Resource overload method and system based on traffic hijacking

Abstract

The application discloses a resource reloading method and system based on traffic hijacking, wherein the method comprises the following steps: hijacking a first request, sending a second data packet to a terminal, wherein the second data packet comprises a detection service instruction and a reloading service instruction; executing a detection task based on the detection service instruction; obtaining a first DOM node and its attribute based on the reloading service instruction; constructing a first label according to the attribute of the first DOM node; generating a second DOM node according to the first label and inserting the second DOM node into a DOM rendering sequence; sending a second request to make a re-request, and thus realizing resource reloading of the original request. According to the method, the attribute of the original request can be dynamically judged, and a request completely consistent with the original request is constructed to restore the original request resource, so that the hijackable resources are more, the hijacking success rate is high, the loading sequence of the hijacked request resource after restoration is consistent with the original request, and the association between the original resource and the page is not affected.

Description

Technical Field

[0001] This disclosure relates to the field of network information security technology, and in particular to a resource reloading method and system based on traffic hijacking. Background Technology

[0002] In government departments and enterprises with high data confidentiality levels or strict network security requirements, in order to avoid direct or indirect connections between the local area network (LAN) and the Internet, which could increase security risks within the LAN, physical isolation between the LAN and the Internet is generally adopted. A dedicated network is used to connect the headquarters and branches, thus physically preventing dangerous threats to the confidential LAN from entering from the Internet or other external networks.

[0003] However, such physical isolation is not absolutely secure, because there will always be network interfaces that network administrators cannot monitor in real time. This may lead to difficult-to-control human-caused cross-connection and interconnection between internal and external networks, posing a threat to network security and data security within the local area network.

[0004] For network environments with strict data and information security and confidentiality requirements, there are generally confidentiality requirements such as not allowing simultaneous connection to internal and external networks, and not allowing the unauthorized download of internal network web page resources to be opened on external networks.

[0005] To detect such violations, existing technologies typically employ real-time traffic mirroring and man-in-the-middle hijacking techniques. However, with the diversification of front-end deployments and request methods, the original synchronous request method after hijacking is highly likely to cause changes in the order of JS loading requested by users, leading to page rendering failures or even large-scale page loading errors, resulting in a poor user experience. Therefore, this hijacking detection method may be abandoned.

[0006] Meanwhile, man-in-the-middle hijacking techniques generally disrupt the acquisition of hijacked resources. If the hijacked resource is a relatively important page resource or is related to other requested resources, the hijacking detection process will disrupt the stability of the page where the hijacked request is located, resulting in a poor user experience and thus affecting the application and promotion of the detection technology. Summary of the Invention

[0007] In view of this, the present disclosure provides a resource reloading method and system based on traffic hijacking, which can not only meet the preset detection requirements, but also ensure that there are many hijackable resources, a high hijacking success rate, and ensure that the loading order of the hijacked request resources after recovery is consistent with the original request, without affecting the original resource association relationship.

[0008] In a first aspect, embodiments of this disclosure provide a resource reloading method based on traffic hijacking, including:

[0009] The first request is intercepted, and a second data packet is sent to the terminal. The second data packet includes a detection service instruction and a reload service instruction.

[0010] Execute the detection task based on the aforementioned detection service instruction;

[0011] The first DOM node and its attributes are obtained based on the overloaded business instructions.

[0012] A first tag is constructed based on the attributes of the first DOM node; the DOM attributes in the first tag are consistent with the attributes of the first DOM node;

[0013] Generate a second DOM node based on the first tag, insert it into the DOM rendering sequence, and send a second request;

[0014] Determine whether the resource information of the second request is consistent with the resource information of the first request; if they are consistent, determine that the second request is a resource overload request and do not hijack it; otherwise, hijack the second request.

[0015] Optionally, the second data packet is a forged data packet, and the method for obtaining the forged data packet is as follows:

[0016] Based on the first request, obtain first data packet information, which includes IP address, TCP / HTTP interaction data packet header attributes, and the URL of the first request;

[0017] Based on the information in the first datagram, determine whether the first request requires a true hijacking; if not, discard it.

[0018] If so, the forged datagram is constructed based on the first datagram information and the HTTP protocol rules.

[0019] Optionally, the method for determining whether the first request requires a true hijacking includes:

[0020] Determine whether the first request is a JS request based on the HTTP protocol. If so, determine that the first request needs to be truly hijacked.

[0021] If not, then the first request is determined to require a fake hijacking and is discarded.

[0022] Optionally, the original DOM node is the node to which the first request belongs.

[0023] Optionally, the node attributes include resource loading method, resource display method, resource language, and resource character encoding.

[0024] Optionally, the forged datagram may also include a self-correction service;

[0025] Based on the self-correction function, determine whether the new DOM node has been successfully inserted; if so, proceed normally.

[0026] If not, the terminal's browser will execute a full page reload command.

[0027] Optionally, the resource reload method includes: obtaining the first request by mirroring the request received by the core switch.

[0028] Secondly, this disclosure also provides a resource reload system based on traffic hijacking, comprising:

[0029] The hijacking module is configured to hijack the first request and obtain the resource information of the first request;

[0030] The data packet generation module is configured to obtain a second data packet based on the resource information of the first request; the second data packet includes a detection service instruction and a reload service instruction.

[0031] The reload triggering module is configured to send the forged data report to the terminal.

[0032] The execution module is configured to execute detection tasks based on the detection service instructions;

[0033] The overload module is configured to obtain the first DOM node and its attributes based on the overload business instruction;

[0034] A first tag is constructed based on the attributes of the first DOM node; the DOM attributes in the first tag are consistent with the attributes of the first DOM node;

[0035] The second DOM node is generated based on the first tag and inserted into the DOM rendering sequence, and the second request is sent.

[0036] Determine whether the resource information of the second request is consistent with the resource information of the first request; if they are consistent, determine that the second request is a resource overload request and do not hijack it; otherwise, hijack the second request.

[0037] Thirdly, this disclosure also provides an electronic device that adopts the following technical solution:

[0038] The electronic device includes:

[0039] At least one processor; and,

[0040] A memory communicatively connected to the at least one processor; wherein,

[0041] The memory stores instructions that can be executed by the at least one processor, which, when executed by the at least one processor, enables the at least one processor to perform any of the above-described resource reloading methods based on traffic hijacking.

[0042] Fourthly, embodiments of this disclosure also provide a computer-readable storage medium storing computer instructions for causing a computer to execute any of the above-described resource reloading methods based on traffic hijacking.

[0043] The resource reloading method based on traffic hijacking provided in this disclosure can effectively solve user experience problems such as page loading and rendering errors, unusable functions, and continuous reloading caused by existing detection technologies. This makes the detection technology more acceptable to customers and easier to promote, allowing it to play its due role in actual engineering projects.

[0044] The solution disclosed in this application addresses the recovery of the original request after violation detection based on traffic hijacking. The hijacking target is a JavaScript request. Based on the original request, the attributes of the original request are dynamically determined, and a request that is completely identical to the original request is constructed to restore the original request resource. This ensures that there are many hijackable resources and a high hijacking success rate, while also ensuring that the loading order of the hijacked request resource after recovery is consistent with the original request, without affecting the association between the original resource and other unhijacked requests on the terminal page.

[0045] The method disclosed in this application dynamically constructs the inserted network request process based on the original loading method of the hijacked request. At this point, the forged script (i.e., the forged datagram) has already been loaded into the DOM tree by the browser according to the original resource loading method. Therefore, based on the relevant attributes of the first request, the DOM rendering node of this resource request can be obtained from the browser. Then, based on the obtained DOM rendering node, it is analyzed whether the resource loading method is asynchronous or synchronous, and the specific attributes in the DOM node are analyzed. Finally, based on the analyzed loading method and node attributes, a JS request tag with the same attributes is constructed and inserted into the DOM rendering sequence, thus restoring the hijacked resource request to the greatest extent. Since this process generally occurs quickly (milliseconds), it ensures normal loading and display without duplicate detection.

[0046] The above description is merely an overview of the technical solution disclosed herein. In order to better understand the technical means of this disclosure and to implement it in accordance with the contents of the specification, and to make the above and other objects, features and advantages of this disclosure more apparent and understandable, preferred embodiments are described below in detail with reference to the accompanying drawings. Attached Figure Description

[0047] To more clearly illustrate the technical solutions of the embodiments of this disclosure, the drawings used in the embodiments will be briefly introduced below. Obviously, the drawings described below are only some embodiments of this disclosure. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0048] Figure 1 A flowchart illustrating the resource reloading method based on traffic hijacking provided in this embodiment of the disclosure;

[0049] Figure 2 A flowchart illustrating a method for obtaining forged data packets provided in this embodiment of the disclosure;

[0050] Figure 3 An application topology diagram of a specific embodiment provided in this disclosure;

[0051] Figure 4 This is a schematic diagram of the configuration of the detection device according to an embodiment of the present disclosure;

[0052] Figure 5 This is a schematic diagram of the configuration of a resource reload system based on traffic hijacking provided in an embodiment of this disclosure;

[0053] Figure 6 This is a schematic block diagram of an electronic device provided in an embodiment of the present disclosure. Detailed Implementation

[0054] The embodiments of this disclosure will now be described in detail with reference to the accompanying drawings.

[0055] It should be understood that the following specific examples illustrate the implementation of this disclosure, and those skilled in the art can easily understand other advantages and effects of this disclosure from the content disclosed in this specification. Obviously, the described embodiments are only a part of the embodiments of this disclosure, and not all of them. This disclosure can also be implemented or applied through other different specific implementation methods, and the details in this specification can also be modified or changed based on different viewpoints and applications without departing from the spirit of this disclosure. It should be noted that, in the absence of conflict, the following embodiments and features in the embodiments can be combined with each other. Based on the embodiments in this disclosure, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of this disclosure.

[0056] It should be noted that various aspects of embodiments within the scope of the appended claims are described below. It will be apparent that the aspects described herein can be embodied in a wide variety of forms, and any particular structure and / or function described herein is merely illustrative. Based on this disclosure, those skilled in the art will understand that one aspect described herein can be implemented independently of any other aspect, and two or more of these aspects can be combined in various ways. For example, any number of aspects set forth herein can be used to implement the device and / or practice the method. Additionally, this device and / or method can be implemented using structures and / or functionalities other than one or more of the aspects set forth herein.

[0057] It should also be noted that the illustrations provided in the following embodiments are only schematic representations of the basic concept of this disclosure. The drawings only show the components related to this disclosure and are not drawn according to the number, shape and size of the components in actual implementation. In actual implementation, the form, quantity and proportion of each component can be arbitrarily changed, and the layout of the components may also be more complex.

[0058] Furthermore, specific details are provided in the following description to facilitate a thorough understanding of the examples. However, those skilled in the art will understand that the described aspects can be practiced without these specific details.

[0059] Reference Figure 1 and Figure 2 This application discloses a resource reloading method based on traffic hijacking, which specifically includes the following steps:

[0060] S100, the first request sent by the terminal is intercepted and a second data packet is obtained. The second data packet is a forged data packet.

[0061] Specifically, the method for obtaining forged data packets is as follows:

[0062] A110, based on the first request, obtain the original datagram information (i.e., the first datagram information); wherein, the first datagram information includes the IP address, TCP / HTTP interaction datagram header attributes, and the URL of the first request.

[0063] A120 determines whether the first request requires true hijacking based on the original datagram information. If not, it is discarded; if so, the forged datagram is constructed based on the original datagram information and the HTTP protocol rules.

[0064] Furthermore, the methods for determining whether the first request requires a genuine hijacking include:

[0065] Determine whether the first request is a JS request based on the HTTP protocol. If it is, the first request is considered a genuine hijacking; otherwise, the first request is considered a fake hijacking and is discarded.

[0066] S200 sends a forged data packet to the terminal. The forged data packet includes a detection service instruction and a reload service instruction.

[0067] S300, the terminal executes detection tasks based on detection service instructions; specifically, the detection service instructions include preset detection script request tags, the purpose of which is to execute predicted detection tasks.

[0068] S400 obtains the first DOM node and its attributes based on overloaded business instructions. The attributes of the first DOM node include resource loading method, resource display method, resource language, and resource character encoding.

[0069] In this embodiment, the first DOM node is the node to which the first request belongs.

[0070] The first tag, namely the JS request tag, is constructed based on the attributes of the first DOM node. The DOM attributes of the JS request tag are the same as those of the first DOM node.

[0071] Among them, the reload service instruction includes a request reload tag, which is an instruction sent to the terminal to request reload.

[0072] S500 generates a second DOM node based on the JS request tag, inserts it into the DOM rendering sequence, and sends the second request.

[0073] S600, determine whether the resource information of the second request is consistent with the resource information of the first request; if consistent, determine that the second request is a resource reload request, and implement request reload without hijacking; otherwise, it means that the second request sent is a request sent by the terminal itself, rather than a reload request sent through hijacking, and hijack the second request, repeating S100 to S600.

[0074] Furthermore, the forged datagram also includes a self-correcting service instruction, which includes a self-correcting tag.

[0075] The terminal's browser determines whether the second DOM node was successfully inserted based on the self-correcting business instruction. If it was, it executes normally; otherwise, the terminal's browser executes the entire page reload instruction.

[0076] Specifically, a new DOM node (i.e., the second DOM node) is generated based on the JS request tag and inserted into the DOM rendering sequence to obtain a new DOM tree. The terminal browser determines whether the new DOM node exists in the new DOM tree based on the self-correction business logic. If it exists, it means that the insertion was successful.

[0077] Reference Figure 3 and Figure 4This will be explained in detail using the example of unauthorized external testing.

[0078] In this embodiment, the detection device intercepts the first request sent by any terminal, and then determines that the first request is a JS request based on the HTTP protocol based on the IP address, TCP interaction rules and URL of the first request. If the first request is indeed intercepted, it is analyzed and processed by the detection device.

[0079] In one embodiment, the hijacking of the first request is not carried out from the output of any terminal, but rather the request sent to the core switch is hijacked after being mirrored. That is, the first request is obtained by mirroring the request received by the core switch through a detection device.

[0080] The detection device is deployed in a bypass manner on the interface of the core switch of the network being detected. It has traffic mirroring and man-in-the-middle hijacking functions and can monitor the mirrored traffic content of the network being detected passing through the core switch.

[0081] In another embodiment, after any terminal issues a first request, the detection device intercepts the first request before it is sent to the core switch. The detection device analyzes the intercepted first request to determine whether a true hijacking is necessary. If a true hijacking is necessary, the device then performs a hijacking operation on the first request sent to the core switch after mirroring.

[0082] Specifically, the detection device includes a receiving module, an analysis module, a forgery module, and a transmitting module. The analysis module is signal-connected to the receiving module, the forgery module is signal-connected to the analysis module, and the transmitting module is signal-connected to the forgery module.

[0083] The receiving module is used to intercept the first request sent by the terminal. Specifically, the first request is a request that is first sent to the core switch and then intercepted. The analysis module is used to obtain the resource information of the first request. The forgery module is used to construct a forged data packet based on the resource information of the first request and the HTTP protocol rules. The forged data packet includes detection service, reload service and self-correction service. The sending module is used to send the forged data packet to the terminal.

[0084] Furthermore, the forged data packet contains a forgery script, which includes detection service instructions, reload service instructions, and self-correction service instructions.

[0085] In this embodiment, when the receiving module discovers a JS request based on the HTTP protocol that can be used for detection, it performs man-in-the-middle datagram forgery (i.e., constructs a forged datagram) and then responds to the terminal being detected.

[0086] When the browser of the terminal being tested receives the forged response, that is, after receiving the forged data packet, it will execute the external detection task according to the detection business. Specifically, the illegal external detection URL request tag is dynamically appended to the DOM rendering sequence. At this time, the detection purpose has been completed, that is, the detection and audit information recording of whether the terminal has made illegal external connections has been completed.

[0087] The terminal analyzes the original DOM nodes based on the reloaded service to obtain node attributes (i.e., obtain the first DOM node and its attributes); and constructs a JS request tag based on the node attributes, wherein the DOM attributes of the JS request tag are consistent with the attributes of the original DOM nodes.

[0088] A new DOM node (i.e., the second DOM node) is generated based on the JS request tag and inserted into the DOM rendering sequence, and a second request is sent. It should be noted that the second request is sent to the core switch. The detection device obtains the second request through mirrored traffic. If the resource information of the second request is consistent with that of the first request, it is determined that the second request is a resource reload request, and the detection device will not intercept the second request. If the resource information of the second request is inconsistent with that of the first request, it means that the second request was sent by the terminal itself, rather than a reload request sent through hijacking, and the second request will be hijacked.

[0089] This solution dynamically constructs the inserted network request process based on the original loading method of the hijacked request. At this point, the forged script (i.e., the forged datagram) has already been loaded into the DOM tree by the browser according to the original resource loading method. Therefore, based on the relevant attributes of the first request, the DOM rendering node of this resource request can be obtained from the browser. Then, based on the obtained DOM rendering node, it is analyzed whether the resource loading method is asynchronous or synchronous, and the specific attributes in the DOM node are analyzed. Finally, based on the analyzed loading method and node attributes, a JS request tag with the same attributes is constructed and inserted into the DOM rendering sequence, thus restoring the hijacked resource request to the greatest extent. Since this process generally occurs quickly (milliseconds), it ensures normal loading and display without duplicate detection, achieving comprehensive, real-time, and immediate detection of unauthorized external links.

[0090] In this embodiment, if the second request and the first request have the same IP address and request attributes by default based on the overload service, the detection device analyzes whether the time interval between the second request and the first request meets the preset hijacking interval. If it does, the interaction is performed according to the preset interaction process; if it does not, the above steps are repeated.

[0091] The preset hijacking interval is 1 to 5 seconds, or the preset hijacking interval is the interval between the terminal initiating two identical JS requests.

[0092] By analyzing whether the request has been hijacked and whether the update cycle has arrived, we can ensure that duplicate detection will not occur.

[0093] It should be noted that, in this application, a better criterion for judging the second request can be: judging whether the resource information of the second request is consistent with the resource information of the first request and judging whether the time interval between the second request and the first request meets the preset hijacking interval. If both are met, the second request is judged to be a resource reload request, and the detection device does not hijack it. The second request sent through the core switch requests resources from the WEB server according to the preset interaction process (i.e., the normal interaction process).

[0094] The terminal-based self-correction function determines whether the new DOM node has been successfully inserted. If so, it executes normally; otherwise, the terminal's browser executes a full page reload instruction. In other words, if an insertion error occurs, the entire page will be reloaded to ensure proper page loading.

[0095] Meanwhile, the first request is transmitted to the WEB server through the core switch according to the preset interaction process. The WEB server then responds, and the response information is transmitted to the terminal that made the request through the core switch. However, since the process of the detection device listening and hijacking halfway usually occurs quickly (milliseconds), it does not connect to the server. Therefore, its response to the terminal is much faster than that of the server. After that, the information normally replied by the server is discarded because it has the same serial number as the detection device.

[0096] Specifically, the terminal that sends the request first receives the information from the detection device. Since the attribute corresponding to the information from the detection device is the same as the attribute of the first request, the terminal considers it to be a correct response. When the response from the web server is transmitted to the terminal, it will be discarded after the response has been hijacked.

[0097] The scheme disclosed in this application ensures that the constructed forged datagram and the reloaded second request have the same attributes as the first request, thus guaranteeing that the essence of the reloaded request is consistent with the essence of the request sent by the detected terminal. This ensures that the page loading and rendering of the detected terminal is normal and that the functions are normal. At the same time, it effectively avoids the occurrence of continuous reloading, making this detection technology more easily accepted by customers and more easily promoted, so that it can play its due role in actual engineering.

[0098] In actual testing, more than 100 websites, including common technology websites and company homepages, were targeted for hijacking. Existing detection technologies had a hijacking rate of about 40% that caused page errors. However, after the improvement of this solution, no page loading errors caused by traffic hijacking occurred.

[0099] The solution disclosed in this application addresses the recovery of the original request after violation detection based on traffic hijacking. The hijacking target is a JavaScript request. Based on the original request, the properties of the original request are dynamically determined, and a request that is completely identical to the original request is constructed to restore the original request resource. This ensures that there are many hijackable resources and a high hijacking success rate, while also ensuring that the loading order of the hijacked request resource after recovery is consistent with the original request, without affecting the relationship between the original resources.

[0100] Reference Figure 5 The second aspect of this application discloses a resource reload system based on traffic hijacking, comprising:

[0101] The hijacking module is configured to hijack the first request sent by the terminal and obtain the resource information of the first request;

[0102] The data packet generation module is configured to obtain a forged data packet based on the resource information of the first request; the forged data packet includes a detection service instruction and a reload service instruction.

[0103] The reload triggering module is configured to send the forged data report to the terminal.

[0104] The execution module is configured to execute detection tasks based on the detection service instructions;

[0105] The overload module is configured to analyze the original DOM nodes based on the overload business instructions to obtain node attributes (i.e., obtain the first DOM node and its attributes);

[0106] A JS request tag is constructed based on the node attributes; the DOM attributes of the JS request tag are consistent with the attributes of the original DOM node.

[0107] The new DOM node (i.e., the second DOM node) is generated based on the JS request tag and inserted into the DOM rendering sequence, and the second request is sent.

[0108] Determine whether the resource information of the second request is consistent with the resource information of the first request; if they are consistent, determine that the second request is a resource overload request and do not hijack it; otherwise, hijack the second request.

[0109] An electronic device according to embodiments of the present disclosure includes a memory and a processor. The memory is used to store non-transitory computer-readable instructions. Specifically, the memory may include one or more computer program products, which may include various forms of computer-readable storage media, such as volatile memory and / or non-volatile memory. The volatile memory may, for example, include random access memory (RAM) and / or cache memory. The non-volatile memory may, for example, include read-only memory (ROM), a hard disk, flash memory, etc.

[0110] The processor may be a central processing unit (CPU) or other processing unit with data processing capabilities and / or instruction execution capabilities, and may control other components in the electronic device to perform desired functions. In one embodiment of this disclosure, the processor is used to execute computer-readable instructions stored in the memory, causing the electronic device to perform all or part of the steps of the resource reloading method based on traffic hijacking described in the foregoing embodiments of this disclosure.

[0111] Those skilled in the art will understand that, in order to solve the technical problem of how to achieve a good user experience, this embodiment may also include well-known structures such as communication buses and interfaces, and these well-known structures should also be included within the protection scope of this disclosure.

[0112] like Figure 6 This is a schematic diagram of the structure of an electronic device provided in an embodiment of the present disclosure. It illustrates a structural schematic diagram suitable for implementing the electronic device in the embodiment of the present disclosure. Figure 6 The electronic device shown is merely an example and should not be construed as limiting the functionality and scope of the embodiments disclosed herein.

[0113] like Figure 6 As shown, an electronic device may include a processing unit (such as a central processing unit, graphics processing unit, etc.) that can perform various appropriate actions and processes based on a program stored in read-only memory (ROM) or a program loaded from a storage device into random access memory (RAM). The RAM also stores various programs and data required for the operation of the electronic device. The processing unit, ROM, and RAM are interconnected via a bus. Input / output (I / O) interfaces are also connected to the bus.

[0114] Typically, the following devices can be connected to the I / O interface: input devices, such as sensors or visual information acquisition devices; output devices, such as displays; storage devices, such as magnetic tapes or hard drives; and communication devices. Communication devices allow electronic devices to communicate wirelessly or wiredly with other devices (such as edge computing devices) to exchange data. Although Figure 6 Electronic devices with various devices are shown, but it should be understood that it is not required to implement or have all of the devices shown. More or fewer devices may be implemented or have instead.

[0115] In particular, according to embodiments of this disclosure, the processes described above with reference to the flowcharts can be implemented as computer software programs. For example, embodiments of this disclosure include a computer program product comprising a computer program carried on a non-transitory computer-readable medium, the computer program containing program code for performing the methods shown in the flowcharts. In such embodiments, the computer program can be downloaded and installed from a network via a communication device, or installed from a storage device, or installed from a ROM. When the computer program is executed by a processing device, all or part of the steps of the traffic hijacking-based resource reloading method of embodiments of this disclosure are performed.

[0116] For a detailed description of this embodiment, please refer to the corresponding descriptions in the foregoing embodiments, which will not be repeated here.

[0117] A computer-readable storage medium according to embodiments of the present disclosure stores non-transitory computer-readable instructions. When these non-transitory computer-readable instructions are executed by a processor, all or part of the steps of the resource reloading method based on traffic hijacking described in the foregoing embodiments of the present disclosure are performed.

[0118] The aforementioned computer-readable storage media include, but are not limited to: optical storage media (e.g., CD-ROM and DVD), magneto-optical storage media (e.g., MO), magnetic storage media (e.g., magnetic tape or portable hard drive), media with built-in rewritable non-volatile memory (e.g., memory card), and media with built-in ROM (e.g., ROM cartridge).

[0119] For a detailed description of this embodiment, please refer to the corresponding descriptions in the foregoing embodiments, which will not be repeated here.

[0120] The basic principles of this disclosure have been described above with reference to specific embodiments. However, it should be noted that the advantages, benefits, and effects mentioned in this disclosure are merely examples and not limitations, and should not be considered as essential features of each embodiment of this disclosure. Furthermore, the specific details disclosed above are for illustrative and facilitative purposes only, and are not limitations. These details do not limit the scope of this disclosure to the necessity of employing the aforementioned specific details for implementation.

[0121] In this disclosure, relational terms such as "first" and "second" are used merely to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. The block diagrams of devices, apparatuses, devices, and systems involved in this disclosure are merely illustrative examples and are not intended to require or imply that they must be connected, arranged, or configured in the manner shown in the block diagrams. As those skilled in the art will recognize, these devices, apparatuses, devices, and systems can be connected, arranged, and configured in any manner. Words such as "comprising," "including," "having," etc., are open-ended terms meaning "including but not limited to," and are used interchangeably with them. The terms "or" and "and" as used herein refer to the terms "and / or," and are used interchangeably with them unless the context clearly indicates otherwise. The term "such as" as used herein refers to the phrase "such as but not limited to," and is used interchangeably with it.

[0122] Additionally, as used herein, the “or” used in a list of items beginning with “at least one” indicates a separate list, such that a list of, for example, “at least one of A, B, or C” means A or B or C, or AB or AC or BC, or ABC (i.e., A and B and C). Furthermore, the word “exemplary” does not imply that the described example is preferred or better than other examples.

[0123] It should also be noted that in the systems and methods of this disclosure, the components or steps can be decomposed and / or recombined. These decompositions and / or recombinations should be considered as equivalent solutions to this disclosure.

[0124] Various changes, substitutions, and modifications can be made to the technology described herein without departing from the teachings defined by the appended claims. Furthermore, the scope of the claims of this disclosure is not limited to the specific aspects of the processes, machines, manufactures, events, means, methods, and actions described above. Currently existing or later-developed processes, machines, manufactures, events, means, methods, or actions that perform substantially the same function or achieve substantially the same result as the corresponding aspects described herein can be utilized. Therefore, the appended claims include such processes, machines, manufactures, events, means, methods, or actions within their scope.

[0125] The above description of the disclosed aspects is provided to enable any person skilled in the art to make or use this disclosure. Various modifications to these aspects will be readily apparent to those skilled in the art, and the general principles defined herein may be applied to other aspects without departing from the scope of this disclosure. Therefore, this disclosure is not intended to be limited to the aspects shown herein, but rather to be carried out within the widest scope consistent with the principles and novel features disclosed herein.

[0126] The above description has been given for purposes of illustration and description. Furthermore, this description is not intended to limit the embodiments of this disclosure to the forms disclosed herein. Although numerous exemplary aspects and embodiments have been discussed above, those skilled in the art will recognize certain variations, modifications, alterations, additions, and sub-combinations therein.

Claims

1. A resource reloading method based on traffic hijacking, characterized in that, include: The first request is intercepted, and a second data packet is sent to the terminal. The second data packet includes a detection service instruction and a reload service instruction. Execute the detection task based on the aforementioned detection service instruction; The first DOM node and its attributes are obtained based on the overloaded business instructions. The first tag is constructed based on the attributes of the first DOM node; The DOM attributes in the first tag are consistent with the attributes of the first DOM node; Generate a second DOM node based on the first tag, insert it into the DOM rendering sequence, and send a second request; Determine whether the resource information of the second request is consistent with the resource information of the first request; If they match, the second request is determined to be a resource reload request and will not be hijacked. Conversely, the second request is hijacked.

2. The resource reloading method based on traffic hijacking according to claim 1, characterized in that, The second data packet is a forged data packet, and the method for constructing the forged data packet includes: Based on the first request, obtain first data packet information, which includes IP address, TCP / HTTP interaction data packet header attributes, and the URL of the first request; Based on the information in the first datagram, determine whether the first request requires a true hijacking; if not, discard it. If so, the forged datagram is constructed based on the first datagram information and the HTTP protocol rules.

3. The resource reloading method based on traffic hijacking according to claim 2, characterized in that, Determining whether the first request requires a true hijacking based on the information in the first datagram includes: Based on the information in the first data packet, determine whether the first request is a JS request based on the HTTP protocol. If so, determine that the first request needs to be hijacked. If not, then the first request is determined to require a fake hijacking and is discarded.

4. The resource reloading method based on traffic hijacking according to claim 1, characterized in that, The first DOM node is the node to which the first request belongs.

5. The resource reloading method based on traffic hijacking according to claim 1, characterized in that, The node attributes include resource loading method, resource display method, resource language, and resource character encoding.

6. The resource reloading method based on traffic hijacking according to claim 2, characterized in that, The forged data packet also includes a self-correction service instruction; Based on the self-correcting business instruction, determine whether the second DOM node was successfully inserted; if so, execute normally. If not, the terminal's browser will execute a full page reload command.

7. The resource reloading method based on traffic hijacking according to claim 1, characterized in that, The resource reload method includes: obtaining the first request by mirroring the request received by the core switch.

8. A resource reload system based on traffic hijacking, characterized in that, include: The hijacking module is configured to hijack the first request and obtain the resource information of the first request; The data packet generation module is configured to obtain a forged data packet based on the resource information of the first request; the forged data packet includes a detection service instruction and a reload service instruction. The reload triggering module is configured to send the forged data report to the terminal. The execution module is configured to execute detection tasks based on the detection service instructions; The overload module is configured to obtain the first DOM node and its attributes based on the overload business instruction; The first tag is constructed based on the attributes of the first DOM node; The DOM attributes in the first tag are consistent with the attributes of the first DOM node; Generate a second DOM node based on the first tag, insert it into the DOM rendering sequence, and send a second request; Determine whether the resource information of the second request is consistent with the resource information of the first request; If they match, the second request is determined to be a resource reload request and will not be hijacked. Conversely, the second request is hijacked.

9. An electronic device, characterized in that, The electronic device includes: At least one processor; and, A memory communicatively connected to the at least one processor; wherein, The memory stores instructions that can be executed by the at least one processor, which, when executed by the at least one processor, enables the at least one processor to perform the resource reloading method based on traffic hijacking as described in any one of claims 1-7.

10. A computer-readable storage medium, characterized in that, The computer-readable storage medium stores computer instructions for causing the computer to perform the resource reloading method based on traffic hijacking as described in any one of claims 1-7.

Images