Application interaction method, device, apparatus, medium and program product

Info

Publication number
CN121333815A
Authority
CN
China
Prior art keywords
proxy
information
application
application server
request
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202511821837.7A
Other languages
Chinese (zh)
Inventor
周洋
吴成杰
李明骏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Industrial and Commercial Bank of China Ltd ICBC
Original Assignee
Industrial and Commercial Bank of China Ltd ICBC
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Industrial and Commercial Bank of China Ltd ICBC filed Critical Industrial and Commercial Bank of China Ltd ICBC
Priority to CN202511821837.7A priority Critical patent/CN121333815A/en
Publication of CN121333815A publication Critical patent/CN121333815A/en
Pending legal-status Critical Current

Landscapes

  • Information Transfer Between Computers (AREA)

Abstract

The application provides an application interaction method, an application interaction device, application interaction equipment, a storage medium and a program product, which can be applied to the field of big data. The method comprises: generating token information based on a page proxy request sent by a first application server and sending the token information to the first application server; receiving a proxy page link sent by the first application server, wherein the proxy page link is obtained by the first application server adding the token information to a uniform resource locator of the proxy page; if the current access time is within the access period, checking the token information and the uniform resource locator in the proxy page link respectively; and if the check passes, destroying the token information, updating the proxy page link and sending the proxy page link to the first application server, so that the first application server can call the updated proxy page link to access a second application.

Description

Application interaction method, device, apparatus, medium and program product
Technical Field
The present application relates to the field of big data, and more particularly, to an application interaction method, apparatus, device, medium, and program product.
Background
With the rapid development of internet technology, a user can access an application program running on a server side, namely a network application program (also called a web application). During interaction between web applications, interactive access between applications can be completed by simply checking the access information of the user.
Disclosure of Invention
In view of the above, the present application provides an application interaction method, apparatus, device, medium and program product for improving information transmission security in an application interaction process.
According to a first aspect of the application, an application interaction method applied to a second application is provided. The method comprises: generating token information based on a page proxy request sent by a first application server and sending the token information to the first application server, wherein the page proxy request comprises user request information, request equipment information, proxy encryption key information and signature information of the first application, and the token information comprises the page proxy request and an access period of a proxy page; receiving the proxy page link sent by the first application server, wherein the proxy page link is obtained by the first application server adding the token information to a uniform resource locator of the proxy page; if the current access time is within the access period, checking the token information and the uniform resource locator in the proxy page link respectively; and if the check passes, destroying the token information, updating the proxy page link and sending it to the first application server, so that the first application server calls the updated proxy page link to access the second application.
According to the embodiment of the application, generating token information based on a page proxy request sent by a first application server and sending it to the first application server comprises: decrypting encryption request information sent by the first application server by using an asymmetric encryption private key of the second application server, wherein the encryption request information is obtained by encrypting the user request information, the request equipment information and the proxy encryption key information by using an asymmetric encryption public key of the second application server; verifying encryption signature information sent by the first application server by using an asymmetric encryption public key of the first application server, wherein the encryption signature information is obtained by encrypting the signature information by using an asymmetric encryption private key of the first application server; and if the decrypted request information is correct and the verification passes, generating the token information, encrypting it and sending it to the first application server.
According to the embodiment of the application, before receiving the proxy page link sent by the first application server, the method comprises: encrypting the token information by using an asymmetric encryption public key of the first application server and sending it to the first application server, so that the first application server decrypts the received token information by using its asymmetric encryption private key, adds the decrypted token information to the uniform resource locator, and then encrypts the uniform resource locator carrying the token information by using a symmetric encryption key to generate the proxy page link.
According to the embodiment of the application, updating the proxy page link comprises: re-adding the access period to the uniform resource locator to update the uniform resource locator; performing a redirection operation on the updated uniform resource locator to obtain a redirection link, wherein the redirection operation is used for jumping the user's access request for the second application to the redirection link; encrypting the redirection link based on the proxy encryption key information to obtain an encrypted redirection link; and taking the encrypted redirection link as the updated proxy page link.
According to the embodiment of the application, the method further comprises: if the page proxy request is received a plurality of times within a preset time period, comparing the request frequency of the page proxy request with a first preset threshold value; if the request frequency is larger than the first preset threshold value, comprehensively analyzing the log information generated by the first application and the second application in each interaction process to determine the abnormal probability of the current page proxy request; and if the abnormal probability is larger than a second preset threshold value, generating early warning information and returning it to the first application, wherein the early warning information represents risk information existing in the current page proxy request.
According to the embodiment of the application, comprehensively analyzing the log information generated by the first application and the second application in each interaction process to determine the abnormal probability of the current page proxy request comprises: extracting the proxy pages, request equipment information and signature information generated in each interaction process from the log information and calculating feature similarity; determining the association relation between the feature similarity and abnormal page proxy requests based on historical log information, wherein the historical log information is acquired from the historical interaction process of the first application and the second application; determining the weight of each feature similarity based on the association relation; and weighting each feature similarity by its weight to obtain the abnormal probability.
The second aspect of the application provides an application interaction device applied to a second application, comprising: a token information generation module, used for generating token information based on a page proxy request sent by a first application server and sending the token information to the first application server, wherein the page proxy request comprises user request information, request equipment information, proxy encryption key information and signature information of the first application, and the token information comprises the page proxy request and an access period of a proxy page; a proxy page link acquisition module, used for receiving the proxy page link sent by the first application server, wherein the proxy page link is obtained by the first application server adding the token information to a uniform resource locator of the proxy page; a verification module, used for respectively verifying the token information and the uniform resource locator in the proxy page link if the current access time is within the access period; and an application access module, used for updating the proxy page link and sending the proxy page link to the first application server if the verification is passed, so that the first application server calls the updated proxy page link to access the second application.
A third aspect of the application provides an electronic device comprising one or more processors and a memory for storing one or more computer programs, wherein the one or more processors execute the one or more computer programs to implement the steps of the method.
A fourth aspect of the application also provides a computer readable storage medium having stored thereon a computer program or instructions which when executed by a processor performs the steps of the above method.
The fifth aspect of the application also provides a computer program product comprising a computer program or instructions which, when executed by a processor, carries out the steps of the method described above.
Drawings
The foregoing and other objects, features and advantages of the application will be apparent from the following description of embodiments of the application with reference to the accompanying drawings, in which:
FIG. 1 schematically illustrates an application scenario diagram of an application interaction method, apparatus, device, medium and program product according to an embodiment of the application;
FIG. 2 schematically illustrates a flow chart of an application interaction method according to an embodiment of the application;
FIG. 3 schematically illustrates a token information generation method according to an embodiment of the application;
FIG. 4 schematically illustrates a proxy page link acquisition method according to an embodiment of the application;
FIG. 5 schematically illustrates an application interaction process diagram according to an embodiment of the application;
FIG. 6 schematically illustrates a method for determining an exception page proxy request according to an embodiment of the present application;
FIG. 7 schematically illustrates a block diagram of an application interaction device according to an embodiment of the application;
FIG. 8 schematically shows a block diagram of an electronic device adapted to implement an application interaction method according to an embodiment of the application.
Detailed Description
Hereinafter, embodiments of the present application will be described with reference to the accompanying drawings. It should be understood that the description is only illustrative and is not intended to limit the scope of the application. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the application. It may be evident, however, that one or more embodiments may be practiced without these specific details. In addition, in the following description, descriptions of well-known structures and techniques are omitted so as not to unnecessarily obscure the present application.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. The terms "comprises," "comprising," and/or the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It should be noted that the terms used herein should be construed to have meanings consistent with the context of the present specification and should not be construed in an idealized or overly formal manner.
Where a convention analogous to "at least one of A, B and C, etc." is used, in general such a convention should be interpreted in the sense in which one of skill in the art would generally understand it (e.g., "a system having at least one of A, B and C" would include, but not be limited to, systems having A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B, C together, etc.).
In the technical scheme of the application, the related user information (including but not limited to user personal information, user image information, user equipment information, such as position information and the like) and data (including but not limited to data for analysis, stored data, displayed data and the like) are information and data authorized by a user or fully authorized by all parties, and the related data are collected, stored, used, processed, transmitted, provided, disclosed, applied and the like, all comply with related laws and regulations and standards, necessary security measures are adopted, no prejudice to the public order is provided, and corresponding operation entries are provided for the user to select authorization or rejection.
In the scene of using personal information to make automatic decision, the method, the device and the system provided by the embodiment of the application provide corresponding operation inlets for users to choose to agree or reject the automatic decision result, and enter an expert decision flow if the users choose to reject. The expression "automated decision" here refers to an activity of automatically analyzing, assessing the behavioral habits, hobbies or economic, health, credit status of an individual, etc. by means of a computer program, and making a decision. The expression "expert decision" here refers to an activity of making a decision by a person who is specializing in a certain field of work, has specialized experience, knowledge and skills and reaches a certain level of expertise.
The embodiment of the application provides an application interaction method that aims to solve the problem of poor information transmission security during interaction between network application programs (also called web applications). Token information generated by the proxied application is added to the proxy page link generated by the proxy application, so that when a user accesses the proxied application through the proxy application, identity authentication can be completed quickly by verifying the identity of the user and the compliance of the identity of the proxy application, which improves the security and the speed of application interaction. The token is destroyed after the identity authentication passes, which can prevent the risk of an attacker forging a request from the token information to carry out a replay attack, and greatly improves interaction security.
Fig. 1 schematically shows an application scenario diagram of an application interaction method according to an embodiment of the application.
As shown in fig. 1, an application scenario 100 according to this embodiment may include a first terminal device 101, a second terminal device 102, a third terminal device 103, a network 104, and a server 105. The network 104 is a medium used to provide a communication link between the first terminal device 101, the second terminal device 102, the third terminal device 103, and the server 105. The network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others.
The user may interact with the server 105 via the network 104 using the first terminal device 101, the second terminal device 102, the third terminal device 103, to receive or send messages etc. Various communication client applications, such as a shopping class application, a web browser application, a search class application, an instant messaging tool, a mailbox client, social platform software, etc. (by way of example only) may be installed on the first terminal device 101, the second terminal device 102, and the third terminal device 103.
The first terminal device 101, the second terminal device 102, the third terminal device 103 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smartphones, tablets, laptop and desktop computers, and the like.
The server 105 may be a server providing various services, such as a background management server (by way of example only) providing support for websites browsed by the user using the first terminal device 101, the second terminal device 102, and the third terminal device 103. The background management server may analyze and process the received data such as the user request, and feed back the processing result (e.g., the web page, information, or data obtained or generated according to the user request) to the terminal device.
It should be noted that, the application interaction method provided by the embodiment of the present application may be generally executed by the server 105. Accordingly, the application interaction device provided by the embodiment of the present application may be generally disposed in the server 105. The application interaction method provided by the embodiment of the present application may also be performed by a server or a server cluster, which is different from the server 105 and is capable of communicating with the first terminal device 101, the second terminal device 102, the third terminal device 103 and/or the server 105. Accordingly, the application interaction device provided by the embodiment of the present application may also be provided in a server or a server cluster, which is different from the server 105 and is capable of communicating with the first terminal device 101, the second terminal device 102, the third terminal device 103 and/or the server 105.
It should be understood that the number of terminal devices, networks and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
The application interaction method according to the embodiment of the present application will be described in detail below with reference to fig. 2 to 6 based on the scenario described in fig. 1.
Fig. 2 schematically shows a flow chart of an application interaction method according to an embodiment of the application.
As shown in fig. 2, the application interaction method 200 of this embodiment includes operations S210 to S240.
In operation S210, token information is generated based on a page proxy request transmitted from the first application server and transmitted to the first application server, wherein the page proxy request includes user request information, request device information, proxy encryption key information, and signature information of the first application, and the token information includes a page proxy request and an access period of a proxy page.
In operation S220, a proxy page link transmitted by the first application server is received, wherein the proxy page link is obtained by the first application server adding token information to a uniform resource locator of the proxy page.
In operation S230, if the current access time is within the access period, the token information and the uniform resource locator in the proxy page link are checked respectively.
In operation S240, if the verification passes, the token information is destroyed, and the proxy page link is updated and sent to the first application server, so that the first application server calls the updated proxy page link to access the second application.
In some embodiments, in operation S210, the user request information includes session information requested by the user, identity information of the user, and the like. The request device information includes fingerprint information of the request device, identification of the request device, configuration information of the request device, and the like. The proxy encryption key information includes the hash value of the proxy encryption key, key type identification, key version information, key parameter configuration information, and the like. The proxy encryption key may be used to encrypt and decrypt a proxy page link and to encrypt and decrypt the service data to be accessed. For example, if a user wants to access a payment page of the second application through the first application, the payment information provided by the payment page may be encrypted and decrypted by using the proxy encryption key. The hash value of the proxy encryption key serves as a digital fingerprint of the proxy encryption key: whether the proxy encryption key has been tampered with can be determined by checking the hash value, thereby ensuring the security of the proxy encryption key.
The access period of the proxy page can be determined according to factors such as the risk level of the service to be accessed, the historical access period of services of the same type, and the resource occupation during historical access. For example, the types of historical access services are determined from the access services involved in the historical interaction process of the first application and the second application; the risk level of each historical access service type is determined based on a mapping table of service types and risk levels to obtain a risk level table; and the risk level of the service currently to be accessed is determined from the risk level table. An access request (namely a page proxy request) with a higher risk level, a longer historical access period and a higher resource occupation rate is given a shorter access period, and an access request with a lower risk level and a lower resource occupation rate can be given a longer access period.
In some embodiments, in operation S230, the token information is checked to verify the validity of the access request and to ensure that it carries a valid token issued by the second application. The uniform resource locator (Uniform Resource Locator, URL) of the proxy page is checked to verify whether the access request has been tampered with and to ensure that the proxy page link is not tampered with during access to the second application, thereby reducing the risk of unauthorized access.
According to the embodiment of the application, the compliance of the first application and the identity of the user can be verified through the token information. Because the token information is added to the proxy page link, identity verification can be completed quickly by parsing the token information in the proxy page link when the second application is accessed, which improves both the speed and the security of application interaction. The token is destroyed after the identity verification passes, which can prevent the risk of an attacker forging a request from the token information to carry out a replay attack, and greatly improves interaction security.
Fig. 3 schematically shows a token information generation method according to an embodiment of the application.
In some embodiments, generating token information based on a page proxy request sent by a first application server and sending it to the first application server comprises: decrypting encryption request information sent by the first application server by using an asymmetric encryption private key of the second application server, wherein the encryption request information is obtained by encrypting the user request information, the request equipment information and the proxy encryption key information by using an asymmetric encryption public key of the second application server; verifying encryption signature information sent by the first application server by using an asymmetric encryption public key of the first application server, wherein the encryption signature information is obtained by encrypting the signature information by using an asymmetric encryption private key of the first application server; and if the decrypted request information is correct and the verification passes, generating the token information, encrypting it and sending it to the first application server.
As shown in fig. 3, in operation S310 the first application server encrypts the user request information 301, the request device information 302 and the proxy encryption key information 303 with the asymmetric encryption public key 305 of the second application server to obtain the encrypted request information 307, which includes the user request information 301, the request device information 302 and the proxy encryption key information 303. In operation S320, the first application server encrypts the signature information 304 of the first application with the asymmetric encryption private key 306 of the first application server to obtain the encrypted signature information 308. The second application server then decrypts the encrypted request information 307 with the asymmetric encryption private key 309 of the second application server, and verifies the encrypted signature information 308 with the asymmetric encryption public key of the first application server.
The decrypted request information being correct means that the request information is unchanged before and after encryption and decryption, and signature information that is consistent before and after encryption and decryption indicates that verification of the signature information has passed. The generated token information comprises the request information, the signature information and the access period of the proxy page.
According to the embodiment of the application, the page proxy request is transmitted to the second application server in an encrypted manner, the second application server verifies the information contained in the page proxy request, the validity of the request can be verified, the token information is generated after the verification is passed, the identity information of the user and the first application is verified by using the token information, and the safety of application interaction can be improved. The page proxy request is encrypted and transmitted by using the asymmetric encryption method, the asymmetric encryption key is more convenient to manage, the public key can be distributed in a public way, the private key is owned by the application, the risk of key leakage can be reduced, and the security is higher.
In some embodiments, before the proxy page link sent by the first application server is received, the token information is encrypted by using an asymmetric encryption public key of the first application server and sent to the first application server, so that the first application server decrypts the received token information by using its asymmetric encryption private key, adds the decrypted token information to the uniform resource locator, and then encrypts the uniform resource locator carrying the token information by using a symmetric encryption key to generate the proxy page link.
Fig. 4 schematically illustrates a proxy page link acquisition method according to an embodiment of the present application.
As shown in fig. 4, the token information 401 is decrypted by using the asymmetric encryption private key 402 of the first application server, that is, operation S410 is performed, the token information is decrypted by using the first application server, based on the decrypted token information, operation S420 is performed, the decrypted token information is added to the uniform resource locator of the proxy page to obtain the URL fused with the token information, the URL fused with the token information is encrypted by using the symmetric encryption key 403, that is, operation S430 is performed, the URL fused with the token information is encrypted by using the first application server through the symmetric encryption key 403, and the encrypted URL fused with the token information is used as the proxy page link 404. The symmetric encryption key is a proxy symmetric encryption key. Before executing operation S410, the second application server encrypts the generated token information by using the asymmetric encryption public key of the first application server and transmits the encrypted token information to the first application server.
According to the embodiment of the application, the token information is decrypted by using an asymmetric encryption method, the security is higher, the uniform resource locator added with the token information is symmetrically encrypted, the encryption strength is controllable, the data security requirement is met by selecting the proper key length, the encryption speed is higher, the encryption operation with larger data volume can be processed, and the efficiency is higher.
In some embodiments, the proxy page link is updated by re-adding the access deadline to the uniform resource locator, updating the uniform resource locator, performing a redirection operation on the updated uniform resource locator to obtain a redirect link, wherein the redirection operation is used for jumping an access request of a user to the second application to the redirect link, encrypting the redirect link based on proxy encryption key information to obtain an encrypted redirect link, and taking the encrypted redirect link as the updated proxy page link.
In some embodiments, before the proxy page link is updated, it is first determined whether the current access time is within the access period. If it is, the second application server checks whether the token information is consistent before and after encryption and decryption, and whether the uniform resource locator is consistent before and after encryption and decryption. If both are consistent, the second application server destroys the token information and updates the proxy page link. If the token information or the uniform resource locator is inconsistent before and after encryption and decryption, this indicates that the token information or the uniform resource locator has been tampered with by an attacker: the current access request is interrupted, and the first application server jumps the current page to an illegal access prompt page to remind the user that the current access is at risk. If the current access time is outside the access period, the first application server likewise jumps the current page to the illegal access prompt page, and the user needs to initiate a page proxy request to the second application through the first application again, so that the token information generation, proxy page link generation and proxy page link update operations are carried out again. The application interaction method of "page proxy request → token information generation → accessing the second application within the access period → destroying the token information → updating the proxy page link → accessing the second application again requires regenerating the token information" realizes dynamic generation of the token information: the token information is regenerated each time the proxy application (i.e. the first application) accesses the proxied application (i.e. the second application), and the generation and update operations of the proxy page link are performed again.
Further, the second application server decrypts the encrypted proxy page link sent by the first application server by using the symmetric encryption key, and extracts the token information and the uniform resource locator from the decrypted proxy page link. It checks whether the extracted token information is consistent with the token information that it generated, and whether the extracted uniform resource locator is consistent with the uniform resource locator in the proxy page link generated by the first application server.
In some embodiments, after the token information and the uniform resource locator pass the check, the second application server destroys the token information, so that the proxy page link no longer contains key information such as the token information. To prevent the effective access time from being tampered with, the second application server re-adds the access deadline to the proxy page link after destroying the token information and performs the redirection operation to obtain a redirect link. The redirect link contains the access deadline but does not contain key information such as the user request information, request device information, signature information and proxy encryption key information. Hiding this key information in the final proxy page link is also an important means of improving the security of application interaction.
According to the embodiment of the application, the access deadline is added in the proxy page link, so that the attacker can be effectively prevented from tampering with the effective access time of the link, and the proxy page link can be normally accessed only when the access request time is within the access deadline, thereby improving the security.
FIG. 5 schematically illustrates an application interaction process diagram according to an embodiment of the application.
As shown in fig. 5, taking the first application as the proxy application 501 and the second application as the proxied application 502 as an example, the interaction process between the first application and the second application is as follows. After the first application receives a page proxy request initiated by a user, the first application server first encrypts the page proxy request with an asymmetric encryption algorithm and sends the encrypted page proxy request 503 to the second application server. The page proxy request can be any of various service proxy requests, such as a payment request or a query request, and comprises request information, such as user request information and request device information, and the signature information of the first application. The second application server decrypts the received page proxy request 503 with the asymmetric encryption algorithm and checks the request information and the signature information respectively. After the verification passes, the second application server generates token information 504 according to the page proxy request 503, encrypts the token information with the asymmetric encryption algorithm and sends it to the first application server. The first application server decrypts the received token information with the asymmetric encryption algorithm, binds the decrypted token information to the URL of the proxy page, symmetrically encrypts the URL to generate a proxy page link 505, and sends the proxy page link 505 to the second application server. If the current access time is within the access period, the second application server performs operation S510, that is, it checks whether the token information in the proxy page link is consistent with the token information generated by the second application server, and whether the URL in the proxy page link is consistent with the URL in the proxy page link generated by the first application server. The second application server then destroys the token information in the proxy page link, re-adds the access period to the proxy page link, encrypts the proxy page link with the symmetric encryption algorithm to update it, and sends the updated proxy page link to the first application server. Operation S530 is then executed: the first application server performs proxy access through the updated proxy page link to access the second application, the second application server returns the access result 506 to the first application server, and the access result is fed back to the user through the interface of the first application.
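The second application server's side of this flow (token issue, access-period check, token and URL check, token destruction, link update), as an added Python example that is not part of the patent text. It works on the already-decrypted link; the class and method names, the `token`/`deadline`/`sig` query parameters, and the HMAC tag that stands in for the symmetric encryption of the updated link are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


class LinkRejected(Exception):
    """A proxy page link failed a check; the access request is interrupted."""


class ProxiedAppServer:
    """Second (proxied) application server. All names here are hypothetical."""

    def __init__(self, link_key, access_period_s=60, clock=time.time):
        self.link_key = link_key          # assumption: stands in for the proxy symmetric key
        self.access_period_s = access_period_s
        self.clock = clock                # injectable so expiry can be exercised
        self._issued = {}                 # token -> (proxy page URL, access deadline)

    def issue_token(self, proxy_page_url):
        """Generate a random token bound to the proxy page URL and a deadline."""
        token = secrets.token_urlsafe(32)
        deadline = int(self.clock()) + self.access_period_s
        self._issued[token] = (proxy_page_url, deadline)
        return token

    def _tag(self, url):
        # Integrity tag over the updated link (HMAC-SHA256, swapped in for encryption).
        return hmac.new(self.link_key, url.encode(), hashlib.sha256).hexdigest()

    def verify_and_update(self, proxy_page_link):
        """Check the decrypted link, destroy its token, return the updated link."""
        parts = urlsplit(proxy_page_link)
        query = parse_qsl(parts.query, keep_blank_values=True)
        tokens = [v for k, v in query if k == "token"]
        if len(tokens) != 1:
            raise LinkRejected("link must carry exactly one token")
        # The token is popped before the checks, so a failed or concurrent attempt
        # cannot reuse it (stricter than the text, which destroys it after the check).
        record = self._issued.pop(tokens[0], None)
        if record is None:
            raise LinkRejected("unknown or already destroyed token")
        expected_url, deadline = record
        if self.clock() > deadline:
            raise LinkRejected("access period expired")
        rest = [(k, v) for k, v in query if k != "token"]
        bare_url = urlunsplit(parts._replace(query=urlencode(rest)))
        if not hmac.compare_digest(bare_url.encode(), expected_url.encode()):
            raise LinkRejected("URL does not match the one bound to the token")
        # Updated link: the deadline is re-added and the token is gone.
        rest.append(("deadline", str(deadline)))
        updated = urlunsplit(parts._replace(query=urlencode(rest)))
        return updated + "&sig=" + self._tag(updated)

    def access(self, updated_link):
        """Serve the proxy page only for an unmodified, unexpired updated link."""
        url, sep, sig = updated_link.rpartition("&sig=")
        if not sep or not hmac.compare_digest(sig.encode(), self._tag(url).encode()):
            raise LinkRejected("updated link was modified")
        deadline = int(dict(parse_qsl(urlsplit(url).query))["deadline"])
        if self.clock() > deadline:
            raise LinkRejected("access period expired")
        return "proxy page served"


if __name__ == "__main__":
    # Constructed sample values, not taken from the page.
    server = ProxiedAppServer(secrets.token_bytes(32))
    page = "https://app2.example/pay?order=42"
    link = page + "&token=" + server.issue_token(page)
    updated = server.verify_and_update(link)
    print(server.access(updated))
    try:
        server.verify_and_update(link)    # replay of the same link
    except LinkRejected as exc:
        print("replay rejected:", exc)
```

Comparing the re-encoded URL with the stored one assumes both sides serialize query parameters identically; a deployment would fix a canonical form before comparing.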
Fig. 6 schematically illustrates a method for determining an abnormal page proxy request according to an embodiment of the present application.
In some embodiments, the method further comprises: if page proxy requests are received multiple times within a preset time period, comparing the request frequency of the page proxy requests with a first preset threshold; if the request frequency is greater than the first preset threshold, comprehensively analyzing the log information generated by the first application and the second application in each interaction process to determine the abnormal probability of the current page proxy request; and if the abnormal probability is greater than a second preset threshold, generating early warning information and returning it to the first application, where the early warning information represents the risk information present in the current page proxy request.
As shown in fig. 6, for the same access request, if the user initiates the access request multiple times within a certain time, the multiple interactive operations triggered by those access requests are used to determine whether the current access request is abnormal. Specifically, the request frequency 604 is determined from the first page proxy request 601, the second page proxy request 602, and so on up to the Nth page proxy request 603. Operation S610 is executed to determine whether the request frequency 604 is greater than the first preset threshold. If so, operation S620 is executed: the log information of the N interaction processes is comprehensively analyzed and the abnormal probability is calculated. Operation S630 is then executed to determine whether the abnormal probability is greater than the second preset threshold. If so, operation S640 is executed, and early warning information is generated according to the current page proxy request and the log information of the N interaction processes. If the request frequency is less than or equal to the first preset threshold, or the abnormal probability is less than or equal to the second preset threshold, operation S650 is performed to continue the interactive operation. Specifically, if the request frequency is less than or equal to the first preset threshold, the user's access frequency for this access request is not high and there is no abnormality risk, so the interactive operation may be performed according to the application interaction method given by the method 200. If the request frequency is greater than the first preset threshold but the abnormal probability is less than or equal to the second preset threshold, the user's access frequency for this access request is high but no abnormal request has been formed. In this case the user information, the request device information and so on may be verified again by means of short message verification, slider verification or the like, and after the verification passes the interactive operation is performed according to the application interaction method of the method 200. Alternatively, prompt information (for example, "requests are too frequent, please try again later") may first be sent to the first application server, and after waiting for a period of time the above interactive operations are performed according to the method 200. In this way, the problem of high resource occupancy caused by frequent access can be avoided.
According to the embodiment of the application, for the page proxy request initiated for many times, the log information of each interaction process is analyzed, and whether the current page proxy request has risks is judged according to the log information, so that the risk resistance is improved, the risks of fraud and the like of a user are avoided, and the safety in the application interaction process is improved.
In some embodiments, comprehensively analyzing the log information generated by the first application and the second application in each interaction process to determine the abnormal probability of the current page proxy request comprises: extracting the proxy page, the request device information and the signature information generated in each interaction process from the log information, and calculating the feature similarity; determining the association relation between the feature similarity and abnormal page proxy requests based on historical log information, where the historical log information is acquired from the historical interaction processes of the first application and the second application; determining the weight of each feature similarity based on the association relation; and weighting the feature similarities with their respective weights to obtain the abnormal probability.
For example, suppose the user initiates the same page proxy request N times within a period of time. The proxy page similarity, the request device information similarity and the signature information similarity are calculated over the N requests, so as to determine whether the current proxy page is the same as the proxy page of the previous N-1 requests, whether the current request device is the same as the request device of the previous N-1 requests, and whether the current signature information is the same as the signature information of the previous N-1 requests. If any one of these features differs from the previous ones, the current page proxy request may be at risk. Suppose the historical log information shows that the proxy page similarity is most closely associated with abnormal page proxy requests, followed by the signature information similarity, and then the request device information similarity. Expressed as weights, the proxy page similarity has the highest weight: the current page proxy request is most likely to be an abnormal page proxy request when the proxy page is abnormal, next most likely when the signature information is abnormal, and then when the request device is abnormal (for example, the request device has been replaced). Finally, the feature similarities are weighted with their respective weights to obtain the abnormal probability.
According to the embodiment of the application, changes in dimensions such as the request device, the signature information and the proxy page are considered together, the association relation between each dimension's feature and abnormal page proxy requests is determined based on the historical log information, and the abnormal probability is finally obtained. This avoids the one-sidedness of judging by a single dimension's feature and reduces the probability of misjudgment. Calculating the abnormal probability quantifies the risk, so that countermeasures can be taken in time, the occurrence of risk events is reduced, and the security of application interaction is improved.
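The two-threshold decision of fig. 6 and the weighted similarity score, as an added Python example that is not part of the patent text. The patent gives no formulas, so the following are assumptions: similarity is the share of the previous N-1 requests that match the current one, each weight is the normalized rate at which historical changes of that feature were abnormal, and the abnormal probability is the weighted sum of (1 - similarity). All names, thresholds and log records are constructed.

```python
from dataclasses import dataclass

FEATURES = ("proxy_page", "signature", "device")


@dataclass(frozen=True)
class Interaction:
    """One logged interaction between the first and second application."""
    ts: float          # request time in seconds
    proxy_page: str
    signature: str
    device: str


def learn_weights(history):
    """Derive feature weights from historical logs.

    history: iterable of (changed_features, was_abnormal) pairs, where
    changed_features is the set of features that differed in that interaction.
    """
    rates = {}
    for feature in FEATURES:
        outcomes = [abnormal for changed, abnormal in history if feature in changed]
        rates[feature] = sum(outcomes) / len(outcomes) if outcomes else 0.0
    total = sum(rates.values())
    if total == 0:  # no usable history: fall back to equal weights
        return {feature: 1 / len(FEATURES) for feature in FEATURES}
    return {feature: rate / total for feature, rate in rates.items()}


def similarity(current, previous, feature):
    """Share of the previous N-1 interactions whose feature equals the current one."""
    if not previous:
        return 1.0
    same = sum(getattr(p, feature) == getattr(current, feature) for p in previous)
    return same / len(previous)


def assess(requests, weights, window_s=60, freq_threshold=5, prob_threshold=0.4):
    """Return (action, abnormal_probability) for the newest request.

    requests must be ordered by time; the last element is the current request.
    """
    current = requests[-1]
    recent = [r for r in requests if current.ts - r.ts < window_s]
    if len(recent) <= freq_threshold:      # S610 "no": frequency is not high
        return "continue", None
    previous = recent[:-1]
    probability = sum(                     # S620: weighted dissimilarity
        weights[f] * (1 - similarity(current, previous, f)) for f in FEATURES
    )
    if probability > prob_threshold:       # S630 "yes" -> S640
        return "warn", probability
    return "reverify", probability         # frequent but not abnormal: step-up check


# Constructed historical log: proxy page changes were abnormal 3 times out of 4,
# signature changes 2 out of 4, device changes 1 out of 4.
HISTORY = (
    [({"proxy_page"}, True)] * 3 + [({"proxy_page"}, False)]
    + [({"signature"}, True)] * 2 + [({"signature"}, False)] * 2
    + [({"device"}, True)] + [({"device"}, False)] * 3
)


def sample_requests(**changed):
    """Five identical constructed requests followed by one with `changed` fields."""
    base = dict(proxy_page="/pay", signature="sig-A", device="phone-1")
    earlier = [Interaction(ts=10.0 * i, **base) for i in range(5)]
    return earlier + [Interaction(ts=50.0, **{**base, **changed})]


if __name__ == "__main__":
    w = learn_weights(HISTORY)
    print(w)
    print(assess(sample_requests(proxy_page="/transfer"), w))
    print(assess(sample_requests(device="phone-2"), w))
```

With this constructed history the weights come out ordered proxy page, signature, device, matching the ordering used in the example in the text.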
Based on the application interaction method, the application further provides an application interaction device. The device will be described in detail below in connection with fig. 7.
Fig. 7 schematically shows a block diagram of an application interaction device according to an embodiment of the application.
As shown in fig. 7, the application interaction device 700 of this embodiment includes a token information generation module 710, a proxy page link acquisition module 720, a verification module 730, and an application access module 740.
The token information generating module 710 is configured to generate token information based on a page proxy request sent by the first application server, and send the token information to the first application server, where the page proxy request includes user request information, request device information, proxy encryption key information, and signature information of the first application, and the token information includes a page proxy request and an access period of a proxy page. In an embodiment, the token information generation module 710 may be configured to perform the operation S210 described above, which is not described herein.
The proxy page link obtaining module 720 is configured to receive a proxy page link sent by the first application server, where the proxy page link is obtained by adding token information to a uniform resource locator of the proxy page by the first application server. In an embodiment, the proxy page link obtaining module 720 may be configured to perform the operation S220 described above, which is not described herein.
And the verification module 730 is configured to verify the token information and the uniform resource locator in the proxy page link if the current access time is within the access period. In an embodiment, the verification module 730 may be configured to perform the operation S230 described above, which is not described herein.
The application access module 740 is configured to destroy the token information if the verification passes, update the proxy page link, and send the updated proxy page link to the first application server, so that the first application server calls the updated proxy page link to access the second application. In an embodiment, the application access module 740 may be configured to perform the operation S240 described above, which is not described herein.
According to the embodiment of the application, the application interaction device 700 can be used to add the token information generated by the proxied application to the proxy page link generated by the proxy application, so that both the identity of the user and the compliance of the proxy application's identity can be verified when the user accesses the proxied application through the proxy application. Identity authentication can be completed rapidly, which improves the security and speed of application interaction. The token is destroyed after identity authentication passes, which prevents the risk of an attacker forging requests from the token information to carry out replay attacks and greatly improves interaction security.
In some embodiments, the token information generation module 710 is specifically configured to decrypt the encrypted request information sent by the first application server by using its own asymmetric encryption private key, where the encrypted request information is obtained by encrypting the user request information, the request device information, and the proxy encryption key information by using the asymmetric encryption public key of the second application server, verify the encrypted signature information sent by the first application server by using the asymmetric encryption public key of the first application server, where the encrypted signature information is obtained by encrypting the signature information by using its own asymmetric encryption private key by the first application server, and if the decrypted request information is correct and passes the verification, generate the token information and encrypt the token information and send the encrypted token information to the first application server.
In some embodiments, the application interaction device 700 is further specifically configured to encrypt the token information with an asymmetric encryption public key of the first application server before receiving the proxy page link sent by the first application server, and send the encrypted token information to the first application server, so that the first application server decrypts the received token information by using its own asymmetric encryption private key, and adds the decrypted token information to the uniform resource locator, and then encrypts the token information with the symmetric encryption key to generate the proxy page link.
In some embodiments, the application access module 740 is specifically configured to re-add the access deadline to the url, update the url, redirect the updated url to obtain a redirect link, where the redirect operation is used to jump the access request of the user to the second application to the redirect link, encrypt the redirect link based on the proxy encryption key information to obtain an encrypted redirect link, and use the encrypted redirect link as an updated proxy page link.
In some embodiments, the application interaction device 700 is specifically further configured to compare a relationship between a request frequency of the page proxy request and a first preset threshold value if the page proxy request is received for multiple times within a preset time period, comprehensively analyze log information generated in each interaction process between the first application and the second application if the request frequency is greater than the first preset threshold value, determine an abnormal probability of the current page proxy request, and generate and return early warning information to the first application if the abnormal probability is greater than the second preset threshold value, where the early warning information characterizes risk information existing in the current page proxy request.
In some embodiments, the application interaction device 700 is specifically further configured to extract proxy page, request device information and signature information generated in each interaction process from log information, and calculate feature similarity, where the feature similarity includes proxy page similarity, request device information similarity and signature information similarity, determine an association relationship between the feature similarity and an abnormal page proxy request based on historical log information, where the historical log information is acquired according to a historical interaction process of the first application and the second application, determine weights of the feature similarity based on the association relationship, and weight the feature similarity and its respective weights to obtain an abnormal probability.
Any of the token information generation module 710, the proxy page link acquisition module 720, the verification module 730, and the application access module 740 may be combined in one module or any of the modules may be split into multiple modules according to an embodiment of the present application. Or at least some of the functionality of one or more of the modules may be combined with, and implemented in, at least some of the functionality of other modules. According to embodiments of the application, at least one of the token information generation module 710, the proxy page link acquisition module 720, the verification module 730, and the application access module 740 may be implemented at least in part as hardware circuitry, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or in hardware or firmware in any other reasonable manner of integrating or packaging the circuitry, or in any one of or a suitable combination of three of software, hardware, and firmware. Or at least one of the token information generation module 710, the proxy page link acquisition module 720, the verification module 730, and the application access module 740 may be at least partially implemented as a computer program module that, when executed, may perform the corresponding functions.
Fig. 8 schematically shows a block diagram of an electronic device adapted to implement an application interaction method according to an embodiment of the application.
As shown in fig. 8, an electronic device 800 according to an embodiment of the present application includes a processor 801 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 802 or a program loaded from a storage section 808 into a Random Access Memory (RAM) 803. The processor 801 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or an associated chipset and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), or the like. The processor 801 may also include on-board memory for caching purposes. The processor 801 may comprise a single processing unit or multiple processing units for performing the different actions of the method flows according to embodiments of the application.
In the RAM 803, various programs and data required for the operation of the electronic device 800 are stored. The processor 801, the ROM 802, and the RAM 803 are connected to each other by a bus 804. The processor 801 performs various operations of the method flow according to the embodiment of the present application by executing programs in the ROM 802 and/or the RAM 803. Note that the program may be stored in one or more memories other than the ROM 802 and the RAM 803. The processor 801 may also perform various operations of the method flow according to embodiments of the present application by executing programs stored in the one or more memories.
According to an embodiment of the application, the electronic device 800 may further comprise an input/output (I/O) interface 805, the input/output (I/O) interface 805 also being connected to the bus 804. The electronic device 800 may also include one or more of an input portion 806 including a keyboard, a mouse, etc., an output portion 807 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), etc., and a speaker, etc., a storage portion 808 including a hard disk, etc., and a communication portion 809 including a network interface card such as a LAN card, a modem, etc., connected to an input/output (I/O) interface 805. The communication section 809 performs communication processing via a network such as the internet. The drive 810 is also connected to an input/output (I/O) interface 805 as needed. A removable medium 811 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 810 as needed so that a computer program read out therefrom is mounted into the storage section 808 as needed.
The present application also provides a computer-readable storage medium that may be included in the apparatus/device/system described in the above embodiments, or may exist alone without being assembled into the apparatus/device/system. The computer-readable storage medium carries one or more programs which, when executed, implement methods in accordance with embodiments of the present application.
According to embodiments of the application, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example, but is not limited to, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the application, the computer-readable storage medium may include ROM 802 and/or RAM 803 and/or one or more memories other than ROM 802 and RAM 803 described above.
Embodiments of the present application also include a computer program product comprising a computer program containing program code for performing the method shown in the flowcharts. When the computer program product is run on a computer system, the program code causes the computer system to carry out the application interaction method provided by the embodiments of the present application.
The above-described functions defined in the system/apparatus of the embodiment of the present application are performed when the computer program is executed by the processor 801. The systems, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the application.
In one embodiment, the computer program may be based on a tangible storage medium such as an optical storage device, a magnetic storage device, or the like. In another embodiment, the computer program may also be transmitted, distributed, and downloaded and installed in the form of a signal on a network medium, and/or from a removable medium 811 via a communication portion 809. The computer program may comprise program code that is transmitted using any appropriate network medium, including but not limited to wireless, wireline, etc., or any suitable combination of the preceding.
In such an embodiment, the computer program may be downloaded and installed from a network via the communication section 809, and/or installed from the removable media 811. The above-described functions defined in the system of the embodiment of the present application are performed when the computer program is executed by the processor 801. The systems, devices, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the application.
According to embodiments of the present application, program code for carrying out the computer programs provided by embodiments of the present application may be written in any combination of one or more programming languages; in particular, such computer programs may be implemented in high-level procedural and/or object-oriented programming languages, and/or in assembly/machine languages. Programming languages include, but are not limited to, Java, C++, Python, C, or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., connected via the Internet using an Internet service provider).
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that the features recited in the various embodiments of the application can be combined in a variety of ways, even if such combinations are not explicitly recited in the present application. In particular, the features recited in the various embodiments of the application can be combined in various ways without departing from the spirit and teachings of the application. All such combinations fall within the scope of the application.

Claims (10)

1. An application interaction method, applied to a second application, the method comprising:
generating token information based on a page proxy request sent by a first application server and sending the token information to the first application server, wherein the page proxy request comprises user request information, request equipment information, proxy encryption key information and signature information of a first application, and the token information comprises the page proxy request and an access period of a proxy page;
receiving a proxy page link sent by the first application server, wherein the proxy page link is obtained by the first application server by adding the token information to a uniform resource locator of the proxy page;
If the current access time is within the access period, respectively checking the token information and the uniform resource locator in the proxy page link;
If the verification is passed, destroying the token information, updating the proxy page link and sending the proxy page link to the first application server so that the first application server calls the updated proxy page link to access the second application.
2. The method of claim 1, wherein generating and sending token information to the first application server based on the page proxy request sent by the first application server comprises:
decrypting the encryption request information sent by the first application server by using an asymmetric encryption private key of the first application server, wherein the encryption request information is obtained by encrypting the user request information, the request equipment information and the proxy encryption key information by the first application server by adopting an asymmetric encryption public key of a second application server;
verifying the encrypted signature information sent by the first application server by using an asymmetric encryption public key of the first application server, wherein the encrypted signature information is obtained by encrypting the signature information by the first application server by adopting an asymmetric encryption private key of the first application server;
and if the decrypted request information is correct and the verification is passed, generating the token information, encrypting the token information and sending the encrypted token information to the first application server.
3. The method of claim 2, wherein, prior to receiving the proxy page link sent by the first application server, the method further comprises:
encrypting the token information by using the asymmetric encryption public key of the first application server and sending the encrypted token information to the first application server, so that the first application server uses the asymmetric encryption private key of the first application server to decrypt the received token information, and adds the decrypted token information to the uniform resource locator and then encrypts the token information by using the symmetric encryption key to generate the proxy page link.
4. The method of claim 1, wherein the proxy page link is updated by:
re-adding the access deadline to the uniform resource locator and updating the uniform resource locator;
redirecting the updated uniform resource locator to obtain a redirecting link, wherein the redirecting operation is used for jumping an access request of a user to the second application to the redirecting link;
encrypting the redirection link based on the proxy encryption key information to obtain an encrypted redirection link;
and taking the encrypted redirection link as the updated proxy page link.
5. The method according to claim 1, wherein the method further comprises:
if the page proxy request is received for a plurality of times within a preset time period, comparing the request frequency of the page proxy request with a first preset threshold value;
if the request frequency is greater than the first preset threshold value, comprehensively analyzing log information generated in each interaction process of the first application and the second application, and determining the abnormal probability of the current page proxy request;
and if the abnormal probability is greater than a second preset threshold, generating early warning information and returning the early warning information to the first application, wherein the early warning information characterizes risk information of the current page proxy request.
6. The method of claim 5, wherein the comprehensively analyzing log information generated by the first application and the second application during each interaction to determine the anomaly probability of the current page proxy request comprises:
extracting the proxy page, the request equipment information and the signature information generated in each interaction process from the log information, and calculating feature similarity, wherein the feature similarity comprises proxy page similarity, request equipment information similarity and signature information similarity;
determining an association relation between the feature similarity and the abnormal page proxy request based on historical log information, wherein the historical log information is acquired according to a historical interaction process of the first application and the second application;
determining the weight of the feature similarity based on the association relation;
and weighting the feature similarity and the weight of each feature similarity to obtain the anomaly probability.
7. An application interaction device for a second application, the device comprising:
The system comprises a token information generation module, a first application server and a second application server, wherein the token information generation module is used for generating token information based on a page proxy request sent by the first application server and sending the token information to the first application server, the page proxy request comprises user request information, request equipment information, proxy encryption key information and signature information of a first application, and the token information comprises the page proxy request and an access period of a proxy page;
The proxy page link acquisition module is used for receiving a proxy page link sent by the first application server, wherein the proxy page link is obtained by adding the token information to a uniform resource locator of the proxy page by the first application server;
the verification module is used for respectively verifying the token information and the uniform resource locator in the proxy page link if the current access time is within the access period;
And the application access module is used for destroying the token information if the verification passes, updating the proxy page link and sending the proxy page link to the first application server so that the first application server can call the updated proxy page link to access the second application.
8. An electronic device, comprising:
one or more processors;
a memory for storing one or more computer programs,
characterized in that the one or more processors execute the one or more computer programs to implement the steps of the method according to any one of claims 1-6.
9. A computer readable storage medium having stored thereon a computer program or instructions, which when executed by a processor, implement the steps of the method according to any of claims 1 to 6.
10. A computer program product comprising a computer program or instructions which, when executed by a processor, implement the steps of the method according to any one of claims 1 to 6.
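The token lifecycle of claim 1 (issue a token with an access period, check the period, check the token and the URL, destroy the token on success), as an added Python example that is not code from the patent. The HMAC construction, the in-memory store, the host `app2.example` and all function names are assumptions made for illustration.

```python
import hashlib, hmac, secrets
from urllib.parse import parse_qs, urlencode, urlparse

SERVER_KEY = secrets.token_bytes(32)  # assumed MAC key held only by the second application
PROXY_PAGES = {("https", "app2.example", "/proxy/page")}  # hypothetical allow-list
_live = {}  # token id -> (expiry, request digest); stands in for a shared token store


def _mac(token_id, expiry, digest):
    msg = f"{token_id}.{expiry}.{digest}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(page_proxy_request, ttl_seconds, now):
    """Second application: bind a token to the request and an access period."""
    token_id = secrets.token_urlsafe(16)
    expiry = int(now) + ttl_seconds
    canonical = repr(sorted(page_proxy_request.items())).encode()
    digest = hashlib.sha256(canonical).hexdigest()
    _live[token_id] = (expiry, digest)
    return f"{token_id}.{expiry}.{_mac(token_id, expiry, digest)}"


def build_proxy_link(page_url, token):
    """First application server: add the token to the proxy page URL."""
    return f"{page_url}?{urlencode({'token': token})}"


def verify_and_consume(link, now):
    """Second application: accept a link at most once, inside its access period."""
    parts = urlparse(link)
    token = parse_qs(parts.query).get("token", [""])[0]
    try:
        token_id, expiry_text, mac = token.split(".")
        expiry = int(expiry_text)
    except ValueError:
        return "bad-token"
    record = _live.get(token_id)
    if record is None:
        return "unknown-or-used"
    if now > record[0]:  # the period is read from the store, not trusted from the link
        _live.pop(token_id, None)
        return "expired"
    expected = _mac(token_id, *record)
    if expiry != record[0] or not hmac.compare_digest(mac.encode(), expected.encode()):
        return "bad-token"
    if (parts.scheme, parts.netloc, parts.path) not in PROXY_PAGES:
        return "bad-url"
    if _live.pop(token_id, None) is None:  # destroy on success; a replay finds nothing
        return "unknown-or-used"
    return "ok"
```

With more than one server instance, the final `pop` has to be an atomic delete in the shared store so that two concurrent uses of the same link cannot both succeed.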

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202511821837.7A CN121333815A (en) 2025-12-05 2025-12-05 Application interaction method, device, apparatus, medium and program product

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202511821837.7A CN121333815A (en) 2025-12-05 2025-12-05 Application interaction method, device, apparatus, medium and program product

Publications (1)

Publication Number Publication Date
CN121333815A true CN121333815A (en) 2026-01-13

Family

ID=98348009

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202511821837.7A Pending CN121333815A (en) 2025-12-05 2025-12-05 Application interaction method, device, apparatus, medium and program product

Country Status (1)

Country Link
CN (1) CN121333815A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination