Summary of the invention
To address the defects in the prior art, the invention provides a security scanning method, device and system that improve security scanning efficiency and reduce the resources that security scanning consumes.
In a first aspect, a security scanning method is provided, comprising:
obtaining an HTTP request by which a user requests a web page from a web server;
obtaining a scanning rule library corresponding to the HTTP request, where the scanning rule library corresponding to the HTTP request contains the security vulnerabilities relevant to the HTTP request and is a subset of the general-type scanning rule library applicable to any HTTP request;
performing a security scan on the HTTP request according to the scanning rule library.
In a first possible implementation of the first aspect, obtaining the scanning rule library corresponding to the HTTP request specifically comprises:
determining the scanning rule library corresponding to the HTTP request according to the type of the web server and/or the type of the requested web page.
With reference to the first possible implementation of the first aspect, in a second possible implementation of the first aspect, determining the scanning rule library corresponding to the HTTP request according to the type of the web server and/or the type of the requested web page, and performing the security scan on the HTTP request according to the scanning rule library, comprises:
judging whether a first scanning rule library corresponding to the type of the web server exists;
if the first scanning rule library exists, performing a first security scan on the HTTP request according to the first scanning rule library;
if the first scanning rule library does not exist, or if the first security scan finds no attack, performing a second security scan on the HTTP request according to a second scanning rule library corresponding to the type of the requested web page.
With reference to the first possible implementation of the first aspect, in a third possible implementation of the first aspect, before determining the scanning rule library corresponding to the HTTP request according to the type of the web server, the method further comprises:
obtaining the uniform resource locator (URL) of the HTTP request;
determining the type of the web server according to the URL.
In a second aspect, a security scanner is provided, comprising:
a request acquisition module, configured to obtain an HTTP request by which a user requests a web page from a web server;
a scanning rule acquisition module, configured to obtain a scanning rule library corresponding to the HTTP request, where the scanning rule library corresponding to the HTTP request contains the security vulnerabilities relevant to the HTTP request and is a subset of the general-type scanning rule library applicable to any HTTP request;
a security scanning module, configured to perform a security scan on the HTTP request according to the scanning rule library.
In a first possible implementation of the second aspect, the scanning rule acquisition module is configured to:
determine the scanning rule library corresponding to the HTTP request according to the type of the web server and/or the type of the requested web page.
With reference to the first possible implementation of the second aspect, in a second possible implementation of the second aspect, the scanning rule acquisition module and the security scanning module are specifically configured as follows:
the scanning rule acquisition module is configured to judge whether a first scanning rule library corresponding to the type of the web server exists and, if the first scanning rule library exists, to trigger the security scanning module to operate;
correspondingly, the security scanning module is configured to perform a first security scan on the HTTP request according to the first scanning rule library;
the scanning rule acquisition module is further configured, if the first scanning rule library does not exist or if the first security scan finds no attack, to trigger the security scanning module to operate according to a second scanning rule library corresponding to the type of the requested web page;
correspondingly, the security scanning module is further configured to perform a second security scan on the HTTP request according to the second scanning rule library.
With reference to the first possible implementation of the second aspect, in a third possible implementation of the second aspect, the scanning rule acquisition module is further configured to:
obtain the URL of the HTTP request;
judge the type of the web server according to the URL.
In a third aspect, a security protection system is provided, comprising user equipment, a web server, a security protection device connected between the user equipment and the web server, and a security scanner connected to the security protection device, where the security scanner is the security scanner provided by the embodiments of the present invention.
According to the security scanning method, device and system of the present invention, the software or programs behind different HTTP requests differ, so the security vulnerabilities relevant to different HTTP requests differ as well. Therefore, after the HTTP request that a user sends to the web server is obtained, the scanning rule library that corresponds to this HTTP request, and that contains only part of the general-type scanning rule library, is looked up among the pre-configured scanning rule libraries, and the HTTP request is scanned according to that library. Security scanning is still carried out effectively, while the amount of data the scan has to process is significantly reduced, device resources are saved and scanning speed is improved.
Embodiment
The security scanning method of the embodiments of the present invention is performed by a security scanner. This security scanner may be deployed in a network system in the manner shown in Fig. 1, or in any other manner, so as to perform security scanning on HTTP requests.
Fig. 2 is a schematic flow chart of the security scanning method of one embodiment of the invention. As shown in Fig. 2, the security scanning method comprises:
Step 201, obtain an HTTP request by which a user requests a web page from a web server;
Step 202, obtain the scanning rule library corresponding to the HTTP request, where the scanning rule library corresponding to the HTTP request contains the security vulnerabilities relevant to the HTTP request and is a subset of the general-type scanning rule library applicable to any HTTP request;
Step 203, perform a security scan on the HTTP request according to the scanning rule library.
Specifically, multiple different scanning rule libraries are pre-configured in the security scanner. Each scanning rule library is suited to different HTTP requests, for example to the type of web server the HTTP request is addressed to or to the type of web page the HTTP request asks for. Each such library contains part of the known security vulnerabilities and is a subset of the general-type scanning rule library (that is, the scanning rule library of the prior art), which contains the known security vulnerabilities of all web servers. For example, if a scanning rule library corresponds to a certain type of web server, it contains only the security vulnerabilities that may exist in web servers of that type, and does not contain vulnerabilities that may exist in other types of web server but cannot exist in web servers of that type.
After the security scanner obtains the HTTP request that the user sends to the web server, it looks up the scanning rule library corresponding to this HTTP request among the pre-configured scanning rule libraries, according to the way the scanning rule libraries are configured. More specifically, for example: the security scanner configures different scanning rule libraries for different types of web server and stores a mapping between web server types and scanning rule library identifiers; the security scanner then looks up the corresponding scanning rule library according to the type of the web server that the HTTP request is addressed to.
After the security scanner has determined the scanning rule library corresponding to the received HTTP request, it scans the HTTP request according to that library, matching the HTTP request against the security vulnerabilities in the library to judge whether the HTTP request is an attack against a particular vulnerability. The detailed process of matching and of deciding whether the request is an attack may use any existing security scanning approach and is not limited in the embodiments of the present invention.
Attacks normally target the security vulnerabilities of software or programs, and the vulnerabilities that may exist differ from one piece of software or program to another. In the security scanning method of the above embodiment, the software or programs behind different HTTP requests differ, so the security vulnerabilities relevant to different HTTP requests differ as well. Therefore, after the HTTP request that a user sends to the web server is obtained, the scanning rule library that corresponds to this HTTP request, and that contains only part of the general-type scanning rule library, is looked up among the pre-configured scanning rule libraries, and the HTTP request is scanned according to that library. Security scanning is still carried out effectively, while the amount of data the scan has to process is significantly reduced, device resources are saved and scanning speed is improved.
Further, in the security scanning method of the above embodiment, obtaining the scanning rule library corresponding to the HTTP request specifically comprises:
determining the scanning rule library corresponding to the HTTP request according to the type of the web server and/or the type of the requested web page.
More specifically, for example, the security scanner loads different scanning rule libraries for different types of web server, such as Tomcat server, Light server and Apache server. Each scanning rule library contains all known vulnerabilities of web servers of the corresponding type.
With scanning rule libraries configured in this way, after the security scanner obtains the HTTP request that the user sends to the web server, it obtains the type of the web server that the HTTP request is addressed to, looks up the scanning rule library corresponding to that web server type among the loaded scanning rule libraries, and uses the library it finds to scan the HTTP request. A web server type judgment rule is configured in the security scanner in advance; after receiving an HTTP request, the security scanner identifies the type of the corresponding web server according to this pre-configured rule. More specifically, the web server type judgment rule is, for example, to determine the type of the web server from the uniform resource locator (URL) of the HTTP request.
The security scanner may also load different scanning rule libraries for different types of web page, for example web pages that provide text, web pages that provide video files and web pages that provide picture files. Each scanning rule library contains all known vulnerabilities of web pages of the corresponding type.
With scanning rule libraries configured in this way, after the security scanner obtains the HTTP request that the user sends to the web server, it obtains the type of the web page that the HTTP request asks for, looks up the scanning rule library corresponding to that web page type among the loaded scanning rule libraries, and uses the library it finds to scan the HTTP request.
Further, the security scanner may load scanning rule libraries configured in different ways at the same time, for example libraries configured by web server type together with libraries configured by web page type. Correspondingly, in the security scanning method of the above embodiment, the operations of obtaining the scanning rule library corresponding to the HTTP request and scanning according to the determined library may be performed multiple times, following a preset scanning logic.
Fig. 3 is a schematic flow chart of the security scanning method of another embodiment of the present invention. As shown in Fig. 3, the security scanning method comprises:
Step 301, the security scanner starts and loads the predefined scanning rule libraries for the different web server types and the scanning rule libraries for the different web page types;
Step 302, after receiving the HTTP request sent by the user, the security scanner obtains the type of the web server that the HTTP request is addressed to;
Step 303, the security scanner judges whether a scanning rule library corresponding to the type of that web server exists (called, for example, the first scanning rule library); if so, step 304 is performed; if not, step 305 is performed;
Step 304, a security scan (called, for example, the first security scan) is performed on the HTTP request according to the first scanning rule library, to judge whether the HTTP request is an attack request; if so, the security scan is complete; if not, step 305 is performed;
Step 305, the type of the web page that the HTTP request asks for is obtained;
Step 306, a security scan (called, for example, the second security scan) is performed on the HTTP request according to the scanning rule library corresponding to the type of the web page (called, for example, the second scanning rule library), and the security scan is complete.
According to the security scanning method of the above embodiment, different scanning rule libraries corresponding to the HTTP request can be determined from different angles, and when scanning with one kind of scanning rule library finds no attack, another scanning rule library is used to scan again. This both significantly reduces the amount of data the scan has to process, saving device resources and improving scanning speed, and improves the reliability and success rate of the scan. It avoids the problem that an attack cannot be identified effectively because the kinds of scanning rule libraries loaded in the security scanner are incomplete, or because a scanning rule library of a certain type is missing some vulnerabilities.
In addition, to further improve the reliability and success rate of the security scan, the general-type scanning rule library may also be loaded in the security scanner.
In that case, the following is also performed before step 306: judge whether the second scanning rule library exists. If it exists, step 306 is performed, that is, the second security scan is performed on the HTTP request according to the second scanning rule library, and if the second security scan judges the HTTP request to be an attack, the security scan is complete. If the second security scan does not judge the HTTP request to be an attack, or if the second scanning rule library does not exist, the HTTP request is scanned again using the general-type scanning rule library.
Fig. 4 is a flow chart of an example of applying the security scanning method of the embodiments of the present invention in a network system. Fig. 4 takes the application of the security scanning method of the above embodiment in the system shown in Fig. 1 as an example to describe the flow that implements security protection.
As shown in Fig. 4, the flow comprises:
Step 401, the security protection device intercepts the HTTP request sent by the user and sends it to the security scanner;
Step 402, the security scanner judges the type of the corresponding web server according to the URL carried in the HTTP request;
Step 403, the security scanner judges whether a scanning rule library corresponding to the type of this web server exists, i.e. the first scanning rule library; if it exists, step 404 is performed; if it does not exist, step 405 is performed;
Step 404, a security scan, i.e. the first security scan, is performed on the HTTP request according to the first scanning rule library, to judge whether the HTTP request is an attack request; if so, step 409 is performed; if not, step 405 is performed;
Step 405, the type of the web page that the HTTP request asks for is obtained;
Step 406, the security scanner judges whether a scanning rule library corresponding to the type of this web page exists, i.e. the second scanning rule library; if it exists, step 407 is performed; if it does not exist, step 408 is performed;
Step 407, a security scan, i.e. the second security scan, is performed on the HTTP request according to the second scanning rule library, to judge whether the HTTP request is an attack request; if so, step 409 is performed; if not, step 408 is performed;
Step 408, a security scan is performed on the HTTP request according to the general-type scanning rule library, to judge whether the HTTP request is an attack; if so, step 409 is performed; if not, step 411 is performed;
Step 409, the security scanner returns to the security protection device the scanning result that the HTTP request is an attack request; step 410 is then performed;
Step 410, the security protection device returns a warning message to the user, and the flow ends;
Step 411, the security scanner returns to the security protection device the scanning result that the HTTP request is a normal request; step 412 is then performed;
Step 412, the security protection device forwards the HTTP request to the corresponding web server, and the flow ends.
Although Fig. 4 is described by applying the security scanning method of the above embodiment in the system shown in Fig. 1, that is only one example application scenario of the security scanning method of the embodiments of the present invention and does not limit the method. The following describes how the security scanning method of the embodiments of the present invention is applied in another scenario.
Fig. 5 is a system architecture diagram of another network system in which a security protection device is deployed. As shown in Fig. 5, the security protection device 51 is connected in bypass mode to the same switch as the web server 53. The user equipment 52 exchanges data with the web server 53 through the switch 55. The HTTP requests that the user equipment 52 sends to the web server 53 through the switch 55, and the HTTP responses that the web server 53 returns to the user equipment 52, are mirrored to the security protection device 51.
After the security protection device 51 receives the mirrored HTTP request and HTTP response, it sends them to the connected security scanner 54. The security scanner 54 scans the HTTP request according to the security scanning method of any of the above embodiments, to judge whether the user is attacking the server that returned the HTTP response, and returns the scanning result to the security protection device 51. The security protection device 51 records an attack log according to the scanning result. This attack log can later be used to protect the web server, for example by determining a user blacklist; this is not limited in the embodiments of the present invention.
In the above process, because the security scanner can obtain the mirrored HTTP response returned by the web server, it can determine the type of the web server directly by parsing the Server header of the HTTP response, so no web server type judgment rule needs to be configured.
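The tiered flow of Fig. 4 (steps 402 to 408), sketched in Python as an added example that is not part of the patent text. The signatures, the extension-to-type tables and the Server header strings are constructed assumptions; when a mirrored Server header is supplied, as in the bypass deployment of Fig. 5, it replaces the URL-based judgment rule.

```python
import re
from urllib.parse import urlsplit

# Constructed, illustrative signatures. The general-type library is the superset.
GENERAL_LIBRARY = {
    "path-traversal": re.compile(r"\.\./|%2e%2e", re.I),
    "jsp-null-byte": re.compile(r"\.jsp%00", re.I),
    "php-remote-include": re.compile(r"=(?:https?|ftp)://", re.I),
    "media-double-extension": re.compile(
        r"\.(?:php|jsp)[^/]*\.(?:jpg|png|gif|mp4)$", re.I),
}


def subset(*names):
    """Build a typed library that is a subset of the general one by construction."""
    return {name: GENERAL_LIBRARY[name] for name in names}


# First libraries (by web server type) and second libraries (by web page type).
SERVER_LIBRARIES = {
    "tomcat": subset("path-traversal", "jsp-null-byte"),
    "apache": subset("path-traversal", "php-remote-include"),
}
PAGE_LIBRARIES = {
    "picture": subset("media-double-extension"),
    "video": subset("media-double-extension"),
}

# Assumed type judgment rules: the patent leaves their content open.
SERVER_BY_EXT = {"jsp": "tomcat", "do": "tomcat", "php": "apache"}
PAGE_BY_EXT = {"jpg": "picture", "png": "picture", "gif": "picture",
               "mp4": "video", "html": "text", "txt": "text"}


def last_extension(path):
    """Return the last file extension in the final path segment, lower-cased."""
    exts = re.findall(r"\.([A-Za-z0-9]+)", path.rsplit("/", 1)[-1])
    return exts[-1].lower() if exts else None


def server_type_from_header(server_header):
    """Map a mirrored Server response header to a web server type."""
    value = server_header.lower()
    if "coyote" in value or "tomcat" in value:
        return "tomcat"
    if value.startswith("apache"):
        return "apache"
    if value.startswith("lighttpd"):
        return "light"
    return None


def scan_request(url, server_header=None):
    """Scan one request: server-type library, page-type library, general library."""
    parts = urlsplit(url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    ext = last_extension(parts.path)
    server_type = (server_type_from_header(server_header) if server_header
                   else SERVER_BY_EXT.get(ext))                    # step 402
    stages = [
        ("server", SERVER_LIBRARIES.get(server_type)),            # steps 403-404
        ("page", PAGE_LIBRARIES.get(PAGE_BY_EXT.get(ext))),       # steps 405-407
        ("general", GENERAL_LIBRARY),                             # step 408
    ]
    evaluated = 0
    for stage, library in stages:
        if not library:        # no library for this type: fall through
            continue
        for name, pattern in library.items():
            evaluated += 1
            if pattern.search(target):
                return {"verdict": "attack", "stage": stage,
                        "rule": name, "rules_evaluated": evaluated}
    return {"verdict": "normal", "stage": None,
            "rule": None, "rules_evaluated": evaluated}


if __name__ == "__main__":
    # Constructed sample requests.
    print(scan_request("http://app.example/report/view.jsp%00"))
    print(scan_request("http://app.example/index.jsp?id=7", "Apache-Coyote/1.1"))
```

The `rules_evaluated` count shows the trade-off: a hit in a typed library costs one or two rule evaluations, while a normal request that falls through every tier costs more than a single pass over the general library.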
Fig. 6 is a schematic structural diagram of the security scanner of one embodiment of the invention. As shown in Fig. 6, the security scanner 60 comprises:
a request acquisition module 61, configured to obtain an HTTP request by which a user requests a web page from a web server;
a scanning rule acquisition module 62, configured to obtain a scanning rule library corresponding to the HTTP request, where the scanning rule library corresponding to the HTTP request contains the security vulnerabilities relevant to the HTTP request and is a subset of the general-type scanning rule library applicable to any HTTP request;
a security scanning module 63, configured to perform a security scan on the HTTP request according to the scanning rule library.
The detailed flow by which the security scanner of the above embodiment performs security scanning is the same as the security scanning method of any of the above embodiments and is not repeated here.
Attacks normally target the security vulnerabilities of software or programs, and the vulnerabilities that may exist differ from one piece of software or program to another. In the security scanner of the above embodiment, the software or programs behind different HTTP requests differ, so the security vulnerabilities relevant to different HTTP requests differ as well. Therefore, after the HTTP request that a user sends to the web server is obtained, the scanning rule library that corresponds to this HTTP request, and that contains only part of the general-type scanning rule library, is looked up among the pre-configured scanning rule libraries, and the HTTP request is scanned according to that library. Security scanning is still carried out effectively, while the amount of data the scan has to process is significantly reduced, device resources are saved and scanning speed is improved.
Further, in the security scanner of the above embodiment, the scanning rule acquisition module is configured to:
determine the scanning rule library corresponding to the HTTP request according to the type of the web server and/or the type of the requested web page.
Further, in the security scanner of the above embodiment, the scanning rule acquisition module and the security scanning module are specifically configured as follows:
the scanning rule acquisition module is configured to judge whether a first scanning rule library corresponding to the type of the web server exists and, if the first scanning rule library exists, to trigger the security scanning module to operate;
correspondingly, the security scanning module is configured to perform a first security scan on the HTTP request according to the first scanning rule library;
the scanning rule acquisition module is further configured, if the first scanning rule library does not exist or if the first security scan finds no attack, to trigger the security scanning module to operate according to a second scanning rule library corresponding to the type of the requested web page;
correspondingly, the security scanning module is further configured to perform a second security scan on the HTTP request according to the second scanning rule library.
Further, in the security scanner of the above embodiment, the scanning rule acquisition module is further configured to:
obtain the URL of the HTTP request;
judge the type of the web server according to the URL.
Fig. 7 is a schematic structural diagram of the security scanner of another embodiment of the present invention. As shown in Fig. 7, the security scanner 70 comprises a memory 71 and a processor 72 connected to the memory 71.
The memory 71 stores a set of program code, and the processor 72 is configured to call the program code stored in the memory to perform the following operations:
obtain an HTTP request by which a user requests a web page from a web server;
obtain a scanning rule library corresponding to the HTTP request, where the scanning rule library corresponding to the HTTP request contains the security vulnerabilities relevant to the HTTP request and is a subset of the general-type scanning rule library applicable to any HTTP request;
perform a security scan on the HTTP request according to the scanning rule library.
The security scanner of the above embodiment may of course also comprise an input/output interface, a hard disk device, a network interface unit and so on, which is not limited in the embodiments of the present invention. The memory may also comprise random access memory (Random Access Memory, RAM) and read-only memory (Read Only Memory, ROM), where, for example, a basic input output system (Basic Input Output System, BIOS) runs in the ROM, and an operating system, a control and management device and the above program code run in the RAM.
The embodiments of the present invention also provide a security protection system. This security protection system comprises user equipment, a web server, a security protection device connected between the user equipment and the web server, and a security scanner connected to the security protection device, where the security scanner is the security scanner of any of the above embodiments.
The security scanner may be integrated with the security protection device or deployed separately from it, which is not limited in the embodiments of the present invention.
A person of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiments may be carried out by hardware under the control of program instructions. The program may be stored in a computer-readable storage medium. When executed, the program performs the steps of the above method embodiments. The storage medium includes ROM, RAM, magnetic disks, optical discs and other media that can store program code.
Finally, it should be noted that the above embodiments are intended only to illustrate the technical solutions of the present invention, not to limit them. Although the invention has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features may be replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.