Self-learning attack blocking method and system, electronic device, storage medium

By employing a self-learning attack blocking method, the backend program automatically establishes a whitelist, identifies real IPs and request paths, dynamically adjusts thresholds, and generates lists of permitted and illegal request paths. This solves the problem of existing technologies being unable to cope with new types of network attacks, achieving efficient and low-cost attack blocking and protection.

CN122372277APending Publication Date: 2026-07-10CHINA UNITED NETWORK COMM GRP CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
CHINA UNITED NETWORK COMM GRP CO LTD
Filing Date
2026-04-16
Publication Date
2026-07-10

AI Technical Summary

Technical Problem

Existing backend program security protection relies on the server's basic security infrastructure, which is insufficient to cope with new types of network attacks, especially zero-day vulnerability attacks. Furthermore, traditional protection mechanisms cannot respond quickly to emerging attack methods and lack the ability to proactively block attacks at the source.

Method used

Through self-learning, the backend program automatically builds a whitelist, records the attacker's IP and request path, dynamically adjusts the threshold, identifies the real IP of the proxy pass-through, generates a list of permitted and illegal request paths, achieves precise blocking, and automatically updates the legitimate controller path in combination with the reflection mechanism, reducing the cost of system transformation.

Benefits of technology

It effectively avoids the attack risks brought by new vulnerabilities, reduces the cost of system transformation, achieves immediate blocking and all-round protection against emerging attacks, adapts to the mainstream service deployment of front-end and back-end separation, and reduces false interception and maintenance workload.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122372277A_ABST
    Figure CN122372277A_ABST
Patent Text Reader

Abstract

The present disclosure provides a self-learning attack blocking method and system, an electronic device, and a storage medium. The method comprises the following steps: in response to receiving a visit request through a backend program entrance, extracting a real IP address and a request path of the visit request from the visit request; querying whether the real IP address exists in a cache; determining the number of attacks corresponding to the real IP address, and judging whether the number of attacks corresponding to the real IP address exceeds a dynamic threshold; judging whether the request path exists in an illegal request path list; and automatically establishing a whitelist by the backend through a self-learning mode to filter invalid addresses, and recording the IP and request path of an attacker, so as to prevent secondary attacks. The self-learning attack blocking method of the present disclosure can not only effectively avoid the attack risk caused by newly added vulnerabilities, but also reduce the construction cost of system transformation.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This disclosure relates to the field of network security technology, and in particular to a self-learning attack blocking method and system, electronic device, computer-readable storage medium, and computer program product. Background Technology

[0002] In today's complex network environment, the security of backend programs is crucial. Currently, backend programs heavily rely on the security measures provided by servers for their security protection. As the platform on which backend programs run, servers are typically equipped with a series of basic security protection mechanisms.

[0003] Taking a common World Wide Web (WWAN) server as an example, its security measures include firewall settings. Firewalls can filter network traffic entering and leaving the server according to predefined rules, blocking malicious traffic that does not conform to the rules. For example, they can block connection requests from specific malicious Internet Protocol (IP) addresses or restrict access to certain dangerous ports. Simultaneously, the server also utilizes Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS). IDS is responsible for real-time monitoring of network traffic, and will issue an alert once it detects suspected attack behavior, such as abnormal port scanning patterns or a large number of malformed data packets. IPS goes further, not only detecting attacks but also proactively taking defensive measures, such as directly blocking the network connection of the attack source. Furthermore, the server will regularly update system patches to fix known software vulnerabilities, reducing the risk of attackers exploiting these vulnerabilities to compromise the system.

[0004] However, these server-dependent security measures have significant limitations and are ill-equipped to handle emerging cybersecurity attacks. For example, new zero-day vulnerability attacks exploit undiscovered and unpatched vulnerabilities in software systems. Because these vulnerabilities were not previously disclosed, traditional protection mechanisms based on known vulnerability characteristics, such as common vulnerability scanning tools and signature-based intrusion detection systems, are simply unable to identify and prevent such attacks.

[0005] In general, the security protection of current backend programs heavily relies on the server's own basic security infrastructure (such as firewalls, IDS / IPS, and system patch updates). These mechanisms mainly rely on known vulnerability signature databases or preset rules for passive defense. However, this signature-based protection model has inherent limitations: on the one hand, as business complexity increases, Web Application Firewall (WAF) policy configuration becomes increasingly complex and difficult to coordinate with business iterations, easily leading to false blocking of normal business access; on the other hand, current access restrictions are mainly restricted through blacklists and whitelists, but blacklists are at risk of being bypassed by proxies, and whitelists may affect normal business operations due to untimely updates. More importantly, this protection mechanism relies on fixed or periodically maintained signature databases to resist hacker attacks, making it unable to quickly respond to newly emerging attack methods. The response mechanism lags behind the updates to attack methods, and once an attack occurs, it often responds by disconnecting the host network, failing to proactively cut off the source of the attack and lacking the ability to proactively and accurately block attacks at the source. Summary of the Invention

[0006] This disclosure provides a self-learning attack blocking method and system, electronic device, computer-readable storage medium, and computer program product.

[0007] Firstly, this disclosure provides a self-learning attack blocking method, which includes: responding to an incoming request received at the backend program entry point, extracting the real IP address and request path of the incoming request from the request; querying the cache to see if the real IP address exists; if the real IP address exists in the cache, determining the number of attacks corresponding to the real IP address, and judging whether the number of attacks corresponding to the real IP address exceeds a dynamic threshold; if it exceeds, blocking the current incoming request, and accumulating the number of attacks corresponding to the real IP address in the cache; if the number of attacks does not exceed the dynamic threshold or the real IP address does not exist in the cache, judging whether the request path exists in the illegal request path list; if the request path exists in the illegal request path list, blocking the current incoming request; if the request path does not exist in the illegal request path list, judging whether the request path exists in the permission controller path list; if it does not exist, determining it as illegal access, blocking the current incoming request, and automatically appending the request path to the illegal request path list; if the request path exists in the permission controller path list, allowing the request to be processed by the corresponding controller. The permission controller path list is dynamically generated by the backend program automatically scanning all legitimate controller paths in the project through a reflection mechanism when it starts.

[0008] Optionally, the visitor's real IP address can be extracted from the request, including: extracting the real IP address passed through by the proxy based on the proxy information in the request header; or, directly obtaining the source IP address of the connection request as the real IP address.

[0009] Optionally, the self-learning attack blocking method also includes: setting an initial threshold. The total number of attacks suffered by all servers in the cluster is counted in real time, and the initial threshold is dynamically adjusted based on the total number of attacks suffered by all servers in the cluster to obtain a dynamic threshold.

[0010] Optionally, the dynamic threshold is negatively correlated with the total number of attacks suffered by all servers in the cluster.

[0011] Optionally, the self-learning attack blocking method also includes automatically appending the corresponding request path to the illegal request path list each time unauthorized access is blocked. The illegal request path list is initially empty or generated by loading illegal path records from the historical database during system initialization.

[0012] Optionally, the self-learning attack blocking method also includes: after determining that the access is unauthorized and blocking the current access request, triggering a preset warning notification and notifying the administrator through an instant messaging tool or voice SMS interface.

[0013] Optionally, the self-learning attack blocking method also includes: synchronizing the cached IP and attack count data as static variables when the backend program starts. When the number of alerts reaches the alert threshold, the attack count in the static variables is reset.

[0014] Optionally, the self-learning attack blocking method also includes: periodically synchronizing the cache and the list of illegal request paths to a public database so that other servers in the cluster can refresh their local cache from the public database at regular intervals.

[0015] Optionally, the self-learning attack blocking method also includes setting expiration dates for entries in the cache and entries in the illegal request path list, respectively. Based on an absolute expiration mechanism or a sliding expiration mechanism, entries that have reached their expiration date are automatically cleared from the local cache. The absolute expiration mechanism records a timestamp when an entry is created and automatically clears it after the preset expiration date. The sliding expiration mechanism resets the timestamp and extends the expiration date if an entry triggers an attack again within its validity period. After an entry in the cache of any server in the cluster expires, the status of the expired entry is synchronized to other servers in the cluster via a public database, enabling other servers to clear the expired entries.

[0016] Optionally, the self-learning attack blocking method also includes: after the backend program performs business iterations, adds or modifies controllers, automatically scans again via reflection when the program starts next time, and automatically adds the new path after the iteration to the permission controller path list.

[0017] Secondly, this disclosure provides a self-learning attack blocking system, which includes an identity recognition module, a detection module, and a self-learning attack blocking module. The identity recognition module receives incoming requests at the backend program entry point and extracts the visitor's real IP address and request path from the request. The detection module checks if a real IP address exists in the cache. If a real IP address exists in the cache, it determines the number of attacks corresponding to that real IP address and checks if the number of attacks exceeds a dynamic threshold. If it does, it blocks the current incoming request and increments the number of attacks corresponding to the real IP address in the cache. If the number of attacks does not exceed the dynamic threshold or the real IP address does not exist in the cache, it checks if the request path exists in the illegal request path list. The self-learning attack blocking module blocks the current incoming request if the request path exists in the illegal request path list. If the request path does not exist in the illegal request path list, it checks if the request path exists in the permission controller path list. If it does not exist, it is determined to be illegal access, the current incoming request is blocked, and the request path is automatically appended to the illegal request path list. If the request path exists in the permission controller path list, the request is allowed to proceed to the corresponding controller for processing. The list of permitted controller paths is dynamically generated when the backend program starts, automatically scanning all legal controller paths in the project using a reflection mechanism.

[0018] Thirdly, this disclosure provides an electronic device comprising: a plurality of processing cores; and an on-chip network configured to interact with data between the plurality of processing cores and external data; wherein one or more of the processing cores store one or more instructions, and the one or more instructions are executed by the one or more processing cores to enable the one or more processing cores to perform the aforementioned self-learning attack blocking method.

[0019] Fourthly, this disclosure provides a computer-readable storage medium having a computer program stored thereon, wherein the computer program, when executed by a processor, implements the aforementioned self-learning attack blocking method.

[0020] Fifthly, this disclosure provides a computer program product comprising computer-readable code, or a non-volatile computer-readable storage medium carrying computer-readable code, wherein when the computer-readable code is executed in a processor of an electronic device, the processor in the electronic device performs the aforementioned self-learning attack blocking method.

[0021] The embodiments provided in this disclosure utilize a self-learning approach to automatically build a whitelist on the backend to filter invalid addresses, while simultaneously recording the attacker's IP address and request path, thereby preventing secondary attacks. This self-learning attack blocking method not only effectively mitigates the attack risks posed by newly added vulnerabilities but also reduces the construction costs of system modifications.

[0022] It should be understood that the description in this section is not intended to identify key or essential features of the embodiments of this disclosure, nor is it intended to limit the scope of this disclosure. Other features of this disclosure will become readily apparent from the following description. Attached Figure Description

[0023] The accompanying drawings are provided to further illustrate the present disclosure and form part of the specification. They are used together with the embodiments of the present disclosure to explain the disclosure and do not constitute a limitation thereof. The above and other features and advantages will become more apparent to those skilled in the art from the detailed description of exemplary embodiments with reference to the accompanying drawings, in which: Figure 1 A flowchart illustrating a self-learning attack blocking method provided in this embodiment of the disclosure; Figure 2 A flowchart of another self-learning attack blocking method provided in an embodiment of this disclosure; Figure 3 A flowchart illustrating yet another self-learning attack blocking method provided in this disclosure embodiment; Figure 4 A flowchart illustrating yet another self-learning attack blocking method provided in this disclosure embodiment; Figure 5 A flowchart illustrating a self-learning attack blocking method provided as an example of an embodiment of this disclosure; Figure 6 A block diagram of a self-learning attack blocking system provided in an embodiment of this disclosure; Figure 7 This is a block diagram of an electronic device provided in an embodiment of the present disclosure. Detailed Implementation

[0024] To enable those skilled in the art to better understand the technical solutions of this disclosure, exemplary embodiments of this disclosure are described below with reference to the accompanying drawings, including various details of the embodiments of this disclosure to aid understanding. These should be considered merely exemplary. Therefore, those skilled in the art should recognize that various changes and modifications can be made to the embodiments described herein without departing from the scope and spirit of this disclosure. Similarly, for clarity and conciseness, descriptions of well-known functions and structures are omitted in the following description.

[0025] Where there is no conflict, the various embodiments of this disclosure and the features thereof in the embodiments may be combined with each other.

[0026] As used herein, the term “and / or” includes any and all combinations of one or more related enumerated entries.

[0027] The terminology used herein is for the purpose of describing particular embodiments only and is not intended to limit this disclosure. As used herein, the singular forms “a” and “the” are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will also be understood that when the terms “comprising” and / or “made of” are used in this specification, the presence of the stated feature, integral, step, operation, element, and / or component is specified, but the presence or addition of one or more other features, integrals, steps, operations, elements, components, and / or groups thereof is not excluded. Words such as “connected” or “linked” are not limited to physical or mechanical connections but can include electrical connections, whether direct or indirect.

[0028] Unless otherwise specified, all terms used herein (including technical and scientific terms) have the same meaning as commonly understood by one of ordinary skill in the art. It will also be understood that terms such as those defined in commonly used dictionaries should be interpreted as having a meaning consistent with their meaning in the context of the relevant art and this disclosure, and will not be interpreted as having an idealized or overly formal meaning, unless expressly so defined herein.

[0029] According to the self-learning attack blocking method of this disclosure, the backend automatically establishes a whitelist to filter invalid addresses through self-learning, while simultaneously recording the attacker's IP address and request path, thereby preventing secondary attacks. The self-learning attack blocking method of this disclosure not only effectively avoids the attack risks brought by newly added vulnerabilities, but also reduces the construction costs of system modification.

[0030] The self-learning attack blocking method according to embodiments of this disclosure can be executed by electronic devices such as terminal devices or servers. Terminal devices can be in-vehicle devices, user equipment (UE), mobile devices, user terminals, terminals, cellular phones, cordless phones, personal digital assistants (PDAs), handheld devices, computing devices, wearable devices, etc. The method can be implemented by a processor calling computer-readable program instructions stored in memory. Alternatively, the method can be executed by a server.

[0031] Embodiments of this disclosure provide a self-learning attack blocking method, such as... Figure 1 As shown, the method includes steps 101 to 103.

[0032] Step 101: In response to the backend program entry point receiving the access request, extract the real IP address and request path of the access request from the access request.

[0033] In some embodiments, the method for extracting the visitor's real IP address from the request includes: extracting the real IP address passed through by the proxy based on the proxy information in the request header; or, directly obtaining the source IP address of the connection request as the real IP address.

[0034] Understandably, in step 101, after the visitor initiates a request and the backend program receives the request, the pre-detection module with the embedded filter extracts the visitor's real IP and request path. The real IP is extracted based on the proxy information in the request header, either by the real IP passed through the proxy or by directly connecting to the real request IP.

[0035] In related technologies, some blocking methods involve configuring IP blocking modules within the firewall. This standalone deployment method requires additional hardware costs and only blocks based on the client's address. The implicit requirement is that the firewall must be deployed at the outermost egress point, which is no longer suitable for the current deployment of mainstream web services with front-end and back-end separation. Furthermore, obtaining the client's real IP address means that each sub-service needs to be deployed; otherwise, incorrect blocking of web proxy addresses (such as the common scenario where nginx uses a forward proxy to access the backend to resolve cross-domain issues) could lead to complete access interruption. Setting up a server whitelist, on the other hand, would allow hidden attacks to pass through. Compared to this approach in related technologies, the embodiments disclosed in this disclosure identify the real IP address passed through by the proxy, rather than targeting the proxy server's IP address. The advantages are: 1.1 Reduced deployment costs: No additional hardware purchase is required, and there is no need to deploy the IP blocking module separately on the firewall. This saves on the costs of dedicated hardware and deployment and debugging, and it can be implemented simply by adapting to the existing server architecture.

[0036] 1.2 Adapted to mainstream deployment scenarios: It perfectly matches the current deployment status of web services with front-end and back-end separation, eliminating the need to repeatedly deploy related modules in front of each sub-service, thus reducing system redundancy.

[0037] 1.3 Avoid the risk of false blocking: It will not mistakenly block the addresses of forward proxies such as nginx, preventing the interruption of all legitimate access due to the blocking of proxy addresses and ensuring business continuity.

[0038] 1.4 Precisely Block Hidden Attacks: Without relying on server whitelists, it directly penetrates proxies to identify the attacker's real IP, preventing hidden attacks covered by whitelists from being missed and improving the accuracy of protection.

[0039] 1.5 Reduced maintenance workload: No need to frequently adjust protection rules for proxy servers, reducing manual configuration costs and adapting to changes in the proxy architecture during business iterations.

[0040] Step 102: Check if a real IP address exists in the cache. If a real IP address exists in the cache, determine the number of attacks corresponding to that real IP address and check if the number of attacks exceeds a dynamic threshold. If it does, block the current incoming request and increment the number of attacks corresponding to the real IP address in the cache. If the number of attacks does not exceed the dynamic threshold or the real IP address does not exist in the cache, check if the request path exists in the list of illegal request paths.

[0041] In some embodiments, such as Figure 2 As shown, the self-learning attack blocking method provided in the embodiments of this disclosure further includes steps 201 to 202.

[0042] Step 201: Set the initial threshold.

[0043] Step 202: Count the total number of attacks suffered by all servers in the cluster in real time, and dynamically adjust the initial threshold based on the total number of attacks suffered by all servers in the cluster to obtain a dynamic threshold.

[0044] In some embodiments, the dynamic threshold is negatively correlated with the total number of attacks suffered by all servers in the cluster.

[0045] Understandably, the initial threshold is set manually, and the dynamic threshold is the same as the initial threshold during the first query.

[0046] For example, the threshold can be linearly reduced as needed based on the total number of attacks suffered by the server to counter attacks launched by attackers from different servers. This mechanism can effectively deal with distributed attacks launched by attackers from a large number of different servers (such as botnets or proxy pools), so that even if the number of attacks from each attack source is not high, the threshold will automatically decrease due to the surge in the total number of attacks, thereby promptly identifying and blocking distributed attacks.

[0047] Step 103: If the request path exists in the illegal request path list, block the current incoming request. If the request path does not exist in the illegal request path list, check if the request path exists in the permission controller path list. If it does not exist, it is considered illegal access, the current incoming request is blocked, and the request path is automatically appended to the illegal request path list. If the request path exists in the permission controller path list, allow the request to be processed by the corresponding controller.

[0048] In step 103, the list of permitted controller paths is dynamically generated by the backend program when it starts up by automatically scanning all legal controller paths in the project using a reflection mechanism.

[0049] Understandingly, the permission controller path list is equivalent to a whitelist. This list is automatically created when the backend application starts and can be dynamically updated during business iterations without requiring manual creation. Specifically, during application startup, the backend, through configuration of autoloading classes, triggers a reflection mechanism to scan all permitted controllers within the project (i.e., relative paths to web pages that the business allows access to). The scan results directly form the initial controller path list.

[0050] In some embodiments, the self-learning attack blocking method provided by the present disclosure further includes: after the backend program performs business iteration, adds or modifies the controller, automatically scans again by reflection when the program starts next time, and automatically adds the new path after iteration to the license controller path list.

[0051] Understandably, during the business iteration phase, when the project undergoes version updates, or when controllers are added or modified, the autoloaded classes will rescan using reflection principles the next time the program starts, automatically adding the new paths after the iteration to the list without requiring manual maintenance of the rules.

[0052] Understandably, the core technology supporting the licensed controller list relies on the principle of reflection to achieve non-intrusive scanning. It can accurately identify all legitimate controller paths without modifying the original business code, ensuring the integrity and timeliness of the list.

[0053] Understandably, the creation and updating of the permission controller path list does not require manual maintenance of permission path rules. After business iteration (adding / modifying controllers), the system will automatically scan and update upon the next program startup, avoiding rule lag. Reflective scanning achieves "non-intrusive" automatic synchronization without modifying existing business code, ensuring update efficiency.

[0054] In some embodiments, the self-learning attack blocking method provided by the present disclosure further includes: automatically appending the corresponding request path to the illegal request path list each time illegal access is blocked. The illegal request path list is initially empty or generated by loading illegal path records from a historical database during system initialization.

[0055] Understandably, the illegal request path list is equivalent to a blacklist, a self-learning dynamic list that is initially empty or loads illegal path records from the historical database during system initialization. It first records attack paths generated and used by the attacking IP during the attack process; these paths contain many unknown or unpredicted potential paths from internal application components. Then, embodiments of this disclosure automatically append these attack paths to the illegal path list. For scenarios where attackers use a large number of botnets for repetitive attacks, it further blocks all IPs from accessing paths in this list within the attack threshold range, ultimately achieving immediate blocking of newly emerging attack behaviors.

[0056] Understandably, when a request path is detected as not being in the permission controller list, in addition to blocking the request, the path will be directly added to the illegal request path cache list, so that the next similar request can be directly blocked. For new attack paths, it can be detected once and blocked twice.

[0057] In some embodiments, the self-learning attack blocking method provided by the present disclosure further includes: after determining that an access is illegal and blocking the current access request, triggering a preset warning notification and notifying the administrator through an instant messaging tool or voice SMS interface.

[0058] Understandably, when an IP address is in the cache and exceeds a dynamic threshold, the request is blocked, the cached IP address and attack count are incremented, and the alert module is invoked as needed. This alert can then be used to notify administrators via instant messaging software such as DingTalk or WeChat, or, depending on the urgency, via a voice / SMS interface. Through these alerts, security administrators can anticipate attack risks and take subsequent remedial measures, effectively buying time for vulnerability patching.

[0059] In some embodiments, such as Figure 3 As shown, the self-learning attack blocking method provided in the embodiments of this disclosure further includes steps 301 and 302.

[0060] Step 301: When the backend program starts, synchronize the cached IP and attack count data as static variables.

[0061] Step 302: When the number of warnings reaches the warning threshold, reset the number of attacks in the static variables.

[0062] Understandably, the warning threshold can be preset manually. When the number of warnings reaches the threshold, the attack count in the static variable can be reset to 0. When the backend program starts, the cached IP attack count data is synchronized to the static variable to control the warning frequency. When the number of warnings reaches the dynamic threshold and triggers a warning, the system automatically resets the attack count in the static variable, ensuring that the same attack source will not trigger warnings repeatedly in the short term. This mechanism prevents the warning interface from being blocked by massive requests under high-frequency attacks while ensuring that the cache-based real-time blocking function remains unaffected, achieving the technical effect of separating precise warning rate limiting from core protection.

[0063] In some embodiments, the self-learning attack blocking method provided by the present disclosure further includes: periodically synchronizing the cache and the list of illegal request paths to a public database, so that other servers in the cluster can refresh their local cache from the public database periodically.

[0064] Understandably, cached data is periodically written to a public database, and all servers in the cluster refresh their caches regularly to ensure that newly identified illegal paths are quickly synchronized, thus avoiding single points of lag.

[0065] In some embodiments, such as Figure 4 As shown, the self-learning attack blocking method provided in the embodiments of this disclosure further includes steps 401 to 403.

[0066] Step 401: Set expiration dates for entries in the cache and entries in the illegal request path list, respectively.

[0067] Step 402: Based on an absolute expiration mechanism or a sliding expiration mechanism, automatically clear entries that have reached their expiration date from the local cache.

[0068] In step 402, the absolute expiration mechanism is as follows: when an entry is created, a timestamp is recorded, and it is automatically deleted after the preset validity period. The sliding expiration mechanism is as follows: if an entry triggers an attack again within its validity period, the timestamp of the entry is reset and the validity period is extended.

[0069] Step 403: After an entry in the cache of any server in the cluster expires, the status of the expired entry is synchronized to other servers in the cluster through the public database so that the other servers can clear the expired entry.

[0070] Understandably, the self-learning attack blocking method provided in the embodiments of this disclosure does not require modification of the original business processing logic. The backend uses slice writing filters, and through reflection and automatic configuration loading mode, it reads the initial IP and attack count, illegal request paths from the database, and automatically establishes a path whitelist. During an attack, the application automatically appends the IP and path to the cache and writes it to the database periodically to prevent illegal path attacks from newly emerging vulnerabilities. It can also prevent attacks launched by attackers from different hosts based on the request path, and can share data with different servers through shared database data and periodic cache refresh, achieving a cluster collective immunity effect, ensuring system security and saving investment.

[0071] Understandably, in the self-learning attack blocking method provided in the embodiments of this disclosure, the IP addresses, attack counts, and illegal request lists used are based on caching technology. By configuring a certain period of validity, the list can be automatically cleared after the attack stops for a period of time, so that the victim acting as the attack proxy server can resume access without manual intervention.

[0072] Regarding the classification and independent configuration of cached objects, independent cache instances are created for two core data types: "IP + attack count" combined data and illegal request path list. The validity period can be configured separately (e.g., IP attack cache is set to 24 hours and illegal path cache is set to 72 hours) to adapt to the cleanup needs of different attack scenarios.

[0073] Real-time synchronization of cached data with the database: When an attack occurs, data is first written to the cache to ensure detection efficiency. At the same time, the cached data is synchronized to the public database through scheduled tasks (such as every 5 minutes) to ensure data consistency of the cluster servers. When the cache expires, only the local cached data is cleared, while the database historical records are retained for traceability analysis.

[0074] Regarding time validity configuration, two flexible configuration modes are supported: one is to preset a fixed validity period through a configuration file (e.g., ip_cache_expire: 86400, unit: seconds); the other is to dynamically adjust it through the backend management interface, which takes effect without restarting the service. For high-frequency attack scenarios, a "dynamically shortened validity period" rule is supported: when the server suffers a continuous attack, the corresponding cache validity period can be automatically shortened by 50% (e.g., from 24 hours to 12 hours) to accelerate the cleanup of temporary attack sources; the default validity period is automatically restored after the attack stops.

[0075] There are three automatic cleanup trigger mechanisms: Absolute expiration trigger: When cached data is created, a timestamp is recorded. After the configured validity period is reached, the system automatically performs a clearing operation, deleting the corresponding IP attack record or illegal path entry.

[0076] Sliding expiration optimization: For the "IP + attack count" cache, if an IP does not launch another attack within the validity period, it will be automatically cleared upon expiration. If a new attack occurs during the period, the timestamp will be reset and the validity period will be extended to avoid accidentally clearing active attack sources.

[0077] Cluster cache collaborative clearing: When cached data on a server in the cluster expires, it is synchronized to other servers through database shared state to ensure that all nodes clear the entry at the same time, avoiding inconsistent protection caused by single-point cache residue.

[0078] For example, the logic for restoring access for a victim of a proxy server is as follows: the IP of the victim's server (the legitimate server used as a proxy by the attacker) has never been blocked, and the cache only records the "real IP + number of attacks" and "illegal request path" when the attacker launched the attack through this proxy. When the attack stops, if the cache expires and is automatically cleared, subsequent legitimate requests forwarded by the proxy server (from non-attacking real IPs and non-illegal paths) will go through the normal detection process again. Since there is no matching attack cache record, they are directly allowed, allowing the victim to restore normal access without manually applying for unblocking. As a fallback for special scenarios: if the cache has not expired but it is confirmed to be a misjudgment of the victim, a single cache entry can be manually triggered for clearing through the backend management interface (without affecting other cached data), further improving flexibility.

[0079] Understandably, the additional advantages of cache clearing include: preventing cache bloat, reducing server memory usage by automatic clearing mechanisms, ensuring query efficiency of the detection module, and eliminating the need for manual, periodic cache cleanup. It also reduces operational costs, as it eliminates the need for maintenance personnel to monitor attack status or manually unblock IPs or paths, completing the process fully automatically and adapting to unattended scenarios. Furthermore, the cache can be periodically written to a public database for updates from different servers in the cluster, thus achieving cluster immunity against attacks.

[0080] The self-learning attack blocking method provided in this disclosure firstly identifies the real IP address transmitted through the proxy, accurately locating the true source of the attack regardless of how many proxy servers or botnets the attacker uses, avoiding omissions due to IP spoofing. Secondly, instead of relying on preset known attack paths, it records all paths generated by the attacking IP during the attack through self-learning, including unknown and unpredicted potential paths of application internal components, and automatically adds them to the illegal list, blocking all possible vulnerabilities at the attack entry point. The IP address identifies who is attacking, and the potential path covers the attack source; the combination of these two methods prevents both multiple attacks from a single IP and attacks launched by different IPs (such as botnet clusters) through the same potential path, achieving comprehensive protection.

[0081] Furthermore, the self-learning attack blocking method provided in the embodiments of this disclosure eliminates the need for manual maintenance of the path list. When an attack occurs, new potential paths are automatically captured and added to the illegal list, continuously covering newly emerging attack entry points. The cached IP attack records and illegal path lists are periodically written to a public database, and all servers within the cluster are synchronously updated to avoid single-point protection omissions. Upon backend startup, all legitimate controller paths are scanned using reflection technology to determine the accessible range. Paths outside this range (including potential attack paths) are blocked, further reducing protection blind spots. In short, IP addresses are responsible for accurately locating attackers, potential paths are responsible for blocking all possible attack entry points, and with dynamic updates and cluster synchronization, a comprehensive protection effect can be achieved when dealing with newly emerging attack paths.

[0082] In summary, the self-learning attack blocking method provided by the embodiments of this disclosure provides two-dimensional prevention and control by locking the source of the attacking IP and covering all potential attack paths. Combined with self-learning and dynamic synchronization mechanisms, it can deal with newly emerging attack paths and has the effect of immediate blocking and comprehensive protection.

[0083] The following example illustrates a self-learning attack blocking method provided by an embodiment of this disclosure. Figure 5 As shown, the method includes: 1. The visitor initiates a request ( Figure 5 (1) After the backend program receives the request, the pre-detection module with the embedded filter extracts the visitor's real IP and request path. Figure 5 (2), where the real IP is extracted based on the proxy information in the request header (the real IP of the proxy pass-through). Figure 5 (3) or directly connect to the real requesting IP ( Figure 5 3).

[0084] 2. The detection module queries the cached IP addresses and attack counts. Figure 5 (6) Whether the real requesting IP is in the cache and whether the number of attacks exceeds the set threshold. Figure 5 (5) The threshold can be linearly reduced as needed based on the total number of attacks the server suffers, in order to deal with attacks launched by attackers from different servers.

[0085] 3. If the value is in the cache and exceeds the threshold, then the request will be blocked and terminated. Figure 5 7), accumulated IP and attack count cache ( Figure 5 (6 and 9), and call the early warning module as needed ( Figure 5 (8) The system can call DingTalk, WeChat, or other IM notification services to notify administrators, or, depending on the urgency, call the voice SMS interface for notification. Additionally, to prevent dense attacks from blocking the warning interface, the program can synchronize the IP address and the number of attacks at startup. Figure 5(6) once, forming a static variable ( Figure 5 (9) Based on the warning threshold, the attack count is reset after each warning. Figure 5 (9th grade)

[0086] 4. If the path is not in the cache or has not exceeded the threshold, check if the request path is in the illegal path list. Figure 5 10), query the cache for a list of illegal request paths (cache) Figure 5 (11), using the request path extracted from point 1 ( Figure 5 2) Determine the request path.

[0087] 5. When the requested path is in the cache, similar to point 3 above, block the request. Figure 5 7), accumulated IP and attack count cache ( Figure 5 (6 and 9), and call the early warning module as needed ( Figure 5 (8).

[0088] 6. When the request path is not in the cache, check if the request path is in the controller path list. Figure 5 (12) When the backend program starts, it automatically scans all permitted controllers (relative paths to web pages) in the project by configuring auto-loading classes and using reflection. The path after each iteration is automatically added without the need for additional rule maintenance, resulting in better timeliness.

[0089] The controller path list is automatically created when the backend application starts, and it also supports dynamic updates during business iterations without the need for manual creation.

[0090] 6.1 Program startup phase: The backend triggers a reflection mechanism to scan all "permitted controllers" (i.e., relative paths of web pages that the business allows to access) within the project by configuring automatic class loading. The scan results directly form the initial controller path list.

[0091] 6.2 Business Iteration Phase: When the project undergoes a version update, or when controllers are added or modified, the autoloaded classes will rescan the list using reflection the next time the program starts, automatically adding the new paths after the iteration to the list without the need for manual rule maintenance.

[0092] 6.3 Core Technology Support: Relying on the principle of reflection to achieve non-intrusive scanning, it can accurately identify all legal controller paths without modifying the original business code, ensuring the integrity and timeliness of the list.

[0093] 7. When the request path is not in the controller path list, similar to point 3, block the request. Figure 5 7), accumulated IP and attack count cache ( Figure 5(6 and 9), and call the early warning module as needed ( Figure 5 (8), and at the same time append this path to the cache list ( Figure 5 (11).

[0094] When a request path is detected as not being in the list of all permitted controllers, the path is added to the illegal request path cache list for path detection from non-blocked IPs on the next request, thus effectively preventing attackers from launching attacks using proxy servers.

[0095] 8. When the requested path is in the controller path list, call the original controller ( Figure 5 (13) The process ends ( Figure 5 7).

[0096] 9. Without modifying the original business processing logic, the backend uses slice-based write filters. Through reflection and automatic configuration loading modes, it reads the initial IP and attack counts, illegal request paths, and automatically creates a path whitelist from the database. During an attack, the application automatically appends the IP and path to the cache and writes it to the database periodically to prevent illegal path attacks from newly emerging vulnerabilities. It can also prevent attacks launched from different hosts based on the request path. Furthermore, it can share data with different servers through shared database data and periodic cache refreshes to achieve a cluster collective immunity effect, ensuring system security and saving investment.

[0097] The IP addresses, attack counts, and illegal request list used in this example are based on caching technology. By configuring a certain period of validity, the list can be automatically cleared after an attack stops for a period of time, allowing the victim acting as the attack proxy server to resume access without manual intervention. Specific implementation methods include: 9.1 Cached object classification and independent configuration: For two core data types, namely "IP + attack count" combined data and illegal request path list, separate cache instances are created, and the validity period can be configured separately (e.g., IP attack cache is set to 24 hours and illegal path cache is set to 72 hours) to adapt to the cleanup needs of different attack scenarios.

[0098] Real-time synchronization of cached data with the database: When an attack occurs, data is first written to the cache to ensure detection efficiency. At the same time, the cached data is synchronized to the public database through scheduled tasks (such as every 5 minutes) to ensure data consistency of the cluster servers. When the cache expires, only the local cached data is cleared, while the database historical records are retained for traceability analysis.

[0099] 9.2 Time validity configuration method: It supports two flexible configuration modes: one is to preset a fixed expiration period through the configuration file (e.g., ip_cache_expire: 86400, unit: seconds), and the other is to dynamically adjust it through the backend management interface, which takes effect without restarting the service.

[0100] For high-frequency attack scenarios, the "dynamically shortened validity period" rule is supported: when the server is under continuous attack, the validity period of the corresponding cache can be automatically shortened by 50% (e.g., from 24 hours to 12 hours) to speed up the cleanup of temporary attack sources; the default validity period is automatically restored after the attack stops.

[0101] 9.3 Automatic Clearing Trigger Mechanism: Absolute expiration trigger: When cached data is created, a timestamp is recorded. After the configured validity period is reached, the system automatically performs a clearing operation, deleting the corresponding IP attack record or illegal path entry.

[0102] Sliding expiration optimization: For the "IP + attack count" cache, if an IP does not launch another attack within the validity period, it will be automatically cleared upon expiration; if a new attack occurs during the period, the timestamp will be reset and the validity period will be extended to avoid accidentally clearing active attack sources.

[0103] Cluster cache collaborative clearing: When cached data on a server in the cluster expires, it is synchronized to other servers through database shared state to ensure that all nodes clear the entry at the same time, avoiding inconsistent protection caused by single-point cache residue.

[0104] 9.4 Logic for restoring access to a proxy server victim: The victim's server (the legitimate server used as a proxy by the attacker) was never blocked. The cache only recorded the attacker's "real IP + number of attacks" and "illegal request path" when launching attacks through the proxy.

[0105] Once the attack stops, if the cache expires and is automatically cleared, subsequent legitimate requests forwarded by the proxy server (from non-attacking real IPs and non-illegal paths) will go through the normal detection process again. Since there is no matching attack cache record, they will be allowed directly, allowing victims to restore normal access without having to manually apply for unblocking.

[0106] Special scenario fallback: If the cache has not expired but it is confirmed to be a victim of misjudgment, a single cache entry can be manually cleared through the backend management interface (without affecting other cached data), further improving flexibility.

[0107] Additional advantages of 9.5 cache clearing: Avoid cache bloat: The automatic clearing mechanism reduces the server memory occupied by invalid cache, ensures the query efficiency of the detection module, and eliminates the need for manual cache clearing on a regular basis.

[0108] Reduce operation and maintenance costs: No operation and maintenance personnel are required to monitor the attack status or manually unblock IPs or paths. The process is fully automated and suitable for unattended scenarios.

[0109] In addition, the cache can be periodically written to a public database for different servers in the cluster to collect and update, thereby achieving cluster immunity to attacks.

[0110] This example employs a self-learning approach. It records the attack paths generated and used by the attacking IP during an attack, including many unknown or unpredictable potential paths to internal application components. These paths are then automatically added to an illegal path list, blocking all IPs from accessing this list within the attack threshold range (specifically, for attackers using a large number of botnets in a loop attack). This achieves immediate blocking of new attack behaviors. In other words, the example first records the attack paths generated and used by the attacking IP during the attack process. These paths contain many unknown or unpredictable potential paths to internal application components. Then, this example automatically adds these attack paths to an illegal path list. For scenarios where attackers use a large number of botnets in a loop attack, it further blocks all IPs from accessing paths in this list within the attack threshold range, ultimately achieving immediate blocking of new attack behaviors.

[0111] It is understood that the various method embodiments mentioned above in this disclosure can be combined with each other to form combined embodiments without violating the principle and logic. Due to space limitations, this disclosure will not elaborate further. Those skilled in the art will understand that in the above methods of specific implementation, the specific execution order of each step should be determined by its function and possible internal logic.

[0112] In addition, this disclosure also provides a self-learning attack blocking system, electronic device, and computer-readable storage medium, all of which can be used to implement any of the self-learning attack blocking methods provided in this disclosure. The corresponding technical solutions and descriptions are described in the relevant section of the method and will not be repeated here.

[0113] Figure 6 This is a block diagram of a self-learning attack blocking system provided in an embodiment of the present disclosure.

[0114] Reference Figure 6 This disclosure provides a self-learning attack blocking system 600, which includes an identity recognition module 601, a detection module 602, and a self-learning attack blocking module 603.

[0115] The identity recognition module 601 is used to: receive incoming requests at the backend program entry point and extract the visitor's real IP address and request path from the request.

[0116] The detection module 602 is used to: query whether a real IP address exists in the cache. If a real IP address exists in the cache, the number of attacks corresponding to the real IP address is determined, and it is judged whether the number of attacks corresponding to the real IP address exceeds a dynamic threshold. If it exceeds the threshold, the current incoming request is blocked, and the number of attacks corresponding to the real IP address is added to the cache. If the number of attacks does not exceed the dynamic threshold or a real IP address does not exist in the cache, it is judged whether the request path exists in the list of illegal request paths.

[0117] The self-learning attack blocking module 603 is used to: block the current incoming request if the request path exists in the illegal request path list; if the request path does not exist in the illegal request path list, check if the request path exists in the permission controller path list; if it does not exist, it is considered illegal access, the current incoming request is blocked, and the request path is automatically appended to the illegal request path list; if the request path exists in the permission controller path list, the request is allowed and processed by the corresponding controller. The permission controller path list is dynamically generated by the backend program when it starts up, automatically scanning all legal controller paths in the project using reflection.

[0118] Figure 7 This is a block diagram of an electronic device provided in an embodiment of the present disclosure.

[0119] Reference Figure 7 This disclosure provides an electronic device comprising: at least one processor 701; at least one memory 702; and one or more I / O interfaces 703 connected between the processor 701 and the memory 702; wherein the memory 702 stores one or more computer programs executable by the at least one processor 701, the one or more computer programs being executed by the at least one processor 701 to enable the at least one processor 701 to execute the aforementioned self-learning attack blocking method.

[0120] This disclosure also provides a computer-readable storage medium storing a computer program thereon, wherein the computer program, when executed by a processor, implements the aforementioned self-learning attack blocking method. The computer-readable storage medium may be volatile or non-volatile.

[0121] This disclosure also provides a computer program product, including computer-readable code, or a non-volatile computer-readable storage medium carrying computer-readable code, wherein when the computer-readable code is run in a processor of an electronic device, the processor in the electronic device executes the above-described self-learning attack blocking method.

[0122] Those skilled in the art will understand that all or some of the steps, systems, and functional modules / units within the methods disclosed above can be implemented as software, firmware, hardware, or suitable combinations thereof. In hardware implementations, the division between functional modules / units mentioned above does not necessarily correspond to the division of physical components; for example, a physical component may have multiple functions, or a function or step may be performed collaboratively by several physical components. Some or all physical components may be implemented as software executed by a processor, such as a central processing unit, digital signal processor, or microprocessor, or as hardware, or as an integrated circuit, such as an application-specific integrated circuit (ASIC). Such software may be distributed on a computer-readable storage medium, which may include computer storage media (or non-transitory media) and communication media (or transient media).

[0123] As is known to those skilled in the art, the term computer storage medium includes volatile and non-volatile, removable and non-removable media implemented in any method or technology for storing information, such as computer-readable program instructions, data structures, program modules, or other data. Computer storage media includes, but is not limited to, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM), static random access memory (SRAM), flash memory or other memory technologies, portable compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical disc storage, magnetic cartridges, magnetic tape, disk storage or other magnetic storage and systems, or any other medium that can be used to store desired information and is accessible to a computer. Furthermore, it is known to those skilled in the art that communication media typically contain computer-readable program instructions, data structures, program modules, or other data in modulated data signals such as carrier waves or other transmission mechanisms, and may include any information delivery medium.

[0124] The computer-readable program instructions described herein can be downloaded from computer-readable storage media to various computing / processing devices, or downloaded via a network, such as the Internet, local area network, wide area network, and / or wireless network, to an external computer or external storage device. The network may include copper transmission cables, fiber optic transmission, wireless transmission, routers, firewalls, switches, gateway computers, and / or edge servers. A network adapter card or network interface in each computing / processing device receives the computer-readable program instructions from the network and forwards them to the computer-readable storage media in the respective computing / processing device.

[0125] Computer program instructions used to perform the operations of this disclosure may be assembly instructions, instruction set architecture (ISA) instructions, machine instructions, machine-dependent instructions, microcode, firmware instructions, status setting data, or source code or object code written in any combination of one or more programming languages, including object-oriented programming languages ​​such as Smalltalk, C++, etc., and conventional procedural programming languages ​​such as the "C" language or similar programming languages. The computer-readable program instructions may execute entirely on the user's computer, partially on the user's computer, as a standalone software package, partially on the user's computer and partially on a remote computer, or entirely on a remote computer or server. In cases involving a remote computer, the remote computer may be connected to the user's computer via any type of network—including a local area network (LAN) or a wide area network (WAN)—or may be connected to an external computer (e.g., via the Internet using an Internet service provider). In some embodiments, electronic circuitry, such as programmable logic circuitry, field-programmable gate arrays (FPGAs), or programmable logic arrays (PLAs), is personalized by utilizing the status information of the computer-readable program instructions to implement various aspects of this disclosure.

[0126] The computer program product described herein can be implemented specifically through hardware, software, or a combination thereof. In one alternative embodiment, the computer program product is specifically embodied in a computer storage medium; in another alternative embodiment, the computer program product is specifically embodied in a software product, such as a software development kit (SDK), etc.

[0127] Various aspects of this disclosure are described herein with reference to flowchart illustrations and / or block diagrams of methods, systems (systems), and computer program products according to embodiments of this disclosure. It should be understood that each block of the flowchart illustrations and / or block diagrams, and combinations of blocks in the flowchart illustrations and / or block diagrams, can be implemented by computer-readable program instructions.

[0128] These computer-readable program instructions can be provided to a processor of a general-purpose computer, a special-purpose computer, or other programmable data processing and systems to produce a machine such that, when executed by the processor of the computer or other programmable data processing and systems, they create a system that implements the functions / actions specified in one or more blocks of a flowchart and / or block diagram. These computer-readable program instructions can also be stored in a computer-readable storage medium that causes a computer, programmable data processing and systems, and / or other devices to function in a particular manner. Thus, the computer-readable medium storing the instructions comprises an article of manufacture that includes instructions for implementing aspects of the functions / actions specified in one or more blocks of a flowchart and / or block diagram.

[0129] Computer-readable program instructions may also be loaded onto a computer, other programmable data processing and system, or other device to cause a series of operational steps to be performed on the computer, other programmable data processing and system, or other device to produce a computer-implemented process, thereby causing the instructions executed on the computer, other programmable data processing and system, or other device to perform the functions / actions specified in one or more boxes of a flowchart and / or block diagram.

[0130] The flowcharts and block diagrams in the accompanying drawings illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of the present disclosure. In this regard, each block in a flowchart or block diagram may represent a module, segment, or portion of an instruction containing one or more executable instructions for implementing a specified logical function. In some alternative implementations, the functions marked in the blocks may occur in a different order than those shown in the drawings. For example, two consecutive blocks may actually be executed substantially in parallel, and they may sometimes be executed in reverse order, depending on the functions involved. It should also be noted that each block in the block diagrams and / or flowcharts, and combinations of blocks in the block diagrams and / or flowcharts, may be implemented using a dedicated hardware-based system that performs the specified function or action, or using a combination of dedicated hardware and computer instructions.

[0131] Example embodiments have been disclosed herein, and while specific terminology has been used, it is for illustrative purposes only and should be construed as such, and is not intended to be limiting. In some instances, it will be apparent to those skilled in the art that features, characteristics, and / or elements described in connection with particular embodiments may be used alone, or in combination with features, characteristics, and / or elements described in connection with other embodiments, unless otherwise expressly indicated. Therefore, those skilled in the art will understand that various changes in form and detail may be made without departing from the scope of this disclosure as set forth by the appended claims.

Claims

1. A self-learning attack blocking method, characterized in that, include: In response to receiving an incoming access request at the backend program entry point, the real IP address and request path of the incoming access request are extracted from the access request. Check if the real IP address exists in the cache; If the real IP address exists in the cache, then determine the number of attacks corresponding to the real IP address and determine whether the number of attacks corresponding to the real IP address exceeds the dynamic threshold. If the number of attacks exceeds the limit, the current incoming request will be blocked, and the attack count corresponding to the real IP address will be added to the cache. If the number of attacks does not exceed the dynamic threshold or the real IP address is not present in the cache, then it is determined whether the request path exists in the list of illegal request paths. If the request path exists in the list of illegal request paths, the current access request is blocked; if the request path does not exist in the list of illegal request paths, it is determined whether the request path exists in the permission controller path list. If it does not exist, it is determined to be an illegal access, the current access request is blocked, and the request path is automatically appended to the list of illegal request paths. If the request path exists in the permission controller path list, the request is allowed to be processed by the corresponding controller. The permission controller path list is dynamically generated by the backend program when it starts up by automatically scanning all legal controller paths in the project through reflection.

2. The self-learning attack blocking method according to claim 1, characterized in that, Extracting the visitor's real IP address from the request includes: Extract the real IP address passed through by the proxy based on the proxy information in the request header; or, directly obtain the source IP address of the connection request as the real IP address.

3. The self-learning attack blocking method according to claim 1, characterized in that, Also includes: Set an initial threshold; The total number of attacks suffered by all servers in the cluster is counted in real time, and the initial threshold is dynamically adjusted based on the total number of attacks suffered by all servers in the cluster to obtain the dynamic threshold.

4. The self-learning attack blocking method according to claim 3, characterized in that, The dynamic threshold is negatively correlated with the total number of attacks suffered by all servers in the cluster.

5. The self-learning attack blocking method according to claim 1, characterized in that, Also includes: Each time unauthorized access is blocked, the corresponding request path is automatically appended to the list of unauthorized request paths; The list of illegal request paths is initially empty or generated by loading illegal path records from the historical database during system initialization.

6. The self-learning attack blocking method according to claim 1, characterized in that, Also includes: Once an unauthorized access request is detected and blocked, a pre-set warning notification is triggered, which is sent to administrators via instant messaging tools or voice SMS interface.

7. The self-learning attack blocking method according to claim 6, characterized in that, Also includes: When the backend program starts, the IP and attack count data in the cache are synchronized as static variables; Once the number of warnings reaches the warning threshold, the attack count in the static variable is reset.

8. The self-learning attack blocking method according to claim 1, characterized in that, Also includes: The cache and the list of illegal request paths are periodically synchronized to a public database so that other servers in the cluster can refresh their local caches from the public database at regular intervals.

9. The self-learning attack blocking method according to claim 8, characterized in that, Also includes: Set expiration dates for the entries in the cache and the entries in the illegal request path list, respectively; Based on an absolute expiration mechanism or a sliding expiration mechanism, entries that have reached their expiration date are automatically cleared from the local cache. The absolute expiration mechanism is as follows: when an entry is created, a timestamp is recorded, and the entry is automatically cleared after reaching a preset expiration date. The sliding expiration mechanism is as follows: if an entry triggers an attack again within its validity period, the timestamp of the entry is reset and the validity period is extended. When an entry in the cache of any server in the cluster expires, the status of the expired entry is synchronized to other servers in the cluster through the public database, so that the other servers can clear the expired entry.

10. The self-learning attack blocking method according to claim 1, characterized in that, Also includes: After the backend program iterates its business logic, adds or modifies controllers, it automatically scans again via reflection the next time the program starts, and automatically adds the new path after the iteration to the list of permitted controller paths.

11. A self-learning attack blocking system, characterized in that, include: The identity recognition module is used to: receive incoming requests at the backend program entry point and extract the visitor's real IP address and request path from the request; The detection module is used to: query whether the real IP address exists in the cache; If the real IP address exists in the cache, then determine the number of attacks corresponding to the real IP address and determine whether the number of attacks corresponding to the real IP address exceeds the dynamic threshold. If the number of attacks exceeds the limit, the current incoming request will be blocked, and the attack count corresponding to the real IP address will be added to the cache. If the number of attacks does not exceed the dynamic threshold or the real IP address is not present in the cache, then it is determined whether the request path exists in the list of illegal request paths. The self-learning attack blocking module is used to: block the current access request if the request path exists in the illegal request path list; if the request path does not exist in the illegal request path list, determine whether the request path exists in the permission controller path list; if it does not exist, determine it as illegal access, block the current access request, and automatically append the request path to the illegal request path list. If the request path exists in the permission controller path list, the request is allowed to be processed by the corresponding controller. The permission controller path list is dynamically generated by the backend program when it starts up by automatically scanning all legal controller paths in the project through reflection.

12. An electronic device, characterized in that, include: At least one processor; as well as A memory communicatively connected to the at least one processor; wherein, The memory stores one or more computer programs that can be executed by the at least one processor, the one or more computer programs being executed by the at least one processor to enable the at least one processor to perform the self-learning attack blocking method as described in any one of claims 1-10.

13. A computer-readable storage medium having a computer program stored thereon, characterized in that, When the computer program is executed by the processor, it implements the self-learning attack blocking method as described in any one of claims 1-10.

14. A computer program product, characterized in that, Includes computer-readable code, or a non-volatile computer-readable storage medium carrying computer-readable code, wherein when the computer-readable code is run in a processor of an electronic device, the processor in the electronic device performs the self-learning attack blocking method as described in any one of claims 1-10.