CN117081826A - Abnormal service verification method and device and computer equipment - Google Patents
- Publication number: CN117081826A (CN202311120390.1A)
- Authority: CN (China)
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L63/101—Access control lists [ACL]
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0861—Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
- H04L63/102—Entity profiles
- H04L63/1425—Traffic logging, e.g. anomaly detection
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/145—Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
- H04L9/40—Network security protocols
Abstract
The application relates to an abnormal service verification method. The method comprises the following steps: obtaining access request information, wherein the access request information comprises user login behavior information; when the access request object in the access request information passes blacklist verification, generating corresponding feature information from the request information according to a preset verification rule; sending man-machine interaction verification information when the feature information is marked as forbidden; when the man-machine interaction verification succeeds, comparing whether the user login behavior information matches preset behavior information; and when the comparison result includes that the user login behavior information does not match the preset behavior information, determining that the abnormal service verification has failed. With this method, abnormal service verification can be performed rapidly.
Description
Technical Field
The present application relates to the field of computer technologies, and in particular, to a method and apparatus for verifying abnormal services, and a computer device.
Background
Abnormal service protection for websites refers to preventing malicious, rapid and high-volume access requests to a website, including crawlers, data harvesting, ranking manipulation, batch registration, batch posting, obtaining website data by exploiting vulnerabilities, and the like.
In the related art, after multiple access requests are received from a user, access-frequency limiting logic may be added during login verification, and requests exceeding the upper frequency limit may be blocked or answered with a verification code (CAPTCHA) pop-up. If this abnormal service logic is added at every verification address, a large amount of duplicated code is produced and working efficiency is low.
Disclosure of Invention
Based on this, it is necessary to provide an abnormal service verification method for solving the above technical problems, which can flexibly combine abnormal service rules and effectively ensure the security of user login.
In a first aspect, the present application provides an abnormal service verification method. The method comprises the following steps:
obtaining access request information, wherein the access request information comprises user login behavior information;
when the access request object in the access request information passes blacklist verification, generating corresponding feature information from the request information according to a preset verification rule;
sending man-machine interaction verification information when the feature information is marked as forbidden;
when the man-machine interaction verification succeeds, comparing whether the user login behavior information matches preset behavior information;
and when the comparison result includes that the user login behavior information does not match the preset behavior information, determining that the abnormal service verification has failed.
In one embodiment, the method further comprises:
in the case that the feature information is not marked as forbidden, passing the abnormal service verification;
and calculating the generation times of the characteristic information, and marking the characteristic information as forbidden after the times reach a time threshold.
In one embodiment, after the sending the man-machine interaction verification information, the method further includes:
and under the condition that the man-machine interaction verification fails, the man-machine interaction information is sent again, wherein the time interval for sending the man-machine interaction information again is larger than the time interval for sending the man-machine interaction information last time.
In one embodiment, the preset verification rule includes a plurality of rules;
and sending man-machine interaction verification information under the condition that the feature information corresponding to at least one verification rule in the feature information is marked as forbidden.
In one embodiment, after the feature information is marked as disabled, the method further comprises:
waiting for preset time, and deleting the forbidden mark in the characteristic information;
and when the characteristic information is regenerated, the generation times of the characteristic information are recalculated.
In one embodiment, after comparing whether the user login behavior information matches the preset behavior information, the method further includes:
obtaining access request equipment identification in the access request information to obtain historical user login behavior information, wherein the user login behavior information comprises environment information and use information;
and comparing the historical user login behavior information with the current user login behavior information to obtain a detection result, wherein the detection result is used for representing whether abnormal access behaviors exist or not.
In a second aspect, the present application further provides an abnormal service verification apparatus, where the apparatus includes:
the obtaining module is used for obtaining access request information, wherein the access request information comprises user login behavior information;
the generation module is used for generating corresponding characteristic information from the request information according to a preset verification rule under the condition that an access request object in the access request information passes blacklist verification;
the sending module is used for sending man-machine interaction verification information under the condition that the characteristic information is marked as forbidden;
the comparison module is used for comparing whether the user login behavior information is matched with preset behavior information or not under the condition that the man-machine interaction verification is successful;
and the matching module is used for determining that the abnormal service is verified as failed when the comparison result comprises that the user login behavior information is not matched with the preset behavior information.
In one embodiment, the apparatus further comprises:
in the case that the feature information is not marked as forbidden, passing the abnormal service verification;
and calculating the generation times of the characteristic information, and marking the characteristic information as forbidden after the times reach a time threshold.
In one embodiment, after the sending the man-machine interaction verification information, the apparatus further includes:
and under the condition that the man-machine interaction verification fails, the man-machine interaction information is sent again, wherein the time interval for sending the man-machine interaction information again is larger than the time interval for sending the man-machine interaction information last time.
In one embodiment, the preset verification rule includes a plurality of rules;
and sending man-machine interaction verification information under the condition that the feature information corresponding to at least one verification rule in the feature information is marked as forbidden.
In one embodiment, after the feature information is marked as disabled, the apparatus further comprises:
waiting for preset time, and deleting the forbidden mark in the characteristic information;
and when the characteristic information is regenerated, the generation times of the characteristic information are recalculated.
In one embodiment, after comparing whether the user login behavior information matches the preset behavior information, the apparatus further includes:
obtaining access request equipment identification in the access request information to obtain historical user login behavior information, wherein the user login behavior information comprises environment information and use information;
and comparing the historical user login behavior information with the current user login behavior information to obtain a detection result, wherein the detection result is used for representing whether abnormal access behaviors exist or not.
In a third aspect, the present disclosure also provides a computer device. The computer device comprises a memory and a processor, wherein the memory stores a computer program, and the processor realizes the steps of the abnormal service verification method when executing the computer program.
In a fourth aspect, the present disclosure also provides a computer-readable storage medium. The computer readable storage medium has stored thereon a computer program which, when executed by a processor, implements the steps of the abnormal traffic verification method.
In a fifth aspect, the present disclosure also provides a computer program product. The computer program product comprises a computer program which, when executed by a processor, implements the steps of the abnormal traffic verification method.
The abnormal service verification method at least comprises the following beneficial effects:
According to the embodiments provided by the disclosure, feature information is generated from the access request information and the verification rule, and the feature information can comprise a user identifier and a rule identifier. If the feature information is marked as forbidden, then so that the mark can be released and misjudgment avoided, the server can return a man-machine interaction verification page to the user; when the user passes the verification on that page, the network equipment passes the abnormal service verification of the website.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments or the conventional techniques of the present disclosure, the drawings required for the descriptions of the embodiments or the conventional techniques will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present disclosure, and other drawings may be obtained according to the drawings without inventive effort to those of ordinary skill in the art.
FIG. 1 is an application environment diagram of an abnormal business verification method in one embodiment;
FIG. 2 is a flow chart of an abnormal business verification method in one embodiment;
FIG. 3 is a schematic diagram of abnormal traffic verification in one embodiment;
FIG. 4 is a block diagram of an abnormal traffic verification device in one embodiment;
FIG. 5 is an internal block diagram of a computer device in one embodiment;
FIG. 6 is an internal structural diagram of a server in one embodiment.
Detailed Description
In order to enable those skilled in the art to better understand the technical solutions of the present disclosure, the technical solutions of the embodiments of the present disclosure will be clearly and completely described below with reference to the accompanying drawings.
It should be noted that the terms "first," "second," and the like in the description and claims of the present disclosure and in the foregoing figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the disclosure described herein may be capable of operation in sequences other than those illustrated or described herein. The implementations described in the following exemplary examples are not representative of all implementations consistent with the present disclosure. Rather, they are merely examples of apparatus and methods consistent with some aspects of the present disclosure as detailed in the accompanying claims. The terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, it is not excluded that additional identical or equivalent elements may be present in a process, method, article, or apparatus that comprises a described element. For example, words such as "first" and "second" are used to indicate a name and not any particular order.
The embodiment of the disclosure provides an abnormal service verification method, which can be applied to an application environment as shown in fig. 1. Wherein the terminal 102 communicates with the server 104 via a network. The data storage system may store data that the server 104 needs to process. The data storage system may be integrated on the server 104 or may be located on a cloud or other network server. The terminal 102 may be, but not limited to, various personal computers, notebook computers, smart phones, tablet computers, internet of things devices, and portable wearable devices, where the internet of things devices may be smart speakers, smart televisions, smart air conditioners, smart vehicle devices, and the like. The portable wearable device may be a smart watch, smart bracelet, headset, or the like. The server 104 may be implemented as a stand-alone server or as a server cluster of multiple servers.
In some embodiments of the present disclosure, as shown in fig. 2, an abnormal service verification method is provided, and the method is applied to the server in fig. 1 to process the access request information. It will be appreciated that the method may be applied to a server, and may also be applied to a system comprising a terminal and a server, and implemented by interaction of the terminal and the server. In a specific embodiment, the method may include the steps of:
S202: Obtain access request information, wherein the access request information comprises user login behavior information.
The abnormal service verification may cover mobile terminal abnormal service and client terminal abnormal service, and an abnormal service may be a case in which the frequency of occurrence of a specified service behavior exceeds a predetermined number of times. The access request information may include a user identification, a device identification, user login behavior information, and the like; the user login behavior information may include search content, mouse track, and the like.
S204: When the access request object in the access request information passes blacklist verification, generate corresponding feature information from the request information according to a preset verification rule.
Before the abnormal service verification, the computer device and the mobile device may first perform blacklist verification on the requested website, so that abnormal service verification is performed only on websites that pass the blacklist verification. The blacklist verification is configured by setting the following parameters: "WhiteList" is a whitelist of configured parameter values for which no verification is performed; "verifiationcycle" is the verification period; "unit" is the unit of the verification period; "MaxCount" is the maximum number of requests in the verification period; "BanTime" is the forbidden time after the number of requests is exceeded; and "BanUnit" is the unit of the forbidden time. Corresponding feature information can be generated according to the request information, and the feature information can be marked as forbidden or not forbidden.
S206: Send man-machine interaction verification information when the feature information is marked as forbidden.
If the feature information is marked as forbidden, then so that the mark can be released and misjudgment avoided, the server can return a man-machine interaction verification page to the user. When the user accesses the man-machine interaction verification page, a page with a verification code opens; the verification code can use verification modes such as frictionless (invisible) verification, spatial reasoning, clicking and the like.
S208: When the man-machine interaction verification succeeds, compare whether the user login behavior information matches preset behavior information.
S210: When the comparison result includes that the user login behavior information does not match the preset behavior information, determine that the abnormal service verification has failed.
When the website is used, the search content and the mouse track are recorded and checked against a machine model built from a large number of collected human behavior samples. If the behavior is judged to be non-human, verification is performed; the verification mode is changed through a random function each time, the abnormal service mechanism is strengthened, and the response speed is reduced. Reducing the response speed means that, after abnormal device behavior is detected, the response time is prolonged, generally to prevent an attacker from burdening the system with frequent requests or other means, or to make it difficult for the attacker to quickly obtain the target resource.
For example, after detecting an abnormal device, the response time of the device may be extended to 10 seconds to reduce its frequency of access to the system. The purpose of this is to reduce the impact of the abnormal devices on the system while giving the administrator more time to further process and investigate. Different response strategies can be adopted according to different types of abnormal behaviors, or operations such as limiting specific IP addresses or devices can be performed.
FIG. 3 is a schematic diagram of abnormal service verification in an embodiment. In the abnormal service verification method, feature information is generated from the access request information and the verification rule, and the feature information can comprise a user identifier and a rule identifier. If the feature information is marked as forbidden, then so that the mark can be released and misjudgment avoided, the server can return a man-machine interaction verification page to the user; when the user passes the verification on that page, the network equipment passes the abnormal service verification of the website.
In some embodiments of the present disclosure, the method further comprises:
in the case that the feature information is not marked as forbidden, passing the abnormal service verification;
and calculating the generation times of the characteristic information, and marking the characteristic information as forbidden after the times reach a time threshold.
The feature information of the access request information is looked up in the cache. If the feature information is not marked as forbidden and is within the whitelist verification period, the network equipment passes the abnormal service verification of the website and the count of the feature information is incremented by 1; when the count of the feature information reaches a preset threshold within a certain time, the feature information is marked as forbidden. Unlike the blacklist, when the feature information of the user is marked as forbidden, then so that the mark can be released and misjudgment avoided, the server can return a man-machine interaction verification page to the user, and when the user passes the verification on that page, the network equipment passes the abnormal service verification of the website.
In some embodiments of the present disclosure, after the sending the man-machine interaction verification information, the method further includes:
and under the condition that the man-machine interaction verification fails, the man-machine interaction information is sent again, wherein the time interval for sending the man-machine interaction information again is larger than the time interval for sending the man-machine interaction information last time.
A failed man-machine interaction verification may be due to a user's misoperation or to a non-human login. The man-machine interaction information can be sent again for verification, with the time interval for sending it again larger than the time interval of the previous sending, and whether the login is by a human can be judged from the response speed of the verification.
In some embodiments of the present disclosure, the preset validation rules include a plurality of rules;
and sending man-machine interaction verification information under the condition that the feature information corresponding to at least one verification rule in the feature information is marked as forbidden.
The verification stage can comprise a plurality of verification rules, and the man-machine interaction verification information is sent under the condition that the feature information corresponding to at least one verification rule in the feature information is marked as forbidden.
In some embodiments of the disclosure, after the feature information is marked as disabled, the method further comprises:
waiting for preset time, and deleting the forbidden mark in the characteristic information;
and when the characteristic information is regenerated, the generation times of the characteristic information are recalculated.
After no access request information has been received for a long time, the forbidden mark of the feature information corresponding to the current verification rule can be deleted from the cache, releasing the feature information. After that, when the feature information appears again, it can be counted and marked in a new round, and the verification mode can be changed by a specific function.
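The counting, forbidding, challenge re-send and release lifecycle described in the embodiments above, as an added Python example that is not code from the patent. The in-memory cache, the user-ID blacklist, the doubling of the re-send interval and all class and function names are assumptions; the behavior comparison of S208/S210 is reduced to a boolean supplied by the caller.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Verdict(Enum):
    REJECT = "reject"        # blacklisted, or behavior mismatch after the challenge
    PASS = "pass"            # no feature information marked as forbidden
    CHALLENGE = "challenge"  # send man-machine interaction verification
    WAIT = "wait"            # re-send interval has not elapsed yet


@dataclass(frozen=True)
class Rule:                  # one preset verification rule (field names assumed)
    rule_id: str
    cycle: float             # verification period in seconds (period x unit)
    max_count: int           # MaxCount: requests counted before the mark is set
    ban_time: float          # forbidden time in seconds (BanTime x BanUnit)
    whitelist: frozenset = frozenset()  # WhiteList: users exempt from this rule


@dataclass
class Entry:                 # cached state of one piece of feature information
    window_start: float
    count: int = 0
    banned_until: Optional[float] = None


class AbnormalServiceVerifier:
    def __init__(self, rules, blacklist=(), base_interval=2.0):
        self.rules = list(rules)
        self.blacklist = set(blacklist)
        self.base_interval = base_interval  # assumed first re-send interval (s)
        self.cache = {}      # feature information (user_id, rule_id) -> Entry
        self.retry = {}      # user_id -> (failed challenges, earliest re-send time)

    def _entry(self, user_id, rule, now):
        key = (user_id, rule.rule_id)
        entry = self.cache.get(key)
        expired = (entry is not None and entry.banned_until is not None
                   and now >= entry.banned_until)
        if entry is None or expired:
            # New feature information, or forbidden time elapsed:
            # the mark is deleted and a new counting round starts.
            entry = self.cache[key] = Entry(window_start=now)
        return entry

    def check(self, user_id, now):
        """Blacklist check, then per-rule counting and marking (S204/S206)."""
        if user_id in self.blacklist:
            return Verdict.REJECT
        live = [(r, self._entry(user_id, r, now))
                for r in self.rules if user_id not in r.whitelist]
        # One forbidden rule is enough to trigger the challenge.
        if any(e.banned_until is not None for _, e in live):
            next_send = self.retry.get(user_id, (0, now))[1]
            return Verdict.CHALLENGE if now >= next_send else Verdict.WAIT
        for rule, e in live:
            if now - e.window_start >= rule.cycle:
                e.window_start, e.count = now, 0   # new verification period
            e.count += 1
            if e.count >= rule.max_count:
                e.banned_until = now + rule.ban_time
        return Verdict.PASS

    def submit_challenge(self, user_id, solved, behavior_matches, now):
        """Outcome of the man-machine challenge (S208/S210)."""
        if not solved:
            failures = self.retry.get(user_id, (0, now))[0] + 1
            # Each re-send waits longer than the previous one (doubling assumed).
            interval = self.base_interval * 2 ** (failures - 1)
            self.retry[user_id] = (failures, now + interval)
            return Verdict.WAIT
        self.retry.pop(user_id, None)
        if not behavior_matches:
            return Verdict.REJECT       # verification failed; marks stay in place
        for key in [k for k in self.cache if k[0] == user_id]:
            del self.cache[key]         # release the marks, restart counting
        return Verdict.PASS


if __name__ == "__main__":
    # Constructed scenario: three requests within 10 s set the forbidden mark.
    v = AbnormalServiceVerifier([Rule("burst", cycle=10, max_count=3, ban_time=60)])
    for t in (0, 1, 2, 3):
        print(t, v.check("u1", t).value)
    print(v.submit_challenge("u1", solved=False, behavior_matches=True, now=4).value)
    print(5, v.check("u1", 5).value, "|", 6, v.check("u1", 6).value)
```

Time is passed in as `now` so the lifecycle can be replayed deterministically; a deployment would use a shared cache with expiring keys rather than a process-local dictionary.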
In some embodiments of the disclosure, after the comparing whether the user login behavior information matches the preset behavior information, the method further includes:
obtaining access request equipment identification in the access request information to obtain historical user login behavior information, wherein the user login behavior information comprises environment information and use information;
and comparing the historical user login behavior information with the current user login behavior information to obtain a detection result, wherein the detection result is used for representing whether abnormal access behaviors exist or not.
When mobile terminal abnormal service verification is carried out, risk environment identification can be performed, including proxy server detection, sensor state evaluation, risky running environment detection and high-risk software detection. Behavior risk identification can also be performed, including device attitude stability detection, abnormal moving speed detection, abnormal usage habit detection, abnormal IP traffic detection and device aggregation detection. For a device detected as abnormal, the historical user login behavior information is compared with the current user login behavior information, and the reduced-response-speed verification is applied.
It should be understood that, although the steps in the flowcharts related to the embodiments described above are sequentially shown as indicated by arrows, these steps are not necessarily sequentially performed in the order indicated by the arrows. The steps are not strictly limited to the order of execution unless explicitly recited herein, and the steps may be executed in other orders. Moreover, at least some of the steps in the flowcharts described in the above embodiments may include a plurality of steps or a plurality of stages, which are not necessarily performed at the same time, but may be performed at different times, and the order of the steps or stages is not necessarily performed sequentially, but may be performed in turn or alternately with at least some of the other steps or stages.
Based on the same inventive concept, the embodiment of the present disclosure further provides an abnormal service verification apparatus for implementing the above-mentioned abnormal service verification method. The implementation scheme of the device for solving the problem is similar to that described in the above method, so the specific limitation in the embodiment of the abnormal service verification device provided below may refer to the limitation of the abnormal service verification method hereinabove, and will not be repeated here.
The apparatus may comprise a system (including a distributed system), software (applications), modules, components, servers, clients, etc. that employ the methods described in the embodiments of the present specification, in combination with the hardware necessary for implementation. Based on the same inventive concept, embodiments of the present disclosure provide the apparatus in one or more embodiments as described in the following examples. Because the way the apparatus solves the problem is similar to that of the method, the implementation of the apparatus in the embodiments of the present disclosure may refer to the implementation of the foregoing method, and repeated details are omitted. As used below, the term "unit" or "module" may be a combination of software and/or hardware that implements the intended function. While the apparatus described in the following embodiments is preferably implemented in software, implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
In one embodiment, as shown in fig. 4, an abnormal service verification apparatus 400 is provided, which may be the aforementioned server, or a module, component, device, unit, etc. integrated with the server.
The apparatus 400 may include:
an obtaining module 402, configured to obtain access request information, where the access request information includes user login behavior information;
a generating module 404, configured to generate corresponding feature information from the request information according to a preset verification rule when the access request object in the access request information passes blacklist verification;
a sending module 406, configured to send man-machine interaction verification information when the feature information is marked as forbidden;
a comparison module 408, configured to compare whether the user login behavior information matches preset behavior information if the man-machine interaction verification is successful;
and a matching module 410, configured to determine that the abnormal service verification has failed if the comparison result includes that the user login behavior information does not match the preset behavior information.
In one embodiment, the apparatus further comprises:
passing the abnormal service verification in the case that the feature information is not marked as forbidden;
and counting the number of times the feature information is generated, and marking the feature information as forbidden after the count reaches a count threshold.
In one embodiment, after the sending the man-machine interaction verification information, the apparatus further includes:
sending the man-machine interaction information again in the case that the man-machine interaction verification fails, wherein the time interval for sending the man-machine interaction information again is greater than the time interval for the previous sending.
In one embodiment, the preset verification rule includes a plurality of rules;
and the man-machine interaction verification information is sent in the case that the feature information corresponding to at least one of the verification rules is marked as forbidden.
In one embodiment, after the feature information is marked as forbidden, the apparatus further comprises:
deleting the forbidden mark from the feature information after waiting for a preset time;
and recounting the number of times the feature information is generated when the feature information is generated again.
In one embodiment, after comparing whether the user login behavior information matches the preset behavior information, the apparatus further includes:
obtaining the access request device identifier in the access request information so as to obtain historical user login behavior information, wherein the user login behavior information comprises environment information and usage information;
and comparing the historical user login behavior information with the current user login behavior information to obtain a detection result, wherein the detection result indicates whether abnormal access behavior exists.
The specific manner in which the various modules of the apparatus in the above embodiments perform their operations has been described in detail in connection with the embodiments of the method, and will not be described in detail herein.
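The module flow described above, as an added sketch that is not code from the patent: blacklist check, per-rule feature counting with an expiring forbidden mark, a challenge whose re-send interval grows after each failure, then the behavior comparison. The rule definitions, request field names, thresholds, the doubling back-off and the "rejected" outcome for blacklisted objects are assumptions.

```python
import time
from dataclasses import dataclass, field

# Verification rules: each maps a request to one piece of feature information.
# Rule names, request fields and all thresholds here are assumptions.
RULES = {
    "per_ip": lambda req: "ip:" + req["ip"],
    "per_device": lambda req: "dev:" + req["device_id"],
}

@dataclass
class Verifier:
    blacklist: set                  # blacklisted access request objects (IPs here)
    preset_behavior: dict           # device_id -> expected login behavior
    threshold: int = 3              # generations before a feature is marked forbidden
    ban_seconds: float = 60.0       # preset time after which the mark is deleted
    base_interval: float = 2.0      # first challenge re-send interval, seconds
    clock: object = time.monotonic  # injectable so the logic can be tested
    counts: dict = field(default_factory=dict)
    banned_until: dict = field(default_factory=dict)
    retry_interval: dict = field(default_factory=dict)

    def _forbidden(self, feature):
        until = self.banned_until.get(feature)
        if until is None:
            return False
        if self.clock() >= until:   # mark expired: delete it and restart the count
            del self.banned_until[feature]
            self.counts[feature] = 0
            return False
        return True

    def _record(self, feature):
        self.counts[feature] = self.counts.get(feature, 0) + 1
        if self.counts[feature] >= self.threshold:
            self.banned_until[feature] = self.clock() + self.ban_seconds

    def check(self, req, challenge_ok=None):
        """Return (decision, retry_after_seconds). challenge_ok is None until
        the client has answered the man-machine interaction challenge."""
        if req["ip"] in self.blacklist:
            return ("rejected", None)        # assumed outcome for blacklisted objects
        state = {rule(req): None for rule in RULES.values()}
        for feature in state:
            state[feature] = self._forbidden(feature)
            if not state[feature]:
                self._record(feature)
        if not any(state.values()):          # no rule's feature is forbidden
            return ("pass", None)
        key = req["device_id"]
        if challenge_ok is None:
            return ("challenge", None)
        if not challenge_ok:                 # re-send, waiting longer than last time
            prev = self.retry_interval.get(key)
            wait = self.base_interval if prev is None else prev * 2
            self.retry_interval[key] = wait
            return ("challenge", wait)
        self.retry_interval.pop(key, None)
        if req["behavior"] != self.preset_behavior.get(key):
            return ("failed", None)          # challenge solved, behavior mismatch
        return ("pass", None)
```

With the default threshold of 3, the first three requests for a feature pass and the fourth is challenged; a solved challenge still ends in failure when the login behavior does not match the preset behavior.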
The respective modules in the abnormal service verification apparatus described above may be implemented in whole or in part by software, hardware, or a combination thereof. The above modules may be embedded in hardware in, or be independent of, a processor in the computer device, or may be stored as software in a memory in the computer device, so that the processor may call and execute the operations corresponding to the above modules.
In one embodiment, a computer device is provided, which may be a server, the internal structure of which may be as shown in fig. 5. The computer device includes a processor, a memory, and a network interface connected by a system bus. The processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, computer programs, and a database. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage medium. The database of the computer device is for storing access request information. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program, when executed by a processor, implements an abnormal service verification method.
In one embodiment, a computer device is provided, which may be a terminal, and the internal structure of which may be as shown in fig. 6. The computer device includes a processor, a memory, a communication interface, a display screen, and an input device connected by a system bus. The processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage medium. The communication interface of the computer device is used for wired or wireless communication with an external terminal, and the wireless mode can be realized through WIFI, a mobile cellular network, NFC (near field communication) or other technologies. The computer program, when executed by a processor, implements an abnormal service verification method. The display screen of the computer device can be a liquid crystal display screen or an electronic ink display screen, and the input device of the computer device can be a touch layer covering the display screen, keys, a trackball or a touch pad arranged on the housing of the computer device, or an external keyboard, touch pad or mouse.
Those skilled in the art will appreciate that the structures shown in fig. 5 and 6 are merely block diagrams of partial structures associated with the disclosed aspects and do not constitute a limitation of the computer device on which the disclosed aspects may be applied, and that a particular computer device may include more or fewer components than shown, or may combine certain components, or have a different arrangement of components.
In one embodiment, a computer readable storage medium is provided, having a computer program stored thereon, which when executed by a processor, implements the method of any of the embodiments of the present disclosure.
In one embodiment, a computer program product is provided, comprising a computer program which, when executed by a processor, implements the method described in any of the embodiments of the present disclosure.
Those skilled in the art will appreciate that all or part of the methods described above may be implemented by a computer program stored on a non-transitory computer readable storage medium, which, when executed, may comprise the steps of the embodiments of the methods described above. Any reference to memory, database, or other medium used in embodiments provided by the present disclosure may include at least one of non-volatile and volatile memory. The non-volatile memory may include read-only memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high density embedded non-volatile memory, resistive random access memory (ReRAM), magnetoresistive random access memory (MRAM), ferroelectric random access memory (FRAM), phase change memory (PCM), graphene memory, and the like. Volatile memory can include random access memory (RAM) or external cache memory, and the like. By way of illustration, and not limitation, RAM can take a variety of forms, such as static random access memory (SRAM) or dynamic random access memory (DRAM). The databases referred to in the various embodiments provided by the present disclosure may include at least one of a relational database and a non-relational database. The non-relational database may include, but is not limited to, a blockchain-based distributed database, and the like. The processors involved in the embodiments provided by the present disclosure may be general-purpose processors, central processing units, graphics processors, digital signal processors, programmable logic, quantum computing-based data processing logic, etc., without limitation thereto.
The technical features of the above embodiments may be combined arbitrarily. For brevity of description, not all possible combinations of the technical features in the above embodiments are described; however, as long as there is no contradiction between the combined technical features, the combinations should be considered to be within the scope of this description.
The foregoing examples express only a few embodiments of the present disclosure, and are described specifically and in detail, but are not to be construed as limiting the scope of the present disclosure. It should be noted that variations and modifications can be made by those skilled in the art without departing from the spirit of the disclosure, and these are within the scope of the disclosure. Accordingly, the scope of the present disclosure should be determined from the following claims.
Claims (15)
1. An abnormal service verification method, the method comprising:
obtaining access request information, wherein the access request information comprises user login behavior information;
in the case that an access request object in the access request information passes blacklist verification, generating corresponding feature information from the request information according to a preset verification rule;
sending man-machine interaction verification information in the case that the feature information is marked as forbidden;
comparing whether the user login behavior information matches preset behavior information in the case that the man-machine interaction verification is successful;
and determining that the abnormal service verification has failed in the case that the comparison result comprises that the user login behavior information does not match the preset behavior information.
2. The method according to claim 1, wherein the method further comprises:
passing the abnormal service verification in the case that the feature information is not marked as forbidden;
and counting the number of times the feature information is generated, and marking the feature information as forbidden after the count reaches a count threshold.
3. The method of claim 1, wherein after the sending of the man-machine interaction verification information, the method further comprises:
sending the man-machine interaction information again in the case that the man-machine interaction verification fails, wherein the time interval for sending the man-machine interaction information again is greater than the time interval for the previous sending.
4. The method of claim 1, wherein the preset verification rule comprises a plurality of rules;
and the man-machine interaction verification information is sent in the case that the feature information corresponding to at least one of the verification rules is marked as forbidden.
5. The method of claim 1, wherein after the feature information is marked as forbidden, the method further comprises:
deleting the forbidden mark from the feature information after waiting for a preset time;
and recounting the number of times the feature information is generated when the feature information is generated again.
6. The method of claim 1, wherein after comparing whether the user login behavior information matches preset behavior information, the method further comprises:
obtaining the access request device identifier in the access request information so as to obtain historical user login behavior information, wherein the user login behavior information comprises environment information and usage information;
and comparing the historical user login behavior information with the current user login behavior information to obtain a detection result, wherein the detection result indicates whether abnormal access behavior exists.
7. An abnormal service verification apparatus, the apparatus comprising:
an obtaining module, configured to obtain access request information, wherein the access request information comprises user login behavior information;
a generating module, configured to generate corresponding feature information from the request information according to a preset verification rule in the case that an access request object in the access request information passes blacklist verification;
a sending module, configured to send man-machine interaction verification information in the case that the feature information is marked as forbidden;
a comparison module, configured to compare whether the user login behavior information matches preset behavior information in the case that the man-machine interaction verification is successful;
and a matching module, configured to determine that the abnormal service verification has failed when the comparison result comprises that the user login behavior information does not match the preset behavior information.
8. The apparatus of claim 7, wherein the apparatus further comprises:
passing the abnormal service verification in the case that the feature information is not marked as forbidden;
and counting the number of times the feature information is generated, and marking the feature information as forbidden after the count reaches a count threshold.
9. The apparatus of claim 7, wherein after the sending of the man-machine interaction verification information, the apparatus further comprises:
sending the man-machine interaction information again in the case that the man-machine interaction verification fails, wherein the time interval for sending the man-machine interaction information again is greater than the time interval for the previous sending.
10. The apparatus of claim 7, wherein the preset verification rule comprises a plurality of rules;
and the man-machine interaction verification information is sent in the case that the feature information corresponding to at least one of the verification rules is marked as forbidden.
11. The apparatus of claim 7, wherein after the feature information is marked as forbidden, the apparatus further comprises:
deleting the forbidden mark from the feature information after waiting for a preset time;
and recounting the number of times the feature information is generated when the feature information is generated again.
12. The apparatus of claim 7, wherein after comparing whether the user login behavior information matches preset behavior information, the apparatus further comprises:
obtaining the access request device identifier in the access request information so as to obtain historical user login behavior information, wherein the user login behavior information comprises environment information and usage information;
and comparing the historical user login behavior information with the current user login behavior information to obtain a detection result, wherein the detection result indicates whether abnormal access behavior exists.
13. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the steps of the method of any of claims 1 to 6 when the computer program is executed.
14. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any of claims 1 to 6.
15. A computer program product comprising a computer program, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any of claims 1 to 6.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311120390.1A CN117081826A (en) | 2023-09-01 | 2023-09-01 | Abnormal service verification method and device and computer equipment |
Publications (1)
Publication Number | Publication Date |
---|---|
CN117081826A (en) | 2023-11-17 |
Family
ID=88709626
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202311120390.1A Pending CN117081826A (en) | 2023-09-01 | 2023-09-01 | Abnormal service verification method and device and computer equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN117081826A (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||