CN112995186A

CN112995186A - Improvement method and system suitable for MQTT service safety guarantee

Info

Publication number: CN112995186A
Application number: CN202110253977.4A
Authority: CN
Inventors: 吴光需; 梁志婷
Original assignee: Shanghai Minglue Artificial Intelligence Group Co Ltd
Current assignee: Shanghai Minglue Artificial Intelligence Group Co Ltd
Priority date: 2021-03-09
Filing date: 2021-03-09
Publication date: 2021-06-18

Abstract

The application discloses an improvement method and system suitable for MQTT service safety guarantee, and the improvement method comprises the following steps: a request step: the client sends a request to the server; a pretreatment step: the server side records the request information of the request and then asynchronously synchronizes the request to the security policy technology computation server; generating protection strategy configuration: the security policy calculation server dynamically calculates and generates protection policy configuration according to the request and the request information; security policy adaptation processing step: and the server side stores the protection strategy configuration and performs security strategy adaptation processing when the client side sends a request next time. Aiming at protection of malicious attacks, on the premise of updating of protection strategy channels commonly used in the industry, response actions and information processing with lower performance loss and random rules are designed, and rules of security protection of a malicious client to a server are disturbed.

Description

Improvement method and system suitable for MQTT service safety guarantee

Technical Field

The invention belongs to the field of improvement of MQTT service security guarantee, and particularly relates to a method and a system for improving MQTT service security guarantee.

Background

The popularity of a communication scene designed based on an MQTT protocol is very high at present, but malicious attacks, particularly large concurrent attacks, suffered by a server are conventional topics in the field of network security, and the scheme aims to solve the malicious attacks, particularly the large concurrent attacks.

For example, according to the security protection method and system applicable to mqtt, a back-end server is combined with rules such as parameters for recording malicious requests of attackers and request frequency to form rules, the rules are configured and synchronized to nodes of a server, and the nodes operated by the server in normal operation are used for protection processing of the malicious requests.

Disadvantages of the first prior art

1: the server master node which operates normally is relied on to intercept the client which processes the malicious request, thereby seriously consuming the performance of the server which operates normally and reducing the service processing capacity of the server.

2: the method is not flexible enough due to the fact that the front-end server cluster is seriously depended on, the load of each server node of the front-end server cluster is unbalanced, the avalanche effect (the servers cannot bear excessive load pressure one by one and then crash, the load pressure is transferred to the next server) can be caused, and the operation and maintenance pressure on the servers is very high.

Disclosure of Invention

The embodiment of the application provides an improvement method and a system suitable for MQTT service safety guarantee, wherein the improvement method comprises the following steps:

a request step: the client sends a request to the server;

a pretreatment step: the server side records the request information of the request and then asynchronously synchronizes the request to the security policy technology computation server;

generating protection strategy configuration: the security policy calculation server dynamically calculates and generates protection policy configuration according to the request and the request information;

security policy adaptation processing step: and the server side stores the protection strategy configuration and performs security strategy adaptation processing when the client side sends a request next time.

The above improvement method further includes a malicious request processing step: and judging each request and outputting a judgment result, and processing the request by the server according to the judgment result.

The above improvement method, wherein the request information includes: request parameters, request IP, and request time.

The above improvement method, wherein the malicious request processing step includes:

a judging step: judging whether the request is a malicious request or not, and obtaining a judgment result;

and a judgment result processing step: if the judgment result is a non-malicious request, the server side sends the request to a service processing server for processing; if the judgment result is a malicious request, the server actively closes the request and transfers the request to a malicious request acceptance server for hosting.

In the above improvement method, the malicious request acceptance server attempts to reversely encroach the client sending the malicious request by using the malicious parameters of the malicious request client accumulated by random delay response, random disconnection and random response history.

The invention also comprises an improvement system suitable for MQTT service safety guarantee, wherein the improvement system comprises:

the server receives a request sent by the client and records request information of the request;

and the server side asynchronously synchronizes the request to the security policy technical calculation server, the security policy calculation server dynamically calculates and generates protection policy configuration according to the request and the request information, and the server side stores the protection policy configuration and performs security policy adaptation processing when the client side sends the request next time.

The above improvement system, wherein, still include:

and the malicious request processing unit is used for judging each request and outputting a judgment result, and the server side processes the requests according to the judgment result.

The above improvement system, wherein the request information includes: request parameters, request IP, and request time.

The above improvement system, wherein the malicious request processing unit includes:

the judging module is used for judging whether the request is a malicious request or not and obtaining a judging result;

if the judgment result is a non-malicious request, the server sends the request to the service processing server for processing;

and if the judgment result is that the request is a malicious request, the server actively closes the request and transfers the request to a malicious request acceptance server for hosting.

In the above improvement system, the malicious request acceptance server attempts to reversely encroach the client sending the malicious request by using the malicious parameters of the malicious request client accumulated by random delay response, random disconnection and random response history.

The invention has the beneficial effects that:

1. aiming at protection of malicious attacks, response actions and information processing with lower performance loss and random rules are designed on the premise of updating protection strategy channels based on industry general use, and rules of malicious clients for protecting server safety are disturbed

2. The safety protection capability of the server is improved, the influence on normal service processing is reduced, and even the attack cost of a malicious attack client and the research period of server attack are increased.

Drawings

The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application.

In the drawings:

FIG. 1 is a flow chart of an improved method for MQTT service security assurance;

FIG. 2 is a flow chart illustrating the substeps of step S5 in FIG. 1;

FIG. 3 is an application flow diagram of an improved method for MQTT service security assurance;

FIG. 4 is a schematic structural diagram of an improved system suitable for MQTT service security guarantee;

fig. 5 is a block diagram of a computer device according to an embodiment of the present invention.

Detailed Description

In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be described and illustrated below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments provided in the present application without any inventive step are within the scope of protection of the present application.

It is obvious that the drawings in the following description are only examples or embodiments of the present application, and that it is also possible for a person skilled in the art to apply the present application to other similar contexts on the basis of these drawings without inventive effort. Moreover, it should be appreciated that in the development of any such actual implementation, as in any engineering or design project, numerous implementation-specific decisions must be made to achieve the developers' specific goals, such as compliance with system-related and business-related constraints, which may vary from one implementation to another.

Reference in the specification to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the specification. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of ordinary skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments without conflict.

Unless defined otherwise, technical or scientific terms referred to herein shall have the ordinary meaning as understood by those of ordinary skill in the art to which this application belongs. Reference to "a," "an," "the," and similar words throughout this application are not to be construed as limiting in number, and may refer to the singular or the plural. The present application is directed to the use of the terms "including," "comprising," "having," and any variations thereof, which are intended to cover non-exclusive inclusions; for example, a process, method, system, article, or apparatus that comprises a list of steps or modules (elements) is not limited to the listed steps or elements, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. Reference to "connected," "coupled," and the like in this application is not intended to be limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. The term "plurality" as referred to herein means two or more. "and/or" describes an association relationship of associated objects, meaning that three relationships may exist, for example, "A and/or B" may mean: a exists alone, A and B exist simultaneously, and B exists alone. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship. Reference herein to the terms "first," "second," "third," and the like, are merely to distinguish similar objects and do not denote a particular ordering for the objects.

The present invention is described in detail with reference to the embodiments shown in the drawings, but it should be understood that these embodiments are not intended to limit the present invention, and those skilled in the art should understand that functional, methodological, or structural equivalents or substitutions made by these embodiments are within the scope of the present invention.

Before describing in detail the various embodiments of the present invention, the core inventive concepts of the present invention are summarized and described in detail by the following several embodiments.

Referring to fig. 1, fig. 1 is a flowchart of an improved method for MQTT service security assurance. As shown in fig. 1, the method for improving MQTT service security assurance of the present invention includes:

request step S1: the client sends a request to the server;

preprocessing step S2: the server side records the request information of the request and then asynchronously synchronizes the request to the security policy technology computation server;

generating protection policy configuration step S3: the security policy calculation server dynamically calculates and generates protection policy configuration according to the request and the request information;

security policy adaptation processing step S4: the server side stores the protection strategy configuration and performs security strategy adaptation processing when the client side sends a request next time;

malicious request processing step S5: and judging each request and outputting a judgment result, and processing the request by the server according to the judgment result.

Further, wherein the request information includes: request parameters, request IP, and request time.

Referring to fig. 2, fig. 2 is a flowchart illustrating step S5 in fig. 1. As shown in fig. 2, the malicious request processing step S5 includes:

determination step S51: judging whether the request is a malicious request or not, and obtaining a judgment result;

determination result processing step S52: if the judgment result is a non-malicious request, the server side sends the request to a service processing server for processing; if the judgment result is a malicious request, the server actively closes the request and transfers the request to a malicious request acceptance server for hosting.

Still further, the malicious request acceptance server tries to invade the client sending the malicious request reversely by adopting the malicious parameters of the malicious request client accumulated by random delay response, random disconnection and random response history.

Hereinafter, the method for improving MQTT service security according to the present invention will be described in detail with reference to the following examples.

The first embodiment is as follows:

the invention combines the existing MQTT safety protection schemes commonly used in many industries, such as: the front-end gateway records parameters, request frequency, IP, time law and the like of a client request and sends the parameters, the request frequency, the IP, the time law and the like to the back-end strategy calculation server, the back-end strategy calculation server synchronizes to the gateway after calculating the safety protection strategy configuration, and the gateway accepts and actively closes the request. The scheme is characterized in that after the rear-end strategy computing server is computed into the safety protection strategy configuration and is synchronized to the front-end server, when the server identifies that the current request is a malicious request through the strategy configuration, part of the malicious requests can be closed or the malicious requests can be forwarded to a malicious request acceptance server connected to the socket long connection shared by a server cluster for processing, the process belongs to message forwarding in the computer principle, the performance of the server can not be influenced basically, the malicious request acceptance server can disturb and maintain data of the MQTT long connection of the malicious requests and return protected and disturbed data, and all operations of the malicious request acceptance server are pure memory-level operations, so that a malicious request client side is as follows: and performing slow request response processing and error character response processing measures, disturbing the security policy processing logic of the malicious request client to the server, and reversely invading the performance of the malicious request client.

In the security protection of the malicious request, the invention reversely occupies the performance of the malicious request client under the premise of maintaining the normal operation of the server as much as possible, thereby achieving more dynamic security protection.

The following is specifically described with reference to fig. 3, and as shown in the detailed description of the flow of the present invention shown in fig. 3, the specific steps are as follows:

1: client requests server to send message

2: the server accepts/authenticates the client request, records the client request parameters, IP, time and other information

3: the server side asynchronously synchronizes the client request to the security policy technical computation server

4: the security policy calculation server dynamically calculates protection policy configuration by combining parameters such as parameters, IP (Internet protocol), time and the like of a client request group, such as: and the processing of logging more than 3 times in 1 minute, logging error more than 2 times, request more than 5 times in the same IP one minute or request more than 2 times in the same second is randomly closed and randomly forwarded to a malicious request acceptance server for hosting, the policy configuration is actively synchronized to the server, and the process gradually generates stricter configuration aiming at the clients suspected of similar information.

5: the server side stores the security policy configuration of the security policy calculation server, and performs security policy adaptation processing when the client side requests next time.

6: and finally submitting the non-malicious request acceptance to a service server for processing, belonging to normal service operation.

7: the server side is randomly and actively closed and transferred to a malicious request acceptance server for hosting malicious requests

8: the malicious request server randomly delays response, randomly disconnects and randomly responds to malicious parameters of the malicious request client accumulated in history and tries to reversely invade the malicious client.

Example two:

referring to fig. 4, fig. 4 is a schematic structural diagram of an improvement system for MQTT service security assurance. As shown in fig. 4, the present invention further includes an improvement system for MQTT service security assurance, wherein the improvement system includes:

Wherein, improve the system and still include:

Wherein the request information includes: request parameters, request IP, and request time.

Wherein the malicious request processing unit includes:

The malicious request acceptance server tries to invade the client sending the malicious request reversely by adopting the malicious parameters of the malicious request client accumulated by random delay response, random disconnection and random response history.

Example three:

referring to FIG. 5, the embodiment discloses an embodiment of a computer device. The computer device may comprise a processor 81 and a memory 82 in which computer program instructions are stored.

Specifically, the processor 81 may include a Central Processing Unit (CPU), or A Specific Integrated Circuit (ASIC), or may be configured to implement one or more Integrated circuits of the embodiments of the present Application.

Memory 82 may include, among other things, mass storage for data or instructions. By way of example, and not limitation, memory 82 may include a Hard Disk Drive (Hard Disk Drive, abbreviated to HDD), a floppy Disk Drive, a Solid State Drive (SSD), flash memory, an optical Disk, a magneto-optical Disk, tape, or a Universal Serial Bus (USB) Drive or a combination of two or more of these. Memory 82 may include removable or non-removable (or fixed) media, where appropriate. The memory 82 may be internal or external to the data processing apparatus, where appropriate. In a particular embodiment, the memory 82 is a Non-Volatile (Non-Volatile) memory. In particular embodiments, Memory 82 includes Read-Only Memory (ROM) and Random Access Memory (RAM). The ROM may be mask-programmed ROM, Programmable ROM (PROM), Erasable PROM (EPROM), Electrically Erasable PROM (EEPROM), Electrically rewritable ROM (EAROM), or FLASH Memory (FLASH), or a combination of two or more of these, where appropriate. The RAM may be a Static Random-Access Memory (SRAM) or a Dynamic Random-Access Memory (DRAM), where the DRAM may be a Fast Page Mode Dynamic Random-Access Memory (FPMDRAM), an Extended data output Dynamic Random-Access Memory (EDODRAM), a Synchronous Dynamic Random-Access Memory (SDRAM), and the like.

The memory 82 may be used to store or cache various data files for processing and/or communication use, as well as possible computer program instructions executed by the processor 81.

The processor 81 reads and executes the computer program instructions stored in the memory 82 to implement any one of the above-mentioned embodiments of the improved method for MQTT service security assurance.

In some of these embodiments, the computer device may also include a communication interface 83 and a bus 80. As shown in fig. 5, the processor 81, the memory 82, and the communication interface 83 are connected via the bus 80 to complete communication therebetween.

The communication interface 83 is used for implementing communication between modules, devices, units and/or equipment in the embodiment of the present application. The communication port 83 may also be implemented with other components such as: the data communication is carried out among external equipment, image/data acquisition equipment, a database, external storage, an image/data processing workstation and the like.

Bus 80 includes hardware, software, or both to couple the components of the computer device to each other. Bus 80 includes, but is not limited to, at least one of the following: data Bus (Data Bus), Address Bus (Address Bus), Control Bus (Control Bus), Expansion Bus (Expansion Bus), and Local Bus (Local Bus). By way of example, and not limitation, Bus 80 may include an Accelerated Graphics Port (AGP) or other Graphics Bus, an Enhanced Industry Standard Architecture (EISA) Bus, a Front-Side Bus (FSB), a Hyper Transport (HT) Interconnect, an ISA (ISA) Bus, an InfiniBand (InfiniBand) Interconnect, a Low Pin Count (LPC) Bus, a memory Bus, a microchannel Architecture (MCA) Bus, a PCI (Peripheral Component Interconnect) Bus, a PCI-Express (PCI-X) Bus, a Serial Advanced Technology Attachment (SATA) Bus, a Video Electronics Bus (audio Electronics Association), abbreviated VLB) bus or other suitable bus or a combination of two or more of these. Bus 80 may include one or more buses, where appropriate. Although specific buses are described and shown in the embodiments of the application, any suitable buses or interconnects are contemplated by the application.

The computer device may implement the method described in connection with fig. 1-2 based on an improved method for MQTT service security assurance.

In addition, in combination with the method for managing data in the foregoing embodiments, embodiments of the present application may provide a computer-readable storage medium to implement. The computer readable storage medium having stored thereon computer program instructions; the computer program instructions, when executed by the processor, implement an improved method for MQTT service security assurance in the above embodiments.

The technical features of the embodiments described above may be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the embodiments described above are not described, but should be considered as being within the scope of the present specification as long as there is no contradiction between the combinations of the technical features.

In summary, the method for improving the MQTT service security assurance has the advantages that aiming at protection against malicious attacks, response actions and information processing with lower performance loss and random rules are designed on the premise of updating protection strategy channels commonly used in the industry, and the rules of server security protection by malicious clients are disturbed; the safety protection capability of the server is improved, the influence on normal service processing is reduced, and even the attack cost of a malicious attack client and the research period of server attack are increased.

The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims

1. An improvement method suitable for MQTT service security guarantee is characterized by comprising the following steps:

a request step: the client sends a request to the server;

2. The method for improving MQTT service security assurance of claim 1, further comprising:

and a malicious request processing step: and judging each request and outputting a judgment result, and processing the request by the server according to the judgment result.

3. The method for improving MQTT service security assurance of claim 1, wherein the request information includes: request parameters, request IP, and request time.

4. The improved method for MQTT service security assurance according to claim 2, wherein the malicious request processing step includes:

5. The method for improving MQTT service security assurance as claimed in claim 4, wherein the malicious request acceptance server attempts to back-invade the client sending the malicious request by using malicious parameters of the malicious request client accumulated by random delay response, random disconnection and random response history.

6. An improvement system suitable for MQTT service security assurance is characterized by comprising:

7. The system for improving MQTT service security assurance of claim 6, further comprising:

8. The system for improving MQTT service security assurance of claim 6, wherein the request information includes: request parameters, request IP, and request time.

9. The system for improving MQTT service security applicable according to claim 7, wherein the malicious request processing unit includes:

10. The system for improving MQTT service security assurance of claim 9, wherein the malicious request acceptance server attempts to back-invade the client sending the malicious request by using malicious parameters of the malicious request client accumulated by random delay response, random disconnection and random response history.