CN118200008A - Security communication method, device, equipment, medium and product based on firewall - Google Patents

Info

Publication number
CN118200008A
CN118200008A CN202410412651.5A
Authority
CN
China
Prior art keywords
data table
fingerprint information
condition
under
waf
Prior art date
Legal status
Pending
Application number
CN202410412651.5A
Other languages
Chinese (zh)
Inventor
张期兆
Current Assignee
Industrial and Commercial Bank of China Ltd ICBC
Original Assignee
Industrial and Commercial Bank of China Ltd ICBC
Priority date
Filing date
Publication date
Application filed by Industrial and Commercial Bank of China Ltd ICBC
Priority to CN202410412651.5A
Publication of CN118200008A
Legal status: Pending

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The disclosure provides a secure communication method based on a firewall, which can be applied to the technical field of information security. The firewall-based secure communication method comprises the following steps: primarily identifying the received access request to obtain an identification result, wherein the access request comprises a target route; for an access request with a non-script identification result, under the condition of redirecting to a special route of the WAF, verifying whether the front-end function is normal; under the condition that the front end functions normally, acquiring fingerprint information plaintext of the equipment; under the condition that the acquisition of the fingerprint information plaintext of the equipment is successful, inquiring a first data table based on the fingerprint information plaintext; under the condition that the fingerprint information plaintext inquiry is successful, a first dangerous value is obtained; and redirecting to the target route release access under the condition that the first dangerous value is smaller than or equal to a preset threshold value. The present disclosure also provides a firewall-based secure communication apparatus, devices, media, and products.

Description

Security communication method, device, equipment, medium and product based on firewall
Technical Field
The present disclosure relates to the field of information security technologies, and in particular, to a firewall-based secure communication method, apparatus, device, medium, and product.
Background
The Web application firewall (Web Application Firewall, abbreviated as WAF) is a security solution for protecting Web applications from network attacks, which can help enterprises to improve security of Web applications and reduce risks of network attacks and data leakage.
In addition to identifying malicious traffic and intercepting network attacks according to rules, Web application firewalls can help detect and block access from blacklisted IP addresses. These blacklists typically contain IP addresses considered unsafe, such as those known to belong to hacker organizations, as well as IP addresses considered untrusted. Through IP-based blacklists or access control policies, the Web application firewall can mitigate the threat of network attacks to enterprises and organizations, thereby improving network security.
An attacker may attempt to hide the real IP address using a proxy server, an anonymous network or other techniques, bypassing the IP-based blacklist or access control policy. This poses a significant challenge for enterprise Web application firewalls in detecting and intercepting attacks.
Disclosure of Invention
In view of the foregoing, the present disclosure provides firewall-based secure communication methods, apparatuses, devices, media, and products that improve communication security and security efficiency and reduce the frequency of firewall use.
According to a first aspect of the present disclosure, there is provided a firewall-based secure communication method, comprising: primarily identifying a received access request to obtain an identification result, wherein the access request comprises a target route; for the access request with the identification result being non-script, under the condition of redirecting to the special route of the WAF, verifying whether the front-end function is normal; under the condition that the front end functions normally, acquiring fingerprint information plaintext of the equipment; under the condition that acquiring a fingerprint information plaintext of equipment is successful, inquiring a first data table based on the fingerprint information plaintext, wherein the first data table comprises N pieces of fingerprint information and dangerous values which are in one-to-one correspondence, and N is a positive integer; obtaining a first dangerous value under the condition that the fingerprint information plaintext is successfully inquired in the first data table; and redirecting to the target route release access under the condition that the first dangerous value is smaller than or equal to a preset threshold value.
According to an embodiment of the present disclosure, after the preliminary identification of the received access request obtains the identification result, the method further includes: for the access request with the identification result being a script, executing a dangerous value comprehensive calculation rule based on the target route to obtain a third dangerous value; and calling WAF check logic under the condition that the third dangerous value is smaller than or equal to a preset threshold value, so that when the WAF check logic passes, the access is redirected to the target route and released; wherein the dangerous value comprehensive calculation rule comprises: querying a second data table based on the target route, or querying the second data table and a third data table based on the target route, to obtain a dangerous weight, wherein the second data table comprises K pieces of route information, the third data table comprises L pieces of route information and access times in one-to-one correspondence, and K and L are positive integers; calling the WAF to calculate the dangerous value of the access request to obtain a second dangerous value; and calculating the third dangerous value based on the dangerous weight and the second dangerous value.
According to an embodiment of the present disclosure, after the acquiring the fingerprint information plaintext of the device, the method further includes: under the condition that acquiring fingerprint information plaintext of equipment fails, executing a dangerous value comprehensive calculation rule for an access request with a non-script identification result to obtain a third dangerous value; and calling WAF check logic when the third dangerous value is smaller than or equal to a preset threshold value, so that the WAF check logic redirects to the target route release access when the WAF check logic passes.
According to an embodiment of the disclosure, after querying the first data table based on the fingerprint information plaintext, the method further includes: calling WAF check logic in case the query of the first data table based on the fingerprint information plaintext fails, so that when the WAF check logic passes, the access is redirected to the target route and released.
According to an embodiment of the present disclosure, for the access request whose identification result is non-script, verifying whether the front-end function is normal under the condition of redirecting to the dedicated route of the WAF includes: redirecting to the dedicated route of the WAF; checking whether a refresh token is normally generated; under the condition that the refresh token is normally generated, generating a key pair; writing the public key of the key pair into a preset first front-end execution logic to obtain a second front-end execution logic, wherein the first front-end execution logic comprises logic for collecting fingerprint information of the device; transmitting the second front-end execution logic to the front end for execution; and under the condition that the second front-end execution logic is successfully executed, receiving the fingerprint information ciphertext of the device and judging that the front-end function is normal.
According to an embodiment of the present disclosure, the acquiring fingerprint information plaintext of a device includes: and decrypting the fingerprint information ciphertext based on the key pair to obtain a fingerprint information plaintext of the device.
According to an embodiment of the present disclosure, after checking whether the refresh token is normally generated, the method further includes: intercepting the access request under the condition that the refresh token is not normally generated; after transmitting the second front-end execution logic to the front end for execution, the method further includes: intercepting the access request under the condition that an abnormal jump event is detected; after querying the first data table based on the fingerprint information plaintext to obtain the first dangerous value, the method further includes: intercepting the access request under the condition that the first dangerous value is larger than the preset threshold value; and after executing the dangerous value comprehensive calculation rule based on the target route to obtain the third dangerous value, the method further includes: intercepting the access request under the condition that the third dangerous value is larger than the preset threshold value.
According to an embodiment of the disclosure, the querying the second data table based on the target route or querying the second data table and the third data table based on the target route, to obtain the risk weight, includes: querying the second data table based on the target route; under the condition that the target route is successful in inquiring the second data table, determining the dangerous weight as a first dangerous weight; querying the third data table based on the target route if the target route querying the second data table is unsuccessful; determining the dangerous weight as a second dangerous weight under the condition that the access times of the target route in the third data table are in a preset access time interval; and determining the dangerous weight as a third dangerous weight under the condition that the access times of the target route in the third data table are not in a preset access times interval or under the condition that the target route fails to inquire the third data table.
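As an added illustration that is not part of the patent text, the following JavaScript (Node.js) implements the dangerous weight determination and the dangerous value comprehensive calculation rule described in the two preceding embodiments. The contents of the second and third data tables, the three weight values, the preset access-times interval, the threshold, the stand-in WAF scorer and the use of multiplication to combine the dangerous weight with the second dangerous value are all assumptions; the disclosure fixes none of them.

```javascript
'use strict';

// Added example (not the patent's code): dangerous weight determination and the
// "dangerous value comprehensive calculation rule". Table contents, weight values,
// the access-times interval, the WAF stand-in and the combination rule are assumptions.

// Second data table: K route entries (constructed sample).
const SECOND_TABLE = new Set(['/admin/export', '/internal/debug']);

// Third data table: L entries of route -> access times (constructed sample).
const THIRD_TABLE = new Map([
  ['/api/login', 120],
  ['/api/search', 5000],
]);

// Assumed weight values and preset access-times interval.
const WEIGHTS = { first: 3.0, second: 1.5, third: 1.0 };
const ACCESS_INTERVAL = { min: 100, max: 1000 };
const THRESHOLD = 5; // preset threshold for the third dangerous value (assumed)

// Three-branch rule: a hit in the second table gives the first weight; otherwise a hit
// in the third table whose access times fall inside the interval gives the second
// weight; any other case (outside the interval, or not found) gives the third weight.
function dangerWeight(route, secondTable = SECOND_TABLE, thirdTable = THIRD_TABLE) {
  if (secondTable.has(route)) return WEIGHTS.first;
  if (thirdTable.has(route)) {
    const times = thirdTable.get(route);
    if (times >= ACCESS_INTERVAL.min && times <= ACCESS_INTERVAL.max) return WEIGHTS.second;
  }
  return WEIGHTS.third;
}

// Stand-in for "calling the WAF to calculate the dangerous value" (second dangerous value).
// A deployment would call the vendor WAF; this toy scorer only counts a few request
// characteristics so that the combination step below has something to work on.
const WAF_RULES = [/<script/i, /\.\.\//, /\bunion\s+select\b/i];
function wafDangerValue(request) {
  const query = request.query || '';
  let score = 0;
  for (const rule of WAF_RULES) if (rule.test(query)) score += 2;
  if (query.length > 512) score += 1; // unusually long query string
  return score;
}

// Third dangerous value: weight * second dangerous value (the combination is assumed).
function thirdDangerValue(route, request) {
  return dangerWeight(route) * wafDangerValue(request);
}

// Decision for a script-identified request (or one whose fingerprint plaintext could not
// be acquired): at or below the threshold the WAF check logic is invoked, above it the
// request is intercepted.
function routeDecision(route, request, threshold = THRESHOLD) {
  return thirdDangerValue(route, request) <= threshold ? 'waf-check' : 'intercept';
}
```

Because the weight multiplies the WAF's own score, a route listed in the second data table is pushed over the threshold by a smaller WAF score than an unlisted route, which is how the rule prioritises known-sensitive routes without replacing the WAF's verdict.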
A second aspect of the present disclosure provides a firewall-based secure communication device comprising: the primary identification module is used for primarily identifying the received access request to obtain an identification result, wherein the access request comprises a target route; the non-script access front-end verification module is used for verifying whether the front-end function is normal, under the condition of redirecting to the special route of the WAF, for the access request with the identification result of non-script; the fingerprint information plaintext acquisition module is used for acquiring the fingerprint information plaintext of the equipment under the condition that the front-end function is normal; the first data table inquiring module is used for inquiring a first data table based on the fingerprint information plaintext when the fingerprint information plaintext of the equipment is successfully acquired, wherein the first data table comprises N pieces of fingerprint information and dangerous values in one-to-one correspondence; the first dangerous value determining module is used for obtaining a first dangerous value under the condition that the fingerprint information plaintext is successfully inquired in the first data table; and the WAF checking logic calling module is used for redirecting the access to the target route and releasing it under the condition that the first dangerous value is smaller than or equal to a preset threshold value.
According to an embodiment of the present disclosure, the apparatus further comprises: the dangerous value comprehensive calculation module is used for executing a dangerous value comprehensive calculation rule based on the target route to obtain a third dangerous value for the access request of which the identification result is a script; the WAF checking logic calling module is further configured to call WAF checking logic when the third risk value is less than or equal to a preset threshold value, so that the WAF checking logic is redirected to the target route for access when the WAF checking logic passes; wherein, the dangerous value comprehensive calculation rule comprises: inquiring a second data table based on the target route or inquiring a second data table and a third data table based on the target route to obtain a dangerous weight, wherein the second data table comprises K pieces of route information, the third data table comprises L pieces of route information and access times in one-to-one correspondence, and K and L are positive integers; calling WAF to calculate the dangerous value of the access request to obtain a second dangerous value; and calculating a third risk value based on the risk weight and the second risk value.
According to an embodiment of the present disclosure, the dangerous value comprehensive calculation module is further configured to execute a dangerous value comprehensive calculation rule for an access request whose identification result is a non-script if acquiring a fingerprint information plaintext of the device fails, so as to obtain a third dangerous value; and the WAF check logic calling module is further configured to call WAF check logic when the third risk value is less than or equal to a preset threshold value, so that the WAF check logic is redirected to the target route for access when the WAF check logic passes.
According to an embodiment of the disclosure, the WAF check logic invoking module is further configured to invoke the WAF check logic in case the query of the first data table based on the fingerprint information plaintext fails, so as to redirect the access to the target route and release it in case the WAF check logic passes.
According to an embodiment of the present disclosure, the non-script access front-end verification module includes: a WAF special route redirection unit, a refresh token check unit, a key pair generation unit, a key pair writing unit, a code transmission unit and a fingerprint information ciphertext receiving unit, wherein the WAF special route redirection unit is used for redirecting to the special route of the WAF; the refresh token checking unit is used for checking whether the refresh token is normally generated; the key pair generating unit is used for generating a key pair under the condition that the refresh token is normally generated; the key pair writing unit is used for writing the public key of the key pair into a preset first front-end execution logic to obtain a second front-end execution logic, and the first front-end execution logic comprises logic for collecting fingerprint information of the equipment; the code transmission unit is used for transmitting the second front-end execution logic to the front end for execution; and the fingerprint information ciphertext receiving unit is used for receiving the fingerprint information ciphertext of the equipment and judging that the front-end function is normal under the condition that the second front-end execution logic is successfully executed.
According to an embodiment of the present disclosure, the acquiring fingerprint information plaintext of a device includes: and decrypting the fingerprint information ciphertext based on the key pair to obtain a fingerprint information plaintext of the device.
According to an embodiment of the disclosure, the device further includes an interception module, configured to intercept the access request in a case where a refresh token is not normally generated; the interception module is further used for intercepting the access request under the condition that an abnormal jump event is detected; the interception module is further configured to intercept the access request if the first risk value is greater than a preset threshold; and the interception module is further configured to intercept the access request if the third risk value is greater than a preset threshold.
According to an embodiment of the disclosure, the risk value synthesis calculation module includes: a second data table inquiring unit, a first risk weight determining unit, a third data table inquiring unit, a second risk weight determining unit and a third risk weight determining unit, wherein the second data table inquiring unit is used for inquiring the second data table based on the target route; the first risk weight determining unit is used for determining that the risk weight is a first risk weight under the condition that the target route is successfully found in the second data table; the third data table query unit is configured to query the third data table based on the target route if the target route is not found in the second data table; the second risk weight determining unit is used for determining that the risk weight is a second risk weight when the access times of the target route in the third data table are in a preset access times interval; and the third risk weight determining unit is configured to determine that the risk weight is a third risk weight when the access times of the target route in the third data table are not within the preset access times interval or when the target route is not found in the third data table.
A third aspect of the present disclosure provides an electronic device, comprising: one or more processors; and a memory for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the firewall-based secure communication method described above.
A fourth aspect of the present disclosure also provides a computer-readable storage medium having stored thereon executable instructions that, when executed by a processor, cause the processor to perform the above-described firewall-based secure communication method.
A fifth aspect of the present disclosure also provides a computer program product comprising a computer program which, when executed by a processor, implements the firewall-based secure communication method described above.
In the embodiment of the disclosure, in order to solve the technical problems of insufficient correctness and coverage rate in identifying and intercepting WEB attacks in the prior art, the embodiment of the disclosure designs an auxiliary firewall interception scheme: after the auxiliary interception steps of preliminary identification, front-end function verification, dangerous value judgment and the like, the original WAF check logic is called according to specific conditions, so that most access requests with high-risk behaviors can be screened out in the process, the coverage rate is improved, the calling frequency of the WAF check logic is reduced, and most access attacks are intercepted efficiently. The access is also redirected to the special route; in this process, interaction with the front end can be realized and verification of the front end (the client or the browser) completed, abnormal events (the front end being unusable, forged data packets and the like) during the interaction between the front end and the server are avoided, and at the same time the special route is independent of the existing network, so that the normal access operation is not affected by the verification process.
Drawings
The foregoing and other objects, features and advantages of the disclosure will be more apparent from the following description of embodiments of the disclosure with reference to the accompanying drawings, in which:
FIG. 1 schematically illustrates an application scenario diagram of a firewall-based secure communication method according to an embodiment of the disclosure;
FIG. 2 schematically illustrates a flow chart of a firewall-based secure communication method according to an embodiment of the disclosure;
FIG. 3 schematically illustrates a flow chart of another firewall-based secure communication method in accordance with an embodiment of the disclosure;
FIG. 4 schematically illustrates a flow chart of a front-end function verification method according to an embodiment of the disclosure;
FIG. 5 schematically illustrates a flow chart of a hazard weight determination method according to an embodiment of the present disclosure;
FIG. 6 schematically illustrates a full flow diagram of a firewall-based secure communication method according to an embodiment of the disclosure;
Fig. 7 schematically illustrates a block diagram of a firewall-based secure communication device according to an embodiment of the disclosure; and
Fig. 8 schematically illustrates a block diagram of an electronic device adapted to implement a firewall-based secure communication method in accordance with an embodiment of the disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is only exemplary and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the present disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. In addition, in the following description, descriptions of well-known structures and techniques are omitted so as not to unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and/or the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It should be noted that the terms used herein should be construed to have meanings consistent with the context of the present specification and should not be construed in an idealized or overly formal manner.
Where a convention analogous to "at least one of A, B and C, etc." is used, in general such a convention should be interpreted in accordance with the meaning of one of skill in the art having generally understood the convention (e.g., "a system having at least one of A, B and C" would include, but not be limited to, systems having a alone, B alone, C alone, a and B together, a and C together, B and C together, and/or A, B, C together, etc.).
In the prior art, in order to ensure that an application server is accessed safely, the WAF's built-in check logic is generally adopted to detect and intercept access requests so as to protect the security of the Web application. The interception logic of a WAF differs somewhat from vendor to vendor and from configuration to configuration. Generally, its main function is to block malicious traffic attacks; besides IP and the like, the interception mechanism can rely on request characteristics and a certain rule base, and can judge whether an HTTP request is a malicious attack by identifying and analyzing the characteristics in the HTTP request and take corresponding interception measures.
However, the WAF check logic itself has certain limitations, such as detection accuracy and processing cost. Regarding detection accuracy: when an attacker uses a proxy server, an anonymous network or other techniques to hide the real IP address, accurate detection of the real IP address becomes complex, and the lack of some key information can cause errors in the detection and identification result, so that false detections may occur. Regarding processing cost: when the number of access requests to be identified is large, if the complex mechanism of the WAF check logic is called for every access request (for example, some check mechanisms include a machine-learning identification scheme, and calling that scheme is expensive), there is a large and unnecessary resource overhead, and the detection efficiency is significantly reduced.
In order to solve the technical problems in the prior art, the inventor aims to improve the accuracy and coverage rate of interception by an auxiliary interception scheme for pre-checking an access request before executing WAF checking logic.
The embodiment of the disclosure provides a secure communication method based on a firewall, which is used for preliminarily identifying a received access request to obtain an identification result, wherein the access request comprises a target route; for the access request with the identification result being non-script, under the condition of redirecting to the special route of the WAF, verifying whether the front-end function is normal; under the condition that the front end functions normally, acquiring fingerprint information plaintext of the equipment; under the condition that acquiring a fingerprint information plaintext of equipment is successful, inquiring a first data table based on the fingerprint information plaintext, wherein the first data table comprises N pieces of fingerprint information and dangerous values which are in one-to-one correspondence, and N is a positive integer; obtaining a first dangerous value under the condition that the fingerprint information plaintext is successfully inquired in the first data table; and redirecting to the target route release access under the condition that the first dangerous value is smaller than or equal to a preset threshold value.
In the embodiment of the disclosure, in order to solve the technical problems of insufficient correctness and coverage rate in recognition and interception of WEB attacks in the prior art, the embodiment of the disclosure designs an auxiliary firewall interception scheme: after the auxiliary interception steps of preliminary recognition, front-end function verification, danger value judgment and the like, the original WAF inspection logic is called according to specific conditions, so that most access requests with high-risk behaviors can be screened out in the process, the coverage rate is improved, the calling frequency of the WAF inspection logic is reduced, and most access attacks are intercepted efficiently. The access is also redirected to the special route; in this process, interaction with the front end can be realized and verification of the front end (the client or the browser) completed, abnormal events (the front end being unusable, forged data packets and the like) during the interaction between the front end and the server are avoided, and at the same time the special route is independent of the existing network, so that the normal access operation is not affected by the verification process.
Fig. 1 schematically illustrates an application scenario diagram of a firewall-based secure communication method according to an embodiment of the disclosure.
As shown in fig. 1, an application scenario 100 according to this embodiment may include terminal devices 101, 102, 103, a network 104, and a server 105. The network 104 is used as a medium to provide communication links between the terminal devices 101, 102, 103 and the server 105. The network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others.
The user may interact with the server 105 via the network 104 using the terminal devices 101, 102, 103 to receive or send messages or the like. Various communication client applications, such as shopping class applications, web browser applications, search class applications, instant messaging tools, mailbox clients, social platform software, etc. (by way of example only) may be installed on the terminal devices 101, 102, 103.
The terminal devices 101, 102, 103 may be a variety of electronic devices having a display screen and supporting web browsing, including but not limited to smartphones, tablets, laptop and desktop computers, and the like.
The server 105 may be a server providing various services, such as a background management server (by way of example only) providing support for websites browsed by users using the terminal devices 101, 102, 103. The background management server may analyze and process the received data such as the user request, and feed back the processing result (e.g., the web page, information, or data obtained or generated according to the user request) to the terminal device.
It should be noted that the firewall-based secure communication method provided by the embodiments of the present disclosure may be generally performed by the server 105. Accordingly, the firewall-based secure communication device provided by embodiments of the disclosure may be generally disposed in the server 105. The firewall-based secure communication method provided by the embodiments of the disclosure may also be performed by a server or server cluster that is different from the server 105 and is capable of communicating with the terminal devices 101, 102, 103 and/or the server 105. Accordingly, the firewall-based secure communication apparatus provided by the embodiments of the disclosure may also be provided in a server or server cluster that is different from the server 105 and is capable of communicating with the terminal devices 101, 102, 103 and/or the server 105.
It should be understood that the number of terminal devices, networks and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
The firewall-based secure communication method of the disclosed embodiment will be described in detail below with reference to fig. 2 to 6 based on the scenario described in fig. 1.
Fig. 2 schematically illustrates a flow chart of a firewall-based secure communication method according to an embodiment of the disclosure.
As shown in fig. 2, the firewall-based secure communication method of this embodiment includes operations S210 to S260, which can be performed by the server 105.
In operation S210, the received access request including the target route is initially identified, resulting in an identification result.
A preliminary identification is made as to whether the received access request is a front-end access (e.g., from a browser or client) or a script access (e.g., from a web crawler). For example, whether the access request comes from a browser is determined by checking whether the User-Agent is normal.
In operation S220, for the access request whose identification result is non-script, in case of redirecting to the dedicated route of the WAF, it is verified whether the front-end function is normal.
Specifically, the access request is first redirected to the dedicated route of the WAF, the subsequent verification operations are then carried out, and only when the access request is finally identified as a normal access request is it redirected to its original target route; in this way the whole verification process is kept from affecting the production network. It should be noted that a non-script access request needs to be checked in more detail so as to avoid wrongly blocking a normal access request.
The special route of the WAF is used for defending malicious invasion and attack, solves the problems of data leakage, compliance, privacy protection and the like, and further guarantees data security and application availability.
Verifying that the front-end function is normal means verifying whether the front-end side can normally execute some representative functions of the front-end/back-end interaction process; it mainly verifies whether the front-end Cookie is normal and whether the front-end page normally executes JavaScript code, as shown below:
Fig. 4 schematically illustrates a flowchart of a front-end function verification method according to an embodiment of the present disclosure.
As shown in fig. 4, the front-end function verification method of this embodiment includes operations S410 to S460, which are performed after operation S220 described above.
In operation S410, the access request is redirected to the dedicated route of the WAF.
In operation S420, it is checked whether the refresh token is normally generated.
Specifically, a Refresh Token is issued by setting Set-Cookie in the redirected response packet.
In operation S430, in the case of normal generation of the refresh token, a key pair is generated.
In the case of normal generation of the refresh token, an asymmetric key pair, i.e. a public key and a private key, is generated; it may be stored in the Session for later use in encrypting and decrypting the device fingerprint when it is passed.
It should be noted that, to ensure the security of the fingerprint information transmitted later, a dynamic key pair is generated in real time rather than using a static key. Considering the cost of generating the dynamic key pair (for example, if the key generation logic were executed right after operation S410 but the verification of operation S420 then failed, the generated key pair would be useless and the computing overhead would be wasted), the key pair generation logic is placed after the refresh token verification succeeds, which reduces the call frequency of the key generation logic.
According to an embodiment of the present disclosure, after the checking whether the refresh token is normally generated, the method further includes: and intercepting the access request under the condition that the refresh token is not normally generated.
If the refresh token is not normally generated, it is determined that the front-end function is abnormal and the access is suspected to be high-risk, and the access request is intercepted. During operation, the background sets a self-defined "state" bit in the Session: if the refresh token is generated successfully, the "state" bit is set to 0; if a "state" bit of 0 cannot be found, the refresh token was not normally generated.
It should be noted that, in the embodiment of the present disclosure, the intercepted access request will not reach the target route, but the intercepted access request may be recorded, or an abnormal behavior analysis may be performed on it, so as to improve the auxiliary interception scheme.
In operation S440, the public key in the key pair is written into a preset first front-end execution logic, so as to obtain a second front-end execution logic, where the first front-end execution logic includes logic for collecting fingerprint information of the device.
The first front-end execution logic is written in JavaScript and comprises logic that automatically executes and collects the device fingerprint information of the front end. On this basis, the public key of the generated key pair is written into the first front-end execution logic to obtain the second front-end execution logic, which further specifies that, after the device fingerprint information is collected, it is encrypted with the public key, converting the fingerprint information from plaintext to ciphertext.
It can be understood that checking whether the front end successfully executes JavaScript does not require any particular logic, only that the code is executed. In the embodiment of the present disclosure, the JavaScript code logic is restricted to code that collects device fingerprint information, so that the function executed by the code can be verified and the collected device fingerprint information can be used for subsequent checks, serving multiple purposes at once. Transmitting the fingerprint as ciphertext effectively prevents data tampering.
The fingerprint information of the device includes: operating system version, browser version, screen width and height, time zone, language preference, plug-in list, number of CPU cores, supported JavaScript functions (e.g., WebSocket), and the like. These pieces of information are concatenated and a hash value is calculated over them as the device fingerprint.
In operation S450, the second front-end execution logic is transmitted to the front end for execution.
Specifically, the HTML and JavaScript code is issued and transmitted to the front end, so that the front end executes the JavaScript code.
According to an embodiment of the disclosure, after the second front-end execution logic is transmitted to the front end for execution, the method further includes: intercepting the access request under the condition that an abnormal jump event is detected.
Under the condition that an abnormal jump event is detected, it is determined that the front-end function is abnormal and the access is suspected to be high-risk, and the access request is intercepted.
The abnormal jump event is defined as follows. During operation, the background sets a self-defined "state" bit in the Session, and sets the "state" bit to 1 when the fingerprint information is successfully collected. The interception here ensures that the current Session has actually reached the step of extracting the fingerprint (state = 1), rather than a packet being sent directly from the previous step (determining that the cookie is available and generating the key pair) while skipping this one. If state is not 1, a script or other tool may have directly forged the packet sent in this step. It can be appreciated that, since the JavaScript used to extract the fingerprint may indeed fail to execute in some harsh browser environments, the access is not intercepted directly when the front-end logic is not executed successfully; rather, only behavior with obvious features of deliberate forgery, such as this abnormal jump, is intercepted.
In operation S460, in case that the second front-end execution logic is successfully executed, the device fingerprint information ciphertext is received, and it is determined that the front-end functions normally.
Specifically, when the front end successfully executes the JavaScript of the second front-end execution logic, the encrypted fingerprint information ciphertext is returned, and the front end is judged to be functioning normally.
In operation S230, in case that the front end functions normally, a fingerprint information plaintext of the device is acquired.
According to an embodiment of the present disclosure, the acquiring fingerprint information plaintext of a device includes: and decrypting the fingerprint information ciphertext based on the key pair to obtain a fingerprint information plaintext of the device.
Specifically, when the front-end function is normal, only the fingerprint information ciphertext is returned; the ciphertext must be decrypted with the pre-stored key pair to obtain the fingerprint information plaintext, and two outcomes can occur: decryption success and decryption failure.
In operation S240, in case that the obtaining of the fingerprint information plaintext of the device is successful, a first data table is queried based on the fingerprint information plaintext, the first data table includes N pieces of fingerprint information and risk values that are in one-to-one correspondence, and N is a positive integer.
In the case of successful decryption, a first data table maintained in advance is queried using the fingerprint information; the first data table stores a plurality of fingerprint information-risk value entries, and the table is looked up with the obtained fingerprint information.
The first data table is maintained from historical data: the fingerprint information and the corresponding risk values in the first data table are maintained by previous secure communication processes. That is, if the device fingerprint corresponding to the access request has accessed in the past, a fingerprint information-risk value entry has been left in the first data table; if it has not accessed in the past, no such entry exists. Consequently, when the first data table is queried, two outcomes can occur: query success and query failure.
According to an embodiment of the present disclosure, after the acquiring the fingerprint information plaintext of the device, the method further includes: under the condition that acquiring fingerprint information plaintext of equipment fails, executing a dangerous value comprehensive calculation rule for an access request with a non-script identification result to obtain a third dangerous value; and calling WAF check logic when the third dangerous value is smaller than or equal to a preset threshold value, so that the WAF check logic redirects to the target route release access when the WAF check logic passes.
In the case of decryption failure, the data is suspected of having been tampered with even though the interaction with the front end is normal; for such behavior, a scheme that calculates the risk value in real time (instead of using the pre-stored value) is introduced. The risk value comprehensive calculation rule is disclosed in detail later.
In operation S250, in a case where the fingerprint information plaintext query to the first data table is successful, a first risk value is obtained.
When the first data table is queried successfully, the device has accessed the server in the past, and the risk value from the first data table is directly used as the first risk value.
According to an embodiment of the disclosure, after the plaintext query of the first data table based on the fingerprint information, the method further includes: and calling WAF check logic in case that the fingerprint information plaintext inquiry of the first data table fails, so that the WAF check logic redirects to the target route release access in case that the WAF check logic passes.
When the query of the first data table fails, the device has not accessed the server in the past; the WAF check logic is then called to perform a comprehensive check on the access request, and if the check passes, the access request is redirected to the original target route and released.
It is emphasized that, in order to maintain the first data table described above, for an access request that has a fingerprint information plaintext but no historical access record, its risk value may be calculated directly by the WAF and stored in the first data table. How the WAF itself calculates the risk value depends heavily on the vendor and its configuration, so the calculation method of that risk value is not described herein.
According to an embodiment of the disclosure, after the first risk value is obtained by querying the first data table based on the fingerprint information plaintext, the method further includes: intercepting the access request under the condition that the first risk value is larger than a preset threshold value.
Specifically, if the corresponding risk value of a device that has accessed in the past is found to be at a high level, the access request is intercepted.
In operation S260, if the first risk value is less than or equal to a preset threshold value, redirecting to the target route release access.
Specifically, if the access request corresponds to a device that has historically achieved access and is less dangerous, the access request is released without requiring identification verification at the time of invoking WAF verification logic.
In the embodiment of the disclosure, in order to solve the technical problems of insufficient correctness and coverage in the recognition and interception of WEB attacks in the prior art, the embodiment designs a set of auxiliary firewall interception schemes: after the auxiliary interception steps of preliminary recognition, front-end function verification and risk value judgment, the original WAF check logic is called according to the specific conditions, so that most access requests with high-risk behavior are screened out in the process, coverage is improved, the call frequency of the WAF check logic is reduced, and most access attacks are intercepted efficiently. Moreover, the access is redirected to the dedicated route, during which interaction with the front end is possible and verification of the front end (the client or browser) is completed; abnormal events in the interaction between the front end and the server (front end unusable, forged data packets, and the like) are avoided, while access to the dedicated route is independent of the production network, so that the verification process does not affect normal access operations.
The above operations S220 to S260 disclose in detail the secure communication logic in the case where the identified access request is a non-script access after the preliminary identification, and the secure communication logic in the case where the access request is a script access after the preliminary identification is as follows:
Fig. 3 schematically illustrates a flow chart of another firewall-based secure communication method according to an embodiment of the disclosure.
As shown in fig. 3, another firewall-based secure communication method of this embodiment includes operations S310 to S320, where operations S310 to S320 are performed after operation S210.
In operation S310, for the access request whose identification result is the script, a risk value comprehensive calculation rule is executed based on the target route, and a third risk value is obtained.
Specifically, for a script access request, the risk value comprehensive calculation rule is executed directly on the access request and the original WAF check logic is then called to check it, without redirecting to the WAF dedicated route to perform multiple rounds of verification.
According to an embodiment of the present disclosure, the risk value comprehensive calculation rule includes: inquiring a second data table based on the target route or inquiring a second data table and a third data table based on the target route to obtain a dangerous weight, wherein the second data table comprises K pieces of route information, the third data table comprises L pieces of route information and access times in one-to-one correspondence, and K and L are positive integers; calling WAF to calculate the dangerous value of the access request to obtain a second dangerous value; and calculating a third risk value based on the risk weight and the second risk value.
The second data table is a route whitelist, the third data table records the access counts of different routes (i.e. a route-count table), and the risk weight is determined by querying the route whitelist, or by querying the route whitelist and the route-count table.
The second risk value is calculated in real time by the WAF and thus differs from the first risk value; the second risk value must be multiplied by a risk weight, where the risk weight is a coefficient larger than 1 that increases the strictness of the check applied to script access.
Further, the third risk value is obtained by multiplying the second risk value by the risk weight.
In operation S320, in a case where the third risk value is equal to or less than a preset threshold, the WAF check logic is invoked to redirect access to the target route release in a case where the WAF check logic passes.
When the third risk value is less than or equal to the threshold, the WAF check logic is called to check the access request, and when the check passes, the access request is redirected to the original target route and released.
According to an embodiment of the disclosure, after the performing the risk value synthesis calculation rule based on the target route, obtaining a third risk value further includes: and intercepting the access request under the condition that the third dangerous value is larger than a preset threshold value.
When the third risk value is too large, the access request is intercepted.
Fig. 5 schematically illustrates a flowchart of a hazard weight determination method according to an embodiment of the present disclosure.
As shown in fig. 5, the risk weight determination method of this embodiment includes operations S510 to S550.
In operation S510, the second data table is queried based on the target route.
In operation S520, in case that the target route query of the second data table is successful, the risk weight is determined as a first risk weight.
Specifically, whether a corresponding route record exists in the route white list is inquired through the target route. Typically, the first risk weight corresponds to the routing white list, and accordingly, the first risk weight will also be smaller than the second risk weight and the third risk weight described below.
In operation S530, in case that the target route query of the second data table is unsuccessful, the third data table is queried based on the target route.
Specifically, in the case where the target route does not exist in the route whitelist, it is checked whether the target route exists in a table recording the history of access times of the route.
In operation S540, in a case where the number of accesses of the target route in the third data table is within a preset number of access interval, the risk weight is determined to be a second risk weight.
When the target route is found in the table recording the historical access counts of routes, it is judged whether its access count lies within a preset access count interval (for example, the top 90%); if so, the second risk weight is determined, where the second risk weight is smaller than the third risk weight.
In operation S550, in a case where the number of accesses of the target route in the third data table is not within a preset number of accesses interval, or in a case where the target route fails to query the third data table, the risk weight is determined to be a third risk weight.
When the target route is not found in the table recording the historical access counts of routes, or its access count is found not to lie within the preset access count interval (for example, the top 90%), the third risk weight is determined, where the second risk weight is smaller than the third risk weight.
Fig. 6 schematically illustrates a full flow chart of a firewall-based secure communication method according to an embodiment of the disclosure.
As shown in fig. 6, the firewall-based secure communication method includes operations S601 to S614.
In operation S601, a request is received.
In operation S602, browser access and script access (such as a web crawler) are preliminarily distinguished according to the User-Agent. If it is the User-Agent of a normal browser, operation S603 is entered. If not, or if it is empty, operation S607 is entered.
In operation S603, the request is redirected to the WAF dedicated route, and a Refresh-Token is issued through Set-Cookie in the redirecting 302 response packet. The background Session records an attribute state of 0 (the state corresponds to the Refresh-Token) and records, in an attribute route, the original route accessed before the redirect. (This Session has an expiration time of 5 seconds.) Operation S604 is entered.
In operation S604, a routing check is performed to determine whether the state corresponding to the Refresh-Token is 0. If the verification fails, the process is stopped. If the verification passes, the state attribute in the Session is updated to 1, the server generates a private key and public key pair of an asymmetric encryption algorithm and stores it in the Session, and then operation S605 is entered.
In operation S605, a JavaScript code (carrying an asymmetric encryption algorithm public key) is embedded in the response page, and a meta tag is added for automatically reloading the page independent of JavaScript (setting delay 0.5 seconds). The code checks whether JavaScript is opened, and if so, extracts fingerprint information of the device. And encrypting the extracted device fingerprint information by using a public key of an asymmetric encryption algorithm, and then writing the device fingerprint information into a Dev-Token of the Cookie. And executing the reload page immediately after the execution of the core function of the JavaScript code is finished. If JavaScript cannot be executed, the page is reloaded with the Meta tag after 0.5 seconds. After reloading the page, the background checks whether the state of Refresh-Token is 1. If the verification is not passed, the process is stopped. If the verification passes, operation S606 is entered.
In operation S606, the background fetches the private key of the asymmetric encryption algorithm from the Session according to the Refresh-Token, and decrypts the value of Dev-Token in the Cookie. If the fingerprint information can be successfully decrypted, operation S610 is entered, otherwise operation S607 is entered.
In operation S607, the currently accessed route is acquired, and if it is the WAF dedicated route, the route corresponding to the Refresh-Token is extracted from the Session. The whitelist routing table T11 is queried for whether the route exists; if so, operation S611 is entered. If not, operation S608 is entered.
In operation S608, the "route-number" table T12 is sorted from large to small in number of times, and the position of the current route in the table is found. If the location is the first 90% (including 90%), operation S612 is entered. Otherwise, operation S609 is entered.
In operation S609, the risk weight is set to 1.7. Operation S614 is entered.
In operation S610, after decrypting the fingerprint information, the "fingerprint-risk value" table T21 is queried. If the fingerprint exists, operation S613 is entered. If the fingerprint does not exist, operation S614 is entered.
In operation S611, the risk weight is set to 1.1. Operation S614 is entered.
In operation S612, the risk weight is set to 1.2. Operation S614 is entered.
In operation S613, the "fingerprint-risk value" table T21 is queried to obtain a risk value corresponding to the fingerprint. If the dangerous value is larger than the preset threshold value, intercepting and ending the process. If the risk value is equal to or less than the preset threshold, operation S614 is entered.
In operation S614, the normal recognition and interception function of the subsequent WAF is entered, and when calculating the risk value, the risk weight calculated in the pre-judgment flow needs to be multiplied, and whether to intercept is determined according to the risk value obtained by the multiplication. If no attack is identified and the WAF specific Route is currently accessed, extracting Route corresponding to Refresh-Token from Session, and redirecting to the original Route. If an attack is identified and the request carries a Dev-Token, a new risk value is calculated based on the severity of the attack in the result returned by the WAF follow-up module, and the "fingerprint-risk value" table is updated.
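The risk weight determination of fig. 5 (operations S607 to S609, S611 and S612) together with the decision of operations S613 and S614, as an added Node.js example that is not the patent's own code. The weights 1.1, 1.2 and 1.7 and the "top 90%" rule are from the text; the table contents, the WAF's second risk value, the threshold of 60 and the weight of 1.0 used on the fingerprint path (where the text computes no weight) are assumptions.

```javascript
// Added example (not the patent's code): risk weight of Fig. 5 / S607-S612 and the
// final decision of S613/S614. Weights 1.1, 1.2, 1.7 and the top-90% rule are from
// the text; table contents, threshold and the fingerprint-path weight 1.0 are assumed.

// T11: route whitelist (the second data table) - constructed sample.
const T11_WHITELIST = new Set(['/login', '/static/app.js']);
// T12: route -> historical access count (the third data table) - constructed sample.
const T12_ROUTE_COUNTS = new Map([
  ['/api/balance', 900], ['/api/transfer', 500], ['/api/history', 300],
  ['/admin/export', 20], ['/debug/dump', 1],
]);
// T21: fingerprint -> risk value left by earlier rounds (the first data table) - constructed.
const T21_FINGERPRINT_RISK = new Map([['fp-known-good', 10], ['fp-known-bad', 95]]);
const THRESHOLD = 60;   // preset threshold (assumed value)

// Fig. 5: S510/S520 whitelist lookup, S530-S550 position in the access-count ranking.
function riskWeight(route) {
  if (T11_WHITELIST.has(route)) return 1.1;                     // S611: whitelisted route
  const ranked = [...T12_ROUTE_COUNTS.entries()].sort((a, b) => b[1] - a[1]);
  const index = ranked.findIndex(([r]) => r === route);
  if (index === -1) return 1.7;                                  // S609: route never recorded
  const position = (index + 1) / ranked.length;                  // rank as a fraction of the table
  return position <= 0.9 ? 1.2 : 1.7;                            // S608: top 90% inclusive -> S612
}

// S614: the WAF's own (second) risk value multiplied by the pre-judgment weight gives
// the third risk value; an identified attack with a known fingerprint updates T21.
function wafCheck(route, fingerprint, secondRiskValue, weight) {
  const thirdRiskValue = Math.round(secondRiskValue * weight * 100) / 100;
  const intercept = thirdRiskValue > THRESHOLD;
  if (intercept && fingerprint !== null) T21_FINGERPRINT_RISK.set(fingerprint, thirdRiskValue);
  return {
    action: intercept ? 'intercept' : 'release',
    stage: 'S614', weight, riskValue: thirdRiskValue,
    redirectTo: intercept ? null : route,                        // back to the original route
  };
}

// Entry point after the pre-judgment flow. fingerprint === null models a script
// access or a failed decryption (S607 path); otherwise the S610/S613 fingerprint path.
function evaluate({ route, fingerprint = null, secondRiskValue }) {
  if (fingerprint !== null && T21_FINGERPRINT_RISK.has(fingerprint)) {
    const firstRiskValue = T21_FINGERPRINT_RISK.get(fingerprint);
    if (firstRiskValue > THRESHOLD) return { action: 'intercept', stage: 'S613', riskValue: firstRiskValue };
    return wafCheck(route, fingerprint, secondRiskValue, 1.0);   // no pre-judgment weight here (assumed 1.0)
  }
  const weight = fingerprint === null ? riskWeight(route) : 1.0; // S610 with a new fingerprint: no weight either
  return wafCheck(route, fingerprint, secondRiskValue, weight);
}
```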
Based on the firewall-based secure communication method, the disclosure also provides a firewall-based secure communication device. The device will be described in detail below in connection with fig. 7.
Fig. 7 schematically illustrates a block diagram of a firewall-based secure communication device according to an embodiment of the disclosure.
As shown in fig. 7, the firewall-based secure communication device 700 of this embodiment includes a preliminary identification module 710, a non-script access front-end verification module 720, a fingerprint information plaintext acquisition module 730, a first data table query module 740, a first risk value determination module 750, and a WAF check logic call module 760.
The preliminary identification module 710 is configured to preliminarily identify a received access request, where the access request includes a target route, to obtain an identification result. In an embodiment, the preliminary identification module 710 may be used to perform the operation S210 described above, which is not described herein.
The non-script access front-end verification module 720 is configured to verify, for the access request whose identification result is non-script, whether the front-end function is normal in the case of redirecting to the dedicated route of the WAF. In an embodiment, the non-script access front-end verification module 720 may be used to perform the operation S220 described above, which is not described herein.
The fingerprint information plaintext obtaining module 730 is configured to obtain a fingerprint information plaintext of the device in a case that the front end functions normally. In an embodiment, the fingerprint information plaintext obtaining module 730 may be used to perform the operation S230 described above, which is not described herein.
The first data table query module 740 is configured to query, if the acquisition of the fingerprint information plaintext of the device is successful, a first data table based on the fingerprint information plaintext of the device, where the first data table includes N pieces of fingerprint information and risk values in one-to-one correspondence. In an embodiment, the first data table query module 740 may be configured to perform the operation S240 described above, which is not described herein.
The first risk value determining module 750 is configured to obtain a first risk value if the fingerprint information plaintext query to the first data table is successful. In an embodiment, the first risk value determining module 750 may be configured to perform the operation S250 described above, which is not described herein.
The WAF check logic call module 760 is configured to redirect the access to the target route release if the first risk value is less than or equal to a preset threshold. In an embodiment, the WAF check logic call module 760 may be used to perform the operation S260 described above, which is not described herein.
In the embodiment of the disclosure, in order to solve the technical problems of insufficient correctness and coverage in the identification and interception of WEB attacks in the prior art, the embodiment designs a set of auxiliary firewall interception schemes: after the steps of preliminary identification, front-end function verification, risk value judgment and the like, the original WAF check logic is called according to the specific conditions, so that most access requests with high-risk behavior are screened out in the process, coverage is improved, the call frequency of the WAF check logic is reduced, and most access attacks are intercepted efficiently. Moreover, the access is redirected to the dedicated route, during which interaction with the front end is possible and verification of the front end (the client or browser) is completed; abnormal events in the interaction between the front end and the server (front end unusable, forged data packets, and the like) are avoided, while access to the dedicated route is independent of the production network, so that the verification process does not affect normal access operations.
According to an embodiment of the present disclosure, the apparatus further comprises: the dangerous value comprehensive calculation module is used for executing a dangerous value comprehensive calculation rule based on the target route to obtain a third dangerous value for the access request of which the identification result is a script; the WAF checking logic calling module is further configured to call WAF checking logic when the third risk value is less than or equal to a preset threshold value, so that the WAF checking logic is redirected to the target route for access when the WAF checking logic passes; wherein, the dangerous value comprehensive calculation rule comprises: inquiring a second data table based on the target route or inquiring a second data table and a third data table based on the target route to obtain a dangerous weight, wherein the second data table comprises K pieces of route information, the third data table comprises L pieces of route information and access times in one-to-one correspondence, and K and L are positive integers; calling WAF to calculate the dangerous value of the access request to obtain a second dangerous value; and calculating a third risk value based on the risk weight and the second risk value.
According to an embodiment of the present disclosure, the dangerous value comprehensive calculation module is further configured to execute a dangerous value comprehensive calculation rule for an access request whose identification result is a non-script if acquiring a fingerprint information plaintext of the device fails, so as to obtain a third dangerous value; and the WAF check logic calling module is further configured to call WAF check logic when the third risk value is less than or equal to a preset threshold value, so that the WAF check logic is redirected to the target route for access when the WAF check logic passes.
According to an embodiment of the disclosure, the WAF check logic invoking module is further configured to invoke the WAF check logic in case that the fingerprint information plaintext fails to query the first data table, so as to redirect the access to the target route release in case that the WAF check logic passes.
According to an embodiment of the present disclosure, the non-script access front-end verification module comprises a WAF special route redirection unit, a refresh token check unit, a key pair generation unit, a key pair writing unit, a code transmission unit and a fingerprint information ciphertext receiving unit, wherein the WAF special route redirection unit is configured to redirect to the special route of the WAF; the refresh token check unit is configured to check whether a refresh token is normally generated; the key pair generation unit is configured to generate a key pair under the condition that the refresh token is normally generated; the key pair writing unit is configured to write the public key of the key pair into a preset first front-end execution logic to obtain a second front-end execution logic, the first front-end execution logic comprising logic for collecting fingerprint information of the device; the code transmission unit is configured to transmit the second front-end execution logic to the front end for execution; and the fingerprint information ciphertext receiving unit is configured to receive the fingerprint information ciphertext of the device and to judge that the front-end function is normal under the condition that the second front-end execution logic is successfully executed.
According to an embodiment of the present disclosure, the acquiring fingerprint information plaintext of a device includes: and decrypting the fingerprint information ciphertext based on the key pair to obtain a fingerprint information plaintext of the device.
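The front-end verification and fingerprint acquisition described in the two paragraphs above, as an added Go example that is not part of the patent: the server generates a per-session RSA key pair after the refresh token check, writes the public key into a hypothetical fingerprint-collection script template (placeholder `__WAF_PUBLIC_KEY__`), the browser side (simulated here) encrypts the collected fingerprint, and the server decrypts it and looks it up in a constructed first data table. RSA-OAEP/SHA-256, the SHA-256 table key, the route names and the helper names are assumptions; the patent fixes none of them.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"strings"
)

type Decision string // action taken once the fingerprint plaintext is available

const (
	Release   Decision = "redirect to target route (release access)"
	Intercept Decision = "intercept access request"
	WAFCheck  Decision = "fingerprint not in first data table: call WAF check logic"
)

// FirstDataTable maps N fingerprints to their one-to-one risk values; keying
// by hex SHA-256 of the fingerprint plaintext is an assumption of this example.
type FirstDataTable map[string]int
func fingerprintKey(plaintext []byte) string {
	sum := sha256.Sum256(plaintext)
	return fmt.Sprintf("%x", sum[:])
}

// Hypothetical "first front-end execution logic": a fingerprint-collecting
// script with a placeholder where the per-session public key is written.
const firstFrontendLogic = `(function(){
  postEncryptedFingerprint("__WAF_PUBLIC_KEY__", JSON.stringify({ua: navigator.userAgent, lang: navigator.language})); // hypothetical helper
})();`

// generateSessionKeyPair runs once the refresh token is confirmed to be normally generated.
func generateSessionKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// buildSecondFrontendLogic writes the public key into the template, yielding
// the "second front-end execution logic" that is sent to the browser.
func buildSecondFrontendLogic(pub *rsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	pemText := string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}))
	escaped := strings.ReplaceAll(pemText, "\n", "\\n") // fit the PEM into a JS string literal
	return strings.Replace(firstFrontendLogic, "__WAF_PUBLIC_KEY__", escaped, 1), nil
}

// encryptFingerprint stands in for the browser side. RSA-OAEP/SHA-256 is an
// assumption; the patent only says the ciphertext is produced with the key pair.
func encryptFingerprint(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
}

// decryptFingerprint is the server's "acquire fingerprint information plaintext"
// step; an error here is the acquisition-failed branch.
func decryptFingerprint(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, ciphertext, nil)
}

// decideByFingerprint: a table hit at or below the threshold is released, a hit
// above it is intercepted, a miss falls back to the WAF check logic (claim 4).
func decideByFingerprint(table FirstDataTable, plaintext []byte, threshold int) (Decision, int, bool) {
	risk, found := table[fingerprintKey(plaintext)]
	switch {
	case !found:
		return WAFCheck, 0, false
	case risk <= threshold:
		return Release, risk, true
	default:
		return Intercept, risk, true
	}
}

func main() {
	priv, _ := generateSessionKeyPair()
	fp := []byte(`{"ua":"Mozilla/5.0 (X11; Linux x86_64)","lang":"zh-CN"}`) // constructed fingerprint
	ct, _ := encryptFingerprint(&priv.PublicKey, fp)
	pt, _ := decryptFingerprint(priv, ct)
	d, risk, _ := decideByFingerprint(FirstDataTable{fingerprintKey(fp): 30}, pt, 50)
	fmt.Println(d, risk)
}
```

A ciphertext produced against a different session's public key fails to decrypt, which is exactly the "acquisition fails" branch that hands the request to the comprehensive calculation rule instead.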
According to an embodiment of the disclosure, the apparatus further includes an interception module, configured to intercept the access request in a case where a refresh token is not normally generated; the interception module is further used for intercepting the access request under the condition that an abnormal jump event is detected; the interception module is further configured to intercept the access request if the first risk value is greater than a preset threshold; and the interception module is further configured to intercept the access request if the third risk value is greater than a preset threshold.
According to an embodiment of the disclosure, the risk value comprehensive calculation module comprises a second data table query unit, a first risk weight determining unit, a third data table query unit, a second risk weight determining unit and a third risk weight determining unit, wherein the second data table query unit is configured to query the second data table based on the target route; the first risk weight determining unit is configured to determine that the risk weight is a first risk weight when the target route is found in the second data table; the third data table query unit is configured to query the third data table based on the target route when the target route is not found in the second data table; the second risk weight determining unit is configured to determine that the risk weight is a second risk weight when the access count of the target route in the third data table lies within a preset access count interval; and the third risk weight determining unit is configured to determine that the risk weight is a third risk weight when the access count of the target route in the third data table lies outside the preset access count interval, or when the target route is not found in the third data table.
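The risk value comprehensive calculation rule with its three weight cases, as an added Go example that is not the patent's own code: the route weight is chosen from the second and third data tables as in claim 8, the WAF's own score enters as an input (`secondValue`), and the resulting third risk value is compared with the preset threshold. The weight values, access-count interval, threshold, route names and the multiplicative combination of weight and WAF value are constructed assumptions.

```go
package main

import (
	"fmt"
	"math"
)

// Constructed values: the patent names three risk weights, an access-count
// interval and a preset threshold but fixes none of them.
const (
	FirstRiskWeight  = 1.5 // route listed in the second data table
	SecondRiskWeight = 1.0 // route in the third data table, count inside the interval
	ThirdRiskWeight  = 1.2 // count outside the interval, or route in neither table
	MinAccesses      = 10
	MaxAccesses      = 1000
	PresetThreshold  = 60
)

// SecondDataTable holds K pieces of route information (a plain route set).
type SecondDataTable map[string]struct{}

// ThirdDataTable holds L routes and their one-to-one access counts.
type ThirdDataTable map[string]int

// Outcome of the comprehensive calculation for one access request.
type Outcome struct {
	Weight      float64
	Reason      string
	SecondValue int // risk value returned by the WAF
	ThirdValue  int // weight applied to the WAF value
	Action      string
}

// determineRiskWeight follows claim 8: query the second data table, then the
// third data table's access count, then fall back to the third weight.
func determineRiskWeight(route string, second SecondDataTable, third ThirdDataTable) (float64, string) {
	if _, listed := second[route]; listed {
		return FirstRiskWeight, "route listed in second data table"
	}
	count, known := third[route]
	switch {
	case known && count >= MinAccesses && count <= MaxAccesses:
		return SecondRiskWeight, "access count within preset interval"
	case known:
		return ThirdRiskWeight, "access count outside preset interval"
	default:
		return ThirdRiskWeight, "route absent from both tables"
	}
}

// comprehensiveRiskValue is the "risk value comprehensive calculation rule":
// the route weight is combined with the WAF's own risk value (secondValue).
// Multiplying the two is an assumption; the patent only says the third value
// is calculated from the weight and the second value.
func comprehensiveRiskValue(route string, secondValue int, second SecondDataTable, third ThirdDataTable) Outcome {
	w, why := determineRiskWeight(route, second, third)
	thirdValue := int(math.Round(w * float64(secondValue)))
	action := "intercept"
	if thirdValue <= PresetThreshold {
		// At or below the threshold the request still passes through the WAF
		// check logic; only a passing check redirects to the target route.
		action = "call WAF check logic; release to target route on pass"
	}
	return Outcome{Weight: w, Reason: why, SecondValue: secondValue, ThirdValue: thirdValue, Action: action}
}

// appliesTo reports whether the rule is used for a request: for requests the
// preliminary identification flagged as scripts, and for non-script requests
// whose device fingerprint plaintext could not be acquired (claims 2 and 3).
func appliesTo(isScript, fingerprintAcquired bool) bool {
	return isScript || !fingerprintAcquired
}

func main() {
	// Constructed tables: one listed route, two routes with access counts.
	second := SecondDataTable{"/api/transfer": {}}
	third := ThirdDataTable{"/api/balance": 250, "/api/export": 5}
	// The same WAF risk value (45) leads to different actions depending on the route weight.
	for _, route := range []string{"/api/transfer", "/api/balance", "/api/export", "/static/logo.png"} {
		o := comprehensiveRiskValue(route, 45, second, third)
		fmt.Printf("%-17s weight %.1f (%s) -> third value %d: %s\n", route, o.Weight, o.Reason, o.ThirdValue, o.Action)
	}
}
```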
According to embodiments of the present disclosure, any of the preliminary identification module 710, the non-script access front-end verification module 720, the fingerprint information plaintext acquisition module 730, the first data table lookup module 740, the first risk value determination module 750, and the WAF verification logic invocation module 760 may be combined in one module to be implemented, or any of the modules may be split into a plurality of modules. Alternatively, at least some of the functionality of one or more of the modules may be combined with, and implemented in, at least some of the functionality of other modules. According to embodiments of the present disclosure, at least one of the preliminary identification module 710, the non-script access front-end verification module 720, the fingerprint information plaintext acquisition module 730, the first data table lookup module 740, the first risk value determination module 750, and the WAF verification logic call module 760 may be implemented at least in part as hardware circuitry, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system-on-chip, a system-on-substrate, a system-on-package, an Application Specific Integrated Circuit (ASIC), or may be implemented in hardware or firmware in any other reasonable manner of integrating or packaging circuitry, or in any one of, or a suitable combination of, software, hardware and firmware implementations. Alternatively, at least one of the preliminary identification module 710, the non-script access front-end verification module 720, the fingerprint information plaintext acquisition module 730, the first data table lookup module 740, the first risk value determination module 750, and the WAF verification logic call module 760 may be at least partially implemented as a computer program module which, when executed, may perform the corresponding functions.
Fig. 8 schematically illustrates a block diagram of an electronic device adapted to implement a firewall-based secure communication method in accordance with an embodiment of the disclosure.
As shown in fig. 8, an electronic device 800 according to an embodiment of the present disclosure includes a processor 801 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 802 or a program loaded from a storage section 808 into a Random Access Memory (RAM) 803. The processor 801 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or an associated chipset and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), or the like. The processor 801 may also include on-board memory for caching purposes. The processor 801 may include a single processing unit or multiple processing units for performing the different actions of the method flows according to embodiments of the disclosure.
In the RAM 803, various programs and data required for the operation of the electronic device 800 are stored. The processor 801, the ROM 802, and the RAM 803 are connected to each other by a bus 804. The processor 801 performs various operations of the method flow according to the embodiments of the present disclosure by executing programs in the ROM 802 and/or the RAM 803. Note that the program may be stored in one or more memories other than the ROM 802 and the RAM 803. The processor 801 may also perform various operations of the method flows according to embodiments of the present disclosure by executing programs stored in the one or more memories.
According to an embodiment of the present disclosure, the electronic device 800 may also include an input/output (I/O) interface 805, the input/output (I/O) interface 805 also being connected to the bus 804. The electronic device 800 may also include one or more of the following components connected to the I/O interface 805: an input portion 806 including a keyboard, mouse, etc.; an output portion 807 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and a speaker; a storage section 808 including a hard disk or the like; and a communication section 809 including a network interface card such as a LAN card, a modem, or the like. The communication section 809 performs communication processing via a network such as the internet. The drive 810 is also connected to the I/O interface 805 as needed. A removable medium 811 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 810 as needed so that a computer program read out therefrom is mounted into the storage section 808 as needed.
The present disclosure also provides a computer-readable storage medium that may be embodied in the apparatus/device/system described in the above embodiments; or may exist alone without being assembled into the apparatus/device/system. The computer-readable storage medium carries one or more programs which, when executed, implement methods in accordance with embodiments of the present disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example, but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this disclosure, a computer-readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present disclosure, the computer-readable storage medium may include ROM 802 and/or RAM 803 and/or one or more memories other than ROM 802 and RAM 803 described above.
Embodiments of the present disclosure also include a computer program product comprising a computer program containing program code for performing the methods shown in the flowcharts. The program code, when executed in a computer system, causes the computer system to implement the firewall-based secure communication method provided by embodiments of the present disclosure.
The above-described functions defined in the system/apparatus of the embodiments of the present disclosure are performed when the computer program is executed by the processor 801. The systems, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.
In one embodiment, the computer program may be based on a tangible storage medium such as an optical storage device, a magnetic storage device, or the like. In another embodiment, the computer program may also be transmitted, distributed, and downloaded and installed in the form of a signal on a network medium, and/or from a removable medium 811 via a communication portion 809. The computer program may include program code that may be transmitted using any appropriate network medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.
In such an embodiment, the computer program may be downloaded and installed from a network via the communication section 809, and/or installed from the removable media 811. The above-described functions defined in the system of the embodiments of the present disclosure are performed when the computer program is executed by the processor 801. The systems, devices, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.
According to embodiments of the present disclosure, program code for performing computer programs provided by embodiments of the present disclosure may be written in any combination of one or more programming languages, and in particular, such computer programs may be implemented in high-level procedural and/or object-oriented programming languages, and/or assembly/machine languages. Programming languages include, but are not limited to, Java, C++, Python, C or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., connected via the Internet using an Internet service provider).
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that the features recited in the various embodiments of the disclosure and/or in the claims may be provided in a variety of combinations, even if such combinations are not explicitly recited in the disclosure. In particular, the features recited in the various embodiments of the present disclosure and/or the claims may be variously combined without departing from the spirit and teachings of the present disclosure. All such combinations fall within the scope of the present disclosure.
The embodiments of the present disclosure are described above. These examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described above separately, this does not mean that the measures in the embodiments cannot be used advantageously in combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be made by those skilled in the art without departing from the scope of the disclosure, and such alternatives and modifications are intended to fall within the scope of the disclosure.

Claims (12)

1. A method of firewall-based secure communication, the method comprising:
preliminarily identifying a received access request to obtain an identification result, wherein the access request comprises a target route;
for an access request whose identification result is non-script, under the condition of redirecting to the special route of the WAF, verifying whether the front-end function is normal;
under the condition that the front end functions normally, acquiring fingerprint information plaintext of the device;
under the condition that acquiring the fingerprint information plaintext of the device is successful, querying a first data table based on the fingerprint information plaintext, wherein the first data table comprises N pieces of fingerprint information and risk values in one-to-one correspondence, and N is a positive integer;
obtaining a first risk value under the condition that the fingerprint information plaintext is successfully queried in the first data table; and
redirecting to the target route and releasing the access under the condition that the first risk value is less than or equal to a preset threshold value.
2. The method of claim 1, further comprising, after the preliminarily identifying the received access request to obtain an identification result:
executing a risk value comprehensive calculation rule based on the target route for an access request whose identification result is a script, to obtain a third risk value; and
calling WAF check logic under the condition that the third risk value is less than or equal to a preset threshold value, so that the access is redirected to the target route and released under the condition that the WAF check logic passes;
wherein the risk value comprehensive calculation rule comprises:
querying a second data table based on the target route, or querying a second data table and a third data table based on the target route, to obtain a risk weight, wherein the second data table comprises K pieces of route information, the third data table comprises L pieces of route information and access counts in one-to-one correspondence, and K and L are positive integers;
calling the WAF to calculate the risk value of the access request to obtain a second risk value; and
calculating the third risk value based on the risk weight and the second risk value.
3. The method of claim 2, further comprising, after the acquiring the fingerprint information plaintext of the device:
under the condition that acquiring the fingerprint information plaintext of the device fails, executing the risk value comprehensive calculation rule for an access request whose identification result is non-script, to obtain a third risk value; and
calling WAF check logic under the condition that the third risk value is less than or equal to a preset threshold value, so that the access is redirected to the target route and released under the condition that the WAF check logic passes.
4. The method of claim 2, further comprising, after the querying the first data table based on the fingerprint information plaintext:
calling WAF check logic under the condition that querying the first data table with the fingerprint information plaintext fails, so that the access is redirected to the target route and released under the condition that the WAF check logic passes.
5. The method according to any one of claims 2-4, wherein the verifying whether the front-end function is normal, under the condition of redirecting to the special route of the WAF, for an access request whose identification result is non-script, comprises:
redirecting to the special route of the WAF;
checking whether a refresh token is normally generated;
under the condition that the refresh token is normally generated, generating a key pair;
writing the public key of the key pair into a preset first front-end execution logic to obtain a second front-end execution logic, wherein the first front-end execution logic comprises logic for collecting fingerprint information of the device;
transmitting the second front-end execution logic to the front end for execution; and
under the condition that the second front-end execution logic is successfully executed, receiving the fingerprint information ciphertext of the device and judging that the front-end function is normal.
6. The method of claim 5, wherein the acquiring the fingerprint information plaintext of the device comprises:
decrypting the fingerprint information ciphertext based on the key pair to obtain the fingerprint information plaintext of the device.
7. The method of claim 5, wherein:
after the checking whether the refresh token is normally generated, the method further comprises: intercepting the access request under the condition that the refresh token is not normally generated;
after the transmitting the second front-end execution logic to the front end for execution, the method further comprises: intercepting the access request under the condition that an abnormal jump event is detected;
after the querying the first data table based on the fingerprint information plaintext to obtain a first risk value, the method further comprises: intercepting the access request under the condition that the first risk value is larger than a preset threshold value; and
after the executing the risk value comprehensive calculation rule based on the target route to obtain a third risk value, the method further comprises: intercepting the access request under the condition that the third risk value is larger than a preset threshold value.
8. The method according to any one of claims 2, 3 and 4, wherein the querying the second data table based on the target route, or querying the second data table and the third data table based on the target route, to obtain the risk weight comprises:
querying the second data table based on the target route;
under the condition that the target route is found in the second data table, determining the risk weight to be a first risk weight;
querying the third data table based on the target route under the condition that the target route is not found in the second data table;
determining the risk weight to be a second risk weight under the condition that the access count of the target route in the third data table lies within a preset access count interval; and
determining the risk weight to be a third risk weight under the condition that the access count of the target route in the third data table lies outside the preset access count interval, or under the condition that the target route is not found in the third data table.
9. A firewall-based secure communication apparatus, the apparatus comprising:
a preliminary identification module, configured to preliminarily identify a received access request to obtain an identification result, wherein the access request comprises a target route;
a non-script access front-end verification module, configured to verify, for an access request whose identification result is non-script, whether the front-end function is normal under the condition of redirecting to the special route of the WAF;
a fingerprint information plaintext acquisition module, configured to acquire the fingerprint information plaintext of the device under the condition that the front-end function is normal;
a first data table query module, configured to query a first data table based on the fingerprint information plaintext when the fingerprint information plaintext of the device is successfully acquired, wherein the first data table comprises N pieces of fingerprint information and risk values in one-to-one correspondence;
a first risk value determination module, configured to obtain a first risk value under the condition that the fingerprint information plaintext is successfully queried in the first data table; and
a WAF check logic calling module, configured to redirect to the target route and release the access under the condition that the first risk value is less than or equal to a preset threshold value.
10. An electronic device, comprising:
one or more processors; and
storage means for storing one or more computer programs,
characterized in that the one or more processors execute the one or more computer programs to implement the steps of the method according to any one of claims 1-8.
11. A computer-readable storage medium on which a computer program is stored, characterized in that the computer program, when executed by a processor, implements the steps of the method according to any one of claims 1-8.
12. A computer program product comprising a computer program, characterized in that the computer program, when executed by a processor, implements the steps of the method according to any one of claims 1-8.
Application CN202410412651.5A, priority date 2024-04-07, filing date 2024-04-07: Security communication method, device, equipment, medium and product based on firewall. Status: Pending. Publication: CN118200008A (en).


Publication: CN118200008A (en), published 2024-06-14.


Legal events: PB01 (Publication).