CN110381065A - Protocol cracking monitoring method, device, server and storage medium - Google Patents
- Publication number: CN110381065A
- Application number: CN201910666790.XA
- Authority: CN (China)
- Prior art keywords: protocol data, target uplink, target, uplink protocol, data
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1441: Countermeasures against malicious traffic
- H04L69/26: Special purpose or proprietary protocols or architectures
Abstract
The application provides a protocol cracking monitoring method, device, server and storage medium. Target uplink protocol data is obtained (the target uplink protocol data is the uplink protocol data sent by the application's client to the application's server, after the server has decrypted it); the target protocol cracking monitoring rule corresponding to the protocol type of the target uplink protocol data is determined; and the target uplink protocol data is then analyzed against that rule to determine whether it is dirty data for cracking the application's protocol. The application can promptly analyze the uplink protocol data sent by the client to the server, in the decrypted form produced by the server, and determine whether that target uplink protocol data is dirty data for cracking the application's protocol. The plug-in attacker's cracking behavior is thereby monitored while the attacker is still in the process of cracking the protocol, which improves the timeliness of protocol cracking monitoring.
Description
Technical field
The present invention relates to the field of monitoring technology, and more specifically to a protocol cracking monitoring method, device, server and storage medium.
Background art
"Protocol" is short for network protocol. A network protocol is a set of conventions that both communicating computers must follow, such as how to establish a connection and how to identify each other; computers can communicate with one another only by observing these conventions. In the gaming field, for example, the protocol takes the form of the interactive communication between client and server.
Protocol cracking is a mainstream plug-in (cheat) attack technique: by cracking the protocol, a plug-in developer can discover protocol vulnerabilities and modify protocol contents to profit illicitly. At present, protocol cracking is monitored mainly through spectrum platform monitoring, which analyzes the application's logs to find users with abnormal behavior. For example, once a plug-in attacker has mastered a protocol vulnerability of a game application, farming game items in large quantities produces abnormal behavior; spectrum platform monitoring can analyze the game application's logs, find that abnormal behavior and identify the plug-in attacker, thereby monitoring protocol cracking.
Spectrum platform monitoring is an after-the-fact protocol cracking monitoring scheme: protocol cracking can be detected only after the plug-in developer has already cracked the protocol and profited from the protocol vulnerability, so the timeliness of protocol cracking monitoring is poor.
Summary of the invention
In view of this, to solve the above problems, the present invention provides a protocol cracking monitoring method, device, server and storage medium that monitor a plug-in attacker's protocol cracking behavior while the attacker is in the process of cracking the protocol, improving the timeliness of protocol cracking monitoring. The technical solution is as follows:
A protocol cracking monitoring method, comprising:
obtaining target uplink protocol data, the target uplink protocol data being obtained after the server decrypts the uplink protocol data sent by the application's client to the application's server;
determining the protocol type of the target uplink protocol data using the protocol type identifier carried by the target uplink protocol data;
looking up a preset correspondence between protocol types and protocol cracking monitoring rules, and determining the target protocol cracking monitoring rule corresponding to the protocol type of the target uplink protocol data;
analyzing the target uplink protocol data based on the target protocol cracking monitoring rule to obtain a monitoring result for the target uplink protocol data, the monitoring result indicating whether the target uplink protocol data is dirty data for cracking the application's protocol.
A protocol cracking monitoring device, comprising:
a target uplink protocol data acquiring unit, for obtaining target uplink protocol data, the target uplink protocol data being obtained after the server decrypts the uplink protocol data sent by the application's client to the application's server;
a protocol type determination unit, for determining the protocol type of the target uplink protocol data using the protocol type identifier carried by the target uplink protocol data;
a target protocol cracking monitoring rule determination unit, for looking up the preset correspondence between protocol types and protocol cracking monitoring rules and determining the target protocol cracking monitoring rule corresponding to the protocol type of the target uplink protocol data;
a monitoring unit, for analyzing the target uplink protocol data based on the target protocol cracking monitoring rule to obtain a monitoring result for the target uplink protocol data, the monitoring result indicating whether the target uplink protocol data is dirty data for cracking the application's protocol.
A server, comprising at least one memory and at least one processor; the memory stores a program, and the processor calls the program stored in the memory, the program being used to implement the protocol cracking monitoring method.
A storage medium storing computer-executable instructions, the computer-executable instructions being used to execute the protocol cracking monitoring method.
The application provides a protocol cracking monitoring method, device, server and storage medium. Target uplink protocol data is obtained (the target uplink protocol data is the uplink protocol data sent by the application's client to the application's server, after the server has decrypted it); the target protocol cracking monitoring rule corresponding to the protocol type of the target uplink protocol data is determined; and the target uplink protocol data is then analyzed against that rule to determine whether it is dirty data for cracking the application's protocol. The application can promptly analyze the uplink protocol data sent by the client to the server, in the decrypted form produced by the server, and determine whether that target uplink protocol data is dirty data for cracking the application's protocol. The plug-in attacker's cracking behavior is thereby monitored while the attacker is still in the process of cracking the protocol, which improves the timeliness of protocol cracking monitoring.
Brief description of the drawings
To explain the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from the drawings provided without creative effort.
Fig. 1 is a structural diagram of a protocol cracking monitoring system provided by an embodiment of the present application;
Fig. 2(a) is a schematic diagram of uplink protocol data provided by an embodiment of the present application;
Fig. 2(b) is a schematic diagram of target uplink protocol data provided by an embodiment of the present application;
Fig. 2(c) is a schematic diagram of the protocol contents of target uplink protocol data provided by an embodiment of the present application;
Fig. 3 is a hardware structure block diagram of a protocol monitoring server provided by an embodiment of the present application;
Fig. 4 is a flowchart of a protocol cracking monitoring method provided by an embodiment of the present application;
Fig. 5 is a flowchart of a method, provided by an embodiment of the present application, of analyzing target uplink protocol data based on the target protocol cracking monitoring rule to obtain the monitoring result of the target uplink protocol data;
Fig. 6 is a flowchart of another method, provided by an embodiment of the present application, of analyzing target uplink protocol data based on the target protocol cracking monitoring rule to obtain the monitoring result of the target uplink protocol data;
Fig. 7 is a flowchart of a method, provided by an embodiment of the present application, of comparing at least one target uplink protocol data with at least one standard target uplink protocol data to obtain a second result;
Fig. 8 is a flowchart of yet another method, provided by an embodiment of the present application, of analyzing target uplink protocol data based on the target protocol cracking monitoring rule to obtain the monitoring result of the target uplink protocol data;
Fig. 9 is a structural diagram of a protocol cracking monitoring device provided by an embodiment of the present application.
Specific embodiment
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
Embodiment:
Protocol cracking is currently a mainstream plug-in attack technique. Taking a game application as an example, the protocol structure of a game application is a black box to a plug-in developer. To crack the protocol structure of the game application, the plug-in developer must first analyze the protocol structure by means such as reverse engineering, and then try, by trial and error, to find vulnerabilities in the game application's protocol, thereby achieving the goal of cracking the protocol.
The prior art generally uses the spectrum platform monitoring method to monitor protocol cracking. This approach can find users with abnormal behavior only by analyzing the logs the game application generates at run time, and only after the plug-in developer has found a protocol vulnerability in the game application and profited from it. For example, if a plug-in developer uses a protocol vulnerability of the game application it has mastered to farm game items in large quantities, analysis of the game application's logs will usually find the user who farmed large quantities of game items, and that user is determined to be a user with abnormal behavior.
The spectrum platform monitoring method monitors protocol cracking by analyzing the abnormal behavior produced when a vulnerability in the protocol structure is exploited, that is, after the plug-in developer has already cracked the application's protocol structure. This monitoring approach can find the problem only after it has occurred: the fact that the protocol has been cracked is discovered only after the cracking has taken place, so the timeliness of protocol cracking monitoring is poor.
Through research, the inventor found that in the existing protocol cracking process, after the application's protocol structure has been analyzed by means such as reverse engineering, vulnerabilities in the application's protocol have to be found by trial and error. The trial-and-error process usually consists of modifying the uplink protocol data that the application's client sends to the application's server, so it inevitably produces some "dirty data". "Dirty data" can be regarded as abnormal uplink protocol data sent by the application's client to the application's server for the purpose of cracking the application's protocol structure. On this basis, the inventor further found that by monitoring dirty data, protocol cracking behavior can be monitored during the cracking process itself, which improves the timeliness of protocol cracking monitoring.
The protocol cracking monitoring method provided by the embodiments of the present application is applied to a protocol cracking monitoring system. Fig. 1 is a structural diagram of a protocol cracking monitoring system provided by an embodiment of the present application.
As shown in Fig. 1, the protocol cracking monitoring system includes the application's client 11, the application's server 12, and a protocol monitoring server 13. The application's server 12 includes an access component 121 and a codec component 122, and provides technical support for the application's client.
As a preferred implementation of the embodiments, the access component may be the Tconnd access component, a general-purpose TCP/UDP access component that integrates functions such as data encryption, authentication, compression and decryption.
In the embodiments, the codec component is preferably used mainly to parse the protocol. As a preferred implementation, the codec component may be the TDR common codec component.
The above is only one specific implementation of the access component and the codec component provided by the embodiments; the inventor may configure the details of the access component and the codec component as needed, and no limitation is imposed here.
In the embodiments, the application includes the client 11 and the server 12, and protocol data sent by the client 11 to the server 12 is regarded as uplink protocol data. Further, the client may send uplink protocol data to the server through TGW, where TGW is a unified access gateway: the client's uplink protocol data reaches the unified access gateway TGW over the public network and is then forwarded by TGW to the application's server.
As a preferred implementation, the application's server 12 may be regarded as the network-side service equipment that serves the application's users; it may be a server cluster made up of multiple servers or a single server.
The application's server 12 includes the access component 121 and the codec component 122. The access component and codec component shown in Fig. 1 may be located on the same server within the application's server 12, or on different servers within it.
Referring to Fig. 1, the uplink protocol data of the application's client 11 [for its data content see Fig. 2(a)] reaches the unified gateway TGW over the public network and is forwarded by TGW to the application's server 12. The access component in the server 12 [a TCP/UDP access component, for example the tconnd access component] authenticates, decrypts and decompresses it to obtain the target uplink protocol data [for its data content see Fig. 2(b)], and a communication component then distributes the target uplink protocol data to a server within the application's server 12. After receiving the target uplink protocol data, that server parses it using the TDR component together with the application's protocol parsing file to obtain the protocol contents of the target uplink protocol data [see Fig. 2(c)].
In the embodiments, on the basis of the process in which the communication component distributes the target uplink protocol data to a server within the application's server 12, the protocol monitoring server can obtain the target uplink protocol data generated in the access component.
As a preferred implementation, a copy bypass may be set up in the access component so that a copy of the target uplink protocol data is forwarded to the protocol monitoring server.
Further, referring to Fig. 1, the protocol cracking monitoring system provided by the embodiments also includes SR (SecurityRadar, a mobile game security vulnerability testing tool) 14. Based on its testing of the application, SR can generate the application's protocol parsing file. Accordingly, the protocol monitoring server can parse the target uplink protocol data using the protocol parsing file generated by SR to obtain the protocol contents of the target uplink protocol data.
In the embodiments, after parsing the target uplink protocol data to obtain its protocol contents, the protocol monitoring server analyzes the protocol contents to determine whether the target uplink protocol data is dirty data for cracking the protocol.
The protocol cracking monitoring method provided by the embodiments is described in detail below from the perspective of the protocol monitoring server.
The protocol cracking monitoring method provided by the embodiments can be applied to a protocol monitoring server. The protocol monitoring server may be network-side service equipment that serves users; it may be a server cluster made up of multiple servers or a single server.
Optionally, Fig. 3 shows a hardware structure block diagram of the protocol monitoring server. Referring to Fig. 3, the hardware structure of the protocol monitoring server may include a processor 31, a communication interface 32, a memory 33 and a communication bus 34.
In the embodiments of the present invention, there may be at least one each of the processor 31, communication interface 32, memory 33 and communication bus 34, and the processor 31, communication interface 32 and memory 33 communicate with one another over the communication bus 34.
The processor 31 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present invention.
The memory 33 may include high-speed RAM and may also include non-volatile memory, for example at least one disk memory.
The memory stores a program that the processor can call, and the program is used to:
obtain target uplink protocol data, the target uplink protocol data being obtained after the server decrypts the uplink protocol data sent by the application's client to the application's server;
determine the protocol type of the target uplink protocol data using the protocol type identifier carried by the target uplink protocol data;
look up the preset correspondence between protocol types and protocol cracking monitoring rules, and determine the target protocol cracking monitoring rule corresponding to the protocol type of the target uplink protocol data;
analyze the target uplink protocol data based on the target protocol cracking monitoring rule to obtain the monitoring result of the target uplink protocol data, the monitoring result indicating whether the target uplink protocol data is dirty data for cracking the application's protocol.
The protocol monitoring server provided by the embodiments obtains the target uplink protocol data without affecting the sending of target uplink data from the application's access component to the application's codec component. It then obtains the protocol type identifier in the target uplink protocol data, determines the protocol type of the target uplink protocol data, determines the target protocol cracking monitoring rule corresponding to that protocol type, and analyzes the target uplink protocol data based on the target protocol cracking monitoring rule to obtain the monitoring result of the target uplink protocol data.
To make the function of the protocol monitoring server easier to understand, the protocol cracking monitoring method applied to the protocol monitoring server is now described in detail with reference to Fig. 4.
As shown in Fig. 4, the method includes:
S401: obtain target uplink protocol data, the target uplink protocol data being obtained after the server decrypts the uplink protocol data sent by the application's client to the application's server;
In the embodiments, the application's client 11 sends uplink protocol data to the access component 121 in the application's server 12, and the access component 121 decrypts the uplink protocol data to obtain the target uplink protocol data. After the access component has decrypted the uplink protocol data to obtain the target uplink protocol data, the target uplink protocol data can not only be sent by the communication component to the codec component 122 in the application's server 12, but can also be obtained by the protocol monitoring server.
The application's server 12 may include one or more servers; the access component 121 and the codec component 122 may be located on the same server within the application's server 12, or on different servers within it.
As a preferred implementation, after receiving the uplink protocol data, the access component authenticates, decrypts and decompresses it to obtain the target uplink protocol data.
S402: determine the protocol type of the target uplink protocol data using the protocol type identifier carried by the target uplink protocol data;
As can be seen from Fig. 2(b), the target uplink protocol data carries a protocol type identifier, and different protocol type identifiers correspond to different protocol types. In a game application, the protocol types may be a purchase-game-item protocol type, an attack protocol type, a task protocol type (for example, a fishing task protocol type), and so on.
In the embodiments, the application's protocol preferably includes multiple protocol types. The protocol type identifier corresponding to each protocol type is unique, and different protocol types correspond to different protocol type identifiers. However, because the correspondence between protocol type identifiers and protocol types in the application cannot be obtained directly, it can be determined by analyzing the behavior logs generated while the application runs, and then preset. The protocol type corresponding to the protocol type identifier carried by the target uplink protocol data can then be found by looking up this preset correspondence, and the protocol type found is taken as the protocol type of the target uplink protocol data.
The above is only the preferred content of the protocol types provided by the embodiments; the inventor may configure the details of the protocol types as needed, and no limitation is imposed here.
As a preferred implementation, after the target uplink protocol data is obtained, the protocol type identifier in it can be read, the protocol type corresponding to that identifier determined, and the determined protocol type taken as the protocol type of the target uplink protocol data.
Further, in the protocol cracking monitoring method provided by the embodiments, at least one target protocol type may also be preset. After the protocol type of the target uplink protocol data is determined, it is judged whether that protocol type is one of the at least one target protocol type; if so, step S403 is executed; if not, the target uplink protocol data is determined not to be dirty data.
The application's protocol involves many protocol types, and checking the target uplink protocol data of every protocol type would consume considerable machine resources. Therefore, as a preferred implementation, at least one protocol type can be chosen from the application's protocol types, and each chosen protocol type is determined to be a target protocol type.
In the embodiments, the protocol types that are easily attacked by plug-in developers are preferably chosen from the application's protocol types as target protocol types. The above is only a preferred way of choosing target protocol types from the application's protocol types; the inventor may configure the specific way of choosing target protocol types as needed, and no limitation is imposed here.
S403: look up the preset correspondence between protocol types and protocol cracking monitoring rules, and determine the target protocol cracking monitoring rule corresponding to the protocol type of the target uplink protocol data;
In the embodiments, the correspondence between protocol types and protocol cracking monitoring rules can be preset, so that once the protocol type of the target uplink protocol data has been determined, the protocol cracking monitoring rule corresponding to that protocol type is looked up and the rule found is taken as the target protocol cracking monitoring rule.
As a preferred implementation, one or more protocol cracking monitoring rules may be found, and each rule found is taken as a target protocol cracking monitoring rule. Different types of protocol cracking monitoring rule indicate different monitoring modes, and each target protocol cracking monitoring rule found for the protocol type of the target uplink protocol data indicates a different monitoring mode.
Analysis of the protocol cracking process shows that, when digging for protocol vulnerabilities, plug-in developers usually use the following trial-and-error modes: modifying protocol field values, modifying the protocol sequence, raising the protocol sending frequency, and so on.
In the embodiments, each protocol type may correspond to one or more trial-and-error modes. The monitoring mode generally used for the "modify protocol field value" trial-and-error mode is field detection; the monitoring mode generally used for the "modify protocol sequence" trial-and-error mode is protocol sequence detection; and the monitoring mode generally used for the "raise protocol sending frequency" trial-and-error mode is protocol sending frequency detection.
S404, cracked based on target protocol monitoring rules analysis target uplink protocol data obtain target uplink protocol data
Monitored results, whether monitored results characterization target uplink protocol data is dirty data for cracking the agreement of application.
In the embodiment of the present application, it after getting target protocol and cracking monitoring rules, can be cracked based on target protocol
Monitoring rules analyze target uplink protocol data, obtain the monitored results of target uplink protocol data.
As a preferred implementation of the embodiment of the present application, the protocol monitoring server may obtain the application's protocol parsing file, which SR generates based on the testing process of the application, parse the target uplink protocol data with this protocol parsing file to obtain the protocol content, and then analyze the protocol content based on the target protocol-cracking monitoring rule to obtain the monitoring result of the target uplink protocol data. The monitoring result indicates whether the target uplink protocol data is dirty data used to crack the application's protocol.
In the embodiment of the present application, if the monitoring result indicates that the target uplink protocol data is not dirty data used to destroy the application's protocol, the monitoring result of the target uplink protocol data is the first monitoring result; if the monitoring result indicates that the target uplink protocol data is dirty data used to destroy the application's protocol, the monitoring result of the target uplink protocol data is the second monitoring result.
Further, referring to Fig. 4, the protocol-cracking monitoring method provided by the embodiment of the present application also includes: S405, when the monitoring result indicates that the target uplink protocol data is dirty data used to crack the application's protocol, generate a profile (portrait) of the user who sent the target uplink protocol data through the client.
In the embodiment of the present application, if the monitoring result indicates that the target uplink protocol data is dirty data used to destroy the application's protocol, the user who sent the target uplink protocol data can be determined and a profile of that user generated. The user's profile includes any one or more of: the account information used to send the target uplink protocol data, the IP address of the terminal to which the client that sent the target uplink protocol data belongs, and the unique device identifier of the terminal to which that client belongs.
The unique device identifier of the terminal may be the terminal's machine identification code. The above is only the preferred content of the unique device identifier of the terminal provided by the embodiment of the present application; the inventor may set the specific content of the unique device identifier according to their own needs, and no limitation is imposed here.
In the embodiment of the present application, a profile library may be set up to store the profile of each user that is generated, so that plug-in attacks can be resisted in advance based on the profile library.
For example, if the currently logged-in user is determined to match the profile of a user in the profile library, then whatever request the currently logged-in user initiates, a preset return packet chosen at random can be returned to that user, making it harder for the currently logged-in user to dig out protocol vulnerabilities.
For example, if the currently logged-in user is determined to match the profile of a user in the profile library, the operation behavior of the currently logged-in user can be confined to a safe mode, restricting that user's range of operations in the application so as to reduce, in advance, plug-in attacks by the currently logged-in user.
As a preferred implementation of the embodiment of the present application, the basic information of the currently logged-in user can be obtained and matched against the profiles in the profile library to determine the profile that matches the currently logged-in user. The basic information may be the account information of the currently logged-in user, the IP address of the terminal to which the client the user logged in on belongs, the unique device identifier of that terminal, and so on.
To make the protocol-cracking monitoring method provided by the embodiment of the present application easier to understand, the step of analyzing the target uplink protocol data based on the target protocol-cracking monitoring rule to obtain the monitoring result of the target uplink protocol data is now described in detail.
If the monitoring mode indicated by the target protocol-cracking monitoring rule corresponding to the protocol type of the target uplink protocol data is field detection, refer to Fig. 5 for a method, provided by the embodiment of the present application, of analyzing the target uplink protocol data based on the target protocol-cracking monitoring rule to obtain the monitoring result of the target uplink protocol data.
As shown in Fig. 5, the method includes:
S501, parse the target uplink protocol data to obtain the protocol content of the target uplink protocol data;
In the embodiment of the present application, preferably, the target uplink protocol data is parsed to obtain its protocol content. For the protocol content of the target uplink protocol data, see Fig. 2(c): it includes a source IP address, a target IP address, a protocol type identifier and protocol data. The source IP address is the IP address of the terminal to which the application's client 11 belongs; the target IP address is the IP address of the application's server 12; the protocol type corresponding to the protocol type identifier in the protocol content is the protocol type of the target uplink protocol data; and the protocol data includes at least one field and the field value of each field.
S502, obtain the at least one field in the protocol content and the field value of each field;
S503, determine, among the at least one field, the target field indicated by the target protocol-cracking monitoring rule and the target field information of the target field;
As a preferred implementation of the embodiment of the present application, after the target protocol-cracking monitoring rule corresponding to the protocol type of the target uplink protocol data is determined, if that rule indicates field detection, it also indicates a target field and the target field information of the target field. The target field indicated by the rule is any one or more fields in the protocol content of the target uplink protocol data. At this point, the target field indicated by the target protocol-cracking monitoring rule and the target field information of the target field need to be obtained.
In the embodiment of the present application, the target field information of the target field indicated by the target protocol-cracking monitoring rule is obtained by collecting statistics on the field values of the target field in the target uplink protocol data of a large number of normal users of the application.
For example, if the target field is of the currency type, statistics are collected on the field values of the "currency type" field in the target uplink protocol data of a large number of normal users of the application. If the statistics contain both target uplink protocol data whose "currency type" field value is 1 and target uplink protocol data whose "currency type" field value is 0, the target field information of the "currency type" field indicated by the target protocol-cracking monitoring rule can be set to represent field values, and this target field information includes "0" and "1".
For example, if the target field is of the purchase quantity type, statistics are collected on the field values of the "purchase quantity" field in the target uplink protocol data of a large number of users of the application, the abnormal field values among those counted are excluded, and a field value range is generated from the numerically largest remaining field value (which may be regarded as the maximum field value) and the numerically smallest remaining field value (which may be regarded as the minimum field value). The minimum of the field value range is the minimum field value, and the maximum of the field value range is the maximum field value. Accordingly, the target field information of the "purchase quantity" field indicated by the target protocol-cracking rule represents a numeric range, and this target field information is the generated field value range. Here, the abnormal field values among those counted differ greatly in numeric value from the non-abnormal field values.
In the embodiment of the present application, the target field information of the target field indicated by the target protocol-cracking monitoring rule may also be preset based on experience. For example, if the target field is of the purchase quantity type, an overflow value of the target field can be determined from experience, and the target field information of the target field is then set to represent overflow information; in this case the target field information of the target field is the empirically determined overflow value. For example, in a certain game, when a prop was being bought, the quantity parameter of the purchase protocol was changed to a very large value; the result overflowed directly and a huge quantity of props was obtained.
The above is only the way of setting the target field information of the target field provided by the embodiment of the present application; the inventor may choose the specific way of setting the target field information of the target field according to their own needs, and no limitation is imposed here.
S504, detect whether the field value of the target field satisfies the target field information of the target field, obtaining a first result;
In the embodiment of the present application, the information type represented by the target field information of the target field can be determined (the information type may be field value, numeric range, overflow information, and so on), and whether the field value of the target field satisfies the target field information of the target field is then detected using the detection rule corresponding to that information type.
For example, when the information type represented by the target field information of the target field is field value, if the field value of the target field is any one of the values in the target field information of the target field, the field value of the target field is considered to satisfy the target field information of the target field; otherwise, the field value of the target field is considered not to satisfy the target field information of the target field.
For example, when the information type represented by the target field information of the target field is numeric range, if the field value of the target field lies within the field value range indicated by the target field information of the target field, the field value of the target field is considered to satisfy the target field information of the target field; otherwise, the field value of the target field is considered not to satisfy the target field information of the target field.
For example, when the information type represented by the target field information of the target field is overflow information, if the field value of the target field is not greater than the overflow value of the target field, the field value of the target field is considered to satisfy the target field information of the target field; otherwise, the field value of the target field is considered not to satisfy the target field information of the target field.
Further, if the target field information includes first target field information and second target field information, where the first target field information represents a numeric range and the second target field information represents overflow information, it can be determined whether the field value of the target field in the target uplink protocol data satisfies the first target field information, and whether it satisfies the second target field information. If the field value of the target field in the target uplink protocol data satisfies both the first target field information and the second target field information, the field value of the target field in the target uplink protocol data is determined to satisfy the target field information of the target field; otherwise, it is determined not to satisfy the target field information of the target field.
The above is only the preferred way, provided by the embodiment of the present application, of detecting whether the field value of the target field satisfies the target field information of the target field; the inventor may choose the specific way of performing this detection according to their own needs, and no limitation is imposed here.
S505, obtain the monitoring result of the target uplink protocol data based on the first result.
In the embodiment of the present application, if the first result indicates that the field value of every target field indicated by the target protocol-cracking monitoring rule satisfies the target field information of that target field, the target uplink protocol data is determined not to be dirty data used to destroy the application's protocol, and the monitoring result obtained for the target uplink protocol data is the first monitoring result. If the first result indicates that, among the target fields indicated by the target protocol-cracking monitoring rule, there is a target field whose field value does not satisfy its target field information, the target uplink protocol data is determined to be dirty data used to destroy the application's protocol, and the monitoring result obtained for the target uplink protocol data is the second monitoring result.
For example, suppose the target protocol-cracking monitoring rule indicates 3 target fields: target field 1, target field 2 and target field 3. If the field value of target field 1 in the target uplink protocol data satisfies the target field information of target field 1, the field value of target field 2 in the target uplink protocol data satisfies the target field information of target field 2, and the field value of target field 3 in the target uplink protocol data satisfies the target field information of target field 3, the target uplink protocol data is considered not to be dirty data; otherwise, the target uplink protocol data is considered to be dirty data.
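The field detection mode of steps S502 to S505, together with the statistics-based and experience-based target field information described above, is shown here as an added Python example; it is not code from the patent. The field names, the sample traffic, the 32-bit overflow value and the median-absolute-deviation outlier cut-off are assumptions made for illustration.

```python
from statistics import median

INT32_MAX = 2**31 - 1  # assumed overflow value: quantity held in a signed 32-bit integer


def learn_values(samples):
    """Information type "field value": every value seen among normal users."""
    return ("values", frozenset(samples))


def learn_range(samples, k=5.0):
    """Information type "numeric range": drop abnormal values, keep (min, max) of the rest.

    The page only says abnormal values differ greatly from the others; the
    median-absolute-deviation cut-off used here is an assumption.
    """
    med = median(samples)
    mad = median(abs(v - med) for v in samples) or 1
    kept = [v for v in samples if abs(v - med) <= k * mad]
    return ("range", (min(kept), max(kept)))


def satisfies(value, info):
    """S504: does one field value satisfy one piece of target field information?"""
    kind, spec = info
    if kind == "values":
        try:
            return value in spec
        except TypeError:            # unhashable value such as a list
            return False
    # Numeric checks reject anything that is not a plain integer.
    if not isinstance(value, int) or isinstance(value, bool):
        return False
    if kind == "range":
        low, high = spec
        return low <= value <= high
    if kind == "overflow":
        return value <= spec         # "not greater than the overflow value"
    raise ValueError(f"unknown information type: {kind}")


def field_monitor(fields, rule):
    """S502-S505: return the target fields whose value violates the rule.

    An empty list corresponds to the first monitoring result (not dirty), a
    non-empty list to the second (dirty). Treating a missing target field as
    a violation is an assumption.
    """
    violations = []
    for name, infos in rule.items():
        if name not in fields or not all(satisfies(fields[name], i) for i in infos):
            violations.append(name)
    return violations


# Constructed field values standing in for traffic from normal users.
NORMAL_CURRENCY = [0, 1, 1, 0, 1, 0]
NORMAL_QUANTITY = [1, 2, 3, 1, 5, 2, 10, 4, 3, 2147483647]

# One field may carry several pieces of target field information (range and overflow).
RULE = {
    "currency_type": [learn_values(NORMAL_CURRENCY)],
    "purchase_quantity": [learn_range(NORMAL_QUANTITY), ("overflow", INT32_MAX)],
}

if __name__ == "__main__":
    for msg in ({"currency_type": 1, "purchase_quantity": 3},
                {"currency_type": 7, "purchase_quantity": 3},
                {"currency_type": 0, "purchase_quantity": 2**32 + 1}):
        bad = field_monitor(msg, RULE)
        print(msg, "->", "dirty: " + ", ".join(bad) if bad else "not dirty")
```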
If the monitoring mode indicated by the target protocol-cracking monitoring rule corresponding to the protocol type of the target uplink protocol data is protocol sequence detection, the embodiment of the present application also provides another method of analyzing the target uplink protocol data based on the target protocol-cracking monitoring rule to obtain the monitoring result of the target uplink protocol data; see Fig. 6 for details.
As shown in Fig. 6, the method includes:
S601, determine at least one target uplink protocol data according to the target uplink protocol data, where the at least one target uplink protocol data includes a first preset quantity of first target uplink protocol data that were obtained before the target uplink protocol data and are adjacent to it, and/or a second preset quantity of second target uplink protocol data that were obtained after the target uplink protocol data and are adjacent to it;
In the embodiment of the present application, preferably, the process of determining the at least one target uplink protocol data according to the target uplink protocol data may be: determine the first preset quantity of target uplink protocol data that were obtained before the target uplink protocol data and are adjacent to it (for ease of distinction, these are called first target uplink protocol data here), and/or determine the second preset quantity of target uplink protocol data that were obtained after the target uplink protocol data and are adjacent to it (for ease of distinction, these are called second target uplink protocol data here); the first target uplink protocol data and/or the second target uplink protocol data then constitute the at least one target uplink protocol data.
In the embodiment of the present application, the first preset quantity and the second preset quantity may be indicated by the target protocol-cracking monitoring rule.
For example, suppose the protocol monitoring server obtains target uplink protocol data in the order target uplink protocol data 1, target uplink protocol data 2, target uplink protocol data 3, target uplink protocol data 4, target uplink protocol data 5 and target uplink protocol data 6. If the target uplink protocol data currently obtained by the protocol monitoring server is target uplink protocol data 4, and the target protocol-cracking monitoring rule indicates a first preset quantity of 2 and a second preset quantity of 1, then the 2 target uplink protocol data obtained before target uplink protocol data 4 and adjacent to it are target uplink protocol data 2 and target uplink protocol data 3, and the 1 target uplink protocol data obtained after target uplink protocol data 4 and adjacent to it is target uplink protocol data 5. Target uplink protocol data 2, target uplink protocol data 3, target uplink protocol data 4 and target uplink protocol data 5 then constitute the at least one target uplink protocol data determined according to target uplink protocol data 4.
S602, obtain the at least one standard target uplink protocol data indicated by the target protocol-cracking monitoring rule;
In the embodiment of the present application, the target protocol-cracking monitoring rule indicates at least one standard target uplink protocol data, and the at least one standard target uplink protocol data includes one or more standard target uplink protocol data.
S603, compare the at least one target uplink protocol data with the at least one standard target uplink protocol data, obtaining a second result;
In the embodiment of the present application, a first similarity between the at least one target uplink protocol data and the at least one standard target uplink protocol data can be calculated, and this first similarity is taken as the second result obtained by comparing the at least one target uplink protocol data with the at least one standard target uplink protocol data.
As a preferred implementation of the embodiment of the present application, if the at least one target uplink protocol data is identical to the at least one standard target uplink protocol data, the first similarity between them is considered to be 100%. If they are not identical, the number of target uplink protocol data that are the same in the at least one target uplink protocol data and the at least one standard target uplink protocol data can be determined (for ease of distinction, this number is called the first quantity here), the number of target uplink protocol data in the at least one standard target uplink protocol data can be determined (for ease of distinction, this number is called the second quantity here), and the ratio of the first quantity to the second quantity is taken as the first similarity between the at least one target uplink protocol data and the at least one standard target uplink protocol data.
As another preferred implementation of the embodiment of the present application, the embodiment of the present application also provides a flowchart of a method of comparing the at least one target uplink protocol data with the at least one standard target uplink protocol data to obtain the second result; see Fig. 7 for details.
As shown in Fig. 7, the method includes:
S701, generate a first target uplink protocol data sequence according to the acquisition order of the at least one target uplink protocol data;
In the embodiment of the present application, after the at least one target uplink protocol data is determined in step S601, the first target uplink protocol data sequence can be generated according to the acquisition order of the target uplink protocol data within the at least one target uplink protocol data (that is, the order in which the protocol monitoring server obtains the target uplink protocol data from the access component). Continuing the example above, where target uplink protocol data 2, target uplink protocol data 3, target uplink protocol data 4 and target uplink protocol data 5 constitute the at least one target uplink protocol data determined according to target uplink protocol data 4, the order of the target uplink protocol data in the generated first target uplink protocol data sequence is: target uplink protocol data 2, target uplink protocol data 3, target uplink protocol data 4 and target uplink protocol data 5.
S702, determine a second target uplink protocol data sequence based on the order among the standard target uplink protocol data in the at least one standard target uplink protocol data indicated by the target protocol-cracking monitoring rule;
In the embodiment of the present application, the target protocol-cracking monitoring rule indicates not only the at least one standard target uplink protocol data, which includes one or more standard target uplink protocol data, but also the order among the standard target uplink protocol data in the at least one standard target uplink protocol data; the second target uplink protocol data sequence is generated from this.
For example, suppose the at least one standard target uplink protocol data indicated by the target protocol-cracking monitoring rule are standard target uplink protocol data 1, standard target uplink protocol data 2 and standard target uplink protocol data 3, and the order among them indicated by the rule is standard target uplink protocol data 2, standard target uplink protocol data 1 and standard target uplink protocol data 3. The standard target uplink protocol data in the second target uplink protocol data sequence generated from this are then, in order, standard target uplink protocol data 2, standard target uplink protocol data 1 and standard target uplink protocol data 3.
S703, compare the first target uplink protocol data sequence with the second target uplink protocol data sequence, obtaining the second result.
In the embodiment of the present application, a second similarity between the first target uplink protocol data sequence and the second target uplink protocol data sequence can be computed, and the second similarity is taken as the second result obtained by comparing the first target uplink protocol data sequence with the second target uplink protocol data sequence.
The above is only the preferred way, provided by the embodiment of the present application, of comparing the at least one target uplink protocol data with the at least one standard target uplink protocol data to obtain the second result; the inventor may choose the specific way of performing this comparison according to their own needs, and no limitation is imposed here.
S604, obtain the monitoring result of the target uplink protocol data based on the second result.
In the embodiment of the present application, the target protocol-cracking monitoring rule may also indicate a preset similarity. If the second result is less than the preset similarity, the target uplink protocol data is determined to be dirty data; if the second result is not less than the preset similarity, the target uplink protocol data is determined not to be dirty data.
If the monitoring mode indicated by the target protocol-cracking monitoring rule corresponding to the protocol type of the target uplink protocol data is protocol sending frequency detection, the embodiment of the present application also provides another method of analyzing the target uplink protocol data based on the target protocol-cracking monitoring rule to obtain the monitoring result of the target uplink protocol data; see Fig. 8 for details.
As shown in Fig. 8, the method includes:
S801, count, within a preset duration, the number of third target uplink protocol data that were obtained before the target uplink protocol data and are adjacent to it;
In the embodiment of the present application, preferably, the target protocol-cracking monitoring rule indicates the preset duration. A target time period is determined from the current time and the preset duration: the end time point of the target time period is the current time, and the time difference between the start time point and the end time point of the target time period is the preset duration. The number of target uplink protocol data obtained by the protocol monitoring server within the target time period is then counted.
S802, compare the quantity with the target number indicated by the target protocol-cracking monitoring rule, obtaining a third result;
In the embodiment of the present application, the target protocol-cracking monitoring rule also indicates a target number; the counted number of target uplink protocol data obtained in the target time period is compared with this target number to obtain the third result.
S803, obtain the monitoring result of the target uplink protocol data based on the third result.
In the embodiment of the present application, if the third result indicates that the counted number of target uplink protocol data obtained in the target time period is not greater than the target number, the monitoring result is determined to indicate that the target uplink protocol data is not dirty data; if the third result indicates that the counted number of target uplink protocol data obtained in the target time period is greater than the target number, the target uplink protocol data is determined to be dirty data.
Further, in the embodiment of the present application, if the protocol type of the target uplink protocol data corresponds to multiple target protocol-cracking monitoring rules, the process of "analyzing the target uplink protocol data based on the target protocol-cracking monitoring rule to obtain the monitoring result of the target uplink protocol data" is executed separately for each target protocol-cracking monitoring rule. Accordingly, when the monitoring result obtained under every target protocol-cracking monitoring rule indicates that the target uplink protocol data is not dirty data, the target uplink protocol data is determined not to be dirty data; otherwise, the target uplink protocol data is determined to be dirty data.
For example, suppose the protocol type of the target uplink protocol data corresponds to 3 target protocol-cracking monitoring rules: target protocol-cracking monitoring rule 1, target protocol-cracking monitoring rule 2 and target protocol-cracking monitoring rule 3. If the monitoring result obtained by analyzing the target uplink protocol data based on rule 1 indicates that the target uplink protocol data is not dirty data, the monitoring result obtained based on rule 2 indicates that it is not dirty data, and the monitoring result obtained based on rule 3 indicates that it is not dirty data, the target uplink protocol data is considered not to be dirty data; otherwise, the target uplink protocol data is considered to be dirty data.
The above is only the preferred way, provided by the embodiment of the present application, of analyzing the target uplink protocol data based on the target protocol-cracking monitoring rule to obtain the monitoring result of the target uplink protocol data; the inventor may choose the specific way of performing this analysis according to their own needs, and no limitation is imposed here.
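The protocol sequence detection of Fig. 6 and Fig. 7, the sending frequency detection of Fig. 8 and the rule that every target protocol-cracking monitoring rule must report "not dirty" are shown here as an added Python example; it is not code from the patent. Messages are represented by constructed protocol type names, the second similarity (left undefined on the page) is assumed to be the longest common subsequence divided by the standard sequence length, and counting the current message in the frequency window is an assumption.

```python
from collections import Counter, deque


def window(history, index, before, after):
    """S601: the message at `index` with `before` earlier and `after` later neighbours."""
    return history[max(0, index - before): index + after + 1]


def first_similarity(observed, standard):
    """S603: messages shared with the standard set / size of the standard set."""
    shared = sum((Counter(observed) & Counter(standard)).values())
    return shared / len(standard)


def ordered_similarity(observed, standard):
    """S701-S703: compare the two ordered sequences.

    Assumed metric: longest common subsequence length over len(standard).
    """
    prev = [0] * (len(standard) + 1)
    for o in observed:
        cur = [0]
        for j, s in enumerate(standard, 1):
            cur.append(prev[j - 1] + 1 if o == s else max(prev[j], cur[j - 1]))
        prev = cur
    return prev[-1] / len(standard)


def sequence_is_dirty(observed, standard, preset_similarity, ordered=True):
    """S604: dirty when the similarity is below the preset similarity."""
    if ordered:
        score = ordered_similarity(observed, standard)
    else:
        score = first_similarity(observed, standard)
    return score < preset_similarity


class FrequencyMonitor:
    """S801-S803 for one sender: count messages in [now - preset_duration, now]."""

    def __init__(self, preset_duration, target_number):
        self.preset_duration = preset_duration
        self.target_number = target_number
        self._times = deque()

    def is_dirty(self, now):
        self._times.append(now)  # the current message is counted too (assumption)
        while self._times[0] < now - self.preset_duration:
            self._times.popleft()
        return len(self._times) > self.target_number


def final_verdict(rule_results):
    """Several target rules: not dirty only if every rule reports not dirty."""
    return any(rule_results)


# Constructed standard sequence and two constructed observed windows.
STANDARD = ["login", "enter_shop", "select_item", "buy"]
REORDERED = ["buy", "select_item", "enter_shop", "login"]
SKIPPED = ["login", "buy", "buy", "buy"]

if __name__ == "__main__":
    print(window([1, 2, 3, 4, 5, 6], 3, before=2, after=1))   # the page's example
    for name, seq in (("reordered", REORDERED), ("skipped", SKIPPED)):
        print(name, first_similarity(seq, STANDARD), ordered_similarity(seq, STANDARD))
    fm = FrequencyMonitor(preset_duration=1.0, target_number=3)
    print([fm.is_dirty(t) for t in (0.0, 0.3, 0.6, 0.9, 5.0)])
```

The reordered window scores 100% on the count-based first similarity but only 25% on the ordered comparison, which is why a rule aimed at the "modifying the protocol sequence" approach needs the ordered variant.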
Fig. 9 is a schematic structural diagram of a protocol-cracking monitoring device provided by the embodiment of the present application.
As shown in Fig. 9, the device includes:
A target uplink protocol data acquiring unit 91, configured to obtain target uplink protocol data, the target uplink protocol data being obtained by the server decrypting the uplink protocol data that the application's client sent to the application's server;
A protocol type determining unit 92, configured to determine the protocol type of the target uplink protocol data using the protocol type identifier carried by the target uplink protocol data;
A target protocol-cracking monitoring rule determining unit 93, configured to look up the preset correspondence between protocol types and protocol-cracking monitoring rules and determine the target protocol-cracking monitoring rule corresponding to the protocol type of the target uplink protocol data;
A monitoring unit 94, configured to analyze the target uplink protocol data based on the target protocol-cracking monitoring rule to obtain the monitoring result of the target uplink protocol data, where the monitoring result indicates whether the target uplink protocol data is dirty data used to crack the application's protocol.
In the embodiment of the present application, preferably, the target uplink protocol data acquiring unit is specifically configured to obtain the target uplink protocol data that the access component of the application's server sends to the codec component, the target uplink protocol data being obtained by the access component decrypting the uplink protocol data after receiving the uplink protocol data sent by the application's client.
In the embodiment of the present application, preferably, the monitoring unit includes:
A parsing unit, configured to parse the target uplink protocol data to obtain the protocol content of the target uplink protocol data;
A first acquiring unit, configured to obtain the at least one field in the protocol content and the field value of each field;
A first determining unit, configured to determine, among the at least one field, the target field indicated by the target protocol-cracking monitoring rule and the target field information of the target field;
A detecting unit, configured to detect whether the field value of the target field satisfies the target field information of the target field, obtaining a first result;
A first monitoring unit, configured to obtain the monitoring result of the target uplink protocol data based on the first result.
In this embodiment of the application, preferably, the monitoring unit includes:
A second determination unit, configured to determine at least one target uplink protocol data according to the target uplink protocol data, the at least one target uplink protocol data including a first preset number of first target uplink protocol data obtained before the target uplink protocol data and adjacent to it, and/or a second preset number of second target uplink protocol data obtained after the target uplink protocol data and adjacent to it;
A second acquisition unit, configured to obtain the at least one standard target uplink protocol data indicated by the target protocol cracking monitoring rule;
A first comparing unit, configured to compare the at least one target uplink protocol data with the at least one standard target uplink protocol data, obtaining a second result;
A second monitoring unit, configured to obtain the monitoring result of the target uplink protocol data based on the second result.
In this embodiment of the application, preferably, the first comparing unit includes:
A first sequence determination unit, configured to generate a first target uplink protocol data sequence according to the order in which the at least one target uplink protocol data was obtained;
A second sequence determination unit, configured to determine a second target uplink protocol data sequence based on the order among the standard target uplink protocol data in the at least one standard target uplink protocol data indicated by the target protocol cracking monitoring rule;
A first comparing subunit, configured to compare the first target uplink protocol data sequence with the second target uplink protocol data sequence, obtaining the second result.
In this embodiment of the application, preferably, the monitoring unit includes:
A statistics unit, configured to count the number of third target uplink protocol data that were obtained, within a preset duration, before the target uplink protocol data and adjacent to it;
A second comparing unit, configured to compare the number with the target number indicated by the target protocol cracking monitoring rule, obtaining a third result;
A third monitoring unit, configured to obtain the monitoring result of the target uplink protocol data based on the third result.
Further, the protocol cracking monitoring device provided by this embodiment of the application also includes:
A portrait generation unit, configured to generate, when the monitoring result indicates that the target uplink protocol data is dirty data used to crack the protocol of the application, a portrait of the user who sent the target uplink protocol data through the client, the portrait including any one or more of the user's account information, the IP address of the terminal to which the client belongs, and the device identifier of the terminal to which the client belongs.
Further, this embodiment of the application also provides a computer-readable storage medium in which computer-executable instructions are stored, the computer-executable instructions being used to execute the above protocol cracking monitoring method.
Optionally, for the refined and extended functions of the computer-executable instructions, refer to the description above.
The application provides a protocol cracking monitoring method, device, server and storage medium. By obtaining target uplink protocol data (the target uplink protocol data is obtained after the server decrypts the uplink protocol data that the client of the application sends to the server of the application), determining the target protocol cracking monitoring rule corresponding to the protocol type of the target uplink protocol data, and then analyzing the target uplink protocol data based on that rule, it can be determined whether the target uplink protocol data is dirty data used to crack the protocol of the application. The application can promptly analyze the target uplink protocol data, obtained by the server decrypting the uplink protocol data that the client of the application sends to the server, and determine whether that target uplink protocol data is dirty data used to crack the protocol of the application. This makes it possible to monitor a plug-in attacker's protocol cracking behavior while the protocol cracking is still in progress, improving the timeliness of protocol cracking monitoring.
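The three rule types handled by the monitoring unit (field-value check, comparison against a standard message order, and message count within a preset duration) can be sketched as follows. This is an added example, not code from the patent: the `CrackMonitor` class, the protocol type names, field names and thresholds are all assumptions, as is the choice to flag unknown protocol types and to count every earlier message from the same client for the count rule.

```python
from collections import defaultdict, deque

# Constructed rule table (assumption): protocol type -> cracking monitoring rule.
RULES = {
    # Field rule: each target field must satisfy its target field information.
    "LOGIN": {"fields": {"client_ver": lambda v: v in (3, 4),
                         "nonce": lambda v: isinstance(v, str) and len(v) == 16}},
    "GET_ROOM_LIST": {},
    # Sequence rule: the messages immediately before this one must match
    # the standard sequence, in order of arrival.
    "ENTER_ROOM": {"preceded_by": ["LOGIN", "GET_ROOM_LIST"]},
    # Count rule: at most max_prior earlier messages within window_s seconds.
    "SEND_GIFT": {"max_prior": 3, "window_s": 1.0},
}


class CrackMonitor:
    """Analyzes decrypted uplink messages per client (hypothetical helper)."""

    def __init__(self, rules, history_len=64):
        self.rules = rules
        # Per-client history of (timestamp, protocol type), oldest first.
        self.history = defaultdict(lambda: deque(maxlen=history_len))

    def inspect(self, client_id, message, ts):
        """Return a list of findings; an empty list means nothing was flagged."""
        ptype = message.get("type")          # protocol type identifier
        past = self.history[client_id]
        findings = []
        rule = self.rules.get(ptype)
        if rule is None:
            # Assumption: the patent does not say how unmapped types are handled.
            findings.append("unknown protocol type")
        else:
            for name, conforms in rule.get("fields", {}).items():
                if name not in message or not conforms(message[name]):
                    findings.append(f"field {name!r} violates rule")
            expected = rule.get("preceded_by")
            if expected:
                observed = [t for _, t in past][-len(expected):]
                if observed != expected:
                    findings.append(f"sequence {observed} != {expected}")
            if "max_prior" in rule:
                recent = sum(1 for t0, _ in past if ts - t0 <= rule["window_s"])
                if recent > rule["max_prior"]:
                    findings.append(f"{recent} prior messages within window")
        past.append((ts, ptype))
        return findings


if __name__ == "__main__":
    # Constructed traffic: a LOGIN whose fields do not match the rule.
    mon = CrackMonitor(RULES)
    print(mon.inspect("c2", {"type": "LOGIN", "client_ver": 9, "nonce": "abc"}, 0.0))
```

A non-empty result is the point at which the portrait described above (account, IP address, device identifier) would be recorded for the sending client.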
The embodiments in this specification are described in a progressive manner. Each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments may be referred to one another. Because the device disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is relatively brief; for the relevant details, refer to the description of the method.
Those skilled in the art will further appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of the two. To clearly illustrate the interchangeability of hardware and software, the composition and steps of each example have been described above generally in terms of function. Whether these functions are implemented in hardware or software depends on the specific application and the design constraints of the technical solution. Those skilled in the art may use different methods to implement the described functions for each specific application, but such implementation should not be considered beyond the scope of the present invention.
The steps of the method or algorithm described in connection with the embodiments disclosed herein can be implemented directly in hardware, in a software module executed by a processor, or in a combination of the two. The software module can reside in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the technical field.
The foregoing description of the disclosed embodiments enables those skilled in the art to implement or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the general principles defined herein can be realized in other embodiments without departing from the core idea or scope of the present invention. Therefore, the present invention is not intended to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (10)
1. A protocol cracking monitoring method, characterized by comprising:
Obtaining target uplink protocol data, the target uplink protocol data being obtained after the uplink protocol data sent by the client of an application to the server of the application is decrypted by the server;
Determining the protocol type of the target uplink protocol data using the protocol type identifier carried by the target uplink protocol data;
Looking up the preset correspondence between protocol types and protocol cracking monitoring rules, and determining the target protocol cracking monitoring rule corresponding to the protocol type of the target uplink protocol data;
Analyzing the target uplink protocol data based on the target protocol cracking monitoring rule to obtain the monitoring result of the target uplink protocol data, the monitoring result indicating whether the target uplink protocol data is dirty data used to crack the protocol of the application.
2. The method according to claim 1, characterized in that the obtaining target uplink protocol data comprises:
Obtaining the target uplink protocol data that the access component of the application's server sends to the codec component, the target uplink protocol data being obtained by the access component decrypting the uplink protocol data after receiving the uplink protocol data sent by the client of the application.
3. The method according to claim 1, characterized in that the analyzing the target uplink protocol data based on the target protocol cracking monitoring rule to obtain the monitoring result of the target uplink protocol data comprises:
Parsing the target uplink protocol data to obtain the protocol content of the target uplink protocol data;
Obtaining at least one field in the protocol content and the field value of each field;
Determining the target field, among the at least one field, indicated by the target protocol cracking monitoring rule, and the target field information of the target field;
Detecting whether the field value of the target field conforms to the target field information of the target field, obtaining a first result;
Obtaining the monitoring result of the target uplink protocol data based on the first result.
4. The method according to claim 1, characterized in that the analyzing the target uplink protocol data based on the target protocol cracking monitoring rule to obtain the monitoring result of the target uplink protocol data comprises:
Determining at least one target uplink protocol data according to the target uplink protocol data, the at least one target uplink protocol data including a first preset number of first target uplink protocol data obtained before the target uplink protocol data and adjacent to it, and/or a second preset number of second target uplink protocol data obtained after the target uplink protocol data and adjacent to it;
Obtaining the at least one standard target uplink protocol data indicated by the target protocol cracking monitoring rule;
Comparing the at least one target uplink protocol data with the at least one standard target uplink protocol data, obtaining a second result;
Obtaining the monitoring result of the target uplink protocol data based on the second result.
5. The method according to claim 4, characterized in that the comparing the at least one target uplink protocol data with the at least one standard target uplink protocol data, obtaining a second result, comprises:
Generating a first target uplink protocol data sequence according to the order in which the at least one target uplink protocol data was obtained;
Determining a second target uplink protocol data sequence based on the order among the standard target uplink protocol data in the at least one standard target uplink protocol data indicated by the target protocol cracking monitoring rule;
Comparing the first target uplink protocol data sequence with the second target uplink protocol data sequence, obtaining the second result.
6. The method according to claim 1, characterized in that the analyzing the target uplink protocol data based on the target protocol cracking monitoring rule to obtain the monitoring result of the target uplink protocol data comprises:
Counting the number of third target uplink protocol data that were obtained, within a preset duration, before the target uplink protocol data and adjacent to it;
Comparing the number with the target number indicated by the target protocol cracking monitoring rule, obtaining a third result;
Obtaining the monitoring result of the target uplink protocol data based on the third result.
7. The method according to any one of claims 1-5, characterized by further comprising:
When the monitoring result indicates that the target uplink protocol data is dirty data used to crack the protocol of the application, generating a portrait of the user who sent the target uplink protocol data through the client, the portrait including any one or more of the user's account information, the IP address of the terminal to which the client belongs, and the device identifier of the terminal to which the client belongs.
8. A protocol cracking monitoring device, characterized by comprising:
A target uplink protocol data acquiring unit, configured to obtain target uplink protocol data, the target uplink protocol data being obtained after the uplink protocol data sent by the client of an application to the server of the application is decrypted by the server;
A protocol type determination unit, configured to determine the protocol type of the target uplink protocol data using the protocol type identifier carried by the target uplink protocol data;
A target protocol cracking monitoring rule determination unit, configured to look up the preset correspondence between protocol types and protocol cracking monitoring rules and determine the target protocol cracking monitoring rule corresponding to the protocol type of the target uplink protocol data;
A monitoring unit, configured to analyze the target uplink protocol data based on the target protocol cracking monitoring rule to obtain the monitoring result of the target uplink protocol data, the monitoring result indicating whether the target uplink protocol data is dirty data used to crack the protocol of the application.
9. A server, characterized by comprising: at least one memory and at least one processor; the memory stores a program, and the processor calls the program stored in the memory, the program being used to implement the protocol cracking monitoring method according to any one of claims 1-7.
10. A storage medium, characterized in that computer-executable instructions are stored in the storage medium, the computer-executable instructions being used to execute the protocol cracking monitoring method according to any one of claims 1-7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910666790.XA CN110381065B (en) | 2019-07-23 | 2019-07-23 | Protocol cracking monitoring method, device, server and storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910666790.XA CN110381065B (en) | 2019-07-23 | 2019-07-23 | Protocol cracking monitoring method, device, server and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110381065A (en) | 2019-10-25 |
CN110381065B (en) | 2021-05-04 |
Family
ID=68255132
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910666790.XA Active CN110381065B (en) | 2019-07-23 | 2019-07-23 | Protocol cracking monitoring method, device, server and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110381065B (en) |
Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101162992A (en) * | 2007-09-29 | 2008-04-16 | 中国人民解放军信息工程大学 | Cipher protocol safety operation protecting method and system of tolerant intrusion |
US20130040740A1 (en) * | 2011-08-10 | 2013-02-14 | Electronics And Telecommunications Research Institute | Method and apparatus for testing stability of game server |
CN103095532A (en) * | 2013-02-01 | 2013-05-08 | 起于凡信息技术(上海)有限公司 | System and method for online game pug-in prevention and plug-in prevention server-side |
CN104618336A (en) * | 2014-12-30 | 2015-05-13 | 广州酷狗计算机科技有限公司 | Account number management method, device and system |
CN104753949A (en) * | 2015-04-08 | 2015-07-01 | 北京金山安全软件有限公司 | Game data packet validity detection method and device |
CN107261502A (en) * | 2017-05-10 | 2017-10-20 | 珠海金山网络游戏科技有限公司 | A kind of anti-external store system of game on line based on procotol and method |
CN107846392A (en) * | 2017-08-25 | 2018-03-27 | 西北大学 | A kind of intrusion detection algorithm based on improvement coorinated training ADBN |
CN108429651A (en) * | 2018-06-06 | 2018-08-21 | 腾讯科技(深圳)有限公司 | Data on flows detection method, device, electronic equipment and computer-readable medium |
CN108809909A (en) * | 2017-05-04 | 2018-11-13 | 腾讯科技(深圳)有限公司 | Data processing method and data processing equipment |
Also Published As
Publication number | Publication date |
---|---|
CN110381065B (en) | 2021-05-04 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||