CN115514531B - Data hijacking alarm method, system, electronic equipment and storage medium - Google Patents
- Publication number
- CN115514531B (application number CN202211033164.5A)
- Authority
- CN
- China
- Prior art keywords
- user
- login
- counter value
- account
- server
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1466—Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
Abstract
The application provides a data hijacking alarm method, system, electronic device and storage medium. The method comprises the following steps: when a user logs in to a client, acquiring the login IP, the account of the user and an initial count value in a local counter, wherein the local counter is used for recording the number of operations of each functional module in the client; when a login record exists, judging whether the first verification is passed according to the initial count value and a preset verification condition, and initializing the count if the first verification is passed; after the user operation is finished, comparing the user counter value with the local counter value, wherein the server side comprises a plurality of user counters, and the user counters respectively record the number of response operations of the server side for different login IPs and accounts; if the user counter value is equal to the local counter value, the account is used normally; if not, a data hijacking alarm is generated. This improves the accuracy of data hijacking attack detection in the multi-person common management account scenario, and the abnormal account is rapidly disabled to improve system security.
Description
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a data hijacking alarm method, system, electronic device, and storage medium.
Background
In many applications, several people often share the same account because of rights-management restrictions, security concerns, limited resources and the like. For example, if a scanner provides only one account and multiple operators in a department need to use it, one account will inevitably have multiple users. With such a multi-person common management account, the number of login nodes increases, so the number of attackable targets increases and so does the security risk of the account being hijacked by a hacker. When a security problem does occur, how to trace it quickly to its source and respond to the emergency in time is also a problem many enterprises currently need to solve.
In the prior art, part of the solution to hijacking by hackers relies on detecting IP addresses: user accounts that have logged in from any proxy IP address in a proxy IP address library are collected, and one or more target accounts that frequently use proxy IP addresses are screened out of them. From the undetermined IP addresses those target accounts have logged in from, the ones meeting preset conditions are screened out; these are the IP addresses of hijacked network terminals. Although this solution can effectively detect the IP address of a hijacked network terminal, it cannot be applied to multi-person common management accounts.
Therefore, a data hijacking alarm method for a multi-person common-control account is needed to solve the above technical problems in the prior art.
Disclosure of Invention
In order to solve the defects in the prior art, the main purpose of the invention is to provide a data hijacking alarm method, a system, an electronic device and a storage medium, so as to solve the technical problems in the prior art.
To achieve the above object, in a first aspect, the present invention provides a data hijacking alarm method, the method comprising:
When a user logs in a client, acquiring login IP (Internet protocol) of the user, an account and an initial count value in a local counter, wherein the local counter is used for recording the operation times of each functional module in the client;
When the account has the login record of the login IP, judging whether the current login user passes the first verification according to the initial count value and a preset verification condition, and counting and initializing the current login user passing the first verification;
After user operation is completed, comparing a user counter value corresponding to a current login user with a local counter value, wherein the server side comprises a plurality of user counters, and the user counters record response operation times of the server side according to different login IP and accounts respectively;
If the user counter value is equal to the local counter value, the account is normally used;
and if the user counter value is not equal to the local counter value, generating a data hijacking alarm.
In some embodiments, the initializing the count of users that pass the first authentication includes:
after the server detects that the current login user in the client passes the first verification, generating an initialization instruction, and returning the initialization instruction to the client, wherein the initialization instruction comprises an initialization value randomly generated by the server;
The server inquires a corresponding user counter according to the account and login IP and adjusts the user counter value to the initialization value;
And after the client receives the initialization instruction, the local counter value is adjusted to be the initialization value.
In some embodiments, when the user logs into the client, the method further comprises:
The client generates a user login request, and sends the user login request and a corresponding login IP to the server for identity authentication, wherein the user login request comprises an account and a password;
and if the identity authentication is successful, the server inquires a corresponding key in a key bank based on the login IP and the account, generates user login success data and returns the user login success data to the client.
In some embodiments, when the account has a login record of the login IP, determining whether the current login user passes the first verification according to the initial count value and a preset verification condition includes:
inquiring a user counter value corresponding to the current login user in the server according to the login IP and the account of the current login user;
If the initial count value is equal to the user counter value corresponding to the current login user, the current login user passes the first verification;
and if the initial count value is not equal to the user counter value corresponding to the current login user, generating a data hijacking alarm.
In some embodiments, the method further comprises:
When the account does not have the login record of the login IP, a local counter is newly built in the client, and a user counter corresponding to the login IP and the user is newly built in the server.
In some embodiments, comparing the user counter value to the local counter value after the user operation is completed comprises:
the client encrypts the local counter value according to the key returned by the server and transmits the encrypted local counter value to the server;
the server decrypts the encrypted local counter value and inquires the user counter value of the current login user according to the IP address and the account of the current login user;
and the server compares the decrypted local counter value with the user counter value of the current login user.
In some embodiments, the data hijacking alert includes a login IP of the currently logged-in user and account information, the method further comprising:
according to the account information in the data hijacking alarm, disabling an account corresponding to the account information; and inquiring the recorded server response operation for the security personnel to check according to the login IP and the account information in the data hijack alarm.
In a second aspect, the present application provides a data hijacking alert system, the system comprising:
The preparation module is used for acquiring login IP (Internet protocol) of the user, an account and an initial count value in a local counter when the user logs in the client, wherein the local counter is used for recording the operation times of each functional module in the client;
The verification module is used for judging whether the current login user passes the first verification according to the initial count value and a preset verification condition when the login record of the login IP exists in the account, and counting and initializing the current login user passing the first verification;
The analysis module is used for comparing the user counter value corresponding to the current login user with the local counter value after the user operation is completed, wherein the server side comprises a plurality of user counters, and the user counters record response operation times of the server side according to different login IP and accounts respectively;
The processing module is used for normally using the account when the user counter value is equal to the local counter value;
The processing module is further configured to generate a data hijacking alarm when the user counter value is not equal to the local counter value.
In a third aspect, the present application provides an electronic device, including:
One or more processors;
And a memory associated with the one or more processors, the memory for storing program instructions that, when read for execution by the one or more processors, perform the following:
When a user logs in a client, acquiring login IP (Internet protocol) of the user, an account and an initial count value in a local counter, wherein the local counter is used for recording the operation times of each functional module in the client;
When the account has the login record of the login IP, judging whether the current login user passes the first verification according to the initial count value and a preset verification condition, and counting and initializing the current login user passing the first verification;
After user operation is completed, comparing a user counter value corresponding to a current login user with a local counter value, wherein the server side comprises a plurality of user counters, and the user counters record response operation times of the server side according to different login IP and accounts respectively;
If the user counter value is equal to the local counter value, the account is normally used;
and if the user counter value is not equal to the local counter value, generating a data hijacking alarm.
In a fourth aspect, the present application also provides a computer-readable storage medium having stored thereon a computer program that causes a computer to perform the operations of:
When a user logs in a client, acquiring login IP (Internet protocol) of the user, an account and an initial count value in a local counter, wherein the local counter is used for recording the operation times of each functional module in the client;
When the account has the login record of the login IP, judging whether the current login user passes the first verification according to the initial count value and a preset verification condition, and counting and initializing the current login user passing the first verification;
After user operation is completed, comparing a user counter value corresponding to a current login user with a local counter value, wherein the server side comprises a plurality of user counters, and the user counters record response operation times of the server side according to different login IP and accounts respectively;
If the user counter value is equal to the local counter value, the account is normally used;
and if the user counter value is not equal to the local counter value, generating a data hijacking alarm.
The beneficial effects achieved by the application are as follows:
The application provides a data hijacking alarm method, which comprises the following steps: when a user logs in to a client, acquiring the login IP of the user, the account and an initial count value in a local counter, wherein the local counter is used for recording the number of operations of each functional module in the client; when the account has a login record for the login IP, judging whether the current login user passes the first verification according to the initial count value and a preset verification condition, and initializing the count for a current login user who passes the first verification; after the user operation is completed, comparing the user counter value corresponding to the current login user with the local counter value, wherein the server side comprises a plurality of user counters, and the user counters respectively record the number of response operations of the server side for different login IPs and accounts; if the user counter value is equal to the local counter value, the account is used normally; and if the user counter value is not equal to the local counter value, generating a data hijacking alarm. Hijacking attacks on a multi-person common management account are thereby effectively detected and an emergency response is carried out: abnormal operations by an attacker after a session is hijacked can be detected, and identification is still possible even if the attacker disguises the IP. This improves the accuracy of hijacking attack detection, so that the account can be rapidly disabled to protect system security.
Drawings
For a clearer description of the technical solutions of the embodiments of the present application, the drawings that are needed in the description of the embodiments will be briefly introduced below, it being obvious that the drawings in the description below are only some embodiments of the present application, and that other drawings can be obtained according to these drawings without inventive effort for a person skilled in the art, wherein:
Fig. 1 is a schematic diagram of a hijacking detection method according to an embodiment of the present application;
Fig. 2 is a flowchart of a data hijacking alarm method provided by an embodiment of the present application;
Fig. 3 is a diagram of a data hijacking alarm system according to an embodiment of the present application;
Fig. 4 is a block diagram of an electronic device according to an embodiment of the present application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present application more apparent, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, and it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments of the present application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
It should be understood that throughout this specification and the claims, unless the context clearly requires otherwise, the words "comprise", "comprising", and the like, are to be construed in an inclusive sense as opposed to an exclusive or exhaustive sense; that is, it is the meaning of "including but not limited to".
It should also be appreciated that the terms "first," "second," and the like are used for descriptive purposes only and are not to be construed as indicating or implying relative importance. Furthermore, in the description of the present application, unless otherwise indicated, the meaning of "a plurality" is two or more.
It should be noted that the terms "S1", "S2" and the like are used only to describe the steps and to facilitate the description of the method; they do not indicate a specific order or sequence of steps and do not limit the present application. In addition, the technical solutions of the embodiments may be combined with each other, provided that the combination can be realized by those skilled in the art; when technical solutions are contradictory or cannot be realized, the combination should be considered absent and outside the scope of protection claimed in the present application.
Example 1
As shown in Fig. 1, an embodiment of the present application provides a hijacking detection system for a multi-person common management account, including a functional module, an event counting module, a server log recording module, an encryption transmission module and an emergency response module. Specifically, the process by which the system disclosed in this embodiment detects hijacking when a user logs in includes:
S1, when a user logs in a client, identity verification is performed.
Specifically, when a user logs in to the client, the client generates a user login request and sends it, together with the corresponding IP address (i.e. the login IP), the account and other information, to the server for identity verification. The user login request includes a login account and an account password. The server judges from the received user login request whether the account password is correct. If it is correct, identity verification succeeds; the server then queries the key bank for the key for this login scenario based on the acquired login IP and account, generates user login success data, and returns the key and the user login success data to the client so that the user can operate normally. If it is incorrect, identity verification fails; the server then returns user login failure data to the client and the user cannot log in.
S2, querying the user's login status, performing the first verification on a user with a login record, and initializing the count for a user who passes the first verification; for a user logging in for the first time, a local counter is newly created in the client and a user counter is newly created in the server.
The local counter can be set up in two ways. In the first, the local counter is composed of a plurality of event counters; different event counters are placed in different functional modules to record the number of events (i.e. user operations) that occur in each module, and all event counters run locally on the user's side. When usage of the whole platform or of the different functional modules of the system the user has logged in to is counted, each operation the user performs in a functional module increments the event counter of that module by one; the counters of different functional modules count independently, and the local counter totals the count values of all the event counters. In the second, a single local counter is set locally on the user's side, and when the different functional modules of the whole platform or system the user has logged in to are counted, the local counter is incremented by one whenever the user performs an operation in any functional module.
Specifically, for each user the server associates and records the login IP and account sent by the client, so it can judge from the recorded associations between login IPs and accounts whether the user has a login record. If the login IP and account received by the server at login have a corresponding association on the server, the user has a login record; if they do not, the user has no login record (i.e. this is a first login).
When the current login user has a login record, the initial count value in the local counter of the client for this login scenario is acquired and sent to the server. The server determines the corresponding user counter from the user's login IP and account and compares the initial count value with the user counter value: if they are equal, the first verification is passed; if they are not equal, the first verification is not passed. The user counter is located in the log recording module of the server and records the number of responses the server makes to the operation request packets generated when the client's functional modules are operated; different user counters are created per login IP and account, so that the server's response operations are counted separately for each user login. In normal use the count value of the user counter is consistent with the count value of the local counter. If the user's cookie or other authentication information is hijacked, the attacker can send operations to the server and the server will still respond to them, so the user counter on the server increases while the local counter does not, and the two values differ. The initial count value is therefore verified whenever the current user has a login record, to guard against the case where the user was hijacked after the previous login ended.
If the first verification is not passed, the emergency response module generates a data hijacking alarm containing the login IP and account information of the current login user. According to the data hijacking alarm, the emergency response module disables the account corresponding to the account information in the alarm, and uses the login IP and account information in the alarm to locate the authentication information (such as cookies) used by the user and the abnormal operations, so that security personnel can examine the abnormal operations. If the first verification is passed, the count is initialized and the user can operate normally in the client: after detecting that the current login user in the client has passed the first verification, the server generates an initialization instruction containing an initialization value randomly generated by the server and returns it to the client; the server queries the corresponding user counter according to the account and login IP and sets the user counter value to the initialization value; after receiving the initialization instruction from the server, the client sets the local counter value to the initialization value. When the current login user is logging in for the first time, a local counter is created in the client to record the number of operations of the functional modules, and a user counter is created on the server according to the login IP and account.
S3, after the user operation is finished, verifying the user counter value and the local counter value of the current user to detect whether data hijacking has occurred.
Specifically, after the counter has been initialized or the user has logged in for the first time, the user can use the functions of the modules in the client normally. As the user operates the functions of each module, the event counter module local to the client counts the different modules separately; at the same time, each operation request is sent to the server, and on receiving it the server counts it through the user counter in its log recording module. After the operation of the functional module is completed, the client encrypts the local counter value through the encryption transmission module, using the key previously returned by the server, and sends the encrypted value to the server. The server decrypts it with the key and compares the decrypted local counter value with the corresponding user counter value. If they are equal, verification passes and the client can continue to be served. If they are not equal, verification fails: on receiving the failure information the emergency response module generates a data hijacking alarm and the account is disabled immediately, while the log recording module of the server records the latest operation information and raises it to security personnel as an early warning, so that the hijacking behavior can be located.
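The S1 to S3 flow of this embodiment, as an added Python example that is not code from the patent: it keeps one user counter per (login IP, account) pair and shows how a request the client never counted produces the alarm. All class and function names, the sample addresses and the password are constructed assumptions, and an HMAC tag over the reported counter stands in for the encryption step, which the text does not specify.

```python
import hashlib
import hmac
import secrets


def seal(key, count):
    """Integrity tag over the reported counter (HMAC stand-in, an assumption,
    for the encryption step the text leaves unspecified)."""
    return hmac.new(key, str(count).encode(), hashlib.sha256).digest()


class Server:
    def __init__(self, passwords):
        self.passwords = passwords   # account -> password (constructed demo data)
        self.counters = {}           # (login IP, account) -> user counter value
        self.keys = {}               # (login IP, account) -> key ("key bank")
        self.log = []                # responded operations, kept for review
        self.alarms = []
        self.disabled = set()

    def _alarm(self, who, reason):
        ip, account = who
        self.alarms.append({"ip": ip, "account": account, "reason": reason})
        self.disabled.add(account)   # emergency response: disable the account

    def login(self, ip, account, password, initial_count):
        """S1 and S2: authenticate, run the first verification, initialise."""
        who = (ip, account)
        expected = self.passwords.get(account, "")
        if account in self.disabled or not hmac.compare_digest(
                expected.encode(), password.encode()):
            return None
        if who in self.counters and initial_count != self.counters[who]:
            self._alarm(who, "first verification failed")
            return None
        key = self.keys.setdefault(who, secrets.token_bytes(32))
        init = secrets.randbelow(2 ** 32)   # random initialisation value
        self.counters[who] = init           # assumption: a first login starts here too
        return key, init

    def handle_operation(self, ip, account, operation):
        """Respond to one operation request and count the response."""
        who = (ip, account)
        if account in self.disabled or who not in self.counters:
            return False
        self.counters[who] += 1
        self.log.append((ip, account, operation))
        return True

    def verify(self, ip, account, reported, tag):
        """S3: compare the reported local counter with the user counter."""
        who = (ip, account)
        ok = (hmac.compare_digest(tag, seal(self.keys[who], reported))
              and reported == self.counters[who])
        if not ok:
            self._alarm(who, "counter mismatch after operation")
        return ok


class Client:
    def __init__(self, server, ip, account):
        self.server, self.ip, self.account = server, ip, account
        self.local_counter = 0       # persists between logins on this machine
        self.key = None

    def login(self, password):
        reply = self.server.login(self.ip, self.account, password,
                                  self.local_counter)
        if reply is None:
            return False
        self.key, self.local_counter = reply
        return True

    def operate(self, operation):
        self.local_counter += 1      # second counter layout: one count per operation
        return self.server.handle_operation(self.ip, self.account, operation)

    def report(self):
        return self.server.verify(self.ip, self.account, self.local_counter,
                                  seal(self.key, self.local_counter))


def run_scenario(hijack):
    """Two operators share one account; optionally one uncounted request arrives."""
    server = Server({"scanner": "constructed-password"})
    alice = Client(server, "10.0.0.5", "scanner")
    bob = Client(server, "10.0.0.9", "scanner")
    assert alice.login("constructed-password") and bob.login("constructed-password")
    alice.operate("start_scan")
    bob.operate("export_report")
    if hijack:
        # A request carrying alice's session data that her client did not send:
        # the server responds and counts it, her local counter does not move.
        server.handle_operation("10.0.0.5", "scanner", "export_report")
    return alice.report(), bob.report(), server
```

Because the counters are keyed by login IP as well as account, the alarm names the affected login even though both operators use the same account.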
Example 2
Corresponding to the first embodiment, the embodiment of the present application further provides a data hijacking alarm method, as shown in fig. 2, which specifically includes the following steps:
2100. When a user logs in a client, acquiring login IP (Internet protocol) of the user, an account and an initial count value in a local counter, wherein the local counter is used for recording the operation times of each functional module in the client;
Preferably, when the user logs in to the client, the method further comprises:
2110. The client generates a user login request, and sends the user login request and a corresponding login IP to the server for identity authentication, wherein the user login request comprises an account and a password;
2120. And if the identity authentication is successful, the server inquires a corresponding key in a key bank based on the login IP and the account, generates user login success data and returns the user login success data to the client.
2200. When the account has the login record of the login IP, judging whether the current login user passes the first verification according to the initial count value and a preset verification condition, and counting and initializing the current login user passing the first verification;
Preferably, the initializing the count of the users passing the first authentication includes:
2100. After the server detects that the current login user in the client passes the first verification, generating an initialization instruction, and returning the initialization instruction to the client, wherein the initialization instruction comprises an initialization value randomly generated by the server;
2200. The server inquires a corresponding user counter according to the account and login IP and adjusts the user counter value to the initialization value;
2300. And after the client receives the initialization instruction, the local counter value is adjusted to be the initialization value.
Preferably, when the account has a login record of the login IP, determining whether the current login user passes the first verification according to the initial count value and a preset verification condition includes:
2240. Inquiring a user counter value corresponding to the current login user in the server according to the login IP and the account of the current login user;
2250. If the initial count value is equal to the user counter value corresponding to the current login user, the current login user passes the first verification;
2260. And if the initial count value is not equal to the user counter value corresponding to the current login user, generating a data hijacking alarm.
Preferably, the method further comprises:
2270. When the account does not have the login record of the login IP, a local counter is newly built in the client, and a user counter corresponding to the login IP and the user is newly built in the server.
2300. After user operation is completed, comparing a user counter value corresponding to a current login user with a local counter value, wherein the server side comprises a plurality of user counters, and the user counters record response operation times of the server side according to different login IP and accounts respectively;
Preferably, after the user operation is completed, comparing the user counter value with the local counter value, including:
2310. The client encrypts the local counter value according to the key returned by the server and transmits the encrypted local counter value to the server;
2320. The server decrypts the encrypted local counter value and inquires the user counter value of the current login user according to the IP address and the account of the current login user;
2330. The server compares the decrypted local counter value with the user counter value of the current login user.
2400. If the user counter value is equal to the local counter value, the account is normally used;
2500. If the user counter value is not equal to the local counter value, generating a data hijacking alarm.
Preferably, the data hijacking alarm comprises login IP of the current login user and account information, and the method further comprises:
2510. According to the account information in the data hijacking alarm, disabling an account corresponding to the account information;
2520. According to the login IP and the account information in the data hijacking alarm, querying the recorded server response operations for security personnel to review.
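The counter exchange in steps 2200 to 2500 can be followed in code. The sketch below is an added example, not code from the patent: the class and method names, the starting value 0 for a newly created counter, and the HMAC-SHA256 keystream-plus-tag stand-in for the cipher (the text names none) are all assumptions.

```python
import hashlib
import hmac
import secrets
import struct


def _mac(key, label, data):
    return hmac.new(key, label + data, hashlib.sha256).digest()


def seal(key, counter):
    """Stand-in cipher (the page names none): HMAC keystream plus tag."""
    nonce = secrets.token_bytes(16)
    pad = _mac(key, b"enc", nonce)
    body = bytes(a ^ b for a, b in zip(struct.pack(">Q", counter), pad))
    return nonce + body + _mac(key, b"mac", nonce + body)


def unseal(key, blob):
    nonce, body, tag = blob[:16], blob[16:24], blob[24:]
    if not hmac.compare_digest(tag, _mac(key, b"mac", nonce + body)):
        raise ValueError("counter report failed its integrity check")
    pad = _mac(key, b"enc", nonce)
    return struct.unpack(">Q", bytes(a ^ b for a, b in zip(body, pad)))[0]


class Server:
    def __init__(self):
        self.counters = {}  # (account, login IP) -> user counter
        self.keys = {}      # key store with the same index
        self.alarms = []    # data hijacking alarms: (account, login IP, reason)

    def login(self, account, ip, initial_count):
        who = (account, ip)
        key = self.keys.setdefault(who, secrets.token_bytes(32))
        if who not in self.counters:               # no login record: new counter
            self.counters[who] = 0                 # assumed starting value
        elif initial_count != self.counters[who]:  # first verification fails
            self.alarms.append((account, ip, "first verification failed"))
            return None
        else:                                      # passed: random re-initialization
            self.counters[who] = secrets.randbelow(2**32)
        return key, self.counters[who]

    def respond(self, account, ip):
        self.counters[(account, ip)] += 1          # one response operation

    def verify(self, account, ip, blob):
        who = (account, ip)
        if unseal(self.keys[who], blob) == self.counters[who]:
            return True
        self.alarms.append((account, ip, "counter mismatch after operation"))
        return False


class Client:
    def __init__(self, account, ip):
        self.account, self.ip, self.key = account, ip, None
        self.local_counter = 0                     # kept between logins

    def login(self, server):
        grant = server.login(self.account, self.ip, self.local_counter)
        if grant is not None:
            self.key, self.local_counter = grant
        return grant is not None

    def operate(self, server):
        server.respond(self.account, self.ip)
        self.local_counter += 1

    def report(self, server):
        blob = seal(self.key, self.local_counter)
        return server.verify(self.account, self.ip, blob)


def demo():
    server, alice = Server(), Client("alice", "203.0.113.7")  # constructed values
    alice.login(server)
    alice.operate(server)
    normal = alice.report(server)            # counters agree
    relogin = alice.login(server)            # first verification passes, re-seeded
    server.respond(alice.account, alice.ip)  # a request this client never made
    return normal, relogin, alice.report(server), server.alarms
```

In a deployment the `seal`/`unseal` stand-in would be replaced by a vetted authenticated cipher keyed from the server's key store.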
Example III
As shown in fig. 3, corresponding to the first and second embodiments, an embodiment of the present application provides a data hijacking alarm system, where the system includes:
The preparation module 310 is configured to obtain, when a user logs in to a client, a login IP of the user, an account, and an initial count value in a local counter, where the local counter is used to record operation times of each functional module in the client;
The verification module 320 is configured to determine, when the account has a login record of the login IP, whether the current login user passes a first verification according to the initial count value and a preset verification condition, and to initialize the count for the current login user who passes the first verification;
The analysis module 330 is configured to compare a user counter value corresponding to the current login user with a local counter value after the user operation is completed, where the server includes a plurality of user counters, and the user counters record response operation times of the server according to different login IPs and accounts respectively;
The processing module 340 is configured to treat the account as normally used when the user counter value is equal to the local counter value;
The processing module 340 is further configured to generate a data hijacking alarm when the user counter value is not equal to the local counter value.
In some embodiments, the processing module 340 is further configured to generate an initialization instruction based on the server after detecting, by the server, that the current login user in the client passes the first verification, and return the initialization instruction to the client, where the initialization instruction includes an initialization value randomly generated by the server; the processing module 340 is further configured to query a corresponding user counter according to the account and login IP by using the server, and adjust the user counter value to the initialization value; the processing module 340 is further configured to adjust the local counter value to the initialization value by using the client after the client receives the initialization instruction.
In some embodiments, the preparation module 310 is further configured to send, when the client generates a user login request, the user login request and a corresponding login IP to the server for identity authentication, where the user login request includes an account and a password; if the identity authentication is successful, the preparation module 310 is further configured to use the server to query the corresponding key in the key store based on the login IP and the account, generate user login success data, and return the user login success data to the client.
In some embodiments, the analysis module 330 is further configured to query a user counter value corresponding to the current login user in the server according to the login IP and the account of the current login user; if the initial count value is equal to the user counter value corresponding to the current login user, the analysis module 330 determines that the current login user passes the first verification; if the initial count value is not equal to the user counter value corresponding to the current login user, the analysis module 330 determines that the current login user fails the first verification and generates a data hijacking alarm.
In some embodiments, the verification module 320 is further configured to create a local counter in the client and create a user counter corresponding to the login IP and the user in the server when the login record of the login IP does not exist in the account.
In some embodiments, the analysis module 330 is further configured to encrypt the local counter value with the client according to the key returned by the server, and transmit the encrypted local counter value to the server; the analysis module 330 is further configured to decrypt the encrypted local counter value by using the server, and query the user counter value of the current login user according to the IP address and the account of the current login user; the analysis module 330 is further configured to compare the decrypted local counter value with a user counter value of a current logged-in user by using the server.
In some embodiments, the processing module 340 is further configured to disable an account corresponding to the account information according to the account information in the data hijacking alarm; the processing module 340 is further configured to query the recorded server response operations for security personnel to review according to the login IP and the account information in the data hijacking alarm.
Example IV
Corresponding to all the embodiments described above, an embodiment of the present application provides an electronic device, including:
one or more processors; and a memory associated with the one or more processors, the memory for storing program instructions that, when read for execution by the one or more processors, perform the following:
When a user logs in a client, acquiring login IP (Internet protocol) of the user, an account and an initial count value in a local counter, wherein the local counter is used for recording the operation times of each functional module in the client;
When the account has the login record of the login IP, judging whether the current login user passes the first verification according to the initial count value and a preset verification condition, and counting and initializing the current login user passing the first verification;
After user operation is completed, comparing a user counter value corresponding to a current login user with a local counter value, wherein the server side comprises a plurality of user counters, and the user counters record response operation times of the server side according to different login IP and accounts respectively;
If the user counter value is equal to the local counter value, the account is normally used;
and if the user counter value is not equal to the local counter value, generating a data hijacking alarm.
Fig. 4 illustrates an architecture of an electronic device, which may include a processor 410, a video display adapter 411, a disk drive 412, an input/output interface 413, a network interface 414, and a memory 420, among others. The processor 410, video display adapter 411, disk drive 412, input/output interface 413, network interface 414, and memory 420 may be communicatively coupled via bus 430.
The processor 410 may be implemented by a general-purpose CPU (Central Processing Unit), a microprocessor, an Application Specific Integrated Circuit (ASIC), or one or more integrated circuits, etc. for executing related programs to implement the technical solution provided by the present application.
The memory 420 may be implemented in the form of ROM (Read Only Memory), RAM (Random Access Memory), static storage, dynamic storage, etc. The memory 420 may store an operating system 421 for controlling the execution of the electronic device 400, and a Basic Input Output System (BIOS) 422 for controlling the low-level operation of the electronic device 400. In addition, a web browser 423, a data storage management system 424, an icon font processing system 425, and the like may also be stored. The icon font processing system 425 may be an application program that implements the operations of the foregoing steps in embodiments of the present application. In general, when the technical solution provided by the present application is implemented by software or firmware, relevant program codes are stored in the memory 420 and invoked by the processor 410 for execution.
The input/output interface 413 is used to connect to an input/output module to realize information input and output. The input/output module may be configured as a component in a device (not shown) or may be external to the device to provide corresponding functionality. Wherein the input devices may include a keyboard, mouse, touch screen, microphone, various types of sensors, etc., and the output devices may include a display, speaker, vibrator, indicator lights, etc.
The network interface 414 is used to connect communication modules (not shown) to enable communication interactions of the device with other devices. The communication module may implement communication through a wired manner (such as USB, network cable, etc.), or may implement communication through a wireless manner (such as mobile network, WIFI, bluetooth, etc.).
Bus 430 includes a path to transfer information between various components of the device (e.g., processor 410, video display adapter 411, disk drive 412, input/output interface 413, network interface 414, and memory 420).
In addition, the electronic device 400 may also obtain information of specific acquisition conditions from the virtual resource object acquisition condition information database, for performing condition judgment, and so on.
It should be noted that although the above devices only show the processor 410, the video display adapter 411, the disk drive 412, the input/output interface 413, the network interface 414, the memory 420, the bus 430, and the like, in the specific implementation, the device may further include other components necessary to achieve normal execution. Furthermore, it will be appreciated by those skilled in the art that the apparatus may include only the components necessary to implement the present application, and not all of the components shown in the drawings.
Example VI
Corresponding to all the above embodiments, the embodiments of the present application further provide a computer-readable storage medium, characterized in that it stores a computer program that causes a computer to operate as follows:
When a user logs in a client, acquiring login IP (Internet protocol) of the user, an account and an initial count value in a local counter, wherein the local counter is used for recording the operation times of each functional module in the client;
When the account has the login record of the login IP, judging whether the current login user passes the first verification according to the initial count value and a preset verification condition, and counting and initializing the current login user passing the first verification;
After user operation is completed, comparing a user counter value corresponding to a current login user with a local counter value, wherein the server side comprises a plurality of user counters, and the user counters record response operation times of the server side according to different login IP and accounts respectively;
If the user counter value is equal to the local counter value, the account is normally used;
and if the user counter value is not equal to the local counter value, generating a data hijacking alarm.
From the above description of embodiments, it will be apparent to those skilled in the art that the present application may be implemented in software plus a necessary general hardware platform. Based on such understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art in the form of a software product, which may be stored in a storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, etc., and includes several instructions for causing a computer device (which may be a personal computer, a cloud server, or a network device, etc.) to execute the method described in the embodiments or some parts of the embodiments of the present application.
In this specification, each embodiment is described in a progressive manner, and identical and similar parts of each embodiment are all referred to each other, and each embodiment mainly describes differences from other embodiments. In particular, for a system or system embodiment, since it is substantially similar to a method embodiment, the description is relatively simple, with reference to the description of the method embodiment being made in part. The systems and system embodiments described above are merely illustrative, wherein the elements illustrated as separate elements may or may not be physically separate, and the elements shown as elements may or may not be physical elements, may be located in one place, or may be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
The foregoing description of the preferred embodiments of the application is not intended to limit the application to the precise form disclosed, and any such modifications, equivalents, and alternatives falling within the spirit and scope of the application are intended to be included within the scope of the application.
Claims (10)
1. A data hijacking alarm method, the method comprising:
When a user logs in a client, acquiring login IP (Internet protocol) of the user, an account and an initial count value in a local counter, wherein the local counter is used for recording the operation times of each functional module in the client;
When the account has the login record of the login IP, judging whether the current login user passes the first verification according to the initial count value and a preset verification condition, and counting and initializing the current login user passing the first verification;
After user operation is completed, comparing a user counter value corresponding to a current login user with a local counter value, wherein the server side comprises a plurality of user counters, and the user counters record response operation times of the server side according to different login IP and accounts respectively;
If the user counter value is equal to the local counter value, the account is normally used;
and if the user counter value is not equal to the local counter value, generating a data hijacking alarm.
2. The method of claim 1, wherein initializing the count of users that pass the first authentication comprises:
after the server detects that the current login user in the client passes the first verification, generating an initialization instruction, and returning the initialization instruction to the client, wherein the initialization instruction comprises an initialization value randomly generated by the server;
The server inquires a corresponding user counter according to the account and login IP and adjusts the user counter value to the initialization value;
And after the client receives the initialization instruction, the local counter value is adjusted to be the initialization value.
3. The method of claim 2, wherein when the user logs into the client, the method further comprises:
The client generates a user login request, and sends the user login request and a corresponding login IP to the server for identity authentication, wherein the user login request comprises an account and a password;
and if the identity authentication is successful, the server inquires a corresponding key in a key bank based on the login IP and the account, generates user login success data and returns the user login success data to the client.
4. The method of claim 3, wherein when the account has a login record of the login IP, determining whether the current login user passes the first verification according to the initial count value and a preset verification condition includes:
inquiring a user counter value corresponding to the current login user in the server according to the login IP and the account of the current login user;
If the initial count value is equal to the user counter value corresponding to the current login user, the current login user passes the first verification;
and if the initial count value is not equal to the user counter value corresponding to the current login user, generating a data hijacking alarm.
5. The method according to claim 1, wherein the method further comprises:
When the account does not have the login record of the login IP, a local counter is newly built in the client, and a user counter corresponding to the login IP and the user is newly built in the server.
6. A method according to claim 3, wherein comparing the user counter value with the local counter value after the user operation is completed, comprises:
the client encrypts the local counter value according to the key returned by the server and transmits the encrypted local counter value to the server;
the server decrypts the encrypted local counter value and inquires the user counter value of the current login user according to the IP address and the account of the current login user;
and the server compares the decrypted local counter value with the user counter value of the current login user.
7. The method of claim 1, wherein the data hijacking alert includes a login IP of the currently logged-in user and account information, the method further comprising:
According to the account information in the data hijacking alarm, disabling an account corresponding to the account information;
and querying, according to the login IP and the account information in the data hijacking alarm, the recorded server response operations for security personnel to review.
8. A data hijacking alert system, the system comprising:
The preparation module is used for acquiring login IP (Internet protocol) of the user, an account and an initial count value in a local counter when the user logs in the client, wherein the local counter is used for recording the operation times of each functional module in the client;
The verification module is used for judging whether the current login user passes the first verification according to the initial count value and a preset verification condition when the login record of the login IP exists in the account, and counting and initializing the current login user passing the first verification;
The analysis module is used for comparing the user counter value corresponding to the current login user with the local counter value after the user operation is completed, wherein the server side comprises a plurality of user counters, and the user counters record response operation times of the server side according to different login IP and accounts respectively;
The processing module is used for normally using the account when the user counter value is equal to the local counter value;
The processing module is further configured to generate a data hijacking alarm when the user counter value is not equal to the local counter value.
9. An electronic device, the electronic device comprising:
One or more processors;
and a memory associated with the one or more processors, the memory for storing program instructions that, when read for execution by the one or more processors, perform the method of any of claims 1-7.
10. A computer-readable storage medium, characterized in that it stores a computer program, which causes a computer to perform the method of any one of claims 1-7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211033164.5A CN115514531B (en) | 2022-08-26 | 2022-08-26 | Data hijacking alarm method, system, electronic equipment and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN115514531A (en) | 2022-12-23 |
CN115514531B (en) | 2024-05-10 |
Family
ID=84501121
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202211033164.5A Active CN115514531B (en) | 2022-08-26 | 2022-08-26 | Data hijacking alarm method, system, electronic equipment and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115514531B (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109104418A (en) * | 2018-07-25 | 2018-12-28 | 浙江威步机器人技术有限公司 | Account login validation method, device, storage medium and server |
CN110035035A (en) * | 2018-01-12 | 2019-07-19 | 北京新媒传信科技有限公司 | A kind of secondary authentication method and system of single-sign-on |
CN110932858A (en) * | 2018-09-19 | 2020-03-27 | 阿里巴巴集团控股有限公司 | Authentication method and system |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104144419B (en) * | 2014-01-24 | 2017-05-24 | 腾讯科技(深圳)有限公司 | Identity authentication method, device and system |
Also Published As
Publication number | Publication date |
---|---|
CN115514531A (en) | 2022-12-23 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||