security protection device. The method comprises: receiving a first access request from a client, wherein the first access request comprises identification information of the client; matching the identification information of the client against an identification information database and obtaining a matching result; calculating a matching probability according to the matching result; and starting security protection when the matching probability reaches a preset value. In this way the accuracy of CC attack detection can be improved and the protection against CC attacks can be enhanced.

1. A security protection method, the method comprising:

receiving a first access request from a client, wherein the first access request comprises identification information of the client;

matching the identification information of the client against an identification information database and obtaining a matching result;

calculating a matching probability according to the matching result; and

starting security protection when the matching probability reaches a preset value.

2. The security protection method according to claim 1, wherein

the identification information database is an identification information classification database generated by analysing historical network traffic and organised by the reputation of the identification information.

3. The security protection method according to claim 1, wherein

the first access request is a hypertext transfer protocol request; the identification information of the client is an internet protocol address, and a plurality of internet protocol addresses are stored in the identification information database.

4. The security protection method according to claim 1, wherein, when security protection has been started, the method further comprises:

receiving a second access request from the client, wherein the second access request comprises identification information of the client;

matching the identification information of the client in the second access request against the identification information database; and

intercepting or releasing the second access request according to the matching result between the identification information of the client in the second access request and the identification information database.

5. The security protection method according to claim 4, wherein

when the second access request is intercepted, reverse probing is performed based on the identification information of the client in the second access request.

6. The security protection method according to claim 1, wherein

the identification information database comprises an internet protocol address blacklist library and an internet protocol address whitelist library.

7. The security protection method according to claim 1 or 2, characterised in that the method further comprises:

updating the identification information database at a preset period.

8. A security protection apparatus, comprising:

a receiving unit that receives a first access request from a client, wherein the first access request comprises identification information of the client;

a matching unit that matches the identification information of the client against an identification information database and obtains a matching result;

a calculation unit that calculates a matching probability from the matching result; and

a security protection starting unit that starts security protection when the matching probability reaches a preset value.

9. The apparatus according to claim 8, wherein

the identification information database is an identification information classification database generated by analysing historical network traffic and organised by the reputation of the identification information.

10. The apparatus of claim 8,

the receiving unit receives a second access request from the client, wherein the second access request comprises identification information of the client;

the matching unit matches the identification information of the client in the second access request with the identification information database,

the device further comprises:

an access control unit that intercepts or releases the second access request according to the matching result between the identification information of the client in the second access request and the identification information database.

11. The apparatus of claim 10, further comprising:

a reverse probing unit that performs reverse probing based on the identification information of the client in the second access request when the access control unit intercepts the second access request.

12. The apparatus of claim 8 or 9, further comprising:

an updating unit that updates the identification information database at a predetermined cycle.

13. A security protection device comprising a memory and a processor, the memory storing a computer program, wherein the processor executes the computer program to implement the security protection method according to any one of claims 1 to 7.

14. A computer-readable storage medium on which a computer program is stored which, when executed by a processor, carries out the steps of the security protection method according to any one of claims 1 to 7.

Technical Field

The embodiment of the invention relates to the technical field of information security, in particular to a security protection method, a security protection device and security protection equipment.

Background

In the internet, various communication protocols are applied to information transmission between devices. For example, data transmission between the client and the server may be implemented through a hypertext Transfer Protocol (HTTP).

For malicious purposes, an attacker often sends a large number of HTTP requests to a target server through proxies or zombie hosts (an HTTP Flood, also called a CC attack), consuming the request-processing resources of the target server until they are exhausted.

Against such attacks, an existing protection strategy is to deploy a front-end cache on the client-facing side, so that the cache answers as many HTTP requests as possible from cached resources and the load that a large number of HTTP requests places on the server is reduced or even avoided.

However, in a CC attack the attacker bypasses the front-end cache by setting fields in the HTTP requests so that they reach the origin server, for example by requesting a Uniform Resource Identifier (URI) that triggers database operations or another URI that consumes system resources, until the server's resources are exhausted and it can no longer respond to normal requests.

Existing CC attack detection schemes generally analyse HTTP traffic and start CC attack protection automatically once certain conditions are met, for example when the request rate measured in real time exceeds a set threshold, when the website response status code statistics measured in real time exceed a set threshold, or when the actual click probability distribution of user access behaviour deviates from the website's prior probability distribution. Once CC attack protection is started, existing schemes generally apply protection strategies such as reverse probing, verification codes (CAPTCHAs) and closing connections.

However, these detection schemes sometimes misjudge normal traffic as a CC attack (for example flash sales, red-envelope grabbing and voting), sometimes fail to detect certain attack scenarios (for example low-frequency, low-volume attacks), and the existing protection strategies sometimes intercept normal accesses by mistake (for example third-party payment traffic and crawler requests).
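To make the prior-art trigger conditions above concrete, the following Python example (added for this page; it is not part of the patent and not the applicant's code) computes the three statistics named in the background section over constructed access-log lines, and shows how a legitimate flash sale trips both the request-rate check and the click-distribution check, which is exactly the misjudgement the paragraph above describes. The log line format, the prior distribution `PRIOR`, the thresholds in `detect`, and the choice of total-variation distance as the deviation measure are all assumptions.

```python
from collections import Counter

# Constructed access-log lines (not real traffic): "timestamp ip method uri status".
NORMAL_LOG = """\
1000 192.0.2.1 GET /index 200
1000 192.0.2.2 GET /item/1 200
1001 192.0.2.3 GET /index 200
1001 192.0.2.4 GET /item/2 200
1002 192.0.2.5 GET /index 200
1002 192.0.2.6 GET /buy 200
1003 192.0.2.7 GET /item/3 200
1003 192.0.2.8 GET /index 200
1004 192.0.2.9 GET /item/4 200
1004 192.0.2.10 GET /index 200
"""

# A flash sale: twenty real users hit /buy within two seconds; two of them get a 503.
FLASH_SALE_LOG = "".join(
    f"{2000 + (i - 1) // 10} 192.0.2.{i} POST /buy {503 if i % 10 == 0 else 200}\n"
    for i in range(1, 21)
)

# Hypothetical prior click distribution of the site, keyed by first path segment.
PRIOR = {"/index": 0.5, "/item": 0.4, "/buy": 0.1}


def parse_log(text):
    """Parse the constructed log format into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, method, uri, status = line.split()
        records.append({"ts": int(ts), "ip": ip, "method": method,
                        "uri": uri, "status": int(status)})
    return records


def uri_class(uri):
    """Bucket a URI by its first path segment so /item/1 and /item/2 count together."""
    return "/" + uri.split("/")[1]


def request_rate(records):
    """Requests per second over the time span covered by the records."""
    span = max(r["ts"] for r in records) - min(r["ts"] for r in records) + 1
    return len(records) / span


def error_ratio(records):
    """Share of responses with a 4xx/5xx status (the 'response status code' statistic)."""
    return sum(r["status"] >= 400 for r in records) / len(records)


def click_deviation(records, prior):
    """Total-variation distance between the observed click distribution over
    URI classes and the prior: 0 means identical, 1 means disjoint support."""
    counts = Counter(uri_class(r["uri"]) for r in records)
    total = sum(counts.values())
    keys = set(prior) | set(counts)
    return 0.5 * sum(abs(counts.get(k, 0) / total - prior.get(k, 0.0)) for k in keys)


def detect(records, prior, rate_limit=5.0, error_limit=0.2, deviation_limit=0.3):
    """Apply the three prior-art trigger conditions; any True flag would start protection."""
    return {
        "rate": request_rate(records) > rate_limit,
        "status": error_ratio(records) > error_limit,
        "deviation": click_deviation(records, prior) > deviation_limit,
    }


if __name__ == "__main__":
    for name, log in (("normal", NORMAL_LOG), ("flash sale", FLASH_SALE_LOG)):
        print(name, detect(parse_log(log), PRIOR))
```

The normal log matches the prior exactly, so no flag is raised; the flash sale raises the rate and deviation flags purely because many real users do the same thing at once, which is why a scheme built only on these statistics cannot tell it from an HTTP Flood.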

It should be noted that the above background description is given only for the sake of a clear and complete description of the technical solutions of the present invention and to aid the understanding of those skilled in the art. Such solutions are not to be considered known to the person skilled in the art merely because they are set forth in the background section of the invention.

Disclosure of Invention

In view of at least one of the above problems, embodiments of the present invention provide a security protection method, apparatus and device, which are expected to improve the accuracy of CC attack detection and enhance protection against CC attacks.

According to a first aspect of the embodiments of the present invention, there is provided a security protection method, including:

receiving a first access request from a client, wherein the first access request comprises identification information of the client;

matching the identification information of the client against an identification information database and obtaining a matching result;

calculating a matching probability according to the matching result; and

starting security protection when the matching probability reaches a preset value.

Optionally, the identification information database is an identification information classification database generated by analyzing historical network traffic and based on the reputation of the identification information.

Optionally, the first access request is a hypertext transfer protocol request; the identification information of the client is an internet protocol address, and a plurality of internet protocol addresses are stored in the identification information database.

Optionally, when security protection has been started, the method further includes:

receiving a second access request from the client, wherein the second access request comprises identification information of the client;

matching the identification information of the client in the second access request against the identification information database; and

intercepting or releasing the second access request according to the matching result between the identification information of the client in the second access request and the identification information database.

Optionally, under the condition of intercepting the second access request, reverse probing is performed based on the identification information of the client in the second access request.

Optionally, the identification information database includes an internet protocol address black list library and an internet protocol address white list library.

Optionally, the identification information database is updated at a predetermined period.
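As an added illustration of the method of the first aspect (example code written for this page, not the patent's own implementation), the following Python sketch runs the two phases end to end: in the detection phase every first access request is released while its IP is matched against the database and a matching probability is maintained; once that probability reaches the preset value, protection is started and each second access request is intercepted or released from its own match result, with intercepted sources reverse-probed. It assumes that the identification information is the client IP address (claim 3), that the database is a pair of blacklist and whitelist CIDR libraries (claim 6), that "matching probability" is the share of recent requests whose source matched the blacklist over a sliding window, and that reverse probing is modelled as a random challenge token the client must echo back; the window size, the preset value 0.5, the documentation-range addresses and the `run_sample` traffic are all constructed for the example.

```python
import secrets
from collections import deque
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class ReputationDB:
    """Identification information database keyed by IP address, holding a
    blacklist library and a whitelist library (claim 6). In deployment both
    would be regenerated from historical traffic at a fixed period (claim 7);
    here they are static CIDR lists supplied by the caller."""
    blacklist: list
    whitelist: list

    @classmethod
    def from_cidrs(cls, black, white):
        return cls([ip_network(c) for c in black], [ip_network(c) for c in white])

    def match(self, ip):
        """Matching result for one client IP: 'white', 'black' or 'unknown'.
        The whitelist wins, so a trusted source is never blocked by a stale
        blacklist entry (an assumption; the claims do not fix the precedence)."""
        addr = ip_address(ip)
        if any(addr in net for net in self.whitelist):
            return "white"
        if any(addr in net for net in self.blacklist):
            return "black"
        return "unknown"


@dataclass
class CCGuard:
    db: ReputationDB
    window: int = 20          # recent requests kept for the statistic (assumed)
    threshold: float = 0.5    # the "preset value" for the matching probability (assumed)
    protection_on: bool = False
    recent: deque = field(default_factory=deque)
    pending_probes: dict = field(default_factory=dict)  # ip -> outstanding challenge
    verified: set = field(default_factory=set)          # ips that answered a probe

    def matching_probability(self):
        """Share of the recent requests whose source matched the blacklist.
        One reasonable reading of 'matching probability'; the patent does not
        spell out the formula."""
        if not self.recent:
            return 0.0
        return sum(1 for m in self.recent if m == "black") / len(self.recent)

    def handle(self, client_ip, probe_token=None):
        """Decide one request: returns 'release' or 'intercept'."""
        match = self.db.match(client_ip)
        self.recent.append(match)
        if len(self.recent) > self.window:
            self.recent.popleft()

        if not self.protection_on:
            # Detection phase (claim 1): every request is released, but once the
            # matching probability reaches the preset value, protection is
            # switched on for the requests that follow.
            if self.matching_probability() >= self.threshold:
                self.protection_on = True
            return "release"

        # Protection phase (claims 4 and 5): decide per request from its match.
        if match == "white" or client_ip in self.verified:
            return "release"
        if match == "black":
            if probe_token is not None and probe_token == self.pending_probes.get(client_ip):
                # The client echoed the reverse-probe challenge, so it behaves
                # like a real browser: release it from now on.
                self.verified.add(client_ip)
                del self.pending_probes[client_ip]
                return "release"
            # Intercept, then reverse-probe the source. The probe is modelled as
            # a random token the client must send back (a redirect or cookie
            # challenge in practice); this is an assumption.
            self.pending_probes[client_ip] = secrets.token_hex(8)
            return "intercept"
        return "release"   # unknown sources are not blocked on reputation alone


def run_sample():
    """Constructed traffic (not captured data): six unknown clients, a burst
    from a blacklisted range, a whitelisted client, then one attacker host
    answering its probe. Returns the guard and the per-request decisions."""
    db = ReputationDB.from_cidrs(black=["203.0.113.0/24"], white=["198.51.100.0/24"])
    guard = CCGuard(db, window=10, threshold=0.5)
    decisions = [guard.handle(f"192.0.2.{i}") for i in range(1, 7)]
    decisions += [guard.handle(f"203.0.113.{i}") for i in range(1, 7)]
    decisions.append(guard.handle("198.51.100.7"))
    token = guard.pending_probes["203.0.113.6"]
    decisions.append(guard.handle("203.0.113.6", probe_token=token))
    return guard, decisions


if __name__ == "__main__":
    guard, decisions = run_sample()
    print(decisions, guard.protection_on)
```

In `run_sample` the first ten blacklisted-or-unknown requests are released because the matching probability is still below 0.5; the eleventh request brings the window to five of ten blacklist matches, protection starts, and the next blacklisted request is intercepted and probed while the whitelisted client passes untouched. Note that the claims say nothing about when protection is switched off again, so this sketch latches it on; a deployment would add an exit condition.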

According to a second aspect of the embodiments of the present invention, there is provided a security protection apparatus, including:

a receiving unit that receives a first access request from a client, wherein the first access request comprises identification information of the client;

a matching unit that matches the identification information of the client against an identification information database and obtains a matching result;

a calculation unit that calculates a matching probability from the matching result; and

a security protection starting unit that starts security protection when the matching probability reaches a preset value.

Optionally, the identification information database is an identification information classification database generated by analyzing historical network traffic and based on the reputation of the identification information.

Optionally, the receiving unit receives a second access request from the client, where the second access request includes identification information of the client;

the matching unit matches the identification information of the client in the second access request with the identification information database,

the device further comprises:

an access control unit that intercepts or releases the second access request according to the matching result between the identification information of the client in the second access request and the identification information database.

Optionally, the apparatus further comprises:

a reverse probing unit that performs reverse probing based on the identification information of the client in the second access request when the access control unit intercepts the second access request.

Optionally, the apparatus further comprises:

an updating unit that updates the identification information database at a predetermined cycle.

According to a third aspect of the embodiments of the present invention, there is provided a security protection device including a memory and a processor, where the memory stores a computer program and the processor executes the computer program to implement the security protection method according to the first aspect and any one of the above options.

According to a fourth aspect of embodiments of the present invention, there is provided a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the security protection method according to the first aspect and any one of the above-mentioned alternatives.

The embodiments of the invention have the following beneficial effect: a first access request including identification information of a client is received from the client, the identification information of the client is matched against an identification information database and a matching result is obtained, a matching probability is calculated according to the matching result, and security protection is started when the matching probability reaches a preset value. In this way misjudgement of CC attacks can be largely avoided and the protection against CC attacks enhanced.

Drawings

Elements and features described in one drawing or one implementation of an embodiment of the invention may be combined with elements and features shown in one or more other drawings or implementations. Moreover, in the drawings, like reference numerals designate corresponding parts throughout the several views, and may be used to designate corresponding parts for use in more than one embodiment.

FIG. 1 is a schematic view of a security protection system according to an embodiment of the present invention;

FIG. 2 is a schematic view of the security protection method according to embodiment 1 of the present invention;

FIG. 3 is another schematic view of the security protection method according to embodiment 1 of the present invention;

FIG. 4 is a schematic view of the security protection apparatus according to embodiment 2 of the present invention;

FIG. 5 is a schematic diagram of the construction of a security protection device according to an embodiment of the present invention.

Detailed Description

Specific embodiments of the present invention are disclosed in detail with reference to the following description and drawings, indicating the manner in which the principles of the invention may be employed. It should be understood that the embodiments of the invention are not so limited in scope. The embodiments of the invention include many variations, modifications and equivalents within the spirit and scope of the appended claims.

Features that are described and/or illustrated with respect to one embodiment may be used in the same way or in a similar way in one or more other embodiments, in combination with or instead of the features of the other embodiments.

It should be emphasized that the term "comprises/comprising" when used herein, is taken to specify the presence of stated features, integers, steps or components but does not preclude the presence or addition of one or more other features, integers, steps or components.

The foregoing and other features of the invention will become apparent from the following description taken in conjunction with the accompanying drawings. In the description and drawings, particular embodiments of the invention have been disclosed in detail as being indicative of some of the embodiments in which the principles of the invention may be employed, it being understood that the invention is not limited to the embodiments described, but, on the contrary, is intended to cover all modifications, variations, and equivalents falling within the scope of the appended claims.

In the embodiments of the present invention, the terms "first", "second", and the like are used for distinguishing different elements by name, but do not denote a spatial arrangement, a temporal order, or the like of the elements, and the elements should not be limited by the terms. The term "and/or" includes any and all combinations of one or more of the associated listed terms. The terms "comprising," "including," "having," and the like, refer to the presence of stated features, elements, components, and do not preclude the presence or addition of one or more other features, elements, components, and elements.

In embodiments of the invention, the singular forms "a", "an" and the like include the plural forms and are to be construed broadly as "a kind of" or "a class of" rather than limited to the meaning of "one"; furthermore, the term "comprising" should be understood to include both the singular and the plural, unless the context clearly dictates otherwise. Further, the term "according to" should be understood as "at least partially according to", and the term "based on" should be understood as "based at least partially on", unless the context clearly dictates otherwise.

In the embodiments of the present invention, the term client or "Terminal Equipment" (TE) refers to, for example, a device that accesses a communication network through a network device and receives a network service. End devices may be fixed or mobile and may also be referred to as terminals, user terminals, access terminals, stations, and the like.

The terminal device may include, but is not limited to, the following devices: personal computers, workstations, Cellular telephones (Cellular phones), Personal Digital Assistants (PDAs), wireless modems, wireless communication devices, handheld devices, machine-type communication devices, laptop computers, cordless telephones, smartphones, smartwatches, Digital cameras, and the like.

In the embodiments of the present invention, the term "security protection device" may refer to a gateway or firewall device, or to another device. The security protection device may be deployed between the terminal device and the server to protect the communication between them. It may be a network device independent of the server, or a network security application integrated with the server; the present invention does not limit the specific form of the security protection device or of the terminal device.

The following illustrates the scenarios of the embodiments of the present invention by way of example, but the present invention is not limited thereto.

Fig. 1 is a schematic diagram of a security protection system according to an embodiment of the present invention, schematically illustrating the situations of a terminal device, a security protection device, and a server, as shown in fig. 1, a security protection system 100 may include a terminal device 101, a security protection device 102, and a server 103. For simplicity, fig. 1 only illustrates one terminal device, one security device, and one server as an example, but the embodiment of the present invention is not limited thereto, and for example, the terminal device may be multiple.

As shown in fig. 1, the security protection device 102 is communicatively connected to the terminal device 101 and to the server 103. For example, the external network IP address of the security protection device 102 may be the same as the external network IP address of the server 103, although the invention is not limited thereto. Because the two external IP addresses are the same, data sent by the terminal device 101 to the server 103 is received by the security protection device 102, and the terminal device 101 is unaware of the existence of the security protection device 102.

The above description has been made only by way of example for the scenario of the present invention, but the present invention is not limited thereto, and may be applied to other scenarios according to practical situations. The following examples further illustrate the invention.
