CN108270730A - Application layer detection method, apparatus and electronic device for extending a firewall


Info

Publication number: CN108270730A
Authority: CN (China)
Legal status: Pending
Application number: CN201611260548.5A
Other languages: Chinese (zh)
Inventors: 杨振华, 于洪, 高伟
Current assignee: Beijing Feilixin Electronic Tech Co Ltd
Original assignee: Beijing Feilixin Electronic Tech Co Ltd
Application filed by Beijing Feilixin Electronic Tech Co Ltd; priority to CN201611260548.5A; publication CN108270730A

Classifications

    • H04L63/0236 Network security; separating internal from external traffic (firewalls); filtering policies; filtering by address, protocol, port number or service, e.g. IP address or URL
    • H04L63/0245 Network security; separating internal from external traffic (firewalls); filtering policies; filtering by information in the payload
    • H04L63/0263 Network security; separating internal from external traffic (firewalls); filtering policies; rule management
    • H04L43/026 Monitoring or testing data switching networks; capturing of monitoring data using flow identification
    • H04L43/028 Monitoring or testing data switching networks; capturing of monitoring data by filtering

Abstract

The present invention relates to an application layer detection method, apparatus and electronic device for extending a firewall. The detection method includes: performing traffic preprocessing on network application traffic to obtain the carrier protocol type and the network application type of the traffic; obtaining the corresponding carrier-protocol decoding code according to the carrier protocol type and the network application type, and parsing the characteristic information of the carrier protocol; matching the characteristic information against predefined application features to obtain the numeric identifier of the network application, and using that numeric identifier as an index to look up and execute the logic code corresponding to that kind of application in the code library of the programmable engine. The technical solution gives the firewall programmable functions, so that the firewall can learn new knowledge; through deep integration with the customer's application business systems it implements dynamic and flexible adjustment, increases the firewall's dynamic scalability under different application scenarios, and thereby achieves active defense with intelligent control of the security boundary.

Description

Application layer detection method, apparatus and electronic device for extending a firewall
Technical field
The present invention relates to the technical field of network security applications, and in particular to an application layer detection method, apparatus and electronic device for extending a firewall.
Background art
As enterprises and society pay ever more attention to network information security, firewalls are required to perform deep analysis of network applications. Network applications, however, are extremely diverse; with the development of the mobile Internet in particular, the number of mobile apps has grown explosively, so expecting a single firewall application detection engine to analyze every application in depth is impractical. Moreover, from the user's perspective, an enterprise user does not care about every network application and its security. What they care about are the Internet applications involved in enterprise office work, such as web mail, microblogs and WeChat, together with the enterprise's own private applications.
Compared with a traditional firewall, which has no programmable capability, the firewall of the present invention is programmable: however the application business adjusts, changes or innovates, the firewall's programmable technology can adapt dynamically. Through programmable technology the firewall of the present invention improves the device's adaptability and extensibility under different application scenarios; customized logic code is designed by independent programming to match the business operation logic of the network application reliably, so as to achieve active defense with intelligent control of boundary security.
Summary of the invention
To solve the problems of the prior art, the present invention proposes an application layer detection method, apparatus and electronic device for extending a firewall, so that the firewall has programmable functions. Once the firewall makes use of programmable technology, it is in effect given the ability to learn new knowledge; through deep integration with the customer's application business systems it implements dynamic and flexible adjustment, can increase the firewall's dynamic scalability under different application scenarios, and supports learning different network applications as well as fine-grained control and security management.
To achieve the above object, the present invention provides an application layer detection method for extending a firewall, including:
performing traffic preprocessing on network application traffic to obtain the carrier protocol type and the network application type of the network application traffic;
obtaining the corresponding carrier-protocol decoding code according to the carrier protocol type and the network application type of the network application traffic, and parsing the characteristic information of the carrier protocol;
performing code matching on the characteristic information against predefined application features to obtain the numeric identifier of the network application traffic, and using the numeric identifier as an index to look up and execute the logic code corresponding to the network application stored in the code library of the programmable engine.
Optionally, in an embodiment of the present invention, the logic code is written for the network application either online or offline.
Optionally, in an embodiment of the present invention, the logic code undergoes code preprocessing after it has been written; the code preprocessing step includes:
loading the logic code;
executing the corresponding logic of the loaded logic code, detecting error information produced during execution of the logic code, and judging whether the execution result meets expectations;
revising the logic code according to the detection result.
Optionally, in an embodiment of the present invention, the method further includes:
performing MIME decoding on the payload of a carrier protocol that requires MIME decoding, while verifying the network application traffic.
Optionally, in an embodiment of the present invention, the traffic preprocessing step includes:
reassembling the network traffic;
identifying the reassembled network traffic data to obtain the carrier protocol type and the network application type of the network traffic.
Optionally, in an embodiment of the present invention, the traffic preprocessing step further includes:
if the network traffic is encrypted and authenticated by the SSL protocol, processing the network traffic through an SSL proxy before reassembly, restoring the encrypted network traffic to plaintext network traffic.
To achieve the above object, the present invention also provides an application layer detection apparatus for extending a firewall, including:
a traffic preprocessing unit, for performing traffic preprocessing on network application traffic to obtain the carrier protocol type and the network application type of the network application traffic;
a feature extraction unit, for obtaining the corresponding carrier-protocol decoding code according to the carrier protocol type and the network application type of the network application traffic, and parsing the characteristic information of the carrier protocol;
a detection unit, for performing code matching on the characteristic information against predefined application features to obtain the numeric identifier of the network application traffic, and using the numeric identifier as an index to look up and execute the logic code corresponding to the network application stored in the code library of the programmable engine.
Optionally, in an embodiment of the present invention, the logic code found by the detection unit is written for the network application either online or offline.
Optionally, in an embodiment of the present invention, the apparatus further includes a code preprocessing unit; the code preprocessing unit includes:
a loading module, for loading the logic code;
a pre-execution module, for executing the corresponding logic of the loaded logic code, detecting error information produced during execution of the logic code, and judging whether the execution result meets expectations;
a revision module, for revising the logic code according to the detection result.
Optionally, in an embodiment of the present invention, the apparatus further includes:
a MIME decoding and verification unit, for performing MIME decoding on the payload of a carrier protocol that requires MIME decoding, while verifying the network application traffic.
Optionally, in an embodiment of the present invention, the traffic preprocessing unit includes:
a reassembly module, for reassembling the network traffic;
an identification module, for identifying the reassembled network traffic data to obtain the carrier protocol type and the network application type of the network traffic.
Optionally, in an embodiment of the present invention, the traffic preprocessing unit further includes:
an SSL proxy module, for processing the network traffic through an SSL proxy before reassembly if the network traffic is encrypted and authenticated by the SSL protocol, restoring the encrypted network traffic to plaintext network traffic.
To achieve the above object, the present invention also provides an electronic device, the electronic device including the application layer detection apparatus for extending a firewall described above.
Compared with the prior art, the technical solution designs a programmable mechanism that gives the firewall platform itself the ability to extend application detection dynamically. Because the code executes at the logic level of the network application, all details of the network application can be fully mined by customized code. A programmer writes logic code for a particular network application; once the firewall's application recognition detects the corresponding network application, the firewall executes the logic code for that kind of application. The firewall's application layer deep detection capability can thus be extended quickly, solving the problems that a firewall supports only a limited number of network applications and cannot analyze an enterprise's private applications in depth.
Description of the drawings
In order to illustrate the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings required in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and a person of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is the architecture diagram of the technical solution;
Fig. 2 is a functional block diagram of the application layer detection apparatus for extending a firewall provided by an embodiment of the present invention;
Fig. 3 is a flowchart of the application layer detection method for extending a firewall provided by an embodiment of the present invention;
Fig. 4 shows an electronic device provided by an embodiment of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings of the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
Those skilled in the art will know that embodiments of the present invention can be implemented as a system, apparatus, device, method or computer program product. Therefore, the present disclosure can be implemented in the following forms: entirely hardware, entirely software (including firmware, resident software, microcode, etc.), or a combination of hardware and software.
According to the embodiments of the present invention, an application layer detection method, apparatus and electronic device for extending a firewall are proposed.
Herein, the following term is to be understood:
Firewall: a protective barrier composed of software and hardware devices, constructed at the interface between an intranet and an extranet, or between a private network and a public network. It is a figurative name for a method of obtaining security: a combination of computer hardware and software that establishes a security gateway between the Internet and the intranet, so as to protect the intranet from intrusion by illegal users. A firewall is mainly composed of four parts: service access rules, verification tools, packet filtering and an application gateway. A firewall is a piece of software or hardware located between the computer and the network it connects to; all network communication and data packets flowing into and out of the computer pass through this firewall.
In addition, any number of elements in the drawings is used for illustration and not limitation, and any naming is used only for distinction, without any limiting meaning.
The principle and spirit of the present invention are described in detail below with reference to several representative embodiments.
Overview of the invention
Conventionally, users such as enterprises generally use a firewall as the first line of defense of an effective security system. A traditional network firewall can only inspect packet headers, and most session layer firewalls cannot even prevent the most basic application-type attacks. An application layer firewall, by contrast, can inspect the information flow of an application program and perform deep content inspection and filtering of a variety of application layer protocols, so as to prevent security incidents such as SQL injection, web page tampering and web page Trojan embedding. With the rapid development of network applications, however, existing firewall technology means that a firewall supports only a limited number of network applications. Also, in practical use, existing firewalls do not analyze an enterprise's private applications in sufficient depth.
To this end, the present invention provides a programmable firewall technology. A high-performance firewall serves as the programmable base platform: it preprocesses network application traffic and obtains the corresponding carrier protocol type and network application type from the network traffic. Depending on the carrier protocol type, the traffic may be an HTTP session or a segment of continuous data. Developers write logic code for a particular network application, either in advance or online, according to its carrier protocol type and network application type; once the firewall's application recognition detects the corresponding application, the firewall executes the logic code for that kind of application.
Further, as network applications increase, developers write the corresponding logic code online, or complete it offline in advance, according to the characteristic information of the network application. The deep detection of the firewall obtains the corresponding characteristic information of the network application, matches that characteristic information against predefined application features, obtains the corresponding logic code from the code library and executes it. This solves the problems that a firewall supports only a limited number of network applications and cannot analyze an enterprise's private applications in depth. Having described the basic principle of the present invention, various non-limiting embodiments of the present invention are introduced specifically below.
Operating principle
Refer first to Fig. 1, the architecture diagram of the technical solution. The firewall's data forwarding and processing are developed in C; for deep integration with the firewall, Lua is chosen as the base development language for programming. The firewall's programmable engine is developed in C and externally provides a Lua language interface. As shown in Fig. 1, the firewall of the technical solution includes a programmable engine and a traffic preprocessor. The programmable engine of the firewall includes a code preprocessor, a code library, a MIME decoder, a feature matching module and a memory management module. The code library stores the corresponding logic code written for different network applications.
The programmable engine exists as an independent daemon process. After startup it loads logic code through the code preprocessor, whose purpose is to check all syntax errors and report them back to the user until every syntax error has been eliminated. Next, the code preprocessor executes the logic of the syntax-error-free logic code starting from its entry function, in order to detect errors during execution and to verify whether the output of the code meets expectations. The developer can then debug and revise the code according to the output until the result has the expected effect, after which the revised logic code is imported into the code library. In the technical solution, logic code can be written online or offline: it may be written online through the UI interface provided by the firewall, or with any third-party text editing tool, and once written it can be stored in the code library of the programmable engine only after passing verification steps such as preprocessing and emulation.
As a gateway device, the firewall's unit of processing is the IP packet. IP packets are the network application traffic, and that traffic must first pass through the traffic preprocessor before entering the programmable engine for analysis. Network traffic is first reassembled, eliminating transmission problems such as out-of-order delivery, overlap and retransmission. It then enters the firewall's built-in application identification module, which identifies the carrier protocol type and application type of the network traffic; carrier protocols mainly include HTTP, FTP, TFTP, SMTP, POP3 and IMAP. In the Web 2.0 era, a large number of network applications are extensions built on the HTTP protocol.
In practical use, for example, a TCP session (a request and a response) serves as the basic data unit and is sent to the programmable engine through a message queue for further analysis. The information sent to the programmable engine together with the application session also includes the carrier protocol type and the network application type: for Sina Weibo traffic, for instance, the carrier protocol is HTTP and the application type is Sina Weibo.
In addition, with the widespread use of SSL, more and more network applications are encrypted and authenticated using the SSL protocol. For such SSL-encrypted traffic, the traffic preprocessor can enable an SSL proxy function that splits one SSL-encrypted connection into two SSL connections: client to firewall, and firewall to server. Network application traffic encrypted by SSL is therefore first processed by the SSL proxy, which restores the encrypted traffic to plaintext traffic before subsequent processing.
The traffic preprocessor sends information such as the carrier protocol type and the application type (represented by an id) of the network application traffic to the programmable engine through a message queue. Code preprocessing and traffic preprocessing describe the programmable framework from two different dimensions: the logic code that has been written can be stored in the code library of the programmable engine only after code preprocessing, and once loading is complete the firewall gains a new application analysis capability when processing network data flows.
Once the programmable engine receives a message, it first finds the corresponding carrier-protocol decoding code according to the carrier protocol type (such as HTTP or FTP) and parses the characteristic information of the carrier protocol. For the HTTP protocol, for example, it parses HTTP header information such as the URL, Host and cookie. It then judges whether the payload of the carrier protocol requires MIME decoding, and at the same time further verifies the network application traffic, preventing misidentified or malformed messages from entering the subsequent logic processing flow of the programmable engine.
Next, the corresponding code block in the code library is looked up according to the application type, and execution starts from the entry function of that code block; the characteristic information of the carrier protocol is matched against predefined application features, and the corresponding logic code is matched from the code block. Network application data is passed between the firewall's data forwarding plane and the programmable engine through a message queue, and the obtained logic code is stored in a pre-allocated block of shared memory. After the programmable engine has finished executing, the firewall's data forwarding plane reads the logic code from shared memory and, according to the firewall's configuration, performs the action specified by the corresponding logic code on the corresponding network application. For example, the programmable engine may have parsed, through the logic code, a file transmitted by the network application; this file can then be submitted to a built-in or external antivirus engine for scanning.
Exemplary apparatus
With reference to the architecture diagram of Fig. 1, the apparatus of an exemplary embodiment of the present invention is introduced with reference to Fig. 2.
It should be noted that the above application scenario is shown only to facilitate understanding of the spirit and principle of the present invention, and the embodiments of the present invention are not limited in this respect. On the contrary, embodiments of the present invention can be applied to any applicable scenario.
Refer to Fig. 2, a functional block diagram of the application layer detection apparatus for extending a firewall provided by an embodiment of the present invention. As shown, it includes a traffic preprocessing unit 201, a feature extraction unit 202 and a detection unit 203, wherein:
the traffic preprocessing unit 201 is for performing traffic preprocessing on network application traffic to obtain the carrier protocol type and the network application type of the network traffic;
the feature extraction unit 202 is for obtaining the corresponding carrier-protocol decoding code according to the carrier protocol type and the network application type of the network application traffic, and parsing the characteristic information of the carrier protocol;
the detection unit 203 is for matching the characteristic information against predefined application features to obtain the numeric identifier of the network application, and using the numeric identifier as an index to look up and execute the logic code corresponding to that kind of application in the code library of the programmable engine.
In this embodiment, the logic code found by the detection unit is written for the network application either online or offline.
In order to ensure that the logic code extending the firewall achieves the desired effect, on the basis of Fig. 2 the application layer detection apparatus for extending a firewall further includes a code preprocessor, and the logic code in the detection unit is processed by the code preprocessor. The code preprocessing unit includes:
a loading module, for loading the logic code;
a pre-execution module, for executing the corresponding logic of the loaded logic code, detecting error information produced during execution of the logic code, and judging whether the execution result meets expectations;
a revision module, for revising the logic code according to the detection result.
In another embodiment, on the basis of Fig. 2, the application layer detection apparatus for extending a firewall further includes:
a MIME decoding and verification unit, for performing MIME decoding on the payload of a carrier protocol that requires MIME decoding, while verifying the network application traffic.
In this embodiment, the traffic preprocessing unit includes:
a reassembly module, for reassembling the network traffic;
an identification module, for identifying the reassembled network traffic data to obtain the carrier protocol type and the application type of the network traffic.
Further, besides the reassembly module and the identification module, if the network traffic is encrypted and authenticated by the SSL protocol, the traffic preprocessing unit further includes an SSL proxy module, wherein:
the SSL proxy module is for processing the network traffic through an SSL proxy before reassembly, restoring the encrypted network traffic to plaintext network traffic.
For the present apparatus, the logic code involved in the detection unit can be written online, or the corresponding logic code can be written offline in advance, directly extending the code library in the apparatus. The firewall platform itself thus has the ability to extend application detection dynamically, which is equivalent to giving the firewall the ability to learn new knowledge, dynamically and flexibly, so that the firewall can recognize different network applications under different application scenarios.
In addition, although several units of the apparatus are mentioned in the detailed description above, this division is not mandatory. In fact, according to the embodiments of the present invention, the features and functions of two or more units described above may be embodied in one unit. Likewise, the features and functions of one unit described above may be further divided and embodied by multiple units.
Exemplary method
Having described the apparatus of the exemplary embodiment of the present invention, the method of the exemplary embodiment of the present invention is introduced next with reference to Fig. 3.
Fig. 3 is a flowchart of the application layer detection method for extending a firewall provided by an embodiment of the present invention. The method includes:
Step 301): performing traffic preprocessing on network application traffic to obtain the carrier protocol type and the network application type of the network traffic;
In this step, the traffic preprocessing step includes:
reassembling the network traffic;
identifying the reassembled network traffic data to obtain the carrier protocol type and the network application type of the network traffic.
Further, if the network traffic is encrypted and authenticated by the SSL protocol, the traffic preprocessing step further includes:
before reassembly, processing the network traffic through an SSL proxy, restoring the encrypted network traffic to plaintext network traffic.
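Step 301 and its sub-steps, like the traffic preprocessor described under Operating principle (reassembly that removes out-of-order delivery, overlap and retransmission, followed by identification of the carrier protocol and application type), are illustrated by the following example. It is added here for illustration and is not code from the patent, whose preprocessor is part of a C firewall; the TCP segments, the protocol opening patterns and the host-to-application table are constructed assumptions. SSL proxying is left out because it runs before this stage and needs a live TLS endpoint.

```python
"""Step 301, traffic preprocessing: reassemble a TCP byte stream from segments
that arrive out of order, overlap or are retransmitted, then identify the
carrier protocol and the application type from the reassembled data.

Added illustration in Python, not the patent's code. Segments, protocol
patterns and the host-to-application table are constructed for the example."""
import re
from typing import Dict, List, Optional, Tuple

# One HTTP request split into TCP segments as (relative sequence number,
# payload). Delivery order is deliberately hostile: the second segment arrives
# first, the third overlaps the second by three bytes ("SUB"), and the first
# segment is retransmitted. Constructed data.
SEGMENTS: List[Tuple[int, bytes]] = [
    (30, b"weibo.com\r\nCookie: SUB"),
    (0, b"GET /feed HTTP/1.1\r\nHost: www."),
    (49, b"SUB=abc\r\n\r\n"),
    (0, b"GET /feed HTTP/1.1\r\nHost: www."),  # retransmission
]

# Client-side opening patterns for the carrier protocols the page lists. FTP
# and POP3 both open with USER and are told apart by port in practice, so only
# one of them is keyed here; TFTP runs over UDP and has no byte stream.
CARRIER_PATTERNS: Dict[str, bytes] = {
    "HTTP": rb"^(GET|POST|PUT|HEAD|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n",
    "SMTP": rb"^(EHLO|HELO) ",
    "IMAP": rb"^\S+ (LOGIN|AUTHENTICATE|CAPABILITY)\b",
    "FTP": rb"^USER ",
}

# Host suffix -> application type (constructed table).
APP_BY_HOST: Dict[str, str] = {"weibo.com": "sina_weibo", "mail.example.com": "web_mail"}


def reassemble(segments: List[Tuple[int, bytes]]) -> bytes:
    """Rebuild the in-order byte stream. Segments are processed in sequence
    order; bytes already delivered are discarded (this covers retransmissions
    and overlapping tails), and reassembly stops at the first hole so that no
    data after a missing segment is ever handed to the engine."""
    out = bytearray()
    for seq, data in sorted(segments, key=lambda s: s[0]):
        have = len(out)
        if seq > have:                  # hole: the preceding segment is missing
            break
        if seq + len(data) <= have:     # entirely duplicate
            continue
        out += data[have - seq:]        # keep only the new tail
    return bytes(out)


def identify(stream: bytes) -> Tuple[Optional[str], Optional[str]]:
    """Return (carrier protocol, application type). The application type is
    resolved only for HTTP, from the Host header; anything else is None."""
    for proto, pattern in CARRIER_PATTERNS.items():
        if re.match(pattern, stream):
            break
    else:
        return None, None
    if proto != "HTTP":
        return proto, None
    m = re.search(rb"\r\n[Hh]ost:[ \t]*([^\r\n]+)\r\n", stream)
    if not m:
        return proto, None
    host = m.group(1).strip().decode("ascii", "replace").lower()
    for suffix, app in APP_BY_HOST.items():
        if host == suffix or host.endswith("." + suffix):
            return proto, app
    return proto, None


def preprocess(segments: List[Tuple[int, bytes]]) -> dict:
    """Traffic preprocessing as one step: reassemble, then identify."""
    stream = reassemble(segments)
    proto, app = identify(stream)
    return {"protocol": proto, "app": app, "stream": stream}


if __name__ == "__main__":
    print(preprocess(SEGMENTS))
```

The point a practitioner should keep from this is the hole rule: the reassembler stops at the first missing segment instead of skipping it, and drops bytes it has already delivered instead of letting a later overlapping segment rewrite them. Those two ambiguities (which copy of an overlap the endpoint keeps, and what happens after a gap) are the classic ways inspection devices are evaded, so whatever policy the firewall's reassembler follows must match the one used by the hosts it protects.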
Step 302): obtaining the corresponding carrier-protocol decoding code according to the carrier protocol type and the network application type of the network application traffic, and parsing the characteristic information of the carrier protocol;
Step 303): matching the characteristic information against predefined application features to obtain the numeric identifier of the network application, and using the numeric identifier as an index to look up and execute the logic code corresponding to that kind of application in the code library of the programmable engine.
In this embodiment, the logic code in the code block undergoes code preprocessing. The code preprocessing step includes:
loading the logic code;
executing the corresponding logic of the loaded logic code, detecting error information produced during execution of the logic code, and judging whether the execution result meets expectations;
revising the logic code according to the detection result.
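The code preprocessing steps above, and the code preprocessor described under Operating principle (load the code, report syntax errors, pre-execute from the entry function, check the output against the expectation, and only then admit the code to the code library), can be shown as the following gate. It is an added example in Python and not the patent's code, whose engine is written in C and executes Lua; the logic source, the sample message, the expected verdict and the identifier 1001 are constructed assumptions.

```python
"""Code preprocessing gate for the programmable engine: load a developer's
logic code, reject it on syntax errors, pre-execute its entry function on a
sample message, compare the result with the expected verdict, and admit it to
the code library only when every check passes. A failed check returns a report
the developer uses to revise the code.

Added illustration in Python, not the patent's code. The logic source, sample
message, expected verdict and identifier 1001 are constructed."""
from typing import Callable, Dict, List, Optional, Tuple

# numeric application identifier -> admitted entry function
CODE_LIBRARY: Dict[int, Callable[[dict], dict]] = {}

# Builtins exposed to logic code. Python's exec() is not a sandbox, so this
# allow-list only removes the obvious escape hatches (open, __import__);
# a production engine confines scripts in an interpreter built for that.
SAFE_BUILTINS = {"len": len, "str": str, "int": int, "any": any, "all": all}

# Developer-submitted logic for application 1001 (constructed): send uploads
# under /upload to the antivirus engine, log everything else.
LOGIC_SOURCE = '''
def entry(msg):
    action = "log"
    if msg["method"] == "POST" and msg["url"].startswith("/upload"):
        action = "scan_attachment"
    return {"app_id": 1001, "action": action}
'''
SAMPLE_MSG = {"method": "POST", "url": "/upload/file", "host": "www.weibo.com"}
EXPECTED = {"app_id": 1001, "action": "scan_attachment"}


def load(source: str) -> Tuple[Optional[Callable], List[str]]:
    """Loading step: compile (syntax check) and run the module body in a
    namespace with restricted builtins; the module must define entry(msg)."""
    try:
        code = compile(source, "<logic>", "exec")
    except SyntaxError as e:
        return None, [f"syntax error at line {e.lineno}: {e.msg}"]
    ns = {"__builtins__": SAFE_BUILTINS}
    try:
        exec(code, ns)
    except Exception as e:
        return None, [f"load error: {type(e).__name__}: {e}"]
    entry = ns.get("entry")
    if not callable(entry):
        return None, ["no entry(msg) function defined"]
    return entry, []


def pre_execute(entry: Callable, sample: dict, expected: dict) -> List[str]:
    """Pre-execution step: run the entry function on the sample message,
    capture runtime errors, and check the result against the expectation.
    Returns the list of problems found (empty when the code behaves)."""
    try:
        result = entry(dict(sample))
    except Exception as e:
        return [f"runtime error: {type(e).__name__}: {e}"]
    if result != expected:
        return [f"unexpected result {result!r}, expected {expected!r}"]
    return []


def preprocess(app_id: int, source: str, sample: dict, expected: dict) -> Tuple[bool, List[str]]:
    """Whole gate. Only code that passes both steps is stored in the library,
    keyed by the application identifier the engine later looks up."""
    entry, problems = load(source)
    if problems:
        return False, problems
    problems = pre_execute(entry, sample, expected)
    if problems:
        return False, problems
    CODE_LIBRARY[app_id] = entry
    return True, []


if __name__ == "__main__":
    print(preprocess(1001, LOGIC_SOURCE, SAMPLE_MSG, EXPECTED))
```

The restricted builtins are the check a practitioner would insist on: logic code submitted through a UI is an execution path into the firewall itself, so the engine must bound what that code can reach, and a bare interpreter call does not do that on its own.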
On the basis of Fig. 3, the application layer detection method for extending a firewall further includes:
performing MIME decoding on the payload of a carrier protocol that requires MIME decoding, while verifying the network application traffic.
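Steps 302 and 303 together with the MIME and verification step above follow the path the Operating principle section describes: decode the carrier protocol and parse URL, Host and cookie, MIME-decode the payload where its content type requires it, reject malformed messages before any logic code runs, match the characteristics against predefined application features to obtain the numeric identifier, and execute the logic code stored under that identifier. The following example shows that path end to end for HTTP. It is added here and is not the patent's code (whose engine is C with Lua logic); the sample request, the feature table, the identifiers 1000 and 1001 and the two logic functions are constructed assumptions.

```python
"""Steps 302 and 303 plus the MIME step, for HTTP: decode the carrier protocol
into characteristic information, drop malformed messages before logic code
runs, MIME-decode a multipart payload when declared, match characteristics
against predefined application features to obtain the numeric identifier, and
dispatch to the logic code stored under that identifier.

Added illustration in Python, not the patent's code. The sample request,
feature table, identifiers 1000/1001 and logic functions are constructed."""
import email
from typing import Callable, Dict, List, Optional, Tuple

# Predefined application features (constructed): host suffix, URL prefix,
# numeric application identifier. The longest matching URL prefix wins.
APP_FEATURES: List[Tuple[str, str, int]] = [
    ("weibo.com", "/", 1000),
    ("weibo.com", "/upload", 1001),
]


def logic_allow(feat: dict) -> dict:
    """Logic code for id 1000 (constructed): plain browsing, let it through."""
    return {"action": "allow", "files": []}


def logic_upload(feat: dict) -> dict:
    """Logic code for id 1001 (constructed): hand every uploaded file to the
    antivirus engine, as the operating-principle section describes."""
    files = [p.get_filename() for p in feat["mime_parts"] if p.get_filename()]
    return {"action": "scan_files" if files else "allow", "files": files}


CODE_LIBRARY: Dict[int, Callable[[dict], dict]] = {1000: logic_allow, 1001: logic_upload}

# Constructed multipart upload to the application.
SAMPLE_UPLOAD = (
    b"POST /upload/file HTTP/1.1\r\n"
    b"Host: www.weibo.com\r\n"
    b"Cookie: SUB=abc\r\n"
    b"Content-Type: multipart/form-data; boundary=----fw\r\n"
    b"\r\n"
    b"------fw\r\n"
    b'Content-Disposition: form-data; name="file"; filename="cat.jpg"\r\n'
    b"Content-Type: image/jpeg\r\n"
    b"\r\n"
    b"JFIF-bytes\r\n"
    b"------fw--\r\n"
)


def decode_http(raw: bytes) -> Optional[dict]:
    """Step 302 for HTTP: parse the request line and headers into
    characteristic information. Returns None for anything malformed."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            return None                          # header line without a colon
        headers[name.strip().lower().decode("ascii", "replace")] = value.strip().decode("latin-1")
    if "host" not in headers:
        return None                              # HTTP/1.1 requires Host
    return {"method": parts[0].decode("ascii", "replace"), "url": parts[1].decode("ascii", "replace"),
            "host": headers["host"].lower(), "cookie": headers.get("cookie", ""),
            "content_type": headers.get("content-type", ""), "body": body}


def mime_decode(feat: dict) -> Optional[dict]:
    """MIME step: decode a declared multipart payload into parts with the
    standard library; a multipart declaration without a usable boundary is
    treated as malformed and never reaches logic code."""
    feat["mime_parts"] = []
    if feat["content_type"].lower().startswith("multipart/"):
        msg = email.message_from_bytes(
            b"Content-Type: " + feat["content_type"].encode("latin-1") + b"\r\n\r\n" + feat["body"])
        if not msg.is_multipart():
            return None
        feat["mime_parts"] = [p for p in msg.walk() if not p.is_multipart()]
    return feat


def match_app_id(feat: dict) -> Optional[int]:
    """Step 303, matching: characteristics against predefined application features."""
    best: Optional[Tuple[str, int]] = None
    for suffix, prefix, app_id in APP_FEATURES:
        host_ok = feat["host"] == suffix or feat["host"].endswith("." + suffix)
        if host_ok and feat["url"].startswith(prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, app_id)
    return best[1] if best else None


def detect(raw: bytes) -> dict:
    """Step 303, dispatch: decode, verify, match, then execute the logic code
    indexed by the numeric identifier. Unknown applications fall back to the
    firewall's default handling rather than to any logic code."""
    feat = decode_http(raw)
    if feat is not None:
        feat = mime_decode(feat)
    if feat is None:
        return {"action": "drop", "reason": "malformed"}
    app_id = match_app_id(feat)
    logic = CODE_LIBRARY.get(app_id)
    if logic is None:
        return {"action": "default", "app_id": app_id}
    verdict = logic(feat)
    verdict["app_id"] = app_id
    return verdict


if __name__ == "__main__":
    print(detect(SAMPLE_UPLOAD))
```

The verification sits before the dispatch on purpose: a message that fails the decoder or declares a multipart body it cannot back with a boundary is dropped before any application identifier is computed, which is what keeps misidentified or malformed traffic out of the logic processing flow.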
By this method it is found that the logical code that this case is related to can be write or write corresponding logic offline in advance online Code is directly extended the code library in this case so that firewall platform itself has the dynamic expansion using detection Ability is equivalent to allow fire wall to have an ability of studying new knowledge knowledge, dynamic flexible, can be under different application scenarios The network application for making fire wall association different.
It should be noted that although the operations of the method of the present invention are described in a particular order in the accompanying drawings, this does not require or imply that these operations must be performed in that particular order, or that all of the operations shown must be performed, in order to achieve the desired result. Additionally or alternatively, certain steps may be omitted, multiple steps may be merged into one step for execution, and/or one step may be decomposed into multiple steps for execution.
Example devices
Based on the above example devices and methods, the present embodiment also proposes an electronic device, as shown in Fig. 4. The electronic device is used to run the application layer detection program of the extended firewall according to various network application request instructions, and includes:
A memory 401 for storing the network application request instructions;
A processor 402 coupled to the memory, the processor being configured to execute the network application request instructions stored in the memory, wherein the application program the processor is configured with is used for:
Performing traffic pre-processing on the network application traffic to obtain the bearer protocol type and network application type of the network traffic;
Obtaining the corresponding bearer protocol decoding code according to the bearer protocol type and network application type of the network application traffic, and parsing out the characteristic information of the bearer protocol;
Matching the characteristic information against the predefined application features to obtain the predefined digital identifier of the network application, and using that digital identifier as an index to look up and execute the logical code corresponding to this kind of application in the programmable engine code library.
An embodiment of the present invention also provides a computer-readable program, wherein when the program is executed in the electronic device, the program causes a computer to perform, in the electronic device, the application layer detection method for extending the firewall as described in Fig. 3.
An embodiment of the present invention also provides a storage medium storing a computer-readable program, wherein the computer-readable program causes a computer to perform, in the electronic device, the application layer detection method for extending the firewall as described in Fig. 3.
Embodiment
In order to describe the features and operating principle of the present invention more intuitively, a description is given below in conjunction with a practical scenario.
Embodiment one:
Application scenarios explanation:
An enterprise provides its employees with a commercial cloud drive service. Because of the needs of mobile office work, intranet employees are allowed to upload work-related data to the cloud drive and also to download data from the cloud drive to intranet office PCs. The enterprise requires that information about uploaded material be recorded for later audit; the information to be recorded includes: the upload time, user name, uploaded file type, file name and file MD5 code. Meanwhile, for downloaded content, the download time, user name, file type, file name and file MD5 code need to be recorded, and the downloaded files are required to be scanned for viruses.
In this requirement, the network application type belongs to public Internet applications, but the user audits such applications along many dimensions, and more may be added later. A common application layer firewall cannot adapt to this well, whereas a programmable firewall can meet all of the user's needs and support adjustment to subsequent needs.
According to the user's needs, the logical code corresponding to the network application is written online or offline. For public applications, the coder first analyzes the interaction traffic of the application and finds the features of that application. For example, in the packets exchanged when logging in to the cloud drive, `username:xxx` represents the login user name, an `upload` field represents an upload, a `download` field represents a download, `filename:xxx` represents the file name, and the file content follows after one blank (null) line. The login user name, file name, upload or download, and file content are extracted as the characteristic information, and the corresponding logical code is matched from the firewall's code library according to the characteristic information and application type. Then, according to the user's needs, the operations of the corresponding logical code are executed. The operations include: first computing the file's MD5 code with the API provided by the engine and judging the true type of the file, then forming a log message of a specific format using the IO-related API provided by the engine. In addition, for downloaded files, the antivirus API provided by the engine (which calls the antivirus engine built into the firewall) is used to scan the file for viruses.
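The following is an added illustration, not code from the patent or its assignee, of the Step 302/303 pipeline applied to the cloud-drive exchange of embodiment one, together with the code pre-processing check (load, pre-execute, detect errors). The message layout, the digital identifier 101, the magic-number table and the sample payload are constructed assumptions, not values from the patent.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample of the cloud-drive upload exchange described in
# embodiment one: header lines, one blank line, then the file content.
SAMPLE_UPLOAD = (b"username:alice\r\n"
                 b"upload\r\n"
                 b"filename:report.pdf\r\n\r\n"
                 b"%PDF-1.4 constructed body")

@dataclass
class Features:
    user: str
    action: str       # "upload" or "download"
    filename: str
    content: bytes

def decode_bearer(payload: bytes) -> Features:
    """Step 302: split headers from body at the first blank line, read fields."""
    head, _, body = payload.partition(b"\r\n\r\n")
    fields, action = {}, ""
    for line in head.decode("utf-8", "replace").splitlines():
        if line in ("upload", "download"):
            action = line
        elif ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return Features(fields.get("username", ""), action,
                    fields.get("filename", ""), body)

# Predefined application features keyed by digital identifier (101 is assumed).
APP_FEATURES = {101: lambda f: bool(f.user and f.action and f.filename)}
# Magic numbers used to judge the true file type regardless of the file name.
MAGIC = {b"%PDF": "pdf", b"PK\x03\x04": "zip", b"\x89PNG": "png"}

def true_type(content: bytes) -> str:
    return next((n for m, n in MAGIC.items() if content.startswith(m)), "unknown")

def audit_cloud_drive(f: Features) -> dict:
    """Logical code for application 101: MD5, true type, audit record."""
    return {"user": f.user, "action": f.action, "filename": f.filename,
            "type": true_type(f.content), "md5": hashlib.md5(f.content).hexdigest()}

# The programmable engine code library: digital identifier -> logical code.
CODE_LIBRARY = {101: audit_cloud_drive}
def identify(f: Features) -> int:
    """Step 303, first half: match features and return the digital identifier."""
    return next((i for i, pred in APP_FEATURES.items() if pred(f)), 0)

def detect(payload: bytes) -> dict:
    """Step 303, second half: index the code library and run the logical code."""
    f = decode_bearer(payload)
    app_id = identify(f)
    if app_id not in CODE_LIBRARY:
        return {"app_id": 0}
    return {"app_id": app_id, **CODE_LIBRARY[app_id](f)}

def preflight(logic, sample: bytes) -> str:
    """Code pre-processing: pre-execute new logical code; "" means it met expectations."""
    try:
        record = logic(decode_bearer(sample))
        return "" if {"user", "md5"} <= set(record) else "missing fields"
    except Exception as exc:  # report the error instead of crashing the engine
        return f"{type(exc).__name__}: {exc}"
```

Running `preflight` on a candidate logical code before placing it in `CODE_LIBRARY` is the pre-execution check; a non-empty return is the error information the coder corrects before the code is installed.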
Embodiment two:
Application scenarios explanation:
After a national surveying and mapping unit went through years of digitization reform, its mapping became fully digital. Digital map data is the unit's core asset, and maps of different precision have different security classifications. The unit strictly prohibits classified digital maps held inside the surveying and mapping unit from flowing out to the Internet. Digital map data is highly specialized; ordinary security equipment basically cannot identify it, let alone perform fine-grained differentiation, management and control according to attributes such as precision.
In this requirement scenario, the unit first provides information about the electronic map data, such as map file samples and a description of the map file format. Then professional security personnel, or developers of the surveying unit's information department, can carry out programming development on the programmable firewall to identify the electronic map data contained in the network traffic. After identification, fine-grained parsing is performed: according to the specific requirements of the surveying and mapping unit, attributes such as the precision of the map, the region the map covers, and whether it contains geographical markers of government offices can be parsed, so as to determine whether the electronic map is classified and whether it may be transmitted over the Internet. After programming development is complete, the programmable firewall can be deployed at the Internet egress of the surveying and mapping unit to detect violating map data in inbound and outbound network traffic, and to perform management operations such as access control and log auditing on violating connections or transmissions. It has been verified in practice that a problem which products such as application layer filtering firewalls cannot address at all is completely solved by the programmable firewall.
The technical solution designs a programmable mechanism that gives the firewall platform itself the ability to dynamically extend application detection; because the code executes at the logic level of the network application, the full details of the network application can be mined completely by custom code. The coder writes logical code for a given network application, and once the firewall's application identification detects the corresponding network application, the logical code for that kind of application is executed. This quickly extends the application-layer deep detection capability of the firewall and solves the problems of the limited number of network applications a firewall supports and of deep analysis of private applications inside enterprises.
The specific embodiments described above further describe in detail the purpose, technical solution and advantageous effects of the present invention. It should be understood that the foregoing is merely a specific embodiment of the present invention and is not intended to limit the protection scope of the present invention; any modification, equivalent substitution, improvement and the like made within the spirit and principles of the present invention shall be included within the protection scope of the present invention.

Claims (13)

1. An application layer detection method for extending a firewall, comprising:
performing traffic pre-processing on network application traffic to obtain the bearer protocol type and network application type of the network application traffic;
obtaining the corresponding bearer protocol decoding code according to the bearer protocol type and network application type of the network application traffic, and parsing out the characteristic information of the bearer protocol;
characterized in that,
the characteristic information is matched against predefined application features by code matching to obtain the digital identifier of the network application traffic, and the digital identifier is used as an index to look up and execute the logical code corresponding to the network application that is stored in the programmable engine code library.
2. The method according to claim 1, characterized in that the logical code is completed by online coding or offline coding for the network application.
3. The method according to claim 2, characterized in that the logical code is code-preprocessed after being written; wherein the code pre-processing step includes:
loading the logical code;
executing the corresponding logic on the loaded logical code, detecting error information produced during execution of the logical code, and judging whether the execution result meets expectations;
modifying the logical code according to the test result.
4. The method according to any one of claims 1 to 3, characterized in that the method further includes:
performing MIME decoding on the payload of bearer protocols that require MIME decoding, while verifying the network application traffic.
5. The method according to any one of claims 1 to 3, characterized in that the traffic pre-processing step includes:
reassembling the network traffic;
identifying the reassembled network traffic data to obtain the bearer protocol type and network application type of the network traffic.
6. The method according to claim 5, characterized in that the traffic pre-processing step further includes:
if the network traffic is traffic encrypted and authenticated by the SSL protocol, processing the network traffic through an SSL proxy before reassembly, recovering the encrypted network traffic into plaintext network traffic.
7. An application layer detection device for extending a firewall, comprising:
a traffic pre-processing unit for performing traffic pre-processing on network application traffic to obtain the bearer protocol type and network application type of the network application traffic;
a feature extraction unit for obtaining the corresponding bearer protocol decoding code according to the bearer protocol type and network application type of the network application traffic, and parsing out the characteristic information of the bearer protocol;
characterized in that,
a detection unit for matching the characteristic information against predefined application features by code matching to obtain the digital identifier of the network application traffic, and for using the digital identifier as an index to look up and execute the logical code of the corresponding network application that is stored in the programmable engine code library.
8. The device according to claim 7, characterized in that the logical code found by the detection unit is completed by online coding or offline coding for the network application.
9. The device according to claim 8, characterized in that the device further includes a code pre-processing unit; wherein the code pre-processing unit includes:
a loading module for loading the logical code;
a pre-execution module for executing the corresponding logic on the loaded logical code, detecting error information produced during execution of the logical code, and judging whether the execution result meets expectations;
a correction module for modifying the logical code according to the test result.
10. The device according to any one of claims 7 to 9, characterized in that the device further includes:
a MIME decoding and verification unit for performing MIME decoding on the payload of bearer protocols that require MIME decoding, while verifying the network application traffic.
11. The device according to any one of claims 7 to 9, characterized in that the traffic pre-processing unit includes:
a reassembly module for reassembling the network traffic;
an identification module for identifying the reassembled network traffic data to obtain the bearer protocol type and network application type of the network traffic.
12. The device according to claim 11, characterized in that the traffic pre-processing unit further includes:
an SSL proxy module for, if the network traffic is traffic encrypted and authenticated by the SSL protocol, processing the network traffic through an SSL proxy before reassembly, recovering the encrypted network traffic into plaintext network traffic.
13. An electronic device, comprising the application layer detection device for extending a firewall according to any one of claims 7 to 12.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611260548.5A CN108270730A (en) 2016-12-30 2016-12-30 A kind of application layer detection method, device and electronic equipment for extending fire wall

Publications (1)

Publication Number Publication Date
CN108270730A true CN108270730A (en) 2018-07-10
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20180710