Technical Field
The present invention relates to the field of network security technology, and in particular to a data hijacking alarm method, system, electronic device and storage medium.
Background
On many special-purpose platforms or applications, restrictions such as permission management, confidentiality requirements and limited resources often lead to several people sharing the same account. For example, some scanners provide only one account, while multiple evaluators in a department need to use the scanner, so it is inevitable that one account is used by several people. When an account is shared in this way, the number of login nodes grows and so does the number of targets a hacker can attack, which increases the security risk of the account being hijacked. When a security problem does occur, how to quickly trace its source and respond in time is also a problem that many enterprises need to solve.
Some prior-art solutions to hijacking work by inspecting IP addresses: they collect the user accounts that have logged in from any proxy IP address in a proxy IP address library, and from those accounts select one or more target accounts that frequently use proxy IP addresses. From the candidate IP addresses that each target account has logged in from, those meeting preset conditions are selected as the IP addresses of hijacked network terminals. Although this solution can effectively detect the IP address of a hijacked network terminal, it cannot be applied where multiple people share an account.
Therefore, there is an urgent need for a data hijacking alarm method for accounts co-managed by multiple people, to solve the above technical problems of the prior art.
Summary of the Invention
To remedy the deficiencies of the prior art, the main purpose of the present invention is to provide a data hijacking alarm method, system, electronic device and storage medium that solve the above technical problems of the prior art.
To achieve the above purpose, in a first aspect the present invention provides a data hijacking alarm method, the method comprising:
when a user logs in to the client, obtaining the user's login IP, account and the initial count value in a local counter, the local counter being used to record the number of operations of each functional module in the client;
when the account has a login record for the login IP, judging, according to the initial count value and a preset verification condition, whether the currently logged-in user passes a first verification, and performing count initialization for a currently logged-in user who passes the first verification;
after the user operation is completed, comparing the user counter value corresponding to the currently logged-in user with the local counter value, wherein the server contains multiple user counters, and the user counters separately record the number of server response operations for different login IPs and accounts;
if the user counter value is equal to the local counter value, the account is in normal use;
if the user counter value is not equal to the local counter value, generating a data hijacking alarm.
In some embodiments, performing count initialization for a user who passes the first verification includes:
after the server detects that the currently logged-in user in the client has passed the first verification, the server generates an initialization instruction and returns it to the client, wherein the initialization instruction includes an initialization value randomly generated by the server;
the server looks up the corresponding user counter according to the account and the login IP and sets the user counter value to the initialization value;
after receiving the initialization instruction, the client sets the local counter value to the initialization value.
In some embodiments, when the user logs in to the client, the method further includes:
the client generates a user login request and sends the user login request and the corresponding login IP to the server for identity authentication, the user login request containing an account and a password;
if identity authentication succeeds, the server looks up the corresponding key in the key library based on the login IP and the account, generates user login success data, and returns it to the client.
In some embodiments, when the account has a login record for the login IP, judging, according to the initial count value and the preset verification condition, whether the currently logged-in user passes the first verification includes:
querying, according to the login IP and account of the currently logged-in user, the user counter value corresponding to the currently logged-in user in the server;
if the initial count value is equal to the user counter value corresponding to the currently logged-in user, the currently logged-in user passes the first verification;
if the initial count value is not equal to the user counter value corresponding to the currently logged-in user, generating a data hijacking alarm.
In some embodiments, the method further includes:
when the account has no login record for the login IP, creating a new local counter in the client, and creating in the server a new user counter corresponding to the login IP and the user.
In some embodiments, comparing the user counter value with the local counter value after the user operation is completed includes:
the client encrypts the local counter value with the key returned by the server and transmits the encrypted local counter value to the server;
the server decrypts the encrypted local counter value and queries the user counter value of the currently logged-in user according to the IP address and account of the currently logged-in user;
the server compares the decrypted local counter value with the user counter value of the currently logged-in user.
In some embodiments, the data hijacking alarm includes the login IP and account information of the currently logged-in user, and the method further includes:
disabling, according to the account information in the data hijacking alarm, the account corresponding to the account information; and querying, according to the login IP and account information in the data hijacking alarm, the recorded server response operations for security personnel to review.
In a second aspect, the present application provides a data hijacking alarm system, the system comprising:
a preparation module, used to obtain, when a user logs in to the client, the user's login IP, account and the initial count value in a local counter, the local counter being used to record the number of operations of each functional module in the client;
a verification module, used to judge, when the account has a login record for the login IP, whether the currently logged-in user passes a first verification according to the initial count value and a preset verification condition, and to perform count initialization for a currently logged-in user who passes the first verification;
an analysis module, used to compare, after the user operation is completed, the user counter value corresponding to the currently logged-in user with the local counter value, wherein the server contains multiple user counters, and the user counters separately record the number of server response operations for different login IPs and accounts;
a processing module, used to allow normal use of the account when the user counter value is equal to the local counter value;
the processing module being further used to generate a data hijacking alarm when the user counter value is not equal to the local counter value.
In a third aspect, the present application provides an electronic device, the electronic device comprising:
one or more processors;
and a memory associated with the one or more processors, the memory being used to store program instructions which, when read and executed by the one or more processors, perform the following operations:
when a user logs in to the client, obtaining the user's login IP, account and the initial count value in a local counter, the local counter being used to record the number of operations of each functional module in the client;
when the account has a login record for the login IP, judging, according to the initial count value and a preset verification condition, whether the currently logged-in user passes a first verification, and performing count initialization for a currently logged-in user who passes the first verification;
after the user operation is completed, comparing the user counter value corresponding to the currently logged-in user with the local counter value, wherein the server contains multiple user counters, and the user counters separately record the number of server response operations for different login IPs and accounts;
if the user counter value is equal to the local counter value, the account is in normal use;
if the user counter value is not equal to the local counter value, generating a data hijacking alarm.
In a fourth aspect, the present application further provides a computer-readable storage medium storing a computer program, the computer program causing a computer to perform the following operations:
when a user logs in to the client, obtaining the user's login IP, account and the initial count value in a local counter, the local counter being used to record the number of operations of each functional module in the client;
when the account has a login record for the login IP, judging, according to the initial count value and a preset verification condition, whether the currently logged-in user passes a first verification, and performing count initialization for a currently logged-in user who passes the first verification;
after the user operation is completed, comparing the user counter value corresponding to the currently logged-in user with the local counter value, wherein the server contains multiple user counters, and the user counters separately record the number of server response operations for different login IPs and accounts;
if the user counter value is equal to the local counter value, the account is in normal use;
if the user counter value is not equal to the local counter value, generating a data hijacking alarm.
The beneficial effects achieved by the present application are:
The present application provides a data hijacking alarm method, including: when a user logs in to the client, obtaining the user's login IP, account and the initial count value in a local counter, the local counter being used to record the number of operations of each functional module in the client; when the account has a login record for the login IP, judging, according to the initial count value and a preset verification condition, whether the currently logged-in user passes a first verification, and performing count initialization for a currently logged-in user who passes the first verification; after the user operation is completed, comparing the user counter value corresponding to the currently logged-in user with the local counter value, wherein the server contains multiple user counters, and the user counters separately record the number of server response operations for different login IPs and accounts; if the user counter value is equal to the local counter value, the account is in normal use; if the user counter value is not equal to the local counter value, generating a data hijacking alarm. Hijacking attacks on accounts co-managed by multiple people are thus effectively detected and responded to: an attacker who performs abnormal operations after hijacking a session is detected, and is identified even if the attacker disguises their own IP. This improves the accuracy of hijacking detection, so that the account can be quickly disabled to protect system security.
Brief Description of the Drawings
To explain the technical solutions in the embodiments of the present application more clearly, the drawings needed for describing the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present application; those of ordinary skill in the art can obtain other drawings from them without creative effort. In the drawings:
FIG. 1 is a schematic diagram of the hijacking detection method provided in an embodiment of the present application;
FIG. 2 is a flow chart of the data hijacking alarm method provided in an embodiment of the present application;
FIG. 3 is an architecture diagram of the data hijacking alarm system provided in an embodiment of the present application;
FIG. 4 is a structural diagram of the electronic device provided in an embodiment of the present application.
Detailed Description
To make the purpose, technical solutions and advantages of the present application clearer, the technical solutions in the embodiments of the present application are described clearly and completely below with reference to the drawings in those embodiments. Obviously, the described embodiments are only some of the embodiments of the present application, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments in the present application, without creative effort, fall within the scope of protection of the present application.
It should be understood that, in the description of the present application, unless the context clearly requires otherwise, words such as "include" and "comprise" throughout the specification and claims are to be interpreted in an inclusive sense rather than an exclusive or exhaustive sense; that is, in the sense of "including but not limited to".
It should also be understood that the terms "first", "second" and the like are used for descriptive purposes only and are not to be understood as indicating or implying relative importance. In addition, in the description of the present application, unless otherwise specified, "multiple" means two or more.
It should be noted that the terms "S1", "S2" and the like are used only to describe the steps. They do not denote a particular order or sequence, nor do they limit the present application; they merely make the method easier to describe and are not to be understood as indicating the order of the steps. In addition, the technical solutions of the various embodiments can be combined with one another, but only on the basis that those of ordinary skill in the art can implement the combination. Where a combination of technical solutions is contradictory or cannot be implemented, that combination should be considered not to exist and is not within the scope of protection claimed by the present application.
Embodiment 1
As shown in FIG. 1, this embodiment of the present application provides a hijacking detection system for accounts co-managed by multiple people, including: functional modules, an event counting module, a server-side log recording module, an encrypted transmission module and an emergency response module. Specifically, in the system disclosed in this embodiment, the process of detecting hijacking when a user logs in includes:
S1. When a user logs in to the client, identity authentication is performed.
Specifically, when a user logs in to the client, the client generates a user login request and sends the user login request, the corresponding IP address (i.e., the login IP), the account and other information to the server for identity authentication. The user login request contains the login account and the account password. Based on the received user login request, the server determines whether the account password is correct. If it is correct, identity authentication succeeds; the server then looks up, based on the obtained login IP and account, the key for this login scenario in the key library, generates user login success data, and returns the key and the user login success data to the client to indicate that the user can operate normally. If it is incorrect, identity authentication fails; the server returns user login failure data to the client, and the user cannot log in.
S2. Query the user's login history: for a user who already has a login record, perform the first verification and perform count initialization if the first verification passes; for a user logging in for the first time, create a new local counter in the client and a new user counter in the server.
The local counter can be set up in two ways. In the first, the local counter is made up of multiple event counters. Different event counters are placed in different functional modules to record the number of events (i.e., user operations) occurring in that module, and all of them run locally on the user's side. When counting the use of the different functional modules of the whole platform or system the user is logged in to, each operation the user performs in a functional module increments that module's event counter by one; the counters of different functional modules count separately, and the local counter aggregates the count values of all event counters. In the second, the local counter is placed locally on the user's side, and whenever the user performs an operation in any functional module of the platform or system, the local counter is incremented by one.
Specifically, each time a user logs in, the server receives the login IP and account sent by the client, associates them, and records the association. The server can therefore determine from the recorded associations between login IPs and accounts whether the user has a login record. If the login IP and account received by the server at login already have a corresponding association in the server, the user has a login record; if they do not, the user has no login record (i.e., this is the first login).
When the currently logged-in user has a login record, the initial count value in the client's local counter for this login scenario is obtained and sent to the server. The server determines the corresponding user counter according to the user's login IP and account and compares the initial count value with the user counter value. If the initial count value equals the user counter value, the first verification passes; if it does not, the first verification fails.
The user counter is located in the server's log recording module and is used to count the server's responses to the operation request packets generated when the client's functional modules are operated. Different user counters are created according to login IP and account, and each records the number of server response operations for the corresponding user login. In normal use, the user counter and the local counter hold the same count value. If the user's cookie or other authentication information is hijacked, however, the local counter does not increase, while the attacker sends operations to the server and the server still responds to them. The user counter in the server therefore increases and no longer equals the local counter. For this reason, when the current user has a login record, the initial count value is verified in order to catch data hijacking that occurred after the user's previous login ended.
If the first verification fails, the emergency response module generates a data hijacking alarm that includes the login IP and account information of the currently logged-in user. The emergency response module disables the account corresponding to the account information in the data hijacking alarm and, according to the login IP and account information in the alarm, locates the cookie or other authentication information used and the abnormal operations, and provides them to security personnel for locating the abnormal operations.
If the first verification passes, count initialization is performed and the user can operate normally in the client: after the server detects that the currently logged-in user in the client has passed the first verification, it generates an initialization instruction and returns it to the client, the initialization instruction including an initialization value randomly generated by the server; the server looks up the corresponding user counter according to the account and login IP and sets the user counter value to the initialization value; after receiving the initialization instruction from the server, the client sets the local counter value to the initialization value. When the currently logged-in user is logging in for the first time, a local counter is created in the client to record the number of functional module operations, and a user counter is created in the server according to the login IP and account.
S3. After the user operation is completed, the current user's user counter value and local counter value are checked against each other to detect whether data hijacking has occurred.
Specifically, after the counters are initialized or after the user's first login, the user can use the functions of each module in the client normally. When the user operates the module functions, the client's local event counting module counts the operations for each module separately; at the same time, the user's operation requests are sent to the server, and on receiving a request the server also counts it with the user counter in the server's log recording module. After a functional module operation is completed, the client uses the encrypted transmission module to encrypt the local counter value with the key previously returned by the server and sends it to the server. The server decrypts it with the key and compares the decrypted local counter value with the corresponding user counter value. If they are equal, verification passes and the client can continue to be served. If they are not equal, verification fails: on receiving the verification failure information, the emergency response module generates a data hijacking alarm and immediately disables the account, and the most recent operation information recorded by the server's log recording module is sent to security personnel as an early warning, so that the hijacking behavior can be located.
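The counter exchange of steps S2 and S3, simulated in Python as an added example; it is not code from the patent. Assumptions: new counters start at 0, an HMAC-SHA256 tag over the counter stands in for the encrypted counter transmission (the Python standard library has no symmetric cipher), and all class, function, account and address names are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def tag_for(key, count):
    # Assumption: an HMAC tag stands in for the patent's encrypted counter value.
    return hmac.new(key, str(count).encode(), hashlib.sha256).digest()


class Server:
    """Server side: one user counter per (account, login IP) pair."""
    def __init__(self):
        self.user_counters = {}  # (account, ip) -> operations the server answered
        self.keys = {}           # (account, ip) -> key from the "key library"
        self.op_log = []         # (account, ip, operation), kept for responders
        self.alerts = []         # generated data hijacking alarms
        self.disabled = set()    # accounts disabled by emergency response

    def _alarm(self, account, ip, reason):
        self.disabled.add(account)
        ops = [op for a, i, op in self.op_log if (a, i) == (account, ip)]
        self.alerts.append({"account": account, "ip": ip, "reason": reason, "ops": ops})
        return False

    def login(self, account, ip, initial_count):
        """S2. Returns (key, initialization value), or None if login is refused."""
        if account in self.disabled:
            return None
        pair = (account, ip)
        key = self.keys.setdefault(pair, secrets.token_bytes(32))
        if pair not in self.user_counters:      # no login record for this pair
            self.user_counters[pair] = 0        # assumption: new counters start at 0
            return key, 0
        if initial_count != self.user_counters[pair]:
            self._alarm(account, ip, "first verification failed")
            return None
        init = secrets.randbelow(2**31)         # random initialization value
        self.user_counters[pair] = init
        return key, init

    def handle_operation(self, account, ip, operation):
        """Every answered request is counted, whoever actually sent it."""
        if account in self.disabled:
            return False
        pair = (account, ip)
        self.user_counters[pair] = self.user_counters.get(pair, 0) + 1
        self.op_log.append((account, ip, operation))
        return True

    def verify(self, account, ip, local_count, tag):
        """S3. Compare the reported local counter with the user counter."""
        if not hmac.compare_digest(tag, tag_for(self.keys[(account, ip)], local_count)):
            return self._alarm(account, ip, "counter report not authentic")
        if local_count != self.user_counters[(account, ip)]:
            return self._alarm(account, ip, "counter mismatch")
        return True


class Client:
    def __init__(self, server, account, ip):
        self.server, self.account, self.ip = server, account, ip
        self.local_counter, self.key = 0, None  # counter persists between sessions

    def login(self):
        result = self.server.login(self.account, self.ip, self.local_counter)
        if result is not None:
            self.key, self.local_counter = result
        return result is not None

    def operate(self, operation):
        if self.server.handle_operation(self.account, self.ip, operation):
            self.local_counter += 1

    def report(self):
        tag = tag_for(self.key, self.local_counter)
        return self.server.verify(self.account, self.ip, self.local_counter, tag)


def run_scenarios():
    """Constructed walk-through; account names and addresses are sample values."""
    server, out = Server(), {}
    a = Client(server, "scanner-shared", "198.51.100.7")
    b = Client(server, "scanner-shared-2", "198.51.100.8")
    for c in (a, b):                        # first login and one clean operation
        c.login()
        c.operate("start_scan")
        out["clean:" + c.account] = c.report()
    out["relogin"] = a.login()              # first verification passes, counters re-seeded
    a.operate("export_report")
    # Stolen session credentials reused by a third party during a's session:
    server.handle_operation(a.account, a.ip, "delete_task")
    out["hijacked_session"] = a.report()    # server counted one extra response
    # Stolen credentials reused after b's session ended:
    server.handle_operation(b.account, b.ip, "delete_task")
    out["next_login"] = b.login()           # caught by the first verification
    out["alerts"] = server.alerts
    return out
```

Each alarm carries the operations logged for that account and login IP, which is the material the emergency response step hands to security personnel.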
Embodiment 2
Corresponding to Embodiment 1 above, this embodiment of the present application further provides a data hijacking alarm method, as shown in FIG. 2, specifically as follows:
2100. When a user logs in to the client, the user's login IP, account and the initial count value in a local counter are obtained, the local counter being used to record the number of operations of each functional module in the client;
Preferably, when the user logs in to the client, the method further includes:
2110. The client generates a user login request and sends the user login request and the corresponding login IP to the server for identity authentication, the user login request containing an account and a password;
2120. If identity authentication succeeds, the server looks up the corresponding key in the key library based on the login IP and the account, generates user login success data, and returns it to the client.
2200. When the account has a login record for the login IP, it is judged, according to the initial count value and a preset verification condition, whether the currently logged-in user passes the first verification, and count initialization is performed for a currently logged-in user who passes the first verification;
Preferably, performing count initialization for a user who passes the first verification includes:
2100. After detecting that the currently logged-in user in the client has passed the first verification, the server generates an initialization instruction and returns it to the client, wherein the initialization instruction includes an initialization value randomly generated by the server;
2200. The server looks up the corresponding user counter according to the account and the login IP and sets the user counter value to the initialization value;
2300. After receiving the initialization instruction, the client sets the local counter value to the initialization value.
Preferably, when the account has a login record for the login IP, judging, according to the initial count value and the preset verification condition, whether the currently logged-in user passes the first verification includes:
2240. Query, according to the login IP and account of the currently logged-in user, the user counter value corresponding to the currently logged-in user in the server;
2250. If the initial count value is equal to the user counter value corresponding to the currently logged-in user, the currently logged-in user passes the first verification;
2260. If the initial count value is not equal to the user counter value corresponding to the currently logged-in user, a data hijacking alarm is generated.
Preferably, the method further includes:
2270. When the account has no login record for the login IP, a new local counter is created in the client, and a new user counter corresponding to the login IP and the user is created in the server.
2300、用户操作完成后,对比当前登录用户对应的用户计数器数值与本地计数器数值,其中,服务端中包含多个用户计数器,所述用户计数器根据不同登录IP以及账户分别记录服务端响应操作次数;2300. After the user operation is completed, the user counter value corresponding to the currently logged-in user is compared with the local counter value, wherein the server includes multiple user counters, and the user counters respectively record the number of times the server responds to the operation according to different login IPs and accounts;
优选的,所述用户操作完成后,对比用户计数器数值与本地计数器数值,包括:Preferably, after the user operation is completed, comparing the user counter value with the local counter value includes:
2310、所述客户端根据所述服务端返还的密钥对本地计数器数值进行加密,并将加密后的本地计数器数值传输至所述服务端;2310. The client encrypts the local counter value according to the key returned by the server, and transmits the encrypted local counter value to the server;
2320、所述服务端对所述加密后的本地计数器数值进行解密,并根据当前登录用户的IP地址和账户查询当前登录用户的用户计数器数值;2320. The server decrypts the encrypted local counter value, and queries the user counter value of the currently logged-in user according to the IP address and account of the currently logged-in user;
2330、所述服务端对比解密后本地计数器数值与当前登录用户的用户计数器数值。2330. The server compares the decrypted local counter value with the user counter value of the currently logged-in user.
2400、若所述用户计数器数值等于所述本地计数器数值,则所述账户正常使用;2400. If the value of the user counter is equal to the value of the local counter, the account is used normally;
2500、若所述用户计数器数值不等于所述本地计数器数值,则生成数据劫持告警。2500. If the user counter value is not equal to the local counter value, a data hijacking alarm is generated.
优选的,所述数据劫持告警包括当前登录用户的登录IP以及账户信息,所述方法还包括:Preferably, the data hijacking alarm includes the login IP and account information of the current logged-in user, and the method further includes:
2510、根据所述数据劫持告警中的账户信息,禁用所述账户信息对应的账户;2510. According to the account information in the data hijacking alarm, disable the account corresponding to the account information;
2520、根据所述数据劫持告警中的登录IP以及账户信息,查询记录的服务端响应操作以供安全人员查看。2520. According to the login IP and account information in the data hijacking alarm, query the recorded server response operation for security personnel to review.
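The counter exchange of steps 2110 to 2520 can be traced in the following Python simulation, which is an added example and not code from the patent. Assumptions made here: the class and method names are hypothetical, password checking is treated as already done, new counters start at 0, the account and IP values are constructed, and an HMAC-SHA256 tag over the reported counter stands in for the encryption of step 2310.

```python
import hmac
import secrets


class HijackAlert(Exception):
    """Data hijacking alarm; carries the login IP and account (steps 2260/2500)."""
    def __init__(self, account, login_ip, reason):
        super().__init__(f"{reason}: account={account} ip={login_ip}")
        self.account, self.login_ip, self.reason = account, login_ip, reason


def _tag(key, count):  # HMAC stand-in for the patent's encryption (step 2310)
    return hmac.digest(key, str(count).encode(), "sha256")


class Server:
    def __init__(self):
        self.user_counters = {}  # (account, login_ip) -> operations responded to
        self.keys = {}           # (account, login_ip) -> key (the "key store")
        self.audit_log = []      # recorded server responses, reviewed in step 2520
        self.disabled = set()    # accounts disabled by an alarm (step 2510)

    def login(self, account, login_ip, initial_count):
        if account in self.disabled:
            raise PermissionError("account disabled")
        slot = (account, login_ip)
        key = self.keys.setdefault(slot, secrets.token_bytes(32))
        if slot not in self.user_counters:   # 2270: no login record for this IP
            self.user_counters[slot] = 0     # assumption: new counters start at 0
            return key, 0
        if initial_count != self.user_counters[slot]:   # 2250/2260
            self._alarm(account, login_ip, "first verification failed")
        init_value = secrets.randbelow(2**32)  # server-generated random value
        self.user_counters[slot] = init_value
        return key, init_value

    def respond(self, account, login_ip, operation):
        self.user_counters[(account, login_ip)] += 1
        self.audit_log.append((account, login_ip, operation))

    def verify(self, account, login_ip, reported, tag):   # 2320-2500
        slot = (account, login_ip)
        authentic = hmac.compare_digest(tag, _tag(self.keys[slot], reported))
        if not authentic or reported != self.user_counters[slot]:
            self._alarm(account, login_ip, "counter mismatch")
        return True

    def _alarm(self, account, login_ip, reason):
        self.disabled.add(account)
        raise HijackAlert(account, login_ip, reason)


class Client:
    def __init__(self, server, account, login_ip):
        self.server, self.slot = server, (account, login_ip)
        self.local_counter, self.key = 0, None

    def login(self):
        self.key, self.local_counter = self.server.login(*self.slot, self.local_counter)

    def operate(self, operation):
        self.server.respond(*self.slot, operation)
        self.local_counter += 1

    def report(self):
        tag = _tag(self.key, self.local_counter)
        return self.server.verify(*self.slot, self.local_counter, tag)


def demo():
    server = Server()
    a = Client(server, "shared-scanner", "192.0.2.10")  # constructed sample values
    b = Client(server, "shared-scanner", "192.0.2.20")
    a.login()
    b.login()
    a.operate("start-scan")
    b.operate("export-report")
    normal = a.report() and b.report()  # two users share the account, no alarm
    # The server answers a request for a's (account, IP) that a's client never sent.
    server.respond("shared-scanner", "192.0.2.10", "download-results")
    try:
        a.report()
    except HijackAlert as alert:
        return normal, alert, server
```

Because the alarm disables the account itself (step 2510), every other user of the shared account is locked out as well until security personnel have reviewed the recorded operations.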
Embodiment 3
As shown in FIG. 3, corresponding to Embodiment 1 and Embodiment 2 above, an embodiment of the present application provides a data hijacking alarm system, the system comprising:
A preparation module 310, configured to obtain, when a user logs in to the client, the user's login IP, account, and the initial count value in the local counter, wherein the local counter is used to record the number of operations of each functional module in the client;
A verification module 320, configured to determine, when the account has a login record for the login IP, whether the currently logged-in user passes the first verification according to the initial count value and a preset verification condition, and to initialize the count for a currently logged-in user who passes the first verification;
An analysis module 330, configured to compare, after the user operation is completed, the user counter value corresponding to the currently logged-in user with the local counter value, wherein the server contains multiple user counters, and the user counters separately record the number of operations the server has responded to for each login IP and account;
A processing module 340, configured to allow normal use of the account when the user counter value is equal to the local counter value;
The processing module 340 is further configured to generate a data hijacking alarm when the user counter value is not equal to the local counter value.
In some embodiments, the processing module 340 is further configured to have the server, after detecting that the currently logged-in user in the client has passed the first verification, generate an initialization instruction and return it to the client, wherein the initialization instruction includes an initialization value randomly generated by the server; the processing module 340 is further configured to have the server query the corresponding user counter according to the account and login IP and set the user counter value to the initialization value; the processing module 340 is further configured to have the client, after receiving the initialization instruction, set the local counter value to the initialization value.
In some embodiments, the preparation module 310 is further configured to send, when the client generates a user login request, the user login request and the corresponding login IP to the server for identity authentication, wherein the user login request includes an account and a password; if the identity authentication succeeds, the preparation module 310 is further configured to have the server query the key store for the corresponding key based on the login IP and account, generate user login success data, and return it to the client.
In some embodiments, the analysis module 330 is further configured to query the server for the user counter value corresponding to the currently logged-in user according to the login IP and account of the currently logged-in user; if the initial count value is equal to the user counter value corresponding to the currently logged-in user, the analysis module 330 determines that the currently logged-in user has passed the first verification; if the initial count value is not equal to the user counter value corresponding to the currently logged-in user, the analysis module 330 determines that the currently logged-in user has not passed the first verification and generates a data hijacking alarm.
In some embodiments, the verification module 320 is further configured to create, when the account has no login record for the login IP, a new local counter in the client and a new user counter in the server corresponding to the login IP and the user.
In some embodiments, the analysis module 330 is further configured to have the client encrypt the local counter value with the key returned by the server and transmit the encrypted local counter value to the server; the analysis module 330 is further configured to have the server decrypt the encrypted local counter value and query the user counter value of the currently logged-in user according to the IP address and account of the currently logged-in user; the analysis module 330 is further configured to have the server compare the decrypted local counter value with the user counter value of the currently logged-in user.
In some embodiments, the processing module 340 is further configured to disable, according to the account information in the data hijacking alarm, the account corresponding to the account information; the processing module 340 is further configured to query, according to the login IP and account information in the data hijacking alarm, the recorded server response operations for security personnel to review.
Embodiment 4
Corresponding to all the above embodiments, an embodiment of the present application provides an electronic device, including:
One or more processors; and a memory associated with the one or more processors, the memory being used to store program instructions which, when read and executed by the one or more processors, perform the following operations:
When a user logs in to the client, obtain the user's login IP, account, and the initial count value in the local counter, wherein the local counter is used to record the number of operations of each functional module in the client;
When the account has a login record for the login IP, determine, according to the initial count value and a preset verification condition, whether the currently logged-in user passes the first verification, and initialize the count for a currently logged-in user who passes the first verification;
After the user operation is completed, compare the user counter value corresponding to the currently logged-in user with the local counter value, wherein the server contains multiple user counters, and the user counters separately record the number of operations the server has responded to for each login IP and account;
If the user counter value is equal to the local counter value, the account is in normal use;
If the user counter value is not equal to the local counter value, a data hijacking alarm is generated.
FIG. 4 shows an example architecture of the electronic device, which may include a processor 410, a video display adapter 411, a disk drive 412, an input/output interface 413, a network interface 414, and a memory 420. The processor 410, the video display adapter 411, the disk drive 412, the input/output interface 413, the network interface 414, and the memory 420 may be communicatively connected via a bus 430.
The processor 410 may be implemented as a general-purpose CPU (Central Processing Unit), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits, and is used to execute the relevant programs to implement the technical solution provided in this application.
The memory 420 may be implemented in the form of ROM (Read Only Memory), RAM (Random Access Memory), a static storage device, a dynamic storage device, and so on. The memory 420 may store an operating system 421 for controlling the operation of the electronic device 400 and a basic input/output system (BIOS) 422 for controlling the low-level operations of the electronic device 400. In addition, it may store a web browser 423, a data storage management system 424, an icon font processing system 425, and so on. The icon font processing system 425 may be the application program that implements the operations of the aforementioned steps in the embodiments of the present application. In short, when the technical solution provided in the present application is implemented in software or firmware, the relevant program code is stored in the memory 420 and is called and executed by the processor 410.
The input/output interface 413 is used to connect an input/output module to realize information input and output. The input/output module may be configured in the device as a component (not shown in the figure), or it may be externally connected to the device to provide the corresponding functions. Input devices may include a keyboard, a mouse, a touch screen, a microphone, various sensors, etc., and output devices may include a display, a speaker, a vibrator, an indicator light, etc.
The network interface 414 is used to connect a communication module (not shown in the figure) to realize communication between this device and other devices. The communication module may communicate in a wired manner (such as USB or a network cable) or in a wireless manner (such as a mobile network, WIFI, or Bluetooth).
The bus 430 includes a pathway for transmitting information between the components of the device (e.g., the processor 410, the video display adapter 411, the disk drive 412, the input/output interface 413, the network interface 414, and the memory 420).
In addition, the electronic device 400 can also obtain information on specific collection conditions from the virtual resource object collection condition information database for use in condition judgment, etc.
It should be noted that, although the above device shows only the processor 410, the video display adapter 411, the disk drive 412, the input/output interface 413, the network interface 414, the memory 420, the bus 430, etc., in a specific implementation the device may also include other components necessary for normal operation. In addition, those skilled in the art will understand that the above device may include only the components necessary for implementing the solution of the present application, and need not include all the components shown in the figure.
Embodiment 6
Corresponding to all the above embodiments, an embodiment of the present application further provides a computer-readable storage medium, characterized in that it stores a computer program, and the computer program causes a computer to perform the following operations:
When a user logs in to the client, obtain the user's login IP, account, and the initial count value in the local counter, wherein the local counter is used to record the number of operations of each functional module in the client;
When the account has a login record for the login IP, determine, according to the initial count value and a preset verification condition, whether the currently logged-in user passes the first verification, and initialize the count for a currently logged-in user who passes the first verification;
After the user operation is completed, compare the user counter value corresponding to the currently logged-in user with the local counter value, wherein the server contains multiple user counters, and the user counters separately record the number of operations the server has responded to for each login IP and account;
If the user counter value is equal to the local counter value, the account is in normal use;
If the user counter value is not equal to the local counter value, a data hijacking alarm is generated.
From the description of the above embodiments, those skilled in the art can clearly understand that the present application can be implemented by means of software plus a necessary general-purpose hardware platform. Based on this understanding, the technical solution of the present application, in essence or in the part that contributes to the prior art, can be embodied in the form of a software product. The computer software product can be stored in a storage medium, such as ROM/RAM, a magnetic disk, or an optical disk, and includes several instructions for causing a computer device (which may be a personal computer, a cloud server, a network device, etc.) to execute the methods described in the embodiments of the present application or in certain parts of the embodiments.
The embodiments in this specification are described in a progressive manner; for parts that are the same or similar between embodiments, the embodiments may be referred to one another, and each embodiment focuses on its differences from the other embodiments. In particular, since the system embodiments are basically similar to the method embodiments, they are described relatively briefly, and the relevant parts can be found in the description of the method embodiments. The systems and system embodiments described above are merely illustrative: the units described as separate components may or may not be physically separate, and the components displayed as units may or may not be physical units, that is, they may be located in one place or distributed across multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. A person of ordinary skill in the art can understand and implement it without creative effort.
The above is only a preferred embodiment of the present application and is not intended to limit the present application. Any modification, equivalent substitution, improvement, etc. made within the spirit and principles of the present application shall fall within the scope of protection of the present application.
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211033164.5A, CN115514531B (en) | 2022-08-26 | 2022-08-26 | Data hijacking alarm method, system, electronic device and storage medium |
| Publication Number | Publication Date |
|---|---|
| CN115514531A (en) | 2022-12-23 |
| CN115514531B (en) | 2024-05-10 |
| Application Number | Status | Priority Date | Filing Date | Title |
|---|---|---|---|---|
| CN202211033164.5A, CN115514531B (en) | Active | 2022-08-26 | 2022-08-26 | Data hijacking alarm method, system, electronic device and storage medium |
| Country | Link |
|---|---|
| CN (1) | CN115514531B (en) |
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |
| | CP03 | Change of name, title or address | Address after: 215168 Jiangsu Province, Suzhou City, Wuzhong Economic Development Zone, Guoqiang Street, Guanpu Road No. 1, Building 9; Patentee after: Suzhou Yuannao Intelligent Technology Co.,Ltd.; Country or region after: China; Address before: 215168 Jiangsu Province, Suzhou City, Wuzhong Economic Development Zone, Guoqiang Street, Guanpu Road No. 1, Building 9; Patentee before: SUZHOU LANGCHAO INTELLIGENT TECHNOLOGY Co.,Ltd.; Country or region before: China |