Data transmission security protection method based on dynamic encapsulation and dynamic confusion
By using dynamic encapsulation and obfuscation methods, feature extraction and real-time deformation are performed on each request at the web application layer, solving the problems of single protection focus and insufficient dynamism in existing technologies. This achieves efficient and flexible data transmission security protection and improves the protection capabilities of web applications.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- TIANXUN RUIDA COMM TECH CO LTD
- Filing Date
- 2026-03-12
- Publication Date
- 2026-06-09
AI Technical Summary
Existing technologies lack collaborative and real-time dynamic protection of code and data in web application data transmission security. They have a single focus, insufficient dynamism or high cost, and lack adaptability, making them unable to effectively deal with predictable threats at the web application layer.
By employing dynamic encapsulation and obfuscation methods, multi-dimensional feature extraction is performed on each client request to generate dynamic encapsulation and obfuscation instruction sets. This transforms the executable code and business data of web pages in real time. Through continuous monitoring and adaptive optimization, the code and data are coordinated and dynamically changed in real time, breaking the fixed patterns of attack dependencies.
It achieves lightweight, collaborative, and real-time dynamic protection for web application layers, blocks automated attacks, increases the difficulty of defending against advanced threats, flexibly adapts to the security needs of different business scenarios, and allows for seamless deployment without affecting user experience.
Smart Images

Figure CN122179178A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of network security technology, and in particular to a data transmission security protection method based on dynamic encapsulation and dynamic obfuscation. Background Technology
[0002] Against the backdrop of accelerated digitalization, web applications have become core business carriers in areas such as government services, e-commerce, and financial transactions. These applications typically employ a standard front-end / back-end separation architecture, where front-end code executes in the client's browser and exchanges data with the back-end server via HTTP / HTTPS protocols. The openness of this architecture exposes the application's data transmission logic and code implementation details to the client environment, creating an inherent, observable, and analyzable "static attack surface." Attackers exploit this characteristic, using automated tools for code reverse engineering, API scraping, and parameter replay, making it a crucial entry point for data breaches, business fraud, and system intrusions.
[0003] Existing technologies have proposed various solutions to address the aforementioned security threats. For example, CN111787032A hides real data packets by constructing obfuscated messages and adding encapsulation headers at the network layer, but it does not address the dynamic changes in the application layer web page code itself. CN116545650A proposes dynamic encapsulation and bidirectional detection of JS code, but its process is complex, may introduce latency, and affect deployment feasibility. CN120050092A adopts a strategy of injecting a dynamic mutation engine at the protocol stack level, which belongs to deep network layer protection and cannot solve the predictability problem of the web application layer. CN120547304A focuses on multipath transmission in distributed camera networks, and its model is incompatible with the centralized interaction mode of web applications. CN117650906A performs secondary encryption and obfuscation for the WebSocket protocol, but its algorithm is relatively fixed and lacks real-time dynamic scheduling capabilities.
[0004] In summary, existing technical solutions share the following common limitations: First, they focus on a single area of protection, lacking a holistic approach that coordinates and dynamically protects web application code and data in real time. Second, they suffer from insufficient dynamism or are prohibitively costly, with some solutions exhibiting dynamism only at the non-application layer or being overly complex to implement. Third, they lack adaptability, and protection strategies cannot be intelligently optimized based on attack patterns. Therefore, there is an urgent need for a data transmission security protection method that can directly act on the web application layer, implementing lightweight, collaborative, and real-time dynamic changes to the code logic and business data of each interaction, and adaptively evolving according to security threats. Summary of the Invention
[0005] To address the technical problems existing in the prior art, this invention provides a data transmission security protection method based on dynamic encapsulation and dynamic obfuscation, comprising the following steps: S101, Request parsing and multi-dimensional feature extraction: Receive web page access request sent by the client, parse the request and extract features to generate a multi-dimensional feature vector that can comprehensively reflect the current request status and historical behavior patterns. S102. Risk-aware dynamic encapsulation strategy decision-making: Based on the multi-dimensional feature vector, through risk assessment and randomization selection, a dynamic encapsulation instruction set is generated to guide the real-time deformation of the executable code of the webpage. S103. Context-aware dynamic obfuscation algorithm decision-making: Based on the multi-dimensional feature vector, through algorithm selection and dynamic key generation, a dynamic obfuscation instruction set is generated to guide the real-time obfuscation of service transmission data. S104. Real-time structured dynamic encapsulation of source code: Based on the dynamic encapsulation instruction set, the executable code of the webpage to be responded to by the server is subjected to dynamic encapsulation processing, including identifier obfuscation and code structure transformation, to generate the encapsulated code and the corresponding client boot code. S105. Multi-level real-time obfuscation processing of transmitted data: Based on the dynamic obfuscation instruction set and its associated dynamic key material, multi-level obfuscation transformation processing is performed on the service data to be transmitted by the server to generate obfuscated data and corresponding obfuscated meta-information objects. S106. Secure response assembly and metadata concealment embedding: Assemble the encapsulated code, the client boot code, the obfuscated data, and the obfuscated metadata object, and send the assembled response to the client. S107. Client-side transparent parsing and dynamic content restoration: After receiving the response, the client uses the client boot code to parse the obfuscated metadata object, obtain the restoration parameters, and reverse restore and execute the obfuscated data and encapsulated code. S108. Continuous monitoring and adaptive optimization of defense strategies: Monitor and collect system operation data, and dynamically update encapsulation rules and obfuscation algorithm strategies based on the analysis of attack patterns and strategy effectiveness.
[0006] As a preferred embodiment of this application, step S102, the dynamic encapsulation strategy decision based on risk perception, includes: assessing the real-time risk level of the current request based on the request frequency and trust score in the multi-dimensional feature vector; filtering candidate rule sets from a preset encapsulation rule base according to the real-time risk level; selecting a specific encapsulation rule for this request from the candidate rule set using a pseudo-random function with elements in the multi-dimensional feature vector as seeds; dynamically generating a namespace seed based on the current session identifier and server time, and randomly selecting a combination from multiple structural transformation templates associated with the selected encapsulation rule to form the dynamic encapsulation instruction set. The encapsulation strategy decision supports two triggering modes: request event-driven and time-driven based on a preset period.
[0007] As a preferred embodiment of this application, in step S103, the context-aware dynamic obfuscation algorithm decision includes: determining the data obfuscation strength based on the risk level obtained from the multi-dimensional feature vector assessment; selecting one or more algorithms from a pre-set obfuscation algorithm pool based on the determined obfuscation strength using randomization logic to form an algorithm combination; calling a key generator to dynamically generate one-time temporary key material using the current time, server salt value, and client characteristics as entropy sources; securely binding and storing the generated temporary key material with a short-term valid access token; and packaging the identifier of the algorithm combination and the corresponding access token to form the dynamic obfuscation instruction set.
[0008] As a preferred embodiment of this application, step S104, the real-time structured dynamic encapsulation of the source code includes: parsing the original webpage executable code into an abstract syntax tree; traversing the abstract syntax tree, and renaming the identifiers in the code to semantically meaningless strings through hash mapping according to the namespace seed in the dynamic encapsulation instruction set; performing node-level reconstruction operations on the abstract syntax tree according to the structure transformation template combination in the dynamic encapsulation instruction set, the reconstruction operations including adjusting the declaration order, equivalent replacement of the control flow structure, and inserting harmless redundant code; serializing the reconstructed abstract syntax tree into the encapsulated code in string format; and generating the client bootstrap code used to restore the identifier mapping relationship on the client side.
[0009] As a preferred embodiment of this application, in step S105, the multi-level real-time obfuscation processing of the transmitted data includes: serializing the service data to be transmitted into a string; obtaining the corresponding bound temporary key material according to the access token in the dynamic obfuscation instruction set; performing obfuscation transformation on the string sequentially using the corresponding algorithm and the temporary key material according to the algorithm combination order specified in the dynamic obfuscation instruction set to obtain the obfuscated data string; and creating a key-value pair object that records the algorithm combination identifier and the access token index as the obfuscation metadata object.
[0010] As a preferred embodiment of this application, in step S106, the secure response assembly and metadata concealment embedding includes: embedding the encapsulated code and client bootstrap code into the script tags of the HTML page; placing the obfuscated data into the HTML page or response body in the form of inline variables or API response bodies; encoding the obfuscated metadata object and setting it as the value of a custom HTTP response header or the attribute value of a hidden HTML tag; setting an HTTP cache control header to indicate that the content cannot be cached; and sending the assembled HTTP response to the client.
[0011] As a preferred embodiment of this application, step S107, the client-side transparent parsing and dynamic content restoration, includes: the client browser executing the client bootstrap code; the client bootstrap code extracting and parsing the obfuscated metadata object from the custom HTTP response header or hidden HTML tags; querying the corresponding key restoration parameters from the client's local secure storage based on the access token index in the obfuscated metadata object and a key seed pre-stored locally on the client; using the key restoration parameters, decrypting and restoring the obfuscated data in reverse order of the algorithm combination indicated by the obfuscated metadata object to obtain the original business data; loading and executing the encapsulated code, and correctly parsing the obfuscated identifier using the mapping relationship established by the client bootstrap code. The key seed is obtained through key negotiation with the server at the initial stage of the secure session.
[0012] This application also provides a data transmission security protection system based on dynamic encapsulation and dynamic obfuscation, used to implement the method described above. The system is deployed on the server side and specifically includes: The request receiving and feature extraction module is used to receive client requests, parse the requests and extract features to generate multi-dimensional feature vectors; The dynamic control center, connected to the request receiving and feature extraction module, is used to generate dynamic encapsulation instruction sets and dynamic obfuscation instruction sets based on the multi-dimensional feature vectors. The dynamic control center includes a risk assessment submodule, an encapsulation strategy decision engine, an obfuscation strategy decision engine, and a rule and algorithm knowledge base. The encapsulation strategy decision engine also integrates a strategy scheduler to support a time-driven mode for switching active encapsulation rule sets according to a preset period. The dynamic encapsulation processing module, connected to the dynamic control center, is used to dynamically encapsulate the executable code of the webpage according to the dynamic encapsulation instruction set, and generate the encapsulated code and client boot code. The dynamic obfuscation processing module, connected to the dynamic control center, is used to perform obfuscation transformation processing on business data based on the dynamic obfuscation instruction set and its associated dynamic key material, and generate obfuscated data and obfuscated metadata objects. The key generation and management module, connected to the dynamic control center and the dynamic obfuscation processing module, is used to dynamically generate and securely manage one-time key materials associated with the dynamic obfuscation instruction set according to requests; The response assembly module is connected to the dynamic encapsulation processing module and the dynamic obfuscation processing module, respectively, and is used to assemble the encapsulated code, the client boot code, the obfuscated data and the obfuscated meta information object into an HTTP response, and send the HTTP response to the client; The monitoring and optimization module is connected to the dynamic control center and is used to monitor system operation, analyze security status, and dynamically optimize the strategy decision-making logic of the dynamic control center based on the analysis results.
[0013] Compared with the prior art, the beneficial effects of the present invention are as follows: 1) Proactive defense against advanced threats: By dynamically changing code and data in real time, it breaks the fixed patterns that attacks rely on, making zero-day exploits lose their stable premise and significantly increasing the difficulty of spoofing attacks and forging legitimate requests.
[0014] 2) Block the automated attack chain. The code structure and data format returned by each request are different, which makes reverse engineering analysis ineffective and prevents automated crawlers and injection attacks from recognizing or parsing the payload.
[0015] 3) Flexible adaptation and elastic scheduling: It can intelligently adjust the protection strength according to the risk of the request, balancing security and performance. The rule and algorithm library supports hot updates, which can quickly adapt to the security needs of different business scenarios.
[0016] 4) Seamless deployment and high performance: Core computing is efficiently completed on the server side, and the client-side restoration process is completely transparent, without affecting web page functionality and user experience. The solution is easy to integrate into existing systems and has low deployment costs.
[0017] In summary, this invention effectively fills the gaps in traditional static protection technologies through a dynamic and differentiated proactive defense approach. It provides a real-time, continuously evolving solution for data transmission security in web applications, which is of great value in improving the security protection capabilities of critical business systems and ensuring the stable and reliable operation of digital services. Attached Figure Description
[0018] The accompanying drawings, which are incorporated in and form part of this specification, illustrate embodiments consistent with the invention and, together with the description, serve to explain the principles of the invention.
[0019] To more clearly illustrate the technical solutions in the embodiments of the present invention or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, for those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0020] Figure 1 This is a general flowchart of the data transmission security protection method provided in the embodiments of the present invention.
[0021] Figure 2 This is a flowchart of the dynamic encapsulation strategy decision-making provided in an embodiment of the present invention.
[0022] Figure 3 This is a flowchart of the dynamic obfuscation algorithm decision-making process provided in an embodiment of the present invention.
[0023] Figure 4 This is a schematic diagram of the real-time structured dynamic encapsulation of source code provided in an embodiment of the present invention.
[0024] Figure 5 This is a schematic diagram of multi-level real-time obfuscation processing of transmitted data provided in an embodiment of the present invention.
[0025] Figure 6 This is a schematic diagram of the security response assembly and metadata concealment embedding provided in the embodiments of the present invention.
[0026] Figure 7 This is a schematic diagram of client-side transparent parsing and dynamic content restoration provided in an embodiment of the present invention.
[0027] Figure 8 This is an architecture diagram of the data transmission security protection system provided in an embodiment of the present invention. Detailed Implementation
[0028] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only a part of the embodiments of the present invention, and not all of them. Based on the embodiments of the present invention, all other embodiments obtained by those of ordinary skill in the art without creative effort are within the scope of protection of the present invention.
[0029] It should be noted that all directional indications (such as up, down, left, right, front, back, etc.) in the embodiments of the present invention are only used to explain the relative positional relationship and movement of each component in a certain specific posture (as shown in the figure). If the specific posture changes, the directional indication will also change accordingly.
[0030] Furthermore, the use of terms such as "first" and "second" in this invention is for descriptive purposes only and should not be construed as indicating or implying their relative importance or implicitly specifying the number of technical features indicated. Therefore, features defined with "first" and "second" may explicitly or implicitly include at least one of those features. Additionally, the technical solutions of the various embodiments can be combined with each other, but only on the basis of being achievable by those skilled in the art. When the combination of technical solutions is contradictory or impossible to implement, such a combination of technical solutions should be considered non-existent and not within the scope of protection claimed by this invention.
[0031] Example 1 This invention provides a data transmission security protection method based on dynamic encapsulation and dynamic obfuscation. The method constructs a server-side driven proactive defense system. Its core mechanism lies in: for each independent client request, during the response generation stage, collaborative and real-time dynamic mutations are performed on the two core elements constituting a web application (executable code logic and business transmission data). Through this two-pronged dynamic processing, each server response possesses uniqueness and temporality in both structure and content representation, thereby transforming the fixed "attack surface" of traditional static applications into a continuously fluctuating "dynamic defense interface," significantly increasing the difficulty of reverse engineering, automated attacks, and vulnerability detection. Figure 1 As shown, the specific steps include: S101, Request Parsing and Multidimensional Feature Extraction The server network listening service captures HTTP / HTTPS request packets from clients and delivers the HTTP / HTTPS requests to the request feature extraction module for processing.
[0032] The request feature extraction module first accurately reconstructs the request method, target resource identifier, protocol version, and complete request header set from the original byte stream.
[0033] Subsequently, the request feature extraction module extracts several key features from the parsed structured request information, including but not limited to the client IP address, the cryptographic hash digest of the user agent string, the patterned representation of the requested resource path, and the timestamp. Simultaneously, the request feature extraction module interacts with the session management service to obtain the session history context associated with the request through querying. The session history context includes behavioral profiles such as the session's request frequency within a recent time window, historical access path sequences, and past response decryption success rates.
[0034] Finally, the request feature extraction module normalizes and weights the aforementioned discrete raw features and historical behavior data, encapsulating them into a machine-readable structured multidimensional feature vector. The attributes of this multidimensional feature vector include anonymized IP address, user agent hash fingerprint, normalized resource access pattern, instantaneous request frequency calculated based on recent history, current session duration, trust score calculated based on historical behavior, and precise timestamp. This multidimensional feature vector is not simply a data aggregation; rather, through preprocessing, it transforms a network request into a standardized decision input that comprehensively reflects the current instantaneous state of the request, client identity characteristics, and historical behavior patterns.
[0035] S102, Dynamic Encapsulation Strategy Decision Based on Risk Perception The encapsulation strategy decision engine within the dynamic control center receives multi-dimensional feature vectors. For example... Figure 2 As shown, the specific implementation is as follows: The encapsulated strategy decision engine first invokes its internal risk assessment submodule. This submodule, based on key dimensions of the multi-dimensional feature vector (such as instantaneous request frequency, session history trust score, and IP reputation information), performs calculations and inferences using a predefined, configurable rule set (e.g., if the request frequency exceeds threshold F1 and the trust score is below threshold S1, the risk level is high). This generates a qualitative, real-time risk level assessment result. The real-time risk level forms the basis for subsequent refined decision-making.
[0036] Subsequently, the encapsulation strategy decision engine accesses a pre-built encapsulation rule base. Each rule in the encapsulation rule base explicitly defines the strength, transformation type, and computational cost of code obfuscation. To ensure continuous dynamism, the encapsulation strategy decision engine supports two strategy triggering and update modes: one is the request-driven mode, which selects a subset of candidate rules based on the real-time risk level of the current request, and then introduces a pseudo-random number generator seeded with some elements of a multi-dimensional feature vector to randomly select an encapsulation rule specific to the current request from the candidate subset; the other is the time-driven mode, where the system has a built-in independent strategy scheduler that automatically switches the "active encapsulation rule set" according to a preset time period. Thereafter, the encapsulation strategy decision for all new requests is based on the new active rule set, thereby ensuring that the code structure has the ability to change periodically.
[0037] Once the encapsulation rule is selected, the encapsulation strategy decision engine immediately generates a unique "namespace seed" using a hash function based on the current session identifier and server clock; it then randomly selects a set of structure transformation templates from multiple structure transformation templates associated with the encapsulation rule (such as function reordering, control flow flattening, opaque predicate insertion, etc.).
[0038] Finally, the encapsulation strategy decision engine encapsulates the selected encapsulation rule identifier, namespace seed, structural transformation template combination, and other parameters into a structured encapsulation instruction set. This encapsulation instruction set serves as a detailed "blueprint," precisely guiding subsequent code transformation operations.
[0039] S103, Context-Aware Dynamic Obfuscation Algorithm Decision This step executes in parallel with S102 and is handled by the obfuscation policy decision engine within the dynamic control center. The obfuscation policy decision engine maintains a scalable pool of obfuscation algorithms, containing various types of algorithm implementations, such as character substitution algorithms based on dynamic mapping tables, XOR algorithms using temporary key streams, hash transformation algorithms incorporating dynamic salt values, and modified variants of classic encryption algorithms. Figure 3 As shown, the specific implementation is as follows: The obfuscation strategy decision engine first determines the required strength of the data obfuscation based on the calculated risk level and resource access patterns in the multidimensional feature vector (such as selecting a single algorithm or multiple algorithms in series). Then, through an independent random selection logic seeded by the request identifier, it selects one or more algorithms from the algorithm pool to form a combination of algorithms specific to this request.
[0040] Next, the system invokes a cryptographically secure key generator, inputting the current server time, the built-in master salt, and entropy sources such as the client's IP hash. It then executes a key derivation function to generate one-time temporary session keys, random permutation tables, or dynamic salts. These key materials are securely stored in volatile memory and bound to an automatically generated, short-lived access token.
[0041] Finally, the obfuscation policy decision engine packages the selected algorithm combination identifier and the corresponding key access token into a structured obfuscation instruction set. The obfuscation instruction set specifies the data processing method and credentials, but does not contain the key itself, thus achieving a secure separation of policy and key.
[0042] S104. Real-time structured dynamic encapsulation of source code The server-side dynamic encapsulation processing module receives raw JavaScript code strings from the application's business logic and a set of encapsulation instructions from the encapsulation strategy decision engine. For example... Figure 4 As shown, the specific implementation is as follows: The dynamic encapsulation processing module uses a JavaScript syntax parser to convert source code strings into an abstract syntax tree (AST). An AST is a precise and complete tree-like representation of the code; this conversion ensures that all subsequent transformations are performed at the structural level, guaranteeing logical accuracy.
[0043] Subsequently, the dynamic encapsulation processing module performs a depth-first traversal of the abstract syntax tree. For each variable declaration node, function declaration node, and member access expression node, it extracts its original identifier name. Then, using the "namespace seed" provided in the encapsulation instruction set and an incrementing counter as input, it calculates a new, semantically neutral short identifier (e.g., _0x1a2b3c) using a defined hash mapping function. This new identifier replaces the original name in the abstract syntax tree node. This achieves both the preservation of code semantics and the complete randomization of surface identifiers.
[0044] After identifier obfuscation, the dynamic encapsulation module reconstructs the abstract syntax tree based on the structural transformation template combination in the instruction set. For example, it randomly swaps the positions of sibling function declaration nodes within the same scope; converts simple if-else branch structures into equivalent switch-case structures; and inserts dead code or redundant arithmetic calculations that do not change the final state of the program inside loops or before function return. These transformations are performed at the abstract syntax tree node level through insertion, deletion, replacement, and node movement, ensuring the strict invariance of the code's logical functionality.
[0045] Finally, the dynamic encapsulation processing module reconstructs the abstract syntax tree, which has undergone a series of transformations, into a standard JavaScript code string through a code generator, i.e., the encapsulated code. At the same time, it generates a minimal client bootstrap code snippet, which contains the minimum lookup table or decoding logic necessary for the reverse-mapped obfuscated identifier.
[0046] S105. Multi-level real-time obfuscation processing of transmitted data The dynamic obfuscation module is responsible for transforming the plain data to be transmitted by the application in real time. For example... Figure 5 As shown, the specific implementation is as follows: The dynamic obfuscation module first receives the structured data object (such as a JSON object containing user information) that needs to be returned to the client from the server application layer, and serializes the structured data object into a UTF-8 encoded string.
[0047] Next, the dynamic obfuscation processing module, based on the key access token carried in the obfuscation instruction set from the obfuscation policy decision engine, initiates a security query to the centralized key management service to obtain the specific key materials such as the temporary key, salt value, or substitution table bound to it.
[0048] Subsequently, the dynamic obfuscation module initializes the corresponding algorithm processors according to the algorithm combination order specified in the obfuscation instruction set. For example, it first calls the permutation algorithm processor to rearrange the character sequence of the data string using the obtained random permutation table; then, the rearranged intermediate result is passed to the XOR algorithm processor for byte-by-byte XOR encryption using a temporary key stream; finally, it may pass through a custom encoding processor for output formatting. Each step is a deterministic and reversible transformation. After pipeline processing, the original data is transformed into a seemingly random and disordered obfuscated data string. Simultaneously, the dynamic obfuscation module creates a lightweight obfuscation metadata object, which records the algorithm combination ID and key access token index used in this operation in key-value pairs, providing decryption navigation for the client.
[0049] S106, Security Response Assembly and Meta-information Covert Embedding The response assembly module is the final step that integrates all the processing results. For example... Figure 6 As shown, the specific implementation is as follows: The response assembly module will embed the encapsulated code and client-side bootstrapping code produced by the encapsulation processing module into the HTML page template according to the correct dependencies and execution order. <script>标签中;将混淆处理模块产出的混淆后数据字符串,以内联JavaScript变量或异步API响应体的形式置入。最关键的一步是,响应组装模块将混淆元信息对象进行Base64编码或简单的序列化,然后通过一种隐蔽但约定好的方式传递给客户端。优选的嵌入方式包括:将其设置为一个自定义的HTTP响应头(如X-Data-Meta)的值;或将其作为HTML文档中一个隐藏的<meta>标签的content属性值。此举确保了还原信息的安全传递。
[0050] 随后,响应组装模块添加诸如Cache-Control: no-cache, must-revalidate等指令,防止浏览器缓存动态变化的内容。
[0051] 最终,响应组装模块调用服务器网络发送接口,将组装完毕的完整HTTP响应数据包传输至客户端网络。
[0052] S107、客户端透明化解析与动态内容还原在客户端浏览器环境中,整个还原过程对用户和上层应用逻辑是完全无感知的。如图7所示,具体实施如下:页面加载初期,浏览器引擎首先解释并执行内嵌的客户端引导代码。这段客户端引导代码从服务器预设的隐蔽位置(如解析X-Data-Meta响应头或读取特定meta标签)中提取出混淆元信息对象。
[0053] 为安全完成还原,客户端需管理密钥材料。在会话建立初期,通过一次受TLS保护的独立交互,客户端从服务器安全获取初始密钥材料或派生主种子。引导代码将其加密后存储于浏览器的安全存储区(如sessionStorage),并与会话ID绑定。对于后续请求,客户端引导代码根据混淆元信息对象中的密钥令牌索引,结合本地存储的种子和服务器返回的公开参数,在本地重新计算出解密所需的具体密钥。此设计实现了"密钥不离客户端”,提升了安全性。会话结束时,本地存储的密钥材料被自动清除。
[0054] 然后,根据混淆元信息对象中的密钥令牌索引,并结合本地密钥派生机制,从客户端本地安全存储(此存储可能由之前某次安全交互或一个独立的密钥协商协议预先填充)中查询或推导出解密所需的密钥参数。
[0055] 接着,客户端引导代码在DOM或全局对象中找到包含混淆后数据字符串的变量或响应体,按照元信息中记录的算法组合ID,反向顺序地应用对应的解密算法(如先解码、再异或、最后逆置换),将混淆后数据字符串准确还原为原始的结构化数据,并将其交付给等待此数据的页面业务逻辑。与此同时,浏览器并行加载并执行封装后代码。由于引导代码已提前建立了混淆标识符到原始语义的映射关系,因此尽管所有函数和变量名都已改变,代码的执行引擎能够正确解析符号引用,程序逻辑得以完全正常地运行,从而实现防护过程对业务功能的零干扰。
[0056] S108、防御策略的持续监控与自适应调优本步骤是一个贯穿系统始终、实现持续自进化的后台智能过程。监控与调优模块持续收集来自系统各个关节点的日志与指标,包括但不限于:每个请求的特征向量与最终施加的防护策略(封装规则、混淆算法)、客户端的解密成功 / 失败回执、页面关键性能指标、以及来自底层网络防火墙或Web应用防火墙的安全告警事件。
[0057] 随后,监控与调优模块利用统计分析和机器学习方法,对海量日志进行挖掘。例如,识别出某个IP段在短时间内对同一接口发起大量请求且使用固定User-Agent变体,即可标记为爬虫攻击模式;评估发现某套混淆算法组合在应用于高风险请求后,客户端解密失败率异常降低(可能意味着该算法被破解),则标记该组合需要强化。
[0058] 基于分析结果,监控与调优模块通过管理接口,自动或由管理员手动调整动态控制中心的决策逻辑。例如,自动降低疑似被识别的算法组合的选择权重,并提升新算法变体的使用概率;向封装规则库中添加一种新型的、针对近期常见逆向工具的分析盲点的结构变换模板。
[0059] 此闭环反馈机制确保了系统的防御策略不是一个静态的配置,而是一个能够随威胁环境共同演进的自适应免疫系统,从而长期维持其防护效力。
[0060] 实施例二本发明还提供了一种基于动态封装与动态混淆的数据传输安全保护系统,所述系统部署于服务器端,采用模块化流水线式的架构设计,各模块职责清晰、接口明确,通过高效协同共同实现主动动态防护。如图8所示,具体包括:请求接收与特征提取模块请求接收与特征提取模块作为系统的输入门户,承担着网络协议解析与请求情报初步加工的双重职责。请求接收与特征提取模块由网络监听单元、协议解析引擎和智能特征提取器构成。网络监听单元持续监听服务器指定端口,捕获原始的TCP连接和HTTP / HTTPS请求流。协议解析引擎对捕获的字节流进行深度解析,严格按照RFC标准解构出HTTP请求的各个组成部分,包括请求行、请求头域和消息体,并将其转换为内部易于处理的结构化对象。随后,智能特征提取器开始工作,智能特征提取器不仅仅是从结构化对象中读取字段值,而是执行复杂的特征工程:例如,对用户代理字符串进行规范化并计算其指纹哈希以抵抗细微改动;对请求URL进行模式匹配,提取资源访问模板;结合实时时钟和会话数据库,计算滑动时间窗口内的请求速率。请求接收与特征提取模块最终输出的是一个富含语义的、标准化的多维特征向量,它将一次原始的网络访问转换为了后续智能决策模块可直接消费的、高质量的信息实体。
[0061] 动态控制中心动态控制中心是本系统的神经中枢与决策核心,其设计借鉴了策略引擎与随机化决策相结合的理念。中心内部集成有封装策略决策引擎、混淆策略决策引擎、统一风险评估子模块以及一个持久化的规则与算法知识库。知识库是系统的策略蓝本,以结构化的方式存储所有可用的封装规则(描述代码如何变)和混淆算法(描述数据如何变)及其元属性(如复杂度、安全等级)。当特征向量送达后,统一风险评估子模块率先对其进行综合研判,输出一个量化的风险等级信号。此后,封装与混淆两个决策引擎并发工作。它们共享风险等级和特征向量,但拥有独立的随机化决策逻辑。为确保持续动态性,封装策略决策引擎还集成有策略调度器,支持按预设周期自动切换活跃封装规则集的时间驱动模式,与基于请求特征的事件驱动模式协同工作。封装决策引擎根据风险等级从知识库中筛选候选规则集,并利用一个以请求特征为种子的随机函数进行最终选择,同时动态生成本次执行所需的参数,输出一份具体的封装指令集。混淆决策引擎则并行地从算法池中选择算法组合,并协调密钥管理服务生成动态密钥,输出另一份混淆指令集。两个引擎的决策结果共同构成了一次完整防护的"战术方案”。
[0062] 动态封装处理模块动态封装处理模块是代码变形策略的忠实执行者与工程师。动态封装处理模块的核心是一个现代化的JavaScript处理工具链,主要包括抽象语法树解析器、符号表重写器、结构变换处理器和代码生成器。它的工作流程始于语法分析,抽象语法树解析器将输入的纯文本JavaScript代码,通过词法分析和语法分析,构建成一棵精确反映代码语法结构的抽象语法树。接着,符号表重写器接收封装指令集,根据其中的命名空间种子,遍历抽象语法树并为每个标识符节点计算其混淆后的新名称,同时维护一个完整的映射关系表。然后,结构变换处理器依据指令集中的模板指令,对抽象语法树进行外科手术式的修改,这些操作在树节点层面进行,确保了变换的准确性和功能性等价。最后,代码生成器负责将经过一系列改造后的抽象语法树,重新序列化为符合ECMAScript规范的JavaScript代码字符串,并负责生成与之配套的、用于客户端还原映射关系的微型引导代码。动态封装处理模块实现了从策略指令到可部署安全代码的转化。
[0063] 动态混淆处理模块动态混淆处理模块是数据变形策略的加密工厂。动态混淆处理模块设计为可插拔的算法流水线,由数据接口适配器、多算法执行引擎和元信息组装器组成。数据接口适配器负责从不同的服务器端应用框架(如Spring、Express)中,以约定方式提取出待保护的响应数据对象,并将其序列化为统一格式的字符串。多算法执行引擎是动态混淆处理模块的核心,多算法执行引擎内部注册了混淆算法池中所有算法的具体实现。当收到混淆指令集后,引擎按指令加载指定的算法组件,形成一条处理流水线,并同时从密钥管理模块动态获取本次所需的密钥材料。原始数据字符串如同原材料一般流过这条流水线,依次经过各算法组件的加密、混淆或编码处理,最终产出面目全非的混淆后数据。元信息组装器则同步工作,元信息组装器创建一个轻量的、包含算法流水线描述和密钥索引的混淆元信息对象,混淆元信息对象是数据得以正确还原的"钥匙说明书”。
[0064] 密钥生成与管理模块密钥生成与管理模块是系统安全基石的守护者,负责动态密钥材料的全生命周期管理。密钥生成与管理模块内置密码学安全随机数生成器,能够确保生成的密钥具备极高的不可预测性。其工作流程始于接收决策引擎或混淆模块的密钥生成请求。密钥生成与管理模块利用请求中携带的熵源(时间戳、会话ID等)和服务器主密钥,通过标准的密钥派生函数进行计算,动态生成一次性使用的会话密钥、盐值或随机数序列。生成后,密钥生成与管理模块并非直接返回密钥,而是将其存储在具备访问控制的临时安全内存区中,并生成一个与之唯一绑定的、短时效的令牌凭证返回给请求方。当混淆处理模块需要密钥进行运算时,必须提供此令牌凭证,经模块验证无误后方可获取真实的密钥材料。密钥生成与管理模块还设有自动清理机制,定期扫描并销毁过期的密钥材料和令牌,彻底杜绝密钥重用和长期驻留带来的风险。
[0065] 响应组装模块响应组装模块是交付最终防御成果的装配车间。响应组装模块接收来自上游各个处理模块的"零件”:封装后的代码、引导代码、混淆后的数据以及混淆元信息。响应组装模块的核心职责是执行智能组装与隐蔽嵌入。响应组装模块按照Web页面的标准结构和加载顺序,将代码和数据"零件”精准地安置在HTML文档的相应位置。响应组装模块关键技术在于对混淆元信息的隐蔽处理:模块通过编码和位置隐藏技术,将其嵌入到HTTP响应头或HTML文档的注释、隐藏标签等不易被普通解析器注意的位置,实现安全指令的"隐身”传输。此外,响应组装模块还负责设置一系列控制HTTP缓存行为的头部信息,确保动态生成的内容不会被客户端或中间代理缓存,从而保证每次请求都能获得最新的、动态变化的防护内容。组装完成后,响应组装模块调用底层网络服务,将完整的HTTP响应报文发送给客户端。
[0066] 监控与调优模块监控与调优模块是实现系统自我进化与持续优化的智慧大脑。监控与调优模块是一个后台服务,由数据采集代理、多维度分析引擎和管理控制台接口构成。数据采集代理以非侵入方式,从系统各个模块的日志接口、性能计数器中持续收集运行时数据,构建一个全面的系统运行状况与安全态势数据库。多维度分析引擎则对海量数据进行分析,多维度分析引擎不仅能通过阈值告警发现明显的异常攻击(如CC攻击),更能运用关联分析和机器学习模型,识别隐蔽的攻击模式(如低频慢速扫描、试探性攻击)并评估各条封装规则、各个混淆算法在实际对抗中的有效性。分析结果通过管理控制台接口,以可视化报表形式呈现给安全管理员,并支持一键式的策略调整。更重要的是,监控与调优模块支持自动化策略优化,例如,当分析发现某种攻击模式开始频繁出现时,可以自动推荐或直接启用一套新的、针对性的封装混淆组合策略,并将此策略更新同步至动态控制中心的知识库中,从而实现防御能力的动态增强和闭环演进。
[0067] 实施例三本发明还提供了一种电子设备,包括:处理器、发送装置、输入装置、输出装置和存储器,处理器,可采用通用的CPU(CentralProcessingUnit,中央处理器)、微处理器、应用专用集成电路、或者一个或多个集成电路等方式实现,用于执行相关程序,以实现本申请实施例所提供的技术方案,存储器可采用只读存储器(ReadOnlyMemory,ROM)、静态存储设备、动态存储设备或者随机存取存储器(RandomAccessMemory,RAM)等形式实现,用于存储计算机程序代码,计算机程序代码包括计算机指令,当处理器执行计算机指令时,电子设备执行如上述任意一种可能实现的方式的方法。
[0068] 实施例四本发明还提供了一种计算机可读存储介质,计算机可读存储介质中存储有计算机程序,计算机程序包括程序指令,程序指令当被电子设备的处理器执行时,使处理器执行如上述任意一种可能实现的方式的方法。
[0069] 在说明书的描述中,参考术语"一个实施例”、"示例”、"具体示例”等的描述意指结合该实施例或示例描述的具体特征、结构、材料或者特点包含于本发明的至少一个实施例或示例中。在本说明书中,对上述术语的示意性表述不一定指的是相同的实施例或示例。而且,描述的具体特征、结构、材料或者特点可以在任何的一个或多个实施例或示例中以合适的方式结合。
[0070] 以上所述仅是本发明的具体实施方式,使本领域技术人员能够理解或实现本发明。对这些实施例的多种修改对本领域的技术人员来说将是显而易见的,本文中所定义的一般原理可以在不脱离本发明的精神或范围的情况下,在其它实施例中实现。因此,本发明将不会被限制于本文所示的这些实施例,而是要符合与本文所申请的原理和新颖特点相一致的最宽的范围。< / script>
Claims
1. A data transmission security protection method based on dynamic encapsulation and dynamic obfuscation, characterized in that, Includes the following steps: S101, Request parsing and multi-dimensional feature extraction: Receive web page access request sent by the client, parse the request and extract features to generate a multi-dimensional feature vector that can comprehensively reflect the current request status and historical behavior patterns. S102. Risk-aware dynamic encapsulation strategy decision-making: Based on the multi-dimensional feature vector, through risk assessment and randomization selection, a dynamic encapsulation instruction set is generated to guide the real-time deformation of the executable code of the webpage. S103. Context-aware dynamic obfuscation algorithm decision-making: Based on the multi-dimensional feature vector, through algorithm selection and dynamic key generation, a dynamic obfuscation instruction set is generated to guide the real-time obfuscation of service transmission data. S104. Real-time structured dynamic encapsulation of source code: Based on the dynamic encapsulation instruction set, the executable code of the webpage to be responded to by the server is subjected to dynamic encapsulation processing, including identifier obfuscation and code structure transformation, to generate the encapsulated code and the corresponding client boot code. S105. Multi-level real-time obfuscation processing of transmitted data: Based on the dynamic obfuscation instruction set and its associated dynamic key material, multi-level obfuscation transformation processing is performed on the service data to be transmitted by the server to generate obfuscated data and corresponding obfuscated meta-information objects. S106. Secure response assembly and metadata concealment embedding: Assemble the encapsulated code, the client boot code, the obfuscated data, and the obfuscated metadata object, and send the assembled response to the client. S107. Client-side transparent parsing and dynamic content restoration: After receiving the response, the client uses the client boot code to parse the obfuscated metadata object, obtain the restoration parameters, and reverse restore and execute the obfuscated data and encapsulated code. S108. Continuous monitoring and adaptive optimization of defense strategies: Monitor and collect system operation data, and dynamically update encapsulation rules and obfuscation algorithm strategies based on the analysis of attack patterns and strategy effectiveness.
2. The method according to claim 1, characterized in that, In step S102, the dynamic encapsulation strategy decision based on risk perception includes: assessing the real-time risk level of the current request based on the request frequency and trust score in the multi-dimensional feature vector; filtering candidate rule sets from a preset encapsulation rule base according to the real-time risk level; selecting a specific encapsulation rule for this request from the candidate rule set using a pseudo-random function with elements in the multi-dimensional feature vector as seeds; dynamically generating a namespace seed based on the current session identifier and server time, and randomly selecting a combination from multiple structural transformation templates associated with the selected encapsulation rule to form the dynamic encapsulation instruction set; the encapsulation strategy decision supports two triggering modes: request event-driven and time-driven based on a preset period.
3. The method according to claim 1, characterized in that, In step S103, the context-aware dynamic obfuscation algorithm decision includes: determining the data obfuscation strength based on the risk level evaluated based on the multi-dimensional feature vector; selecting one or more algorithms from a preset obfuscation algorithm pool based on the determined obfuscation strength through randomization logic to form an algorithm combination; calling a key generator to dynamically generate one-time temporary key material using the current time, server salt value, and client characteristics as entropy sources; securely binding and storing the generated temporary key material with a short-term valid access token; and packaging the identifier of the algorithm combination and the corresponding access token to form the dynamic obfuscation instruction set.
4. The method according to claim 1, characterized in that, In step S104, the real-time structured dynamic encapsulation of the source code includes: parsing the original webpage executable code into an abstract syntax tree; traversing the abstract syntax tree and renaming identifiers in the code to semantically meaningless strings through hash mapping according to the namespace seed in the dynamic encapsulation instruction set; performing node-level reconstruction operations on the abstract syntax tree according to the structure transformation template combination in the dynamic encapsulation instruction set, the reconstruction operations including adjusting the declaration order, equivalent replacement of control flow structures, and inserting harmless redundant code; serializing the reconstructed abstract syntax tree into the encapsulated code in string format; and generating the client bootstrap code used to restore the identifier mapping relationship on the client side.
5. The method according to claim 1, characterized in that, In step S105, the multi-level real-time obfuscation processing of the transmitted data includes: serializing the service data to be transmitted into a string; obtaining the corresponding bound temporary key material according to the access token in the dynamic obfuscation instruction set; performing obfuscation transformation on the string sequentially using the corresponding algorithm and the temporary key material according to the algorithm combination order specified in the dynamic obfuscation instruction set to obtain the obfuscated data string; and creating a key-value pair object that records the algorithm combination identifier and the access token index as the obfuscation metadata object.
6. The method according to claim 1, characterized in that, In step S106, the secure response assembly and metadata concealment embedding includes: embedding the encapsulated code and client bootstrap code into the script tags of the HTML page; placing the obfuscated data into the HTML page or response body in the form of inline variables or API response bodies; encoding the obfuscated metadata object and setting it as the value of a custom HTTP response header or the attribute value of a hidden HTML tag; setting an HTTP cache control header to indicate that the content cannot be cached; and sending the assembled HTTP response to the client.
7. The method according to claim 1, characterized in that, In step S107, the client-side transparent parsing and dynamic content restoration includes: the client browser executing the client bootstrap code; the client bootstrap code extracting and parsing the obfuscated metadata object from the custom HTTP response header or hidden HTML tags; querying the corresponding key restoration parameters from the client's local secure storage based on the access token index in the obfuscated metadata object and the key seed pre-stored locally on the client; using the key restoration parameters, decrypting and restoring the obfuscated data in reverse order of the algorithm combination indicated by the obfuscated metadata object to obtain the original business data; loading and executing the encapsulated code, correctly parsing the obfuscated identifier using the mapping relationship established by the client bootstrap code; the key seed being obtained through key negotiation with the server at the initial stage of the secure session.
8. A data transmission security protection system based on dynamic encapsulation and dynamic obfuscation, characterized in that, The system application uses the method described in any one of claims 1 to 7, wherein the system is deployed on a server side, specifically including: The request receiving and feature extraction module is used to receive client requests, parse the requests and extract features to generate multi-dimensional feature vectors; A dynamic control center is used to generate dynamic encapsulation instruction sets and dynamic obfuscation instruction sets based on the multi-dimensional feature vectors. The dynamic control center includes a risk assessment submodule, an encapsulation strategy decision engine, an obfuscation strategy decision engine, and a rule and algorithm knowledge base. The encapsulation strategy decision engine also integrates a strategy scheduler to support a time-driven mode for switching active encapsulation rule sets according to a preset period. The dynamic encapsulation processing module is used to dynamically encapsulate the executable code of the webpage according to the dynamic encapsulation instruction set, and generate the encapsulated code and client boot code. The dynamic obfuscation processing module is used to perform obfuscation transformation processing on business data based on the dynamic obfuscation instruction set and its associated dynamic key material, and generate obfuscated data and obfuscated metadata objects. The key generation and management module is used to dynamically generate and securely manage one-time key materials associated with the dynamic obfuscation instruction set according to requests; The response assembly module is used to assemble the encapsulated code, the client bootstrap code, the obfuscated data, and the obfuscated metadata object into an HTTP response, and send the HTTP response to the client; The monitoring and optimization module is used to monitor system operation, analyze security status, and dynamically optimize the strategy decision-making logic of the dynamic control center based on the analysis results.
9. An electronic device comprising a processor, a memory, and a computer program stored in the memory, characterized in that, When the processor executes the computer program, it implements the method as described in any one of claims 1 to 7.
10. A computer-readable storage medium having a computer program stored thereon, characterized in that, When the program is executed by the processor, it implements the method as described in any one of claims 1 to 7.