Detailed Description
In order to make the objects, features and advantages of the present invention more apparent and understandable, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, and it is apparent that the described embodiments are only a part of the embodiments of the present application, and not all the embodiments of the present application. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
In order to solve the problem that the malicious attack cannot be intercepted and blocked in real time in the related art, a first embodiment of the present application provides a malicious attack intercepting method, for example, fig. 1 is a basic flowchart of the malicious attack intercepting method provided in this embodiment, and the malicious attack intercepting method includes the following steps:
step 101, after the protected application is deployed to the web server, configuring the environment variable according to the application type of the protected application.
Specifically, in this embodiment, the method is first configured in the server, and after the protected application is deployed in the web server, the environment variable is configured by using a malicious attack interception method according to the application type of the protected application.
In an optional implementation manner of this embodiment, the step of configuring the environment variable according to the application type of the protected application includes: if the protected application is an application of the .NET Framework platform, calling the registry editor and creating an Environment value in the registry editor, wherein the Environment value includes the application identifier of the protected application and the deployment directory of the security protection mechanism; or, if the protected application is an application of the .NET 6 platform, acquiring the web.config file of the protected application and performing the environment variable configuration in the web.config file.
Specifically, in this embodiment, if the protected application is an application of the .NET Framework platform, the protected application is deployed in a web server, which is IIS on the Windows platform. After the deployment is completed, the application program is not started directly; instead, the registry editor is called to locate the W3SVC entry, and an Environment value is created there, where the Environment value includes the application identifier of the protected application and the deployment directory of the security protection mechanism; after the Environment value has been created, these items are configured subsequently. Or, if the protected application is an application of the .NET 6 platform, likewise under IIS on the Windows platform, the application program is not started directly after deployment is completed; the web.config file of the protected application is first located and the corresponding configuration is added into that configuration file. Because different environment variables are configured for different .NET platforms according to the environment variable configuration of the protected application, malicious attacks can be effectively protected against in real time.
Further, in an optional implementation manner of this embodiment, after the step of configuring the environment variable according to the application type of the protected application, the method further includes: setting the flashing time of the probe and the basic configuration of the gray box test; the step of analyzing the first user interaction data comprises: and carrying out a gray box test on the first user interaction data according to the probe flashing time.
Specifically, in this embodiment, fig. 2 is a schematic diagram of the security protection mechanism provided in this embodiment of the present application. After the environment variable configuration of the protected application is completed, the security protection mechanism is configured according to the environment variable. First, the security probe of the security protection mechanism is configured and the probe flashing time is set. Second, the security protection mechanism includes a gray box test, for which the server host identifier needs to be set first, an agent login token is obtained, and the full name of the application program and the test identifier of the gray box test are set. In the configuration of the security protection mechanism, initial configurations such as the server to which attacks are reported and the security log may also be set according to requirements. It should be noted that, after the configuration of the security protection mechanism is completed, when the user inputs interactive data, the gray box test is performed on the user interaction data according to the probe flashing time, and attack detection is performed on the protected application according to the gray box test.
Step 102, after the configuration of the environment variables is completed, acquiring first user interaction data, and analyzing the first user interaction data.
Specifically, in this embodiment, the first user interaction data is data input by the user in the input stage, and when the user normally uses the protected application, the security protection mechanism starts the input detection function, and all user interactions and inputs are collected and analyzed.
In an optional implementation manner of this embodiment, the step of obtaining the first user interaction data includes: performing input detection on all input forms of the protected application; wherein, the input form includes: page data interaction, form submission, data submission and data circulation; first user interaction data corresponding to the input form is obtained.
Specifically, in this embodiment, after the installation and configuration of the security protection mechanism are completed, protection monitoring is performed on all methods of the protected application that have an input form. The input form refers to the page data interaction that occurs when a user uses the protected application, such as form submission and data submission; the application receives the data input by the user and performs the next data transfer, and according to the input detection function all user interactions and inputs are collected.
Step 103, if the attack sensitive characters of the malicious attack exist in the first user interaction data according to the analysis result, marking abnormal identification on the first user interaction data.
Specifically, in this embodiment, if analysis of the user interaction data finds that malicious attack-sensitive characters or other such behaviours exist in the input stage, the security protection mechanism places a mark on the input, and the mark indicates that a man-made attack risk may exist in the input stage. It should be understood that the security protection mechanism does not block directly at this time, but only marks.
Step 104, intercepting the executed second user interaction data at an output stage, and filtering and protecting the second user interaction data with the abnormal identifier.
Specifically, in this embodiment, the second user interaction data is the user interaction data after passing through the data flow of the propagation stage. In the output stage, the security protection mechanism may intercept the first interaction data and the second interaction data at the same time, since it cannot be excluded that data input in the input stage is executed directly in the output stage without any transformation in the propagation stage; therefore all data carrying the abnormal identifier is subjected to filtering protection in the output stage.
In an optional implementation manner of this embodiment, before the step of intercepting the executed second user interaction data in the output stage, the method further includes: in the propagation stage of the first user interaction data, comparing the second user interaction data with the first user interaction data to determine whether the first user interaction data containing the abnormal identifier exists in the second user interaction data; and if the second user interaction data has the first user interaction data containing the abnormal identifier after the data flow, identifying the abnormal identifier for the corresponding second user interaction data.
Specifically, in this embodiment, after the data in the input stage is marked, the data flow is transferred to the service processing stage, which is referred to here as the propagation stage. Take a login operation as an example: after a user inputs a username and a password, the username and the password are transferred to the propagation stage as input streams; the application then searches the database using the data obtained in the input stage. If the user data is found in the database by the username and password, the login succeeds; if it is not found, the login fails. In this example, the series of processes by which the system searches the database with the username and password filled in by the user is the propagation stage. In the propagation stage of the first user interaction data, the second user interaction data is compared with the first user interaction data, and if some data in the propagation stage carries the mark from the input stage, the propagation stage is marked. The database is not yet queried in the propagation stage; rather, the SQL statement that will query the database is generated, so part of the content of that SQL statement consists of the malicious characters marked in the input stage. The SQL statement therefore also carries malicious characters and needs to be marked with the abnormal identifier.
Further, in an optional implementation manner of this embodiment, the step of performing filtering protection on the second user interaction data with the abnormal identifier includes: acquiring parameter information from the intercepted second user interaction data, wherein the parameter information includes the input parameter data and the return value of the second user interaction data; if the parameter information has the abnormal identifier, filtering the parameter information and generating an execution abnormal instruction; controlling the corresponding code of the second user interaction data to stop running according to the execution abnormal instruction; and if the abnormal identifier does not exist in the parameter information, allowing the second user interaction data to continue to operate in the output stage.
Specifically, in practical application, after data in both the input stage and the propagation stage have been marked, the application executes the query operation, which is the output stage. The output stage is the final stage of the attack: if it has no precautionary behaviour, the malicious attack present in the input and propagation stages runs directly in the output stage. In this embodiment, the security protection mechanism takes over the method of the output stage and filters and protects the input parameters and return values of that method. When the method of the output stage is executed, its parameter information is first obtained; if a parameter carries the mark from the propagation stage, an execution exception is thrown and the following code does not run, thereby blocking the malicious attack; if the parameter carries no mark from any of the previous stages, the execution of the output stage is not interfered with.
In an optional implementation manner of this embodiment, after the step of performing filter protection on the second user interaction data with the abnormal identifier, the method further includes: detecting parameter information containing abnormal identification through a gray box test, and determining the attack type and attack sensitive characters of malicious attack; generating a security log according to the parameter information, the attack type of the malicious attack and the attack sensitive characters, and uploading the security log to a server host; when attack-sensitive characters are detected again in the input phase, a blocking instruction is sent to the server host.
Specifically, in this embodiment, after the security protection mechanism intercepts parameter information carrying the abnormal identifier, the parameter information is detected through the gray box test, and the attack type of the malicious attack and the attack sensitive characters of the identifier included in the parameter information are determined. A security log is generated according to the parameter information, the attack type of the malicious attack and the attack sensitive characters, and the security log is uploaded to the configured server host, where the security log is used by the server host to generate a blocking rule for the attack sensitive characters. According to the blocking rule, when the attack sensitive characters are detected again in the input stage by the security protection mechanism, a blocking instruction is sent to the server host, and the server host directly blocks the attack sensitive characters according to the blocking rule; that is, the user interaction data is directly intercepted and feedback is shown on the display page of the user terminal.
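As an added worked example that is not part of the patent (whose target is .NET applications under IIS), the following Python model shows the mechanism of steps 101 to 104 together with the security-log feedback loop just described, and equally serves the second embodiment and the apparatus modules below: the input stage only marks attack-sensitive characters, the mark propagates through ordinary string concatenation into the generated SQL statement, the output stage throws an execution exception when the parameter carries the mark, and a blocking rule derived from the uploaded log blocks the same characters at the input stage on the next request. All names (Tainted, Protector, ServerHost, login) and the pattern set are assumptions made for this example.

```python
import re
from dataclasses import dataclass, field

# Attack-sensitive character patterns checked at the input stage (constructed, illustrative set).
SENSITIVE_PATTERNS = {
    "sql_injection": re.compile(r"'|--|;|\bor\b\s+\S+\s*=\s*\S+", re.IGNORECASE),
    "xss": re.compile(r"<\s*script|javascript:", re.IGNORECASE),
}


def marks_of(value):
    """Return the (attack_type, sensitive_characters) marks carried by a value, if any."""
    return getattr(value, "marks", frozenset())


class Tainted(str):
    """A str carrying the abnormal identifier: which attack types and characters were found."""

    def __new__(cls, value, marks=()):
        obj = super().__new__(cls, value)
        obj.marks = frozenset(marks)
        return obj

    # Propagation stage: concatenation keeps the mark on every string derived from the input.
    def __add__(self, other):
        return Tainted(str.__add__(self, other), self.marks | marks_of(other))

    def __radd__(self, other):
        return Tainted(str.__add__(other, self), self.marks | marks_of(other))


class ExecutionAbnormal(Exception):
    """The 'execution abnormal instruction': raised in the output stage so following code does not run."""


class BlockedAtInput(Exception):
    """Raised when a blocking rule learned from an earlier security log fires already in the input stage."""


@dataclass
class ServerHost:
    """Stand-in for the configured server host: stores security logs and derives blocking rules."""
    security_logs: list = field(default_factory=list)
    blocking_rules: set = field(default_factory=set)

    def upload(self, log):
        self.security_logs.append(log)
        # Blocking rule: the exact attack-sensitive characters reported in the log.
        self.blocking_rules.update(log["sensitive_characters"])


@dataclass
class Protector:
    host: ServerHost

    # Stage 1 (input): detect and mark; do not block unless a learned rule already covers the input.
    def input_stage(self, value):
        for chars in self.host.blocking_rules:
            if chars in value:
                raise BlockedAtInput(chars)
        marks = {(name, m) for name, pat in SENSITIVE_PATTERNS.items() for m in pat.findall(value)}
        return Tainted(value, marks) if marks else value

    # Stage 2 (propagation): ordinary business code builds the query; the mark rides along.
    @staticmethod
    def build_login_query(username, password):
        return "SELECT id FROM users WHERE name='" + username + "' AND pw='" + password + "'"

    # Stage 3 (output): take over the sink, inspect the parameter, then filter or allow.
    def output_stage(self, sql):
        if marks_of(sql):
            log = self.gray_box_detect(sql)
            self.host.upload(log)
            raise ExecutionAbnormal(log["attack_type"])
        return "executed"  # stand-in for actually running the query

    @staticmethod
    def gray_box_detect(sql):
        """Determine attack type and sensitive characters from the marks, for the security log."""
        return {
            "attack_type": ",".join(sorted({t for t, _ in sql.marks})),
            "sensitive_characters": sorted({c for _, c in sql.marks}),
            "parameter": str(sql),
        }


def login(protector, username, password):
    """Run one login through the three stages; return where the request ended up."""
    try:
        u = protector.input_stage(username)
        p = protector.input_stage(password)
    except BlockedAtInput:
        return "blocked_at_input"
    try:
        return protector.output_stage(protector.build_login_query(u, p))
    except ExecutionAbnormal:
        return "blocked_at_output"
```

Only `+` concatenation is instrumented here; a real agent must also hook formatting, substring and encoding methods, or the mark is lost before the output stage.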
Based on the embodiment scheme of the application, after the protected application is deployed to the web server, environment variable configuration is carried out according to the application type of the protected application; after the configuration of the environment variables is completed, acquiring first user interaction data, and analyzing the first user interaction data; the first user interaction data are data input by a user in an input stage; if the attack sensitive characters of the malicious attack exist in the first user interaction data according to the analysis result, marking abnormal identification on the first user interaction data; intercepting executed second user interaction data at an output stage, and filtering and protecting the second user interaction data with abnormal identifications; and the second user interaction data is the user interaction data after passing through the data flow in the propagation stage. Through the implementation of the scheme, the environment variable is configured after the protected application is deployed, the user interaction data is obtained according to the configured environment variable, the second user interaction data is intercepted in the output stage, and the second user interaction data with the abnormal identifier is filtered and protected. The invention can protect the malicious attack in real time in the running process of the system.
The method in fig. 3 is a detailed malicious attack interception method according to a second embodiment of the present application, and the malicious attack interception method includes:
step 301, after the protected application is deployed to the web server, configuring the environment variable according to the application type of the protected application.
Specifically, in this embodiment, if the protected application is an application of the .NET Framework platform, the registry editor is called and an Environment value is created in the registry editor, wherein the Environment value includes the application identifier of the protected application and the deployment directory of the security protection mechanism; or, if the protected application is an application of the .NET 6 platform, the web.config file of the protected application is acquired and the environment variable configuration is performed in the web.config file.
Step 302, after the configuration of the environment variable is completed, acquiring first user interaction data in an input stage.
Step 303, performing input detection on all input forms in the first user interaction data, and analyzing a detection result.
Specifically, in this embodiment, the input form includes: page data interaction, form submission, data submission, and data circulation.
Step 304, if the attack sensitive characters of the malicious attack exist in the first user interaction data according to the analysis result, marking abnormal identifications for the parameters of the attack sensitive characters contained in the first user interaction data.
Step 305, in the propagation stage of the first user interaction data, comparing the second user interaction data with the first user interaction data, and determining whether parameter information containing the abnormal identifier exists in the second user interaction data.
Specifically, in this embodiment, the second user interaction data is the first user interaction data after passing through the data flow in the propagation stage.
Step 306, if the parameter information containing the abnormal identifier exists in the second user interaction data, marking the abnormal identifier on the second user interaction data.
Step 307, intercepting the second user interaction data in an output stage, and acquiring parameter information from the second user interaction data.
Step 308, if an abnormal identifier exists in the parameter information, filtering the parameter information corresponding to the abnormal identifier, and generating an execution abnormal instruction; and controlling the corresponding code of the second user interaction data to stop running according to the execution abnormal instruction.
Step 309, if the abnormal identifier does not exist in the parameter information, allowing the second user interaction data to continue to operate in an output stage.
According to the malicious attack intercepting method provided by the scheme of the application, after the protected application is deployed to the web server, environment variable configuration is carried out according to the application type of the protected application; after the configuration of the environment variables is completed, acquiring first user interaction data in an input stage; performing input detection on all input forms in the first user interaction data, and analyzing a detection result; if the attack sensitive characters of the malicious attack exist in the first user interaction data according to the analysis result, marking abnormal marks on the parameters of the attack sensitive characters contained in the first user interaction data; in the propagation stage of the first user interaction data, comparing the second user interaction data with the first user interaction data to determine whether parameter information containing abnormal identification exists in the second user interaction data; if the second user interaction data contains parameter information containing the abnormal identification, marking the abnormal identification on the second user interaction data; intercepting second user interaction data at an output stage, and acquiring parameter information from the second user interaction data; if the parameter information has the abnormal identifier, filtering the parameter information corresponding to the abnormal identifier and generating an execution abnormal instruction; controlling a corresponding code of the second user interaction data to stop running according to the execution abnormal instruction; and if the abnormal identifier does not exist in the parameter information, allowing the second user interaction data to continue to operate in the output stage. 
Through the implementation of the scheme, the environment variable is configured after the protected application is deployed, the second user interaction data is intercepted in the output stage, and the second user interaction data with the abnormal identifier is filtered and protected. The invention can protect the malicious attack in real time in the running process of the system.
Fig. 4 is a malicious attack intercepting apparatus provided in a third embodiment of the present application, where the malicious attack intercepting apparatus may be used to implement the malicious attack intercepting method in the foregoing embodiment. As shown in fig. 4, the malicious attack intercepting apparatus mainly includes:
a configuration module 401, configured to perform environment variable configuration according to an application type of a protected application after the protected application is deployed to a web server;
an analysis module 402, configured to obtain user interaction data after the environment variable configuration is completed, and analyze the user interaction data;
a marking module 403, configured to mark an abnormal identifier for the user interaction data if it is determined that an attack sensitive character of a malicious attack exists in the user interaction data according to an analysis result;
a protection module 404, configured to intercept executed second user interaction data at an output stage, and perform filtering protection on the second user interaction data with the abnormal identifier; and the second user interaction data is the user interaction data after the data flow is processed in the propagation stage.
In an optional implementation manner of this embodiment, the configuration module is specifically configured to: if the protected application is an application of the .NET Framework platform, call the registry editor and create an Environment value in the registry editor, wherein the Environment value comprises the application identifier of the protected application and the deployment directory of the security protection mechanism; or, if the protected application is an application of the .NET 6 platform, acquire the web.config file of the protected application and perform the environment variable configuration in the web.config file.
Further, in an optional implementation manner of this embodiment, the malicious attack blocking apparatus further includes a setting module. The setting module is used for: setting the flashing time of the probe and the basic configuration of the gray box test; wherein the basic configuration comprises: server host identity, login token, application full name and test identity. The analysis module is further specifically configured to: carry out the gray box test on the first user interaction data according to the probe flashing time.
In an optional implementation manner of this embodiment, when the analysis module implements the function of acquiring the first user interaction data, the analysis module is specifically configured to: performing input detection on all input forms of the protected application; wherein the input form comprises: page data interaction, form submission, data submission and data circulation; and acquiring first user interaction data corresponding to the input form.
In an optional implementation manner of this embodiment, the malicious attack blocking apparatus further includes a comparison module. The comparison module is used for: in the propagation stage of the first user interaction data, comparing the second user interaction data with the first user interaction data to determine whether the first user interaction data containing the abnormal identifier exists in the second user interaction data. The marking module is further used for: if the first user interaction data containing the abnormal identifier exists in the second user interaction data after the data flow, marking the abnormal identifier on the corresponding second user interaction data.
Further, in an optional implementation manner of this embodiment, the protection module is specifically configured to: acquiring parameter information from the intercepted second user interaction data; wherein the parameter information includes: the input parameter data and the return value of the second user interaction data; if the parameter information has the abnormal identifier, filtering the parameter information and generating an execution abnormal instruction; controlling a corresponding code of the second user interaction data to stop running according to the execution abnormal instruction; and if the abnormal identifier does not exist in the parameter information, allowing the second user interaction data to continue to operate in the output stage.
In an optional implementation manner of this embodiment, the malicious attack blocking apparatus further includes a detection module, an uploading module and a sending module. The detection module is used for: detecting the parameter information containing the abnormal identification through the gray box test, and determining the attack type and attack sensitive characters of the malicious attack. The uploading module is used for: generating a security log according to the parameter information, the attack type of the malicious attack and the attack sensitive characters, and uploading the security log to the server host; wherein the security log is used by the server host to generate a blocking rule for the attack sensitive characters. The sending module is used for: when the attack sensitive characters are detected again in the input stage, sending a blocking instruction to the server host; wherein the blocking instruction is used by the server host to directly block the attack sensitive characters according to the blocking rule.
According to the malicious attack intercepting device provided by the scheme of the application, after the protected application is deployed to the web server, the environment variable configuration is carried out according to the application type of the protected application; after the configuration of the environment variables is completed, first user interaction data are obtained and analyzed; the first user interaction data are data input by a user in an input stage; if the attack sensitive characters of the malicious attack exist in the first user interaction data according to the analysis result, marking abnormal identification on the first user interaction data; intercepting executed second user interaction data at an output stage, and filtering and protecting the second user interaction data with the abnormal identifier; and the second user interaction data is the user interaction data after the data flow is processed in the propagation stage. Through the implementation of the scheme, the environment variable is configured after the protected application is deployed, the user interaction data is obtained according to the configured environment variable, the second user interaction data is intercepted in the output stage, and the second user interaction data with the abnormal identifier is filtered and protected. The invention can protect the malicious attack in real time in the running process of the system.
Fig. 5 is an electronic device according to a fourth embodiment of the present application. The electronic device can be used for implementing the malicious attack interception method in the foregoing embodiment, and mainly includes:
a memory 501, a processor 502 and a computer program 503 stored on the memory 501 and executable on the processor 502, the memory 501 and the processor 502 being communicatively connected. The processor 502, when executing the computer program 503, implements the malicious attack interception method in the foregoing embodiments. The number of processors may be one or more.
The memory 501 may be a high-speed Random Access Memory (RAM) or a non-volatile memory, such as a disk memory. The memory 501 is used for storing executable program code, and the processor 502 is coupled to the memory 501.
Further, an embodiment of the present application further provides a computer-readable storage medium, where the computer-readable storage medium may be provided in the electronic device in the foregoing embodiments, and the computer-readable storage medium may be the memory in the foregoing embodiment shown in fig. 5.
The computer-readable storage medium has stored thereon a computer program which, when executed by a processor, implements the malicious attack interception method in the foregoing embodiments. Further, the computer-readable storage medium may be various media that can store program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a RAM, a magnetic disk, or an optical disk.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, a division of modules is merely a division of logical functions, and an actual implementation may have another division, for example, a plurality of modules or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or modules, and may be in an electrical, mechanical or other form.
Modules described as separate parts may or may not be physically separate, and parts displayed as modules may or may not be physical modules, may be located in one place, or may be distributed on a plurality of network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment.
In addition, functional modules in the embodiments of the present application may be integrated into one processing module, or each module may exist alone physically, or two or more modules are integrated into one module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode.
The integrated module, if implemented in the form of a software functional module and sold or used as a separate product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application may be substantially implemented or contributed to by the prior art, or all or part of the technical solution may be embodied in a software product, which is stored in a readable storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method of the embodiments of the present application. And the aforementioned readable storage medium comprises: various media capable of storing program codes, such as a U disk, a removable hard disk, a ROM, a RAM, a magnetic disk, or an optical disk.
It should be noted that for simplicity and convenience of description, the above-described method embodiments are described as a series of combinations of acts, but those skilled in the art will appreciate that the present application is not limited by the order of acts, as some steps may, in accordance with the present application, occur in other orders and/or concurrently. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required in this application.
In the foregoing embodiments, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to the related descriptions of other embodiments.
In view of the above description of the malicious attack interception method, apparatus, device and readable storage medium provided by the present application, for those skilled in the art, according to the ideas of the embodiments of the present application, there may be changes in the specific implementation and application scope, and in summary, the content of the present specification should not be construed as limiting the present application.