An enterprise network security data analysis method, server, medium and product
By employing a method of issuing instant time reference codes and synchronously generating passwords at random time intervals in enterprise network security data analysis, the problems of low efficiency and high resource consumption in existing technologies are solved, enabling rapid screening and release of legitimate data, and improving network security and smoothness.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- FUJIAN GUOKE INFORMATION TECH CO LTD
- Filing Date
- 2026-02-11
- Publication Date
- 2026-06-05
AI Technical Summary
In existing enterprise network security data analysis technologies, the full-content scanning method is inefficient, resource-intensive, and has high network latency, which makes it impossible to quickly filter and allow legitimate business data, thus becoming a performance bottleneck for network transmission.
The system employs a method that distributes instant time reference codes at random time intervals, and the enterprise client and server synchronously generate and compare access passwords. This lightweight password comparison method filters legitimate data and avoids full data parsing.
It significantly reduces the gateway's computational load, enables the rapid release of legitimate business data, improves the security and smoothness of network transmission, reduces computational and memory usage, and enhances anti-counterfeiting capabilities.
Smart Images

Figure CN122160107A_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of electronic digital data processing technology, and in particular to a method, server, medium and product for enterprise network security data analysis. Background Technology
[0002] As enterprise IT infrastructure development deepens, data interaction between internal and external networks becomes extremely frequent and involves massive amounts of traffic. This massive data transmission includes both normal business access data (such as ERP system calls and file synchronization) and potential malicious attacks or illegal data probing. To ensure enterprise network security, it is essential to analyze and monitor data entering and leaving the network to accurately distinguish legitimate business data from suspicious and abnormal data within the massive traffic.
[0003] Existing enterprise network security data analysis technologies primarily rely on deep packet inspection or content-based feature matching. Specifically, current solutions typically require disassembling and reassembling every data packet passing through the gateway, and performing a full scan of the packet's payload. The system then compares the data content against pre-defined, large virus databases, sensitive word lists, or regular expression rule sets (i.e., "checking file content, size, and keywords"). If a risk characteristic is matched in the content, the packet is blocked; otherwise, it is allowed to pass.
[0004] However, the aforementioned existing technologies have significant technical problems: this "full content scanning" method is extremely inefficient and consumes enormous resources. Because it requires deep content parsing and rule comparison of all data (including legitimate business data), the gateway device experiences extremely high computational load, resulting in severe network latency and consequently affecting the smoothness of normal user operations. Existing technologies cannot establish a fast, low-cost trust verification mechanism without parsing specific content, causing most useful and legitimate data to fail to be quickly filtered and allowed, becoming a performance bottleneck for network transmission. Summary of the Invention
[0005] This application provides a method, server, medium, and product for enterprise network security data analysis, which addresses the problems of low efficiency, high resource consumption, and high network latency in existing full-content scanning technologies, thereby ensuring the security and smoothness of enterprise network data transmission.
[0006] Firstly, this application provides an enterprise network security data analysis method applied to an enterprise network security server. The method includes: sending an instant time reference code to an enterprise client at random time intervals, so that the enterprise client synchronously generates a data access password based on the instant time reference code; receiving business data sent by the enterprise client and extracting a target data access password from the business data; generating an access verification password based on the instant time reference code and the business data, wherein the method for generating the access verification password is consistent with the method for generating the target data access password; comparing the target data access password with the access verification password to determine whether the business data is valid; and if the business data is determined to be valid, allowing the business data to pass.
[0007] By adopting the above technical solution, the core feature lies in the bidirectional synchronous generation of the baseline code and the bidirectional generation of the password at random time intervals. The former prevents the baseline code from being predicted in advance, while the latter eliminates the need for verification to rely on full data parsing. With these technical features interacting, the system does not need to disassemble data packet content or match rule bases; it directly completes the screening of legitimate data through lightweight password comparison, significantly reducing the gateway's computational load, solving the network latency problem caused by full-data scanning in existing technologies, and enabling rapid access for legitimate business data.
[0008] In conjunction with some embodiments of the first aspect, in some embodiments, the step of sending an instant time reference code to an enterprise client at random time intervals specifically includes: presetting a range of values for the random time interval; determining the time interval for a single transmission within the range of values using a random number generation algorithm; generating a random trigger signal based on the time interval; and in response to the random trigger signal, obtaining the timestamp of the current moment and generating the corresponding instant time reference code through one-way encryption operation.
[0009] By adopting the above technical solutions, the dynamic interval of the random number algorithm eliminates the possibility of cracking the pattern of base code distribution, while the one-way encryption operation prevents the base code from being reverse-derived. The combination of these two aspects gives the real-time base code dynamic uniqueness and immutability, avoiding the risk of replay attacks at fixed intervals and ensuring the authority of the base code as a seed variable. This provides a secure and reliable foundation for subsequent password generation, while simplifying the base code generation process and adapting to high-concurrency enterprise network data interaction scenarios.
[0010] In conjunction with some embodiments of the first aspect, in some embodiments, the step of generating a pass verification password based on the real-time reference code and the service data specifically includes: using the real-time reference code as a seed variable, calculating a coordinate index set of the service data, the coordinate index set being a set of multiple landing point coordinates sampled in the service data; mapping the service data into a continuous binary bit stream, and reading multiple binary bit values at corresponding positions in the binary bit stream according to the coordinate index set, the binary bit values including 0 or 1; concatenating each of the binary bit values in index order to obtain a feature data string; and performing a mathematical aggregation operation on the feature data string and the real-time reference code to obtain the pass verification password.
[0011] By adopting the above technical solution, the binding relationship between the reference code and the coordinate index allows the sampling position to change dynamically, and binary bit value sampling does not require parsing the meaning of data services. With the synergistic effect of technical features, the system can generate passwords by extracting only a small number of key bit features, avoiding the resource consumption of full data scanning. At the same time, the aggregation operation of the feature string and the reference code further improves the uniqueness of the password, significantly reducing the probability of password forgery, and achieving efficient and highly secure password generation.
[0012] In conjunction with some embodiments of the first aspect, in some embodiments, the step of mapping the service data into a continuous binary bit stream and reading multiple binary bit values at corresponding positions in the binary bit stream according to the coordinate index set specifically includes: treating the service data as a logical byte array and using the starting address of the byte array as a logical zero point; performing relative addressing calculations for each target bit index value in the coordinate index set to obtain the byte offset relative to the logical zero point and the bit offset within the corresponding byte; and reading the binary bit value corresponding to the target bit index value based on the byte offset and the bit offset.
[0013] By adopting the above technical solution, the abstract mapping of logical byte arrays is freed from the limitations of physical data storage, and the dual-offset addressing calculation achieves bit-level precise sampling. The combination of these two approaches allows the system to extract target bit values through lightweight addressing operations without generating a complete binary bit stream, significantly reducing memory usage and computation time. Simultaneously, it ensures the consistency of addressing logic between the enterprise client and server, guaranteeing unbiased sampling results and providing a precise data foundation for password synchronization.
[0014] In conjunction with some embodiments of the first aspect, in some embodiments, the calculation steps of the relative addressing calculation specifically include: calculating the quotient of the target bit index value and 8 to obtain the byte offset relative to the logical zero point; taking the remainder of the target bit index value divided by 8 to obtain the bit offset within the corresponding byte; locating the target byte in the byte array based on the byte offset; and locating the target binary bit within the target byte based on the bit offset.
[0015] By adopting the above technical solution, the fixed operation rules for integer division and modulo operation establish a correspondence between bit indexes and byte-bits, and the layer-by-layer positioning operation logic ensures the accuracy of sampling. The synergistic effect of these technical features makes addressing computation a standardized, low-time-consuming operation, avoiding the introduction of complex parsing algorithms. At the same time, the unified operation rules ensure that the calculation results between the enterprise client and the server are completely consistent, eliminating password mismatch problems caused by addressing differences and improving the stability and reliability of the verification process.
[0016] In conjunction with some embodiments of the first aspect, some embodiments further include: when the instant time reference code is sent to the enterprise client, generating a one-time access private key and a one-time access public key based on an asymmetric encryption algorithm, wherein the one-time access private key and the one-time access public key are a one-to-one corresponding key pair and expire immediately after use; encrypting the instant time reference code using the one-time access private key, and sending the one-time access public key to the enterprise client, so that the enterprise client can use the one-time access public key to verify the validity of the instant time reference code after receiving it; if a verification failure result is received from the enterprise client, it is determined that the instant time reference code has expired, and a new time reference code and the corresponding one-time key pair are re-sent to the enterprise client.
[0017] By adopting the above technical solutions, the single-use validity of the one-time key pair avoids the risk of key reuse, and the asymmetric encryption verification mechanism can directly identify the tampered base code. Together, they construct a trusted link for base code transmission, completely blocking the attack path of man-in-the-middle tampering with the base code. Simultaneously, the retransmission mechanism after verification failure ensures business continuity, solves the problem of legitimate data verification failure caused by base code tampering, and improves the solution's anti-attack capability and fault tolerance.
[0018] In conjunction with some embodiments of the first aspect, in some embodiments, after receiving the verification failure result from the enterprise client and determining that the instant time reference code is invalid, the method further includes: counting the number of reference code verification failures for the same enterprise client or the same network address within a preset time window; if the number of reference code verification failures exceeds a preset warning threshold, it is determined that there is a risk of virus tampering or malicious attack, and an early warning message is immediately sent to the enterprise security management platform. The early warning message includes at least the abnormal enterprise client identifier, abnormal network address, verification failure time, and number of failures; at the same time, the push of new time reference codes to the abnormal enterprise client or the abnormal network address is suspended.
[0019] By adopting the above technical solutions, frequency statistics and threshold determination enable accurate identification of abnormal behavior, while early warnings and push notification suspension quickly block the source of the attack. The interaction of these technical features upgrades passive verification failure handling to proactive attack risk prevention, avoiding misjudgments based on single failures and promptly detecting continuous interference from virus tampering or malicious attacks. Furthermore, early warning information provides precise tracing evidence, helping enterprises quickly locate risk points and improving the security protection level and maintainability of the solution.
[0020] In a second aspect, this application provides an enterprise network security server, which includes: one or more processors and a memory; the memory is coupled to the one or more processors, and the memory is used to store computer program code, the computer program code including computer instructions, which the one or more processors call to cause the enterprise network security server to perform the methods described in the first aspect and any possible implementation thereof.
[0021] Thirdly, this application provides a computer-readable storage medium including instructions that, when executed on an enterprise network security server, cause the enterprise network security server to perform the method described in the first aspect and any possible implementation thereof.
[0022] Fourthly, this application provides a computer program product, including a computer program that, when run on an enterprise network security server, causes the enterprise network security server to perform the method described in the first aspect and any possible implementation thereof.
[0023] One or more technical solutions provided in the embodiments of this application have at least the following technical effects or advantages:
[0024] 1. By adopting the above technical solution, the core technical means of issuing real-time reference codes at random time intervals and generating and comparing passwords synchronously between the enterprise client and the server based on the same reference code effectively solves the technical problems of low efficiency, high resource consumption and high network latency caused by full content scanning in the existing technology. This achieves the technical effect of quickly completing the screening of legitimate data without parsing the specific content of the data, greatly reducing the computing load of the gateway and ensuring the rapid release of legitimate business data.
[0025] 2. By adopting the above technical solution, the technical means of dynamically generating a sampling coordinate index set with an instantaneous time reference code as a seed and extracting only the binary bit values of business data to generate feature strings and perform aggregation operations are effectively solved. This solves the technical problems of high resource consumption and low verification efficiency caused by full scanning of data content in existing technologies. In this way, lightweight extraction of key data features to generate highly unique verification passwords is achieved, which reduces computation and memory usage and improves the anti-forgery ability of passwords.
[0026] 3. By adopting the above technical solution, the technical means of using one-time asymmetric key pair encryption of real-time reference code + enterprise client public key verification + verification failure retransmission effectively solves the technical problem in the existing technology that the reference code transmission is easily tampered with, leading to the failure of legitimate data verification. Thus, it realizes the construction of a trusted reference code transmission link, blocks man-in-the-middle tampering attacks, ensures business continuity, and improves the solution's anti-attack capability and fault tolerance. Attached Figure Description
[0027] Figure 1 This is a flowchart illustrating an enterprise network security data analysis method in an embodiment of this application.
[0028] Figure 2 This is another flowchart illustrating the enterprise network security data analysis method in this application embodiment;
[0029] Figure 3 This is a schematic diagram of the physical device structure of an enterprise network security server in the embodiments of this application. Detailed Implementation
[0030] The terminology used in the following embodiments of this application is for the purpose of describing particular embodiments only and is not intended to be limiting of this application. As used in the specification and appended claims of this application, the singular expressions “a,” “an,” “the,” “the,” “the,” and “this” are intended to include the plural expressions as well, unless the context clearly indicates otherwise. It should also be understood that the term “and / or” as used in this application refers to and includes any or all possible combinations of one or more of the listed items.
[0031] Hereinafter, the terms "first" and "second" are used for descriptive purposes only and should not be construed as implying or suggesting relative importance or implicitly indicating the number of indicated technical features. Thus, a feature defined as "first" or "second" may explicitly or implicitly include one or more of that feature, and in the description of the embodiments of this application, unless otherwise stated, "multiple" means two or more.
[0032] The following is a flowchart describing the method provided in this implementation. Please refer to [link / reference]. Figure 1 This is a flowchart illustrating an enterprise network security data analysis method in an embodiment of this application.
[0033] S101. Send an instant time reference code to the enterprise client at random time intervals so that the enterprise client can synchronously generate a data access password based on the instant time reference code;
[0034] The enterprise client refers to the enterprise terminal device that has this security mechanism installed, including but not limited to enterprise office computers, mobile terminals, etc.
[0035] This step is executed at all times when the enterprise network security server is running and the enterprise client and server have established a normal network connection. The execution scenario covers periodic verification nodes before and during business data transmission initiated by the enterprise client. First, the server pre-configures a random time interval range, such as 10-60 seconds, which can be dynamically adjusted according to the enterprise's network traffic load. Second, the server determines the time interval for each transmission within the preset range using a cryptographically secure random number generation algorithm, ensuring that the time interval is unpredictable. Next, the server generates a random trigger signal based on this time interval. When the trigger signal takes effect, it immediately obtains the current system's high-precision timestamp and encrypts it using a one-way encryption algorithm to generate an instantaneous time reference code. The one-way encryption ensures that the reference code cannot be reverse-engineered. This step does not require encryption of the instantaneous time reference code; even if the instantaneous time reference code is stolen or tampered with by a virus, it cannot generate a password matching the server.
[0036] Finally, the server sends the generated real-time reference code to the corresponding enterprise client via an encrypted channel. After receiving and verifying the validity of the reference code, the enterprise client can generate a data access password based on the reference code and the business data to be sent, using the same algorithm as the server. This lays the foundation for subsequent verification of the legitimacy of business data. This step, through the design of random time intervals and one-way encrypted reference codes, eliminates the possibility of attackers predicting the reference code generation pattern and forging passwords from the source.
[0037] S102. Receive business data sent by the enterprise client and extract the target data access password from the business data;
[0038] This step is executed after the enterprise client generates the data access password and initiates a business data transmission request. The execution scenario covers all interactions between enterprise clients and the server during the transmission of business data. Specifically, the enterprise network security server listens for business data transmission requests from enterprise clients through a pre-defined network communication interface. When a business data packet is detected, the server first confirms that the corresponding enterprise client is a legitimate terminal that has completed network access authentication. Then, according to the data packet encapsulation format pre-agreed between the server and the enterprise client, the server extracts the target data access password from a designated field in the business data. This designated field is stored in a fixed location agreed upon by both parties to ensure the accuracy and uniqueness of the extraction operation. After extraction, the server temporarily stores the target data access password and the corresponding business data, providing data support for subsequent password comparison and verification steps.
[0039] The core function of this step is to obtain business data and corresponding verification passwords, which is a key link connecting the enterprise client's data sending with the server's legality verification.
[0040] S103. Based on the real-time reference code and the business data, generate a pass verification password. The method for generating the pass verification password is the same as the method for generating the target data pass password.
[0041] This step is executed after the server successfully receives the business data and extracts the target data access password. The execution scenario covers all business data validity verification processes that require generating verification passwords. First, the server retrieves the real-time reference code sent to the enterprise client in this session and uses it as the seed variable for the preset pseudo-random number generation algorithm. This seed variable refers to the initial input value used to drive the pseudo-random number generation algorithm, ensuring the correlation and controllability of the generated results. The coordinate index set is a discrete set of values used to locate the sampling position of the binary bitstream of the business data; each value corresponds to a specific bit in the bitstream. After inputting into the algorithm, a discrete set of integers is generated, which is the coordinate index set. It should be noted that the length of the coordinate index set can be preset according to security requirements (e.g., 32 bits, 64 bits), and the range of index values is limited to the length range of the binary bitstream of the business data to avoid out-of-bounds sampling.
[0042] The server can normalize the format of received business data without parsing its specific business meaning (such as file content, instruction codes, etc.). Regardless of its original type—ERP data, file synchronization packets, or email messages—it converts it into a continuous byte sequence according to the general rules of computer data storage, and then further abstracts it into a logical byte array. Simultaneously, the virtual address corresponding to the first byte of this array is set as the logical zero point, thus establishing a unified addressing benchmark and ensuring complete consistency in addressing logic between the enterprise client and the server. Secondly, the server traverses each target bit index value in the coordinate index set, performing standardized relative addressing calculations for each index value.
[0043] The relative addressing calculation is performed as follows: First, the server performs standardized mathematical operations for each target bit index value:
[0044] Byte offset calculation: Since one byte in computer storage always contains 8 bits, the target bit index value is divided by 8, and the integer quotient of the result is the byte offset. For example, if the target bit index value is 35, the calculation is 35 ÷ 8 = 4 remainder 3. The integer quotient 4 here is the byte offset, representing that the target bit is located in the 5th byte of the logical byte array (array indexing starts from 0, and offset 4 corresponds to the 5th byte).
[0045] Bit offset calculation: Take the remainder of the target bit index value divided by 8. The remainder is the bit offset, which represents the specific position of the target bit within its byte. Continuing the example above, the remainder of 35 divided by 8 is 3, so the bit offset is 3, meaning the target bit is the 4th bit in its byte (bit numbering starts from 0).
[0046] After completing the offset calculation, the server performs a two-step positioning operation:
[0047] Locating the target byte: Using the logical zero of the logical byte array as a reference, the corresponding byte unit in the array is found based on the calculated byte offset; this byte unit is the target byte. This process does not require consideration of the original format of the business data; positioning can be completed solely through array indexing.
[0048] Locating the target binary bit: Within the located target byte, the specific bit position is determined based on the bit offset. The 8 bits within the byte are numbered sequentially from 0 to 7, and the bit offset directly corresponds to the number. For example, when the bit offset is 5, the 6th bit of the byte is located directly.
[0049] It is important to emphasize that the operation rules in this step are a unified standard agreed upon in advance by the enterprise client and the server. Both parties use the exact same calculation logic to ensure that the addressing results for the same target bit index value are completely consistent. At the same time, the entire calculation process only involves basic division and modulo operations, which is extremely efficient and does not generate additional resource consumption, perfectly adapting to the rapid sampling needs of massive business data.
[0050] The server directly reads the binary value (0 or 1) of the target bit and temporarily stores it in a cache. Next, the server concatenates the binary values sequentially to form a feature data string containing only 0s and 1s. This feature data string is the core feature extraction result of the business data, and its length is consistent with the length of the coordinate index set. Finally, the server inputs the feature data string and the real-time reference code into a preset mathematical aggregation operation module to perform a fusion operation. For example, the feature data string and the reference code can be converted into binary numbers first, XORed, and then a hash value can be generated using the SHA-256 algorithm. This hash value is the password verification code. The core function of the aggregation operation is to strengthen the binding relationship between the feature data string and the reference code, ensuring the uniqueness and anti-forgery properties of the password.
[0051] It should be noted that the read operation only takes the value of a single bit and does not require loading or parsing the business meaning of the entire byte. The computation time is negligible. At the same time, the read rules are completely consistent with the enterprise client, ensuring that the binary bit values read by both parties are without deviation. This provides an accurate and consistent data foundation for the synchronous generation and comparison of the subsequent access password, avoids verification failure due to differences in bit value reading, and ensures the stability and accuracy of the entire verification process.
[0052] This step, through the logic of "baseline code-driven sampling + lightweight feature extraction + aggregation operation to generate passwords", achieves the goal of generating verification passwords without parsing data content, significantly reducing the server's computational load.
[0053] S104. Compare the target data access password with the access verification password to determine whether the business data is valid;
[0054] This step is executed after the server has generated the access verification password. It covers the entire business data legality determination process for all extracted target passwords and generated verification passwords, and is the core step in distinguishing between legal and illegal data. First, the server retrieves two passwords from its local cache: one is the target data access password extracted from the enterprise client's business data, and the other is the access verification password generated by the server itself. Then, the server initiates a high-precision string comparison logic. This logic performs a complete match verification on every character of the two passwords (including character encoding format, capitalization, special symbols, etc.). The specific verification rules are: if the character lengths of the two passwords are inconsistent, the comparison is directly determined to be unsuccessful; if the lengths are consistent, starting from the first character, the corresponding characters are checked sequentially to see if they are completely identical until all characters have been verified. The entire comparison process is completed in the server's local memory, without transmitting the password content to any external nodes, avoiding the risk of password leakage.
[0055] S105. If the business data is determined to be valid, then the business data shall be allowed to pass.
[0056] This step is executed after the server determines the validity of the business data, covering the transmission process of all legitimate business data. First, the server confirms the validity of the business data and retrieves the corresponding transmission identification information, including the source address, destination address, and transmission protocol type. Then, according to the pre-agreed network transmission rules between the enterprise client and the server, the server forwards the business data to the designated destination address. This process requires no additional parsing or processing of the data content. Simultaneously, the server records the passage information for this business data, including the passage time, enterprise client identifier, data transmission direction, and data volume, forming a basic passage log for subsequent network traffic statistics and security auditing. The core function of this step is to quickly allow legitimate business data to pass through, avoiding the delays caused by full-scale scanning in existing technologies and ensuring the high efficiency of enterprise business data transmission.
[0057] In the above embodiment, because the core technical solution of issuing instant time reference codes at random time intervals and generating and comparing passwords synchronously between the enterprise client and the server is adopted, there is no need to perform full content parsing or rule base matching on business data. The legality determination can be completed by simply comparing the passwords. This effectively solves the problems of high computational load, large network latency, and low efficiency of allowing legitimate data to pass caused by deep packet inspection in the existing technology. At the same time, it avoids the risk of viruses tampering with business data content and forging verification information to bypass security detection.
[0058] In some embodiments, there may be situations where the real-time reference code is maliciously intercepted, tampered with, or replaced during transmission to the enterprise client. In order to build a reliable reference code transmission link, ensure that the reference code received by the enterprise client is authentic and valid, and prevent the verification of legitimate business data from failing due to the tampering of the reference code, steps S201-S203 can be executed.
[0059] Following the above embodiments, the method provided in this embodiment will now be described in more detail. Please refer to [link / reference]. Figure 2 This is another flowchart illustrating the enterprise network security data analysis method in this application embodiment.
[0060] S201. When the instant time reference code is sent to the enterprise client, a one-time access private key and a one-time access public key are generated based on an asymmetric encryption algorithm. The one-time access private key and the one-time access public key are a one-to-one corresponding key pair and become invalid immediately after use.
[0061] Asymmetric encryption algorithms refer to cryptographic algorithms that use different keys for encryption and decryption, including but not limited to RSA and ECC algorithms, which have the characteristic that the encryptor and decryptor do not need to share a key.
[0062] This step is executed after the server generates the real-time base code but before it is sent to the enterprise client, covering every real-time base code distribution process. First, the server calls a preset asymmetric encryption algorithm module to generate a highly random, one-time public-private key pair, ensuring the key pair cannot be predicted or cracked. Second, the server uniquely binds this key pair to the real-time base code to be sent, specifying that it is only used for base code encryption and verification in this session. Finally, the server sets the key pair's lifespan to "single-use validity." It is particularly important to emphasize that this one-time, disposable characteristic is a core design feature to prevent virus attacks: even if a virus intercepts the public key during transmission, it cannot reuse it to attack the base code in subsequent sessions, fundamentally eliminating the possibility of a virus holding the key for continuous attacks. This step, through the design of a one-time key pair, establishes the first line of defense for the secure transmission of the base code.
[0063] S202. Use the one-time access private key to encrypt the real-time reference code, and send the one-time access public key to the enterprise client so that the enterprise client can use the one-time access public key to verify the validity of the real-time reference code after receiving it.
[0064] This step is executed after the server generates the one-time public-private key pair, and the execution scenario is completely synchronized with the S201 base code distribution process. First, the server uses the one-time pass private key to encrypt the real-time base code. Even if the base code in ciphertext state is intercepted by a virus, the original content cannot be directly obtained. Second, the server sends the encrypted real-time base code and the corresponding one-time pass public key to the enterprise client through an encrypted channel, ensuring that the binding relationship between the two is not broken. Next, after receiving the data, the enterprise client calls the local asymmetric encryption verification module to verify the validity of the encrypted base code using the received one-time pass public key. The verification logic is as follows: attempt to verify and decrypt the ciphertext base code using the public key. If the complete and correctly formatted base code can be successfully decrypted, the base code is determined to be valid and has not been tampered with. If the virus intercepts the public key and tamperes with the ciphertext base code, the decrypted data will have format errors, incomplete content, or logical contradictions. The enterprise client will directly determine that the base code is invalid and report the result to the server. During this process, the enterprise client does not need to hold the private key; verification can be completed using only the public key. This simplifies the logic and avoids the security risks associated with key sharing.
[0065] S203. When a verification failure result is received from the enterprise client, it is determined that the real-time reference code is invalid, and a new time reference code and the corresponding one-time key pair are re-sent to the enterprise client.
[0066] This step is executed after the server receives the baseline code verification failure result from the enterprise client, covering the entire baseline code verification anomaly repair process. First, the server receives the verification failure feedback from the enterprise client. To prevent attackers from using the feedback information to analyze vulnerabilities, this feedback does not contain any details about the reason for the failure. Second, the server immediately determines that the issued instant-time baseline code is invalid and initiates a marking and isolation mechanism for invalid baseline codes, prohibiting their use in any subsequent password generation operations. Next, the server repeats the complete S201-S202 process, regenerating a completely new set of one-time public-private key pairs and corresponding instant-time baseline codes, ensuring the uniqueness and security of the new baseline codes and key pairs. Finally, the server reissues the new encrypted baseline code and accompanying public key to the enterprise client, while resetting the baseline code verification timeout for this session, giving the enterprise client sufficient time to re-verify. This step, through immediate failure determination and re-push mechanism, quickly blocks the use of tampered baseline codes while ensuring the continuity of business processes, achieving a balance between security and fault tolerance.
[0067] After the server receives a base code verification failure result from an enterprise client, the server starts a failure count statistics mechanism: for each verification failure event, the corresponding enterprise client identifier and network address are extracted, and an independent failure count statistics ledger is established for the same enterprise client or the same network address with a preset time window as the statistical period. The ledger is updated in real time and only retains the statistical data within the current time window. Historical data outside the window is automatically cleared to avoid the accumulation of invalid data.
[0068] Secondly, the server compares the count of failures with the preset warning threshold in real time. The comparison logic is divided into two cases:
[0069] The number of failures did not exceed the warning threshold: This is judged as an occasional anomaly, which may be caused by network transmission jitter, temporary failure of the enterprise client, etc. The server only records the failure event, does not trigger a warning, and allows the enterprise client to continue to initiate baseline code verification requests.
[0070] The number of failures exceeds the warning threshold: This is determined to be a risk of virus tampering or malicious attack, and the server immediately triggers a two-level response mechanism:
[0071] Warning Response: Generate warning information according to the preset data format. The information content should include at least the abnormal enterprise client identifier, access network address, timestamps of all verification failure events, and cumulative number of failures. Push the warning information to the enterprise security management platform through an encrypted interface. After receiving the information, the platform will immediately pop up a reminder to the security operations and maintenance personnel and store the warning information in the security event log for subsequent auditing and tracing.
[0072] Blocking Response: The server immediately adds the abnormal enterprise client or abnormal network address to the temporary blacklist, suspends the push of new real-time reference codes to it, and rejects all subsequent reference code verification requests initiated by the object, blocking the possibility of data transmission through the reference code verification process, thus curbing the continued attack from the source.
[0073] In this embodiment, the technical solution of using a one-time asymmetric key pair to encrypt the real-time reference code, verifying the validity of the reference code with a public key, and re-pushing the code after verification failure is adopted. Therefore, even if the public key is intercepted by a virus, the modified reference code cannot be verified by the enterprise client. Moreover, the key is destroyed after use, eliminating the possibility of reuse attacks. This effectively solves the problem that the real-time reference code is hijacked and tampered with by a virus during transmission, thereby bypassing security verification. As a result, the entire process of reference code transmission is reliably protected, ensuring the accuracy of password generation and improving the anti-attack capability of the entire verification system.
[0074] The enterprise network security server in the embodiments of this invention is described below from the perspective of hardware processing. Please refer to [link / reference needed]. Figure 3This is a schematic diagram of the physical device structure of an enterprise network security server in an embodiment of this application.
[0075] It should be noted that, Figure 3 The structure of the enterprise network security server shown is merely an example and should not impose any limitations on the functionality and scope of use of the embodiments of the present invention.
[0076] like Figure 3 As shown, the enterprise network security server includes a Central Processing Unit (CPU) 301, which can perform various appropriate actions and processes based on programs stored in Read-Only Memory (ROM) 302 or programs loaded from storage portion 308 into Random Access Memory (RAM) 303, such as performing the methods described in the above embodiments. The RAM 303 also stores various programs and data required for system operation. The CPU 301, ROM 302, and RAM 303 are interconnected via a bus 304. An Input / Output (I / O) interface 305 is also connected to the bus 304.
[0077] The following components are connected to I / O interface 305: input section 306 including audio input devices, push-button switches, etc.; output section 307 including a liquid crystal display (LCD) and audio output devices, indicator lights, etc.; storage section 308 including a hard disk, etc.; and communication section 309 including a network interface card such as a LAN (Local Area Network) card, modem, etc. Communication section 309 performs communication processing via a network such as the Internet. Drive 310 is also connected to I / O interface 305 as needed. Removable media 311, such as a disk, optical disk, magneto-optical disk, semiconductor memory, etc., are installed on drive 310 as needed so that computer programs read from them can be installed into storage section 308 as needed.
[0078] In particular, according to embodiments of the present invention, the processes described above with reference to the flowcharts can be implemented as computer software programs. For example, embodiments of the present invention include a computer program product comprising a computer program carried on a computer-readable medium, the computer program containing computer programs for performing the methods shown in the flowcharts. In such embodiments, the computer program can be downloaded and installed from a network via communication section 309, and / or installed from removable medium 311. When the computer program is executed by central processing unit (CPU) 301, it performs the various functions defined in the present invention.
[0079] It should be noted that specific examples of computer-readable storage media may include, but are not limited to: electrical connections having one or more wires, portable computer disks, hard disks, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM), flash memory, optical fiber, portable compact disc read-only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination thereof. In this invention, a computer-readable storage medium can be any tangible medium containing or storing a program that can be used by or in conjunction with an instruction execution system, apparatus, or device.
[0080] The flowcharts and block diagrams in the accompanying drawings illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of the present invention. Each block in a flowchart or block diagram may represent a module, program segment, or portion of code, which contains one or more executable instructions for implementing a specified logical function. It should also be noted that in some alternative implementations, the functions indicated in the blocks may occur in a different order than those shown in the drawings.
[0081] Specifically, the enterprise network security server in this embodiment includes a processor and a memory. The memory stores a computer program, and when the computer program is executed by the processor, it implements the enterprise network security data analysis method provided in the above embodiment.
[0082] In another aspect, the present invention also provides a computer-readable storage medium, which may be included in the enterprise network security server described in the above embodiments; or it may exist independently and not assembled into the enterprise network security server. The storage medium carries one or more computer programs that, when executed by a processor of the enterprise network security server, cause the enterprise network security server to implement the enterprise network security data analysis method provided in the above embodiments.
[0083] The above-described embodiments are only used to illustrate the technical solutions of this application, and are not intended to limit it. Although this application has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that modifications can still be made to the technical solutions described in the foregoing embodiments, or equivalent substitutions can be made to some of the technical features. Such modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the scope of the technical solutions of the embodiments of this application.
[0084] As used in the above embodiments, depending on the context, the term "when..." can be interpreted as meaning "if...", "after...", "in response to determining...", or "in response to detecting...". Similarly, depending on the context, the phrase "when determining..." or "if (the stated condition or event) is interpreted as meaning "if determining...", "in response to determining...", "when (the stated condition or event) is detected", or "in response to detecting (the stated condition or event)".
[0085] Those skilled in the art will understand that all or part of the processes in the methods of the above embodiments can be implemented by a computer program instructing related hardware. This program can be stored in a computer-readable storage medium, and when executed, it can include the processes described in the above method embodiments. The aforementioned storage medium includes various media capable of storing program code, such as ROM or random access memory (RAM), magnetic disks, or optical disks.
Claims
1. A method for analyzing enterprise network security data, characterized in that, The method, applied to enterprise network security servers, includes: Send an instant time reference code to the enterprise client at random time intervals so that the enterprise client can synchronously generate a data access password based on the instant time reference code; Receive business data sent by the enterprise client and extract the target data access password from the business data; Based on the real-time reference code and the business data, a pass verification password is generated, and the method for generating the pass verification password is the same as the method for generating the target data pass password. The target data access password is compared with the access verification password to determine whether the business data is valid; If the business data is determined to be valid, then the business data is allowed to pass.
2. The method according to claim 1, characterized in that, The step of sending real-time time reference codes to the enterprise client at random time intervals specifically includes: The range of values for the preset random time interval; The time interval for a single transmission is determined within the range of the specified values using a random number generation algorithm. A random trigger signal is generated based on the time interval; In response to the random trigger signal, the timestamp of the current moment is obtained, and the corresponding real-time reference code is generated through one-way encryption operation.
3. The method according to claim 1, characterized in that, The step of generating a pass verification password based on the real-time reference code and the business data, specifically includes the following methods: Using the real-time reference code as a seed variable, the coordinate index set of the business data is calculated. The coordinate index set is a set of multiple landing point coordinates sampled in the business data. The business data is mapped into a continuous binary bit stream, and multiple binary bit values at corresponding positions in the binary bit stream are read according to the coordinate index set. The binary bit values include 0 or 1. The binary bit values are concatenated in index order to obtain the feature data string; The feature data string is subjected to mathematical aggregation operation with the real-time reference code to obtain the access verification password.
4. The method according to claim 3, characterized in that, The step of mapping the business data into a continuous binary bit stream and reading multiple binary bit values at corresponding positions in the binary bit stream according to the coordinate index set specifically includes: The business data is treated as a logical byte array, and the starting address of the byte array is used as the logical zero point. For each target bit index value in the coordinate index set, relative addressing calculation is performed to obtain the byte offset relative to the logical zero point and the bit offset within the corresponding byte; Based on the byte offset and the bit offset, read the binary bit value corresponding to the target bit index value.
5. The method according to claim 4, characterized in that, The calculation steps for relative addressing specifically include: Calculate the quotient of the target bit index value and 8 to obtain the byte offset relative to the logical zero point; The bit offset within the corresponding byte is obtained by taking the remainder of the target bit index value divided by 8. The target byte in the byte array is located based on the byte offset; The target binary bit within the target byte is located based on the bit offset.
6. The method according to claim 1, characterized in that, Also includes: When the instant time reference code is sent to the enterprise client, a one-time access private key and a one-time access public key are generated based on an asymmetric encryption algorithm. The one-time access private key and the one-time access public key are a one-to-one key pair and become invalid immediately after use. The one-time access private key is used to encrypt the instant time reference code, and the one-time access public key is sent to the enterprise client so that the enterprise client can use the one-time access public key to verify the validity of the instant time reference code after receiving it. When a verification failure result is received from the enterprise client, it is determined that the real-time reference code is invalid, and a new time reference code and the corresponding one-time key pair are re-sent to the enterprise client.
7. The method according to claim 6, characterized in that, After the step of determining the invalidity of the real-time reference code upon receiving a verification failure result from the enterprise client, the method further includes: Count the number of base code verification failures for the same enterprise client or the same network address within a preset time window; If the number of verification failures of the baseline code exceeds the preset warning threshold, it is determined that there is a risk of virus tampering or malicious attack, and an early warning message is immediately sent to the enterprise security management platform. The early warning message includes at least the abnormal enterprise client identifier, abnormal network address, verification failure time and number of failures. At the same time, the push of new time reference codes to abnormal enterprise clients or the abnormal network addresses will be suspended.
8. An enterprise network security server, characterized in that, The enterprise network security server includes: one or more processors and a memory; the memory is coupled to the one or more processors, the memory is used to store computer program code, the computer program code including computer instructions, and the one or more processors call the computer instructions to cause the enterprise network security server to perform the method as described in any one of claims 1-7.
9. A computer-readable storage medium comprising instructions, characterized in that, When the instruction is executed on the enterprise network security server, it causes the enterprise network security server to perform the method as described in any one of claims 1-7.
10. A computer program product, comprising a computer program, characterized in that, When the computer program is run on an enterprise network security server, it causes the enterprise network security server to perform the method as described in any one of claims 1-7.