CN105871775A - Security protection method and DPMA protection model - Google Patents
Publication number: CN105871775A
Application number: CN201510026104.4A
Authority: CN (China)
Prior art keywords: web, module, protection, attack, monitoring
Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abstract
The invention discloses a security protection method. The method comprises: a DPMA protection model obtains protection information about a web attack event, wherein the DPMA protection model comprises a web detection module, a web protection module, a web monitoring module, and a web auditing module; and the DPMA protection model conducts linked actions according to the protection information about the web attack event to achieve security protection of a web application, wherein the linked actions include interactions between the web detection module, the web protection module, the web monitoring module, and the web auditing module by means of the protection information about the web attack event. The invention also discloses a DPMA protection model.
Description
Technical field
The present invention relates to Web technology, and in particular to a security protection method and a DPMA (Detect, Protect, Monitor, Audit) protection model.
Background
With the continuous progress and development of network (Web) application technology, Web applications carry more and more business, and the security problems they face have become increasingly complex as a result. According to statistics from authoritative institutions, security attacks against Web applications now exceed the sum of all other kinds of security attacks, and attacks are gradually shifting from the traditional network layer to the application layer.
Web applications are the services most directly exposed to the outside. While they give users convenient service, they also give malicious attackers an opportunity: once a Web application is compromised, an attacker can use it as a springboard to collect more information or to probe other servers. Although a firewall can protect a website to a large extent, a firewall works mainly at the network layer and is helpless against application-layer attacks. In addition, because the skill level of Web application developers is uneven, a lack of security knowledge during development and insufficient testing can both leave the website itself vulnerable. How to ensure the security of the Web application itself, and so provide users with a more stable service, is a challenge that enterprises must face.
Existing technical means of Web security protection fall into two broad camps, detection and protection. The first class, detection-class security means, generally includes Web vulnerability scanning, intrusion detection and the like. The second class, protection-class security means, generally includes network-level firewalls, application-layer firewalls (WAF), security gateways (UTM), IPS devices and the like. Existing security detection and protection equipment such as firewalls and vulnerability scanners can be used to detect and block some attacks and plays a very important role, but it still has certain limitations, which mainly show as follows. On the detection side: vulnerability scanning is a black-box detection method, so missed reports (false negatives) and false alarms (false positives) are unavoidable; intrusion detection is mainly based on a rule base or signature base, so Web attack events (also called attack behavior) that are not in the rule base are hard to discover, and for Web attack events that have escaped detection it is hard to replay the attack scene, so they cannot be traced afterwards. On the protection side: a firewall works mainly at the network layer and is powerless against application-layer attacks; a Web application firewall does work at the application layer, but because the way Web application code is written is itself not standardized and follows no unified standard, a Web application firewall produces a large number of false alarms and cannot be used effectively; and after a Web application security event occurs, corresponding audit and tracing tools are lacking.
In addition, these security detection and protection devices all work independently, with no interaction between them; a given security behavior or event cannot be analyzed by correlation or handled by linkage, and alarm events remain isolated.
Summary of the invention
In view of this, embodiments of the present invention provide a security protection method and a DPMA protection model to solve at least one problem in the prior art; they can use multiple protection means for correlation analysis and thereby improve security.
The technical solution of the embodiments of the present invention is realized as follows:
In a first aspect, an embodiment of the present invention provides a security protection method, the method including:
A DPMA protection model obtains protection information about a Web attack event, where the DPMA protection model includes four modules: a Web detection module, a Web protection module, a Web monitoring module and a Web audit module;
The DPMA protection model performs linkage according to the protection information of the Web attack event, to achieve security protection for the Web application, where the linkage includes using the protection information of the Web attack event to interact among the Web detection module, the Web protection module, the Web monitoring module and the Web audit module.
In a second aspect, an embodiment of the present invention provides a DPMA protection model, the DPMA protection model including four modules: a Web detection module, a Web protection module, a Web monitoring module and a Web audit module, where:
The Web detection module is configured to perform Web security detection on potential security threats, obtain a detection result, and analyze potential risk points from the detection result; and to provide a security repair method according to the potential risk point and hand the security repair method to the Web protection module, so that the Web protection module uses the security repair method to repair the potential risk point;
The Web detection module is further configured to hand the detection result to the Web protection module, the Web monitoring module and the Web audit module for correlation analysis and protection.
In the security protection method and DPMA protection model provided by the embodiments of the present invention, the method includes: a DPMA protection model obtains protection information about a Web attack event, where the DPMA protection model includes four modules: a Web detection module, a Web protection module, a Web monitoring module and a Web audit module; the DPMA protection model performs linkage according to the protection information of the Web attack event, to achieve security protection for the Web application, where the linkage includes using the protection information of the Web attack event to interact among the Web detection module, the Web protection module, the Web monitoring module and the Web audit module. In this way, multiple protection means can be used for correlation analysis, thereby improving security.
Brief description of the drawings
Fig. 1 is a schematic diagram of the composition of the DPMA protection model according to an embodiment of the present invention;
Fig. 2 is a schematic flow diagram of the DPMA protection model in operation according to an embodiment of the present invention;
Fig. 3 is a schematic flow diagram of the linked protection technology in operation according to an embodiment of the present invention;
Fig. 4-1 is a schematic flow diagram of linkage model one in operation according to an embodiment of the present invention;
Fig. 4-2 is a schematic flow diagram of linkage model two in operation according to an embodiment of the present invention;
Fig. 4-3 is a schematic flow diagram of linkage model three in operation according to an embodiment of the present invention;
Fig. 4-4 is a schematic flow diagram of linkage model four in operation according to an embodiment of the present invention;
Fig. 4-5 is a schematic flow diagram of linkage model five in operation according to an embodiment of the present invention;
Fig. 4-6 is a schematic flow diagram of linkage model six in operation according to an embodiment of the present invention;
Fig. 5 is a schematic flow diagram of the implementation of the security protection method according to an embodiment of the present invention.
Detailed description
To make up for the shortcomings of the prior art, an embodiment of the present invention provides a DPMA protection model for Web applications. As shown in Fig. 1, the DPMA (Detect, Protect, Monitor, Audit) protection model integrates four major functions: Web detection (Detect), Web protection (Protect), Web monitoring (Monitor) and Web audit (Audit). Each function corresponds to one security module: the Web detection function corresponds to the Web detection module, the Web protection function to the Web protection module, the Web monitoring function to the Web monitoring module, and the Web audit function to the Web audit module. The security protection of the DPMA protection model runs through the whole life cycle of a security event, and the security modules link with one another while each plays to its own strengths, forming a defense-in-depth system for Web security.
The specific mechanism of the DPMA protection model is as follows. Before an attack occurs, the Web detection module performs security vulnerability detection on the Web application, so that potential security risks in the system are discovered in advance. When a security event occurs, the Web protection module provides real-time security protection. If an attack succeeds, the Web monitoring module perceives the attack result (such as page tampering or Trojan planting) in real time, and the Web audit module traces the attack event to its source. The modules in the DPMA protection model thus link with one another and compensate for each other's weaknesses. Through this mechanism, a complete protection system is established for the Web application, based on detection before the event, defense during the event and audit after the event.
Fig. 2 is a schematic flow diagram of the DPMA protection model in operation according to an embodiment of the present invention. As shown in Fig. 2, the DPMA protection model provided by the embodiment has four kinds of means at once: the Web detection means of the Web detection module, the Web protection means of the Web protection module, the Web monitoring means of the Web monitoring module and the Web audit means of the Web audit module. Together these four means form an interconnected Web defense-in-depth system. The four modules are introduced in turn below.
1) Web detection module
The Web detection module is the detection (D, Detect) module of the DPMA protection model. Its main function is to actively perform Web security detection on potential security threats in the Web system before they are discovered and exploited, obtain a detection result, and then identify potential risk points from the detection result. It provides a security repair method according to the potential risk point and hands that repair method to the Web protection module, so that the Web protection module uses the repair method to repair the potential risk point and forms a Web protection log from the repair method and the corresponding potential risk point; the Web protection log is the log output by the Web protection module. The content detected by the Web detection module includes at least any one of the following: Structured Query Language (SQL) injection, XPath (XML Path Language, where XML is Extensible Markup Language) injection, cross-site scripting (XSS), broken authentication and session management, insecure direct object references, cross-site request forgery (CSRF), security misconfiguration, failed remote access restrictions, unvalidated redirects and forwards, insecure cryptographic storage, and insecure transport protection.
The Web detection module hands the detection result to the Web protection module, the Web monitoring module and the Web audit module for correlation analysis and protection.
2) Web protection module
The Web protection module is the protection (P, Protect) module of the DPMA protection model. Its main function is to detect and protect against attack behavior in real time when a Web attack event occurs, effectively blocking various attacks and at the same time forming a Web protection log. The attack types protected against include all kinds of application-layer attack behavior. The Web protection module also hands protection information to the Web detection module, the Web monitoring module and the Web audit module for in-depth correlation analysis, so that one finding can be followed to related ones. The protection information includes any one of the following: attack source; attack method; attack target; URL addresses and parameters whose attack frequency is higher than a preset first uniform resource locator (URL) threshold; unauthorized public network Internet Protocol (IP) addresses; IP addresses whose attack frequency is higher than a preset first IP threshold; URL addresses and parameters with high-risk vulnerabilities; and URL addresses that have been planted with a Trojan or tampered with. Here, parameters include the various variables defined for the communication methods of the HTTP protocol, such as GET and POST.
3) Web monitoring module
The Web monitoring module is the monitoring (M, Monitor) module of the DPMA protection model. Its main functions fall into two parts, security monitoring and stability monitoring, and cover system stability, page tampering, Trojan-planting detection, backdoor detection and so on. System stability monitoring covers Web system availability, Transmission Control Protocol (TCP) response delay and Hypertext Transfer Protocol (HTTP) response delay. Page tampering monitoring watches the monitored pages for tampering in real time and raises an SMS or e-mail alarm promptly when a page is illegally replaced or tampered with. Trojan-planting detection watches the monitored pages in real time and raises an SMS or e-mail alarm promptly when a page is planted with a Trojan. Backdoor detection checks the monitored system for backdoors and raises an SMS or e-mail alarm promptly when a suspicious web page backdoor is detected.
When the system response interval becomes large, or when an attacker has bypassed the layers of protection and tampered with a page, planted a Trojan or implanted a backdoor, the Web monitoring module can detect this in real time and raise an alarm. The Web monitoring module also hands monitoring information, such as the uniform resource locator (URL) address where a problem occurred, to the Web detection module, the Web protection module and the Web audit module for correlation analysis and protection, so that the security event is investigated in depth and the problematic URL address is protected.
4) Web Audit Module
The Web audit module is the audit (A, Audit) module of the DPMA protection model. Its main function concerns security events in which an attack succeeded: the Web audit module performs security analysis on the logs of the Web attack event, detects the attack behavior and traces the attack to obtain the traced content. The traced content includes the attack behavior, the Internet Protocol (IP) address of the attack source, the attack method and the vulnerability exploited, so that accounts can be settled after the fact. The main functions of the Web audit module include: support for detecting the Web attack methods defined by the Open Web Application Security Project (OWASP) and the Web Application Security Consortium (WASC), such as SQL injection, cross-site scripting and cross-site request forgery; support for behavior-based attack detection and correlation analysis; support for attack path playback; and support for web page access control and ranking. The Web audit module also hands log analysis information, such as attack sources and suspicious web page Trojans, to the Web detection module, the Web protection module and the Web monitoring module for correlation analysis, so that attack behavior, vulnerabilities and web page Trojans are confirmed.
An embodiment of the present invention provides a linked protection technology based on the Web detection module, Web protection module, Web monitoring module and Web audit module described above. The linked protection technology links the Web detection module, Web protection module, Web monitoring module and Web audit module of the DPMA protection model through an event-based workflow hand-over mechanism. The goal of task scheduling is to combine security policies into a security task plan and to provide functions such as managing and issuing that plan. For example, when the Web protection log or the log security audit of Web attack events finds that a website has come under attack, a Web scan task can be generated automatically to check the specific pages of the website, in order to determine whether the vulnerability exists and whether an administrator needs to handle it.
Fig. 3 is a schematic flow diagram of the linked protection technology in operation according to an embodiment of the present invention. As shown in Fig. 3, the linked protection technology defines the linkage scenarios among the four modules. The linkage models are: the linkage model between the Web audit module and the Web monitoring module (written A->M below), the linkage model between the Web audit module and the Web detection module (A->D), the linkage model between the Web audit module and the Web protection module (A->P), the linkage model between the Web protection module and the Web audit module (P->A), the linkage model between the Web detection module and the Web protection module (D->P), and the linkage model between the Web monitoring module and the Web protection module (M->P). These linkage models are introduced in turn below.
I. Linkage model one (A->M): Webshell location
Fig. 4-1 is a schematic flow diagram of linkage model one in operation according to an embodiment of the present invention. As shown in Fig. 4-1, the main A->M linkage flow is as follows: (1) the Web audit module compiles statistics on the dynamic pages that users have accessed and extracts the dynamic page information of the protected website; (2) the Web audit module hands this dynamic page information to the Web monitoring module, which then crawls and inspects these dynamic pages according to that information and thereby finds hidden Webshells and unlinked Webshells. The Web audit module can also output the hidden Webshells and unlinked Webshells in the form of a Web audit log, where the Web audit log is the log output by the Web audit module, and a Webshell is a piece of code that a hacker uses to remotely control a Web server.
A Webshell is generally hidden in some directory of the website and has no link relationship with other pages, so from a black-box detection perspective its existence is hard to detect. The linkage technique provided by the A->M linkage model effectively solves the problem that, with conventional technical means, crawler technology cannot detect unlinked and hidden Webshells.
II. Linkage model two (A->D): in-depth detection
Fig. 4-2 is a schematic flow diagram of linkage model two in operation according to an embodiment of the present invention. As shown in Fig. 4-2, the main A->D linkage flow is as follows: (1) the Web audit module extracts from the logs the URL addresses and parameters that its statistics show to have a high attack frequency, where a URL address with a high attack frequency is one whose attack frequency is higher than the first URL threshold; (2) the Web audit module hands the extracted URL addresses and parameters to the Web detection module for in-depth security detection.
Scanners in general use a black-box scanning approach, so some URL addresses and parameters inevitably cannot be crawled, which leads to omissions in the scan results. The linkage technique provided by the A->D linkage model effectively solves the missed-report problem caused by black-box scanners being unable to detect all URL addresses and parameters of a website.
III. Linkage model three (A->P): unauthorized access
Fig. 4-3 is a schematic flow diagram of linkage model three in operation according to an embodiment of the present invention. As shown in Fig. 4-3, the main A->P linkage flow is as follows: (1) the Web audit module compiles statistics on the IP addresses that access the website management backend and obtains the unauthorized public network IP addresses; (2) the Web audit module notifies the Web protection module of the unauthorized public network IP addresses' access to the website management backend, so that it carries out linked protection.
In general, the website management backend must not be open to the Internet, since that exposes it to brute-force risk; the A->P linkage model can automatically detect and protect against the situation where the website management backend is open to the Internet.
IV. Linkage model four (P->A): intelligent attack confirmation
Fig. 4-4 is a schematic flow diagram of linkage model four in operation according to an embodiment of the present invention. As shown in Fig. 4-4, the main P->A linkage flow is as follows: (1) the Web protection module records the IP addresses that initiate high-frequency attacks, where such an IP address is a first IP address, namely an IP address whose attack frequency is higher than the preset first IP threshold; (2) the Web protection module hands these attacking IP addresses to the Web audit module, which analyzes the other attack behavior of these IP addresses in depth. The P->A linkage model performs correlation analysis on attack behavior, following the trail so that nothing slips through the net.
V. Linkage model five (D->P): defense in depth
Fig. 4-5 is a schematic flow diagram of linkage model five in operation according to an embodiment of the present invention. As shown in Fig. 4-5, the main D->P linkage flow is as follows: (1) the Web monitoring module records the URL addresses and parameters that have high-risk vulnerabilities; (2) the Web monitoring module hands these parameters to the Web protection module and notifies the Web protection module to carry out customized protection. The D->P linkage model hands URL addresses and parameters that are subject to high-frequency attacks or attack attempts to the Web protection module for fine-grained protection.
VI. Linkage model six (M->P): intelligent tamper protection
Fig. 4-6 is a schematic flow diagram of linkage model six in operation according to an embodiment of the present invention. As shown in Fig. 4-6, the main M->P linkage flow is as follows: (1) the Web monitoring module detects URL addresses that have been planted with a Trojan or tampered with; (2) the Web monitoring module sends these URL addresses to the Web protection module for linked protection. For websites that have been planted with a Trojan, the M->P linkage model makes automatic protection possible.
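The threshold-driven hand-overs in linkage models two, three and four (A->D, A->P and P->A) can be sketched as one pass over event records that emits routed protection information. This is an added example, not code from the patent; the record format, threshold values, backend path, authorized network and function names are assumptions, and a single merged record stream stands in for the separate audit and protection logs.

```python
import ipaddress
import json
from collections import Counter

URL_THRESHOLD = 3          # assumed value for the "first URL threshold"
IP_THRESHOLD = 4           # assumed value for the "first IP threshold"
ADMIN_PREFIX = "/admin/"   # assumed path of the website management backend
AUTHORIZED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed authorized sources

# Constructed JSON-lines records (sample data, not from the patent).
EVENTS = (
    ['{"kind":"attack","ip":"203.0.113.9","url":"/news.php","param":"id"}'] * 4
    + [
        '{"kind":"attack","ip":"203.0.113.9","url":"/search.php","param":"q"}',
        '{"kind":"attack","ip":"198.51.100.20","url":"/search.php","param":"q"}',
        '{"kind":"access","ip":"198.51.100.20","url":"/admin/login.php"}',
        '{"kind":"access","ip":"10.1.2.3","url":"/admin/login.php"}',
        'not json at all',
    ]
)


def parse(lines):
    """Yield well-formed records; malformed lines are skipped, not fatal."""
    for line in lines:
        try:
            rec = json.loads(line)
            ipaddress.ip_address(rec["ip"])   # reject records without a valid address
            rec["url"], rec["kind"]           # reject records missing required fields
        except (ValueError, KeyError, TypeError):
            continue
        yield rec


def is_authorized(ip):
    """True if the source address lies in a network allowed to reach the backend."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in AUTHORIZED_NETS)


def build_linkage(lines):
    """Turn raw records into protection-information messages for the linkage models."""
    url_hits, ip_hits, admin_ips = Counter(), Counter(), set()
    for rec in parse(lines):
        if rec["kind"] == "attack":
            url_hits[(rec["url"], rec.get("param") or "")] += 1
            ip_hits[rec["ip"]] += 1
        elif rec["url"].startswith(ADMIN_PREFIX) and not is_authorized(rec["ip"]):
            admin_ips.add(rec["ip"])
    msgs = []
    # A->D: URL and parameter pairs attacked more often than the URL threshold.
    for (url, param), n in sorted(url_hits.items()):
        if n > URL_THRESHOLD:
            msgs.append({"link": "A->D", "to": "detect", "url": url, "param": param, "count": n})
    # P->A: source addresses attacking more often than the IP threshold.
    for ip, n in sorted(ip_hits.items()):
        if n > IP_THRESHOLD:
            msgs.append({"link": "P->A", "to": "audit", "ip": ip, "count": n})
    # A->P: unauthorized addresses that reached the management backend.
    for ip in sorted(admin_ips):
        msgs.append({"link": "A->P", "to": "protect", "ip": ip})
    return msgs


def dispatch(msgs):
    """Event-based hand-over: place each message in the inbox of its target module."""
    inbox = {"detect": [], "protect": [], "monitor": [], "audit": []}
    for msg in msgs:
        inbox[msg["to"]].append(msg)
    return inbox


if __name__ == "__main__":
    for module, items in dispatch(build_linkage(EVENTS)).items():
        print(module, items)
```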
Based on the DPMA protection model above, an embodiment of the present invention further provides a security protection method. Fig. 5 is a schematic flow diagram of the implementation of the security protection method according to an embodiment of the present invention. As shown in Fig. 5, the method includes:
Step 501: the DPMA protection model obtains protection information about a Web attack event.
Here, the DPMA protection model includes: a Web detection module, a Web protection module, a Web monitoring module and a Web audit module.
Here, the protection information includes at least any one of the following: attack source; attack method; attack target; dynamic page information of the website; URL addresses and parameters whose attack frequency is higher than a preset first uniform resource locator (URL) threshold; unauthorized public network Internet Protocol (IP) addresses; IP addresses whose attack frequency is higher than a preset first IP threshold; URL addresses and parameters with high-risk vulnerabilities; and URL addresses that have been planted with a Trojan or tampered with.
Step 502: the DPMA protection model performs linkage according to the protection information of the Web attack event, to achieve security protection for the Web application.
Here, the linkage includes using the protection information of the Web attack event to interact among the Web detection module, the Web protection module, the Web monitoring module and the Web audit module.
In an embodiment of the present invention, the Web detection module is configured to perform Web security detection on potential security threats in the Web system before they are discovered and exploited, obtain a detection result, and analyze potential risk points from the detection result; and to provide a security repair method according to the potential risk point and hand the security repair method to the Web protection module, so that the Web protection module repairs the potential risk point;
The Web detection module is further configured to hand the detection result to the Web protection module, the Web monitoring module and the Web audit module for correlation analysis and protection.
In an embodiment of the present invention, the Web protection module is configured to detect and protect against a Web attack event in real time when it occurs, so as to block various attacks; the Web protection module is further configured to hand protection information to the Web detection module, the Web monitoring module and the Web audit module for in-depth correlation analysis and protection.
In an embodiment of the present invention, the Web monitoring module is configured for system stability monitoring, page tampering monitoring, Trojan-planting monitoring and backdoor monitoring, so as to obtain monitoring information, where system stability monitoring covers Web system availability, TCP response delay and HTTP response delay. The Web monitoring module is further configured to hand the monitoring information to the Web detection module, the Web protection module and the Web audit module for correlation analysis and protection, where the monitoring information represents the results obtained from system stability monitoring, page tampering monitoring, Trojan-planting monitoring and backdoor monitoring.
In an embodiment of the present invention, the Web audit module is configured, for a Web attack event in which the attack succeeded, to perform security analysis on the logs of the Web attack event and detect the traced content of the Web attack event; the Web audit module is further configured to hand the traced content to the Web detection module, the Web monitoring module and the Web protection module for correlation analysis and protection.
In the embodiment of the present invention, described based on the joint-action mechanism to attack so that described protection information exists
Interact between Web detection module, Web protection module, Web monitoring module, Web Audit Module and
Call, including:
The dynamic page that user was accessed by Web Audit Module is added up, and extracts dynamic by guarding website
Page info;
Described dynamic page information is transferred to Web monitoring module by Web Audit Module;
Dynamic page is crawled according to described dynamic page information and detects by Web monitoring module, obtains hidden
Tibetan type Webshell and without streptostyly Webshell.
In the embodiment of the present invention, described based on the joint-action mechanism to attack so that described protection information exists
Interact between Web detection module, Web protection module, Web monitoring module, Web Audit Module and
Call, including:
Described Web Audit Module is higher than the URL address of a URL threshold value to statistical attack frequency in daily record
Extract with parameter;
Web detection module is transferred in the URL address extracted and parameter by described Web Audit Module;
URL address and parameter that described Web Audit Module is transferred to according to described Web Audit Module are carried out deeply
Degree safety detection.
In the embodiment of the present invention, described based on the joint-action mechanism to attack so that described protection information exists
Interact between Web detection module, Web protection module, Web monitoring module, Web Audit Module and
Call, including:
The IP address accessing portal management backstage is added up by described Web Audit Module, obtains unauthorized
Public network IP address;
Described unauthorized public network IP address is accessed portal management backstage situation by described Web Audit Module,
Transfer to described Web protection module to carry out linked protection.
In the embodiment of the present invention, described based on the joint-action mechanism to attack so that described protection information exists
Interact between Web detection module, Web protection module, Web monitoring module, Web Audit Module and
Call, including:
Described Web protection module obtains an IP address, and a described IP address is for attacking frequency higher than pre-
If the IP address of an IP threshold value;
Described Web Audit Module is transferred in a described IP address by described Web protection module;
Described Web Audit Module analyzes the suffered Web attack of a described IP address.
In an embodiment of the present invention, causing the protection information to be exchanged and invoked among the Web detection module, Web protection module, Web monitoring module and Web audit module, based on the linkage mechanism for attacks, includes:
The Web detection module records the URL addresses and parameters that have high-risk vulnerabilities;
The Web detection module hands the URL addresses and parameters that have high-risk vulnerabilities over to the Web protection module, and the Web protection module applies customized protection.
In an embodiment of the present invention, causing the protection information to be exchanged and invoked among the Web detection module, Web protection module, Web monitoring module and Web audit module, based on the linkage mechanism for attacks, includes:
The Web monitoring module detects URL addresses that have been implanted with a trojan or tampered with;
The Web monitoring module sends the URL addresses that have been implanted with a trojan or tampered with to the Web protection module for linked protection.
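The log-driven hand-offs described in the embodiments above (audit to detection, audit to protection, protection to audit) can be sketched as follows. This is an added example, not code from the patent; the log format, thresholds, admin path prefix, internal network range and authorized-IP list are all assumptions, and the sample log is constructed.

```python
import ipaddress
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed sample log (assumed format): "<source IP> <request URL> <attack rule hit, or '-'>"
SAMPLE_LOG = """\
203.0.113.7 /news/view.php?id=1%27+or+1=1 sqli
203.0.113.7 /news/view.php?id=2+union+select sqli
203.0.113.7 /news/view.php?id=3%27-- sqli
198.51.100.20 /search.php?q=%3Cscript%3E xss
198.51.100.20 /admin/login.php?next=home -
10.0.5.12 /admin/login.php?next=home -
192.0.2.44 /admin/users.php?page=1 -
192.0.2.44 /index.php?lang=en -
"""

def parse(log):
    """Turn each log line into a record with the URL path and its parameter names."""
    records = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ip, url, rule = line.split()
        parts = urlsplit(url)
        names = tuple(sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)}))
        records.append({"ip": ip, "path": parts.path, "params": names,
                        "rule": None if rule == "-" else rule})
    return records

def audit_to_detection(records, url_threshold):
    """Audit -> detection: (URL, parameters) attacked more than url_threshold times."""
    hits = Counter((r["path"], r["params"]) for r in records if r["rule"])
    return sorted(target for target, n in hits.items() if n > url_threshold)

def audit_to_protection(records, admin_prefix, internal_nets, authorized_ips):
    """Audit -> protection: unauthorized public IPs that accessed the admin backend."""
    found = set()
    for r in records:
        addr = ipaddress.ip_address(r["ip"])
        internal = any(addr in net for net in internal_nets)
        if r["path"].startswith(admin_prefix) and not internal and r["ip"] not in authorized_ips:
            found.add(r["ip"])
    return sorted(found)

def protection_to_audit(records, ip_threshold):
    """Protection -> audit: per-rule attack counts for IPs attacking more than ip_threshold times."""
    per_ip = Counter(r["ip"] for r in records if r["rule"])
    return {ip: dict(Counter(r["rule"] for r in records if r["ip"] == ip and r["rule"]))
            for ip, n in per_ip.items() if n > ip_threshold}

def linkage_messages(log, url_threshold=2, ip_threshold=2, admin_prefix="/admin/",
                     internal_nets=(ipaddress.ip_network("10.0.0.0/8"),),
                     authorized_ips=frozenset({"192.0.2.44"})):
    """Build the (sender, receiver, protection information) hand-offs for one log batch."""
    records = parse(log)
    return [
        ("audit", "detection", audit_to_detection(records, url_threshold)),
        ("audit", "protection",
         audit_to_protection(records, admin_prefix, internal_nets, authorized_ips)),
        ("protection", "audit", protection_to_audit(records, ip_threshold)),
    ]

if __name__ == "__main__":
    for sender, receiver, info in linkage_messages(SAMPLE_LOG):
        print(f"{sender} -> {receiver}: {info}")
```

Both thresholds are compared with a strict "higher than", matching the wording of the embodiments, so a URL attacked exactly `url_threshold` times is not handed over.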
It should be understood that references throughout the specification to "one embodiment" or "an embodiment" mean that a particular feature, structure or characteristic related to the embodiment is included in at least one embodiment of the present invention. Therefore, "in one embodiment" or "in an embodiment" appearing throughout the specification does not necessarily refer to the same embodiment. In addition, these particular features, structures or characteristics may be combined in any suitable manner in one or more embodiments. It should be understood that, in the various embodiments of the present invention, the sequence numbers of the above processes do not imply an order of execution; the order of execution of each process should be determined by its function and internal logic, and should not constitute any limitation on the implementation of the embodiments of the present invention.
In the several embodiments provided in this application, it should be understood that the disclosed device and method may be implemented in other ways. The device embodiments described above are merely illustrative. For example, the division of the units is only a division by logical function, and other divisions are possible in actual implementation: multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the mutual coupling, direct coupling or communication connection between the components shown or discussed may be indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or in other forms.
The units described above as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units; some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may all be integrated into one processing unit, or each unit may serve separately as one unit, or two or more units may be integrated into one unit; the integrated unit may be implemented in the form of hardware, or in the form of hardware plus software functional units.
A person of ordinary skill in the art will understand that all or part of the steps of the above method embodiments may be completed by hardware related to program instructions. The program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes various media that can store program code, such as a removable storage device, read-only memory (Read Only Memory, ROM), a magnetic disk or an optical disc.
Alternatively, if the integrated unit of the present invention is implemented in the form of a software functional module and sold or used as an independent product, it may also be stored in a computer-readable storage medium. Based on this understanding, the technical solutions of the embodiments of the present invention, in essence or in the part that contributes to the prior art, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform all or part of the methods described in the embodiments of the present invention. The storage medium includes various media that can store program code, such as a removable storage device, ROM, a magnetic disk or an optical disc.
The above is only a specific embodiment of the present invention, but the protection scope of the present invention is not limited thereto. Any change or replacement that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall fall within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.
Claims (15)
1. A security protection method, characterized in that the method comprises:
A DPMA protection model obtains protection information about a Web attack event, wherein the DPMA protection model comprises: a Web detection module, a Web protection module, a Web monitoring module and a Web audit module;
The DPMA protection model performs linkage according to the protection information of the Web attack event to achieve security protection of the Web application, wherein the linkage includes using the protection information of the Web attack event to interact among the Web detection module, Web protection module, Web monitoring module and Web audit module.
2. The method according to claim 1, characterized in that the protection information includes at least any one of the following: attack source, attack method, attack target, dynamic page information of the website, URL addresses and parameters whose attack frequency is higher than a preset first uniform resource locator (URL) threshold, unauthorized public-network Internet Protocol (IP) addresses, IP addresses whose attack frequency is higher than a preset IP threshold, URL addresses and parameters with high-risk vulnerabilities, and URL addresses that have been implanted with a trojan or tampered with.
3. The method according to claim 1, characterized in that the DPMA protection model performing linkage according to the protection information of the Web attack event includes:
The Web detection module performs Web security detection on potential security threats, obtains a detection result, and analyzes potential risk points from the detection result;
The Web detection module provides a security remediation method according to the potential risk points, then hands the security remediation method over to the Web protection module; the Web protection module uses the security remediation method to repair the potential risk points, and forms a Web protection log from the security remediation method and the corresponding potential risk points;
The Web detection module hands the detection result over to the Web protection module, Web monitoring module and Web audit module for correlation analysis and protection.
4. The method according to claim 1, characterized in that the DPMA protection model performing linkage according to the protection information of the Web attack event includes:
The Web protection module, when a Web attack event occurs, detects and protects against the Web attack event in real time, so as to block the various attacks;
The Web protection module hands the protection information over to the Web detection module, Web monitoring module and Web audit module for in-depth correlation analysis and protection.
5. The method according to claim 1, characterized in that the DPMA protection model performing linkage according to the protection information of the Web attack event includes:
The Web monitoring module performs system stability monitoring, page tampering monitoring, trojan-implant monitoring and backdoor monitoring to obtain monitoring information, wherein system stability monitoring includes monitoring Web system availability, TCP response delay and HTTP response delay; meanwhile,
The Web monitoring module hands the monitoring information over to the Web detection module, Web protection module and Web audit module for correlation analysis and protection.
6. The method according to claim 1, characterized in that the DPMA protection model performing linkage according to the protection information of the Web attack event includes:
The Web audit module, for Web attack events in which the attack succeeded, performs security analysis on the logs of the Web attack events and obtains the traceability content of the Web attack events;
The Web audit module hands the traceability content over to the Web detection module, Web monitoring module and Web protection module for correlation analysis and protection.
7. The method according to any one of claims 1 to 6, characterized in that the DPMA protection model performing linkage according to the protection information of the Web attack event includes:
The Web audit module compiles statistics on the dynamic pages that users have accessed and extracts the dynamic page information of the protected website;
The Web audit module hands the dynamic page information over to the Web monitoring module;
The Web monitoring module crawls and detects the dynamic pages according to the dynamic page information, obtains hidden Webshells and unlinked Webshells, and outputs the hidden Webshells and unlinked Webshells.
8. The method according to any one of claims 1 to 6, characterized in that the DPMA protection model performing linkage according to the protection information of the Web attack event includes:
The Web audit module extracts the URL addresses and parameters whose counted attack frequency in the logs is higher than a URL threshold;
The Web audit module hands the extracted URL addresses and parameters over to the Web detection module;
The Web audit module performs in-depth security detection on the URL addresses and parameters handed over by the Web audit module.
9. The method according to any one of claims 1 to 6, characterized in that the DPMA protection model performing linkage according to the protection information of the Web attack event includes:
The Web audit module compiles statistics on the IP addresses that access the portal management backend and obtains the unauthorized public-network IP addresses;
The Web audit module sends the record of the unauthorized public-network IP addresses accessing the portal management backend to the Web protection module.
10. The method according to any one of claims 1 to 6, characterized in that the DPMA protection model performing linkage according to the protection information of the Web attack event includes:
The Web protection module obtains an IP address, this IP address being one whose attack frequency is higher than a preset IP threshold;
The Web protection module hands this IP address over to the Web audit module;
The Web audit module analyzes the Web attack events associated with this IP address.
11. The method according to any one of claims 1 to 6, characterized in that the DPMA protection model performing linkage according to the protection information of the Web attack event includes:
The Web detection module records the URL addresses and parameters that have high-risk vulnerabilities;
The Web detection module hands the URL addresses and parameters that have high-risk vulnerabilities over to the Web protection module;
The Web protection module applies customized protection according to the URL addresses and parameters of the high-risk vulnerabilities.
12. The method according to any one of claims 1 to 6, characterized in that the DPMA protection model performing linkage according to the protection information of the Web attack event includes:
The Web monitoring module detects URL addresses that have been implanted with a trojan or tampered with;
The Web monitoring module sends the URL addresses that have been implanted with a trojan or tampered with to the Web protection module.
13. A DPMA protection model, characterized in that the DPMA protection model comprises four modules: a Web detection module, a Web protection module, a Web monitoring module and a Web audit module, wherein:
The Web detection module is configured to perform Web security detection on potential security threats, obtain a detection result, and analyze potential risk points from the detection result; and to provide a security remediation method according to the potential risk points, then hand the security remediation method over to the Web protection module, so that the Web protection module uses the security remediation method to repair the potential risk points;
The Web detection module is further configured to hand the detection result over to the Web protection module, Web monitoring module and Web audit module for correlation analysis and protection.
14. The model according to claim 13, characterized in that the Web protection module is configured to, when a Web attack event occurs, detect and protect against the Web attack event in real time, so as to block the various attacks;
The Web protection module is further configured to hand the protection information over to the Web detection module, Web monitoring module and Web audit module for in-depth correlation analysis and protection.
15. The model according to claim 13 or 14, characterized in that the Web monitoring module is configured to perform system stability monitoring, page tampering monitoring, trojan-implant monitoring and backdoor monitoring to obtain monitoring information, wherein system stability monitoring includes monitoring Web system availability, TCP response delay and HTTP response delay; meanwhile,
The Web monitoring module is further configured to hand the monitoring information over to the Web detection module, Web protection module and Web audit module for correlation analysis and protection.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510026104.4A CN105871775B (en) | 2015-01-19 | 2015-01-19 | A kind of safety protecting method and DPMA Protection Model |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510026104.4A CN105871775B (en) | 2015-01-19 | 2015-01-19 | A kind of safety protecting method and DPMA Protection Model |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105871775A true CN105871775A (en) | 2016-08-17 |
CN105871775B CN105871775B (en) | 2019-03-12 |
Family
ID=56622805
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510026104.4A Active CN105871775B (en) | 2015-01-19 | 2015-01-19 | A kind of safety protecting method and DPMA Protection Model |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105871775B (en) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106656975A (en) * | 2016-10-18 | 2017-05-10 | 新华三技术有限公司 | Attack defense method and attack defense device |
CN106790169A (en) * | 2016-12-29 | 2017-05-31 | 杭州迪普科技股份有限公司 | The means of defence and device of scanning device scanning |
CN107277080A (en) * | 2017-08-23 | 2017-10-20 | 深信服科技股份有限公司 | A kind of is the internet risk management method and system of service based on safety |
CN108234431A (en) * | 2016-12-22 | 2018-06-29 | 阿里巴巴集团控股有限公司 | A kind of backstage logs in behavioral value method and detection service device |
CN109067772A (en) * | 2018-09-10 | 2018-12-21 | 四川中电启明星信息技术有限公司 | A kind of component and safety protecting method for security protection |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20040098623A1 (en) * | 2002-10-31 | 2004-05-20 | Secnap Network Security, Llc | Intrusion detection system |
CN101257399A (en) * | 2007-12-29 | 2008-09-03 | 中国移动通信集团四川有限公司 | Service system united safe platform |
CN102111420A (en) * | 2011-03-16 | 2011-06-29 | 上海电机学院 | Intelligent NIPS framework based on dynamic cloud/fire wall linkage |
CN102739647A (en) * | 2012-05-23 | 2012-10-17 | 国家计算机网络与信息安全管理中心 | High-interaction honeypot based network security system and implementation method thereof |
Non-Patent Citations (3)
Title |
---|
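Beijing Zhongxin Jun'an Technology Co., Ltd.: "WebTrust Application Firewall Product Introduction", Baidu Wenku * |
Jiang Chao: "Design and Implementation of an Application-Layer-Oriented Network Security Solution", China Excellent Master's Theses Full-text Database * |
Sangfor Technologies: "The No. 1 Next-Generation Firewall Brand in China", Baidu Wenku * |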
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106656975A (en) * | 2016-10-18 | 2017-05-10 | 新华三技术有限公司 | Attack defense method and attack defense device |
CN106656975B (en) * | 2016-10-18 | 2020-01-24 | 新华三技术有限公司 | Attack defense method and device |
CN108234431A (en) * | 2016-12-22 | 2018-06-29 | 阿里巴巴集团控股有限公司 | A kind of backstage logs in behavioral value method and detection service device |
CN106790169A (en) * | 2016-12-29 | 2017-05-31 | 杭州迪普科技股份有限公司 | The means of defence and device of scanning device scanning |
CN106790169B (en) * | 2016-12-29 | 2020-06-09 | 杭州迪普科技股份有限公司 | Protection method and device for scanning of scanning equipment |
CN107277080A (en) * | 2017-08-23 | 2017-10-20 | 深信服科技股份有限公司 | A kind of is the internet risk management method and system of service based on safety |
CN109067772A (en) * | 2018-09-10 | 2018-12-21 | 四川中电启明星信息技术有限公司 | A kind of component and safety protecting method for security protection |
Also Published As
Publication number | Publication date |
---|---|
CN105871775B (en) | 2019-03-12 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||