CN111585981A - Security detection method based on application firewall and related equipment - Google Patents

Info

Publication number
CN111585981A
Authority
CN
China
Prior art keywords
request
inbound request
parameter
rule
new
Legal status
Granted
Application number
CN202010329731.6A
Other languages
Chinese (zh)
Other versions
CN111585981B (en)
Inventor
韦利东
杨国生
柳炉
王金永
Current Assignee
Shanghai Weaver Network Technology Co ltd
Original Assignee
Shanghai Weaver Network Technology Co ltd
Application filed by Shanghai Weaver Network Technology Co ltd
Priority to CN202010329731.6A
Publication of CN111585981A
Application granted
Publication of CN111585981B
Legal status: Active

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies
    • H04L63/0263Rule management

Landscapes

  • Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • General Business, Economics & Management (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a security detection method based on an application firewall and related equipment, which are used for actively acquiring the request parameters of an application system through the application firewall, realizing accurate verification by configuring suitable rules for those request parameters, and reducing the false alarm rate caused by using general rules. The method comprises the following steps: deploying an application firewall (WAF) in an application system and configuring a filter; calling the application firewall to perform security check filtering on an initial inbound request in the application system according to a preset general rule to obtain a target inbound request; starting an automatic parameter collection mechanism to monitor the target inbound request, wherein the automatic parameter collection mechanism is used for collecting the request parameter values corresponding to the target inbound request; sending the corresponding request parameter values to a parameter rule configuration platform; acquiring a target parameter rule sent by the parameter rule configuration platform and synchronously deploying the target parameter rule to the application system; and calling the WAF to perform subsequent security detection based on the target parameter rule.

Description

Security detection method based on application firewall and related equipment
Technical Field
The invention relates to the field of network security, in particular to a security detection method based on an application firewall and related equipment.
Background
With the rapid development of internet technology, network security receives more and more attention. A Web Application Firewall (WAF) is generally adopted to detect and verify the content of the various requests coming from web application clients, so as to ensure that requests are secure and valid, block illegal requests in real time and protect the web application; the WAF is an important link in a defense-in-depth network security system.
Most products on the market today are rule-based WAFs. The principle is that each session is subjected to a series of tests, each consisting of one or more detection rules; if a test fails, the request is considered illegal and rejected. Rule-based WAF tests are easy to construct and effective against known security problems, and they are convenient when a custom defense strategy is wanted. But they must be backed by a strong rule database, because the nature of each threat has to be identified first; WAF vendors maintain this database and provide tools for automatic updates.
The existing scheme performs overall defense detection aimed at attack characteristics and cannot be strongly associated with the business of the actual application system, so the false alarm rate is high and the normal function of the application system is affected.
Disclosure of Invention
The invention provides a security detection method based on an application firewall and related equipment, which are used for actively acquiring request parameters of an application system through the application firewall, realizing accurate verification by configuring proper rules for the request parameters and reducing the false alarm rate caused by using general rules.
A first aspect of an embodiment of the present invention provides a security detection method based on an application firewall, including: deploying an application firewall (WAF) in an application system and configuring a filter, wherein the filter is used for intercepting all inbound requests and request parameters passing through the WAF; calling the application firewall to perform security check filtering on the initial inbound request in the application system according to a preset general rule to obtain a target inbound request; enabling a parameter automatic collection mechanism to monitor the target inbound request, wherein the parameter automatic collection mechanism is used for collecting a request parameter value corresponding to the target inbound request; sending the corresponding request parameter values to a parameter rule configuration platform, wherein the parameter rule configuration platform is provided with a plurality of types of rules, so that the parameter rule configuration platform matches a target parameter rule in the plurality of types of rules through the request parameter values; acquiring a target parameter rule sent by the parameter rule configuration platform, and synchronously deploying the target parameter rule to the application system; and calling the WAF to perform subsequent security detection based on the target parameter rule.
Optionally, in a first implementation manner of the first aspect of the embodiment of the present invention, the invoking the application firewall to perform security check filtering on the initial inbound request in the application system according to a preset general rule to obtain a target inbound request includes: receiving an initial inbound request; acquiring a preset general rule in the application system; calling the application firewall to perform security check on the initial inbound request based on the preset general rule, wherein the preset general rule is used for judging whether the initial inbound request belongs to a malicious request; if the initial inbound request does not accord with the preset general rule, the initial inbound request belongs to a malicious request and is intercepted and filtered; and if the initial inbound request conforms to the preset general rule, determining the initial inbound request as a target inbound request.
Optionally, in a second implementation manner of the first aspect of the embodiment of the present invention, the invoking the WAF to perform subsequent security detection based on the target parameter rule includes: calling the WAF to scan a preset path to obtain a plurality of safety rules; loading the plurality of security rules; and when the WAF subsequently receives a new inbound request, invoking the plurality of security rules to perform security verification on the new inbound request.
Optionally, in a third implementation manner of the first aspect of the embodiment of the present invention, the invoking the multiple security rules to perform security check on the new inbound request when the WAF subsequently receives the new inbound request includes: when the WAF subsequently receives a new inbound request, judging whether the new inbound request belongs to a global white list; if the new inbound request does not belong to a global white list, determining whether the new inbound request accesses a static resource file; if the new inbound request does not access a static resource file, determining whether the new inbound request passes a custom security rule; if the new inbound request passes a custom security rule, judging whether a Uniform Resource Locator (URL) of the new inbound request is in a login-free white list; if the URL of the new inbound request is in the login-free white list, judging whether the new inbound request is HOST forgery attack; if the new inbound request is not a HOST forgery attack, judging whether the new inbound request is a cross-site request forgery attack; if the new inbound request is not a cross-site request forgery attack, judging whether the new inbound request is a request meeting specified IP access; and if the new inbound request is a request meeting the specified IP access, acquiring request parameters corresponding to the new inbound request, checking the legality of the request parameters, and sending the request parameters meeting the legality check to a parameter rule configuration platform.
Optionally, in a fourth implementation manner of the first aspect of the embodiment of the present invention, if the new inbound request does not access a static resource file, the determining whether the new inbound request passes a custom security rule includes: if the new inbound request does not access the static resource file, determining whether the new inbound request contains a Trojan request parameter; if the new inbound request does not contain the Trojan request parameter, judging whether the new inbound request accesses the sensitive file; if the new inbound request does not access the sensitive file, determining whether the new inbound request is unauthorized access; if the new inbound request is not an unauthorized access, determining that the new inbound request passes a custom security rule.
A second aspect of the embodiments of the present invention provides a security detection apparatus based on an application firewall, including: a deployment configuration unit, configured to deploy an application firewall WAF in an application system and configure a filter, where the filter is configured to intercept all inbound requests and request parameters that pass through the WAF; the inspection filtering unit is used for calling the application firewall to perform security inspection filtering on the initial inbound request in the application system according to a preset general rule to obtain a target inbound request; a monitoring unit, configured to enable an automatic parameter collection mechanism to monitor the target inbound request, where the automatic parameter collection mechanism is configured to collect a request parameter value corresponding to the target inbound request; the sending unit is used for sending the corresponding request parameter values to a parameter rule configuration platform, and the parameter rule configuration platform is provided with multiple types of rules so that the parameter rule configuration platform can match target parameter rules in the multiple types of rules through the request parameter values; the acquisition synchronization unit is used for acquiring the target parameter rule sent by the parameter rule configuration platform and synchronously deploying the target parameter rule to the application system; and the detection unit is used for calling the WAF to perform subsequent safety detection based on the target parameter rule.
Optionally, in a first implementation manner of the second aspect of the embodiment of the present invention, the inspection filtering unit is specifically configured to: receiving an initial inbound request; acquiring a preset general rule in the application system; calling the application firewall to perform security check on the initial inbound request based on the preset general rule, wherein the preset general rule is used for judging whether the initial inbound request belongs to a malicious request; if the initial inbound request does not accord with the preset general rule, the initial inbound request belongs to a malicious request and is intercepted and filtered; and if the initial inbound request conforms to the preset general rule, determining the initial inbound request as a target inbound request.
Optionally, in a second implementation manner of the second aspect of the embodiment of the present invention, the detecting unit includes: the scanning module is used for calling the WAF to scan a preset path to obtain a plurality of safety rules; a loading module for loading the plurality of security rules; and the verification module is used for calling the plurality of security rules to perform security verification on the new inbound request when the WAF subsequently receives the new inbound request.
Optionally, in a third implementation manner of the second aspect of the embodiment of the present invention, the verification module is specifically configured to: when the WAF subsequently receives a new inbound request, judging whether the new inbound request belongs to a global white list; if the new inbound request does not belong to a global white list, determining whether the new inbound request accesses a static resource file; if the new inbound request does not access a static resource file, determining whether the new inbound request passes a custom security rule; if the new inbound request passes a custom security rule, judging whether a Uniform Resource Locator (URL) of the new inbound request is in a login-free white list; if the URL of the new inbound request is in the login-free white list, judging whether the new inbound request is HOST forgery attack; if the new inbound request is not a HOST forgery attack, judging whether the new inbound request is a cross-site request forgery attack; if the new inbound request is not a cross-site request forgery attack, judging whether the new inbound request is a request meeting specified IP access; and if the new inbound request is a request meeting the specified IP access, acquiring request parameters corresponding to the new inbound request, checking the legality of the request parameters, and sending the request parameters meeting the legality check to a parameter rule configuration platform.
Optionally, in a fourth implementation manner of the second aspect of the embodiment of the present invention, the verification module is further specifically configured to: if the new inbound request does not access the static resource file, determining whether the new inbound request contains a Trojan request parameter; if the new inbound request does not contain the Trojan request parameter, judging whether the new inbound request accesses the sensitive file; if the new inbound request does not access the sensitive file, determining whether the new inbound request is unauthorized access; if the new inbound request is not an unauthorized access, determining that the new inbound request passes a custom security rule.
A third aspect of the embodiments of the present invention provides a security detection apparatus based on an application firewall, including a memory, a processor, and a computer program stored on the memory and executable on the processor, where the processor implements the security detection method based on the application firewall according to any of the foregoing embodiments when executing the computer program.
A fourth aspect of the embodiments of the present invention provides a computer-readable storage medium, including instructions, which, when executed on a computer, cause the computer to perform the steps of the application firewall-based security detection method according to any of the foregoing embodiments.
In the technical scheme provided by the embodiment of the invention, an application firewall WAF is deployed in an application system and a filter is configured, wherein the filter is used for intercepting all inbound requests and request parameters passing through the WAF; calling an application firewall to perform security check filtering on an initial inbound request in an application system according to a preset general rule to obtain a target inbound request; starting an automatic parameter collection mechanism to monitor the target inbound request, wherein the automatic parameter collection mechanism is used for collecting a request parameter value corresponding to the target inbound request; sending the corresponding request parameter values to a parameter rule configuration platform, wherein the parameter rule configuration platform is provided with a plurality of types of rules, so that the parameter rule configuration platform matches the target parameter rules in the plurality of types of rules through the request parameter values; acquiring a target parameter rule sent by a parameter rule configuration platform, and synchronously deploying the target parameter rule to an application system; and calling the WAF to perform subsequent security detection based on the target parameter rule. The embodiment of the invention actively embeds the request parameters into the application system in a way of being strongly associated with the application system, actively acquires the request parameters of the application system through the application firewall, and configures proper rules for the request parameters to realize accurate verification and reduce the false alarm rate caused by using the general rules.
Drawings
FIG. 1 is a schematic diagram of an embodiment of a security detection method based on an application firewall according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of an embodiment of a security detection apparatus based on an application firewall according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of another embodiment of a security detection apparatus based on an application firewall according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of an embodiment of a security detection device based on an application firewall according to an embodiment of the present invention.
Detailed Description
The invention provides a security detection method based on an application firewall and related equipment, which are used for actively acquiring request parameters of an application system through the application firewall, realizing accurate verification by configuring proper rules for the request parameters and reducing the false alarm rate caused by using general rules.
In order to make the technical field of the invention better understand the scheme of the invention, the embodiment of the invention will be described in conjunction with the attached drawings in the embodiment of the invention.
The terms "first," "second," "third," "fourth," and the like in the description and in the claims, as well as in the drawings, if any, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It will be appreciated that the data so used may be interchanged under appropriate circumstances such that the embodiments described herein may be practiced otherwise than as specifically illustrated or described herein. Furthermore, the terms "comprises," "comprising," or "having," and any variations thereof, are intended to cover non-exclusive inclusions, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Referring to fig. 1, a flowchart of a security detection method based on an application firewall according to an embodiment of the present invention specifically includes:
101. An application firewall WAF is deployed in an application system and a filter is configured to intercept all inbound requests and request parameters that pass through the WAF.
The server deploys an application firewall WAF in the application system and configures a filter for intercepting all inbound requests and request parameters that pass through the WAF.
The core capability of an application firewall is intrusion detection, especially the detection of intrusions against web services, and the biggest challenge for a web application firewall is its recognition rate. This is not an easily measured index, because intrusions that slip past the WAF are usually not noticed: for example, when a web page has been implanted with a Trojan ("hung with a horse"), the server can hardly tell which intruder was responsible, so no statistics can be gathered. For known attack methods one can talk about a recognition rate; for unknown attack methods the server can only wait until they reveal themselves. Rule-based WAF tests are easy to construct and effective against known security problems.
In actual application, a unified interceptor (SecurityFilter) of the WAF (security unified protection module) is configured into a web.xml (or similar configuration file) of an application system to ensure that the WAF works normally.
It is understood that the execution subject of the present invention may be a security detection device based on an application firewall, and may also be a terminal or a server, which is not limited herein. The embodiment of the present invention is described by taking a server as an execution subject.
102. Calling the application firewall to perform security check filtering on the initial inbound request in the application system according to a preset general rule to obtain a target inbound request.
The server calls the application firewall to perform security check and filtering on the initial inbound request in the application system according to a preset general rule, obtaining a target inbound request.
It should be noted that, after receiving an inbound request from a user, the WAF starts to execute the predetermined validity checks. It first executes the general web protection rules, such as the sensitive file download check and the custom security (class) rules (including the Trojan access check, the sensitive file access check, the unauthorized access check, and the like), then begins to check the request parameters, and executes the SQL injection check and the cross-site scripting check once all preceding checks have passed. If a checked parameter has a specific rule configured, that specific rule (a whitelist) is executed; if not, the WAF's built-in generic blacklist rules are executed.
It should be noted that, the WAF performs rule matching, behavior analysis, and the like on the content of the initial inbound request to identify malicious behavior, and performs related actions, including blocking, recording, alarming, and the like, to obtain a target inbound request, where the target inbound request conforms to the general rule.
Optionally, the server calls the application firewall to perform security check filtering on the initial inbound request in the application system according to a preset universal rule, and obtain the target inbound request, where the method includes:
the server receives an initial inbound request; the server acquires a preset general rule in the application system; the server calls the application firewall to perform a security check on the initial inbound request based on the preset general rule, wherein the preset general rule is used for judging whether the initial inbound request belongs to a malicious request; if the initial inbound request does not conform to the preset general rule, the server determines that the initial inbound request is a malicious request and intercepts and filters it; if the initial inbound request conforms to the preset general rule, the server determines the initial inbound request as a target inbound request.
103. Starting an automatic parameter collection mechanism to monitor the target inbound request, wherein the automatic parameter collection mechanism is used for collecting the request parameter values corresponding to the target inbound request.
The server starts an automatic parameter collection mechanism to monitor the target inbound request, and the automatic parameter collection mechanism is used for collecting a request parameter value corresponding to the target inbound request. And after receiving the collected parameters, the server analyzes the parameter values and intelligently recommends the closest rule.
It should be noted that the WAF detects and identifies HTTP-based communication before it reaches the web server. In popular terms, the WAF is like the security inspection at a subway station: it performs a rapid security check on HTTP requests, parses the HTTP data, and judges the different fields along dimensions such as features and rules; the result of that judgment is the basis for deciding whether to intercept or release the request.
104. Sending the corresponding request parameter values to a parameter rule configuration platform, wherein the parameter rule configuration platform is provided with a plurality of types of rules, so that the parameter rule configuration platform matches a target parameter rule among the plurality of types of rules through the request parameter values.
The server sends the corresponding request parameter values to the parameter rule configuration platform; the platform is provided with multiple types of rules so that it can match a target parameter rule among them through the request parameter values.
The multiple types of rules can comprise a number type, an alphabet type, a single-line text type, a multi-line text type, an html field type and the like, and the server intelligently matches the parameter rules through the collected parameter values.
It should be noted that, after the parameter rule configuration platform confirms the parameter rule, the rule is synchronously validated to the application system, so as to ensure that the subsequent security detection is performed based on the determined rule, and the built-in general rule (blacklist) is not used for checking, so that the detection precision can be effectively improved, and the influence on the system function due to false alarm is avoided.
It is understood that the parameter rule configuration platform should provide the capability of rule configuration and modification, and the maintenance personnel entering the parameter rule configuration module can configure and confirm the parameters and transmit the confirmed result back to the WAF.
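The collection, recommendation and whitelist-versus-blacklist behaviour of steps 103 to 106 can be illustrated with a small model. The patent's filter is a Java servlet filter and does not define the rule types; the following is an added Python example, not code from the patent, in which the acceptance predicate for each type (number, alphabet, single-line text, multi-line text, html field), the coarse generic blacklist and the sample traffic are all constructed assumptions.

```python
import re
from collections import defaultdict
from enum import Enum


class ParamType(Enum):
    """Rule types named in the patent, declared from most to least restrictive."""
    NUMBER = "number"
    ALPHABET = "alphabet"
    SINGLE_LINE = "single_line_text"
    MULTI_LINE = "multi_line_text"
    HTML = "html_field"


_HTML_TAG = re.compile(r"<[^>]*>")
_ALLOWED_TAG = re.compile(r"</?(p|b|i|u|br|ul|ol|li|strong|em)\s*/?>", re.I)


def _no_tags(value):
    return _HTML_TAG.search(value) is None


# Acceptance predicate per rule type (assumed definitions; the patent only names the types).
_TYPE_CHECKS = {
    ParamType.NUMBER: lambda v: re.fullmatch(r"-?\d+(\.\d+)?", v) is not None,
    ParamType.ALPHABET: lambda v: re.fullmatch(r"[A-Za-z]+", v) is not None,
    ParamType.SINGLE_LINE: lambda v: "\n" not in v and "\r" not in v and _no_tags(v),
    ParamType.MULTI_LINE: _no_tags,
    ParamType.HTML: lambda v: all(_ALLOWED_TAG.fullmatch(t) for t in _HTML_TAG.findall(v)),
}

# Stand-in for the WAF's built-in generic blacklist (constructed, deliberately coarse
# patterns so the false-positive problem the patent describes becomes visible).
_GENERIC_BLACKLIST = re.compile(
    r"\bunion\b.*\bselect\b|\bor\b\s+\d+\s*=\s*\d+|\bdrop\b|<script|javascript:", re.I
)


class ParameterRuleEngine:
    def __init__(self):
        self.samples = defaultdict(list)  # parameter name -> values seen in step 103
        self.rules = {}                   # parameter name -> deployed ParamType

    def collect(self, params):
        """Step 103: record parameter values of requests that passed the general rules."""
        for name, value in params.items():
            self.samples[name].append(value)

    def recommend(self, name):
        """Step 104: the most restrictive type that every collected sample satisfies."""
        values = self.samples.get(name, [])
        if not values:
            return None
        for ptype in ParamType:  # enum declaration order = most restrictive first
            if all(_TYPE_CHECKS[ptype](v) for v in values):
                return ptype
        return None

    def deploy(self, name, ptype):
        """Step 105: install the rule confirmed on the configuration platform."""
        self.rules[name] = ptype

    def check(self, params):
        """Step 106: specific whitelist rule if configured, else the generic blacklist.

        Returns the names of the parameters that failed.
        """
        rejected = []
        for name, value in params.items():
            rule = self.rules.get(name)
            if rule is not None:
                ok = _TYPE_CHECKS[rule](value)
            else:
                ok = _GENERIC_BLACKLIST.search(value) is None
            if not ok:
                rejected.append(name)
        return rejected


def build_trained_engine():
    """Collect constructed sample traffic and deploy the recommended rules."""
    engine = ParameterRuleEngine()
    for req in (
        {"id": "17", "title": "Weekly report", "body": "Please drop the old table\nbefore Friday."},
        {"id": "42", "title": "Minutes", "body": "Agenda:\n1. budget\n2. hiring"},
    ):
        engine.collect(req)
    for name in ("id", "title", "body"):
        engine.deploy(name, engine.recommend(name))
    return engine
```

With the deployed rules, a numeric `id` rejects `17; --` (which the coarse blacklist would let through) while a multi-line `body` containing the word "drop" is accepted instead of raising a false alarm.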
105. Acquiring the target parameter rule sent by the parameter rule configuration platform and synchronously deploying the target parameter rule to the application system.
The server acquires the target parameter rule sent by the parameter rule configuration platform and synchronously deploys it to the application system.
106. Calling the WAF to perform subsequent security detection based on the target parameter rule.
The server calls the WAF to perform subsequent security detection based on the target parameter rule.
Optionally, the server invokes the WAF to perform subsequent security detection based on the target parameter rule, including:
the server calls the WAF to scan the preset path to obtain a plurality of safety rules;
the server loads a plurality of safety rules;
when the WAF subsequently receives a new inbound request, the server invokes a plurality of security rules to perform a security check on the new inbound request.
Optionally, when the WAF subsequently receives a new inbound request, invoking a plurality of security rules to perform security check on the new inbound request, including:
when the WAF subsequently receives a new inbound request, judging whether the new inbound request belongs to a global white list; if the new inbound request does not belong to the global white list, determining whether the new inbound request accesses the static resource file; if the new inbound request does not access the static resource file, determining whether the new inbound request passes the custom security rule; if the new inbound request passes the custom security rule, judging whether the Uniform Resource Locator (URL) of the new inbound request is in the login-free white list; if the URL of the new inbound request is in the login-free white list, judging whether the new inbound request is HOST forgery attack; if the new inbound request is not a HOST forgery attack, determining whether the new inbound request is a cross-site request forgery attack; if the new inbound request is not a cross-site request forgery attack, judging whether the new inbound request is a request meeting the specified IP access; and if the new inbound request is a request meeting the specified IP access, acquiring request parameters corresponding to the new inbound request, checking the legality of the request parameters, and sending the request parameters meeting the legality check to the parameter rule configuration platform.
It should be noted that the WAF actively scans all security (class) rules under the specified path and actively loads them, and calls these class rules to perform a security check each time there is an inbound request. The creation of a security (class) rule must follow the unified standard of the WAF, namely the method defined by the WAF is implemented and the security protection code is placed in the valid() method; the implemented security (class) rule is uploaded to the designated path of the WAF and the WAF cache is refreshed, so that the newly added protection rule takes effect immediately and a new vulnerability can be defended against quickly. In this way the method and device provide a more flexible, code-level way of writing rules, and more complex vulnerability defense problems can be solved more flexibly and effectively.
The implementation standard of a security (class) rule is as follows:
1. a specific interface (BaseRule) must be implemented;
2. the methods of that interface must be implemented, comprising the following steps:
[Figure BDA0002464506600000091: code listing of the interface, not reproduced on this page]
optionally, if the new inbound request does not access the static resource file, determining whether the new inbound request passes the custom security rule includes:
if the new inbound request does not access the static resource file, determining whether the new inbound request contains a Trojan request parameter;
if the new inbound request does not contain the Trojan request parameter, judging whether the new inbound request accesses the sensitive file;
if the new inbound request does not access the sensitive file, determining whether the new inbound request is unauthorized access;
if the new inbound request is not an unauthorized access, the new inbound request is determined to pass the custom security rule.
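The ordered check chain described above, together with the rule-class contract the page describes (a BaseRule interface whose valid() method holds the protection code, rule classes loaded from a path and run in sequence), as an added example in Python that is not the patent's code; the patent's own listing is not reproduced on the page, and its filter and class conventions suggest a Java servlet implementation. The verdict strings, the order attribute, every policy constant (whitelists, trusted hosts, allowed networks, signatures), the sample requests and the reading that a URL outside the login-free list requires an authenticated session are assumptions made for illustration:

```python
"""Ordered, pluggable WAF rule chain (added example; not the patent's code). The
verdict strings, rule names, policy constants and sample requests are assumptions."""
import hmac
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

ALLOW, NEXT, BLOCK = "allow", "next", "block"  # verdicts a rule's valid() may return (assumed)

@dataclass
class Request:
    method: str
    path: str
    host: str
    client_ip: str
    params: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    user: Optional[str] = None          # session user, None if anonymous
    roles: frozenset = frozenset()
    session_csrf: Optional[str] = None  # CSRF token bound to the session

class BaseRule:
    """Contract every rule class implements (the page's BaseRule with valid())."""
    order = 0  # the WAF runs loaded rules in ascending order
    def valid(self, req: Request) -> str:
        raise NotImplementedError

class GlobalWhitelist(BaseRule):
    order, URLS = 10, {"/healthz", "/favicon.ico"}
    def valid(self, req):
        return ALLOW if req.path in self.URLS else NEXT

class StaticResource(BaseRule):
    order, EXT = 20, re.compile(r"\.(css|js|png|jpg|gif|ico|woff2?)$", re.I)
    def valid(self, req):
        return ALLOW if self.EXT.search(req.path) else NEXT

class TrojanParameter(BaseRule):  # custom rule 1: webshell payload in a parameter
    order, SIG = 30, re.compile(r"<\?php|\beval\s*\(|Runtime\.getRuntime|base64_decode\s*\(", re.I)
    def valid(self, req):
        return BLOCK if any(self.SIG.search(str(v)) for v in req.params.values()) else NEXT

class SensitiveFile(BaseRule):  # custom rule 2: traversal or config-file access
    order, PAT = 40, re.compile(r"\.\./|/WEB-INF/|/\.git/|/\.env$", re.I)
    def valid(self, req):
        return BLOCK if self.PAT.search(req.path) else NEXT

class UnauthorizedAccess(BaseRule):  # custom rule 3: privilege check
    order = 50
    def valid(self, req):
        return BLOCK if req.path.startswith("/admin/") and "admin" not in req.roles else NEXT

class LoginRequired(BaseRule):  # URLs outside the login-free list need a session (assumed reading)
    order, LOGIN_FREE = 60, {"/login", "/api/public/ping"}
    def valid(self, req):
        return NEXT if req.path in self.LOGIN_FREE or req.user is not None else BLOCK

class HostForgery(BaseRule):
    order, TRUSTED = 70, {"oa.example.internal"}
    def valid(self, req):
        return NEXT if req.host.split(":")[0].lower() in self.TRUSTED else BLOCK

class CsrfCheck(BaseRule):
    order, SAFE = 80, {"GET", "HEAD", "OPTIONS"}
    def valid(self, req):
        if req.method in self.SAFE:
            return NEXT
        origin = (req.headers.get("Origin") or req.headers.get("Referer", "")).lower()
        # the trailing slash stops "https://host.evil" from passing as "https://host"
        same_site = (origin.rstrip("/") + "/").startswith(f"https://{req.host.lower()}/")
        token = req.params.get("_csrf", "")
        token_ok = bool(req.session_csrf) and hmac.compare_digest(token, req.session_csrf)
        return NEXT if same_site and token_ok else BLOCK

class SourceIpPolicy(BaseRule):
    order, ALLOWED = 90, [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("203.0.113.0/24")]
    def valid(self, req):
        return NEXT if any(ipaddress.ip_address(req.client_ip) in n for n in self.ALLOWED) else BLOCK

PARAM_LEGAL = re.compile(r"[\w .@:/,-]{1,256}")  # legality check: assumed charset and length

def load_rules():
    """Stand-in for the WAF scanning its rule path: discover every BaseRule subclass and
    sort by order. A real deployment loads classes from a directory and refreshes its cache."""
    return sorted((cls() for cls in BaseRule.__subclasses__()), key=lambda r: r.order)

def inspect_request(req, rules):
    """Run the chain; returns (decision, deciding rule, parameters collected for the platform)."""
    for rule in rules:
        verdict = rule.valid(req)
        if verdict == ALLOW:
            return "allow", type(rule).__name__, {}
        if verdict == BLOCK:
            return "block", type(rule).__name__, {}
    return "allow", "chain", {k: v for k, v in req.params.items() if PARAM_LEGAL.fullmatch(str(v))}
```

Whitelist and static-resource rules answer ALLOW and short-circuit the chain, which is why a static file on a forged Host is still served; every other rule either blocks or hands over to the next one, and only a request that survives all of them has its parameters collected. Adding a rule means adding one class with an order value; nothing in the engine changes.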
In this embodiment the WAF is embedded in the application system and tightly coupled to it, so that it can actively collect the application's request parameters; suitable rules are then configured for those parameters, giving precise validation and lowering the false-positive rate that generic rules produce.
The security detection method based on the application firewall in the embodiment of the present invention has been described above. Referring to fig. 2, the following describes the security detection apparatus based on the application firewall in the embodiment of the present invention; an embodiment of that apparatus includes:
a deployment configuration unit 201, configured to deploy an application firewall WAF in an application system and configure a filter, where the filter is configured to intercept all inbound requests and request parameters that pass through the WAF;
the inspection filtering unit 202 is configured to invoke the application firewall to perform security inspection filtering on the initial inbound request in the application system according to a preset general rule, so as to obtain a target inbound request;
a monitoring unit 203, configured to enable an automatic parameter collection mechanism to monitor the target inbound request, where the automatic parameter collection mechanism is configured to collect a request parameter value corresponding to the target inbound request;
a sending unit 204, configured to send the corresponding request parameter value to a parameter rule configuration platform, where the parameter rule configuration platform is provided with multiple types of rules, so that the parameter rule configuration platform matches a target parameter rule in the multiple types of rules through the request parameter value;
an obtaining synchronization unit 205, configured to obtain a target parameter rule sent by the parameter rule configuration platform, and synchronously deploy the target parameter rule to the application system;
a detecting unit 206, configured to invoke the WAF to perform subsequent security detection based on the target parameter rule.
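How the automatic parameter collection mechanism and the parameter rule configuration platform could fit together, as an added example in Python that is not the patent's code: the WAF collects parameter values from requests that pass the generic rule (the target inbound requests), the platform fits one of several rule types to the observed values and sends the matched rule back, and subsequent detection applies the parameter rule where one is deployed and the generic rule otherwise. The three rule types (int, enum, text), the fitting thresholds, the generic SQL-keyword rule and the ticket-endpoint traffic are constructed assumptions; the example also shows the false positive the generic keyword rule produces on free text and the parameter rule avoids:

```python
"""Parameter collection and parameter-rule matching (added example; not the
patent's code). Rule types, fitting thresholds, the generic rule and the
sample traffic are assumptions constructed for illustration."""
import re
from collections import defaultdict

GENERIC_SQLI = re.compile(r"(?i)\b(select|union|insert|drop|or)\b")  # generic rule (assumed)
CONTROL = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f]")

class IntRule:
    """Integer no wider than the observed maximum plus one digit."""
    kind = "int"
    def __init__(self, digits):
        self.pattern = re.compile(r"-?\d{1,%d}" % digits)
    @classmethod
    def fit(cls, values):
        if not all(re.fullmatch(r"-?\d+", v) for v in values):
            return None
        return cls(max(len(v.lstrip("-")) for v in values) + 1)
    def check(self, v):
        return self.pattern.fullmatch(v) is not None

class EnumRule:
    """One of a small fixed set of values seen repeatedly in traffic."""
    kind = "enum"
    def __init__(self, values):
        self.values = frozenset(values)
    @classmethod
    def fit(cls, values):
        distinct = set(values)
        return cls(distinct) if len(distinct) <= max(2, len(values) // 3) else None
    def check(self, v):
        return v in self.values

class TextRule:
    """Free text: observed maximum length plus slack, no control characters."""
    kind = "text"
    def __init__(self, max_len):
        self.max_len = max_len
    @classmethod
    def fit(cls, values):
        return cls(int(max(len(v) for v in values) * 1.5) + 8)
    def check(self, v):
        return len(v) <= self.max_len and not CONTROL.search(v)

RULE_TYPES = (IntRule, EnumRule, TextRule)  # most specific type first; TextRule always fits

def match_rule(values):
    """Platform side: the first rule type whose fit() accepts the observed values."""
    return next(r for r in (t.fit(values) for t in RULE_TYPES) if r is not None)

def generic_pass(params):
    return not any(GENERIC_SQLI.search(str(v)) for v in params.values())

def learn_rules(traffic, min_samples=5):
    """WAF side: collect parameter values of requests that pass the generic rule, hand
    them to the platform and keep its rule for each (path, parameter) with enough samples."""
    samples = defaultdict(list)
    for path, params in traffic:
        if generic_pass(params):
            for k, v in params.items():
                samples[(path, k)].append(str(v))
    return {key: match_rule(vals) for key, vals in samples.items() if len(vals) >= min_samples}

def detect(path, params, ruleset):
    """Subsequent detection: parameter rule where deployed, generic rule otherwise."""
    for k, v in params.items():
        rule = ruleset.get((path, k))
        if rule is None:
            if GENERIC_SQLI.search(str(v)):
                return False, f"{k}: generic rule"
        elif not rule.check(str(v)):
            return False, f"{k}: {rule.kind} rule"
    return True, "ok"

PATH = "/api/ticket/create"  # constructed sample traffic for one endpoint
TRAFFIC = [
    (PATH, {"dept_id": "12", "status": "open", "title": "Printer jammed on floor 3"}),
    (PATH, {"dept_id": "7", "status": "closed", "title": "VPN drops every hour"}),
    (PATH, {"dept_id": "33", "status": "open", "title": "Need laptop for new hire"}),
    (PATH, {"dept_id": "12", "status": "open", "title": "Badge reader broken"}),
    (PATH, {"dept_id": "5", "status": "closed", "title": "Email quota exceeded"}),
    (PATH, {"dept_id": "21", "status": "open", "title": "Monitor flickers"}),
]
LEARNED = learn_rules(TRAFFIC)  # rules the platform sends back for deployment
```

With the learned rules deployed, a title such as "Union Street office selection" passes, whereas the generic keyword rule alone would block it on "Union"; conversely "12 OR 1=1" in dept_id fails the int rule regardless of which keywords it contains. The fitting order matters: an integer column would also satisfy the text rule, so the platform must try the most restrictive type first, and the minimum sample count keeps a single observed value from being frozen into an enum.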
In this embodiment the WAF is embedded in the application system and tightly coupled to it, so that it can actively collect the application's request parameters; suitable rules are then configured for those parameters, giving precise validation and lowering the false-positive rate that generic rules produce.
Referring to fig. 3, another embodiment of the security detection apparatus based on an application firewall according to the embodiment of the present invention includes:
a deployment configuration unit 201, configured to deploy an application firewall WAF in an application system and configure a filter, where the filter is configured to intercept all inbound requests and request parameters that pass through the WAF;
the inspection filtering unit 202 is configured to invoke the application firewall to perform security inspection filtering on the initial inbound request in the application system according to a preset general rule, so as to obtain a target inbound request;
a monitoring unit 203, configured to enable an automatic parameter collection mechanism to monitor the target inbound request, where the automatic parameter collection mechanism is configured to collect a request parameter value corresponding to the target inbound request;
a sending unit 204, configured to send the corresponding request parameter value to a parameter rule configuration platform, where the parameter rule configuration platform is provided with multiple types of rules, so that the parameter rule configuration platform matches a target parameter rule in the multiple types of rules through the request parameter value;
an obtaining synchronization unit 205, configured to obtain a target parameter rule sent by the parameter rule configuration platform, and synchronously deploy the target parameter rule to the application system;
a detecting unit 206, configured to invoke the WAF to perform subsequent security detection based on the target parameter rule.
Optionally, the inspection filtering unit 202 is specifically configured to:
receiving an initial inbound request;
acquiring a preset general rule in the application system;
calling the application firewall to perform security check on the initial inbound request based on the preset general rule, wherein the preset general rule is used for judging whether the initial inbound request belongs to a malicious request;
if the initial inbound request does not accord with the preset general rule, the initial inbound request belongs to a malicious request and is intercepted and filtered;
and if the initial inbound request conforms to the preset general rule, determining the initial inbound request as a target inbound request.
Optionally, the detecting unit 206 includes:
a scanning module 2061, configured to invoke the WAF to scan a preset path to obtain multiple security rules;
a loading module 2062, configured to load the plurality of security rules;
a verification module 2063, configured to invoke the plurality of security rules to perform security verification on a new inbound request when the WAF subsequently receives it.
Optionally, the checking module 2063 is specifically configured to:
when the WAF subsequently receives a new inbound request, judging whether the new inbound request belongs to a global white list;
if the new inbound request does not belong to a global white list, determining whether the new inbound request accesses a static resource file;
if the new inbound request does not access a static resource file, determining whether the new inbound request passes a custom security rule;
if the new inbound request passes a custom security rule, judging whether a Uniform Resource Locator (URL) of the new inbound request is in a login-free white list;
if the URL of the new inbound request is in the login-free white list, judging whether the new inbound request is HOST forgery attack;
if the new inbound request is not a HOST forgery attack, judging whether the new inbound request is a cross-site request forgery attack;
if the new inbound request is not a cross-site request forgery attack, judging whether the new inbound request is a request meeting specified IP access;
and if the new inbound request is a request meeting the specified IP access, acquiring request parameters corresponding to the new inbound request, checking the legality of the request parameters, and sending the request parameters meeting the legality check to a parameter rule configuration platform.
Optionally, the verification module 2063 is further specifically configured to:
if the new inbound request does not access the static resource file, determine whether the new inbound request contains a Trojan request parameter;
if the new inbound request does not contain the Trojan request parameter, judge whether the new inbound request accesses the sensitive file;
if the new inbound request does not access the sensitive file, determine whether the new inbound request is unauthorized access;
if the new inbound request is not an unauthorized access, determine that the new inbound request passes a custom security rule.
In this embodiment the WAF is embedded in the application system and tightly coupled to it, so that it can actively collect the application's request parameters; suitable rules are then configured for those parameters, giving precise validation and lowering the false-positive rate that generic rules produce.
Fig. 2 to fig. 3 describe the security detection apparatus based on the application firewall in the embodiment of the present invention in detail from the perspective of the modular functional entity; the same apparatus is described in detail below from the perspective of hardware processing.
Fig. 4 is a schematic structural diagram of an application firewall-based security detection apparatus according to an embodiment of the present invention, where the application firewall-based security detection apparatus 400 includes a memory 401, a processor 402, and a computer program stored in the memory and executable on the processor, and when the processor executes the computer program, the processor implements the application firewall-based security detection method according to any embodiment. The application firewall based security detection apparatus 400 may also include a communication interface 403.
When loaded and executed on a computer, the computer instructions cause the processes or functions described in the embodiments of the invention to occur, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or another programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another; for example, they may be transmitted from one website, computer, server, or data center to another by wire (e.g., coaxial cable, optical fiber, twisted pair) or wirelessly (e.g., infrared, radio, microwave). The computer-readable storage medium can be any available medium that a computer can access, or a data storage device, such as a server or data center, that integrates one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., compact disk), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the embodiments provided in the present invention, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk.
The above-mentioned embodiments are only used for illustrating the technical solutions of the present invention, and not for limiting the same; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. A security detection method based on an application firewall is characterized by comprising the following steps:
deploying an application firewall (WAF) in an application system and configuring a filter, wherein the filter is used for intercepting all inbound requests and request parameters passing through the WAF;
calling the application firewall to perform security check filtering on the initial inbound request in the application system according to a preset general rule to obtain a target inbound request;
enabling a parameter automatic collection mechanism to monitor the target inbound request, wherein the parameter automatic collection mechanism is used for collecting a request parameter value corresponding to the target inbound request;
sending the corresponding request parameter values to a parameter rule configuration platform, wherein the parameter rule configuration platform is provided with a plurality of types of rules, so that the parameter rule configuration platform matches a target parameter rule in the plurality of types of rules through the request parameter values;
acquiring a target parameter rule sent by the parameter rule configuration platform, and synchronously deploying the target parameter rule to the application system;
and calling the WAF to perform subsequent security detection based on the target parameter rule.
2. The method for security detection based on an application firewall according to claim 1, wherein the invoking of the application firewall performs security check filtering on an initial inbound request in the application system according to a preset general rule to obtain a target inbound request includes:
receiving an initial inbound request;
acquiring a preset general rule in the application system;
calling the application firewall to perform security check on the initial inbound request based on the preset general rule, wherein the preset general rule is used for judging whether the initial inbound request belongs to a malicious request;
if the initial inbound request does not accord with the preset general rule, the initial inbound request belongs to a malicious request and is intercepted and filtered;
and if the initial inbound request conforms to the preset general rule, determining the initial inbound request as a target inbound request.
3. The application firewall-based security detection method according to claim 1, wherein the invoking the WAF for subsequent security detection based on the target parameter rule comprises:
calling the WAF to scan a preset path to obtain a plurality of safety rules;
loading the plurality of security rules;
and when the WAF subsequently receives a new inbound request, invoking the plurality of security rules to perform security verification on the new inbound request.
4. The application firewall-based security detection method of claim 3, wherein invoking the plurality of security rules to perform security check on a new inbound request when the WAF subsequently receives the new inbound request comprises:
when the WAF subsequently receives a new inbound request, judging whether the new inbound request belongs to a global white list;
if the new inbound request does not belong to a global white list, determining whether the new inbound request accesses a static resource file;
if the new inbound request does not access a static resource file, determining whether the new inbound request passes a custom security rule;
if the new inbound request passes a custom security rule, judging whether a Uniform Resource Locator (URL) of the new inbound request is in a login-free white list;
if the URL of the new inbound request is in the login-free white list, judging whether the new inbound request is HOST forgery attack;
if the new inbound request is not a HOST forgery attack, judging whether the new inbound request is a cross-site request forgery attack;
if the new inbound request is not a cross-site request forgery attack, judging whether the new inbound request is a request meeting specified IP access;
and if the new inbound request is a request meeting the specified IP access, acquiring request parameters corresponding to the new inbound request, checking the legality of the request parameters, and sending the request parameters meeting the legality check to a parameter rule configuration platform.
5. The method of claim 4, wherein if the new inbound request does not access a static resource file, determining whether the new inbound request passes a custom security rule comprises:
if the new inbound request does not access the static resource file, determining whether the new inbound request contains a Trojan request parameter;
if the new inbound request does not contain the Trojan request parameter, judging whether the new inbound request accesses the sensitive file;
if the new inbound request does not access the sensitive file, determining whether the new inbound request is unauthorized access;
if the new inbound request is not an unauthorized access, determining that the new inbound request passes a custom security rule.
6. A security detection device based on an application firewall is characterized by comprising:
a deployment configuration unit, configured to deploy an application firewall WAF in an application system and configure a filter, where the filter is configured to intercept all inbound requests and request parameters that pass through the WAF;
the inspection filtering unit is used for calling the application firewall to perform security inspection filtering on the initial inbound request in the application system according to a preset general rule to obtain a target inbound request;
a monitoring unit, configured to enable an automatic parameter collection mechanism to monitor the target inbound request, where the automatic parameter collection mechanism is configured to collect a request parameter value corresponding to the target inbound request;
the sending unit is used for sending the corresponding request parameter values to a parameter rule configuration platform, and the parameter rule configuration platform is provided with multiple types of rules so that the parameter rule configuration platform can match target parameter rules in the multiple types of rules through the request parameter values;
the acquisition synchronization unit is used for acquiring the target parameter rule sent by the parameter rule configuration platform and synchronously deploying the target parameter rule to the application system;
and the detection unit is used for calling the WAF to perform subsequent safety detection based on the target parameter rule.
7. The application firewall-based security detection apparatus according to claim 6, wherein the inspection filtering unit is specifically configured to:
receiving an initial inbound request;
acquiring a preset general rule in the application system;
calling the application firewall to perform security check on the initial inbound request based on the preset general rule, wherein the preset general rule is used for judging whether the initial inbound request belongs to a malicious request;
if the initial inbound request does not accord with the preset general rule, the initial inbound request belongs to a malicious request and is intercepted and filtered;
and if the initial inbound request conforms to the preset general rule, determining the initial inbound request as a target inbound request.
8. The application firewall-based security detection apparatus according to claim 6, wherein the detection unit comprises:
the scanning module is used for calling the WAF to scan a preset path to obtain a plurality of safety rules;
a loading module for loading the plurality of security rules;
and the verification module is used for calling the plurality of security rules to perform security verification on the new inbound request when the WAF subsequently receives the new inbound request.
9. The application firewall-based security detection apparatus according to claim 8, wherein the verification module is specifically configured to:
when the WAF subsequently receives a new inbound request, judging whether the new inbound request belongs to a global white list;
if the new inbound request does not belong to a global white list, determining whether the new inbound request accesses a static resource file;
if the new inbound request does not access a static resource file, determining whether the new inbound request passes a custom security rule;
if the new inbound request passes a custom security rule, judging whether a Uniform Resource Locator (URL) of the new inbound request is in a login-free white list;
if the URL of the new inbound request is in the login-free white list, judging whether the new inbound request is HOST forgery attack;
if the new inbound request is not a HOST forgery attack, judging whether the new inbound request is a cross-site request forgery attack;
if the new inbound request is not a cross-site request forgery attack, judging whether the new inbound request is a request meeting specified IP access;
and if the new inbound request is a request meeting the specified IP access, acquiring request parameters corresponding to the new inbound request, checking the legality of the request parameters, and sending the request parameters meeting the legality check to a parameter rule configuration platform.
10. A computer-readable storage medium comprising instructions that, when executed on a computer, cause the computer to perform the method for application firewall based security detection of any of claims 1-5.
CN202010329731.6A 2020-04-24 2020-04-24 Security detection method based on application firewall and related equipment Active CN111585981B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010329731.6A CN111585981B (en) 2020-04-24 2020-04-24 Security detection method based on application firewall and related equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010329731.6A CN111585981B (en) 2020-04-24 2020-04-24 Security detection method based on application firewall and related equipment

Publications (2)

Publication Number Publication Date
CN111585981A true CN111585981A (en) 2020-08-25
CN111585981B CN111585981B (en) 2022-07-12

Family

ID=72125450

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010329731.6A Active CN111585981B (en) 2020-04-24 2020-04-24 Security detection method based on application firewall and related equipment

Country Status (1)

Country Link
CN (1) CN111585981B (en)

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103107948A (en) * 2011-11-15 2013-05-15 阿里巴巴集团控股有限公司 Flow control method and flow control device
US20180109546A1 (en) * 2013-04-10 2018-04-19 Illumio, Inc. Distributed Network Security Using a Logical Multi-Dimensional Label-Based Policy Model
CN105338017A (en) * 2014-06-30 2016-02-17 北京新媒传信科技有限公司 WEB defense method and system
US20160182454A1 (en) * 2014-12-22 2016-06-23 Edgecast Networks, Inc. Real-Time Reconfigurable Web Application Firewall For a Distributed Platform
CN106250292A (en) * 2016-08-11 2016-12-21 上海泛微网络科技股份有限公司 A kind of office management system performance monitoring platform
CN108111466A (en) * 2016-11-24 2018-06-01 北京金山云网络技术有限公司 A kind of attack detection method and device
CN109167792A (en) * 2018-09-19 2019-01-08 四川长虹电器股份有限公司 A kind of novel WAF design method based on Nginx
CN110213375A (en) * 2019-06-04 2019-09-06 杭州安恒信息技术股份有限公司 A kind of method, apparatus and electronic equipment of the IP access control based on cloud WAF

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
VICTOR CLINCY;HOSSAIN SHAHRIAR: ""Web Application Firewall: Network Security Models and Configuration"", 《2018 IEEE 42ND ANNUAL COMPUTER SOFTWARE AND APPLICATIONS CONFERENCE (COMPSAC)》 *
姚琳琳、何倩: ""基于分布式对等架构的Web应用防火墙"", 《计算机工程》 *
马月、侯雪城、吴佳帅: ""Web应用防火墙(WAF)技术的综述"", 《计算机时代》 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113676473A (en) * 2021-08-19 2021-11-19 中国电信股份有限公司 Network service safety protection device, method and storage medium
CN113676473B (en) * 2021-08-19 2023-05-02 中国电信股份有限公司 Network service safety protection device, method and storage medium

Also Published As

Publication number Publication date
CN111585981B (en) 2022-07-12

Similar Documents

Publication Publication Date Title
US10467411B1 (en) System and method for generating a malware identifier
CA2946695C (en) Fraud detection network system and fraud detection method
US9838419B1 (en) Detection and remediation of watering hole attacks directed against an enterprise
CN107659583B (en) Method and system for detecting attack in fact
KR101689296B1 (en) Automated verification method of security event and automated verification apparatus of security event
EP2863611B1 (en) Device for detecting cyber attack based on event analysis and method thereof
CN105915532B (en) A kind of recognition methods of host of falling and device
CN105939311A (en) Method and device for determining network attack behavior
CN103516693B (en) Differentiate the method and apparatus of fishing website
CN102185859A (en) Computer system and data interaction method
US12056237B2 (en) Analysis of historical network traffic to identify network vulnerabilities
CN104486320B (en) Intranet sensitive information leakage evidence-obtaining system and method based on sweet network technology
CN111585981B (en) Security detection method based on application firewall and related equipment
CN105939314A (en) Network protection method and device
KR102156340B1 (en) Method and apparatus for blocking web page attack
CN108268774B (en) Method and device for judging attack request
CN107294994B (en) CSRF protection method and system based on cloud platform
KR101923054B1 (en) Wire and wireless gateway for detecting malignant action autonomously based on signature and method thereof
JP2005284523A (en) System, method and program for illegal intrusion detection
KR102001814B1 (en) A method and apparatus for detecting malicious scripts based on mobile device
CN117955739B (en) Interface security identification method and device, computing equipment and storage medium
CN106529286A (en) Behavior detection method and apparatus
CN106685961A (en) ATM (automatic teller machine) security defense system and ATM security defense method
Gheorghe et al. Attack evaluation and mitigation framework
CN116702133A (en) Alarm information noise reduction strategy determination method and device and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant