CN114124520A - Multi-mode-based mimic WAF execution body implementation method - Google Patents

Multi-mode-based mimic WAF execution body implementation method

Info

Publication number
CN114124520A
Authority
CN
China
Prior art keywords
flow
module
executor
waf
matching
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111386242.5A
Other languages
Chinese (zh)
Inventor
吴春明
张江瑜
陈双喜
曲振青
吴至禹
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhejiang University ZJU
Original Assignee
Zhejiang University ZJU
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1483 Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/044 Recurrent networks, e.g. Hopfield networks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/045 Combinations of networks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/049 Temporal neural networks, e.g. delay elements, oscillating neurons or pulsed inputs
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/16 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Evolutionary Computation (AREA)
  • Software Systems (AREA)
  • Artificial Intelligence (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Molecular Biology (AREA)
  • Data Mining & Analysis (AREA)
  • Computational Linguistics (AREA)
  • Biophysics (AREA)
  • Mathematical Physics (AREA)
  • Biomedical Technology (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computer Hardware Design (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Databases & Information Systems (AREA)
  • Medical Informatics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a multi-mode-based mimic WAF executor implementation method, which enables a WAF executor to recognize traffic in different encodings, judges the maliciousness of the traffic from both a rule mode and an AI (artificial intelligence) mode, and greatly improves the accuracy of the executor. The invention mainly designs an encoding recognition and analysis module, a traffic analysis module, a rule matching module and the like to realize the function of the executor: the traffic is first decoded by the encoding recognition and analysis module, the traffic analysis module then analyzes the traffic to obtain the data of its important parts, and finally an accurate malicious score for the traffic is obtained through the comprehensive judgment of the two modules, rule matching and AI judgment.

Description

Multi-mode-based mimic WAF execution body implementation method
Technical Field
The invention belongs to the technical field of network security, and particularly relates to a multi-mode-based mimic WAF executor implementation method.
Background
With the deepening of digitalization, companies operate more and more business systems, and attacks on the application layer of web application systems pose an ever greater threat to them. According to a Gartner survey, 75% of information security attacks occur at the Web application layer; attack techniques based on the Web application layer are growing explosively and are continuously renewed, bringing serious hidden dangers to the security of business systems, and Web applications, as the most widespread form in which business systems are built, face great challenges.
Many people think that network security can be improved by continuously deploying devices such as firewalls, Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) in the network. Why, then, do application-layer attack events still occur? The fundamental reason is that traditional network security devices have a very limited preventive effect against application-layer attacks, especially against Web systems. Most existing firewalls work at the network layer and implement access control by filtering network-layer data (ACLs based on the TCP/IP packet header); a stateful firewall ensures that the internal network is not accessed illegally from the external network. All processing is at the network level, and the nature of an application-level attack cannot be detected there. IDS and IPS use deep packet inspection to examine the application-layer traffic in network data and match it against an attack signature library, so known network attacks are identified and some protection against application-layer attacks is achieved. However, IDS and IPS are also not effective against unknown attacks, attacks that may appear in the future, and application-layer attacks carried out through flexible encoding and packet segmentation.
In order to solve the WAF's own security problem structurally, and at the same time avoid the potential security hazards that this problem causes, a mimic security cloud WAF is designed and implemented. This WAF forms a mimic security defense capability through structural changes such as cloud deployment, heterogeneity, redundancy, dynamism and intelligence. At the same time, through adjudication among its executors, the WAF can defend against unknown attacks.
Disclosure of Invention
The invention aims to provide a multi-mode-based mimic WAF executor implementation method that addresses the defects of the prior art.
The purpose of the invention is realized by the following technical scheme. A multi-mode-based mimic WAF executor implementation method comprises the following steps:
(1) After receiving the traffic, the mimic WAF executor must identify and decode it through the encoding recognition and analysis module, specifically as follows:
(1.1) The encoding recognition and analysis module has built-in recognition patterns for currently common encodings such as URL encoding, Base64 encoding and PHP serialization encoding; when a scan of the traffic matches one of these patterns, the corresponding decoding method is used to decode the traffic.
(2) From the decoded traffic obtained in step (1), the traffic analysis module extracts the parts that a hacker may use for an attack, extracting the URL parameters, POST content, cookie content, the URL itself and so on separately. These contents are denoted C_i (1 ≤ i ≤ m), where m is the number of key-part contents.
(3) Multi-mode judgment is performed on the different fragment contents obtained in step (2). The multi-mode judgment is mainly divided into a rule matching module and an AI model judgment module, and specifically comprises the following steps:
(3.1) The rule matching module requires some manually defined rules R_i (1 ≤ i ≤ k), where k is the number of rules, and each rule has a corresponding maliciousness score S_i (1 ≤ i ≤ k). Let sum denote the final score of the rule judgment and num the number of successful matches, both initialized to 0. The rules are traversed in turn and matched against C; whenever a match succeeds, sum = sum + S_i and num = num + 1 are executed. Finally the rule matching score is PR = sum/num.
(3.2) The feature extraction module extracts features from each content C, including but not limited to the ratio of upper-case to lower-case characters, the number of special characters, the average parameter length and so on.
(3.3) The AI model judgment module analyzes the features extracted in step (3.2). The AI model may use different classifiers, including but not limited to CNN, LSTM and logistic regression, and finally yields the malicious probability AR of the AI model.
(4) The comprehensive judgment module makes a judgment from the results obtained in steps (3.1) and (3.3). The proportions of the rules and of the AI in the final score are set manually: let the proportion of the rules be α and the proportion of the AI be β; then the final malicious score is score = PR·α + AR·β.
Compared with the prior art, the invention has the following beneficial effects:
(1) Against application-layer attacks carried out through flexible encoding and packet segmentation, which IDS and IPS cannot protect against effectively, the invention handles such attacks well by adding an encoding analysis module;
(2) The invention adopts a multi-mode judgment approach, whose result is more accurate than a single judgment mode and which can greatly improve the defense performance of the mimic WAF;
(3) The invention enlarges the heterogeneous surface of the executor: heterogeneity can be introduced in each of the three modules, the encoding recognition and analysis module, the rule module and the AI model judgment module, so the heterogeneity of the executor is greatly improved.
Drawings
FIG. 1 is an overview diagram of the mimic WAF executor implementation.
Detailed Description
As shown in figure 1, the invention relates to a multi-mode-based mimic WAF executor implementation method. It mainly designs an encoding recognition and analysis module, a traffic analysis module, a rule matching module, an AI model judgment module and the like to realize the function of the executor: HTTP traffic is first decoded by the encoding recognition and analysis module, the traffic analysis module then analyzes the traffic to obtain the data of its important parts, and finally an accurate malicious score for the traffic is obtained through the comprehensive judgment of the rule matching and AI model judgment modules. The method specifically comprises the following steps:
(1) After receiving the traffic, the mimic WAF executor must identify and decode it through the encoding recognition and analysis module. This module has built-in recognition patterns for currently common encodings (URL encoding, JavaScript Unicode encoding, Base64 encoding, PHP serialization encoding, GBK encoding, JSP/Servlet encoding and the like); when a scan of the traffic matches one of these patterns, the corresponding decoding method is used to decode the traffic.
(2) From the decoded traffic, the traffic analysis module extracts the parts that a hacker may use for an attack, including the URL parameter part, POST content, cookie content, the URL itself, session content, the User-Agent part and so on. These contents are denoted C_i (1 ≤ i ≤ m), where i is the index of a key-part content and m is the number of key-part contents.
(3) Multi-mode judgment is performed on the different fragment contents obtained in step (2). The multi-mode judgment is mainly divided into a rule matching module and an AI model judgment module, and specifically comprises the following steps:
(3.1) The rule matching module requires some manually defined regular-expression matching rules R_j (1 ≤ j ≤ k), where k is the number of rules, and each rule has a corresponding maliciousness score S_j (1 ≤ j ≤ k). Let sum denote the final score of rule matching and num the number of successful rule matches, both initialized to 0. Each C_i is traversed in turn and matched against the different rules R_j; whenever a match succeeds, sum = sum + S_j and num = num + 1 are executed. Finally the rule matching score is PR = sum/num.
(3.2) The feature extraction module extracts features from each content C_i separately, including but not limited to the ratio of upper-case to lower-case characters, the number of special characters, the average parameter length, the number of parameters, the number of digits and so on.
(3.3) The AI model judgment module analyzes the features extracted in step (3.2). The AI model may use different classifiers, including but not limited to CNN, LSTM and logistic regression, and finally yields the malicious probability AR of the AI model.
(4) The comprehensive judgment module makes a judgment from the results obtained in steps (3.1) and (3.3), with the proportions of the rules and of the AI in the final score set manually as follows: let the proportion of the rules be α and the proportion of the AI be β; then the final malicious score is score = PR·α + AR·β.
The invention not only makes the output result more accurate, but also enlarges the heterogeneous surface of the executor: heterogeneity can be introduced in the encoding recognition and analysis module, the rule matching module and the AI model judgment module, thereby greatly improving the heterogeneity of the executor.
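Steps (1) to (4) above, and the same procedure as restated in claim 1, are shown end to end in the following added example. It is not code from the patent or from Zhejiang University; it is a toy single executor written for this page, and its assumptions are labelled in the code: requests arrive as raw HTTP/1.1 request strings, the encoding recognizer handles only URL and Base64 layers (the patent also lists JavaScript Unicode, PHP serialization, GBK and JSP/Servlet encodings), the rules R_j, their scores S_j and the weights α and β are chosen by hand, the "AI model" is a logistic-regression stand-in with hand-set weights rather than a trained CNN, LSTM or logistic regression, and the two sample requests are constructed, not captured traffic. Two points the patent leaves open are handled explicitly: each key part is split out of the request structure before it is decoded, so that an encoded separator cannot corrupt the split, and PR is taken as 0 when num = 0, since sum/num is otherwise undefined for traffic that matches no rule.

```python
"""Toy multi-mode mimic WAF executor (added example): decode -> extract C_i ->
rule score PR and AI probability AR -> final score = PR*alpha + AR*beta."""
import base64
import binascii
import math
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

# --- Step (1): encoding recognition and decoding (URL and Base64 layers only) ---
_URL_ENCODED = re.compile(r"%[0-9A-Fa-f]{2}")
_BASE64_LIKE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


def decode_layers(text: str, max_rounds: int = 5) -> str:
    """Strip recognised encodings until nothing changes. The round limit bounds
    the work that nested encodings can force; an executor must never loop."""
    for _ in range(max_rounds):
        before = text
        if _URL_ENCODED.search(text):
            text = unquote(text)
        elif _BASE64_LIKE.match(text.strip()):
            try:
                decoded = base64.b64decode(text.strip(), validate=True).decode("ascii")
                if decoded.isprintable():  # random-looking tokens decode to garbage: keep them
                    text = decoded
            except (binascii.Error, UnicodeDecodeError):
                pass  # matched the pattern but is not Base64 text; leave as-is
        if text == before:
            break
    return text


# --- Step (2): traffic analysis, extracting the key-part contents C_i ---
def parse_request(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Minimal HTTP/1.1 parser (assumption: CRLF line endings, form-encoded body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return target, headers, body


def extract_key_parts(raw: str) -> List[Tuple[str, str]]:
    """Return (label, decoded content) pairs for the URL path, URL parameters,
    POST fields, cookies and User-Agent. Parts are split out of the request
    structure first and decoded afterwards, so an encoded '&' cannot corrupt the split."""
    target, headers, body = parse_request(raw)
    url = urlsplit(target)
    parts = [("url", url.path)]
    parts += [("url_param:" + k, v) for k, v in parse_qsl(url.query, keep_blank_values=True)]
    parts += [("post:" + k, v) for k, v in parse_qsl(body, keep_blank_values=True)]
    for item in headers.get("cookie", "").split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            parts.append(("cookie:" + k.strip(), v.strip()))
    if "user-agent" in headers:
        parts.append(("user-agent", headers["user-agent"]))
    return [(label, decode_layers(value)) for label, value in parts]


# --- Step (3.1): rule matching. (name, R_j, S_j); R_j and S_j are hand-written here. ---
RULES = [
    ("sqli_tautology", re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.I), 9.0),
    ("sqli_union_select", re.compile(r"\bunion\b.+\bselect\b", re.I), 9.0),
    ("xss_script_tag", re.compile(r"<\s*script\b", re.I), 8.0),
    ("path_traversal", re.compile(r"\.\./"), 7.0),
    ("sql_comment", re.compile(r"--|/\*"), 3.0),
]


def rule_score(parts: List[Tuple[str, str]]) -> float:
    """PR = sum/num over every (C_i, R_j) match; PR = 0 when num == 0."""
    total, num = 0.0, 0
    for _label, content in parts:
        for _name, pattern, s_j in RULES:
            if pattern.search(content):
                total += s_j
                num += 1
    return total / num if num else 0.0


# --- Step (3.2): feature extraction over all C_i ---
def extract_features(parts: List[Tuple[str, str]]) -> List[float]:
    contents = [c for _, c in parts]
    joined = "".join(contents)
    n = max(len(joined), 1)
    upper = sum(ch.isupper() for ch in joined)
    lower = sum(ch.islower() for ch in joined)
    special = sum(not ch.isalnum() and not ch.isspace() for ch in joined)
    digits = sum(ch.isdigit() for ch in joined)
    avg_len = sum(len(c) for c in contents) / max(len(contents), 1)
    # [upper/lower ratio, special-char ratio, average part length, part count, digit ratio]
    return [upper / max(lower, 1), special / n, avg_len, float(len(contents)), digits / n]


# --- Step (3.3): AI model judgment. ASSUMPTION: a trained CNN/LSTM/logistic regression
# would supply these weights; they are hand-set so that the example runs offline. ---
AI_WEIGHTS = [0.5, 15.0, 0.05, 0.1, 2.0]
AI_BIAS = -4.0


def ai_score(features: List[float]) -> float:
    """Malicious probability AR from the logistic-regression stand-in."""
    z = AI_BIAS + sum(w * x for w, x in zip(AI_WEIGHTS, features))
    return 1.0 / (1.0 + math.exp(-z))


# --- Step (4): comprehensive judgment, score = PR*alpha + AR*beta ---
def final_score(raw: str, alpha: float = 0.05, beta: float = 0.5) -> Tuple[float, float, float]:
    """Returns (PR, AR, score). With S_j <= 10, alpha = 0.05 maps PR into 0..0.5 and
    beta = 0.5 maps AR into 0..0.5, so the combined score lies in 0..1."""
    parts = extract_key_parts(raw)
    pr = rule_score(parts)
    ar = ai_score(extract_features(parts))
    return pr, ar, pr * alpha + ar * beta


# Constructed sample traffic (not captured data). The second request carries a
# Base64-encoded SQL tautology in `id` and a URL-encoded script tag in `q`.
BENIGN_REQUEST = (
    "GET /search?q=shoes&page=2 HTTP/1.1\r\nHost: shop.example\r\n"
    "User-Agent: Mozilla/5.0\r\nCookie: session=abc123\r\n\r\n"
)
MALICIOUS_REQUEST = (
    "GET /item?id=MScgT1IgMT0xIC0t&q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1\r\n"
    "Host: shop.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
)

if __name__ == "__main__":
    for name, req in (("benign", BENIGN_REQUEST), ("malicious", MALICIOUS_REQUEST)):
        pr, ar, score = final_score(req)
        print(f"{name}: PR={pr:.2f} AR={ar:.2f} score={score:.2f}")
```

Running the block scores the benign request around 0.11 and the encoded one around 0.73 on the 0..1 scale, with the rule module contributing PR = 20/3 from three matches (tautology and comment in `id`, script tag in `q`) and the feature module raising AR mainly through the special-character ratio. The heterogeneity the patent relies on would come from running several executors whose decoder sets, rule sets and classifier weights differ, and adjudicating among their scores.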

Claims (5)

1. A multi-mode-based mimic WAF executor implementation method, characterized by comprising the following steps:
(1) After receiving the traffic, the mimic WAF executor performs recognition and decoding through an encoding recognition and analysis module, comprising the following step:
(1.1) The encoding recognition and analysis module has built-in recognition patterns for various encodings; when a scan of the traffic matches one of these recognition patterns, the corresponding decoding method is used to decode the traffic.
(2) From the decoded traffic obtained in step (1), the traffic analysis module extracts the contents that a hacker may use for an attack, obtaining the key-part contents C_i (1 ≤ i ≤ m).
(3) Multi-mode judgment is performed on the different fragment contents obtained in step (2); the multi-mode judgment is mainly divided into a rule matching module and an AI model judgment module and comprises the following steps:
(3.1) The rule matching module comprises k rules R_j (1 ≤ j ≤ k), each rule having a corresponding maliciousness score S_j (1 ≤ j ≤ k). Let sum denote the final score of the rule judgment and num the number of successful matches, both initialized to 0. Each C_i is traversed in turn and matched against the different rules; whenever a match succeeds, sum = sum + S_j and num = num + 1 are executed. Finally the rule matching score is PR = sum/num.
(3.2) The feature extraction module extracts features from each content C_i separately.
(3.3) The AI model judgment module analyzes the features extracted in step (3.2) with a classifier and finally obtains the malicious probability AR.
(4) The comprehensive judgment module combines the results obtained in steps (3.1) and (3.3) to make a judgment: the proportion of the rule matching score is α, the proportion of the malicious probability is β, and the final malicious score is score = PR·α + AR·β.
2. The multi-mode-based mimic WAF executor implementation method of claim 1, wherein in step (1.1) the encodings include URL encoding, Base64 encoding, PHP serialization encoding, GBK encoding, JSP/Servlet encoding and the like.
3. The multi-mode-based mimic WAF executor implementation method of claim 1, wherein in step (2) the key-part contents include URL parameters, POST content, cookie content, the URL itself, session content, the User-Agent part and the like.
4. The multi-mode-based mimic WAF executor implementation method of claim 1, wherein in step (3.2) the extracted features include, but are not limited to, the ratio of upper-case to lower-case characters, the number of special characters, the average parameter length, the number of digits and the like.
5. The multi-mode-based mimic WAF executor implementation method of claim 1, wherein in step (3.3) the AI model judgment module uses classifiers including, but not limited to, CNN, LSTM, logistic regression and the like.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111386242.5A CN114124520A (en) 2021-11-22 2021-11-22 Multi-mode-based mimic WAF execution body implementation method


Publications (1)

Publication Number Publication Date
CN114124520A true CN114124520A (en) 2022-03-01

Family

ID=80439466

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111386242.5A Pending CN114124520A (en) 2021-11-22 2021-11-22 Multi-mode-based mimic WAF execution body implementation method

Country Status (1)

Country Link
CN (1) CN114124520A (en)

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100095367A1 (en) * 2008-10-09 2010-04-15 Juniper Networks, Inc. Dynamic access control policy with port restrictions for a network security appliance
CN108897721A (en) * 2018-05-28 2018-11-27 华为技术有限公司 A kind of method and apparatus that the data to a variety of codings are decoded
CN110958252A (en) * 2019-12-05 2020-04-03 深信服科技股份有限公司 Network security device and network attack detection method, device and medium thereof
CN112119411A (en) * 2018-05-14 2020-12-22 宽腾矽公司 System and method for integrating statistical models of different data modalities
CN112131249A (en) * 2020-09-28 2020-12-25 绿盟科技集团股份有限公司 Attack intention identification method and device
CN112187833A (en) * 2020-11-09 2021-01-05 浙江大学 AI + regular double-matching detection method in mimicry WAF
CN112383529A (en) * 2020-11-09 2021-02-19 浙江大学 Method for generating confrontation flow in mimicry WAF
CN112491803A (en) * 2020-11-03 2021-03-12 浙江大学 Method for judging executive in mimicry WAF
CN112769851A (en) * 2021-01-19 2021-05-07 汉纳森(厦门)数据股份有限公司 Mimicry defense system based on Internet of vehicles



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20220301