
CN119316231B - WAF-based attack flow countering method and system - Google Patents


Info

Publication number: CN119316231B
Authority: CN (China)
Prior art keywords: page, access request, preset, waf, content
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Active
Application number: CN202411854267.7A
Other languages: Chinese (zh)
Other versions: CN119316231A
Inventors: 陈俊章, 陈功, 陈凯平
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): Hangzhou Anquan Digital Intelligence Technology Co ltd
Original Assignee: Hangzhou Anquan Digital Intelligence Technology Co ltd
Events: application filed by Hangzhou Anquan Digital Intelligence Technology Co ltd; priority to CN202411854267.7A; publication of CN119316231A; application granted; publication of CN119316231B; legal status active.


Landscapes

  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiments of the present disclosure relate to the field of network security technologies, and in particular to a WAF-based method and system for countering attack traffic. The method comprises the steps of: detecting, according to a preset WAF matching rule, whether an access request is attack traffic; when it is, marking the source IP of the attack traffic as a mark IP and sending a real-person verification to the access terminal; when the real-person verification is passed, generating a response page from the page requested by the access request and a preset simulated vulnerability page, and sending the response page to the access terminal; and when the interaction between the mark IP and the response page meets a preset trigger condition, generating an induction file and prompting its download, wherein the induction file comprises a preset countering code.

Description

WAF-based attack flow countering method and system
Technical Field
The embodiments of the present disclosure relate to the field of network security technologies, and in particular, to a method and a system for countering attack traffic based on WAF.
Background
Web pages have high value: they are the main online presence of enterprises and organizations, used to display products, attract clients and promote sales. They are also centres for data collection and analysis, helping enterprises optimize market strategies and improve the user experience. In addition, the web page is an important line of defence for information security, protecting user data and service continuity. At the social level, web pages provide public service information and educational resources, enhancing transparency and engagement. It is therefore important to enhance the security and functionality of web pages. Attack traffic countering by Web Application Firewalls (WAFs) is an important means of protecting Web applications from various attacks; attack traffic countermeasures not only detect and block attacks but also include a series of response measures that ensure the security and usability of the system. Such countermeasures improve web page security, but current network security is in an unequal state between attack and defence: defenders tend to be overly concerned with passive defence, while attackers bear little cost and risk. This imbalance makes attackers unscrupulous and keeps defenders permanently passive, bringing risks and challenges to web page security, so new defence strategies need to be studied to help contain attacks.
Disclosure of Invention
Various embodiments of the present specification describe a WAF-based attack traffic countering method and system.
In a first aspect, an embodiment of the present disclosure provides a WAF-based attack traffic countering method, including the steps of:
detecting, according to a preset WAF matching rule, whether the access request is attack traffic;
when the access request is attack traffic, marking the source IP of the attack traffic as a mark IP, and sending a real-person verification to the access terminal;
when the real-person verification is passed, generating a response page according to the page requested by the access request and a pre-configured simulated vulnerability page, and sending the response page to the access terminal;
and when the interaction between the mark IP and the response page meets a preset trigger condition, generating an induction file and prompting its download, wherein the induction file comprises a preset countering code.
In a second aspect, embodiments of the present disclosure provide a WAF-based attack traffic countering system, including:
a detection module, used for detecting, according to a preset WAF matching rule, whether the access request is attack traffic;
a verification module, which, when the access request is attack traffic, marks the source IP of the attack traffic as the mark IP and sends a real-person verification to the access terminal;
a response module, which, when the real-person verification is passed, generates a response page according to the page requested by the access request and a pre-configured simulated vulnerability page and sends the response page to the access terminal;
and a countering module, used for generating an induction file and prompting its download when the interaction between the mark IP and the response page meets a preset trigger condition, wherein the induction file comprises a preset countering code.
In a third aspect, embodiments of the present disclosure provide an electronic device comprising a processor and a memory;
the processor is connected with the memory;
The memory is used for storing executable program codes;
The processor runs a program corresponding to the executable program code by reading the executable program code stored in the memory for performing the method of any one of the above aspects.
In a fourth aspect, embodiments of the present description provide a computer-readable storage medium, on which a computer program is stored, which when executed by a processor, implements the method of any of the above aspects.
In a fifth aspect, embodiments of the present description provide a computer program product comprising a computer program which, when executed by a processor, implements the method of any of the above aspects.
The technical scheme provided by some embodiments of the present specification has the following beneficial effects:
In various embodiments of the present disclosure, a WAF-based attack traffic countering method and system are provided that actively induce an attacker to interact multiple times, thereby collecting more information about the attack and learning what kind of information the attacker is interested in. The attacker's confidence that the attack has succeeded is reinforced, so that vigilance is relaxed and the induction file is more readily downloaded and opened, and finally the attack is countered. Because the response page is generated from the simulated vulnerability page, the attack traffic cannot reach the page that normally provides the service, and the safe operation of the server is ensured.
Other features and advantages of various embodiments of the present disclosure will be further disclosed in the following detailed description, the accompanying drawings.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present description, the drawings that are required in the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present description, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is an application scenario schematic diagram of an attack traffic countering method according to an embodiment of the present disclosure.
Fig. 2 is a schematic diagram of another application scenario of the attack traffic countering method according to the embodiment of the present disclosure.
Fig. 3 is a schematic diagram of an application architecture of an attack traffic countering method according to an embodiment of the present disclosure.
Fig. 4 is a schematic flow chart of an attack traffic countering method according to an embodiment of the present disclosure.
Fig. 5 is a flow chart of a method for detecting attack traffic according to an embodiment of the present disclosure.
Fig. 6 is a flowchart of a method for configuring a simulated vulnerability page according to an embodiment of the present disclosure.
Fig. 7 is a flowchart of a method for generating a response page according to an embodiment of the present disclosure.
Fig. 8 is a flowchart of a method for generating an induced file according to an embodiment of the present disclosure.
Fig. 9 is a schematic diagram of an attack traffic countering system according to an embodiment of the present disclosure.
Fig. 10 is a schematic diagram of an electronic device according to an embodiment of the present disclosure.
Detailed Description
The technical solutions of the embodiments of the present specification are explained and illustrated below with reference to the drawings of the embodiments of the present specification, but the following embodiments are only preferred embodiments of the present specification, and not all the embodiments. Based on the examples in the implementation manner, those skilled in the art may obtain other examples without making any creative effort, which fall within the protection scope of the present specification.
The terms first, second, third and the like in the description and in the claims and in the above drawings are used for distinguishing between different objects and not necessarily for describing a particular sequential or chronological order. Furthermore, the terms "comprise" and "have," as well as any variations thereof, are intended to cover a non-exclusive inclusion. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those listed steps or elements but may include other steps or elements not listed or inherent to such process, method, article, or apparatus.
In the following description, directional or positional relationships such as the terms "inner", "outer", "upper", "lower", "left", "right", etc., are presented merely to facilitate describing the embodiments and simplify the description, and do not indicate or imply that the devices or elements referred to must have a particular orientation, be constructed and operate in a particular orientation, and therefore should not be construed as limiting the description.
The data related to the application are information and data authorized by the user or fully authorized by all parties, and the collection of the related data complies with related laws and regulations and standards of related countries and regions.
The technical scheme related by the application is implemented under legal compliance conditions.
Before describing the technical scheme, the application scenario of the technical scheme and related technologies are described.
In the current internet environment, the servers 10 deployed on the network are at all times exposed to various types of attack. While WEB applications become ever richer, WEB servers, with their powerful computing power, processing performance and the high value they hold, have become a major target of attack; SQL injection, web page tampering, web page Trojan embedding and the like occur frequently. These attacks include, but are not limited to, scanning by web service probing tools, malicious crawling by automated crawlers, and targeted attacks initiated by a human. They are diverse and complex, ranging from simple port scanning to complex zero-day exploits, and pose a serious threat to the security and stability of the server 10.
Web Application Firewalls (WAFs) are one of the important tools protecting the server 10 from network attacks. WAF 20 detects and intercepts potentially malicious requests by matching them against rules written for known network vulnerabilities. However, the protective capability of WAF 20 is not without limits. For undisclosed attacks, especially those exploiting zero-day vulnerabilities, WAF 20 tends to have difficulty achieving effective interception. Such unknown attack methods may bypass existing protection rules, leaving the server 10 at risk of being breached.
Therefore, when a network attack event is traced back and analysed afterwards, as many valuable clues as possible need to be collected. These clues include, but are not limited to, the IP address of the attacker, the time and frequency of the attack, the attack tools and techniques used, and the specific interfaces and parameters attacked. By comprehensively analysing this information, the characteristics and behaviour patterns of the attacker can be identified more accurately, providing a reference for future protection strategies.
But current network security is in an unequal state between attack and defence. In network security protection, defenders often focus too much on passive defence and lack countering strategies, while the attacker bears little cost and risk. This imbalance makes the attacker unscrupulous and keeps the defender in a passive state, which is detrimental to the security of the web server 10.
Particularly in an internet of things (IoT) environment, many devices use web pages as access and control interfaces. This is because web interfaces have advantages of cross-platform, ease of use, and scalability. The Internet of things equipment using web pages as access and control interfaces is widely applied to various scenes, from smart home to industrial production, from medical health to agricultural management, and to smart city and security monitoring. The usability and the cross-platform characteristic of the webpage interface enable a user to access and control the devices through the browser at any time and any place, and the usability and the management efficiency of the devices are improved. However, this also presents a security challenge, requiring appropriate security measures to be taken to protect these devices from attack. Under the condition of high-speed development of the Internet of things, the access and control of the Internet of things equipment are also in a severe security situation.
Therefore, the specification provides a WAF-based attack traffic countering method and system that can identify, intercept, track and counter attacks, contributing to improved network security. Please refer to fig. 1, a schematic diagram of an application scenario of the technical solution described in the present specification. The page 11 providing the service and the simulated vulnerability page 12 are both provided on the server 10. WAF 20 may be located either on the server 10 or on a dedicated firewall server 21 (as shown in fig. 2). An access request sent by the request end 30 reaches WAF 20 first; WAF 20 performs screening, normal access requests are directed to the requested page 11 that provides the service, attack access requests are redirected to the simulated vulnerability page 12, and finally the countering is carried out. The method described in this specification runs on the server 10. When WAF 20 is provided on a dedicated firewall server 21, some of the steps run on the firewall server 21 and some on the server 10.
The method provided by the application is applied to a system architecture shown in fig. 3, fig. 3 is a schematic diagram of the system architecture in the embodiment of the application, and as shown in fig. 3, the system architecture includes a server 10 and a terminal device, and a request end 30 (i.e. a web browser) is deployed on the terminal device. The server 10 according to the present application may be an independent physical server, or may be a server cluster or a distributed system formed by a plurality of physical servers, or may be a cloud server that provides cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, content delivery networks (Content Delivery Network, CDN), and basic cloud computing services such as big data and artificial intelligence platforms. The terminal device may be, but is not limited to, a smart phone, a tablet computer, a notebook computer, a palm computer, a personal computer, a smart speaker, a smart television, a smart watch, a vehicle-mounted device, a wearable device, and the like. The terminal device and the server 10 may be directly or indirectly connected through wired or wireless communication, and the present application is not limited herein. The number of servers 10 and terminal devices is not limited either.
In view of the many terms involved in the present application, these terms will be described first.
WAF
WAF refers to a Web application defence system (also called a Web-application-level intrusion prevention system; English: Web Application Firewall, abbreviated WAF). A Web application firewall is a product that provides protection specifically for Web applications by enforcing a series of security policies on HTTP/HTTPS.
Attack traffic
Attack traffic refers to network traffic in the internet that is initiated by a malicious attacker and intended to cause damage, interference or unauthorized access to the target system or network. Such traffic often carries specific malicious activity such as probing, scanning, injection or denial of service, intended to disrupt the proper functioning of the target system or to steal sensitive information. Attack traffic can perform illegal operations on the target system or network, or produce destructive results, such as: destroying system components, so that the target system cannot operate normally and service is interrupted; stealing information, i.e. obtaining sensitive information of the target system such as user data, passwords and financial information; tampering with information, i.e. modifying data in the target system so that it becomes inconsistent or erroneous; and unauthorized access, i.e. obtaining access rights to the target system without authorization and performing illegal operations.
Induction file
Induction files (Lure Files) are files deliberately placed in the system or on the network to attract the attention of an attacker and induce them to download or access the files. These files typically disguise themselves as legitimate files but actually contain countering code, so that the security team can detect and analyse the activity of the attacker.
Countering code
Countering code (Countermeasures Code) refers to specially designed code or scripts for detecting, preventing or responding to an attack. Countering code may be integrated into a variety of security tools and systems, such as firewalls, Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS).
The main functions of the countering code are detection and alerting; predefined response measures, such as blocking malicious IP addresses or quarantining infected hosts, can also be performed automatically. Detailed attack logs, including attacker behaviour, time stamps and attack means, may also be recorded, providing data support for subsequent attack analysis and evidence collection.
The present disclosure first provides a WAF-based attack traffic countering method, referring to fig. 4, including the steps of:
Step S101) detecting whether the access request is attack traffic according to a preset WAF matching rule.
Web Application Firewalls (WAFs) detect and block various types of network attacks through preset matching rules.
Illustratively, a matching rule for SQL injection attack traffic is (the page shows only the operator and action list; the target variable ARGS, i.e. the request parameters, is supplied here so that the rule is complete):
SecRule ARGS "@rx (union\s+select|exec\s+\(|insert\s+into|update\s+set|delete\s+from)" "id:100,rev:1,severity:2,msg:'SQL Injection Attack Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',phase:2,deny,status:403,t:lowercase,t:replaceNulls,t:compressWhitespace"
This matching rule detects and blocks requests containing SQL injection features such as 'union select', 'exec (', 'insert into', 'update set' and 'delete from'. Specifically, the regular expression '@rx (union\s+select|exec\s+\(|insert\s+into|update\s+set|delete\s+from)' is used to detect whether the request parameters contain SQL injection features; if the match succeeds, the access request is determined to be attack traffic. Here 't:lowercase' converts the input to lowercase, 't:replaceNulls' replaces null characters, and 't:compressWhitespace' compresses whitespace, to improve matching accuracy.
As a further example, a matching rule for cross-site scripting (XSS) attack traffic is (again with the target variable ARGS supplied):
SecRule ARGS "@rx (<script>|<iframe>|onerror=|alert\()" "id:101,rev:1,severity:2,msg:'XSS Attack Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',phase:2,deny,status:403,t:lowercase,t:replaceNulls,t:compressWhitespace"
This matching rule detects and blocks requests containing cross-site scripting features such as '<script>', '<iframe>', 'onerror=' and 'alert('. Whether the request parameters contain XSS features is detected with the regular expression '@rx (<script>|<iframe>|onerror=|alert\()'.
As a further example, a matching rule for cross-site request forgery (CSRF) is:
SecRule REQUEST_HEADERS:Referer "!@streq http://example.com" "id:102,rev:1,severity:2,msg:'CSRF Attack Detected',logdata:'Invalid Referer: %{REQUEST_HEADERS:Referer}',phase:2,deny,status:403"
This matching rule detects and blocks requests that lack a valid CSRF indication, ensuring that requests come from a legitimate source: it checks whether the request's Referer header equals 'http://example.com' and, if not, treats the request as a CSRF attack.
Through these example rules, the WAF can effectively detect matching attack traffic based on the characters contained in the URL. In practice, these rules may be adapted and extended with techniques disclosed in the art, depending on specific needs and circumstances.
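As an added example (not code from the patent or its applicant), the following Python reproduces the effect of the three example rules above on a request, applying the t:lowercase, t:replaceNulls and t:compressWhitespace transformations the rules name before matching. The sample requests, the verdict dictionary format and the treatment of an absent Referer header (no match, as for a ModSecurity variable that is not present) are assumptions of this example; in production the rules would be evaluated by the WAF engine itself.

```python
import re
from typing import Dict, Optional

# Transformations equivalent to the t:lowercase, t:replaceNulls and
# t:compressWhitespace actions named in the rules above.
def normalize(value: str) -> str:
    value = value.lower()                      # t:lowercase
    value = value.replace("\x00", " ")         # t:replaceNulls
    return re.sub(r"\s+", " ", value)          # t:compressWhitespace

# Parameter rules taken from the page's example rules id 100 and id 101.
PARAM_RULES = [
    (100, "SQL Injection Attack Detected",
     re.compile(r"(union\s+select|exec\s+\(|insert\s+into|update\s+set|delete\s+from)")),
    (101, "XSS Attack Detected",
     re.compile(r"(<script>|<iframe>|onerror=|alert\()")),
]
# Expected Referer from the page's example rule id 102.
EXPECTED_REFERER = "http://example.com"

def match_request(args: Dict[str, str], headers: Dict[str, str]) -> Optional[dict]:
    """Step S101: return the first matching rule's verdict, or None for a normal request.

    Each parameter value is normalized before matching, as the transformations in the
    rules demand, so case changes and padding whitespace do not evade the patterns.
    """
    for name, raw in args.items():
        value = normalize(raw)
        for rule_id, msg, pattern in PARAM_RULES:
            m = pattern.search(value)
            if m:
                return {"id": rule_id, "msg": msg, "status": 403,
                        "var": f"ARGS:{name}", "matched": m.group(0)}
    # Rule 102 inspects the Referer header; like the ModSecurity original it only
    # evaluates when the header is present (assumption of this example).
    referer = headers.get("Referer")
    if referer is not None and referer != EXPECTED_REFERER:
        return {"id": 102, "msg": "CSRF Attack Detected", "status": 403,
                "var": "REQUEST_HEADERS:Referer", "matched": referer}
    return None

if __name__ == "__main__":
    # Constructed sample requests, not taken from the page.
    samples = [
        ({"id": "1 UNION\t\tSELECT password FROM users"}, {}),
        ({"q": "<ScRiPt>alert(1)</script>"}, {}),
        ({"page": "home"}, {"Referer": "http://other.example"}),
        ({"page": "home"}, {"Referer": "http://example.com"}),
    ]
    for args, headers in samples:
        print(args, headers, "->", match_request(args, headers))
```

The transformations matter for the decision: without them the mixed-case and tab-padded sample values would slip past patterns written in lowercase with single spaces, which is exactly why the page's rules list them.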
Step S102) when the access request is attack traffic, marking the source IP of the attack traffic as the mark IP, and sending a real-person verification to the access terminal. After attack traffic is detected, its source IP is marked as a mark IP. This may be accomplished by setting an environment variable, for example with the action setenv:ATTACK_IP=%{REMOTE_ADDR}. A verification page (e.g. verify.php) is created for the real-person verification. This page may contain a verification code (CAPTCHA), slide verification, or another form of verification mechanism.
Illustratively, verification is performed with the following verification code form. The code is displayed on the verification page against a complex background.
<p>Please complete the following verification to continue access.</p>
<form action="/verify.php" method="post">
  <label for="captcha">Please enter the verification code:</label>
  <input type="text" id="captcha" name="captcha" required>
  <input type="hidden" name="ip" value="<?php echo htmlspecialchars($ip); ?>">
  <button type="submit">Verify</button>
</form>
After receiving the submitted form, the server 10 checks the submitted code, for example with if ($captcha == '123456') { /* example verification code; verification passed, clear the mark */ }, and can thus determine whether the visitor is a person.
Step S103) when the real-person verification is passed, a response page is generated according to the page requested by the access request and the pre-configured simulated vulnerability page 12, and sent to the access terminal.
The simulated vulnerability page 12 appears to be a page with vulnerabilities but is actually used only to confuse and track the attacker. The page format and content of the simulated vulnerability page 12 are highly similar to those of the page 11 that normally provides the service, except that specific content is modified, so that an attacker cannot tell which is genuine. For example, if the user requests a control page, the returned response page displays the same controls, but the control parameters and the object information of the controls are modified and displayed as erroneous information, leading the attacker to believe that the attack has succeeded.
Step S104) when the interaction between the mark IP and the response page meets the preset trigger condition, generating an induction file and prompting its download, wherein the induction file comprises a preset countering code. When an attacker interacts multiple times, i.e. sends access requests multiple times, the server 10 correspondingly generates multiple response pages, forming multiple records of interaction with the response page. When the interaction meets the preset trigger condition, an induction file is generated and its download is prompted. The countering code placed in the induction file may be set using techniques disclosed in the art.
On the other hand, the interaction logs of all access requests within a preset time are recorded. Referring to fig. 5, the method for detecting, according to the preset WAF matching rule, whether the access request is attack traffic includes:
Step S201) determining whether the IP address used by the access request matches a mark IP, and if so, determining that the access request is attack traffic.
Step S202) reading the URL of the access request, parsing the parameters of the URL, and matching the parameters against the preset WAF matching rules; if they match, the access request is determined to be attack traffic.
Step S203) if they do not match, obtaining the interaction record of the IP address used by the access request from the interaction log.
Step S204) matching the interaction record against a preset interaction rule, and if it matches, determining that the request is attack traffic.
It should be noted that, in web interaction, each access request carries a new URL and is treated as a new access request. Whether it comes from a request end 30 that has accessed before can, however, be determined from the source IP address. Of course, the request end 30 may change its IP address under some conditions; when it does, the mark IP cannot identify the new access request as attack traffic. When attack traffic cannot be identified by the mark IP, the WAF matching rules are used for matching.
The method for presetting WAF matching rules comprises generating matching rules on characters, commands and parameters according to the configured attack types.
The method for presetting interaction rules comprises generating matching rules on interaction count, interaction frequency and interaction similarity according to the configured abnormal access types.
When none of the previous access requests from an IP address has been marked as a mark IP, but the requests are found to be too frequent (e.g. 1000 access requests per second for 1 second) or their interaction similarity is too high, e.g. repeated requests for the same page or repeated submissions of a form on the page, the access request is judged to be attack traffic by interaction similarity. Specifically, the preset interaction rule may be set such that the number of interactions is greater than a set threshold, or the frequency of interactions is greater than a set threshold, or the degree of similarity of interactions is greater than a set threshold.
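To show steps S201 to S204 together with the interaction rules just described, here is an added Python example that is not taken from the patent. The interaction log, the time window, all threshold values, the similarity measure (the share of an IP's requests that go to its most-requested URL) and the minimum-request guard on that measure are assumptions of this example; the WAF parameter matching of step S202 is supplied by the caller as a callable so the block stands on its own.

```python
from collections import Counter
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Set, Tuple

Record = Tuple[datetime, str, str]   # (timestamp, source IP, requested URL)

# Constructed interaction log, not from the page: one source repeating the same
# control page 100 times in about two seconds, and one visitor browsing five pages.
BASE = datetime(2024, 1, 1, 12, 0, 0)
INTERACTION_LOG: List[Record] = (
    [(BASE + timedelta(milliseconds=20 * i), "203.0.113.5", "/control?dev=1") for i in range(100)]
    + [(BASE + timedelta(seconds=12 * i), "198.51.100.7", f"/page{i}") for i in range(5)]
)

WINDOW = timedelta(seconds=60)   # the "preset time" over which interactions are kept
# Illustrative thresholds for the interaction rules (values chosen for this example).
MAX_COUNT = 50                   # interaction count
MAX_PER_SECOND = 20.0            # interaction frequency
MAX_SIMILARITY = 0.8             # interaction similarity
MIN_FOR_SIMILARITY = 10          # similarity says nothing about a handful of requests

def interaction_stats(records: List[Record]) -> Dict[str, float]:
    """Count, frequency (requests per second) and similarity of one IP's interactions."""
    count = len(records)
    if count == 0:
        return {"count": 0, "per_second": 0.0, "similarity": 0.0}
    times = [r[0] for r in records]
    span = (max(times) - min(times)).total_seconds()
    per_second = count / max(span, 1.0)   # a sub-second burst counts as one second
    # Similarity: share of the IP's requests that hit its most-requested URL.
    top = Counter(r[2] for r in records).most_common(1)[0][1]
    return {"count": count, "per_second": per_second, "similarity": top / count}

def violates_interaction_rule(stats: Dict[str, float]) -> bool:
    """Preset interaction rule: count, frequency or similarity above its threshold."""
    if stats["count"] > MAX_COUNT or stats["per_second"] > MAX_PER_SECOND:
        return True
    # A first visit has similarity 1.0 by construction; judge similarity only once
    # enough requests exist, otherwise every new visitor would be marked.
    return stats["count"] >= MIN_FOR_SIMILARITY and stats["similarity"] > MAX_SIMILARITY

def classify_request(ip: str, args: Dict[str, str], now: datetime, log: List[Record],
                     marked: Set[str], param_rule_hit: Callable[[Dict[str, str]], bool]) -> str:
    """Steps S201-S204; `param_rule_hit` stands in for the WAF parameter matching of S202."""
    if ip in marked:                                  # S201: already a mark IP
        return "attack:marked-ip"
    if param_rule_hit(args):                          # S202: WAF matching rule fires
        marked.add(ip)
        return "attack:waf-rule"
    records = [r for r in log if r[1] == ip and timedelta(0) <= now - r[0] <= WINDOW]  # S203
    if violates_interaction_rule(interaction_stats(records)):                         # S204
        marked.add(ip)
        return "attack:interaction-rule"
    return "normal"

def run_demo() -> List[str]:
    """Classify three constructed requests: burst source, same source again, ordinary visitor."""
    marked: Set[str] = set()
    no_hit = lambda args: False
    return [
        classify_request("203.0.113.5", {}, BASE + timedelta(seconds=2), INTERACTION_LOG, marked, no_hit),
        classify_request("203.0.113.5", {}, BASE + timedelta(seconds=3), INTERACTION_LOG, marked, no_hit),
        classify_request("198.51.100.7", {}, BASE + timedelta(seconds=60), INTERACTION_LOG, marked, no_hit),
    ]

if __name__ == "__main__":
    print(run_demo())
```

The second call shows the effect of marking: once the bursting source has been marked, later requests from it are classified by step S201 alone, without re-evaluating the rules. The minimum-request guard is the edge case worth keeping in mind when configuring such a rule: a single request is trivially "100% similar" to itself.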
On the other hand, referring to fig. 6, the method for pre-configuring the simulated vulnerability page 12 includes:
Step S301) modifying the content of the page requested by the access request to serve as the content of the simulated vulnerability page 12. The modification may be made automatically by a program, or through a modification template configured manually in advance. Real data and information are modified into erroneous data and information.
Step S302) setting the simulated vulnerability page 12 so that it does not trigger the WAF matching rules or the interaction rules.
Step S303) configuring a redirection rule that redirects subsequent access requests from the mark IP to a preset defending page.
Step S304) the defending page generates a new response page according to the subsequent access request and sends it to the access terminal.
On the other hand, in another embodiment, referring to fig. 7, the method by which the defending page generates a new response page according to the subsequent access request and sends it to the access terminal includes:
Step S401) reading the content of the page requested by the subsequent access request and obtaining the proportion of each information type in the content, where the information types include data information, account information and status information.
Specifically, this comprises reading the content of the requested page, extracting the information in the page with text-analysis techniques, classifying the extracted information into data information, account information and status information, and finally calculating the proportion of each information type.
Illustratively, the following code reads the content of the requested page:
function fetch_page_content($url) {
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $content = curl_exec($ch);
    curl_close($ch);
    return $content;
}
The information in the page is then extracted with regular expressions or another text-parsing technique.
Illustratively, the regular expressions are as follows:
preg_match_all('/<div class="data">(.*?)<\/div>/is', $content, $matches_data);
preg_match_all('/<div class="account">(.*?)<\/div>/is', $content, $matches_account);
preg_match_all('/<div class="status">(.*?)<\/div>/is', $content, $matches_status);
These match data information, account information and status information respectively. Illustratively, the page accessed is a smart-home control page. The data information then contains data relating to device status, environmental parameters and so on, for example: temperature, the current indoor temperature value; humidity, the current indoor humidity value; illumination intensity, the current indoor illumination intensity value; air quality, the current indoor air quality index; energy consumption, the energy consumption data of the device; and sensor data, the readings of various sensors (such as smoke and infrared sensors).
The account information contains information related to the user account, for example: user name, the login name of the user; password, the user's login password (usually not shown in plain text on the page, but possibly present in a form); mailbox, the registered e-mail address of the user; mobile phone number, the registered mobile number of the user; user ID, the unique identifier of the user; and permission level, the permission level of the user, such as administrator or ordinary user.
The status information contains data related to device status, system status and so on, for example: device status, whether the device is online or offline; connection status, the connection state between the device and the server 10; battery power, the battery level of the device; fault information, the device's fault information or error code; operational state, the current operating state of the device, such as on/off or run/pause; and update status, the firmware update status of the device. The proportion of each information type is obtained from the number of bytes occupied by each of the three types of information.
Step S402) modifies the content of the requested page as the content of the response page.
Step S403) obtains the information type with the largest duty ratio, records it as the main information type, generates more information of the main information type, and adds that generated information to the response page.
Step S404) sends the response page to the access terminal.
Illustratively, the attacker is more interested in the state information and therefore will continually access pages with more state information displayed.
The preset trigger condition is set according to the duty ratio of the main information type in the content of the response page. Referring to fig. 8, when the duty ratio of the main information type exceeds a preset threshold, the trigger condition is met, and the method for generating the induced file includes:
Step S501) generates information of the main information type as the content of the induced file.
Step S502) generates a countermeasure code and adds it to the induced file.
Step S503) generates a file name of the induced file according to the main information type.
When the attacker is more interested in status information, a file is generated specifically for that attacker which claims to record a large amount of historical status information, or which claims to record all current statuses; this file is the induced file, which the attacker is then more likely to download voluntarily. The countermeasure code may be added by techniques known in the art.
By actively inducing the attacker to interact multiple times, more information about the attack is collected and the types of information the attacker is interested in become known. At the same time the attacker's confidence that the attack has succeeded is reinforced, so that vigilance is relaxed, the induced file is more readily downloaded and opened, and the attack is finally countered.
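As an added example that is not the patent's own code, the following Python models the page-shaping steps S401 to S404 and the trigger and decoy-file steps S501 to S503 together: the sample page, the div-class regexes (taken from the page's PHP illustration), the decoy templates, the file names and the 0.6 threshold are all constructed assumptions, and step S502 (attaching the countermeasure code) is intentionally left out.

```python
from __future__ import annotations
import re

# Regexes mirror the page's preg_match_all patterns for the three information types
# (assumed page markup: the requested page tags each fragment with one of these classes).
TYPE_PATTERNS = {
    "data": re.compile(r'<div class="data">(.*?)</div>', re.I | re.S),
    "account": re.compile(r'<div class="account">(.*?)</div>', re.I | re.S),
    "status": re.compile(r'<div class="status">(.*?)</div>', re.I | re.S),
}

# Constructed sample of a requested smart-home control page (not from the patent).
SAMPLE_PAGE = (
    "<html><body>"
    '<div class="data">temperature 21.5 C</div>'
    '<div class="account">user alice</div>'
    '<div class="status">device gateway-1 online</div>'
    '<div class="status">device camera-2 offline, battery 17 %</div>'
    "</body></html>"
)

# Constructed decoy templates; the values they produce are fabricated filler, not real data.
DECOY_TEMPLATES = {
    "data": "sensor-{n}: temperature {t} C, humidity {h} %",
    "account": "user-{n}: role common-user, last login 2024-01-{d:02d}",
    "status": "device-{n}: online, battery {b} %, firmware up to date",
}

DECOY_FILE_NAMES = {  # step S503: file name chosen from the main information type (assumed names)
    "data": "sensor_history_export.csv",
    "account": "user_directory_export.csv",
    "status": "device_status_history.csv",
}


def extract_by_type(html: str) -> dict[str, list[str]]:
    """Step S401, first half: pull the data/account/status fragments out of the page."""
    return {name: pat.findall(html) for name, pat in TYPE_PATTERNS.items()}


def byte_share(fragments: dict[str, list[str]]) -> dict[str, float]:
    """Step S401, second half: duty ratio of each type, measured in bytes of matched content."""
    sizes = {k: sum(len(v.encode("utf-8")) for v in vals) for k, vals in fragments.items()}
    total = sum(sizes.values())
    if total == 0:  # no classified content at all: every share is zero, avoid dividing by zero
        return {k: 0.0 for k in sizes}
    return {k: size / total for k, size in sizes.items()}


def main_type(shares: dict[str, float]) -> str:
    """The information type with the largest duty ratio."""
    return max(shares, key=shares.get)


def generate_decoys(kind: str, count: int) -> list[str]:
    """Deterministic filler lines of one information type (str.format ignores unused keys)."""
    return [
        DECOY_TEMPLATES[kind].format(n=n, t=20 + n % 5, h=40 + n % 10, d=1 + n % 28, b=100 - n % 40)
        for n in range(1, count + 1)
    ]


def build_response_page(requested_html: str, extra: int = 5) -> tuple[str, str]:
    """Steps S402 and S403: copy the requested page, then append `extra` fragments of the
    main information type. Returns the new page and the main type it was shaped around."""
    kind = main_type(byte_share(extract_by_type(requested_html)))
    decoys = "".join(f'<div class="{kind}">{line}</div>' for line in generate_decoys(kind, extra))
    if "</body>" in requested_html:
        return requested_html.replace("</body>", decoys + "</body>", 1), kind
    return requested_html + decoys, kind


def trigger_met(response_html: str, kind: str, threshold: float = 0.6) -> bool:
    """Preset trigger condition: the main type's duty ratio in the response page exceeds
    the threshold (0.6 is an assumed value; the patent leaves the threshold to configuration)."""
    return byte_share(extract_by_type(response_html))[kind] > threshold


def build_induced_file(kind: str, rows: int = 20) -> tuple[str, str]:
    """Steps S501 and S503: decoy content of the main type plus a matching file name.
    Step S502 (attaching countermeasure code) is deliberately not implemented here."""
    body = "\n".join(generate_decoys(kind, rows)) + "\n"
    return DECOY_FILE_NAMES[kind], body


if __name__ == "__main__":
    page, kind = build_response_page(SAMPLE_PAGE)
    print("main type:", kind, "trigger met:", trigger_met(page, kind))
```

On the sample page the status fragments hold 60 of 88 classified bytes, so status becomes the main type; after five decoy fragments are appended its share rises above the threshold and the decoy file step is reached.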
In another aspect, the present disclosure provides a WAF-based attack traffic countering system, referring to fig. 9, including:
The detection module 100 detects whether the access request is attack flow according to a preset WAF matching rule;
The verification module 200, when the access request is attack traffic, marks the source IP of the attack traffic as the marked IP and sends a real-person verification to the access terminal;
the response module 300, when the real-person verification is passed, generates a response page according to the page requested by the access request and the pre-configured simulated vulnerability page 12, and sends the response page to the access terminal;
and the countermeasure module 400 generates an induced file and prompts its download when the interaction between the marked IP and the response page meets the preset trigger condition, wherein the induced file includes a preset countermeasure code.
Please refer to fig. 10, which illustrates a schematic structural diagram of an electronic device according to an embodiment of the present disclosure.
As shown in fig. 10, the electronic device 1100 may include at least one processor 1101, at least one network interface 1104, a user interface 1103, a memory 1105, and at least one communication bus 1102. The communication bus 1102 is used to connect the above components and let them communicate. The user interface 1103 may comprise keys, and optionally a standard wired interface or a wireless interface. The network interface 1104 may include, but is not limited to, a Bluetooth module, an NFC module, a Wi-Fi module, and the like. The processor 1101 may comprise one or more processing cores. The processor 1101 connects the various parts of the whole electronic device 1100 through various interfaces and lines, and performs the functions of the electronic device 1100 and processes data by running or executing the instructions, programs, code sets or instruction sets stored in the memory 1105 and by invoking data stored in the memory 1105. Alternatively, the processor 1101 may be implemented in at least one of the hardware forms DSP, FPGA and PLA. The processor 1101 may integrate one or a combination of a CPU, a GPU, a modem and the like. The CPU mainly handles the operating system, the user interface, application programs and the like; the GPU renders and draws the content to be shown on the display screen; and the modem handles wireless communication.
It will be appreciated that the modem may not be integrated into the processor 1101 and may be implemented by a single chip.
The memory 1105 may include RAM or ROM. Optionally, the memory 1105 includes a non-transitory computer readable medium. Memory 1105 may be used to store instructions, programs, code, sets of codes, or sets of instructions. The memory 1105 may include a stored program area that may store instructions for implementing an operating system, instructions for at least one function (such as a touch function, a sound playing function, an image playing function, etc.), instructions for implementing the various method embodiments described above, etc., and a stored data area that may store data related to the various method embodiments described above, etc. The memory 1105 may also optionally be at least one storage device located remotely from the processor 1101. The memory 1105, which is a type of computer storage medium, may include an operating system, a network communication module, a user interface module, and application programs. The processor 1101 may be used to invoke the application program stored in the memory 1105 and perform the methods of the various embodiments described above.
The present description also provides a computer-readable storage medium having instructions stored therein, which when executed on a computer or processor, cause the computer or processor to perform the steps of the above embodiments. The above-described constituent modules of the electronic apparatus may be stored in the computer-readable storage medium if implemented in the form of software functional units and sold or used as independent products.
The present description also provides a computer program product comprising a computer program which, when executed by a processor, implements the steps of the above embodiments.
The technical features in the present examples and embodiments may be arbitrarily combined without conflict.
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes a plurality of computer instructions. When these are loaded and executed on a computer, the flows or functions of the embodiments of the present description are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable apparatus. The computer instructions may be stored in, or transmitted across, a computer-readable storage medium. The computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wired means (e.g., coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless means (e.g., infrared, radio, microwave). The computer-readable storage medium may be any available medium that a computer can access, or a data storage device such as a server or data center that integrates a plurality of available media. The usable medium may be a magnetic medium (e.g., a floppy disk, a hard disk, a magnetic tape), an optical medium (e.g., a digital versatile disc (DVD)), or a semiconductor medium (e.g., a solid state disk (SSD)), or the like.
When the method is implemented in hardware or firmware, the method flow is programmed into a hardware circuit to obtain a corresponding hardware circuit structure that realizes the corresponding functions. For example, a programmable logic device (PLD) such as a field programmable gate array (FPGA) is an integrated circuit whose logic functions are determined by the user's programming of the device. A designer programs a digital system onto the PLD without asking a chip manufacturer to design and fabricate an application-specific integrated circuit chip. Moreover, instead of manually fabricating integrated circuit chips, such programming is today mostly implemented with "logic compiler" software, which is similar to the software compiler used in program development; the source code before compilation is likewise written in a specific programming language, called a hardware description language (HDL), of which there is not just one but many. It will also be apparent to those skilled in the art that a hardware circuit implementing the logic method flow can be readily obtained by programming the method flow into an integrated circuit with a few of the hardware description languages described above.
The above-described embodiments are merely preferred embodiments of the present disclosure, and do not limit the scope of the disclosure, and various modifications and improvements made by those skilled in the art to the technical solutions of the disclosure should fall within the protection scope defined by the claims of the disclosure without departing from the design spirit of the disclosure.

Claims (8)

1. A WAF-based attack traffic countermeasure method, characterized in that it comprises the following steps:
detecting whether an access request is attack traffic according to preset WAF matching rules;
when the access request is attack traffic, marking the source IP of the attack traffic as the marked IP, and sending a real-person verification to the access end;
when the real-person verification is passed, generating a response page according to the page requested by the access request and the pre-configured simulated vulnerability page, and sending it to the access end;
when the interaction between the marked IP and the response page meets the preset trigger condition, generating an inducement file and prompting its download, wherein the inducement file includes a preset countermeasure code;
the method for pre-configuring the simulated vulnerability page includes:
modifying the content of the page requested by the access request as the content of the simulated vulnerability page;
setting the simulated vulnerability page not to trigger the WAF matching rules and interaction rules;
configuring a redirection rule, wherein the redirection rule redirects all subsequent access requests of the marked IP to a preset defense page;
the defense page generates a new response page according to the subsequent access request and sends it to the access end;
the method by which the defense page generates a new response page according to the subsequent access request and sends it to the access end includes:
reading the content of the page requested by the subsequent access request, and obtaining the proportion of information types in that content, wherein the information types include data information, account information and status information;
modifying the content of the requested page as the content of the response page;
obtaining the information type with the largest proportion, recording it as the main information type, and generating more information of the main information type to add to the response page;
sending the response page to the access end.

2. The WAF-based attack traffic countermeasure method according to claim 1, characterized in that:
an interaction log of all access requests within a preset time period is recorded;
the method for detecting whether an access request is attack traffic according to the preset WAF matching rules includes:
determining whether the IP address used by the access request matches the marked IP, and if so, determining that the access request is attack traffic;
reading the URL of the access request, parsing the parameters of the URL, matching the parameters against the preset WAF matching rules, and if they match, determining that the access request is attack traffic;
if they do not match, reading the interaction record of the IP address used by the access request from the interaction log;
matching the interaction record against the preset interaction rules, and if they match, determining that the request is attack traffic.

3. The WAF-based attack traffic countermeasure method according to claim 1, characterized in that:
the method for presetting the WAF matching rules includes: generating matching rules for characters, commands and parameters according to the configured attack type;
the method for presetting the interaction rules includes: generating matching rules on the number of interactions, the interaction frequency and the interaction similarity according to the configured abnormal access type.

4. The WAF-based attack traffic countermeasure method according to claim 1, characterized in that:
the preset trigger condition includes: setting the trigger condition according to the proportion of the main information type in the content of the response page;
when the proportion of the main information type exceeds a preset threshold, it is determined that the preset trigger condition is met, and the method for generating the inducement file includes:
generating information of the main information type as the content of the inducement file;
generating a countermeasure code and adding it to the inducement file;
generating the file name of the inducement file according to the main information type.

5. A WAF-based attack traffic countermeasure system, characterized in that it includes:
a detection module, which detects whether an access request is attack traffic according to preset WAF matching rules;
a verification module, which, when the access request is attack traffic, marks the source IP of the attack traffic as the marked IP and sends a real-person verification to the access end;
a response module, which, when the real-person verification is passed, generates a response page according to the page requested by the access request and the pre-configured simulated vulnerability page and sends it to the access end;
a countermeasure module, which, when the interaction between the marked IP and the response page meets the preset trigger condition, generates an inducement file and prompts its download, wherein the inducement file includes a preset countermeasure code;
the method for pre-configuring the simulated vulnerability page includes:
modifying the content of the page requested by the access request as the content of the simulated vulnerability page;
setting the simulated vulnerability page not to trigger the WAF matching rules and interaction rules;
configuring a redirection rule, wherein the redirection rule redirects all subsequent access requests of the marked IP to a preset defense page;
the defense page generates a new response page according to the subsequent access request and sends it to the access end;
the method by which the defense page generates a new response page according to the subsequent access request and sends it to the access end includes:
reading the content of the page requested by the subsequent access request, and obtaining the proportion of information types in that content, wherein the information types include data information, account information and status information;
modifying the content of the requested page as the content of the response page;
obtaining the information type with the largest proportion, recording it as the main information type, and generating more information of the main information type to add to the response page;
sending the response page to the access end.

6. An electronic device, characterized in that it comprises a processor and a memory; the processor is connected to the memory; the memory is used to store executable program code; the processor runs the program corresponding to the executable program code by reading the executable program code stored in the memory, so as to execute the method according to any one of claims 1 to 4.

7. A computer-readable storage medium having a computer program stored thereon, characterized in that, when the computer program is executed by a processor, the method according to any one of claims 1 to 4 is implemented.

8. A computer program product comprising a computer program, characterized in that, when the computer program is executed by a processor, the method according to any one of claims 1 to 4 is implemented.
CN202411854267.7A 2024-12-17 2024-12-17 WAF-based attack flow countering method and system Active CN119316231B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202411854267.7A CN119316231B (en) 2024-12-17 2024-12-17 WAF-based attack flow countering method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202411854267.7A CN119316231B (en) 2024-12-17 2024-12-17 WAF-based attack flow countering method and system

Publications (2)

Publication Number Publication Date
CN119316231A CN119316231A (en) 2025-01-14
CN119316231B true CN119316231B (en) 2025-03-14

Family

ID=94192272

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202411854267.7A Active CN119316231B (en) 2024-12-17 2024-12-17 WAF-based attack flow countering method and system

Country Status (1)

Country Link
CN (1) CN119316231B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111786966A (en) * 2020-06-15 2020-10-16 中国建设银行股份有限公司 Method and device for browsing webpage
CN112600822A (en) * 2020-12-09 2021-04-02 国网四川省电力公司信息通信公司 Network security system and method based on automatic drainage tool
CN115277068A (en) * 2022-06-15 2022-11-01 广州理工学院 Novel honeypot system and method based on deception defense

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8407798B1 (en) * 2002-10-01 2013-03-26 Skybox Security Inc. Method for simulation aided security event management
US9503470B2 (en) * 2002-12-24 2016-11-22 Fred Herz Patents, LLC Distributed agent based model for security monitoring and response
KR102134898B1 (en) * 2019-10-15 2020-07-17 주식회사 에프원시큐리티 System and method for providing integrated security service for web server based on cloud
CN114079576B (en) * 2020-08-18 2024-06-11 奇安信科技集团股份有限公司 Security defense method, security defense device, electronic equipment and medium
US11792162B1 (en) * 2023-01-30 2023-10-17 Cloudflare, Inc. Machine learning based web application firewall

Also Published As

Publication number Publication date
CN119316231A (en) 2025-01-14

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant