
CN115396202A - An identification method for brute force cracking and related components - Google Patents

Info

Publication number: CN115396202A
Authority: CN (China)
Prior art keywords: login, account, brute force, failure, target server
Legal status (as listed by Google Patents, not a legal conclusion): Granted
Application number: CN202211027137.7A
Other languages: Chinese (zh)
Other versions: CN115396202B
Inventor: 刘庆功
Current assignee: Inspur Jinan data Technology Co ltd
Original assignee: Inspur Jinan data Technology Co ltd

Events: application filed by Inspur Jinan data Technology Co ltd; priority to CN202211027137.7A; publication of CN115396202A; application granted; publication of CN115396202B; current legal status Active.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention discloses a brute-force cracking identification method and related components in the technical field of communication security. Login data packets are obtained at the kernel layer, so the login account's information is reflected in real time; identifying a brute-force account from the number of login failures of that account within a preset time period after the current moment is more accurate, and the security of the target server is ensured.

Description

An identification method for brute force cracking and related components

Technical field

The present invention relates to the technical field of communication security, and in particular to a brute-force cracking identification method and related components.

Background

Brute-force cracking refers to an attacker enumerating every possible value of sensitive information such as the usernames and passwords of a target server and trying them until the cracking succeeds. Because brute-force cracking is simple to carry out and cheap, it has become attackers' preferred attack method. To keep the target server secure, brute-force behaviour must be identified. In the prior art, the login account, the number of login attempts of that account and whether each login succeeded are read from the target server's system log to decide whether the account is one used by an attacker. However, the target server takes some time to generate system logs, and system logging is sometimes switched off while the server is running, so brute-force cracking cannot be identified quickly and accurately. In addition, the prior art also obtains the target server's system traffic through third-party libraries such as winpcap to identify brute-force cracking, but open-source third-party libraries carry potential security risks and are not conducive to maintaining the security of the target server.

Summary of the invention

The purpose of the present invention is to provide a brute-force cracking identification method and related components that can identify brute-force cracking accurately and in real time, ensuring the security of the target server.

To solve the above technical problem, the present invention provides a brute-force cracking identification method, comprising:

obtaining, at the kernel layer of the target server, the login data packets of each login account, where a login data packet includes the destination port accessed by the login account and the login status of the login account;

when the destination port is a risk port of the target server, determining the number of failures, i.e. the number of times the login status of the login account is "login failed" within a preset time period after the current moment;

when the number of failures is greater than a preset count threshold, identifying the login account as a brute-force cracking account.

Preferably, the login data packet further includes the transport-layer protocol used by the login account to access the target server;

before determining the number of times the login status of the login account is "login failed" within the preset time period after the current moment, the method further includes:

when the transport-layer protocol is determined to be a risk transport-layer protocol corresponding to the target server, proceeding to the step of determining the number of times the login status of the login account is "login failed" within the preset time period after the current moment.

Preferably, the risk port includes:

any one or a combination of: the RDP port of the target server used for remote desktop connections, the port of the target server used for sharing files stored on the target server, and the port of the target server used for connecting to a shared output device.

Preferably, the login data packet further includes the source IP and source port used by the login account;

after identifying the login account as a brute-force cracking account, the method further includes:

intercepting, at the kernel layer, login accounts whose IP is the source IP and/or whose port is the source port.

Preferably, after identifying the login account as a brute-force cracking account, the method further includes:

generating prompt information to alert the user that the target server is under brute-force cracking.

Preferably, determining the number of times the login status of the login account is "login failed" within the preset time period after the current moment includes:

when the login status is "login succeeded", clearing the first-login-failure time;

when the login status is "login failed", adding one to the login failure count;

when the first-login-failure time is determined not to be empty, subtracting the first-login-failure time from the time of the login account's current failed login to obtain the login duration;

when the first-login-failure time is determined to be empty, recording the time of the login account's current failed login as the first-login-failure time, and adding one to the login failure count;

when the login duration is less than the preset time period, proceeding to the step of identifying the login account as a brute-force cracking account when the number of failures is greater than the preset count threshold;

when the login duration is greater than the preset time period, clearing the first-login-failure time and taking the time of the login account's current failed login as the new first-login-failure time.

To solve the above technical problem, the present application also provides a brute-force cracking identification system, comprising:

a login data packet acquisition unit, configured to obtain, at the kernel layer of the target server, the login data packets of each login account, where a login data packet includes the destination port accessed by the login account and the login status of the login account;

a failure count determination unit, configured to determine, when the destination port is a risk port of the target server, the number of times the login status of the login account is "login failed" within a preset time period after the current moment;

an identification unit, configured to identify the login account as a brute-force cracking account when the number of failures is greater than a preset count threshold.

Preferably, the login data packet further includes the transport-layer protocol used by the login account to access the target server, and the system further includes:

a risk transport-layer protocol determination unit, configured to trigger the failure count determination unit when the transport-layer protocol is determined to be the risk transport-layer protocol corresponding to the target server.

Preferably, the risk port includes:

any one or a combination of: the RDP port of the target server used for remote desktop connections, the port of the target server used for sharing files stored on the target server, and the port of the target server used for connecting to a shared output device.

Preferably, the login data packet further includes the source IP and source port used by the login account, and the system further includes:

an interception unit, configured to intercept at the kernel layer, after the login account is identified as a brute-force cracking account, login accounts whose IP is the source IP and/or whose port is the source port.

Preferably, the system further includes:

a prompt unit, configured to generate, after the login account is identified as a brute-force cracking account, prompt information alerting the user that the target server is under brute-force cracking.

Preferably, the failure count determination unit includes:

a clearing unit, configured to clear the first-login-failure time when the destination port is a risk port of the target server and the login status is "login succeeded";

a counting unit, configured to add one to the login failure count when the login status is "login failed";

a login duration determination unit, configured to obtain the login duration by subtracting the first-login-failure time from the time of the login account's current failed login when the first-login-failure time is determined not to be empty;

a first-login-failure time determination unit, configured to record the time of the login account's current failed login as the first-login-failure time and add one to the login failure count when the first-login-failure time is determined to be empty;

a trigger unit, configured to trigger the identification unit when the login duration is less than the preset time period;

a first-login-failure time update unit, configured to clear the first-login-failure time and take the time of the login account's current failed login as the new first-login-failure time when the login duration is greater than the preset time period.

To solve the above technical problem, the present application also provides a brute-force cracking identification device, comprising:

a memory, configured to store a computer program;

a processor, configured to implement the steps of the above brute-force cracking identification method when executing the computer program.

To solve the above technical problem, the present application also provides a server comprising the above brute-force cracking identification device.

To solve the above technical problem, the present application also provides a computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, the steps of the above brute-force cracking identification method are implemented.

In summary, the present invention provides a brute-force cracking identification method and related components: the login data packets of each login account are obtained at the kernel layer of the target server; when the destination port recorded in a login data packet is a risk port of the target server, the number of times the login status of that login account is "login failed" within a preset time period after the current moment is further determined; and when that number of failures is greater than a preset count threshold, the login account is identified as a brute-force cracking account. Obtaining login data packets at the kernel layer reflects the login account's information in real time, and identifying a brute-force account from the account's number of failures within the preset time period after the current moment is more accurate, ensuring the security of the target server.

Brief description of the drawings

To explain the technical solutions in the embodiments of the present invention more clearly, the drawings required for the prior art and the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.

FIG. 1 is a schematic flow chart of a brute-force cracking identification method provided by the present invention;

FIG. 2 is a schematic flow chart of another brute-force cracking identification method provided by the present invention;

FIG. 3 is a schematic structural diagram of a brute-force cracking identification system provided by the present invention;

FIG. 4 is a schematic structural diagram of a brute-force cracking identification device provided by the present invention.

Detailed description

The core of the present invention is to provide a brute-force cracking identification method and related components that can identify brute-force cracking accurately and in real time, ensuring the security of the target server.

To make the purpose, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art from these embodiments without creative effort fall within the protection scope of the present invention.

Referring to FIG. 1, which is a schematic flow chart of a brute-force cracking identification method provided by the present invention, the method includes:

S1: obtaining, at the kernel layer of the target server, the login data packets of each login account, where a login data packet includes the destination port accessed by the login account and the login status of the login account;

Generating the system log, reading it, and identifying brute-force cracking from the login accounts, their login counts and whether each login succeeded all take a certain amount of time, so the prior art identifies brute-force cracking with poor timeliness. It is also affected by the possibility that system logging is switched off, in which case brute-force attempts against the server cannot be identified at all, leaving the server with a serious security risk.

Therefore, in this application the login data packets of login accounts are obtained at the kernel layer of the target server, so that they are available in real time. A login data packet includes the destination port and the login status, where the destination port is the port of the target server actually accessed by the login account, and the login status is either "login succeeded" or "login failed". It should be noted that a login data packet can generally also include the source IP, source port, destination IP and transport-layer protocol: the source IP and source port reflect information about the login account, the destination IP reflects information about the target server, and the transport-layer protocol reflects which function's process in the target server the login account wants to access. In addition, the login status in this application can be determined by reading the code identifier in the login data packet; for example, when the login data packet is an RDP login data packet and the code identifier is 80000003, the login status of the login account corresponding to that RDP login data packet is determined to be "login failed".

It should also be noted that this application does not specifically limit how the login packet information is obtained from the kernel layer; for example, a callout function can be defined at the kernel layer and a filter created so that the source IP, source port, destination IP, destination port, transport-layer protocol and so on are obtained through the filter conditions.

S2: when the destination port is a risk port of the target server, determining the number of times the login status of the login account is "login failed" within a preset time period after the current moment;

S3: when the number of failures is greater than a preset count threshold, identifying the login account as a brute-force cracking account.

Considering that attackers attack the target server mainly through remote desktop connections, shared files or shared printers, and that different brute-force behaviours target different ports of the server, in this application the login account corresponding to the destination port is judged to be a possible brute-force attack account when that destination port is a risk port of the target server. The risk ports in this application are defined in advance, before brute-force identification is performed; a risk port is a port that an attacker may access when performing brute-force cracking, and this application does not limit the specific types of risk port.

To further improve the accuracy of this application's brute-force identification result, after the destination port is determined to be a risk port of the target server, the number of times the login account fails to log in within the preset time period after the current moment is also determined. Brute-force cracking generally tries every possible password or account until cracking succeeds, so an attacker's brute-force attempt necessarily produces many login failures, and the brute-force behaviour can therefore be identified by judging the number of login failures. Moreover, identifying brute-force cracking from the number of login failures within the preset time period after the current moment, as in this application, reflects the login account's current attack state more precisely than the prior-art practice of reading the number of failures in the preset time period before the current moment, ensuring that the identification result is up to date.

In summary, the present invention provides a brute-force cracking identification method: the login data packets of each login account are obtained at the kernel layer of the target server; when the destination port recorded in a login data packet is a risk port of the target server, the number of times the login status of that login account is "login failed" within a preset time period after the current moment is further determined; and when that number of failures is greater than a preset count threshold, the login account is identified as a brute-force cracking account. Obtaining login data packets at the kernel layer reflects the login account's information in real time, and identifying a brute-force account from the account's number of failures within the preset time period after the current moment is more accurate, ensuring the security of the target server.

On the basis of the above embodiments:

As a preferred embodiment, the login data packet further includes the transport-layer protocol used by the login account to access the target server;

before determining the number of times the login status of the login account is "login failed" within the preset time period after the current moment, the method further includes:

when the transport-layer protocol is determined to be a risk transport-layer protocol corresponding to the target server, proceeding to the step of determining the number of times the login status of the login account is "login failed" within the preset time period after the current moment.

In this embodiment, to further ensure the accuracy of the brute-force identification result, the transport-layer protocol used by the login account to access the target server is also obtained at the kernel layer of the target server; different transport-layer protocols indicate that the login account accessed different processes in the target server. This application therefore predefines risk transport-layer protocols, i.e. the transport-layer protocols an attacker may use when performing brute-force cracking; this embodiment does not limit their specific type. For example, an attacker brute-forcing a target server usually accesses a remote-control process or a file-sharing process, so the transport-layer protocol corresponding to remote access and the one corresponding to file sharing can be taken as risk transport-layer protocols.

In summary, on the basis of checking whether the destination port is a risk port of the target server, this embodiment further checks whether the transport-layer protocol is a risk transport-layer protocol corresponding to the target server, and proceeds to the subsequent brute-force identification steps only when the destination port is a risk port and the transport-layer protocol is a risk transport-layer protocol. This reduces the identification workload on the one hand and ensures the accuracy of the identification result on the other.

As a preferred embodiment, the risk port includes:

any one or a combination of: the RDP port of the target server used for remote desktop connections, the port of the target server used for sharing files stored on the target server, and the port of the target server used for connecting to a shared output device.

In this embodiment, considering that an attacker brute-forcing the target server generally does so through remote desktop connections, shared files and shared output devices such as printers, any one or a combination of the RDP port of the target server used for remote desktop connections, the port used for sharing files stored on the target server, and the port used for connecting to a shared output device is taken as a risk port, further optimising the brute-force identification method and ensuring the security of the target server.

For example, a destination port of 3389 indicates that the login account wants to establish a remote desktop connection with the target server, and the login account is then considered a possible brute-force cracking account.
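The gate described in steps S1 and S2 and the two preferred embodiments above (risk port, risk transport-layer protocol, and the status code in the login packet) can be modelled in a few lines. The following is an added example and is not code from the patent or from Inspur: it parses constructed kernel-layer login records (the `src=... dst=... proto=... code=...` line format and the field names are my own), decodes the login status, and decides whether a packet must be counted at all. The page only names port 3389 and the RDP failure code 80000003; 445 (SMB file sharing) and 631 (IPP printer sharing) as the other risk ports, TCP as the risk transport protocol, and the rule "non-RDP code 0 means success" are my assumptions.

```python
"""Added example (not the patent's code): parse a kernel-layer login record
and apply the risk-port / risk-protocol gate from steps S1 and S2."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class LoginPacket:
    """Five-tuple plus decoded login outcome, as the page says the kernel
    layer can supply. Field names are my own."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int       # IP protocol number: 6 = TCP, 17 = UDP
    failed: bool     # True when the packet reports a failed login


RDP_PORT = 3389                      # named on the page
RISK_PORTS = {RDP_PORT, 445, 631}    # 445 (SMB) and 631 (IPP) are my assumptions
RISK_PROTOS = {6}                    # TCP as the risk transport protocol: my assumption
RDP_LOGIN_FAILED_CODE = "80000003"   # given on the page for RDP login packets

# Constructed record layout; a real callout would hand over binary fields.
_RECORD = re.compile(
    r"src=(?P<sip>[\d.]+):(?P<sport>\d+)\s+dst=(?P<dip>[\d.]+):(?P<dport>\d+)"
    r"\s+proto=(?P<proto>\d+)\s+code=(?P<code>[0-9A-Fa-f]+)"
)


def decode_status(dst_port: int, code: str) -> bool:
    """Return True for a failed login. Only the RDP code is on the page;
    for other ports a code of 0 is treated as success (my assumption)."""
    if dst_port == RDP_PORT:
        return code.upper() == RDP_LOGIN_FAILED_CODE
    return code != "0"


def parse_record(line: str) -> Optional[LoginPacket]:
    """Parse one constructed record; None when the line is not a login record."""
    m = _RECORD.search(line)
    if not m:
        return None
    dst_port = int(m["dport"])
    return LoginPacket(
        src_ip=m["sip"], src_port=int(m["sport"]),
        dst_ip=m["dip"], dst_port=dst_port, proto=int(m["proto"]),
        failed=decode_status(dst_port, m["code"]),
    )


def is_candidate(pkt: LoginPacket) -> bool:
    """Step S2 gate plus the preferred transport-protocol check: only packets
    aimed at a risk port over a risk protocol go on to failure counting."""
    return pkt.dst_port in RISK_PORTS and pkt.proto in RISK_PROTOS


# Constructed sample records (documentation-range addresses).
SAMPLE_RECORDS = [
    "src=203.0.113.5:51234 dst=192.0.2.10:3389 proto=6 code=80000003",   # RDP, failed
    "src=203.0.113.5:51235 dst=192.0.2.10:3389 proto=6 code=0",          # RDP, succeeded
    "src=198.51.100.7:40000 dst=192.0.2.10:445 proto=6 code=C000006D",   # SMB, failed (NTSTATUS logon failure)
    "src=198.51.100.7:40001 dst=192.0.2.10:8080 proto=6 code=401",       # not a risk port
    "src=198.51.100.9:5353 dst=192.0.2.10:3389 proto=17 code=80000003",  # UDP, not a risk protocol
    "kernel: unrelated trace line",                                     # not a login record
]


def candidate_failures(lines: List[str]) -> List[LoginPacket]:
    """Failed logins that pass the gate, i.e. the packets step S2 would count."""
    out = []
    for line in lines:
        pkt = parse_record(line)
        if pkt is not None and is_candidate(pkt) and pkt.failed:
            out.append(pkt)
    return out


if __name__ == "__main__":
    for pkt in candidate_failures(SAMPLE_RECORDS):
        print(f"count failure from {pkt.src_ip}:{pkt.src_port} -> port {pkt.dst_port}")
```

Only the first and third sample records survive the gate: the second is a successful RDP login, the fourth targets a non-risk port, the fifth arrives over UDP, and the sixth is not a login record at all.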

作为一种优选的实施例,登录数据包还包括登录账户使用的源IP以及源端口;As a preferred embodiment, the login data packet also includes the source IP and source port used by the login account;

在识别登录账户为暴力破解账户之后,还包括:After identifying the login account as a brute force account, it also includes:

在内核层拦截IP为源IP和/或端口为源端口的登录账户。Intercept login accounts whose IP is source IP and/or port is source port at the kernel layer.

在对暴力破解进行识别之后,为了确保目标服务器后续不再承受由该攻击者发起的暴力破解,在本实施例中还在内核层中获取登录账户使用的源IP以及源端口,并且在内核层拦截符合IP为源IP以及端口为源端口中任意一项的登录账户,实现对目标服务器的保护。After the brute force cracking is identified, in order to ensure that the target server will no longer accept the brute force cracking initiated by the attacker, in this embodiment, the source IP and source port used by the login account are also obtained in the kernel layer, and the Intercept the login account whose IP is the source IP and the port is any one of the source ports, so as to realize the protection of the target server.

作为一种优选的实施例,在识别登录账户为暴力破解账户之后,还包括:As a preferred embodiment, after identifying the login account as a brute force cracking account, it also includes:

生成用于提示用户目标服务器受到暴力破解的提示信息。Generate a prompt message for prompting the user that the target server is being brute force cracked.

In order to promptly remind the user that the target server has been subjected to brute force cracking, in this embodiment, after the login account is identified as a brute force cracking account, prompt information notifying the user that the target server is under brute force cracking is also generated, for example by issuing a voice prompt or by outputting the prompt information on a display device; the present application does not specifically limit the type of prompt information.

In addition, after the login account is identified as a brute force cracking account, the five-tuple of the login account, namely the source IP, source port, destination IP, destination port, and transport layer protocol, may also be output so that the maintenance personnel of the target server can analyze the brute force cracking behavior and ensure the security of the target server.

As a preferred embodiment, determining the number of failures, that is, the number of times the login status of the login account is login failure within the preset time period after the current moment, includes:

when the login status is login success, clearing the first login failure time;

when the login status is login failure, adding one to the number of login failures;

when it is determined that the first login failure time is not empty, subtracting the first login failure time from the time at which the current login status of the login account is login failure to obtain the login duration;

when it is determined that the first login failure time is empty, recording the time at which the current login status of the login account is login failure as the first login failure time, and adding one to the number of login failures;

when the login duration is less than the preset time period, entering the step of identifying the login account as a brute force cracking account when the number of failures is greater than the preset number-of-times threshold;

when the login duration is greater than the preset time period, clearing the first login failure time and taking the time at which the current login status of the login account is login failure as the new first login failure time.

Please refer to FIG. 2, which is a schematic flowchart of another identification method for brute force cracking provided by the present invention. In this embodiment, the number of failures, that is, the number of times the login status of the login account is login failure within the preset time period after the current moment, is determined as follows. First, the login status of the login account at the current moment is determined. When the login status is login success, the login account is considered not to belong to the attacker performing the brute force cracking, so the first login failure time is cleared. When the login status is login failure, the login account is considered to possibly belong to that attacker, so the number of login failures is increased by one, so that whether the login account is a brute force cracking account can be further confirmed on the basis of the total number of failures within the preset time period. In order to determine the number of failures of the login account within the preset time period, the length of the preset time period must first be determined. When the first login failure time is not empty, the first login failure time is subtracted from the time at which the current login status of the login account is login failure to obtain the login duration, and only when the login duration is less than the preset time period does the method enter the step of identifying the login account as a brute force cracking account when the number of failures is greater than the preset number-of-times threshold; when the login duration is greater than the preset time period, the first login failure time is cleared and the time at which the current login status of the login account is login failure is taken as the new first login failure time. When the first login failure time is empty, this indicates that the login account has failed to log in for the first time, so the time at which the current login status of the login account is login failure is recorded as the first login failure time, and the number of login failures is increased by one.

It can be seen that the manner in which this embodiment determines the number of times the login status of the login account is login failure within the preset time period after the current moment is simple and accurate, and can further improve the accuracy of the identification result for brute force cracking.
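The windowed failure count of the steps above, together with the kernel-layer interception, the prompt and the five-tuple output described earlier, as an added Python example that is not the patent's own code. It assumes 445 (SMB file and printer sharing) alongside the page's 3389 as risk ports, TCP as the risk transport layer protocol, and that the failure count is reset whenever the first login failure time is cleared; all addresses and packets are constructed.

```python
"""Windowed failure counter for login attempts on risk ports (added example)."""
from dataclasses import dataclass, field
from typing import Optional

# The patent names only 3389 (RDP) concretely; treating 445 (SMB file/printer
# sharing) as the other risk port and TCP as the risk transport protocol are
# assumptions made for this example.
RISK_PORTS = {3389, 445}
RISK_PROTOCOLS = {"tcp"}


@dataclass
class LoginPacket:
    """One login data packet as seen at the kernel layer (constructed input)."""
    account: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str
    success: bool   # login status: True == login success, False == login failure
    ts: float       # seconds since an arbitrary epoch


@dataclass
class AccountState:
    first_failure_ts: Optional[float] = None  # "first login failure time"; None == empty
    failures: int = 0                         # "number of login failures"


@dataclass
class Detector:
    window: float = 60.0   # preset time period, seconds
    threshold: int = 5     # preset number-of-times threshold
    states: dict = field(default_factory=dict)
    blocked: set = field(default_factory=set)   # (src_ip, src_port) pairs
    alerts: list = field(default_factory=list)
    dropped: int = 0

    def process(self, pkt: LoginPacket) -> bool:
        """Feed one packet; return True only when this packet flags the account."""
        # Kernel-layer interception of sources flagged earlier. The patent allows
        # matching on IP and/or port; matching on the source port alone would also
        # drop unrelated clients reusing that port, so deployments match on IP only.
        if any(pkt.src_ip == ip or pkt.src_port == port for ip, port in self.blocked):
            self.dropped += 1
            return False
        # Only risk ports reached over the risk transport protocol are counted.
        if pkt.protocol.lower() not in RISK_PROTOCOLS or pkt.dst_port not in RISK_PORTS:
            return False
        st = self.states.setdefault(pkt.account, AccountState())
        if pkt.success:
            st.first_failure_ts = None  # login success: clear the first failure time
            st.failures = 0             # assumption: the count is reset with it
            return False
        if st.first_failure_ts is None:
            st.first_failure_ts = pkt.ts  # first failure: open the window, count = 1
            st.failures = 1
            return False
        duration = pkt.ts - st.first_failure_ts
        if duration >= self.window:
            # Window expired: restart it at this failure (duration == window is
            # unspecified in the patent and treated as expired here).
            st.first_failure_ts = pkt.ts
            st.failures = 1
            return False
        st.failures += 1
        if st.failures > self.threshold:
            self._flag(pkt)
            return True
        return False

    def _flag(self, pkt: LoginPacket) -> None:
        """Block the source, raise the prompt, and output the five-tuple for analysis."""
        self.blocked.add((pkt.src_ip, pkt.src_port))
        self.alerts.append({
            "account": pkt.account,
            "prompt": f"target server {pkt.dst_ip} is under brute force cracking",
            "five_tuple": (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.protocol),
        })


def run_sample():
    """Replay constructed packets; returns (detector, per-packet verdicts)."""
    det = Detector(window=60.0, threshold=5)
    srv = "203.0.113.10"  # constructed target server address
    pkts = [LoginPacket("administrator", "198.51.100.7", 50000, srv, 3389, "tcp", False, float(i))
            for i in range(6)]                  # six RDP failures within five seconds
    pkts.append(LoginPacket("administrator", "198.51.100.7", 50001, srv, 3389, "tcp", False, 6.0))
    pkts += [LoginPacket("alice", "192.0.2.20", 41000, srv, 3389, "tcp", ok, t)
             for ok, t in ((False, 0.0), (False, 2.0), (True, 3.0))]  # two typos, then success
    pkts += [LoginPacket("carol", "192.0.2.21", 41500, srv, 445, "tcp", False, t)
             for t in (0.0, 70.0)]              # second failure falls outside the window
    pkts += [LoginPacket("bob", "192.0.2.30", 42000, srv, 22, "tcp", False, float(i))
             for i in range(10)]                # SSH is not a risk port in this example
    return det, [det.process(p) for p in pkts]
```

The sixth administrator failure crosses the threshold and is flagged; the seventh, from the same IP on a new source port, is intercepted before it is counted.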

Please refer to FIG. 3, which is a schematic structural diagram of a brute force cracking identification system provided by the present invention. The brute force cracking identification system includes:

a login data packet acquisition unit 11, configured to obtain the login data packets of each login account at the kernel layer of the target server, wherein the login data packet includes the destination port accessed by the login account and the login status of the login account;

a failure count determination unit 12, configured to determine, when the destination port is a risk port in the target server, the number of times the login status of the login account is login failure within the preset time period after the current moment;

an identification unit 13, configured to identify the login account as a brute force cracking account when the number of failures is greater than the preset number-of-times threshold.

For a description of the brute force cracking identification system provided by the present application, please refer to the above embodiments of the brute force cracking identification method; the present application will not repeat it here.

On the basis of the above embodiments:

As a preferred embodiment, the login data packet further includes the transport layer protocol used by the login account to access the target server, and the system further includes:

a risk transport layer protocol determination unit, configured to trigger the failure count determination unit when it is determined that the transport layer protocol is the risk transport layer protocol corresponding to the target server.

As a preferred embodiment, the risk port includes:

any one or a combination of the RDP port used by the target server for remote desktop connections, the port used for sharing the files within the target server, and the port used for connecting to shared output devices.

As a preferred embodiment, the login data packet further includes the source IP and the source port used by the login account, and the system further includes:

an interception unit, configured to intercept, at the kernel layer, login accounts whose IP is the source IP and/or whose port is the source port after the login account is identified as a brute force cracking account.

As a preferred embodiment, the system further includes:

a prompt unit, configured to generate prompt information notifying the user that the target server is being subjected to brute force cracking after the login account is identified as a brute force cracking account.

As a preferred embodiment, the failure count determination unit includes:

a clearing unit, configured to clear the first login failure time when the destination port is a risk port in the target server and the login status is login success;

a counting unit, configured to add one to the number of login failures when the login status is login failure;

a login duration determination unit, configured to, when it is determined that the first login failure time is not empty, subtract the first login failure time from the time at which the current login status of the login account is login failure to obtain the login duration;

a first login failure time determination unit, configured to, when it is determined that the first login failure time is empty, record the time at which the current login status of the login account is login failure as the first login failure time, and add one to the number of login failures;

a trigger unit, configured to trigger the identification unit 13 when the login duration is less than the preset time period;

a first login failure time update unit, configured to, when the login duration is greater than the preset time period, clear the first login failure time and take the time at which the current login status of the login account is login failure as the new first login failure time.

Please refer to FIG. 4, which is a schematic structural diagram of a brute force cracking identification apparatus provided by the present invention. The brute force cracking identification apparatus includes:

a memory 21, configured to store a computer program;

a processor 22, configured to implement the steps of the above identification method for brute force cracking when executing the computer program.

For a description of the brute force cracking identification apparatus provided by the present application, please refer to the above embodiments of brute force cracking identification; the present application will not repeat it here.

The present application further provides a server, including the above brute force cracking identification apparatus.

For a description of the server provided by the present application, please refer to the above embodiments of the identification method for brute force cracking, which will not be repeated here.

The present application further provides a computer-readable storage medium on which a computer program is stored, and when the computer program is executed by a processor, the steps of the above identification method for brute force cracking are implemented.

For a description of the computer-readable storage medium provided by the present application, please refer to the above embodiments of the identification method for brute force cracking, which will not be repeated here.

It can be understood that, if the methods in the above embodiments are implemented in the form of software functional units and sold or used as independent products, they may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application, in essence or in the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product; the computer software product is stored in a storage medium and executes all or part of the steps of the methods described in the various embodiments of the present application. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disk.

The embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and for the same or similar parts between the embodiments, reference may be made to one another. Since the apparatus disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is relatively brief, and for the relevant parts reference may be made to the description of the method.

It should also be noted that, in this specification, the terms "comprise", "include" or any other variants thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article or device that comprises said element.

The above description of the disclosed embodiments enables those skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the present invention. Therefore, the present invention is not to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A brute force cracking identification method, characterized by comprising the following steps:
obtaining login data packets of each login account at a kernel layer of a target server, wherein the login data packets comprise destination ports accessed by the login accounts and login states of the login accounts;
when the destination port is a risk port in the target server, determining the number of failures, that is, the number of times the login state of the login account is login failure within a preset time period after the current moment;
and when the number of failures is greater than a preset number-of-times threshold, identifying the login account as a brute force cracking account.
2. The brute force cracking identification method of claim 1, wherein the login data packet further comprises a transport layer protocol used by the login account to access the target server;
before determining the number of times the login state of the login account is login failure within the preset time period after the current moment, the method further comprises:
when the transport layer protocol is determined to be a risk transport layer protocol corresponding to the target server, entering the step of determining the number of times the login state of the login account is login failure within the preset time period after the current moment.
3. The brute force cracking identification method of claim 1, wherein the risk port comprises:
any one or a combination of an RDP port in the target server for remote desktop connection, a port in the target server for sharing files in the target server, and a port in the target server for connecting a shared output device.
4. The brute force cracking identification method of claim 1, wherein the login data packet further comprises a source IP and a source port used by the login account;
after the login account is identified as a brute force cracking account, the method further comprises:
intercepting, at the kernel layer, a login account whose IP is the source IP and/or whose port is the source port.
5. The brute force cracking identification method of claim 4, wherein after identifying the login account as a brute force cracking account, the method further comprises:
generating prompt information for prompting the user that the target server is subjected to brute force cracking.
6. The brute force cracking identification method according to any one of claims 1 to 5, wherein determining the number of times the login state of the login account is login failure within the preset time period after the current moment comprises:
when the login state is login success, clearing the first login failure time;
when the login state is login failure, adding one to the number of login failures;
when the first login failure time is determined not to be empty, subtracting the first login failure time from the time at which the current login state of the login account is login failure to obtain a login duration;
when the first login failure time is determined to be empty, recording the time at which the current login state of the login account is login failure as the first login failure time, and adding one to the number of login failures;
when the login duration is less than the preset time period, entering the step of identifying the login account as a brute force cracking account when the number of failures is greater than the preset number-of-times threshold;
and when the login duration is greater than the preset time period, clearing the first login failure time and taking the time at which the current login state of the login account is login failure as the first login failure time.
7. A brute force cracking identification system, characterized by comprising:
a login data packet acquisition unit, configured to obtain login data packets of each login account at a kernel layer of a target server, wherein the login data packets comprise destination ports accessed by the login accounts and login states of the login accounts;
a failure count determination unit, configured to determine, when the destination port is a risk port in the target server, the number of times the login state of the login account is login failure within a preset time period after the current moment;
and an identification unit, configured to identify the login account as a brute force cracking account when the number of failures is greater than a preset number-of-times threshold.
8. A brute force cracking identification apparatus, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the brute force cracking identification method according to any one of claims 1 to 6 when executing the computer program.
9. A server, characterized by comprising the brute force cracking identification apparatus according to claim 8.
10. A computer-readable storage medium on which a computer program is stored, characterized in that the computer program, when executed by a processor, implements the steps of the brute force cracking identification method according to any one of claims 1 to 6.
CN202211027137.7A 2022-08-25 2022-08-25 A brute force cracking identification method and related components Active CN115396202B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211027137.7A CN115396202B (en) 2022-08-25 2022-08-25 A brute force cracking identification method and related components

Publications (2)

Publication Number Publication Date
CN115396202A true CN115396202A (en) 2022-11-25
CN115396202B CN115396202B (en) 2025-06-20

Family

ID=84122289

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211027137.7A Active CN115396202B (en) 2022-08-25 2022-08-25 A brute force cracking identification method and related components

Country Status (1)

Country Link
CN (1) CN115396202B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115883234A (en) * 2022-12-09 2023-03-31 杭州安恒信息安全技术有限公司 Brute force cracking detection method and related assembly
CN116248329A (en) * 2022-12-15 2023-06-09 厦门服云信息科技有限公司 Anti-violence cracking method, terminal device and storage medium
CN116318809A (en) * 2022-12-28 2023-06-23 北京安天网络安全技术有限公司 An identification method, device, medium and equipment for brute force cracking database behavior

Citations (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102467618A (en) * 2010-11-04 2012-05-23 上海宝信软件股份有限公司 Auditing system and method for shared file operation in local area network
CN104331644A (en) * 2014-11-24 2015-02-04 北京邮电大学 Transparent encryption and decryption method for intelligent terminal file
CN104796432A (en) * 2015-05-07 2015-07-22 浪潮电子信息产业股份有限公司 Data protection method and safety bastion host
CN108566363A (en) * 2018-01-09 2018-09-21 网宿科技股份有限公司 Method and system is determined based on the Brute Force of streaming computing
CN109842511A (en) * 2017-11-28 2019-06-04 网宿科技股份有限公司 A kind of TCP method for determination of performance parameter and system
CN109981647A (en) * 2019-03-27 2019-07-05 北京百度网讯科技有限公司 Method and apparatus for detecting Brute Force
US20190245875A1 (en) * 2016-12-20 2019-08-08 Tencent Technology (Shenzhen) Company Limited Method and apparatus for defending against dns attack, and storage medium
CN110417747A (en) * 2019-07-08 2019-11-05 新华三信息安全技术有限公司 A kind of detection method and device of Brute Force behavior
CN111125649A (en) * 2019-10-31 2020-05-08 苏州浪潮智能科技有限公司 A protection method and device for brute force cracking of remote desktop login
CN111200598A (en) * 2019-12-28 2020-05-26 浪潮商用机器有限公司 Method and related device for preventing password brute force of baseboard management controller
CN111447199A (en) * 2020-03-23 2020-07-24 深信服科技股份有限公司 Server risk analysis method, server risk analysis device, and medium
CN111565193A (en) * 2020-05-12 2020-08-21 广州锦行网络科技有限公司 Safety hidden access control method
CN112491897A (en) * 2020-11-30 2021-03-12 北京中软华泰信息技术有限责任公司 Remote anti-brute force cracking method based on database security
CN113110980A (en) * 2020-01-13 2021-07-13 奇安信科技集团股份有限公司 Method and device for identifying and intercepting violent cracking behaviors

Also Published As

Publication number Publication date
CN115396202B (en) 2025-06-20

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant