CN114338114A - Intrusion detection method, device, equipment and storage medium - Google Patents


Info

Publication number
CN114338114A
Authority
CN
China
Prior art keywords
server
key information
client
public key
message
Prior art date
Legal status
Pending
Application number
CN202111568913.XA
Other languages
Chinese (zh)
Inventor
郑鹏飞
王晨亦
黄蕾
王实美
Current Assignee
Agricultural Bank of China
Original Assignee
Agricultural Bank of China
Priority date
Filing date
Publication date

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

An embodiment of the invention provides an intrusion detection method, device, equipment and storage medium. The method is applied to a server and comprises: receiving client public key information sent by a client, encrypting server public key information with the client public key information, and sending the encrypted server public key information to the client; the client decrypts the encrypted server public key information with its client private key information to obtain the server public key information, encrypts a target field in a message with a session key, and encrypts the session key with the server public key information; receiving the encrypted message sent by the client, decrypting the session key with the server private key information, and decrypting the encrypted message with the decrypted session key to obtain the message; and performing intrusion detection for malicious attacks on the message. This protects data security, improves the security of the background application and reduces the risk of message data leakage.

Description

Intrusion detection method, device, equipment and storage medium
Technical Field
The embodiment of the invention relates to the technical field of data transmission, in particular to an intrusion detection method, an intrusion detection device, intrusion detection equipment and a storage medium.
Background
With the rapid development of industries such as mobile applications, e-government and internet finance, Web applications have become widely adopted. Their rapid growth has brought many security threats; according to the statistics cited here, 75% of attacks on the internet have moved from the network layer to the application layer. Application-layer attacks are fatal to Web applications and can cause information security incidents such as leakage of sensitive server data and server outages. To counter Web attacks, application-layer defense today relies mainly on security devices such as Web Application Firewalls (WAF). A WAF is a device that concentrates on inspecting application-layer traffic and is effective against common network attacks. As technology has evolved, this solution has run into the following problem:
with the development of encryption technology and digital certificates, a client and a server agree on a secret key to secure message transmission, encrypt the target data, and then transmit it over Hypertext Transfer Protocol Secure (HTTPS). After receiving the message, the server terminates TLS (HTTPS offload) and then has the WAF device scan the message; but because the target field is still encrypted at the application layer, the WAF cannot effectively scan it for malicious content, and the server may still be attacked.
Disclosure of Invention
The embodiment of the invention provides an intrusion detection method, an intrusion detection device, intrusion detection equipment and a storage medium, which can improve data security, improve the security of background application and reduce the risk of message data leakage.
In a first aspect, an embodiment of the present invention provides an intrusion detection method, where the method is applied to a server, and the method includes:
receiving client public key information sent by a client, encrypting server public key information based on the client public key information, and sending the encrypted server public key information to the client; the client decrypts the encrypted server public key information through client private key information to obtain the server public key information, encrypts a target field in a message through a session key, and encrypts the session key through the server public key information;
receiving an encrypted message sent by the client, decrypting the session key through the server private key information, and decrypting the encrypted message through the decrypted session key to obtain the message;
and carrying out intrusion detection of malicious attack on the message.
In a second aspect, an embodiment of the present invention further provides an intrusion detection method, where the method is applied to a client, and the method includes:
sending the public key information of the client to a server; the server side encrypts server side public key information based on the client side public key information;
receiving encrypted server public key information sent by a server, and decrypting the encrypted server public key information through client private key information to obtain the server public key information;
generating a session key;
encrypting a message through the session key, encrypting the session key through the server public key information, and sending the encrypted message to the server, so that the server decrypts the session key and decrypts the encrypted message through the decrypted session key to obtain the message, and performing intrusion detection of malicious attack on the message.
In a third aspect, an embodiment of the present invention provides an intrusion detection method, including:
the client side sends the client side public key information to the server side;
the server encrypts server public key information based on the client public key information and sends the encrypted server public key information to the client;
the client receives the encrypted server public key information sent by the server, and decrypts the encrypted server public key information through the client private key information to obtain the server public key information;
the client generates a session key, encrypts a message through the session key, encrypts the session key through the server public key information, and sends the encrypted message to the server;
the server receives the encrypted message sent by the client, decrypts the session key through the server private key information, and decrypts the encrypted message through the decrypted session key to obtain the message;
and the server side carries out intrusion detection of malicious attack on the message.
In a fourth aspect, an embodiment of the present invention provides an intrusion detection apparatus, where the apparatus is configured at a server, and the apparatus includes:
the first key interaction device is used for receiving client public key information sent by a client, encrypting server public key information based on the client public key information and sending the encrypted server public key information to the client; the client decrypts the encrypted server public key information through client private key information to obtain the server public key information, encrypts a target field in a message through a session key, and encrypts the session key through the server public key information;
the first key decryptor is used for receiving the encrypted message sent by the client, decrypting the session key through the server private key information and decrypting the encrypted message through the decrypted session key to obtain the message;
and the intrusion detector is used for carrying out intrusion detection of malicious attack on the message.
In a fifth aspect, an embodiment of the present invention provides an intrusion detection apparatus, where the apparatus is configured at a client, and the apparatus includes:
the sending unit is used for sending the public key information of the client to the server; the server side encrypts server side public key information based on the client side public key information;
the decryption unit is used for receiving the encrypted server public key information sent by the server and decrypting the encrypted server public key information through the client private key information to obtain the server public key information;
a key generation unit for generating a session key;
and the encryption unit is used for encrypting the message through the session key, encrypting the session key through the server public key information, and sending the encrypted message to the server so that the server decrypts the session key and decrypts the encrypted message through the decrypted session key to obtain the message, and performing intrusion detection on malicious attack on the message.
In a sixth aspect, an embodiment of the present invention provides an electronic device, including:
one or more processors;
a storage device for storing one or more programs,
when executed by the one or more processors, cause the one or more processors to implement a method as claimed.
In a seventh aspect, an embodiment of the present invention provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the method provided by the embodiment of the present invention.
According to the technical scheme provided by the embodiment of the invention, the server side receives the client side public key information sent by the client side, encrypts the server side public key information based on the client side public key information and sends the encrypted server side public key information to the client side; the client decrypts the encrypted server public key information through the client private key information to obtain the server public key information, encrypts a target field in a message through a session key, and encrypts the session key through the server public key information; the server decrypts the session key through the server private key information by receiving the encrypted message sent by the client, and decrypts the encrypted message through the decrypted session key to obtain a message; the intrusion detection of malicious attack on the message can protect the data security, improve the security of background application and reduce the risk of message data leakage.
Drawings
FIG. 1a is a flow chart of an intrusion detection method according to an embodiment of the present invention;
FIG. 1b is a flow chart of a key interactor processing method of a server;
FIG. 1c is a flow chart of a processing method of a decryptor of a server;
FIG. 1d is a flow chart of intrusion detector processing;
FIG. 2a is a flow chart of an intrusion detection method according to an embodiment of the present invention;
FIG. 2b is a flowchart of a key interactor implementation method of the client;
FIG. 3a is a flowchart of an intrusion detection method according to an embodiment of the present invention;
FIG. 3b is a flowchart of an intrusion detection method according to an embodiment of the present invention;
fig. 4 is a block diagram of an intrusion detection device according to an embodiment of the present invention;
fig. 5a is a block diagram of an intrusion detection device according to an embodiment of the present invention;
FIG. 5b is an interaction diagram for intrusion detection in the related art;
FIG. 5c is an interaction diagram for intrusion detection in the related art;
fig. 6 is a schematic structural diagram of an intrusion detection system according to an embodiment of the present invention;
fig. 7 is a schematic structural diagram of an intrusion detection system according to an embodiment of the present invention;
fig. 8 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting of the invention. It should be further noted that, for the convenience of description, only some of the structures related to the present invention are shown in the drawings, not all of the structures.
Fig. 1a is a flowchart of an intrusion detection method according to an embodiment of the present invention, where the method may be executed by an intrusion detection apparatus, the apparatus may be implemented by software and/or hardware, the apparatus may be configured at a server, and the method may be applied in an intrusion detection scenario where an encrypted packet is attacked maliciously.
As shown in fig. 1a, the technical solution provided by the embodiment of the present invention includes:
s110: receiving client public key information sent by a client, encrypting server public key information based on the client public key information, and sending the encrypted server public key information to the client; the client decrypts the encrypted server public key information through the client private key information to obtain the server public key information, encrypts a target field in a message through a session key, and encrypts the session key through the server public key information.
In the embodiment of the present invention, the key interactor of the client may randomly generate public key information and private key information through its key generation unit. The public key and the private key are an asymmetric key pair, that is, encryption and decryption use different keys: what is encrypted with the public key information is decrypted with the private key information, and what is encrypted with the private key information is decrypted with the public key information.
In the embodiment of the invention, the client sends the randomly generated client public key information to the key interactor of the server; the server encrypts the server public key information with the client public key information through its own key interactor and sends the encrypted server public key information to the client. The processing flow of the server key interactor may be as in fig. 1b. As shown in fig. 1b, the server receives the client public key information sent by the client, calls the key generation unit in its key interactor to generate server public key information and private key information, calls the encryption unit to encrypt the server public key information with the client public key information, and sends the encrypted server public key information to the client. The client decrypts the encrypted server public key information with its randomly generated private key information through its own key interactor; this works because the client public key and private key are an asymmetric pair and the server public key information was encrypted with the client public key information.
In the embodiment of the invention, the client generates the session key by calling the key generation unit in its key interactor, calls the encryption unit in the key interactor to encrypt the target field in the message with the session key, calls the encryption unit again to encrypt the session key with the server public key information, thereby obtaining the encrypted message, and sends the encrypted message to the server, specifically to the decryptor of the server. The session key is a symmetric key, that is, the sender and the receiver must use the same key to encrypt and decrypt the message.
S120: and receiving an encrypted message sent by the client, decrypting the session key through the server private key information, and decrypting the encrypted message through the decrypted session key to obtain the message.
In the embodiment of the invention, the server receives the encrypted message sent by the client through its decryptor, decrypts the session key with the server private key information, and decrypts the encrypted message with the decrypted session key to obtain the decrypted message. Referring to fig. 1c, after obtaining the encrypted message sent by the client, the server may call a private key obtaining unit to fetch the server private key information from its own key interactor, call the decryption unit in the key interactor to decrypt the session key with the server private key information, obtaining the decrypted session key, and call the decryption unit to decrypt the target field in the encrypted message with the decrypted session key, obtaining the decrypted message.
S130: and carrying out intrusion detection of malicious attack on the message.
In an implementation of the embodiment of the present invention, optionally, performing intrusion detection for malicious attacks on the message includes: parsing the message through an intrusion detector and obtaining the request line, request headers and request body from the message; and performing intrusion detection for malicious attacks on the request line, request headers and request body. The processing flow of the intrusion detector may be as in fig. 1d. As shown in fig. 1d, the intrusion detector calls a message parsing unit to deep-parse the message and obtain the request line, request headers and request body from it; the message may be an HTTP message. The intrusion detector calls an information decoding unit to URL-decode the request line and to Base64-decode the Base64-encoded information in the request body, and the decoded message is passed to a regex engine unit. The intrusion detector calls the regex engine unit to load a preset defense strategy library and perform intrusion detection for malicious attacks on the request headers, request line and request body; the defense strategy library can intercept 10 common attack types. Based on the scan result of the regex engine unit, a detected malicious attack is blocked and the intrusion detector calls a message assembly unit to assemble response information and return it to the client; a message that the regex engine unit finds to contain no malicious attack code is sent to the application logic processing module for subsequent processing.
HTTPS is a transport protocol for secure communication over a computer network: it communicates via HTTP, establishes an encrypted channel using SSL/TLS, and encrypts the packets. The primary purpose of HTTPS is to authenticate the web server while protecting the privacy and integrity of the exchanged data. The regex engine unit implements a security policy by loading regular expressions and screens for malicious attack code. HTTPS offload (certificate unloading) decrypts the encrypted data using the private key belonging to the server certificate, yielding the plaintext of the transmitted message.
In an implementation of the embodiment of the present invention, optionally, the method may further include: if the message contains malicious attack code, intercepting the message and feeding back response information to the client; and if the message does not contain malicious attack code, sending the message to the application logic processing module for subsequent processing. A message containing malicious attack code is thus blocked from entering the application logic processing module and a response message is returned to the client, while a message without malicious attack code is passed on to the application logic processing module, so data security can be ensured.
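The detector flow of fig. 1d (parse into request line, headers and body; URL- and Base64-decode; run a regex policy; block or pass), as an added example in Go. This is not code from the patent or its assignee: the rule names, the patterns in the policy, the request samples and the `Inspect`/`Request` helpers are all constructed for the example, since the patent does not publish its defense strategy library. It goes slightly beyond the text by percent-decoding up to twice, so a double-encoded request line is still caught, and by scanning each form field value as well as the whole body, so a Base64 payload hidden in one field is decoded too.

```go
package main

import (
	"bufio"
	"bytes"
	"encoding/base64"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"regexp"
	"strings"
)

// Verdict is what the intrusion detector returns for one decrypted message.
type Verdict struct {
	Blocked bool
	Rule    string // matching rule name, empty when the message is clean
	Where   string // "request-line", "header" or "body"
}

// policy is a constructed, deliberately small defense strategy library; a
// production set would be far larger and tuned against false positives.
var policy = []struct {
	name string
	re   *regexp.Regexp
}{
	{"sqli-union-select", regexp.MustCompile(`(?i)\bunion\b[\s/*]+\bselect\b`)},
	{"sqli-tautology", regexp.MustCompile(`(?i)'\s*or\s+'?\d+'?\s*=\s*'?\d+`)},
	{"xss-script-tag", regexp.MustCompile(`(?i)<\s*script\b`)},
	{"path-traversal", regexp.MustCompile(`(\.\./|\.\.\\){2,}`)},
	{"cmd-injection", regexp.MustCompile(`(?i)[;|&]\s*(cat|sh|bash|nc|wget|curl)\b`)},
}

// views is the information decoding unit: the raw value, up to two rounds of
// percent-decoding (to catch double encoding) and, for every form that is
// valid Base64, its decoded bytes, so the rules see each layer.
func views(s string) []string {
	out := []string{s}
	for i, cur := 0, s; i < 2; i++ {
		u, err := url.QueryUnescape(cur)
		if err != nil || u == cur {
			break
		}
		cur = u
		out = append(out, cur)
	}
	for _, v := range out {
		if b, err := base64.StdEncoding.DecodeString(strings.TrimSpace(v)); err == nil && len(b) > 0 {
			out = append(out, string(b))
		}
	}
	return out
}

// scan is the regex engine unit: the first rule matching any decoded view.
func scan(s string) (string, bool) {
	for _, v := range views(s) {
		for _, r := range policy {
			if r.re.MatchString(v) {
				return r.name, true
			}
		}
	}
	return "", false
}

// Inspect is the intrusion detector: it parses the plaintext HTTP message the
// server recovered after decryption, runs the policy over the request line,
// each header and the body (form field values included) and stops at the
// first hit. The caller intercepts on Blocked and otherwise passes the message on.
func Inspect(raw []byte) (Verdict, error) {
	req, err := http.ReadRequest(bufio.NewReader(bytes.NewReader(raw)))
	if err != nil {
		return Verdict{}, err
	}
	if name, hit := scan(req.Method + " " + req.RequestURI + " " + req.Proto); hit {
		return Verdict{Blocked: true, Rule: name, Where: "request-line"}, nil
	}
	for k, vals := range req.Header {
		if name, hit := scan(k + ": " + strings.Join(vals, ",")); hit {
			return Verdict{Blocked: true, Rule: name, Where: "header"}, nil
		}
	}
	body, err := io.ReadAll(req.Body)
	if err != nil {
		return Verdict{}, err
	}
	parts := []string{string(body)}
	if form, err := url.ParseQuery(string(body)); err == nil {
		for _, vals := range form {
			parts = append(parts, vals...)
		}
	}
	for _, p := range parts {
		if name, hit := scan(p); hit {
			return Verdict{Blocked: true, Rule: name, Where: "body"}, nil
		}
	}
	return Verdict{}, nil
}

// Request builds a constructed HTTP/1.1 request for the samples below.
func Request(method, target string, headers map[string]string, body string) []byte {
	var b strings.Builder
	fmt.Fprintf(&b, "%s %s HTTP/1.1\r\nHost: bank.example\r\n", method, target)
	for k, v := range headers {
		fmt.Fprintf(&b, "%s: %s\r\n", k, v)
	}
	fmt.Fprintf(&b, "Content-Length: %d\r\n\r\n%s", len(body), body)
	return []byte(b.String())
}

func main() {
	for _, raw := range [][]byte{
		Request("POST", "/login", nil, "username=alice&password=hunter2"),
		Request("GET", "/account?id=1%2527%2520or%2520%25271%2527%253D%25271", nil, ""), // double-encoded 1' or '1'='1
		Request("POST", "/comment", nil, "text=eyJ0ZXh0IjoiPHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0PiJ9"),  // Base64 of JSON carrying <script>
		Request("GET", "/", map[string]string{"X-File": "../../../../etc/passwd"}, ""),
	} {
		v, err := Inspect(raw)
		fmt.Printf("blocked=%v rule=%q where=%q err=%v\n", v.Blocked, v.Rule, v.Where, err)
	}
}
```

Run as is, the four samples yield one clean verdict and three blocks, in the request line, the body and a header respectively. The decoding in `views` is what the text's "information decoding unit" must get right: a rule that only sees the raw request line never matches `%2527`, and a rule that only sees the raw body never matches a Base64 blob, so each part is matched at every decoding layer rather than once.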
According to the technical scheme provided by the embodiment of the invention, the server side receives the client side public key information sent by the client side, encrypts the server side public key information based on the client side public key information and sends the encrypted server side public key information to the client side; the client decrypts the encrypted server public key information through client private key information to obtain the server public key information, encrypts a target field in a message through a session key, and encrypts the session key through the server public key information; the server decrypts the session key through the server private key information by receiving the encrypted message sent by the client, and decrypts the encrypted message through the decrypted session key to obtain the message; and carrying out intrusion detection of malicious attack on the message, so that the data security can be protected, the security of background application is improved, and the risk of message data leakage can be reduced.
Fig. 2a is a flowchart of an intrusion detection method according to an embodiment of the present invention, where the method may be executed by an intrusion detection apparatus, the apparatus may be implemented by software and/or hardware, the apparatus may be configured at a client, and optionally, may be configured in a key interactor of the client, and the method may be applied in an intrusion detection scenario where an encrypted packet is maliciously attacked.
As shown in fig. 2a, the technical solution provided by the embodiment of the present invention includes:
s210: sending the public key information of the client to a server; and the server side encrypts the server side public key information based on the client side public key information.
In the embodiment of the present invention, the key interactor of the client may randomly generate public key information and private key information through its key generation unit. The public key and the private key are an asymmetric key pair, that is, encryption and decryption use different keys: what is encrypted with the public key information is decrypted with the private key information, and what is encrypted with the private key information is decrypted with the public key information.
In the embodiment of the invention, the client sends the randomly generated client public key information to the key interactor of the server; the server encrypts the server public key information with the client public key information through its own key interactor and sends the encrypted server public key information to the client. The client decrypts the encrypted server public key information with its randomly generated private key information through its own key interactor; this works because the client public key and private key are an asymmetric pair and the server public key information was encrypted with the client public key information.
S220: and receiving the encrypted server public key information sent by the server, and decrypting the encrypted server public key information through the client private key information to obtain the server public key information.
In the embodiment of the invention, the client decrypts the encrypted server public key information with its randomly generated private key information through its key interactor to obtain the server public key information. Because the client public key and private key are an asymmetric pair and the server public key information was encrypted with the client public key information, the encrypted server public key information can be decrypted with the client private key information.
S230: a session key is generated.
In the embodiment of the invention, the client generates the session key by calling the key generation unit in its key interactor. The session key is a symmetric key, that is, the sender and the receiver must use the same key to encrypt and decrypt the message.
S240: encrypting a message through the session key, encrypting the session key through the server public key information, and sending the encrypted message to the server, so that the server decrypts the session key and decrypts the encrypted message through the decrypted session key to obtain the message, and performing intrusion detection of malicious attack on the message.
In the embodiment of the invention, the client calls the encryption unit in its key interactor to encrypt the target field in the message with the session key, calls the encryption unit to encrypt the session key with the server public key information, thereby obtaining the encrypted message, and sends the encrypted message to the server, specifically to the decryptor of the server. The session key is a symmetric key, that is, the sender and the receiver must use the same key to encrypt and decrypt the message.
In the embodiment of the invention, the server receives the encrypted message sent by the client through its decryptor, decrypts the session key with the server private key information, and decrypts the encrypted message with the decrypted session key to obtain the decrypted message. The method may be executed by the key interactor of the client; the flow executed by the client key interactor may be as in fig. 2b.
According to the technical scheme provided by the embodiment of the invention, the client sends client public key information to the server, the server encrypts the server public key information by the client public key information and sends the encrypted server public key information to the client; the client decrypts the encrypted server public key information through client private key information to obtain the server public key information, encrypts a target field in a message through a session key, and encrypts the session key through the server public key information; the server decrypts the session key through the server private key information by receiving the encrypted message sent by the client, and decrypts the encrypted message through the decrypted session key to obtain the message; and carrying out intrusion detection of malicious attack on the message, so that the data security can be protected, the security of background application is improved, and the risk of message data leakage can be reduced.
Fig. 3a is a flowchart of an intrusion detection method according to an embodiment of the present invention, where the method may be executed by a system formed by a client and a server, as shown in fig. 3a, a technical solution provided by the embodiment of the present invention includes:
s310: and the client sends the client public key information to the server.
S320: and the server encrypts the server public key information based on the client public key information and sends the encrypted server public key information to the client.
S330: the client receives the encrypted server public key information sent by the server, and decrypts the encrypted server public key information through the client private key information to obtain the server public key information.
S340: the client generates a session key, encrypts a message through the session key, encrypts the session key through the server public key information, and sends the encrypted message to the server.
S350: and the server receives the encrypted message sent by the client, decrypts the session key through the server private key information, and decrypts the encrypted message through the decrypted session key to obtain the message.
S360: and the server side carries out intrusion detection of malicious attack on the message.
Reference may be made to the description of the above embodiments for the description of S310-S360. Fig. 3b may also be referred to in the method provided in the embodiment of the present invention.
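The complete exchange of S310-S360 (the same steps the server-side S110-S130 and client-side S210-S240 embodiments describe from one end), as an added example in Go that is not code from the patent or its assignee. The patent names no algorithms, so the choices here are assumptions: RSA-OAEP for both asymmetric encryptions, AES-256-GCM for the session key, the key sizes, the OAEP labels and the `Message` layout. Only the standard library is used. As in the patent, nothing in this exchange authenticates either party (a client public key that arrives in the clear can be replaced by whoever controls the path), so the example relies, as the Background does, on the outer HTTPS channel to authenticate the server; the plaintext that `Open` returns is what S360 hands to the intrusion detector.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
)

// Key sizes are assumptions. The client key is larger than the server key so the
// server's DER public key (294 bytes for RSA-2048) fits in one RSA-OAEP block of
// the client key (318 bytes for RSA-3072 with SHA-256), which is what allows the
// server public key to be encrypted directly, as described, not hybrid-wrapped.
const clientBits, serverBits = 3072, 2048

var keyLabel, sessionLabel = []byte("server-public-key"), []byte("session-key")

// Message is the encrypted message of S340 (layout assumed): the target field
// under a fresh AES-256-GCM session key, plus that key wrapped for the server.
type Message struct {
	WrappedKey []byte // RSA-OAEP(serverPub, sessionKey)
	Nonce      []byte
	Ciphertext []byte // AES-GCM(sessionKey, targetField)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Handshake runs the key interaction S310-S330 and returns what each side holds
// afterwards: the server public key as the client recovered it, and the server
// private key that the server decryptor will use.
func Handshake() (*rsa.PublicKey, *rsa.PrivateKey, error) {
	clientKey, err := rsa.GenerateKey(rand.Reader, clientBits)
	if err != nil {
		return nil, nil, err
	}
	serverKey, err := rsa.GenerateKey(rand.Reader, serverBits)
	if err != nil {
		return nil, nil, err
	}
	// S310: the client public key information reaches the server in the clear.
	clientPub := &clientKey.PublicKey
	// S320: the server key interactor encrypts its own public key under it.
	serverPubDER, _ := x509.MarshalPKIXPublicKey(&serverKey.PublicKey)
	enc, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, clientPub, serverPubDER, keyLabel)
	if err != nil {
		return nil, nil, err
	}
	// S330: the client decrypts with its private key and keeps the result.
	der, err := rsa.DecryptOAEP(sha256.New(), nil, clientKey, enc, keyLabel)
	if err != nil {
		return nil, nil, err
	}
	pub, err := x509.ParsePKIXPublicKey(der)
	if err != nil {
		return nil, nil, err
	}
	serverPub, ok := pub.(*rsa.PublicKey)
	if !ok {
		return nil, nil, errors.New("server key is not RSA")
	}
	return serverPub, serverKey, nil
}

// Seal is the client side of S340: a fresh session key, AES-GCM over the target
// field, and the session key wrapped under the server public key.
func Seal(serverPub *rsa.PublicKey, targetField []byte) (*Message, error) {
	kn := make([]byte, 32+12) // 256-bit session key followed by a 96-bit GCM nonce
	if _, err := io.ReadFull(rand.Reader, kn); err != nil {
		return nil, err
	}
	key, nonce := kn[:32], kn[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, key, sessionLabel)
	if err != nil {
		return nil, err
	}
	return &Message{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, targetField, nil)}, nil
}

// Open is the server decryptor of S350: unwrap the session key with the server
// private key, then decrypt. GCM also rejects a ciphertext altered in transit,
// so only an intact target field ever reaches the intrusion detector.
func Open(serverPriv *rsa.PrivateKey, m *Message) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, serverPriv, m.WrappedKey, sessionLabel)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, m.Nonce, m.Ciphertext, nil)
}

func main() {
	serverPub, serverPriv, err := Handshake()
	if err != nil {
		panic(err)
	}
	msg, err := Seal(serverPub, []byte("acct=6228480012345678&amount=50.00")) // constructed target field
	if err != nil {
		panic(err)
	}
	plain, err := Open(serverPriv, msg) // this plaintext is what S360 hands to the detector
	fmt.Printf("recovered %q, err=%v\n", plain, err)
}
```

Because every `Seal` draws a new session key, the scheme gives the per-message keys that the related-art discussion below says a front-end WAF cannot support: no key ever leaves the server, since the session key is unwrapped with the server private key on the same host that runs the detector.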
Fig. 4 is a block diagram of an intrusion detection apparatus according to an embodiment of the present invention, where the apparatus is configured at a server, and as shown in fig. 4, the apparatus includes: key interactor 410, decryptor 420 and intrusion detector 430.
The key interactor 410 is used for receiving client public key information sent by a client, encrypting server public key information based on the client public key information, and sending the encrypted server public key information to the client; the client decrypts the encrypted server public key information through client private key information to obtain the server public key information, encrypts a target field in a message through a session key, and encrypts the session key through the server public key information;
a decryptor 420, configured to receive the encrypted message sent by the client, decrypt the session key through the server private key information, and decrypt the encrypted message through the decrypted session key to obtain the message;
and the intrusion detector 430 is used for carrying out intrusion detection of malicious attacks on the message.
Optionally, the intrusion detection for malicious attack on the packet includes:
analyzing the message through an intrusion detector, and acquiring a request head, a request line and request body information from the message;
and carrying out intrusion detection of malicious attacks on the request head, the request line and the request body information.
Optionally, the apparatus further includes a regular engine unit, configured to:
if the message contains a malicious attack code, intercepting the message and feeding back response information to the client;
and if the message does not contain the malicious attack code, sending the message to an application logic processing module for subsequent processing.
The device can execute the method provided by any embodiment of the invention, and has the corresponding functional modules and beneficial effects of the execution method.
Fig. 5a is a block diagram of an intrusion detection apparatus according to an embodiment of the present invention, where the apparatus is configured at a client, and as shown in fig. 5a, the apparatus includes: a transmission unit 510, a decryption unit 520, a key generation unit 530, and an encryption unit 540.
A sending unit 510, configured to send the client public key information to the server; the server side encrypts server side public key information based on the client side public key information;
the decryption unit 520 is configured to receive the encrypted server public key information sent by the server, and decrypt the encrypted server public key information through the client private key information to obtain the server public key information;
a key generation unit 530 for generating a session key;
an encrypting unit 540, configured to encrypt the message with the session key, encrypt the session key with the server public key information, and send the encrypted message to the server, so that the server decrypts the session key, decrypts the encrypted message with the decrypted session key to obtain the message, and performs intrusion detection of malicious attacks on the message.
The device can execute the method provided by any embodiment of the invention, and has the functional modules and beneficial effects corresponding to the executed method.
In the related art, two schemes are adopted to protect the server from attack:
In the first scheme, shown in fig. 5b, a WAF is deployed in front of the application, the key the server uses for decryption is manually imported into the front WAF, and intrusion detection is performed after the front WAF decrypts the traffic; in the second scheme, shown in fig. 5c, a WAF is deployed behind the application: transaction messages are decrypted by the server, then forwarded to the WAF, and after intrusion detection the messages are returned to the server for service processing.
The first scheme has the following disadvantages: the key is crucial to the application, and to reduce the risk of key leakage the key should never be exported from the device; in this scheme, however, the key must be exported from the server and imported into the WAF device, which creates a security risk in the process; and because the key is exported from the server to the WAF device, the client and the server cannot support secret communication in a one-time pad mode.
The second scheme has the following disadvantages: after the server integrates the component, the decrypted message is exported to the WAF device and imported back into the server after the WAF has cleaned it, which clearly adds a hop to the transaction link and therefore inevitably increases transaction delay; application-layer attack behaviour may sit in the request head, the request line or the request body, and if the malicious code is in the request line or the request head, the attack may already have taken effect by the time the message is decrypted at the server; and when the server exports the decrypted message to the WAF device, that link carries the message in plaintext, so there is a risk of information leakage.
According to the method and device provided by the embodiment of the invention, the intrusion detector is placed at the server side, so malicious attacks can be detected and data security protected. The technical scheme provided by the embodiment of the invention has low usage cost, needs no separate deployment, saves server resources, can be integrated directly into the system, and provides point-to-point protection of the system; manual export of the key is avoided, which reduces the risk of key leakage, and the client and the server are supported in communicating secretly in a one-time pad mode, which reduces the risk of cracking by a third party; the device or unit is integrated in the system, so the decrypted message is never exported, a hop is removed from the transaction link, response time is improved, and the risk of sensitive information leakage is reduced; and common network attacks can be intercepted while data security is protected, which improves the security of the background application.
Fig. 6 and fig. 7 are schematic structural diagrams of an intrusion detection system according to an embodiment of the present invention, which includes the apparatuses shown in fig. 4 and fig. 5a; the system includes a client and a server. As shown in fig. 6, the system provided in the embodiment of the present invention includes a key interactor of the client, a key interactor of the server and an intrusion detector of the server. Each part may contain different units, as shown in fig. 7; for the function of each part, reference is made to the description of the embodiments above.
Fig. 8 is a schematic structural diagram of an apparatus provided in an embodiment of the present invention, and as shown in fig. 8, the apparatus includes:
one or more processors 810, one processor 810 being illustrated in FIG. 8;
a memory 820;
the apparatus may further include: an input device 830 and an output device 840.
The processor 810, the memory 820, the input device 830 and the output device 840 of the apparatus may be connected by a bus or other means; connection by a bus is taken as the example in fig. 8.
The memory 820 is a non-transitory computer-readable storage medium and can be used for storing software programs, computer-executable programs, and modules, such as program instructions/modules corresponding to an intrusion detection method in the embodiment of the present invention (for example, the key interactor 410, the decryptor 420, and the intrusion detector 430 shown in fig. 4, or the sending unit 510, the decryption unit 520, the key generation unit 530, and the encryption unit 540 shown in fig. 5a). The processor 810 executes various functional applications and data processing of the computer device by executing software programs, instructions and modules stored in the memory 820, so as to implement an intrusion detection method of the above method embodiment, that is:
receiving client public key information sent by a client, encrypting server public key information based on the client public key information, and sending the encrypted server public key information to the client; the client decrypts the encrypted server public key information through client private key information to obtain the server public key information, encrypts a target field in a message through a session key, and encrypts the session key through the server public key information;
receiving an encrypted message sent by the client, decrypting the session key through the server private key information, and decrypting the encrypted message through the decrypted session key to obtain the message;
and carrying out intrusion detection of malicious attack on the message.
or, alternatively:
sending the public key information of the client to a server; the server side encrypts server side public key information based on the client side public key information;
receiving encrypted server public key information sent by a server, and decrypting the encrypted server public key information through client private key information to obtain the server public key information;
generating a session key;
encrypting a message through the session key, encrypting the session key through the server public key information, and sending the encrypted message to the server, so that the server decrypts the session key and decrypts the encrypted message through the decrypted session key to obtain the message, and performing intrusion detection of malicious attack on the message.
The memory 820 may include a program storage area and a data storage area, wherein the program storage area may store an operating system and an application program required for at least one function, and the data storage area may store data created according to use of the computer device, and the like. Further, the memory 820 may include high speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, the memory 820 may optionally include memory located remotely from the processor 810, which may be connected to the apparatus via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The input device 830 may be used to receive input numeric or character information and generate key signal inputs related to user settings and function control of the computer apparatus. The output device 840 may include a display device such as a display screen.
An embodiment of the present invention provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements an intrusion detection method according to an embodiment of the present invention:
receiving client public key information sent by a client, encrypting server public key information based on the client public key information, and sending the encrypted server public key information to the client; the client decrypts the encrypted server public key information through client private key information to obtain the server public key information, encrypts a target field in a message through a session key, and encrypts the session key through the server public key information;
receiving an encrypted message sent by the client, decrypting the session key through the server private key information, and decrypting the encrypted message through the decrypted session key to obtain the message;
and carrying out intrusion detection of malicious attack on the message.
or, alternatively:
sending the public key information of the client to a server; the server side encrypts server side public key information based on the client side public key information;
receiving encrypted server public key information sent by a server, and decrypting the encrypted server public key information through client private key information to obtain the server public key information;
generating a session key;
encrypting a message through the session key, encrypting the session key through the server public key information, and sending the encrypted message to the server, so that the server decrypts the session key and decrypts the encrypted message through the decrypted session key to obtain the message, and performing intrusion detection of malicious attack on the message.
Any combination of one or more computer-readable media may be employed. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present invention and the technical principles employed. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in greater detail by the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the appended claims.

Claims (10)

1. An intrusion detection method, which is applied to a server side, is characterized in that the method comprises the following steps:
receiving client public key information sent by a client, encrypting server public key information based on the client public key information, and sending the encrypted server public key information to the client; the client decrypts the encrypted server public key information through client private key information to obtain the server public key information, encrypts a target field in a message through a session key, and encrypts the session key through the server public key information;
receiving an encrypted message sent by the client, decrypting the session key through the server private key information, and decrypting the encrypted message through the decrypted session key to obtain the message;
and carrying out intrusion detection of malicious attack on the message.
2. The method of claim 1, wherein the intrusion detection of malicious attack on the message comprises:
analyzing the message through an intrusion detector, and acquiring a request head, a request line and request body information from the message;
and carrying out intrusion detection of malicious attacks on the request head, the request line and the request body information.
3. The method of claim 1, further comprising:
if the message contains a malicious attack code, intercepting the message and feeding back response information to the client;
and if the message does not contain the malicious attack code, sending the message to an application logic processing module for subsequent processing.
4. The method of claim 2, wherein the intrusion detector is deployed at the server side.
5. An intrusion detection method, applied to a client, the method comprising:
sending the public key information of the client to a server; the server side encrypts server side public key information based on the client side public key information;
receiving encrypted server public key information sent by a server, and decrypting the encrypted server public key information through client private key information to obtain the server public key information;
generating a session key;
encrypting a message through the session key, encrypting the session key through the server public key information, and sending the encrypted message to the server, so that the server decrypts the session key and decrypts the encrypted message through the decrypted session key to obtain the message, and performing intrusion detection of malicious attack on the message.
6. An intrusion detection method, comprising:
the client side sends the client side public key information to the server side;
the server encrypts server public key information based on the client public key information and sends the encrypted server public key information to the client;
the client receives the encrypted server public key information sent by the server, and decrypts the encrypted server public key information through the client private key information to obtain the server public key information;
the client generates a session key, encrypts a message through the session key, encrypts the session key through the server public key information, and sends the encrypted message to the server;
the server receives the encrypted message sent by the client, decrypts the session key through the server private key information, and decrypts the encrypted message through the decrypted session key to obtain the message;
and the server side carries out intrusion detection of malicious attack on the message.
7. An intrusion detection device, the device being configured at a server, the device comprising:
the first key interaction device is used for receiving client public key information sent by a client, encrypting server public key information based on the client public key information and sending the encrypted server public key information to the client; the client decrypts the encrypted server public key information through client private key information to obtain the server public key information, encrypts a target field in a message through a session key, and encrypts the session key through the server public key information;
the decryptor is used for receiving the encrypted message sent by the client, decrypting the session key through the server private key information and decrypting the encrypted message through the decrypted session key to obtain the message;
and the intrusion detector is used for carrying out intrusion detection of malicious attack on the message.
8. An intrusion detection apparatus, the apparatus being configured at a client, the apparatus comprising:
the sending unit is used for sending the public key information of the client to the server; the server side encrypts server side public key information based on the client side public key information;
the decryption unit is used for receiving the encrypted server public key information sent by the server and decrypting the encrypted server public key information through the client private key information to obtain the server public key information;
a key generation unit for generating a session key;
and the encryption unit is used for encrypting the message through the session key, encrypting the session key through the server public key information, and sending the encrypted message to the server so that the server decrypts the session key and decrypts the encrypted message through the decrypted session key to obtain the message, and performing intrusion detection on malicious attack on the message.
9. An electronic device, comprising:
one or more processors;
a storage device for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 1-6.
10. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the method according to any one of claims 1 to 6.
CN202111568913.XA 2021-12-21 2021-12-21 Intrusion detection method, device, equipment and storage medium Pending CN114338114A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111568913.XA CN114338114A (en) 2021-12-21 2021-12-21 Intrusion detection method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN114338114A true CN114338114A (en) 2022-04-12

Family

ID=81055290

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination