CN107124390B - Security defense and implementation method, device and system of computing equipment - Google Patents

Publication number
CN107124390B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201610105483.0A
Other languages
Chinese (zh)
Other versions
CN107124390A (en)
Inventor
李普金
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alibaba Group Holding Ltd
Original Assignee
Alibaba Group Holding Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Application filed by Alibaba Group Holding Ltd
Priority to CN201610105483.0A
Publication of CN107124390A
Application granted
Publication of CN107124390B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication

Abstract

The application discloses a security defense method, a security defense implementation method, corresponding devices, and a security defense system for a computing device. The method comprises the following steps: the server receives login information sent by the computing device, where the login information is information about a source workstation requesting to log in to the computing device; the server judges whether the designated behavior of the source workstation corresponding to the login information is legal, where the designated behavior is the source workstation's request to log in to the computing device; and if the designated behavior is not legal, the server notifies the computing device to prevent the source workstation from logging in to the computing device.

Description

Security defense and implementation method, device and system of computing equipment
Technical Field
The application relates to the field of information security, in particular to a security defense and implementation method, device and system of computing equipment.
Background
Traditional defenses against Remote Desktop Protocol (RDP) brute-force cracking on Windows systems require Windows developers to intercept logins at the driver layer, which has a high development cost and makes stability difficult to achieve. Such a defense can only protect a single computing device at a time: other computing devices remain exposed to the attacker, who can continue cracking against them. Moreover, if the attacker spreads brute-force attempts widely, the defense mechanism cannot be triggered on any computing device. The related art is therefore costly to develop and is a single-point defense: a single computing device is defended only once a set number of attempts is reached, and a plurality of computing devices cannot be defended effectively.
Disclosure of Invention
According to an aspect of the embodiments of the present application, there is provided a security defense implementation method for a computing device, including: the server receives login information sent by the computing device, where the login information is information about a source workstation requesting to log in to the computing device; the server judges whether the designated behavior of the source workstation corresponding to the login information is legal, where the designated behavior is the source workstation's request to log in to the computing device; and if the designated behavior is not legal, the server notifies the computing device to prevent the source workstation from logging in to the computing device.
According to another aspect of the embodiments of the present application, there is also provided a security defense method for a computing device, including: the computing device sends login information to the server, where the login information is information about a source workstation requesting to log in to the computing device; the computing device receives notification information sent by the server, where the notification information is sent by the server when it judges that the designated behavior of the source workstation corresponding to the login information is illegal; and the computing device prevents the source workstation from logging in to the computing device based on the notification information.
According to another aspect of the embodiments of the present application, there is also provided a security defense implementing apparatus for a computing device, applied to a server, including: a receiving module for receiving login information sent by the computing device, where the login information is information about a source workstation requesting to log in to the computing device; a judging module for judging whether the designated behavior of the source workstation corresponding to the login information is legal, where the designated behavior is the source workstation's request to log in to the computing device; and a notification module for notifying the computing device to prevent the source workstation from logging in to the computing device if the designated behavior is not legal.
According to another aspect of the embodiments of the present application, there is also provided a security defense apparatus for a computing device, applied to the computing device, including: a sending module for sending login information to the server, where the login information is information about a source workstation requesting to log in to the computing device; a receiving module for receiving notification information sent by the server, where the notification information is sent by the server when it judges that the designated behavior of the source workstation corresponding to the login information is illegal; and a processing module for preventing the source workstation from logging in to the computing device according to the notification information.
According to another aspect of the embodiments of the present application, there is also provided a security defense system of a computing device, including a server and a computing device. The computing device is used for sending login information to the server, where the login information is information about a source workstation requesting to log in to the computing device. The server is used for judging whether the designated behavior of the source workstation corresponding to the login information is legal, where the designated behavior is the source workstation's request to log in to the computing device, and, if the designated behavior is not legal, for notifying the computing device to prevent the source workstation from logging in to the computing device.
In the embodiments of the present application, the server receives the login information sent by the computing device, judges whether the source workstation's request to log in to the computing device is legal, and, if it is illegal, notifies the computing device to prevent the source workstation from logging in. Because the server acquires and analyzes the login information of the source workstation requesting to log in, the computing device can be notified to intercept in time once the request is judged illegal. Interception of the source workstation's login behavior is thus driven by the server's analysis and judgment, so effective defense can be provided for a plurality of computing devices, which solves the technical problem in the related art that a plurality of computing devices cannot be defended against brute-force cracking by a source workstation.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
FIG. 1 is a block diagram of a hardware structure of a computer terminal of a security defense implementation method of a computing device according to an embodiment of the present application;
FIG. 2 is a flow chart of a security defense implementation method of a computing device according to embodiment 1 of the present application;
FIG. 3 is a schematic diagram of a method for implementing security defense of a computing device in scenario 1 of an alternative embodiment of the present application;
FIG. 4 is a flow diagram of a method of security defense of a computing device of an embodiment of the present application;
FIG. 5 is a block diagram of a security defense implementing apparatus of a computing device according to an embodiment of the present application;
FIG. 6 is a block diagram of a security defense apparatus of a computing device according to an embodiment of the present application;
FIG. 7 is a block diagram of a security defense system of a computing device of an embodiment of the present application;
FIG. 8 is a block diagram of a security defense system of a computing device of an alternative embodiment of the present application;
FIG. 9 is a block diagram of a computer terminal according to an embodiment of the present application.
Detailed Description
In order to make the technical solutions better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only partial embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It should be noted that the terms "first," "second," and the like in the description and claims of this application and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the application described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Example 1
According to an embodiment of the present application, a method embodiment of a security defense implementation method for a computing device is provided. It should be noted that the steps illustrated in the flowcharts of the drawings may be performed in a computer system, such as one executing a set of computer-executable instructions, and that although a logical order is illustrated in the flowcharts, in some cases the steps illustrated or described may be performed in an order different from the one given here.
The method provided by the embodiment 1 of the present application can be executed in a mobile terminal, a computer terminal or a similar computing device. Taking an example of the security defense implementation method running on a computer terminal, fig. 1 is a hardware structure block diagram of a computer terminal of the security defense implementation method of a computing device according to the embodiment of the present application. As shown in fig. 1, the computer terminal 10 may include one or more (only one shown) processors 102 (the processor 102 may include, but is not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA), a memory 104 for storing data, and a transmission device 106 for communication functions. It will be understood by those skilled in the art that the structure shown in fig. 1 is only an illustration and is not intended to limit the structure of the electronic device. For example, the computer terminal 10 may also include more or fewer components than shown in FIG. 1, or have a different configuration than shown in FIG. 1.
The memory 104 may be configured to store software programs and modules of application software, such as the program instructions/modules corresponding to the security defense implementing method of the computing device in the embodiment of the present application. The processor 102 executes various functional applications and data processing by running the software programs and modules stored in the memory 104, thereby implementing the security defense implementing method of the computing device. The memory 104 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor 102, which may be connected to the computer terminal 10 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 106 is used for receiving or transmitting data via a network. Specific examples of the network described above may include a wireless network provided by a communication provider of the computer terminal 10. In one example, the transmission device 106 includes a Network Interface Controller (NIC) that can be connected to other network devices through a base station to communicate with the internet. In one example, the transmission device 106 can be a Radio Frequency (RF) module, which is used to communicate with the internet wirelessly.
Under the operating environment, the application provides a security defense implementation method of the computing device shown in fig. 2. Fig. 2 is a flowchart of a security defense implementing method of a computing device according to embodiment 1 of the present application, the method including steps S202 to S206:
Step S202, the server receives login information sent by the computing device, where the login information is information about the source workstation requesting to log in to the computing device;
In an optional embodiment of the present application, the login information includes at least one of the following: the IP address of the source workstation requesting to log in to the computing device, and the user name used by the source workstation requesting to log in to the computing device. The login information may be collected by the computing device and then sent to the server through the network module of the computing device.
It should be noted that the above steps may be applied to a Windows anti-brute-force cracking system, and may also be applied to anti-brute-force cracking systems of other operating systems, such as Android and iOS. Taking the Windows anti-brute-force cracking system as an example, step S202 may take the following form: during the login process in which the source workstation requests to log in to the computing device, the sub-authorization module (i.e. SubAuth Module) in the computing device collects the login information, which is then reported to the server through the network module (i.e. NetWorker) of the computing device.
The server may be the computer terminal shown in FIG. 1 or a similar computing device, and is not limited thereto. The server can be connected to a plurality of computing devices, and through these connections the server can perform security defense for the plurality of computing devices. The computing device may be embodied as a client device or a server device, but is not limited thereto. The source workstation is the requester logging in to the computing device, and may be embodied as a computer device or a mobile terminal, but is not limited thereto.
Step S204, the server judges whether the designated behavior of the source workstation corresponding to the login information is legal, where the designated behavior is the source workstation's request to log in to the computing device;
In an embodiment of the present application, step S204 may be performed in at least one of the following ways. Mode one: the server searches its database for records corresponding to the login information and determines from those records whether the designated behavior is legal. Mode two: the server judges whether the quantity of login information it has received within a predetermined time exceeds a first predetermined threshold; if the quantity exceeds the first predetermined threshold, the server determines that the designated behavior is illegal. Mode one and mode two may also be combined. For example, if the quantity of login information received within the predetermined time exceeds the first predetermined threshold, the server considers that the designated behavior may be illegal; the server then searches the database for records corresponding to the login information and determines from those records whether the designated behavior is actually illegal. The application is not limited thereto.
It should be noted that the database stores source workstation information together with the corresponding login-failure information and/or login-success information for the computing devices. This information may be acquired by a log acquisition module of the computing device and then uploaded to the server through the network module of the computing device. In mode one, searching the database for records corresponding to the login information quickly shows whether the source workstation has failed to log in to this computing device or to other computing devices, that is, whether the source workstation has a bad record. A bad record means that the source workstation has carried out a malicious attack or brute-force attack on this computing device or on other computing devices, from which the designated behavior can be found to be illegal.
Specifically, in one embodiment of the present application, mode one may determine whether the designated behavior is legal in one of the following ways. First approach: if the content of the record is a failed login by the source workstation, the server determines that the designated behavior is illegal. Second approach: among the records found, the server counts the records whose content is a failed login by the source workstation; if that number exceeds a second predetermined threshold, the server determines that the designated behavior is illegal. With the first approach, the designated behavior is considered illegal whenever a login failure exists for the source workstation, that is, whenever the source workstation has any bad record. With the second approach, more than one record corresponding to the login information may be found in the database; legality is determined by counting the records in which the source workstation failed to log in and comparing that number with a preset threshold (the second predetermined threshold), that is, by statistical analysis and matching of the bad records corresponding to the source workstation. Compared with the first approach, the second approach judges the legality of the designated behavior more accurately.
It should be noted that the searching and counting of records may be executed by a logic analysis module in the server, and the second predetermined threshold may be preset in a rule matching module in the server. Specifically, it may be preset in a configuration file, so that the second predetermined threshold can be adjusted by modifying the configuration file, which improves flexibility and eases maintenance and upgrades.
Mode one is applicable to scenarios such as the following: a source workstation performs illegal behavior on one computing device and then on other computing devices; or a source workstation continues illegal behavior against a computing device after having already performed illegal behavior against it. It is not limited to these.
In mode two, whether the designated behavior is legal is determined by comparing the quantity of login information received within the predetermined time with the first predetermined threshold. This can be applied to widely spread illegal behavior, for example one source workstation performing illegal behavior on a group of computing devices at the same time, or one source workstation performing illegal behavior on a group of computing devices at different times where the number of illegal actions against each computing device is small (that is, less than a preset threshold), but it is not limited to these. If the server receives a certain quantity of login information within a certain time, the designated behavior can be considered not legal.
In step S206, in the event that the designated action is not legal, the server notifies the computing device to prevent the source workstation from logging into the computing device.
In one embodiment of the present application, the server may notify the computing device to prevent the source workstation from logging into the computing device by issuing an intercept request to the computing device in the event that the specified behavior is not legal.
With this method, the server acquires the login information of the source workstation requesting to log in to the computing device and analyzes it. When the source workstation's request to log in is judged illegal, the server can notify the computing device to intercept in time. Through the server's analysis and judgment, effective defense can be provided for a plurality of computing devices, which solves the technical problem in the related art that a plurality of computing devices cannot be defended against brute-force cracking by a source workstation.
In an embodiment of the present application, after the step S206, the following processing steps may also be performed: the server receives login failure information sent by the computing equipment, wherein the login failure information is used for indicating that the source workstation fails to login the computing equipment; and recording the login failure information into a database of the server. Through the processing steps, the login failure information is recorded in the database of the server, so that the server can quickly judge the illegal behaviors when the subsequent source workstation carries out illegal behaviors on the computing equipment or other computing equipment again, and further can prevent the illegal behaviors.
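Steps S202 to S206 and the failure-recording step above, as an added Python sketch that is not code from the patent or its applicant. It implements mode one (second approach) and mode two and intercepts when either fires; the class and function names, the threshold values, the per-source-IP counting in mode two, and the constructed sample events (documentation IP ranges) are all assumptions made for illustration.

```python
from collections import defaultdict, deque

ALLOW, INTERCEPT = "allow", "intercept"


class VerdictServer:
    """Hypothetical central server judging login reports from many computing devices."""

    def __init__(self, first_threshold=5, window_seconds=60, second_threshold=5):
        self.first_threshold = first_threshold    # mode two: reports per window (assumed value)
        self.window_seconds = window_seconds      # the "predetermined time" (assumed value)
        self.second_threshold = second_threshold  # mode one: failure records (assumed value)
        self.failure_db = defaultdict(list)       # source IP -> [(host, user, ts)]
        self.recent_reports = defaultdict(deque)  # source IP -> report timestamps

    def record_failure(self, host, source_ip, username, ts):
        """Store login-failure information uploaded by a computing device."""
        self.failure_db[source_ip].append((host, username, ts))

    def mode1_illegal(self, source_ip):
        """Mode one, second approach: failure records exceed the second threshold."""
        return len(self.failure_db.get(source_ip, ())) > self.second_threshold

    def mode2_illegal(self, source_ip, ts):
        """Mode two: reports from this source inside the window exceed the first threshold."""
        reports = self.recent_reports[source_ip]
        reports.append(ts)
        while ts - reports[0] > self.window_seconds:
            reports.popleft()  # drop reports older than the window
        return len(reports) > self.first_threshold

    def on_login_info(self, host, source_ip, username, ts):
        """S202-S206: receive login information, judge it, return the notification."""
        burst = self.mode2_illegal(source_ip, ts)  # always updates the window
        bad_history = self.mode1_illegal(source_ip)
        return INTERCEPT if (burst or bad_history) else ALLOW


def replay(server, events):
    """Feed (ts, host, source_ip, username, password_ok) events through the server."""
    verdicts = []
    for ts, host, source_ip, username, password_ok in events:
        verdict = server.on_login_info(host, source_ip, username, ts)
        if verdict == ALLOW and not password_ok:
            # The device's log collection uploads the failure after the attempt.
            server.record_failure(host, source_ip, username, ts)
        verdicts.append(verdict)
    return verdicts


def single_point_lockouts(events, per_host_threshold=3):
    """Baseline from the Background: each host counts failures on its own."""
    counts = defaultdict(int)
    for _ts, host, source_ip, _user, password_ok in events:
        if not password_ok:
            counts[(host, source_ip)] += 1
    return {key for key, n in counts.items() if n > per_host_threshold}


# Constructed sample events (not real data).
HOSTS = ["host-a", "host-b", "host-c", "host-d"]
# Two failures per host, two minutes apart: stays under any per-host limit.
LOW_AND_SLOW = [(i * 120, HOSTS[i // 2], "203.0.113.7", "administrator", False)
                for i in range(8)]
# Seven attempts in seven seconds, spread over the hosts.
BURST = [(1000 + i, HOSTS[i % 4], "203.0.113.99", "administrator", False)
         for i in range(7)]
# A user who mistypes once and then logs in.
LEGIT = [(2000, "host-a", "198.51.100.20", "alice", False),
         (2010, "host-a", "198.51.100.20", "alice", True)]

if __name__ == "__main__":
    server = VerdictServer()
    print("per-host lockouts:", single_point_lockouts(LOW_AND_SLOW))
    print("low and slow     :", replay(server, LOW_AND_SLOW))
    print("burst            :", replay(server, BURST))
    print("legitimate user  :", replay(server, LEGIT))
```

In the low-and-slow run no single host ever sees more than two failures, so the per-host baseline never locks out, while the central server intercepts the source before host-d evaluates a single password.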
In an embodiment of the present application, the illegal behavior may be a brute-force cracking behavior of the source workstation on the computing device, or a malicious attack behavior of the source workstation on the computing device, which is not limited to this. The following description takes the illegal behavior as an example of the brute force cracking behavior of the workstation on the computing device:
Scenario 1: a source workstation maliciously brute-forces a certain computing device. The computing device reports the login failure events (equivalent to the login failure information in embodiment 1) collected by its log collection module to the server. The server analyzes the data in the database, finds that brute-force cracking is occurring, and notifies the SubAuth Module on the computing device to block the login behavior. Meanwhile, when other source workstations try to attack other computing devices, the SubAuth Modules on those computing devices send login request information to the server, and the server can directly issue an interception request (equivalent to step S206 in embodiment 1), directly blocking the login requests.
Scenario 2: a certain source workstation brute-forces a group of computing devices, but the number of attempts against each computing device is small. As the server receives login information many times, it performs matching according to the set rules; once behavior matching the brute-force rules is found, the server decides that logins from the source workstation are to be intercepted (equivalent to mode 1 and/or mode 2 in embodiment 1). Then, when the SubAuth Module of another computing device sees a login request from that source workstation and sends it to the server, the server issues an interception request (equivalent to step S206 in embodiment 1), preventing further brute-force requests.
Scenario 3: when a source workstation whose brute-force cracking has been discovered continues to brute-force the computing device, the SubAuth Module of the computing device sends the login request information to the server and at the same time delays the login process, returning failure information only after a certain time. This increases the cost of cracking and helps prevent brute-force cracking.
Fig. 3 is a schematic diagram of a method for implementing security defense of a computing device in scenario 1 according to an optional embodiment of the present application. As shown in fig. 3, login failure information of a source workstation on a host (computing device) is uploaded to a database (Database) in the server through the network module (NetWorker) in the host. When the server learns that the source workstation may brute-force other hosts, the logic module (Logic Module) in the server extracts data from the Database and analyzes it to obtain an analysis result (for example, the number of login failure records corresponding to the source workstation). The analysis result is input to the rule matching module (Rule Match) in the server for rule matching (for example, comparing the obtained number of records with a threshold preset in the rule matching module). From the comparison result, the rule matching module determines that the source workstation is brute-forcing other hosts, so an interception instruction is issued through the Logic Module to the SubAuth Modules of the other hosts, which carry out the interception.
It should be noted that, for simplicity of description, the above-mentioned method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present application is not limited by the order of acts described, as some steps may occur in other orders or concurrently depending on the application. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required in this application.
Through the above description of the embodiments, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but the former is a better implementation mode in many cases. Based on such understanding, the technical solutions of the present application may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, or a network device) to execute the method according to the embodiments of the present application.
Example 2
According to an embodiment of the present application, there is further provided a security defense method for a computing device, fig. 4 is a flowchart of the security defense method for a computing device according to an embodiment of the present application, and as shown in fig. 4, the method includes steps S402 to S406:
Step S402, the computing device sends login information to the server, where the login information is information about the source workstation requesting to log in to the computing device;
The computing device may be the computer terminal shown in fig. 1, or may be a mobile terminal, but is not limited thereto.
The login information includes at least one of the following: the IP address of the source workstation requesting to log in to the computing device, and the user name used by the source workstation requesting to log in to the computing device. The login information may be collected by a module of the computing device and sent to the server through a network module of the computing device.
It should be noted that the method can be applied to a Windows anti-brute-force cracking system, and can also be applied to anti-brute-force cracking systems of other operating systems, such as Android and iOS. Taking the Windows anti-brute-force cracking system as an example, step S402 may take the following form: during the login process in which the source workstation requests to log in to the computing device, the SubAuth Module in the computing device collects the login information, which is then reported to the server through the network module (i.e. NetWorker) of the computing device.
The server can be connected to a plurality of computing devices, and security defense for those computing devices can be implemented at the server. The computing device may be embodied as a client device or a server device, but is not limited thereto. The source workstation is the requester logging in to the computing device, and may be embodied as a computer device or a mobile terminal, but is not limited thereto.
Step S404, the computing device receives the notification information sent by the server; the notification information is information sent by the server when it judges that the specified behavior of the source workstation corresponding to the login information is illegal;
It should be noted that the method by which the server determines whether the specified behavior of the source workstation corresponding to the login information is legal is the same as the method in embodiment 1, and is not described again here.
In step S406, the computing device prevents the source workstation from logging into the computing device based on the notification information.
According to the method, the server analyzes and judges the login information sent by the computing device, and when the behavior of the source workstation requesting to log in to the computing device is judged to be illegal, the computing device receives the notification information sent by the server telling it to intercept. In other words, effective defense can be realized for a plurality of computing devices through the analysis and judgment of the server, which solves the technical problem in the related art that a plurality of computing devices cannot be defended against brute-force cracking by the source workstation.
In an embodiment of the present application, after step S406, the method may further include: the computing device sends login failure information to the server, wherein the login failure information is used to indicate that the source workstation failed to log in to the computing device. After the login failure information is sent to the server, it is stored in a database in the server, so that when the source workstation subsequently performs illegal behavior on the computing device or other computing devices again, the server can quickly judge the behavior to be illegal and quickly notify the computing device to prevent it.
Example 3
According to an embodiment of the present application, there is further provided an apparatus for implementing the security defense implementing method of the computing device, where fig. 5 is a block diagram of a structure of the security defense implementing apparatus of the computing device according to the embodiment of the present application, and as shown in fig. 5, the apparatus includes:
a receiving module 52, configured to receive login information sent by a computing device; wherein the login information is information about the source workstation requesting to log in to the computing device;
In an embodiment of the present application, the login information includes at least one of the following: IP address information of the source workstation requesting to log in to the computing device, and user name information used by the source workstation requesting to log in to the computing device.
The device can be positioned in a server, and the server can be connected with a plurality of computing devices and can perform security defense on the plurality of computing devices; the computing device may be embodied as a client device or a server device, but is not limited thereto; the source workstation is a requester for logging in the computing device, and may be embodied as a computer device or a mobile terminal, but is not limited thereto.
A determining module 54, connected to the receiving module 52, configured to determine whether a specified behavior of a source workstation corresponding to the login information is legal, where the specified behavior is a behavior of the source workstation requesting to login to the computing device;
In an embodiment of the present application, the determining module 54 is further configured to search a database of the server for a record corresponding to the login information and determine whether the specified behavior is legal according to the record, and/or to determine whether the amount of login information received within a predetermined time exceeds a first predetermined threshold; in the event that the amount exceeds the first predetermined threshold, the specified behavior is determined to be illegal.
It should be noted that the database stores source workstation information together with the corresponding information on failed logins to computing devices and/or successful logins to computing devices. By searching the database for the record corresponding to the login information, the determining module 54 can quickly find out whether the source workstation has login failure information from logging in to the computing device or other computing devices, that is, whether the source workstation has a bad record of malicious attack or brute-force cracking against the computing device or other computing devices, and can thereby determine that the specified behavior may be illegal.
Specifically, in one embodiment of the present application, the determining module 54 is further configured to determine that the specified behavior is illegal if the content of the record is a login failure of the source workstation. That is, if the determining module 54 finds that the source workstation has a bad record, the specified behavior corresponding to the source workstation is considered illegal.
The determining module 54 is further configured to count, among the records found, the number of records whose content is a login failure of the source workstation, and to determine that the specified behavior is illegal if that number exceeds a second predetermined threshold. The determining module 54 thus determines whether the specified behavior is legal by statistical analysis and matching comparison of the bad records corresponding to the source workstation.
It should be noted that the apparatus may further include a rule matching module, configured to preset the second predetermined threshold. The rule matching module can preset the threshold based on a configuration file, so that the second predetermined threshold can be adjusted by modifying the configuration file, which provides better flexibility and facilitates maintenance and upgrading.
The determining module 54 is further configured to determine whether the amount of login information received within a predetermined time exceeds a first predetermined threshold, and to determine that the specified behavior is illegal if the amount exceeds the first predetermined threshold.
A notification module 56, connected to the determination module 54, for notifying the computing device to prevent the source workstation from logging into the computing device if the specified behavior is not legal.
It is noted that notification module 56 may prevent the source workstation from logging into the computing device by sending an intercept request.
By the device, the receiving module 52 obtains login information of a source workstation requesting to login a computing device, the judging module 54 analyzes and judges the login information, and in the case that the behavior of the source workstation requesting to login the computing device is judged to be illegal, the notifying module 56 can timely notify the computing device to intercept, namely, the device can realize effective defense on a plurality of computing devices through analysis and judgment of the server, thereby solving the technical problem that the plurality of computing devices cannot be defended from brute force cracking of the source workstation in the related technology.
In an embodiment of the application, the apparatus may further include a database module configured to receive and store login failure information sent by the computing device, where the login failure information indicates that the source workstation failed to login to the computing device. The login failure information is stored in the database module, so that illegal behaviors can be quickly judged when the subsequent source workstation carries out illegal behaviors on the computing device or other computing devices again, and the illegal behaviors can be prevented.
It should be noted that the apparatus can be applied to the method described above, can be applied to a Windows anti-brute-force cracking system, and can also be applied to anti-brute-force cracking systems of other operating systems, such as Android and iOS, without being limited thereto. In an embodiment of the present application, the illegal behavior may be a brute-force cracking behavior of the source workstation against the computing device, or a malicious attack behavior of the source workstation against the computing device, but is not limited to these.
It should be noted that, the above modules may be implemented by software or hardware, and for the latter, the following may be implemented, but not limited to: the modules (e.g., the receiving module 52, the determining module 54, and the notifying module 56) may be located in the same processor, or the modules may be located in different processors.
Example 4
According to an embodiment of the present application, there is further provided an apparatus for implementing the security defense method for a computing device, where fig. 6 is a block diagram of a security defense apparatus for a computing device according to an embodiment of the present application, and as shown in fig. 6, the apparatus includes:
a sending module 62, configured to send login information to a server; the login information is information about the source workstation requesting to log in to the computing device;
It should be noted that the apparatus may be applied to a computing device, and the computing device may be the computer terminal shown in fig. 1, or may be a mobile terminal, but is not limited thereto; the computing device may be embodied as a client device or a server device, but is not limited thereto; the source workstation is a requester for logging in to the computing device, and may be embodied as a computer device or a mobile terminal, but is not limited thereto.
The login information includes at least one of the following: IP address information of the source workstation requesting to log in to the computing device, and user name information used by the source workstation requesting to log in to the computing device. The login information may be collected by a collection module of the computing device and sent to the server through the sending module 62. The server can be connected with a plurality of computing devices, and security defense for the computing devices can be realized at the server.
A receiving module 64, connected to the sending module 62, for receiving the notification information sent by the server; the notification information is sent by the server when it judges that the specified behavior of the source workstation corresponding to the login information is illegal;
It should be noted that the server's determination of whether the specified behavior of the source workstation corresponding to the login information is legal may be implemented by the determining module 54 in embodiment 3; the specific implementation is described in detail in embodiment 3 and is not described again here.
And a processing module 66, connected to the receiving module 64, for preventing the source workstation from logging into the computing device according to the notification information.
With the sending module 62, the receiving module 64 and the processing module 66, the device receives the notification information sent by the server telling the computing device to intercept. The server sends this notification information after analyzing and judging the login information sent by the computing device, when it judges the behavior of the source workstation requesting to log in to the computing device to be illegal. In other words, the device can effectively defend a plurality of computing devices through the analysis and judgment of the server, which solves the technical problem in the related art that a plurality of computing devices cannot be defended against brute-force cracking by the source workstation.
In an embodiment of the present application, the apparatus may further include a log collection module, configured to collect login failure information from the log system and send it to the database of the server through the sending module 62, for the server to use in its analysis when the source workstation subsequently performs illegal behavior on the computing device or other computing devices again.
It should be noted that the device can be applied to a Windows anti-brute-force cracking system, and can also be applied to anti-brute-force cracking systems of other operating systems, such as Android and iOS, but is not limited thereto. In an embodiment of the present application, the illegal behavior may be a brute-force cracking behavior of the source workstation against the computing device, or a malicious attack behavior of the source workstation against the computing device, but is not limited to these.
It should be noted that, the above modules may be implemented by software or hardware, and for the latter, the following may be implemented, but not limited to: the modules (e.g., the sending module 62, the receiving module 64, and the processing module 66) may all be in the same processor, or the modules may be located in different processors.
Example 5
According to an embodiment of the present application, there is further provided a security defense system of a computing device, fig. 7 is a block diagram of a security defense system of a computing device according to an embodiment of the present application, and as shown in fig. 7, the system includes: a server, a computing device;
a computing device 72 for sending login information to the server; wherein the login information is information about the source workstation requesting to log in to the computing device;
a server 74 connected to the computing device 72, configured to determine whether a specified behavior of the source workstation corresponding to the login information is legal, where the specified behavior is the behavior of the source workstation requesting to log in to the computing device; and, in the event that the specified behavior is not legal, to notify the computing device to prevent the source workstation from logging in to the computing device.
The login information includes at least one of the following: IP address information of the source workstation requesting to log in to the computing device, and user name information used by the source workstation requesting to log in to the computing device.
It should be noted that the computing device 72 may include a security defense apparatus of the computing device in embodiment 4, and the server 74 may include a security defense implementing apparatus of the computing device in embodiment 3. See the description of examples 3 and 4 for details, which are not repeated here. Multiple computing devices 72 may be connected to the server 74 to implement security defense for the multiple computing devices.
Through the system, the server acquires the login information of the source workstation requesting to log in to the computing device, analyzes and judges the login information, and can promptly notify the computing device to intercept when the behavior of the source workstation requesting to log in to the computing device is judged to be illegal. In other words, effective defense can be realized for a plurality of computing devices through the analysis and judgment of the server, which solves the technical problem in the related art that a plurality of computing devices cannot be defended against brute-force cracking by the source workstation.
The security defense system of the computing device is further explained below in connection with alternative embodiments.
An alternative embodiment of the present application provides a security defense system for a computing device under Windows. Fig. 8 is a block diagram of a security defense system for a computing device in an alternative embodiment of the present application. As shown in fig. 8, the system mainly includes a computing device 82 (host, corresponding to the computing device 72) and a server 84 (server, corresponding to the server 74).
The host may further include:
RDP Login Proc 822 (RDP login processor): Windows RDP login processing;
SubAuth Module 824 (a sub-authorization module, equivalent to the acquisition module and the processing module 66): configured to acquire the source workstation and user name of a login and to intercept login behavior within the serial processing flow of login verification; that is, it is inserted into the Windows RDP login process, collects the login IP and the login user name, uploads them to the server through the network module, and decides whether to pass or block the current login according to the processing result returned by the server;
NetworkWorker 826 (network module, equivalent to the sending module 62 and the receiving module 64): the network communication part of the host, used for network communication with the Server side to send and receive data;
Log Collect Module 828 (a log collecting module, equivalent to the log collection module in embodiment 4): configured to collect the result of whether a login succeeded, that is, to collect login success and failure information from the Windows log system and send it to the server through the network module.
The server may further include:
Logic Module 842 (logic module): processes the login information uploaded by the host and decides whether to pass or intercept according to the data and rules in the database; that is, it analyzes the login information of the hosts and judges whether a login request is a malicious attack behavior. The analysis is a comprehensive analysis based on multiple pieces of simple login information and results, and when it discovers that a source workstation is performing brute-force cracking, it issues an interception command so that login behaviors subsequently reported by other hosts are intercepted;
Database Module 844 (database module, equivalent to the database in embodiment 3): the database module in the Server, used for storing information such as login data;
Log Module 846;
Rule Match Module 848: implements the rule matching logic. Rule matching on the behavior analyzed by the logic module is based on a configuration file, so it is highly flexible, and rules can be maintained and upgraded by modifying the configuration file;
Rule Manager 8410 (rule management module): manages and updates rules;
White List 8412 (white list module): avoids false positives in special cases.
The logic module and the rule matching module correspond to the determining module 54 in embodiment 3.
In the system, the SubAuth Module provides reliable login process control. The Log Collection Module provides a reliable information acquisition mode. The Logic Module is based on big data processing, can effectively analyze the behavior purpose of the login request, and is different from simple single-host information recording judgment. The Rule Match makes a final detection result based on the behavior analysis of the Logic Module in a flexible and configurable manner. And the judgment of the login purpose can be automatically realized based on the analysis of big data.
It should be noted that, in an optional embodiment of the present application, multiple hosts may be connected to a unified Server, which analyzes login information and defends against possible attacks in time. When a machine connected to the Server finds that a source workstation is performing brute-force cracking against it, the machine can promptly notify the Server to record the data, and when the source workstation then performs brute-force cracking against other machines, the Server can promptly notify the machine under attack to defend against the cracking behavior of that source workstation. Meanwhile, if an attacker conducts breadth-based brute-force cracking, the Server can promptly discover that the source workstation is performing login behavior on a plurality of hosts. Such login behavior is abnormal for an ordinary user, so under a certain rule it can be classified as brute-force cracking, which triggers the defense mechanism of the hosts. This greatly raises the cost and difficulty for an attacker and better protects the security of the hosts.
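The server-side judgment described for the determining module 54 and for the Logic Module and Rule Match pair can be sketched as follows. This is an added example, not code from the patent: the class, field and reason names are hypothetical, the breadth rule (distinct hosts per source within the window) is one assumed reading of the "certain rule" mentioned above, and the events are constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Rules:
    """Stand-in for the rule configuration file; all field names are assumed."""
    window_seconds: int = 60      # the "predetermined time"
    first_threshold: int = 5      # login reports allowed per source in the window
    second_threshold: int = 3     # stored failure records allowed per source
    breadth_threshold: int = 3    # distinct hosts per source in the window (assumed)
    whitelist: frozenset = frozenset()


class DefenseServer:
    """Central judge shared by every connected host."""

    def __init__(self, rules):
        self.rules = rules
        self.reports = defaultdict(deque)  # source IP -> (timestamp, host, username)
        self.failures = defaultdict(int)   # source IP -> failure records, all hosts

    def record_result(self, source_ip, success):
        """Store the login outcome uploaded by a host's log collection module."""
        if not success:
            self.failures[source_ip] += 1

    def judge(self, source_ip, username, host, now):
        """Return (verdict, reason) for one login report from a host."""
        r = self.rules
        if source_ip in r.whitelist:
            return "pass", "whitelist"
        recent = self.reports[source_ip]
        recent.append((now, host, username))
        # Drop reports that fell out of the predetermined time window.
        while recent and now - recent[0][0] > r.window_seconds:
            recent.popleft()
        # Record lookup: bad records reported by any host count against the source.
        if self.failures[source_ip] > r.second_threshold:
            return "intercept", "failure_records"
        # Amount of login information received within the window.
        if len(recent) > r.first_threshold:
            return "intercept", "rate"
        # Breadth: one source touching many hosts within the window.
        if len({h for _, h, _ in recent}) > r.breadth_threshold:
            return "intercept", "breadth"
        return "pass", "ok"


def simulate(server, events):
    """Replay constructed events: (timestamp, source_ip, username, host, password_ok)."""
    verdicts = []
    for ts, ip, user, host, password_ok in events:
        verdict, reason = server.judge(ip, user, host, ts)
        # An intercepted login is also reported back as a login failure.
        server.record_result(ip, verdict == "pass" and password_ok)
        verdicts.append((host, verdict, reason))
    return verdicts


if __name__ == "__main__":
    # Constructed scenario: four failures on host-a, then a first attempt on host-b.
    attacker = "203.0.113.7"
    events = [(t, attacker, "admin", "host-a", False) for t in (0, 10, 20, 30)]
    events.append((40, attacker, "admin", "host-b", True))
    for row in simulate(DefenseServer(Rules()), events):
        print(row)
```

The last constructed event is the case the shared server exists for: host-b blocks the source on its very first attempt, because the failure records that justify the block were reported by host-a.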
Example 6
The embodiment of the application can provide a computer terminal, and the computer terminal can be any one computer terminal device in a computer terminal group. Optionally, in this embodiment, the computer terminal may also be replaced with a terminal device such as a mobile terminal.
Optionally, in this embodiment, the computer terminal may be located in at least one network device of a plurality of network devices of a computer network.
In this embodiment, the computer terminal may execute the program code of the following steps in the security defense implementation method of the computing device of the application program: receiving login information sent by a computing device, wherein the login information is information about the source workstation requesting to log in to the computing device; judging whether the specified behavior of the source workstation corresponding to the login information is legal, wherein the specified behavior is the behavior of the source workstation requesting to log in to the computing device; and, in the event that the specified behavior is not legal, notifying the computing device to prevent the source workstation from logging in to the computing device.
It should be noted that, multiple computing devices may be connected to the computer terminal, so as to implement security defense for the multiple computing devices. Specifically, reference may be made to the description of embodiment 1, which is not repeated herein.
Optionally, fig. 9 is a block diagram of a computer terminal according to an embodiment of the present application. As shown in fig. 9, the computer terminal a may include: one or more processors 92 (only one shown), memory 94, and transmission device 96.
The memory 94 may be configured to store software programs and modules, such as program instructions/modules corresponding to the security defense implementing method and apparatus of the computing device in the embodiment of the present application, and the processor 92 executes various functional applications and data processing by running the software programs and modules stored in the memory 94, so as to implement the security defense implementing method of the computing device. The memory 94 may include high speed random access memory and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 94 may further include memory located remotely from the processor 92, which may be connected to the computer terminal a via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The processor may invoke the memory-stored information and applications via the transmission device 96 to perform the following steps: receiving login information sent by a computing device, wherein the login information is information about the source workstation requesting to log in to the computing device; judging whether the specified behavior of the source workstation corresponding to the login information is legal, wherein the specified behavior is the behavior of the source workstation requesting to log in to the computing device; and, in the event that the specified behavior is not legal, notifying the computing device to prevent the source workstation from logging in to the computing device.
The embodiment of the present application thus provides a computer terminal scheme for realizing security defense of computing devices. The computer terminal obtains the login information of a source workstation requesting to log in to a computing device, analyzes and judges the login information, and can promptly notify the computing device to intercept when the behavior of the source workstation requesting to log in to the computing device is judged to be illegal. In other words, effective defense can be realized for a plurality of computing devices through analysis and judgment, which solves the technical problem in the related art that a plurality of computing devices cannot be defended against brute-force cracking by the source workstation.
It can be understood by those skilled in the art that the structure shown in fig. 9 is only an illustration, and the computer terminal may also be a terminal device such as a smart phone (e.g., an Android phone, an iOS phone, etc.), a tablet computer, a palmtop computer, a Mobile Internet Device (MID), a PAD, and the like. Fig. 9 is a diagram illustrating a structure of the electronic device. For example, the computer terminal a may also include more or fewer components (e.g., network interfaces, display devices, etc.) than shown in fig. 9, or have a different configuration than shown in fig. 9.
Those skilled in the art will appreciate that all or part of the steps in the methods of the above embodiments may be implemented by a program instructing hardware associated with the terminal device, where the program may be stored in a computer-readable storage medium, and the storage medium may include: flash disks, Read-Only memories (ROMs), Random Access Memories (RAMs), magnetic or optical disks, and the like.
Example 7
Embodiments of the present application also provide a storage medium. Optionally, in this embodiment, the storage medium may be configured to store the program code executed by the security defense implementing method of the computing device provided in embodiment 1.
Optionally, in this embodiment, the storage medium may be located in any one of computer terminals in a computer terminal group in a computer network, or in any one of mobile terminals in a mobile terminal group.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps: receiving login information sent by a computing device, wherein the login information is information about the source workstation requesting to log in to the computing device; judging whether the specified behavior of the source workstation corresponding to the login information is legal, wherein the specified behavior is the behavior of the source workstation requesting to log in to the computing device; and, in the event that the specified behavior is not legal, notifying the computing device to prevent the source workstation from logging in to the computing device.
The above-mentioned serial numbers of the embodiments of the present application are merely for description and do not represent the merits of the embodiments.
In the above embodiments of the present application, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the embodiments provided in the present application, it should be understood that the disclosed technology can be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one type of division of logical functions, and there may be other divisions when actually implemented, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, units or modules, and may be in an electrical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application, in essence or in the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes: a U-disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic or optical disk, and other various media capable of storing program code.
The foregoing is only a preferred embodiment of the present application. It should be noted that those skilled in the art can make several improvements and modifications without departing from the principle of the present application, and these improvements and modifications should also be considered to fall within the protection scope of the present application.

Claims (12)

1. A method for implementing security defense of a computing device, comprising:
the server receives login information sent by the computing device, wherein the login information is information about a source workstation requesting to log in to the computing device and includes IP address information of the source workstation requesting to log in to the computing device, and wherein the server is connected with a plurality of computing devices;
the server judges whether a specified behavior of the source workstation corresponding to the login information is legal, wherein the specified behavior is the behavior of the source workstation requesting to log in to the computing device;
wherein the server judging whether the specified behavior of the source workstation corresponding to the login information is legal comprises at least one of the following:
the server searches a database of the server for a record corresponding to the login information, and determines whether the specified behavior is legal according to the record, wherein the record comprises: information on successful logins to the computing device and/or information on failed logins to the computing device;
the server judges whether the quantity of login information received by the server within a preset time exceeds a first preset threshold, and in the event that the quantity exceeds the first preset threshold, the server determines that the specified behavior is illegal;
in the event that the specified behavior is not legal, the server notifies the computing device to prevent the source workstation from logging in to the computing device.
2. The method of claim 1, wherein the login information further comprises: username information used by the source workstation requesting to log in to the computing device.
3. The method of claim 1, wherein the server determining from the record whether the specified behavior is legitimate comprises at least one of:
in the case that the content of the record is that the source workstation failed to log in, the server determines that the specified behavior is illegal;
the server counts, among the records found, the number of records whose content is a login failure of the source workstation; in the event that the number of records exceeds a second predetermined threshold, the server determines that the specified behavior is illegal.
4. The method of any of claims 1-3, wherein after the server notifies the computing device to prevent the source workstation from logging in to the computing device, the method further comprises: the server receives login failure information sent by the computing device, wherein the login failure information is used for indicating that the source workstation failed to log in to the computing device; and the server records the login failure information in a database of the server.
5. A method of security defense for a computing device, comprising:
the computing device sends login information to the server, wherein the login information is information about a source workstation requesting to log in to the computing device and includes IP address information of the source workstation requesting to log in to the computing device, and wherein the server is connected with a plurality of computing devices;
the computing device receives notification information sent by the server, wherein the notification information is information sent by the server when it judges that a specified behavior of the source workstation corresponding to the login information is illegal, and wherein the server judging whether the specified behavior of the source workstation corresponding to the login information is legal comprises at least one of the following:
the server searches a database of the server for a record corresponding to the login information, and determines whether the specified behavior is legal according to the record, wherein the record comprises: information on successful logins to the computing device and/or information on failed logins to the computing device;
the server judges whether the quantity of login information received by the server within a preset time exceeds a first preset threshold, and in the event that the quantity exceeds the first preset threshold, the server determines that the specified behavior is illegal;
and the computing device prevents the source workstation from logging in to the computing device according to the notification information.
6. The method of claim 5, wherein the login information further comprises: username information used by the source workstation requesting to log in to the computing device.
7. The method of claim 6, wherein after the computing device prevents the source workstation from logging in to the computing device based on the notification information, the method further comprises:
the computing device sends login failure information to the server, wherein the login failure information is used to indicate that the source workstation failed to log in to the computing device.
8. A security defense implementing apparatus of a computing device, applied to a server, comprising:
a receiving module, configured to receive login information sent by the computing device, wherein the login information is information about a source workstation requesting to log in to the computing device and includes IP address information of the source workstation requesting to log in to the computing device, and wherein the server is connected with a plurality of computing devices;
a judging module, configured to judge whether a specified behavior of the source workstation corresponding to the login information is legal, wherein the specified behavior is the behavior of the source workstation requesting to log in to the computing device, and wherein the server judging whether the specified behavior of the source workstation corresponding to the login information is legal comprises at least one of the following:
the server searches a database of the server for a record corresponding to the login information, and determines whether the specified behavior is legal according to the record, wherein the record comprises: information on successful logins to the computing device and/or information on failed logins to the computing device;
the server judges whether the quantity of login information received by the server within a preset time exceeds a first preset threshold, and in the event that the quantity exceeds the first preset threshold, the server determines that the specified behavior is illegal;
a notification module, configured to notify the computing device to prevent the source workstation from logging in to the computing device if the specified behavior is not legal.
9. The apparatus of claim 8, wherein the login information comprises: username information used by the source workstation requesting to log in to the computing device.
10. A security defense apparatus of a computing device, applied to the computing device, comprising:
a sending module, configured to send login information to the server, wherein the login information is information about a source workstation requesting to log in to the computing device and includes IP address information of the source workstation requesting to log in to the computing device, and wherein the server is connected with a plurality of computing devices;
a receiving module, configured to receive notification information sent by the server, wherein the notification information is sent by the server when the server judges that a specified behavior of the source workstation corresponding to the login information is illegal, and wherein the server judging whether the specified behavior of the source workstation corresponding to the login information is legal comprises at least one of the following:
the server searches a database of the server for a record corresponding to the login information, and determines whether the specified behavior is legal according to the record, wherein the record comprises: information on successful logins to the computing device and/or information on failed logins to the computing device;
the server judges whether the quantity of login information received by the server within a preset time exceeds a first preset threshold, and in the event that the quantity exceeds the first preset threshold, the server determines that the specified behavior is illegal;
and a processing module, configured to prevent the source workstation from logging in to the computing device according to the notification information.
11. The apparatus of claim 10, wherein the login information comprises: username information used by the source workstation requesting to log in to the computing device.
12. A security defense system for a computing device, comprising: a server, a computing device;
the computing device is configured to send login information to the server, wherein the login information is information about a source workstation requesting to log in to the computing device and includes IP address information of the source workstation requesting to log in to the computing device, and wherein the server is connected with a plurality of computing devices;
the server is configured to judge whether a specified behavior of the source workstation corresponding to the login information is legal, wherein the specified behavior is the behavior of the source workstation requesting to log in to the computing device, and, in the event that the specified behavior is not legal, to notify the computing device to prevent the source workstation from logging in to the computing device;
wherein the server judging whether the specified behavior of the source workstation corresponding to the login information is legal comprises at least one of the following:
the server searches a database of the server for a record corresponding to the login information, and determines whether the specified behavior is legal according to the record, wherein the record comprises: information on successful logins to the computing device and/or information on failed logins to the computing device;
the server judges whether the quantity of login information received by the server within a preset time exceeds a first preset threshold, and in the event that the quantity exceeds the first preset threshold, the server determines that the specified behavior is illegal.
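The server-side judgment of claims 1, 3 and 4, sketched as an added example (not code from the patent): one server counts login reports per source IP across all connected devices and consults its stored failure records. The class and function names, threshold values and sample reports are assumptions; the sketch uses the counting alternative of claim 3 and assumes devices also report the outcome of logins they allowed.

```python
from collections import defaultdict, deque


class LoginDefenseServer:
    """Central judge for login reports forwarded by many computing devices."""

    def __init__(self, window_s=60, first_threshold=5, second_threshold=3):
        self.window_s = window_s                  # the "preset time" of claim 1
        self.first_threshold = first_threshold    # max reports per source IP per window
        self.second_threshold = second_threshold  # max recorded failures (claim 3)
        self.recent = defaultdict(deque)          # source IP -> report timestamps
        self.records = defaultdict(list)          # source IP -> "success"/"failure" records

    def judge(self, source_ip, now):
        """Return "block" if the login request is judged illegal, else "allow"."""
        window = self.recent[source_ip]
        window.append(now)
        while now - window[0] > self.window_s:    # drop reports older than the window
            window.popleft()
        if len(window) > self.first_threshold:    # rate check across ALL devices
            return "block"
        failures = self.records[source_ip].count("failure")
        if failures > self.second_threshold:      # history check against the database
            return "block"
        return "allow"

    def record(self, source_ip, outcome):
        self.records[source_ip].append(outcome)


def replay(events, server):
    """Feed (time, device, source_ip, username, password_ok) reports to the server."""
    decisions = []
    for t, device, source_ip, _username, password_ok in events:
        verdict = server.judge(source_ip, t)
        if verdict == "block":
            # Claim 4: the device refuses the login and reports it as a failure.
            server.record(source_ip, "failure")
        else:
            # Assumption: devices also report the outcome of logins they allowed.
            server.record(source_ip, "success" if password_ok else "failure")
        decisions.append((t, device, source_ip, verdict))
    return decisions


# Constructed sample reports: one source spreads guesses over four devices,
# so no single device ever sees more than two attempts from it.
CONSTRUCTED_EVENTS = [
    (0,   "host-1", "203.0.113.7",   "root",  False),
    (5,   "host-2", "203.0.113.7",   "root",  False),
    (10,  "host-3", "203.0.113.7",   "admin", False),
    (15,  "host-4", "203.0.113.7",   "admin", False),
    (20,  "host-1", "203.0.113.7",   "test",  False),
    (25,  "host-2", "198.51.100.20", "alice", True),
    (300, "host-3", "203.0.113.7",   "root",  True),
]

if __name__ == "__main__":
    for row in replay(CONSTRUCTED_EVENTS, LoginDefenseServer()):
        print(row)
```

The last report is blocked although the rate window has expired and the password is correct, because the failure records for that source IP persist in the server's database.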
CN201610105483.0A 2016-02-25 2016-02-25 Security defense and implementation method, device and system of computing equipment Active CN107124390B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610105483.0A CN107124390B (en) 2016-02-25 2016-02-25 Security defense and implementation method, device and system of computing equipment

Publications (2)

Publication Number Publication Date
CN107124390A CN107124390A (en) 2017-09-01
CN107124390B true CN107124390B (en) 2021-05-04

Family

ID=59717084

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610105483.0A Active CN107124390B (en) 2016-02-25 2016-02-25 Security defense and implementation method, device and system of computing equipment

Country Status (1)

Country Link
CN (1) CN107124390B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109842587B (en) * 2017-11-27 2021-11-12 北京京东尚科信息技术有限公司 Method and device for monitoring system safety

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1780206A (en) * 2004-11-23 2006-05-31 华为技术有限公司 Internet identity authentication and system
CN102307097A (en) * 2011-09-02 2012-01-04 深圳中兴网信科技有限公司 User identity authentication method and system
CN103200169A (en) * 2013-01-30 2013-07-10 中国科学院自动化研究所 Method and system of user data protection based on proxy
CN103379108A (en) * 2012-04-28 2013-10-30 中国邮政储蓄银行股份有限公司 Flexible and safe concentrated identity authentication method

Family Cites Families (24)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101421968B (en) * 2003-12-23 2011-01-26 万朝维亚有限公司 Authentication system for networked computer applications
CN1588850A (en) * 2004-06-30 2005-03-02 大唐微电子技术有限公司 Network identifying method and system
CN2891499Y (en) * 2005-12-21 2007-04-18 梁剑豪 Network-based declaration system
CN1874227A (en) * 2006-06-09 2006-12-06 中国民生银行股份有限公司 Network site system with defensive pseudo network, and defensive method of pseudo network site
US8151326B2 (en) * 2006-12-08 2012-04-03 Core Mobility, Inc. Using audio in N-factor authentication
CN101252436B (en) * 2008-03-27 2011-11-23 上海柯斯软件有限公司 Smart card dynamic password creating and judging system
US8281377B1 (en) * 2008-04-15 2012-10-02 Desktone, Inc. Remote access manager for virtual computing services
CN101719238B (en) * 2009-11-30 2013-09-18 中国建设银行股份有限公司 Method and system for managing, authenticating and authorizing unified identities
CN102469080B (en) * 2010-11-11 2015-07-15 中国电信股份有限公司 Method for pass user to realize safety login application client and system thereof
CN102487380B (en) * 2010-12-01 2016-09-07 中兴通讯股份有限公司 Desktop virtual terminal entrusting method and system
CN102333081B (en) * 2011-08-03 2014-01-22 北京星网锐捷网络技术有限公司 Authentication method, equipment and system
CN102368768B (en) * 2011-10-12 2014-04-02 北京星网锐捷网络技术有限公司 Identification method, equipment and system as well as identification server
CN102739658B (en) * 2012-06-16 2015-09-30 华南师范大学 A kind of offline verification method of single-sign-on
CN102946397B (en) * 2012-11-26 2015-11-25 北京奇虎科技有限公司 User authen method and system
CN103841091B (en) * 2012-11-26 2017-05-10 ***通信集团公司 safety login method, device and system
CN103746995B (en) * 2014-01-03 2017-09-26 汉柏科技有限公司 User's management-control method and system for secure network
CN103888459B (en) * 2014-03-25 2017-04-19 深信服网络科技(深圳)有限公司 Method and device for detecting intranet intrusion of network
CN104301316A (en) * 2014-10-13 2015-01-21 中国电子科技集团公司第二十八研究所 Single sign-on system and implementation method thereof
CN104468599A (en) * 2014-12-18 2015-03-25 浪潮(北京)电子信息产业有限公司 Method and system for achieving session sharing among multiple applications
CN104639562B (en) * 2015-02-27 2018-03-13 飞天诚信科技股份有限公司 A kind of system of pushing certification and the method for work of equipment
CN105024819B (en) * 2015-05-29 2019-02-12 北京中亦安图科技股份有限公司 A kind of multiple-factor authentication method and system based on mobile terminal
CN104902028B (en) * 2015-06-19 2019-02-15 广州密码科技有限公司 A kind of a key login authentication method, apparatus and system
CN105162775A (en) * 2015-08-05 2015-12-16 深圳市方迪科技股份有限公司 Logging method and device of virtual machine
CN105162774B (en) * 2015-08-05 2018-08-24 深圳市方迪融信科技有限公司 Virtual machine entry method, the virtual machine entry method and device for terminal

Also Published As

Publication number Publication date
CN107124390A (en) 2017-09-01

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant