Disclosure of Invention
The present invention aims to overcome or at least partially solve or alleviate the above-mentioned problems.
According to the protection method of the technical scheme provided by the invention, the execution sequence of the security protection modules is dynamically adjusted, the specific security policy of each security protection module is configured, and the modules are integrated into Web application firewalls with different protection functions, so as to realize targeted protection.
In a first aspect, the present invention provides a protection method for a Web application firewall, where the Web application firewall includes a plurality of security protection modules, and the method includes:
identifying a plurality of security protection modules;
arranging the execution sequence of the plurality of security protection modules according to different security protection requirements;
configuring the protection policies of the plurality of security protection modules according to different security protection requirements;
and integrating the plurality of security protection modules, whose execution sequence has been arranged and whose protection policies have been configured, into a Web application firewall, so as to meet the different security protection requirements.
Preferably, each security protection module is identified according to its proprietary name.
Preferably, arranging the execution sequence of the plurality of security protection modules according to different security protection requirements includes:
forming a configuration file in byte code for the execution sequence of the security protection modules, and defining the execution sequence of each security protection module by the configuration file;
and changing the arrangement of the execution sequence of the security protection modules by changing the configuration file.
Preferably, configuring the protection policies of the plurality of security protection modules according to different security protection requirements includes:
determining the function of each security protection module according to different security protection requirements;
determining the specific protection policy content for the function of each security protection module;
and configuring the specific protection policy content into each security protection module.
Preferably, the specific protection policy content includes:
a match-hit policy based on regular expressions;
and/or a frequency limiting policy based on source and destination traffic statistics;
and/or a penetration protection policy based on security logic.
Preferably, the security protection modules whose execution sequence has been arranged and whose protection policies have been configured are integrated into a Web application firewall by a security engine platform, so as to meet different security protection requirements.
Compared with the prior art, the flexible protection method for a Web application firewall provided by the embodiment of the invention can dynamically define the execution sequence of the security protection modules that form the Web application firewall, dynamically configure the specific protection policy content of each security protection module, and dynamically assemble Web application firewalls with different protection functions according to different security protection requirements, thereby realizing targeted protection.
In a second aspect, the present invention further provides a flexible protection device for a Web application firewall, including:
an identification unit, configured to identify a plurality of security protection modules according to an identification rule;
an arrangement unit, configured to arrange the execution sequence of the security protection modules according to different security protection requirements;
a configuration unit, configured to configure the protection policies of the plurality of security protection modules according to different security protection requirements;
and an integration unit, configured to integrate the arranged and configured plurality of security protection modules into a Web application firewall, so as to meet the different security protection requirements.
Compared with the prior art, the beneficial effects of the Web application firewall protection device provided by the invention are the same as those of the Web application firewall protection method provided by any one of the technical schemes, and the beneficial effects are not repeated here.
In a third aspect, an embodiment of the present invention provides a computer readable storage medium having stored thereon a computer program, wherein the program when executed by a processor implements a Web application firewall protection method as in the first aspect or any implementation of the first aspect.
Compared with the prior art, the beneficial effects of the computer readable storage medium provided by the invention are the same as those of the Web application firewall protection method provided by any one of the technical schemes, and are not repeated here.
In a fourth aspect, the present invention also provides an electronic device, including:
a plurality of memories, each for storing a computer program;
and a plurality of processors, each for executing the corresponding computer program so as to realize the functions and operations of the service module in any one of the technical schemes.
Compared with the prior art, the beneficial effects of the electronic equipment provided by the invention are the same as those of the Web application firewall protection method provided by any one of the technical schemes, and are not repeated here.
Detailed Description
In order to make the solution of the present application better understood by those skilled in the art, the embodiments of the present application are described in detail below with reference to the accompanying drawings. It is apparent that the described embodiments are only some, not all, of the embodiments of the present application. All other embodiments that can be obtained by one of ordinary skill in the art based on the embodiments herein without inventive effort shall fall within the scope of the present application.
The applicant has found that a Web application firewall needs to define its protection functions dynamically according to different security protection requirements, so as to cope with the continuously changing service requirements of secure operation of enterprise Web applications. At present, although the protection capability and protection range of Web application firewalls are gradually expanding, and detection and protection are becoming more accurate as new technologies are introduced, the operation sequence of the plurality of protection modules that form the firewall is fixed in all current Web application firewalls and cannot be dynamically adjusted according to different protection requirements, so that targeted protection according to different security protection requirements cannot be achieved.
In order to solve this technical problem, the method comprises the steps of identifying a plurality of security protection modules, arranging the execution sequence of the security protection modules according to different security protection requirements, configuring the protection policies of the security protection modules according to different security protection requirements, and integrating the security protection modules whose execution sequence has been arranged and whose protection policies have been configured into a Web application firewall, so as to meet the different security protection requirements.
In a first aspect, as shown in fig. 1, the present invention provides a flexible protection method for a Web application firewall, including the following steps:
Step S01, identifying a plurality of security protection modules.
It should be noted that, according to the naming rule, each of the plurality of security protection modules that form the Web application firewall has a proprietary name. Within the Web application firewall, a security protection module is uniquely identified by its proprietary name, and a call by the Web application firewall system to that proprietary name is a call to the security protection module.
Step S02, arranging the execution sequence of the security protection modules according to different security protection requirements.
It should be noted that, in the embodiment of the present invention, a configuration file in byte code is formed for the execution sequence of the security protection modules, and the execution sequence of each security protection module is defined by the configuration file; the arrangement of the execution sequence of the security protection modules is changed by changing the configuration file.
Specifically, the configuration file is described by a 32-bit byte code, and the execution sequence of the plurality of security protection modules that form the Web application firewall is defined by this configuration file. According to different security protection requirements, the arrangement of the execution sequence of the plurality of security protection modules is changed by changing the 32-bit byte-code configuration file, so that the execution sequence of the plurality of security protection modules is defined on demand.
Step S03, configuring the protection policies of the plurality of security protection modules according to different security protection requirements.
It should be noted that, in the embodiment of the present invention, the function of each security protection module is determined according to different security protection requirements; the specific protection policy content is determined for the function of each security protection module; and the specific protection policy content is configured into each security protection module.
According to different security protection requirements, the specific detection content provided by each security protection module is determined, and different security protection policies are configured for the plurality of security protection modules. The specific protection policy content comprises a match-hit policy based on regular expressions, and/or a frequency limiting policy based on source and destination traffic statistics, and/or a penetration protection policy based on security logic.
According to different security protection requirements, a match-hit policy based on regular expressions is configured for a plurality of different security protection modules. A traditional Web application firewall can only identify and defend at the level of the data stream, and therefore has certain limitations.
A frequency limiting policy based on source and destination traffic statistics is configured for a plurality of different security protection modules according to different security protection requirements. Based on network traffic collection and IP statistics, the access conditions of the Web application can be known more accurately by analysing the collected data, so that monitoring of network traffic and alarming on abnormal conditions are realized. In the embodiment of the invention, depending on the network hardware device, network traffic is collected by packet analysis based on intercepting network data packets, by SNMP based on the MIB of the gateway device of the traffic system, by IP flow data capture based on a network probe, or by data flow capture based on network data flow technology. Based on the collected network traffic, traffic statistics are computed per source IP address and destination IP address; the output comprises the data packets from the source host to the destination host, the corresponding byte counts and the transmission time of the packets. This information is matched against a preset threshold of the traffic statistics for the source and destination IP addresses, so that anomalies are found and an alarm is raised.
According to different security protection requirements, a penetration protection policy based on security logic is configured for a plurality of different security protection modules. In the embodiment of the invention, such attacks make use of the business flow and of HTTP/HTTPS request tampering: once the key points in the flow are found, a Web application vulnerability can be exploited without constructing a malicious request. Protection policies are therefore configured for the plurality of different security protection modules mainly for three Web application vulnerability scenarios: password recovery, transaction tampering and override (authorization bypass) defects.
Step S04, integrating the plurality of security protection modules whose execution sequence has been arranged and whose protection policies have been configured into a Web application firewall, so as to meet different security protection requirements.
It should be noted that the security engine platform integrates the security protection modules whose execution sequence has been arranged and whose protection policies have been configured into a Web application firewall, so as to meet different security protection requirements.
Compared with the prior art, in the Web application firewall protection method provided by the invention, the match-hit policy based on regular expressions and/or the frequency limiting policy based on source and destination traffic statistics and/or the penetration protection policy based on security logic are configured for each security protection module according to the security protection requirements, and the execution sequence of the security modules defined by the 32-bit byte-code configuration file is used to form the Web application firewall according to different security protection requirements, so that on-demand, targeted protection of Web application services according to the security protection requirements is realized.
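As an added illustration of steps S01 to S04, the following example code is written for this description and is not the patent's own implementation: the module ids and names, the nibble layout assumed for the 32-bit byte-code word, and the three sample policies (regex match-hit, per source/destination frequency limit, and an authorization-bypass logic check) are all assumptions.

```python
import re
from dataclasses import dataclass

# Constructed example: module ids, names and the byte-code layout are
# assumptions made for this illustration, not taken from the patent.
# S01: each module is identified by its proprietary name; the WAF calls it by name.
MODULE_NAMES = {1: "regex_match", 2: "freq_limit", 3: "logic_check"}

def decode_order(config: int) -> list:
    """S02: decode the 32-bit byte-code configuration into an execution order.
    Assumed layout: eight 4-bit slots, most significant first, each holding a
    module id; a zero slot is unused.  Changing the word changes the order."""
    return [MODULE_NAMES[(config >> s) & 0xF]
            for s in range(28, -1, -4) if (config >> s) & 0xF]

@dataclass
class Request:
    src: str    # source IP address
    dst: str    # destination IP address
    user: str   # authenticated user id ("" if anonymous)
    path: str   # request path with query string
    ts: float   # arrival time in seconds

class RegexMatch:
    """S03 policy: match-hit policy based on regular expressions."""
    def __init__(self, patterns):
        self.pats = [re.compile(p) for p in patterns]

    def hit(self, req):
        return any(p.search(req.path) for p in self.pats)

class FreqLimit:
    """S03 policy: frequency limit from per (source IP, destination IP) counts
    inside a sliding window; exceeding the preset threshold raises an alarm."""
    def __init__(self, limit, window):
        self.limit, self.window, self.seen = limit, window, {}

    def hit(self, req):
        key = (req.src, req.dst)
        times = [t for t in self.seen.get(key, []) if req.ts - t < self.window]
        times.append(req.ts)
        self.seen[key] = times
        return len(times) > self.limit

class LogicCheck:
    """S03 policy: security-logic check for the override (authorization bypass)
    scenario: /account/<id> may only be read by that same authenticated user."""
    def hit(self, req):
        m = re.match(r"/account/(\w+)", req.path)
        return bool(m) and m.group(1) != req.user

def build_waf(config, policies):
    """S04: integrate the ordered, configured modules into one pipeline."""
    return [(name, policies[name]) for name in decode_order(config)]

def inspect(waf, req):
    """Run the modules in the configured order; return the first one that hits."""
    for name, module in waf:
        if module.hit(req):
            return name
    return None
```

Changing the word passed to `build_waf` (for instance `0x32000000` instead of `0x12300000`) reorders or drops modules without touching any policy, which is the flexibility the method describes.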
In a second aspect, as shown in fig. 2, the present invention further provides a protection device for a Web application firewall, including:
an identification unit 01, configured to identify a plurality of security protection modules according to an identification rule;
an arrangement unit 02, configured to arrange the execution sequence of the plurality of security protection modules according to different security protection requirements;
a configuration unit 03, configured to configure the protection policies of the plurality of security protection modules according to different security protection requirements;
and an integration unit 04, configured to integrate the arranged and configured security protection modules into a Web application firewall, so as to meet the different security protection requirements.
The execution flow of the apparatus shown in fig. 2 is the same as that of fig. 1, and will not be described again here.
Compared with the prior art, the beneficial effects of the Web application firewall protection device provided by the invention are the same as those of the Web application firewall protection method provided by any one of the technical schemes, and the beneficial effects are not repeated here.
In a third aspect, as shown in fig. 3, the present invention also provides an electronic device, including:
a plurality of memories, each for storing computer software;
and a plurality of processors, each executing the corresponding computer software so as to realize the functions and operations of the service module according to any one of the technical schemes.
In particular, the electronic device may include a processing means (e.g., a central processing unit, a graphics processor, etc.) 31 that may perform various suitable actions and processes in accordance with programs stored in a Read Only Memory (ROM) 32 or loaded from a storage means 38 into a Random Access Memory (RAM) 33. In the RAM 33, various programs and data required for the operation of the electronic device are also stored. The processing device 31, the ROM 32 and the RAM 33 are connected to each other via a bus 34. An input/output (I/O) interface 35 is also connected to the bus 34.
In general, the following devices may be connected to the I/O interface 35: input devices 36 including, for example, a touch screen, touchpad, keyboard, mouse, camera, microphone, accelerometer, gyroscope, etc.; an output device 37 including, for example, a liquid crystal display (LCD), a speaker, a vibrator, and the like; storage devices 38 including, for example, magnetic tape, hard disk, etc.; and a communication device 39. The communication means 39 may allow the electronic device to communicate with other devices wirelessly or by wire to exchange data. While fig. 3 shows an electronic device having various means, it is to be understood that not all of the illustrated means are required to be implemented or provided. More or fewer devices may be implemented or provided instead. Each block shown in fig. 3 may represent one device or a plurality of devices as needed.
Compared with the prior art, the beneficial effects of the electronic equipment provided by the invention are the same as those of the Web application firewall protection method provided by any one of the technical schemes, and are not repeated here.
In a fourth aspect, an embodiment of the present invention further provides a computer readable storage medium, where a computer program is stored, where the program when executed by a processor implements the Web application firewall protection method according to the first aspect.
Compared with the prior art, the beneficial effects of the storage medium provided by the invention are the same as those of the Web application firewall protection method provided by the technical scheme of the first aspect, and are not repeated here.
In an embodiment of the invention, the various modules or systems may be processors formed by computer program instructions, which may be an integrated circuit chip having signal processing capabilities. The processor may be a general purpose processor, a digital signal processor (Digital Signal Processor, DSP for short), an application specific integrated circuit (Application Specific Integrated Circuit, ASIC for short), a field programmable gate array (Field Programmable Gate Array, FPGA for short), or other programmable logic device, discrete gate or transistor logic device, or discrete hardware components.
The methods, steps and logic blocks disclosed in the embodiments of the present invention may be implemented or performed by such a processor. A general purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present invention may be embodied directly in execution by a hardware decoding processor, or in execution by a combination of hardware and software modules in a decoding processor. The software modules may be located in a random access memory, flash memory, read only memory, programmable read only memory, electrically erasable programmable memory, registers, etc., as is well known in the art. The processor reads the information in the storage medium and, in combination with its hardware, performs the steps of the above method.
The storage medium may be a memory, for example a volatile memory or a nonvolatile memory, or may include both volatile and nonvolatile memory.
The nonvolatile memory may be a Read-Only Memory (ROM), a Programmable ROM (PROM), an Erasable PROM (EPROM), an Electrically Erasable PROM (EEPROM), or a flash memory.
The volatile memory may be a random access memory (Random Access Memory, RAM for short), which acts as an external cache. By way of example, and not limitation, many forms of RAM are available, such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDR SDRAM), Enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), and Direct Rambus RAM (DRRAM).
The storage media described in embodiments of the present invention are intended to comprise, without being limited to, these and any other suitable types of memory.
Those skilled in the art will appreciate that in one or more of the examples described above, the functions described in the present invention may be implemented in a combination of hardware and software. When the software is applied, the corresponding functions may be stored in a computer-readable medium or transmitted as one or more instructions or code on the computer-readable medium. Computer-readable media includes both computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another. A storage media may be any available media that can be accessed by a general purpose or special purpose computer.
Finally, it should be noted that the above embodiments are only for illustrating the technical solution of the present invention and not for limiting it. Although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical scheme described in the foregoing embodiments can still be modified, or some or all of its technical features can be replaced by equivalents, and that such modifications and substitutions do not depart from the spirit of the invention.