CN-122027304-A - Full-link bypass-preventing file transmission bidirectional interception and verification system and method
Abstract
The invention discloses a full-link bypass-preventing file transmission bidirectional interception and verification system and method in the technical field of network security. The method comprises the following steps: S1, constructing a multi-level file interception system; S2, establishing a dynamic marking and real-time verification mechanism; S3, implementing API-level full interception; S4, deploying deep event-system interception; S5, applying real-time dynamic DOM monitoring; S6, adopting comprehensive coverage of file transmission protocols; S7, configuring final interception at the network request layer; S8, reinforcing an anti-bypass enhancement; and S9, adapting to complex scenes. The invention constructs a full-link interception system covering 5 layers, covers the full life cycle of file transmission, solves the interception blind spots of the prior art, and precisely matches the compliance control requirement of secret-related units that every attachment must have a confidentiality basis and meet the standard secret level.
Inventors
- SUN TAO
Assignees
- 北京联创永信科技有限公司
Dates
- Publication Date
- 20260512
- Application Date
- 20260227
Claims (10)
- 1. A full-link bypass-preventing file transmission bidirectional interception and verification method, characterized by comprising the following steps: S1, constructing a multi-level file interception system covering 5 layers, namely a user interface layer, a DOM operation layer, an event processing layer, a data transmission layer and a network request layer, so that attachment transmission across a unit's multiple systems is intercepted along the whole link without blind spots; S2, establishing a dynamic marking and real-time verification mechanism, wherein a unique mark is generated from the file's byte data, compliance verification is performed on the attachment against configurable verification rules, and verification is triggered in real time throughout the life cycle of uploading or downloading the attachment, so that verification never lags; S3, implementing API-level full interception, namely wrapping showOpenFilePicker and other core APIs by 'original reference preservation + wrapper function rewriting', rewriting HTMLInputElement.prototype.files and other core prototype-chain attributes, and adapting asynchronous verification, so that no attachment escapes verification; S4, deploying deep event-system interception, namely injecting check logic into a wrapped addEventListener at the event binding stage, controlling event propagation through stopImmediatePropagation, and covering the change, drop and paste attachment-related events, so that the check is executed first; S5, applying real-time dynamic DOM monitoring, namely observing DOM changes in real time through MutationObserver, rewriting the document.createElement method to intercept element creation, and supporting recursive traversal that penetrates the Shadow DOM, so that attachment transmission through the various custom components of a secret-related unit's systems is controlled; S6, adopting comprehensive coverage of file transmission protocols, namely deeply intercepting the files and items attributes and getAsFile through a Proxy on the DataTransfer object, and intercepting the clipboardData of paste events, so that the drag-and-drop and paste transmission paths are fully verified; S7, configuring final interception at the network request layer, namely rewriting the XMLHttpRequest.send method and the global fetch function, parsing the FormData attachment data in the request body before the request is sent, checking compliance, and throwing an exception for any request that fails the check so that transmission is terminated; S8, reinforcing the anti-bypass enhancement by building a final patch system that assigns a unique ID to every attachment-related element to track its whole life cycle, sets a timer that periodically scans for non-patched elements and patches them, and marks patch states through custom attributes to avoid repeated processing, adapting to batch deployment across multiple systems; S9, adapting to complex scenes, namely supporting interception of attachment elements in same-origin iframes, identifying the association between label and file input elements and verifying in advance, and adapting various custom upload components through deep DOM traversal, so that systems of different architectures are compatible; during deployment each module is initialized by external script injection, can be applied in batch to all systems of a secret-related unit, and executes the full-link verification of attachment uploading and downloading and the anti-bypass leak-repair flow respectively.
- 2. The full-link bypass-preventing file transmission bidirectional interception and verification method according to claim 1, wherein the hierarchical collaboration logic of the multi-level file interception system in step S1 is: the user interface layer first intercepts manually triggered upload operations, the DOM operation layer synchronously monitors element attribute changes, the event processing layer intercepts all attachment-related interaction events, the data transmission layer verifies the integrity of the file's byte data, and the network request layer serves as the final interception barrier; all layers cooperate on the principle that front layers intercept first and rear layers catch what is missed, so that interception has no blind spots.
- 3. The full-link bypass-preventing file transmission bidirectional interception and verification method according to claim 1, wherein the dynamic marking and real-time verification mechanism in step S2 specifically comprises: triggering verification at every node of the full life cycle, namely file selection, upload submission, the transmission process, download triggering and saving to local storage; synchronizing the verification result to every interception layer in real time; and, if verification fails at any node, immediately stopping the transmission process and recording a log.
- 4. The full-link bypass-preventing file transmission bidirectional interception and verification method according to claim 1, wherein the implementation logic of the API-level full interception in step S3 is as follows: the original reference of each core API is saved in advance, the target API is rewritten by function wrapping, and check logic is embedded in the wrapper; the HTMLInputElement.prototype.files prototype-chain attribute is redefined through its property descriptor so that reads and assignments of the attribute are intercepted; and asynchronous APIs are adapted by Promise chaining so that follow-up logic executes only after verification completes, avoiding asynchronous bypass.
- 5. The full-link bypass-preventing file transmission bidirectional interception and verification method according to claim 1, wherein the real-time dynamic DOM monitoring in step S5 specifically comprises: configuring MutationObserver to monitor the key events of node creation, attribute change and child node change, with a monitoring range covering the main document and the Shadow DOM; rewriting the element creation and insertion methods document.createElement and document.appendChild, and injecting verification-association logic at the element generation stage; and penetrating Shadow DOM boundaries with a depth-first traversal algorithm to perform full scanning and control of the internal elements of custom upload components.
- 6. The full-link bypass-preventing file transmission bidirectional interception and verification method according to claim 1, wherein the patching mechanism of the anti-bypass enhancement in step S8 is as follows: a custom attribute is added to each attachment-related element to mark its patch state, the patch states being non-patched, patched and intercepted; a timer with a fixed interval of 100-300 ms periodically scans all elements of the page and automatically applies the API rewriting and event injection patch to non-patched elements; and for dynamically generated temporary elements, an immediate patch is triggered when the element is inserted into the DOM tree, so that none is missed.
- 7. The full-link bypass-preventing file transmission bidirectional interception and verification method according to claim 1, wherein the configurable verification rules support customization according to the requirements of the secret-related unit, including but not limited to: a confidentiality basis validity rule, which verifies whether the attachment is associated with a legal classified document number and with the information of the person responsible for confidentiality; a secret level standard conformance rule, which checks whether the secret level identifier conforms to national/industry standards and how well the secret level matches the file content; and a file attribute restriction rule, which checks the file type, size, format and signature information; the rules, once configured, can be applied in batch to all management and control systems.
- 8. The full-link bypass-preventing file transmission bidirectional interception and verification method according to claim 1, wherein the comprehensive coverage of file transmission protocols in step S6 specifically comprises: deeply intercepting reads of the files and items attributes and calls of the getAsFile method through a Proxy on the DataTransfer object; intercepting the clipboardData of paste events and verifying the pasted file data; and thereby fully verifying the transmission paths of selected, dragged and pasted attachments, leaving no blind spot on any transmission path.
- 9. The full-link bypass-preventing file transmission bidirectional interception and verification method according to claim 1, wherein the complex scene adaptation in step S9 specifically comprises: for attachment elements inside a same-origin iframe, obtaining the internal document object through iframe.contentDocument and executing interception and verification logic consistent with the main document; identifying the association between a label tag and a file input element by matching the for attribute with the id, and pre-checking when a click on the label triggers file selection; and adopting a deep DOM traversal algorithm to adapt custom upload components developed with the Vue and React frameworks, so that hidden elements and dynamically generated elements inside the component are fully controlled.
- 10. A full-link bypass-preventing file transmission bidirectional interception and verification system for implementing the full-link bypass-preventing file transmission bidirectional interception and verification method according to any one of claims 1 to 9, comprising: a multi-level interception module for constructing a full-link interception system covering a user interface layer, a DOM operation layer, an event processing layer, a data transmission layer and a network request layer, so that attachment transmission behaviour is intercepted without blind spots; a dynamic marking and verification module for generating a unique identifier from the file's byte data, associating configurable verification rules, and triggering real-time verification throughout the life cycle of file uploading or downloading, so that verification is timely and accurate; an API and event interception module for full interception of the core APIs, prototype-chain rewriting, and deep interception and prioritized execution of attachment-related events, blocking bypass through API calls and event hijacking; a dynamic DOM monitoring module for observing DOM changes in real time through MutationObserver, penetrating the Shadow DOM for full scanning, intercepting the element creation process, and adapting to the complex scenes of custom components; a protocol and data interception module for proxying the DataTransfer object, intercepting clipboardData, covering the drag-and-drop and paste transmission paths, and rewriting the network request functions to perform the final verification of the attachment data in the request body; an anti-bypass enhancement module for building a patch system that tracks the life cycle of each element through its unique ID and periodically scans and patches, so that no dynamic element escapes control; a rule configuration and management module for supporting the customized check rules of secret-related units, including the secret-related standard rules on confidentiality basis and secret level, and for adding, modifying, deleting and batch-applying the rules, adapting to the control requirements of multiple systems; and a deployment adaptation module for initializing all modules by external script injection, supporting batch deployment across the multiple systems of a secret-related unit, and reducing deployment cost without modifying the original system code.
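The 'original reference preservation + wrapper function rewriting' pattern of step S3 and claim 4, as an added example that is not part of the patent. `host` is a constructed stand-in for `window` and `FakeInput` for `HTMLInputElement`, so the block runs outside a browser; `defaultVerify` and the `secretBasis` field are assumed placeholders for the rule engine of step S2.

```javascript
// Constructed stand-ins for the browser globals the patent rewrites.
const host = {
  // stand-in for window.showOpenFilePicker: resolves with picked handles
  showOpenFilePicker: async () => [{ name: 'report.pdf', secretBasis: 'MJ-2026-001' }],
};
class FakeInput {}
// stand-in for the HTMLInputElement.prototype.files accessor
Object.defineProperty(FakeInput.prototype, 'files', {
  configurable: true,
  get() { return this._files || []; },
  set(list) { this._files = list; },
});
// Assumed compliance callback: a file passes only if it carries a basis field.
function defaultVerify(file) {
  return typeof file.secretBasis === 'string' && file.secretBasis.length > 0;
}

function installApiInterceptor(target, InputCtor, verify = defaultVerify) {
  const log = [];
  // 1. preserve the original references before anything is rewritten
  const originalPicker = target.showOpenFilePicker;
  const originalDesc = Object.getOwnPropertyDescriptor(InputCtor.prototype, 'files');

  // 2. wrapper for the async picker: chain on its Promise so callers only
  //    receive handles after verification has finished (no async bypass)
  target.showOpenFilePicker = function (...args) {
    return originalPicker.apply(this, args).then((handles) => {
      const rejected = handles.filter((h) => !verify(h));
      if (rejected.length) {
        log.push(`picker blocked: ${rejected.map((h) => h.name).join(',')}`);
        throw new Error('attachment failed compliance check');
      }
      return handles;
    });
  };

  // 3. redefine the prototype-chain attribute via its property descriptor so
  //    both reads and assignments of `files` pass through verification
  Object.defineProperty(InputCtor.prototype, 'files', {
    configurable: true,
    get() {
      // non-compliant entries are hidden from whoever reads the list
      return originalDesc.get.call(this).filter((f) => verify(f));
    },
    set(list) {
      const bad = list.filter((f) => !verify(f));
      if (bad.length) {
        log.push(`assignment blocked: ${bad.map((f) => f.name).join(',')}`);
        throw new Error('attachment failed compliance check');
      }
      originalDesc.set.call(this, list);
    },
  });
  return log;
}

// Install once, then exercise the assignment path with constructed files.
const apiLog = installApiInterceptor(host, FakeInput);
const input = new FakeInput();
input.files = [{ name: 'memo.pdf', secretBasis: 'MJ-2026-001' }];
function tryAssign(el, list) {
  try { el.files = list; return true; } catch (e) { return false; }
}
```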
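A configurable rule set in the shape claim 7 describes, as an added example that is not part of the patent. The file objects, the `MJ-` basis format, the secret level names and the `meta` fields are all constructed for this illustration; in a browser the bytes would come from `File.arrayBuffer()`.

```javascript
// Leading bytes ("magic") per declared type, used for the signature rule.
const SIGNATURES = {
  pdf: [0x25, 0x50, 0x44, 0x46],  // %PDF
  png: [0x89, 0x50, 0x4e, 0x47],  // .PNG
  zip: [0x50, 0x4b, 0x03, 0x04],  // PK..
};

function matchesSignature(f) {
  const sig = SIGNATURES[f.ext];
  if (!sig || f.bytes.length < sig.length) return false;   // unknown: fail closed
  return sig.every((b, i) => f.bytes[i] === b);
}

// Each rule is a named predicate; the list is plain data, so it can be edited
// and pushed to every controlled system without touching the interceptors.
// Basis format, level names and size cap are constructed values.
const rules = [
  { name: 'secret-basis', test: (f) => /^MJ-\d{4}-\d{3}$/.test(f.meta.secretBasis || '') },
  { name: 'secret-level', test: (f) => ['internal', 'secret', 'confidential', 'top-secret'].includes(f.meta.secretLevel) },
  { name: 'type-allowed', test: (f) => ['pdf', 'png'].includes(f.ext) },
  { name: 'size-limit',   test: (f) => f.bytes.length <= 10 * 1024 * 1024 },
  { name: 'signature',    test: (f) => matchesSignature(f) },
];

// FNV-1a over the bytes gives a stable mark for following one attachment
// across the interception layers (step S2); use SHA-256 in a real deployment.
function contentMark(bytes) {
  let h = 0x811c9dc5;
  for (const b of bytes) { h ^= b; h = Math.imul(h, 0x01000193) >>> 0; }
  return h.toString(16).padStart(8, '0');
}

function makeFile(name, bytes, meta = {}) {
  return { name, ext: name.split('.').pop().toLowerCase(), bytes: Uint8Array.from(bytes), meta };
}

// Runs every rule and reports all failures, not just the first one.
function verifyAttachment(file, ruleSet = rules) {
  const failures = ruleSet.filter((r) => !r.test(file)).map((r) => r.name);
  return { mark: contentMark(file.bytes), ok: failures.length === 0, failures };
}

// Constructed samples: a compliant PDF, and a ZIP renamed to .pdf with no basis.
const goodPdf = makeFile('plan.pdf', [0x25, 0x50, 0x44, 0x46, 0x2d, 0x31, 0x2e, 0x34],
  { secretBasis: 'MJ-2026-001', secretLevel: 'secret' });
const renamedZip = makeFile('plan.pdf', [0x50, 0x4b, 0x03, 0x04, 0, 0, 0, 0],
  { secretLevel: 'public' });
```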
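The network request layer of step S7 and claim 10, as an added example that is not part of the patent: `XMLHttpRequest.send` and `fetch` are wrapped so multipart bodies are inspected before any bytes leave. `host` stands for `window`, `StubFormData` for the browser's `FormData` and `StubXhr` for `XMLHttpRequest`, all constructed so the block runs in Node; `verifyByBasis` is an assumed compliance callback.

```javascript
// Constructed stand-ins with the same surface the interceptor relies on.
class StubFormData {
  constructor() { this.parts = []; }
  append(name, value) { this.parts.push([name, value]); }
  entries() { return this.parts[Symbol.iterator](); }
}
class StubXhr {
  open(method, url) { this.method = method; this.url = url; }
  send(body) { this.sentBody = body; }
}
const host = {
  FormData: StubFormData,
  XMLHttpRequest: StubXhr,
  fetch: async (url, init = {}) => ({ status: 200, url, body: init.body }),
};

// File-typed entries in a multipart body, duck-typed so the same code covers
// File, Blob and the constructed objects used below.
function filesInBody(body) {
  if (!body || typeof body.entries !== 'function') return [];
  return [...body.entries()].map(([, v]) => v).filter((v) => v && typeof v === 'object' && 'name' in v);
}

function installNetworkInterceptor(target, verify) {
  const log = [];
  const originalFetch = target.fetch;                          // preserve originals
  const originalSend = target.XMLHttpRequest.prototype.send;
  const check = (body, via) => {
    const bad = filesInBody(body).filter((f) => !verify(f));
    if (bad.length) {
      log.push(`${via} blocked: ${bad.map((f) => f.name).join(',')}`);
      throw new Error('attachment failed compliance check; request terminated');
    }
  };
  target.fetch = function (url, init = {}) {
    try { check(init.body, 'fetch'); } catch (e) { return Promise.reject(e); }
    return originalFetch.call(this, url, init);
  };
  target.XMLHttpRequest.prototype.send = function (body) {
    check(body, 'xhr');                         // throws before the original send runs
    return originalSend.call(this, body);
  };
  return log;
}

// Constructed attachments pushed through both transport paths.
const verifyByBasis = (f) => Boolean(f.secretBasis);
const netLog = installNetworkInterceptor(host, verifyByBasis);
function uploadViaXhr(file) {
  const fd = new host.FormData();
  fd.append('attachment', file);
  const xhr = new host.XMLHttpRequest();
  xhr.open('POST', '/upload');
  xhr.send(fd);
  return xhr.sentBody !== undefined;           // true only if the body was handed on
}
function uploadViaFetch(file) {
  const fd = new host.FormData();
  fd.append('attachment', file);
  return host.fetch('/upload', { method: 'POST', body: fd });
}
```

Everything in this layer runs inside the page, so it only governs clients that load the injected script; the receiving service still needs to apply the same rules to the bytes it actually stores.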
Description
Full-link bypass-preventing file transmission bidirectional interception and verification system and method
Technical Field
The invention relates to the technical field of network security, in particular to a full-link bypass-preventing file transmission bidirectional interception and verification system and method.
Background
With the advancing digital transformation of secret-related units, a large number of heterogeneous B/S architecture business systems such as OA systems, project management systems and scientific research data platforms are commonly deployed in the intranet environment, and attachment uploading and downloading is the core data circulation mode of cross-system business collaboration. Because secret-related units have extremely high compliance requirements for file transmission, every transmitted attachment must be guaranteed to have an associated legal confidentiality basis and a secret level identifier that meets national/industry standards; yet existing file transmission security control schemes have many defects and are difficult to apply to batch, strict control.
The key problems of the prior art are as follows. Firstly, the interception level is single and the protection links are incomplete: most schemes verify files only once, at the network request submission stage, leaving a large number of protection dead zones in upstream links such as user interface operation, dynamic DOM generation and file drag-and-drop or paste. Secondly, adaptation to complex scenes is insufficient: modern business systems generally adopt component frameworks such as Vue and React, page elements are often encapsulated in closed Shadow DOM areas, and complex structures such as same-origin iframes and custom upload components are common, so existing schemes struggle to penetrate these encapsulation boundaries and control is missed. Thirdly, anti-bypass capability is weak: front-end verification can be bypassed by tampering with DOM attributes, hijacking event propagation or calling showOpenFilePicker directly, resulting in illegal attachment transmission. Fourthly, a full life cycle verification mechanism is lacking: relying on a single verification cannot cope with tampering and replacement during the file transmission process, so the reliability of security management is insufficient. Fifthly, adaptation is hard-coded and cannot be flexibly configured for the differing control requirements of a unit's multiple systems.
Although some file transmission interception technologies exist in the current network security field, they generally focus on 'passive blocking' of illegal operations, lack a full-link defense-in-depth design, and are not customized for the core requirements of secret-related units such as confidentiality basis verification and secret level standard control, so they cannot solve the problems of batch compliance verification and bypass prevention across multiple systems and complex scenes. Therefore, constructing a full-link, non-bypassable bidirectional interception and verification system that achieves precise control and flexible adaptation of attachment transmission across the multiple systems of secret-related units is the technical problem to be solved.
Disclosure of Invention
Aiming at the defects of the prior art, namely that the interception level is single, the protection link is incomplete, complex scene adaptation is insufficient, anti-bypass capability is weak, and the batch control requirement of secret-related units that 'all attachments must have a confidentiality basis and meet the standard secret level' is not met, the invention provides a full-link bypass-preventing file transmission bidirectional interception and verification system and method. A full-link defense-in-depth system from user interface operation to the network protocol layer is constructed, and bidirectional, real-time and bypass-preventing precise verification and control of the uploading and downloading of attachments across the multiple systems of secret-related units is achieved through configurable verification rules, solving the compliance verification and control of multi-system attachments in batch and improving the file transmission security protection capability of secret-related units. In order to achieve the above purpose, the invention adopts a technical a