CN104967589B - A kind of safety detecting method, device and system - Google Patents
- Publication number: CN104967589B (application CN201410227945.7A)
- Authority: CN (China)
- Prior art keywords: access request, data flow, application server, data, sent
- Legal status (as listed by Google Patents; an assumption, not a legal conclusion): Active
- Classification landscapes: Computer And Data Communications; Data Exchanges In Wide-Area Networks
Abstract
The embodiments of the invention disclose a security detection method, device and system. The data flow sent to an application server is intercepted, five-tuple flow tracking is performed on it to determine which packets belong to the same access request, and the packets of that request are reassembled to recover the access request. The recovered request is then inspected: if it is a malicious request it is blocked, otherwise the data flow is sent on to the application server. Malicious requests that attack vulnerabilities are thereby prevented from reaching the server. The scheme lowers development and operation and maintenance (O&M) costs and, because it consumes no application-server resources, also helps improve server performance.
Description
Technical field
The present invention relates to the field of communication technology, and in particular to a security detection method, device and system.
Background technique
With the development of communication technology, network applications have become ever more varied. At the same time, the threats faced by the application servers that provide these services keep growing, and how to guarantee the security of a server is very important for the healthy development of the whole network.
Protecting against vulnerabilities is an important part of ensuring server security. Protection against web vulnerabilities is conventionally implemented on the host layer: a corresponding security interface or module is installed on the application server to detect, analyse and intercept malicious user requests. Because application server software differs, a separate security interface or module must be provided for each kind of server: for Apache (an application server software) a security interface or module written specifically for Apache is needed, for Nginx (another application server software) one written specifically for Nginx, and so on. When the application server receives a user's access request, such as a Hypertext Transfer Protocol (HTTP) request, it calls the security interface or module to parse the request and perform the security check, and if the access is judged malicious it is blocked.
In researching and practising the prior art, the inventors found that because there are many kinds of application server and the security interface or module must be customised for each, development and O&M costs are high. Moreover, installing the security interface or module is relatively complex, and at run time it consumes some of the application server's resources, so it also affects the performance of the application server itself and stands in the way of improving that performance.
Summary of the invention
The embodiments of the present invention provide a security detection method, device and system that not only lower development and O&M costs but also, by not consuming application-server resources, help improve server performance.
A security detection method, characterised by comprising:
intercepting the data flow sent to an application server;
performing five-tuple flow tracking on the data flow to determine which packets belong to the same access request;
reassembling the data belonging to the same access request to recover the access request;
inspecting the access request to determine whether it is a malicious request;
if so, blocking the access request;
if not, sending the data flow to the application server.
A security detection device, comprising:
an interception unit for intercepting the data flow sent to an application server;
a flow tracking unit for performing five-tuple flow tracking on the data flow to determine which packets belong to the same access request;
a reassembly unit for reassembling the data belonging to the same access request to recover the access request;
a detection unit for inspecting the access request to determine whether it is a malicious request;
a blocking unit for blocking the access request when the detection unit determines that it is malicious;
a sending unit for sending the data flow to the application server when the detection unit determines that the access request is not malicious.
A communication system, including any security detection device provided by the embodiments of the present invention.
In the embodiments of the present invention the data flow sent to an application server is intercepted, five-tuple flow tracking is performed on it to determine which packets belong to the same access request, the packets of that request are reassembled to recover the access request, and the recovered request is inspected to determine whether it is malicious. If it is malicious the request is blocked; otherwise the data flow is sent to the application server. Malicious requests that attack vulnerabilities are thereby prevented from reaching the server. Because the data flow is inspected by a dedicated security detection device before it enters the application server, the scheme does not depend on the characteristics of the server software. Compared with the prior art, in which a different security interface or module must be installed on the application server for each kind of server software, this lowers development and O&M costs significantly; it also consumes no application-server resources and so helps improve server performance.
Detailed description of the invention
To describe the technical solutions in the embodiments of the present invention more clearly, the drawings needed for the description of the embodiments are briefly introduced below. The drawings described below show only some embodiments of the invention; those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of the security detection method provided by an embodiment of the present invention;
Fig. 2a is a network diagram of the security detection method provided by an embodiment of the present invention;
Fig. 2b is a schematic diagram of a scenario of the security detection method provided by an embodiment of the present invention;
Fig. 2c is another flow chart of the security detection method provided by an embodiment of the present invention;
Fig. 3 is a structural schematic diagram of the security detection device provided by an embodiment of the present invention;
Fig. 4 is a structural schematic diagram of the network security protection equipment provided by an embodiment of the present invention.
Specific embodiment
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings. The described embodiments are only some, not all, of the embodiments of the invention; all other embodiments obtained by those skilled in the art from these embodiments without creative effort fall within the protection scope of the present invention.
The embodiments of the present invention provide a security detection method, device and system, each described in detail below.
Embodiment one
This embodiment is described from the point of view of the security detection device, which can be implemented as an independent entity or integrated into other equipment such as a gateway.
A security detection method comprises: intercepting the data flow sent to an application server; performing five-tuple flow tracking on the data flow to determine which packets belong to the same access request; reassembling the data belonging to the same access request to recover the access request; and inspecting the access request to determine whether it is malicious, blocking it if so and sending the data flow to the application server if not.
As shown in Fig. 1, the detailed process of the security detection method can be as follows:
101. Intercept the data flow sent to the application server. For example, this can be done as follows:
Send a dynamic diversion (traction) instruction to the core-layer routing device corresponding to the application server, and receive the data flow that the core-layer routing device diverts according to that instruction.
Of course, other instructions that divert the data flow, or other interception techniques, may also be used; they are not described here.
102. Perform five-tuple flow tracking on the data flow to determine which packets belong to the same access request. For example, this can be done as follows:
Parse the headers of the packets in the data flow and extract the source address and destination address; all packets with the same source address and destination address are treated as the data flow belonging to the same access request.
103. Reassemble the data belonging to the same access request to recover the access request.
The data flow belonging to the same access request is reassembled on the basis of the Transmission Control Protocol (TCP) to recover the access request.
104. Inspect the access request to determine whether it is a malicious request; if it is, perform step 105, otherwise perform step 106.
Many detection techniques can be used. For example, a virus database can be preconfigured and the access request matched field by field against it, to determine whether the request carries any field that threatens the application server and hence whether it is a malicious request. That is, the step "inspect the access request to determine whether it is a malicious request" can specifically be as follows:
Query the virus database with the access request. If the access request contains a field that matches the virus database, determine that it is a malicious request; if it contains no field that matches the virus database, determine that it is not a malicious request.
The virus database can be configured according to the needs of the application; it is mainly used to collect and record the fields carried by the various access requests that may threaten the application server, and is not described further here.
105. When the access request is determined to be malicious, block it, so that the request cannot threaten the application server.
Optionally, after the access request is blocked, the application server can be notified that it was blocked; that is, after the step "block the access request", the method can further include:
Send the server a notification indicating that the access request has been blocked.
106. When the access request is determined not to be malicious, send the data flow to the application server, i.e. reinject the originally intercepted data flow.
For example, the data flow can be sent to the core routing device, which then forwards it to the application server.
It should be noted that, to keep a malicious request from being passed through to the application server in full, the data flow belonging to the same access request can be cached before the request is inspected and sent to the application server only once the request has been determined not to be malicious. To reduce the load and improve transmission efficiency, however, only part of the data flow that needs reassembly may be cached, with the remainder forwarded directly to the application server. If the access request is later determined to be malicious, the cached part need not be sent to the application server; if it is determined not to be malicious, the cached part is sent on, so that the application server receives the complete data flow of the access request. That is, after the step "reassemble the data belonging to the same access request to recover the access request" (step 103), the method can further include:
Cache at least one packet of the data flow belonging to the same access request, and send the other packets of that data flow (i.e. those other than the cached packets) to the application server.
At this point the step "when the access request is determined not to be malicious, send the data flow to the application server" can include:
Send the cached packets to the application server.
The number and position of the cached packets can be configured according to the needs of the application: for example, the last packet of a data flow (also called the fragment packet), the last two packets, the first three packets or a middle packet can be cached, or all packets can be cached; this is not described further here.
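The hold-back scheme just described, as an added example that is not taken from the patent: the segments of a reassembled request are forwarded to the application server immediately except for the ones selected by the caching policy, which are released only after a benign verdict and dropped after a malicious one. The server model, detector and traffic are constructed stand-ins; the server model delivers only the contiguous in-order prefix to the application, as a real TCP stack would.

```python
"""Added example: partial caching (hold-back) of a request's segments while it is
inspected. Server, detector and segments are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int
    payload: bytes


def hold_indices(n, policy):
    """Which of the n segments (by position) to cache; the others are forwarded
    at once. The policies follow the options listed in the text."""
    if n == 0:
        return set()
    return {
        "last": {n - 1},                         # the final "fragment packet"
        "last2": set(range(max(0, n - 2), n)),
        "first3": set(range(min(3, n))),
        "middle": {n // 2},
        "all": set(range(n)),
    }[policy]


class FakeServer:
    """Stand-in for the application server behind the core router. It records the
    segments it receives and exposes what the application can actually read."""

    def __init__(self, isn):
        self.isn = isn            # sequence number of the request's first byte
        self.received = []

    def deliver(self, seg):
        self.received.append(seg)

    def stream(self):
        """TCP hands the application only the contiguous in-order prefix, so a
        held earlier segment also withholds everything queued behind it."""
        out, expected = b"", self.isn
        for s in sorted(self.received, key=lambda s: s.seq):
            if s.seq != expected:
                break
            out += s.payload
            expected += len(s.payload)
        return out

    def request_complete(self):
        # HTTP/1.1 cannot act on a request before the blank line ending the headers.
        return b"\r\n\r\n" in self.stream()


def is_malicious(request):
    """Tiny stand-in for the virus-database lookup of step 104."""
    return b"../" in request


def gate(segments, server, policy="last"):
    """Forward the non-held segments immediately (the 'other packets' of the text),
    inspect the full request, then release or drop the cached segments.
    Returns ('block', cached) or ('forward', cached)."""
    held = hold_indices(len(segments), policy)
    cached = [s for i, s in enumerate(segments) if i in held]
    for i, s in enumerate(segments):
        if i not in held:
            server.deliver(s)            # reinjected before the verdict is known
    request = b"".join(s.payload for s in segments)   # already reassembled (step 103)
    if is_malicious(request):
        return ("block", cached)         # cached segments are never sent
    for s in cached:
        server.deliver(s)                # benign: complete the request
    return ("forward", cached)


# Constructed traffic: a traversal request and a clean request, three segments each.
BAD = [
    Segment(1000, b"GET /img/."),
    Segment(1010, b"./etc/passwd HTTP/1.1\r\n"),
    Segment(1033, b"Host: app.example\r\n\r\n"),
]
GOOD = [
    Segment(2000, b"GET /index.html"),
    Segment(2015, b" HTTP/1.1\r\n"),
    Segment(2026, b"Host: app.example\r\n\r\n"),
]


def demo(segments, policy="last"):
    """Run one request through the gate; report the verdict, how many segments were
    held back, and whether the server ended up with a usable request."""
    server = FakeServer(segments[0].seq)
    verdict, cached = gate(segments, server, policy)
    return verdict, len(cached), server.request_complete()


if __name__ == "__main__":
    print(demo(BAD))               # ('block', 1, False)
    print(demo(GOOD))              # ('forward', 1, True)
    print(demo(BAD, "middle"))     # ('block', 1, False)
```

Holding the last segment keeps a blocked request unusable only because the server needs the terminating blank line; whichever policy is chosen, the held bytes must be ones the server cannot act without.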
In summary, this embodiment intercepts the data flow sent to an application server, performs five-tuple flow tracking on it to determine which packets belong to the same access request, reassembles the packets of that request to recover the access request, and inspects the recovered request to determine whether it is malicious. If it is malicious the request is blocked; otherwise the data flow is sent to the application server. Malicious requests that attack vulnerabilities are thereby prevented from reaching the server. Because the data flow is inspected by a dedicated security detection device before it enters the application server, the scheme does not depend on the characteristics of the server software. Compared with the prior art, in which a different security interface or module must be installed on the application server for each kind of server software, this lowers development and O&M costs significantly; it also consumes no application-server resources and so helps improve server performance.
Embodiment two
The method of embodiment one is described in further detail below by way of example.
In this embodiment the security detection device is taken to be an independent entity. For ease of description, this entity is called the Web Application Firewall (WAF) protection device in the embodiments of the present invention.
Refer to Figs. 2a and 2b, where Fig. 2a is the network diagram and Fig. 2b the scenario diagram of the security detection method provided by an embodiment of the present invention. In this scenario, after the core routing device receives a user's access request addressed to an application server, it diverts the data flow of that request to the WAF protection device, which inspects the security of the request. If the request is safe (not malicious), the data flow of the request is reinjected to the core-layer routing device to be sent on to the application server; otherwise, if the request is determined to be malicious, it is blocked. Of course, when the core-layer routing device sends the data flow to the application server it may also pass through some intermediate equipment or processing, such as access-layer switching, which is not described here.
In addition, the characteristics of the application servers can be the same or different: for example, application server 1 may run Apache server software, application server 2 Nginx server software, application server 3 Tomcat server software, and so on.
Based on the above application scenario, the security detection method is described in detail below. As shown in Fig. 2c, the specific process can be as follows:
201. The WAF protection device sends a dynamic diversion (traction) instruction to the core-layer routing device.
202. After receiving the dynamic diversion instruction, the core-layer routing device diverts the data flow sent to the application server to the WAF protection device according to that instruction.
For example, when the core-layer routing device receives a user's access request K addressed to server 1, it diverts the data flow of access request K to the WAF protection device according to the dynamic diversion instruction; that is, the flow is not sent to server 1 for the time being but to the WAF protection device.
The access request can be a Hypertext Transfer Protocol (HTTP) access request, a File Transfer Protocol (FTP) access request, and so on.
203. After receiving the data flow, the WAF protection device performs five-tuple flow tracking on it to determine which packets belong to the same access request.
For example, the headers of the packets in the data flow can be parsed and the source and destination addresses extracted; all packets with the same source address and destination address are treated as the data flow belonging to the same access request.
It should be noted that because an access request may need several packets to be transmitted, parsing a single packet is not enough to obtain the complete information of the request. The data flows must therefore be tracked to determine which packets belong to the same access request, so that the request can subsequently be recovered.
204. The WAF protection device reassembles the data flow belonging to the same access request on the basis of the TCP protocol to recover the access request.
205. The WAF protection device inspects the access request to determine whether it is a malicious request; if it is, step 206 is performed, otherwise step 207.
For example, the virus database can be queried with the access request: if the request contains a field that matches the virus database it is determined to be a malicious request, and if it contains no matching field it is determined not to be malicious.
The virus database can be configured according to the needs of the application; it is mainly used to collect and record the fields carried by the various access requests that may threaten the application server, and is not described further here.
206. When the access request is determined to be malicious, the WAF protection device blocks it, so that it cannot threaten the application server.
At this point the WAF protection device can also send the server a notification indicating that the access request has been blocked, so that the application server knows the request was blocked.
207. When the access request is determined not to be malicious, the WAF protection device sends the data flow to the core routing device, i.e. reinjects the originally intercepted data flow, and step 208 is performed.
208. The core routing device sends the data flow reinjected by the WAF protection device to the application server.
For example, continuing with access request K addressed to server 1, the core routing device now sends the data flow of access request K to application server 1.
It should be noted that, to keep a malicious request from being passed through to the application server in full, the data flow belonging to the same access request can be cached before the request is inspected and sent to the application server only once the request has been determined not to be malicious. To reduce the load and improve transmission efficiency, however, only part of the data flow that needs reassembly may be cached, with the remainder forwarded directly to the application server. If the access request is later determined to be malicious, the cached part need not be sent to the application server; if it is determined not to be malicious, the cached part is sent on, so that the application server receives the complete data flow of the access request. See embodiment one for details; they are not repeated here.
In summary, this embodiment intercepts the data flow sent to an application server, performs five-tuple flow tracking on it to determine which packets belong to the same access request, reassembles the packets of that request to recover the access request, and inspects the recovered request to determine whether it is malicious. If it is malicious the request is blocked; otherwise the data flow is sent to the application server. Malicious requests that attack vulnerabilities are thereby prevented from reaching the server. Because the data flow is inspected by a dedicated security detection device before it enters the application server, the scheme does not depend on the characteristics of the server software. Compared with the prior art, in which a different security interface or module must be installed on the application server for each kind of server software, this lowers development and O&M costs significantly; it also consumes no application-server resources and so helps improve server performance.
Embodiment three
To better implement the above method, an embodiment of the present invention also provides a security detection device. As shown in Fig. 3, the device includes an interception unit 301, a flow tracking unit 302, a reassembly unit 303, a detection unit 304, a blocking unit 305 and a sending unit 306, as follows:
Interception unit 301, for intercepting the data flow sent to the application server.
Flow tracking unit 302, for performing five-tuple flow tracking on the data flow to determine which packets belong to the same access request.
Reassembly unit 303, for reassembling the data belonging to the same access request to recover the access request.
For example, the data flow belonging to the same access request can be reassembled on the basis of the TCP protocol to recover the access request.
Detection unit 304, for inspecting the access request to determine whether it is a malicious request.
Blocking unit 305, for blocking the access request when the detection unit determines that it is malicious.
Sending unit 306, for sending the data flow to the application server when the detection unit determines that the access request is not malicious.
Many detection techniques can be used. For example, a virus database can be preconfigured and the access request matched field by field against it, to determine whether the request carries any field that threatens the application server and hence whether it is a malicious request. That is:
Detection unit 304 can specifically be used to query the virus database with the access request; if the access request contains a field that matches the virus database it is determined to be a malicious request, and if it contains no field that matches the virus database it is determined not to be malicious.
The virus database can be configured according to the needs of the application; it is mainly used to collect and record the fields carried by the various access requests that may threaten the application server, and is not described further here.
In addition, various ways can be used to intercept the data flow sent to the application server. For example, a dynamic diversion (traction) instruction can be sent to the core-layer routing device corresponding to the application server, so that the core-layer routing device diverts the data flow sent to the application server to the security detection device according to that instruction. That is:
Interception unit 301 can specifically be used to send a dynamic diversion instruction to the core-layer routing device corresponding to the application server and to receive the data flow diverted by the core-layer routing device according to that instruction.
Optionally, after the access request is blocked, the application server can be notified that it was blocked. That is:
Sending unit 306 can also be used to send the server a notification indicating that the access request has been blocked.
It should be noted that, to keep a malicious request from being passed through to the application server in full, the data flow belonging to the same access request can be cached before the request is inspected and sent to the application server only once the request has been determined not to be malicious. To reduce the load and improve transmission efficiency, however, only part of the data flow that needs reassembly may be cached, with the remainder forwarded directly to the application server. If the access request is later determined to be malicious, the cached part need not be sent to the application server; if it is determined not to be malicious, the cached part is sent on, so that the application server receives the complete data flow of the access request. That is, the security detection device can further include a cache unit, as follows:
Cache unit, for caching at least one packet of the data flow belonging to the same access request and sending the other packets of that data flow to the application server.
At this point sending unit 306 can be used to send the cached packets to the application server when detection unit 304 determines that the access request is not malicious.
The number and position of the cached packets can be configured according to the needs of the application: for example, the last packet of a data flow (also called the fragment packet), the last two packets, the first three packets or a middle packet can be cached, or all packets can be cached; this is not described further here.
In implementation, each of the above units can be realised as an independent entity, or any combination of them can be realised as one or several entities; the specific implementation of each unit is described in the method embodiments above and is not repeated here.
In summary, in the security detection device of this embodiment the interception unit 301 intercepts the data flow sent to an application server, the flow tracking unit 302 performs five-tuple flow tracking on it to determine which packets belong to the same access request, the reassembly unit 303 reassembles the packets of that request to recover the access request, and the detection unit 304 inspects the recovered request to determine whether it is malicious. If it is malicious, the blocking unit 305 blocks the request; otherwise the sending unit 306 sends the data flow to the application server. Malicious requests that attack vulnerabilities are thereby prevented from reaching the server. Because the data flow is inspected by a dedicated security detection device before it enters the application server, the scheme does not depend on the characteristics of the server software. Compared with the prior art, in which a different security interface or module must be installed on the application server for each kind of server software, this lowers development and O&M costs significantly; it also consumes no application-server resources and so helps improve server performance.
Example IV,
Correspondingly, the embodiment of the present invention also provides a communication system including any safety detection device provided in the embodiments of the present invention. For example, it may be as follows:
The safety detection device is configured to intercept the data flow sent to the application server; perform five-tuple based flow tracking on the data flow to determine the data flow belonging to the same access request; perform data recombination on the data flow belonging to the same access request to restore the access request; detect the access request to determine whether it is a malicious request; if so, block the access request; if not, send the data flow to the application server.
There are many possible detection techniques. For example, a virus base may be preset, and the access request is matched field by field against the virus base to determine whether the access request contains a field that threatens the application server, and thus whether the access request is a malicious request. That is:
The safety detection device may specifically be configured to query the virus base according to the access request; if a field matching the virus base exists in the access request, the access request is determined to be a malicious request; if no field matching the virus base exists in the access request, the access request is determined not to be a malicious request.
The virus base can be configured according to the needs of the practical application; it is mainly used to collect and record the various fields carried by access requests that may threaten the application server. Details are not described here.
In addition, various methods may be used to intercept the data flow sent to the application server. For example, a dynamic traction instruction may be sent to the core-layer routing device corresponding to the application server, so that the core-layer routing device diverts the data flow sent to the application server to the safety detection device according to the dynamic traction instruction. That is:
The safety detection device may specifically be configured to send a dynamic traction instruction to the core-layer routing device corresponding to the application server, and to receive the data flow diverted by the core-layer routing device according to the dynamic traction instruction.
Optionally, after blocking the access request, the application server may also be notified that the access request was blocked. That is:
The safety detection device may further be configured to send, to the server, a notification indicating that the access request has been blocked.
The specific implementation of the safety detection device can be found in the preceding embodiments and is not described here.
From the foregoing, the safety detection device in the communication system of this embodiment can intercept the data flow sent to the application server, perform five-tuple based flow tracking on the data flow to determine the data flow belonging to the same access request, then perform data recombination on the data flow belonging to the same access request to restore the access request, and detect the access request to determine whether it is a malicious request; if it is a malicious request, the access request is blocked, otherwise the data flow is sent to the application server. This achieves the purpose of preventing malicious requests that attack vulnerabilities. Because in this scheme the data flow is security-checked by a dedicated safety detection device before it enters the application server, the scheme is not limited by the characteristics of the application server's service software. Compared with the prior art, in which different safety interfaces/modules must be configured in the application server according to different characteristics, it can significantly reduce development and O&M cost; moreover, it does not occupy the resources of the application server, which helps improve server performance.
Embodiment five,
The embodiment of the present invention also provides a network safety protection device. Fig. 4 shows a structural schematic diagram of the network safety protection device involved in the embodiment of the present invention. Specifically:
The network safety protection device may include a processor 401 with one or more processing cores, a memory 402 with one or more computer-readable storage media, a radio frequency (RF) circuit 403, a wireless communication module 404 such as a Bluetooth module and/or a Wireless Fidelity (WiFi) module (Fig. 4 takes the WiFi module 404 as an example), a power supply 405, a sensor 406, an input unit 407, a display unit 408, and other components. Those skilled in the art will appreciate that the structure of the network safety protection device shown in Fig. 4 does not limit the network safety protection device, which may include more or fewer components than illustrated, combine certain components, or use a different component layout. Wherein:
The processor 401 is the control center of the network safety protection device. It connects the various parts of the whole device through various interfaces and lines, and performs the various functions of the device and processes data by running or executing the software programs and/or modules stored in the memory 402 and calling the data stored in the memory 402, thereby monitoring the device as a whole. Optionally, the processor 401 may include one or more processing cores; preferably, the processor 401 may integrate an application processor and a modem processor, where the application processor mainly handles the operating system, user interface and application programs, and the modem processor mainly handles wireless communication. It will be understood that the modem processor may also not be integrated into the processor 401.
The memory 402 may be used to store software programs and modules; the processor 401 executes various functional applications and data processing by running the software programs and modules stored in the memory 402. The memory 402 may mainly include a program storage area and a data storage area, where the program storage area may store the operating system and the application programs required by at least one function (such as a sound playback function or an image playback function), and the data storage area may store data created according to the use of the network safety protection device, etc. In addition, the memory 402 may include high-speed random access memory and may also include non-volatile memory, for example at least one magnetic disk storage device, flash memory device, or other volatile solid-state storage device. Correspondingly, the memory 402 may further include a memory controller to provide the processor 401 with access to the memory 402.
The RF circuit 403 may be used to receive and send signals during the sending and receiving of information; in particular, after downlink information from a base station is received, it is handed to one or more processors 401 for processing; in addition, uplink data is sent to the base station. Generally, the RF circuit 403 includes, but is not limited to, an antenna, at least one amplifier, a tuner, one or more oscillators, a subscriber identity module (SIM) card, a transceiver, a coupler, a low noise amplifier (LNA), a duplexer, and so on. In addition, the RF circuit 403 may communicate with networks and other devices by wireless communication. The wireless communication may use any communication standard or protocol, including but not limited to Global System of Mobile Communication (GSM), General Packet Radio Service (GPRS), Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), Long Term Evolution (LTE), e-mail, Short Messaging Service (SMS), etc.
WiFi is a short-range wireless transmission technology; through the WiFi module 404, the network safety protection device can send and receive e-mail, access streaming video, etc., providing wireless broadband Internet access. Although Fig. 4 shows the WiFi module 404, it will be understood that it is not a necessary component of the network safety protection device and may be omitted as needed without changing the essence of the invention.
The network safety protection device further includes a power supply 405 (such as a battery) that supplies power to the various components; preferably, the power supply may be logically connected to the processor 401 through a power management system, so that functions such as managing charging, discharging and power consumption are realized through the power management system. The power supply 405 may also include one or more DC or AC power sources, a recharging system, a power failure detection circuit, a power converter or inverter, a power status indicator, and any other components.
The network safety protection device may further include at least one sensor 406, such as an optical sensor, a motion sensor and other sensors. Other sensors such as a gyroscope, barometer, hygrometer, thermometer and infrared sensor may also be configured in the network safety protection device; details are not described here.
The network safety protection device may further include an input unit 407, which may be used to receive input digits or character information and to generate keyboard, mouse, joystick, optical or trackball signal inputs related to user settings and function control. Specifically, in one embodiment, the input unit 407 may include a touch-sensitive surface and other input devices. The touch-sensitive surface, also referred to as a touch display screen or touchpad, collects touch operations of the user on or near it (for example, operations performed by the user with a finger, stylus, or any other suitable object or attachment on or near the touch-sensitive surface) and drives the corresponding connecting device according to a preset program. Optionally, the touch-sensitive surface may include two parts, a touch detection device and a touch controller. The touch detection device detects the touch position of the user, detects the signal brought by the touch operation, and transmits the signal to the touch controller; the touch controller receives the touch information from the touch detection device, converts it into contact coordinates, sends them to the processor 401, and can receive and execute commands sent by the processor 401. Furthermore, the touch-sensitive surface may be implemented in multiple types such as resistive, capacitive, infrared and surface acoustic wave. In addition to the touch-sensitive surface, the input unit 407 may include other input devices, which may include but are not limited to one or more of a physical keyboard, function keys (such as volume control keys, switch keys, etc.), a trackball, a mouse, a joystick, and so on.
The network safety protection device may further include a display unit 408, which may be used to display information input by the user, information provided to the user, and the various graphical user interfaces of the network safety protection device; these graphical user interfaces may be composed of graphics, text, icons, video, and any combination thereof. The display unit 408 may include a display panel; optionally, the display panel may be configured in the form of a liquid crystal display (LCD), an organic light-emitting diode (OLED) display, or the like. Further, the touch-sensitive surface may cover the display panel; after the touch-sensitive surface detects a touch operation on or near it, it passes the operation to the processor 401 to determine the type of the touch event, and the processor 401 then provides corresponding visual output on the display panel according to the type of the touch event. Although in Fig. 4 the touch-sensitive surface and the display panel are two independent components realizing the input and output functions, in some embodiments the touch-sensitive surface and the display panel may be integrated to realize the input and output functions.
Although not shown, the network safety protection device may further include a camera, a Bluetooth module, etc.; details are not described here.
Specifically, in this embodiment, the processor 401 in the network safety protection device loads the executable files corresponding to the processes of one or more application programs into the memory 402 according to the following instructions, and runs the application programs stored in the memory 402, thereby realizing various functions, as follows:
intercepting the data flow sent to the application server; performing five-tuple based flow tracking on the data flow to determine the data flow belonging to the same access request; performing data recombination on the data flow belonging to the same access request to restore the access request; detecting the access request to determine whether the access request is a malicious request; if so, blocking the access request; if not, sending the data flow to the application server.
There are many possible detection techniques. For example, a virus base may be preset, and the access request is matched field by field against the virus base to determine whether the access request contains a field that threatens the application server, and thus whether the access request is a malicious request. That is, the operation "detecting the access request to determine whether the access request is a malicious request" may specifically be as follows:
querying the virus base according to the access request; if a field matching the virus base exists in the access request, determining that the access request is a malicious request; if no field matching the virus base exists in the access request, determining that the access request is not a malicious request.
The virus base can be configured according to the needs of the practical application; it is mainly used to collect and record the various fields carried by access requests that may threaten the application server. Details are not described here.
In addition, various methods may be used to intercept the data flow sent to the application server. For example, a dynamic traction instruction may be sent to the core-layer routing device corresponding to the application server, so that the core-layer routing device diverts the data flow sent to the application server to the network safety protection device according to the dynamic traction instruction. That is, the operation "intercepting the data flow sent to the application server" may specifically be as follows:
sending a dynamic traction instruction to the core-layer routing device corresponding to the application server, and receiving the data flow diverted by the core-layer routing device according to the dynamic traction instruction.
Optionally, after blocking the access request, the application server may also be notified that the access request was blocked; that is, after blocking the access request, the following instruction may also be executed:
sending, to the server, a notification indicating that the access request has been blocked.
The specific implementation of each of the above operations can be found in the preceding embodiments and is not described here.
From the foregoing, the network safety protection device of this embodiment can intercept the data flow sent to the application server, perform five-tuple based flow tracking on the data flow to determine the data flow belonging to the same access request, then perform data recombination on the data flow belonging to the same access request to restore the access request, and detect the access request to determine whether it is a malicious request; if it is a malicious request, the access request is blocked, otherwise the data flow is sent to the application server. This achieves the purpose of preventing malicious requests that attack vulnerabilities. Because in this scheme the data flow is security-checked by a dedicated safety detection device before it enters the application server, the scheme is not limited by the characteristics of the application server's service software. Compared with the prior art, in which different safety interfaces/modules must be configured in the application server according to different characteristics, it can significantly reduce development and O&M cost; moreover, it does not occupy the resources of the application server, which helps improve server performance.
Those of ordinary skill in the art will appreciate that all or part of the steps in the various methods of the above embodiments may be completed by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium, which may include a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disc, or the like.
The safety detecting method, device and system provided by the embodiments of the present invention have been described in detail above. Specific examples are used herein to illustrate the principles and implementation of the invention; the description of the above embodiments is only intended to help understand the method and core idea of the invention. Meanwhile, those skilled in the art may make changes to the specific implementation and application scope according to the idea of the invention. In summary, the content of this specification should not be construed as limiting the invention.
Claims (6)
1. A safety detecting method, characterized by comprising:
sending a dynamic traction instruction to the core-layer routing device corresponding to an application server;
receiving the data flow diverted by the core-layer routing device according to the dynamic traction instruction;
performing five-tuple based flow tracking on the data flow: parsing the packet header of each data packet in the data flow, extracting the source address and destination address, and taking all data packets with the same source address and destination address as the data flow belonging to the same access request;
performing data recombination on the data flow belonging to the same access request based on the Transmission Control Protocol, to restore the access request;
querying a virus base according to the access request: if a field matching the virus base exists in the access request, determining that the access request is a malicious request; if no field matching the virus base exists in the access request, determining that the access request is not a malicious request;
when the access request is determined to be a malicious request, blocking the access request;
when the access request is determined not to be a malicious request, sending the data flow to the application server.
2. The method according to claim 1, characterized in that after performing data recombination on the data flow belonging to the same access request based on the Transmission Control Protocol to restore the access request, the method further comprises:
caching at least one data packet in the data flow belonging to the same access request, and sending the other data packets in the data flow belonging to the same access request to the application server.
3. The method according to claim 1 or 2, characterized in that after blocking the access request, the method further comprises:
sending, to the server, a notification indicating that the access request has been blocked.
4. A safety detection device, characterized by comprising:
an interception unit, for sending a dynamic traction instruction to the core-layer routing device corresponding to an application server, and receiving the data flow diverted by the core-layer routing device according to the dynamic traction instruction;
a flow tracking unit, for performing five-tuple based flow tracking on the data flow: parsing the packet header of each data packet in the data flow, extracting the source address and destination address, and taking all data packets with the same source address and destination address as the data flow belonging to the same access request;
a recombination unit, for performing data recombination on the data flow belonging to the same access request based on the Transmission Control Protocol, to restore the access request;
a detection unit, for querying a virus base according to the access request: if a field matching the virus base exists in the access request, determining that the access request is a malicious request; if no field matching the virus base exists in the access request, determining that the access request is not a malicious request;
a blocking unit, for blocking the access request when the detection unit determines that the access request is a malicious request;
a transmission unit, for sending the data flow to the application server when the detection unit determines that the access request is not a malicious request.
5. The safety detection device according to claim 4, characterized by further comprising a cache unit;
the cache unit is for caching at least one data packet in the data flow belonging to the same access request, and sending the other data packets in the data flow belonging to the same access request to the application server;
the transmission unit is for sending the cached data packet to the application server when the detection unit determines that the access request is not a malicious request.
6. A communication system, characterized by comprising the safety detection device according to claim 4 or 5.
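The pipeline claimed above (five-tuple flow tracking, TCP-based data recombination, a virus-base query on the restored request, then block or forward), as an added Python example that is not the patent's own code. The Packet model, the use of the SYN segment to fix where the request starts, the HTTP-style blank-line terminator and the VIRUS_BASE entries are assumptions made for the example.

```python
"""Flow tracking, TCP-based data recombination and virus-base matching in the
order the patent describes.  Added example, not the patent's own code; the
Packet model, the SYN-based request start, the HTTP-style request terminator
and the three VIRUS_BASE entries are assumptions made for the example."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# (source address, source port, destination address, destination port, protocol)
FiveTuple = Tuple[str, int, str, int, str]


@dataclass
class Packet:
    """Minimal model of one intercepted data packet (constructed for the example)."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    seq: int              # TCP sequence number of the first payload byte
    payload: bytes
    syn: bool = False     # True for the segment that opens the connection

    def five_tuple(self) -> FiveTuple:
        return (self.src, self.sport, self.dst, self.dport, self.proto)


# Constructed stand-in for the "virus base": fields whose presence in a restored
# access request marks it as malicious.  A deployment would load a maintained
# signature set configured for the application; these entries are illustrative.
VIRUS_BASE: List[bytes] = [b"<script>", b"' OR 1=1", b"../../"]


@dataclass
class Flow:
    """Cached packets of one access request, kept until it can be restored."""
    first_seq: Optional[int] = None          # learned from the SYN
    segments: Dict[int, bytes] = field(default_factory=dict)
    packets: List[Packet] = field(default_factory=list)


def reassemble(flow: Flow) -> Optional[bytes]:
    """Data recombination based on TCP: concatenate segments in sequence order.
    Returns None until every byte from first_seq onward is present, so an
    out-of-order or missing segment is never inspected as if it were whole."""
    if flow.first_seq is None:
        return None
    data, expected = b"", flow.first_seq
    while expected in flow.segments:
        seg = flow.segments[expected]
        data += seg
        expected += len(seg)
    if len(data) != sum(len(s) for s in flow.segments.values()):
        return None   # a gap remains (a segment is cached beyond a hole)
    return data


def request_complete(data: bytes) -> bool:
    """Assumption: requests are header-only HTTP-style messages ending in a blank line."""
    return data.endswith(b"\r\n\r\n")


def is_malicious(request: bytes, virus_base: List[bytes] = VIRUS_BASE) -> Optional[bytes]:
    """Query the virus base: return the first matching field, or None if none matches."""
    for sig in virus_base:
        if sig in request:
            return sig
    return None


class SafetyDetector:
    """Tracks intercepted packets by five-tuple and decides per restored request."""

    def __init__(self) -> None:
        self.flows: Dict[FiveTuple, Flow] = {}
        self.blocked: Set[FiveTuple] = set()

    def process_packet(self, pkt: Packet) -> Optional[dict]:
        """Cache the packet; once its access request is restored, return the
        decision ("forward" with the cached packets, or "block" and notify)."""
        key = pkt.five_tuple()
        if key in self.blocked:
            return {"action": "drop", "reason": "request already blocked"}
        flow = self.flows.setdefault(key, Flow())
        flow.packets.append(pkt)
        if pkt.syn:
            flow.first_seq = pkt.seq + 1     # SYN consumes one sequence number
        if pkt.payload:                       # empty segments carry no request data
            flow.segments[pkt.seq] = pkt.payload
        data = reassemble(flow)
        if data is None or not request_complete(data):
            return None                       # keep caching; request not restored yet
        del self.flows[key]
        sig = is_malicious(data)
        if sig is not None:
            self.blocked.add(key)
            return {"action": "block", "match": sig, "notify_server": True}
        return {"action": "forward", "packets": len(flow.packets)}
```

Feeding the second data segment before the first returns None (a gap), and the decision is only made once the whole request is restored; a flow that was blocked keeps dropping later packets on the same five-tuple.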
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410227945.7A CN104967589B (en) | 2014-05-27 | 2014-05-27 | A kind of safety detecting method, device and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104967589A CN104967589A (en) | 2015-10-07 |
CN104967589B true CN104967589B (en) | 2019-02-05 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| TR01 | Transfer of patent right | Effective date of registration: 20190802. Patentee before: Tencent Technology (Shenzhen) Co., Ltd., Room 403, East Block 2, SEG Science Park, Zhenxing Road, Futian District, Shenzhen, Guangdong 518000. Patentee after: Tencent Technology (Shenzhen) Co., Ltd.; co-patentee after: Tencent cloud computing (Beijing) limited liability company; address after: Room 403, East Block 2, SEG Science Park, Zhenxing Road, Futian District, Shenzhen, Guangdong 518044. |