CN104394122B - HTTP business firewall based on an adaptive proxy mechanism - Google Patents

HTTP business firewall based on an adaptive proxy mechanism

Info

Publication number: CN104394122B
Authority: CN (China)
Prior art keywords: client, white list, http, access, session
Legal status: Active (as listed by Google Patents; not a legal conclusion)
Application number: CN201410603197.8A
Other languages: Chinese (zh)
Other versions: CN104394122A (en)
Inventors: 王锦龙, 范渊
Current assignee: Hangzhou Dbappsecurity Technology Co Ltd
Original assignee: DBAPPSecurity Co Ltd
Events: application filed by DBAPPSecurity Co Ltd; priority to CN201410603197.8A; published as CN104394122A; application granted and published as CN104394122B.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)

Abstract

The present invention relates to the field of firewalls and provides an HTTP business firewall based on an adaptive proxy mechanism. The firewall comprises a proxy module, a core control and a security policy database. The proxy module accepts HTTP accesses from clients, passes each item of access data to the core control, and acts on the ruling conclusion it receives from the core control. The core control schedules the cooperation of the modules, receives their requests, and updates the data records, operating modes and working methods held in the security policy database. The security policy database comprises a client admission policy, a client session state repository, an initial address whitelist and a subsequent address whitelist. The invention reduces the checking work that the protected system must otherwise perform for unexpected accesses, unexpected parameters, session parameters, user-associated data and other security aspects, and so raises the security grade of the system.

Description

HTTP business firewall based on an adaptive proxy mechanism
Technical field
The present invention relates to the field of firewalls, and in particular to an HTTP business firewall based on an adaptive proxy mechanism.
Background art
In the firewall field there are, at the earliest, firewalls at the data link layer and the network layer of the seven-layer OSI model, which mainly perform access control on source and destination, and, most recently, application-layer firewalls of the OSI model, which check traffic against attack signatures. Traditional firewalls mainly fall into the following technical types: packet-filtering firewalls, circuit-level firewalls, application-level proxy firewalls, dynamic packet-filtering firewalls and adaptive proxy firewalls.
Packet-filtering firewall: operates at the network layer and checks every packet passing through on the basis of the following information: source and destination IP address, TCP/UDP source and destination port number, protocol (TCP, UDP, ICMP, BGP, etc.), ICMP message type, packet size, and so on.
Circuit-level firewall: a kind of proxy firewall operating at the transport layer; it builds a session table from the flag bits of packets, checks for each received IP packet whether it belongs to some session, and tracks the total number of packets passing in a session over a period of time.
Application-level proxy firewall: operates at the application layer; for specific protocols such as telnet, http, smtp and pop it can support identity authentication; besides control based on address, protocol and port it can also filter application-layer commands, such as GET and PUT in FTP.
Dynamic packet-filtering firewall: has the basic characteristics of a packet-filtering firewall and in addition the following: it monitors the state of a communication session by the attributes of the packets and maintains a connection table instead of relying on simple flag settings; it works at the transport layer, so when choosing dynamic packet filtering one must make sure the firewall can maintain state for all the transports users will use, such as TCP, UDP and ICMP; compared with an ordinary (static) packet-filtering firewall, the filtering rules of dynamic packet filtering are session-based.
Adaptive proxy firewall: combines the advantages of packet filtering and proxy-server firewalls. Its packet-filtering rules are dynamic and session-based, the filtering rules of the IP filter can be adjusted dynamically at run time, and when performing filtering checks it can apply filtering rules of different standards depending on the session.
HTTP (Hypertext Transfer Protocol) is currently the mainstream application communication protocol of the business systems of many IT industries. The HTTP protocol has two standard concepts: the URL (Uniform Resource Locator, for example "http://www.bank.com/login?UserId=1001&Pass=123456") and the URI (Uniform Resource Identifier; for the URL example above, the URI value is "http://www.bank.com/login").
HTML (HyperText Markup Language) is currently the most widely used page definition language; details can be found in the relevant RFC (Request For Comments, a series of numbered documents in which the basic Internet communication protocols are described in detail) specifications.
An HTML document is defined by HTML elements; an HTML element is all the code from a start tag (such as <p> or <a href="default.htm">) to the end tag (such as </p> or </a>).
HTML links: HTML uses hyperlinks to connect to another document on the network. Links can be found in almost every web page. Clicking a link jumps from one page to another; clicking a link initiates an access to the server according to the URL the link points to. For example, <a href="http://www.w3school.com.cn/">Visit W3School</a> defines a link pointing to "http://www.w3school.com.cn/", and <a href="http://www.w3school.com.cn/"><img border="0" src="./images/NextPage.GIF"></a> also defines a link pointing to "http://www.w3school.com.cn/".
Business firewall: this is a new concept. Because the business of each customer differs considerably, it is hard to form standardized check rules, and because the concept of the business firewall only emerged in the last two years or so, there are at present still no mature or typical products of this kind in the industry.
The content of the invention
The main object of the present invention is to overcome the deficiencies of the prior art and to provide a new generation of firewall technology whose core is association with the client session, self-adapting whitelist rules, a proxy access mechanism and operating modes. To solve the above technical problem, the solution of the invention is as follows:
An HTTP business firewall based on an adaptive proxy mechanism is provided, for defending a protected business system against attack accesses from clients. The HTTP business firewall based on an adaptive proxy mechanism comprises a proxy module, a core control and a security policy database;
The proxy module accepts HTTP accesses from clients, extracts the current access time from the moment the access occurs, and, according to the HTTP protocol specification (RFC 1945, RFC 2616), extracts the source IP and port of the access, the destination address of the access, and the Request (see the definition of Request in the HTTP Message definition of RFC 2616);
The proxy module then passes each item of data obtained (source IP and port of the access, destination address of the access, Request) to the core control, waits for the ruling of the core control, and after receiving the ruling conclusion executes according to it; the ruling conclusions are: pass, monitor, alert and intercept;
If the proxy module receives a pass, that is, a check-passed conclusion, it proxies the Request of the current session to the protected business system, then waits to receive the business system's response content (Response) to the forwarded Request (the response content is also what is sent back to the client as the response), and parses the message body of the response content (see the definition of Response in the HTTP Message definition of RFC 2616) according to the HTML language (HyperText Markup Language) to obtain the accessible links in the response content;
The core control is the control centre of the HTTP business firewall; it is responsible for scheduling the cooperation of the modules, receiving the requests of the modules, and updating the data records, operating modes and working methods in the security policy database;
The core control extracts the HTTP access data passed by the proxy module, which comprises the source IP, source port, destination IP, destination port, the URL of the HTTP request, the HEADER of the HTTP request and the BODY of the HTTP request, and calls the client admission policy to check the client source (source IP, source port):
If the check conclusion for the client is "dangerous", the core control, according to the risk grade of the conclusion, orders the proxy module to intercept this access, and no subsequent check step is entered;
If the check conclusion for the client is "safe", the core control goes on to call the client session state repository to check the client state: if the client source information (source IP, SessionID) is already in a data record of the client session state repository, the session is an existing session, otherwise it is a new session. If it is judged to be a new session, the data of the current HTTP access is passed to the initial address whitelist for checking; if the check passes, the new session is added to the client session state repository, the Request is proxied to the protected business system by the proxy module, and processing of the whole flow continues. If it is judged to be an existing session, the data of the current HTTP access is passed to both the initial address whitelist and the subsequent address whitelist and checked by the two modules respectively; if the check conclusion of either module is "pass", the request is proxied to the protected business system by the proxy module and processing of the whole flow continues; otherwise it is processed according to the intercept conclusion;
The security policy database comprises the sub-modules client admission policy, client session state repository, initial address whitelist and subsequent address whitelist, and records the initialization data of the HTTP business firewall, including the initialization data of the client admission policy and of the initial address whitelist;
The security policy database accepts scheduling by the core control and implements the following functions: according to the scheduling of the core control (according to the request initiated by the client and the response obtained), it adjusts the client's session state data and subsequent address whitelist (the "after access: session state" and "after access: subsequent address whitelist" columns of client sessions X and Y in table 310 of the figures), and allows the data of the client admission policy and the initial address whitelist to be maintained and updated online (while running); according to the scheduling of the core control (when it learns that the proxy module has received a client request), it performs the corresponding security checks according to the client and the corresponding policies (client admission policy, client session state repository, initial address whitelist, subsequent address whitelist) and returns the ruling conclusion to the core control;
The client admission policy describes the admission policy for the clients that the HTTP business firewall allows to access; only sources listed in the admission policy are allowed to access, all others are intercepted. The admission policy comprises the client source;
The client session state repository holds the rules of the clients that the HTTP business firewall has allowed to enter: a rule inventory that lists, in the manner of a whitelist, the clients allowed to access the protected system (this inventory is very close to a traditional access control list). Each rule for a client allowed to enter specifies the address of the protected system (target HOST, target IP, target port), the access address of the proxy module (target HOST, target IP, target port), and the source of the client allowed to enter (source IP, source port);
The initial address whitelist is made up of initial address whitelist rules, which implement the following functions: on being scheduled by the core control (when it learns that the client has received the corresponding page and has obtained the link addresses in it by parsing the page), the initial address rules of that client can be queried, added and deleted; on being scheduled by the core control (when it learns that the proxy module has received a client request), it checks whether the client, in its current session state, is entitled to access the initial address as an initial address. An initial address whitelist rule comprises a client condition, a client session state condition and an initial address;
The subsequent address whitelist is made up of subsequent address whitelist rules, which implement the following functions: on being scheduled by the core control (when it learns that the client has received the corresponding page and has obtained the link addresses in it by parsing the page), the subsequent address rules of that client can be queried, added and deleted; on being scheduled by the core control (when it learns that the proxy module has received a client request), it checks whether the client, in its current session state, is entitled to access the subsequent address as a subsequent address. A subsequent address whitelist rule comprises a client condition, a client session state condition and a subsequent address.
In the present invention the core control can perform human-machine interaction: it outputs data and signals through output devices and obtains external input through input devices.
In the present invention the output devices include a screen, loudspeaker and lights, and the input devices include a keyboard and mouse.
In the present invention the client source in the client admission policy comprises the source IP and source port; a client source can be identified by a regular expression or recorded with the usual wildcards such as "*", and range notation is supported (for example, 12-254 denotes that any integer from 12 to 254 is allowed).
In the present invention each rule for a client allowed to enter in the client session state repository can likewise be identified by a regular expression or recorded with the usual wildcards such as "*", and range notation is supported (for example, 12-254 denotes that any integer from 12 to 254 is allowed).
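An added example (not the patent's own code) of the client-source matching just described: an admission check over source IP and port that accepts "*" wildcards, inclusive "lo-hi" ranges per octet or port, and regular expressions, with the default-deny behaviour of the admission policy (only listed sources pass). The patent names the three notations but not how a rule declares which one it uses, so the "re:" prefix that marks a regular expression, the sample policy and the function names are assumptions.

```python
import re


def parse_ipv4(text):
    """Return the four octets of a dotted-quad address as ints, or None if the text is not one."""
    parts = text.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    octets = [int(p) for p in parts]
    return octets if all(o <= 255 for o in octets) else None


def field_matches(pattern, value):
    """One octet or port field: '*' matches anything, 'lo-hi' an inclusive range, otherwise exact."""
    if pattern == "*":
        return True
    span = re.fullmatch(r"(\d+)-(\d+)", pattern)
    if span:
        return int(span.group(1)) <= value <= int(span.group(2))
    return pattern.isdigit() and int(pattern) == value


def ip_matches(rule, ip):
    """Source-IP rule: a dotted pattern of four fields, or (assumed 're:' prefix) a regular expression."""
    if rule.startswith("re:"):
        return re.fullmatch(rule[3:], ip) is not None
    octets, fields = parse_ipv4(ip), rule.split(".")
    if octets is None or len(fields) != 4:
        return False
    return all(field_matches(f, o) for f, o in zip(fields, octets))


def admitted(policy, source_ip, source_port):
    """Client admission check: default deny; a source passes only if some (ip rule, port rule) lists it."""
    return any(ip_matches(ip_rule, source_ip) and field_matches(port_rule, source_port)
               for ip_rule, port_rule in policy)


# Constructed admission policy for the example (not from the patent): one LAN on any port,
# a range of hosts allowed only from ephemeral ports, and a regex for the .1 host of any 172.16 subnet.
SAMPLE_POLICY = [
    ("192.168.1.*", "*"),
    ("10.0.12-254.7", "1024-65535"),
    (r"re:172\.16\.\d{1,3}\.1", "*"),
]
```

Regular expressions are anchored with fullmatch on purpose: a pattern meant for 172.16.40.1 must not also admit 172.16.40.10, and a malformed source string matches no dotted pattern at all rather than raising inside the check.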
In the present invention the HTTP business firewall based on an adaptive proxy mechanism handles an intercept conclusion by having the proxy module either close the client's current connection directly or close the connection after responding with a "service refused" page.
In the present invention the initial address whitelist is preset with records according to the needs of business operation when the HTTP business firewall is initialized, and can be set to different modes according to those needs: different initial address link records specified for different client sources, or the same initial address link records set for all client sources.
In the present invention the updates by the core control to the data records in the security policy database include:
Update of the subsequent address whitelist: after the proxy module has obtained the accessible links in the business system's response content to the request, the core control updates the accessible links into the subsequent address whitelist, in either of two modes: the accessible link records are appended to the subsequent address whitelist, each link record corresponding to the session; or all old link records corresponding to the session are removed and the newly obtained link records corresponding to the session are added to the subsequent address whitelist;
Update of the client session state repository: the core control updates the current access address into the client session state repository, in either of two modes: only one current-step link record is kept in the client session state repository, and the link record of the current access directly overwrites the original record; or several current-step link records are kept in the client session state repository, and the link record of the current access is added;
The core control periodically checks the client session state repository (for example every second or every 20 milliseconds) and performs an expiry check on the records of existing sessions; a record whose expiry time has been reached is purged. The expiry time is the timestamp obtained by adding the validity duration to the current time, and when the current request belongs to an existing session the core control calls the client session state repository to extend the validity of that session by the preset session validity duration (for example 180 seconds, 3600 seconds, etc.).
In the present invention the HTTP business firewall based on an adaptive proxy mechanism handles a client re-sending the current request in either of two modes: the address of the current access is added to the subsequent address whitelist as a subsequent address; or the address of the current access is added to neither the initial address whitelist nor the subsequent address whitelist, so that if the business system's response content to the current request does not contain the URL/link address of the current request, a page refresh is not allowed to access the current address again.
Operating principle of the invention: an interconnected system (access proxy system, Agent) based on an underlying HTTP access proxy obtains traffic data in real time, analyses what the Agent obtains and performs client session association, forms a client inventory, and merges and updates the whitelist addresses obtained by analysis with the client's existing whitelist according to preset update and merge rules, yielding a new access address whitelist. When an HTTP access from a client is found, it is checked against the access address whitelist corresponding to that client: if it satisfies the rules the whitelist permits, the access is passed; if it does not, the HTTP access is monitored, alerted on, or intercepted.
Compared with the prior art, the beneficial effects of the invention are as follows:
The invention can identify the session step a particular client is in and automatically generate the corresponding whitelist rules for the current step, so that safe accesses are passed and dangerous accesses are intercepted;
The invention extends interception into alerting (the core control 120 issues an alert), authorization (the core control 120 sends a request requiring authorization to be entered through the input device before the session may continue its access), interception, and other processing modes of different levels, all of which are easy to adapt;
The invention can, according to the application-layer scenario rules that have been learned, automatically learn and revise the whitelist rules of the current step, thereby ensuring that every access that matches expectations passes and every access that does not is rejected;
The proxy protection design of the invention means that the clients whose accesses the protected system receives are all safe; as long as the access-step flow of the protected system itself is not confused, a client can only walk the path laid down by the predetermined step flow;
The invention can reduce the checking work that the protected system must consider for unexpected accesses, unexpected parameters, session parameters, user-associated data and other security aspects, thereby greatly lowering the development cost of the protected system and raising its security grade;
The invention can give the protective capability of firewalls a qualitative rise, masking various common attack means from the outset by its mechanism, and bringing the contest between attack and defence into a new era.
Brief description of the drawings
Fig. 1 is a block diagram of the computing environment system of the specific embodiment of the invention.
Fig. 2 is a jump-process diagram of the specific embodiment of the invention.
Fig. 3 is a diagram of the data records corresponding to the jump process of the specific embodiment of the invention.
Specific embodiment
It should first be explained that the present invention is an application of computer technology in the field of information security technology, and that its implementation may involve the application of several software function modules. The applicant holds that, after reading the application document carefully and accurately understanding the implementation principle and object of the invention, a person skilled in the art can fully implement the invention with the programming skills at their disposal in combination with existing known technology. The aforementioned software function modules include, but are not limited to, the proxy module, the core control module, the security policy database, etc.; everything referred to in the present application document belongs to this category, and the applicant will not enumerate them one by one.
The invention is described in further detail below with reference to the drawings and a specific embodiment:
As shown in Fig. 1, the client 140 is the access source that initiates an access request; a request from the client 140 must go through the proxy access of the HTTP business firewall 100 before it can reach the business system 150. Through this deployment architecture, the HTTP business firewall protects the business system.
The HTTP business firewall 100 is the system of the invention. It comprises the proxy module 110, which receives the accesses of the client 140, sends accesses that have passed the security checks of the core control module 120 and the related function modules to the business system 150, then receives the response of the business system 150, updates, by analysing the response content, the security policy of the core control module 120 and the corresponding function modules for the current session, and finally returns the response content of the business system 150 to the client 140 as the response.
The core control module 120 is the kernel scheduling centre of the HTTP business firewall; the proxy module 110 must notify the core control module 120 of every request received from any client 140, and the core control module 120 extracts the relevant information of the current session (source IP, source port, destination IP, destination port, URL of the HTTP request, HEADER of the HTTP request, BODY of the HTTP request, etc.).
After obtaining the information data of the current session, the core control module calls the client admission policy 131 to check the client source (source IP, source port). A request that fails the check is intercepted directly (the proxy module closes the client's current connection directly, or closes the connection after responding with a "service refused" page) and enters no subsequent check step; a request that passes the check enters the check of the next step.
For a current request not intercepted by the client admission policy 131, the client session state repository 133 is called to check the client state (new session or existing session): if the client source information (source IP, SessionID) is already in a data record of the client session state repository 133, it is an existing session, otherwise it is a new session.
For a new session, the data of the current HTTP request is passed to the initial address whitelist 132 for checking; for a request that passes the check, the session is added to the client session state repository 133, the request is proxied to the business system by the proxy module 110, and processing of the whole flow continues.
For an existing session, the data of the current HTTP request is passed to the initial address whitelist 132 and the subsequent address whitelist 134, which check it respectively; if the check conclusion of either module is "pass", the request is proxied to the business system by the proxy module 110 and processing of the whole flow continues. Otherwise it is processed according to the intercept conclusion (the proxy module closes the client's current connection directly, or closes the connection after responding with a "service refused" page).
The initial address whitelist is preset with records according to the needs of business operation when the system is initialized, and can be set to different modes according to those needs (A: different initial address link records are specified for different client sources; B: the same address link records are set for all clients).
After a check-passed conclusion is obtained, the proxy module 110 proxies the request of the current session to the business system 150, then receives the business system's response content to the request and parses it to obtain the accessible links in the response content. After the corresponding link records have been obtained, the system can update the subsequent address whitelist 134 in different modes according to operational needs (A: the link records are added to the subsequent address whitelist 134, each link record corresponding to the session; B: all old link records corresponding to the session are removed and the newly obtained link records corresponding to the session are added). For the current access address, the system can update the client session state repository 133 in different modes according to operational needs (A: only one current-step link record is kept, and the link record of the current access directly overwrites the original record; B: several current-step link records are kept, and the link record of the current access is added). For the case where the current request may be re-sent, the system can support different modes according to operational needs (A: the address of the current access is added to the subsequent address whitelist 134 as a subsequent address; B: it is not listed in any whitelist, so that when the response content of the request does not contain the URL/link address of the current request, a page refresh is not allowed to access the current address again).
When the current request belongs to an existing session, the core control module calls the client session state repository 133 to extend the timeout of the corresponding current session record by the preset session validity duration (for example 180 seconds, 3600 seconds, etc.), taking the current time plus the validity duration as the expiry timestamp.
The core control module periodically (for example every second or every 20 milliseconds) checks the client session state repository and performs an expiry check on the records of existing sessions; any record whose timestamp is already earlier than the current time is purged.
Fig. 2 is the jump-process diagram of the initial address whitelist of the specific embodiment and of the link addresses corresponding to the current step (the URL of the current page) the session is in.
Link 200 and link 290 are initial addresses, which any legitimate client of this specific embodiment may access as an initial address after entering.
Link 210, link 220 and link 230 are the subsequent access addresses corresponding to the initial address link 200.
Link 231, link 232 and link 233 are the subsequent access addresses corresponding to the current address link 230.
Link 200 is at the same time one of the subsequent access addresses of link 230.
Fig. 3 shows, for the jump process of the link addresses of the specific embodiment, the corresponding data records of the client session state repository 133, initial address whitelist 132 and subsequent address whitelist 134 of the system at the different access steps of one client.
The initial state data table 300 shows that after the system has been initialized: (1) the session state repository holds no record data; (2) the initial address whitelist holds two link addresses, specified uniformly for all source addresses; (3) the subsequent address whitelist stores records separately for each session and is initially empty.
The step data table 310 shows, for each access step of two sessions, the system's check result for that access based on the existing data records, and the corresponding data changes of the client session state repository 133, initial address whitelist 132 and subsequent address whitelist 134.
There are two sessions in the step data table 310; although they have the same source IP, the system judges them to be two independent sessions because their SessionIDs differ. Session X is (source IP: 192.168.1.101, SessionID: 12345678900) and session Y is (source IP: 192.168.1.101, SessionID: 12345678901).
Current accessed URL in step tables of data 310, refers to that this records corresponding accessing step, and client expects what is accessed Destination address (is illustrated according to URI in this specific embodiment, can be managed according to URL in other specific embodiments Solution).All it is the URI of the most simple relative path for using for initial address, the differentiation of subsequent address in this specific embodiment Mode illustrated, in practical application embodiment, it would however also be possible to employ absolute path, it would however also be possible to employ the URL with parameter. It is carrying out white list chained address and differentiate, can be according to operation needs, in initial address white list, subsequent address white list In module, corresponding comparative approach is set, the complete matching way of character string can be used, it would however also be possible to employ regular expression is carried out The mode of matching, or other customized comparative approach.
In step tables of data 310 " after access-session status storehouse ", refer to after the completion of the step process, the system Session status storehouse 131 in data record.
In step tables of data 310 " after access-subsequent address white list ", refer to after the completion of the step process, this Data record in the subsequent address white list 134 of system.
In this specific embodiment, after the data Ji Lu completion systems initialization of initial address white list 132, keep not Become.In other specific embodiments, the system can adjust initial address according to operation needs by kernel control module 120 The data record of white list 132.In other specific embodiments, it is also possible to by kernel control module 120, in system operation mistake Cheng Zhong, the data record of adjustment client admission policy 131.In other specific embodiments, can be by kernel control module 120, adjust the initial address white list 132, comparative approach of subsequent address white list 134.
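The decision flow and update modes described above (a new session is checked only against initial address white list 132; an existing session passes if either 132 or its own subsequent address white list 134 matches; the record in 133 is extended on every request and purged by a periodic expiry sweep), worked through in Python as an added example. This is not the patent's implementation: the class and method names, the in-memory data model, the exact-string comparison and the URLs used in the scenario function are assumptions (Fig. 3 gives only the source IP and the SessionIDs of sessions X and Y); the numerals in the comments refer to the modules of the description.

```python
"""Added example: a minimal in-memory model of the adaptive-proxy white list flow.

Not the patent's code. Names, data model and sample URLs are assumptions;
the numerals in comments refer to the modules of the description (132/133/134).
"""
from dataclasses import dataclass, field
from enum import Enum
import time


class Verdict(Enum):
    PASS = "pass"
    INTERCEPT = "intercept"


class UpdateMode(Enum):
    APPEND = "A"    # mode A: keep existing records, add the new ones
    REPLACE = "B"   # mode B: drop the session's old records, keep only the new ones


@dataclass
class Session:
    source_ip: str
    session_id: str
    expires_at: float
    current_steps: set = field(default_factory=set)  # current-step link records (133)
    subsequent: set = field(default_factory=set)     # per-session subsequent addresses (134)


class AdaptiveProxyFirewall:
    def __init__(self, initial_whitelist, validity_seconds=180,
                 subsequent_mode=UpdateMode.APPEND, state_mode=UpdateMode.REPLACE,
                 allow_resend=True, clock=time.time):
        # 132: initial addresses, configured uniformly for all sources (as in table 300)
        self.initial_whitelist = set(initial_whitelist)
        self.validity = validity_seconds
        self.subsequent_mode = subsequent_mode   # how 134 is updated after a response
        self.state_mode = state_mode             # how the current step in 133 is updated
        self.allow_resend = allow_resend         # resend mode A (True) or mode B (False)
        self.clock = clock                       # injectable for deterministic tests
        self.sessions = {}                       # 133: keyed by (source IP, SessionID)

    def check_request(self, source_ip, session_id, url):
        """Ruling for one request; exact string matching is used for both white lists."""
        key = (source_ip, session_id)
        now = self.clock()
        session = self.sessions.get(key)
        if session is not None and session.expires_at < now:
            del self.sessions[key]   # an expired record counts as no session
            session = None
        if session is None:
            # New session: only an initial address may be requested, and the
            # session record is created only when the inspection passes.
            if url not in self.initial_whitelist:
                return Verdict.INTERCEPT
            self.sessions[key] = Session(source_ip, session_id, now + self.validity)
            return Verdict.PASS
        # Existing session: extend validity, then either white list may pass it.
        session.expires_at = now + self.validity
        if url in self.initial_whitelist or url in session.subsequent:
            return Verdict.PASS
        return Verdict.INTERCEPT

    def record_response(self, source_ip, session_id, url, links):
        """Called after the business system answered `url`; `links` are the
        accessible links parsed out of the response content."""
        session = self.sessions[(source_ip, session_id)]
        new_links = set(links)
        if self.allow_resend:
            new_links.add(url)   # resend mode A: the current address stays reachable
        # resend mode B: a refresh is allowed only if the response links back to `url`
        if self.subsequent_mode == UpdateMode.APPEND:
            session.subsequent |= new_links
        else:
            session.subsequent = new_links
        if self.state_mode == UpdateMode.APPEND:
            session.current_steps.add(url)
        else:
            session.current_steps = {url}

    def expire_sessions(self):
        """Periodic expiry sweep; returns the number of purged records."""
        now = self.clock()
        expired = [k for k, s in self.sessions.items() if s.expires_at < now]
        for key in expired:
            del self.sessions[key]
        return len(expired)


def fig3_scenario():
    """Sessions X and Y of Fig. 3 (same source IP, different SessionIDs);
    the URLs are constructed, the patent's table does not list them."""
    clock = [1000.0]
    fw = AdaptiveProxyFirewall({"/login", "/index"}, validity_seconds=180,
                               clock=lambda: clock[0])
    ip, sid_x, sid_y = "192.168.1.101", "12345678900", "12345678901"
    out = {}
    out["x_login"] = fw.check_request(ip, sid_x, "/login")             # initial address: pass
    fw.record_response(ip, sid_x, "/login", ["/home", "/query"])       # X's 134 now holds these
    out["x_home"] = fw.check_request(ip, sid_x, "/home")               # in X's 134: pass
    out["x_admin"] = fw.check_request(ip, sid_x, "/admin")             # never linked: intercept
    out["y_home_first"] = fw.check_request(ip, sid_y, "/home")         # Y is new, /home not initial
    out["y_index"] = fw.check_request(ip, sid_y, "/index")             # Y enters via an initial address
    clock[0] += 200                                                    # beyond the 180 s validity
    out["purged"] = fw.expire_sessions()
    out["x_home_after_expiry"] = fw.check_request(ip, sid_x, "/home")  # X must start over
    return out


if __name__ == "__main__":
    for step, result in fig3_scenario().items():
        print(f"{step:22} {result}")
```

The scenario shows the property the description emphasises: session Y, coming from the same source IP as X, gains nothing from X's subsequent address white list and must itself enter through an initial address, and once X's record has expired its previously allowed subsequent address is intercepted again.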
The present invention has high practical value in real deployments. The firewall designed by the present invention is an application-layer proxy firewall, but it also has the characteristics of an adaptive proxy firewall: the filtering rules used by different sessions differ, and, going further, even within the same session the filtering rules differ when the session is at different steps.
As those skilled in the art will recognize, aspects of the present invention may be embodied as a system, method or computer program product. Accordingly, aspects of the invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining hardware and software aspects, all of which may generally be referred to herein as a "circuit", "module" or "system". Furthermore, aspects of the invention may take the form of a computer program product embodied in one or more computer-readable media having computer-readable program code embodied therein.
Any combination of one or more computer-readable media may be used. Program code embodied on a computer-readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wired, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object-oriented programming language (for example Java, Smalltalk, C++ or the like) and conventional procedural programming languages (such as the "C" programming language or similar programming languages). The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on a remote computer or server. In the latter case, the remote computer may be connected to the user's computer through any type of network (including a local area network (LAN) or a wide area network (WAN)), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).
Aspects of the present invention are described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to particular embodiments of the invention. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks, can be implemented by computer program instructions. These computer program instructions may be provided to a general-purpose computer, a special-purpose computer, or another programmable data processing apparatus with a processor, such that the instructions, when executed by those devices, create means for implementing the functions/actions specified in the flowchart and/or block diagram block or blocks.
Finally, it should be noted that the above are only specific embodiments of the present invention. Clearly, the invention is not limited to the embodiments above, and many variations are possible. All modifications that one of ordinary skill in the art can directly derive or infer from the disclosure of the present invention are considered to fall within the scope of protection of the present invention.

Claims (9)

1. An HTTP business firewall based on an adaptive proxy mechanism, for defending a protected business system against attack accesses from clients, characterised in that the HTTP business firewall based on an adaptive proxy mechanism comprises a proxy module, a core control and a security policy database;
the proxy module is used to accept HTTP accesses from clients, record the current access time according to the moment at which the access occurs, and extract, according to the HTTP protocol specification, the source IP and port, the destination address and the Request of the access;
the proxy module then passes every item of data obtained to the core control and waits for the core control's ruling; after receiving the ruling conclusion, the proxy module acts according to it, where the ruling conclusion is one of: pass, monitor, alert, intercept;
if the proxy module receives a pass, that is, an inspection-passed conclusion, the proxy module proxies the Request of the current session and sends it to the protected business system, waits for the business system's response content Response to the forwarded Request, parses the message body of the response content Response according to the HTML language, and obtains the accessible links in the response content;
the core control is the control centre of the HTTP business firewall, responsible for scheduling the cooperation of the modules, receiving the requests of each module, and updating the data records, operating modes and working methods in the security policy database;
the core control extracts the data of the HTTP access passed on by the proxy module, the data of the HTTP access comprising the source IP, source port, destination IP, destination port, the URL of the HTTP request, the HEADER of the HTTP request and the BODY of the HTTP request, and calls the client admission policy to check the client source:
if the inspection conclusion for the client is unsafe, the proxy module is ordered, according to the risk level of the conclusion, to intercept this unsafe access, and the subsequent inspection steps are not entered;
if the inspection conclusion for the client is safe, the client session state repository is called next to check the client state: if the client source information matches a session in the data records of the client session state repository it is an existing session, otherwise it is a new session; if judged a new session, the data of the current HTTP request's access is passed to the initial address white list for inspection, and if the inspection passes, the new session is added to the client session state repository, the request is proxied by the proxy module and sent to the protected business system, and processing of the whole flow continues; if judged an existing session, the data of the current HTTP request's access is passed to the initial address white list and the subsequent address white list and inspected by the two modules respectively, and if the inspection conclusion of either module is a pass, the request is proxied by the proxy module and sent to the protected business system and processing of the whole flow continues; otherwise it is handled according to the intercept conclusion;
the security policy database comprises the sub-modules client admission policy, client session state repository, initial address white list and subsequent address white list, and the security policy database records the initialization data of the HTTP business firewall, including the initialization data of the client admission policy and the initialization data of the initial address white list;
the security policy database accepts scheduling by the core control and provides the following functions: according to the scheduling of the core control, adjusting the client session state data and the subsequent address white list corresponding to a client, and allowing online maintenance and updating of the data of the client admission policy and the initial address white list; according to the scheduling of the core control, performing the corresponding security inspection for a client according to its corresponding policy, and returning the ruling conclusion to the core control;
the client admission policy is an admission policy describing the clients that the HTTP business firewall allows to access; only sources listed in the admission policy are allowed to access, otherwise they are intercepted; the admission policy comprises the client source;
the client session state repository is used to store the rules for the clients that the HTTP business firewall allows to enter, and the rules for clients allowed to enter list, in the manner of a white list, the inventory of clients allowed to access the protected system; every rule for a client allowed to enter specifies the address of the protected system, the access address of the proxy module and the source of the client allowed to enter;
the initial address white list is composed of initial address white list rules, and the initial address white list rules provide the following functions: accepting scheduling by the core control, querying, adding and deleting the initial address rules corresponding to a client; accepting scheduling by the core control, checking whether a client in its current session state has the right to access the initial address as an initial address; wherein an initial address white list rule comprises a client condition, a client session state condition and an initial address;
the subsequent address white list is composed of subsequent address white list rules, and the subsequent address white list rules provide the following functions: accepting scheduling by the core control, querying, adding and deleting the subsequent address rules corresponding to a client; accepting scheduling by the core control, checking whether a client in its current session state has the right to access the subsequent address as a subsequent address; wherein a subsequent address white list rule comprises a client condition, a client session state condition and a subsequent address.
2. The HTTP business firewall based on an adaptive proxy mechanism according to claim 1, characterised in that the core control can perform human-machine interaction: the core control outputs data and signals through output devices and obtains external input through input devices, thereby realising human-machine interaction.
3. The HTTP business firewall based on an adaptive proxy mechanism according to claim 2, characterised in that the output devices include a screen, a loudspeaker and lights, and the input devices include a keyboard and a mouse.
4. The HTTP business firewall based on an adaptive proxy mechanism according to claim 1, characterised in that the source of a client in the client admission policy includes the source IP and source port, and the client source can be identified by a regular expression, can also be recorded using the general "" and "*" wildcards, and supports segment-mode marking.
5. The HTTP business firewall based on an adaptive proxy mechanism according to claim 1, characterised in that every rule for a client allowed to enter in the client session state repository can be identified by a regular expression, can also be recorded using the general "" and "*" wildcards, and supports segment-mode marking.
6. The HTTP business firewall based on an adaptive proxy mechanism according to claim 1, characterised in that the handling of the intercept conclusion by the HTTP business firewall based on an adaptive proxy mechanism is that the proxy module directly closes the client's current connection, or closes the connection after responding with a service-refused response page.
7. The HTTP business firewall based on an adaptive proxy mechanism according to claim 1, characterised in that the initial address white list is set to preset records according to system operation when the HTTP business firewall is initialised; and the initial address white list can be set to different modes according to system operation needs: according to the client source, specifying different initial address link records for different sources; or setting the same initial address link records for all client sources.
8. The HTTP business firewall based on an adaptive proxy mechanism according to claim 1, characterised in that the updating of data records in the security policy database by the core control includes:
updating of the subsequent address white list: after the proxy module obtains the accessible links in the business system's response content to the request, the core control updates the accessible links in the subsequent address white list, which can be realised in either of two modes: adding the accessible link records to the subsequent address white list with each link record associated with the session; or removing all old link records of the session corresponding to the accessible links and adding the newly obtained link records associated with the session to the subsequent address white list;
updating of the client session state repository: the core control updates the current access address in the client session state repository, which can be realised in either of two modes: only one current-step link record is kept in the client session state repository, and the link record of the current access directly overwrites the original record; or multiple current-step link records are kept in the client session state repository, and the link record of the current access is appended;
the core control periodically inspects the client session state repository and performs an expiry check on the records of existing sessions, purging a record once it has reached its expiry time; wherein the expiry time is the timestamp obtained by adding the validity duration to the current time, and when the current request belongs to an existing session the core control calls the client session state repository to extend the validity duration of the existing session according to the preset session validity duration.
9. The HTTP business firewall based on an adaptive proxy mechanism according to claim 1, characterised in that the HTTP business firewall based on an adaptive proxy mechanism handles a client's repeated sending of the current request in either of two modes: adding the address of the current access to the subsequent address white list as a subsequent address; or adding the address of the current access to neither the initial address white list nor the subsequent address white list, so that when the business system's response content to the current request does not contain the URL/link address of the current request, refreshing the page to access the current address again is not allowed.
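Claim 1 parses the response body as HTML to obtain the accessible links, claims 4 and 5 allow client conditions to be expressed as regular expressions or wildcards, claim 1's white list rules carry a client condition and a session state condition besides the address, and claim 9 (second mode) permits a refresh only when the response links back to the current address. The following Python is an added example, not the patent's code, implementing those pieces with the standard library (`html.parser` for link extraction, `fnmatch` and `re` for the conditions). The rule class, the function names, the set of link-bearing tags and the sample HTML are assumptions.

```python
"""Added example: link extraction from an HTML response and white list rule matching.

Not the patent's code; the rule structure, function names and the sample HTML are
assumptions built to illustrate claims 1, 4, 5 and 9.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from html.parser import HTMLParser
from typing import Callable, Optional
from urllib.parse import urljoin, urlsplit, urlunsplit
import re


def _normalise(url):
    """Drop the fragment; keep path+query for same-site links, the full URL otherwise."""
    parts = urlsplit(url)
    if parts.netloc:
        return urlunsplit((parts.scheme, parts.netloc, parts.path, parts.query, ""))
    return parts.path + ("?" + parts.query if parts.query else "")


class _LinkCollector(HTMLParser):
    """Collects the link-bearing attributes of tags that lead to further requests
    (assumed tag set; extend as the protected application requires)."""
    LINK_ATTRS = {"a": "href", "form": "action", "link": "href",
                  "script": "src", "img": "src", "iframe": "src"}

    def __init__(self, base):
        super().__init__()
        self.base = base
        self.links = []

    def handle_starttag(self, tag, attrs):
        wanted = self.LINK_ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                self.links.append(_normalise(urljoin(self.base, value)))


def extract_links(html, base):
    """Accessible links of a response, resolved against the requested URL `base`,
    de-duplicated in document order."""
    collector = _LinkCollector(base)
    collector.feed(html)
    seen, ordered = set(), []
    for link in collector.links:
        if link not in seen:
            seen.add(link)
            ordered.append(link)
    return ordered


def refresh_allowed(current_url, response_html):
    """Second resend mode of claim 9: a refresh of `current_url` is allowed only if
    the response to it links back to that address."""
    return current_url in extract_links(response_html, current_url)


# Comparison methods selectable per white list: exact string or regular expression.
def exact(address):
    return lambda url: url == address


def regex(pattern):
    compiled = re.compile(pattern)
    return lambda url: compiled.fullmatch(url) is not None


@dataclass
class WhiteListRule:
    client: str                        # wildcard pattern on the source, e.g. "192.168.1.*"
    address: Callable[[str], bool]     # comparison method for the address
    step: Optional[str] = None         # session state condition: current page, or None for any

    def allows(self, source_ip, current_step, url):
        return (fnmatchcase(source_ip, self.client)
                and (self.step is None or self.step == current_step)
                and self.address(url))


def rule_set_allows(rules, source_ip, current_step, url):
    return any(rule.allows(source_ip, current_step, url) for rule in rules)


# Constructed response body for a request to /app/index (not taken from the patent).
SAMPLE_HTML = """<html><body>
<a href="/app/home">Home</a>
<a href="detail?id=7#sec">Detail</a>
<form action="/app/submit" method="post"><input name="q"></form>
<a href="/app/index">Refresh</a>
<img src="/static/logo.png">
<a href="/app/home">Home again</a>
</body></html>"""

if __name__ == "__main__":
    print(extract_links(SAMPLE_HTML, "/app/index"))
    print(refresh_allowed("/app/index", SAMPLE_HTML))
```

Relative links are resolved against the requested URL and fragments are stripped before comparison, so that the address stored in the subsequent address white list is the same string the next request will carry; the session state condition of a rule is checked against the current page, which is how the same address can be allowed at one step of a session and refused at another.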
CN201410603197.8A 2014-10-31 2014-10-31 A kind of HTTP business fire walls based on Adaptive proxy mechanism Active CN104394122B (en)
Publications (2)

Publication Number Publication Date
CN104394122A CN104394122A (en) 2015-03-04
CN104394122B true CN104394122B (en) 2017-06-27