CN106534346A - Virtual WAF-based flow control method, apparatus and system - Google Patents
- Publication number: CN106534346A
- Application number: CN201611118613.0A
- Authority: CN (China)
- Prior art keywords: control platform, cloud, waf, virtual, security control
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Granted
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/16—Threshold monitoring
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/45—Network directories; Name-to-address mapping
- H04L61/4505—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
- H04L61/4511—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention discloses a virtual WAF-based flow control method, apparatus and system, relating to the technical field of data security. It effectively prevents the virtual WAF from being paralyzed by excessive data traffic while still providing data security filtering. The method comprises: while filtering the data traffic sent by clients with the virtual web application firewall (WAF), generating a cloud open command carrying a traffic traction policy according to a cloud open trigger condition; according to the cloud open command, opening the website cloud security control platform by calling the interface of the embedded management interface of the website cloud security control platform; and sending the traffic traction policy to the domain name resolution server through the host machine of the virtual WAF, so that the domain name resolution server pulls the data traffic sent by clients to the website cloud security control platform for filtering. The method, apparatus and system are mainly applicable to data security protection based on a virtual WAF.
Description
Technical field
The present invention relates to the technical field of data security, and more particularly to a flow control method, apparatus and system based on a virtual WAF.
Background
A WAF (Web Application Firewall) represents an emerging class of information security technology that addresses Web application security problems which traditional security devices such as firewalls cannot solve. A website cloud security control platform provides cloud-based security protection for websites, including Web intrusion prevention, DDoS (Distributed Denial of Service) protection, CC (Challenge Collapsar) protection, DNS (Domain Name System) protection and so on, ensuring that a protected website is not intruded upon or paralyzed by attacks.
In practice, to save resources and cost, several virtual website servers can be virtualized on one physical machine for use by different customers. To secure those virtual website servers, one or more virtual WAFs can also be virtualized on the same physical machine to filter and clean data requests. In the prior art, because the website cloud security control platform is a cloud service, it is invisible to the enterprise, whereas the host machine of the virtual WAF is a hardware device inside the enterprise and is visible to it. For reasons of data security, enterprises therefore usually prefer to use the virtual WAF for security protection. However, when a website is attacked, a large number of data requests is typically generated, and because the load capacity of the virtual WAF is limited, having it filter all of them may paralyze it. The existing way to prevent this is to have the operator increase bandwidth as far as possible so that the virtual WAF can filter all data requests. But having the operator increase bandwidth is cumbersome and inefficient, so it cannot effectively prevent the virtual WAF from being paralyzed.
Summary of the invention
In view of this, the present invention provides a flow control method, apparatus and system based on a virtual WAF that can effectively prevent the virtual WAF from being paralyzed by excessive data traffic while still providing data security filtering.
The purpose of the invention is achieved with the following technical solutions:
In a first aspect, the invention provides a flow control method based on a virtual WAF. The method is applied on the virtual WAF side and includes:
while filtering the data traffic sent by clients with the virtual web application firewall (WAF), generating a cloud open command according to a cloud open trigger condition, the cloud open command carrying a traffic traction policy;
according to the cloud open command, opening the website cloud security control platform by calling the interface of the embedded management interface of the website cloud security control platform;
sending the traffic traction policy to the domain name resolution server through the host machine of the virtual WAF, so that the domain name resolution server pulls the data traffic sent by clients to the website cloud security control platform for filtering.
In a second aspect, the invention provides a flow control method based on a virtual WAF. The method is applied on the domain name resolution server side and includes:
receiving the traffic traction policy sent by the virtual web application firewall (WAF), the traffic traction policy being generated when the virtual WAF generates the cloud open command that instructs opening of the website cloud security control platform, and the management interface of the website cloud security control platform being embedded in the virtual WAF;
pulling the data traffic sent by clients to the website cloud security control platform for filtering according to the traffic traction policy.
In a third aspect, the invention provides a flow control apparatus based on a virtual WAF. The apparatus is applied on the virtual WAF side and includes:
a generating unit, configured to generate a cloud open command according to a cloud open trigger condition while the data traffic sent by clients is being filtered with the virtual web application firewall (WAF), the cloud open command carrying a traffic traction policy;
an opening unit, configured to open the website cloud security control platform, according to the cloud open command generated by the generating unit, by calling the interface of the embedded management interface of the website cloud security control platform;
a sending unit, configured to send the traffic traction policy to the domain name resolution server through the host machine of the virtual WAF, so that the domain name resolution server pulls the data traffic sent by clients to the website cloud security control platform for filtering.
In a fourth aspect, the invention provides a flow control apparatus based on a virtual WAF. The apparatus is applied on the domain name resolution server side and includes:
a receiving unit, configured to receive the traffic traction policy sent by the virtual web application firewall (WAF), the traffic traction policy being generated when the virtual WAF generates the cloud open command that instructs opening of the website cloud security control platform, and the management interface of the website cloud security control platform being embedded in the virtual WAF;
a traction unit, configured to pull the data traffic sent by clients to the website cloud security control platform for filtering according to the traffic traction policy received by the receiving unit.
In a fifth aspect, the invention provides a flow control system based on a virtual WAF. The system includes a virtual web application firewall (WAF) and a domain name resolution server, wherein the virtual WAF includes the apparatus described in the third aspect and the domain name resolution server includes the apparatus described in the fourth aspect.
With the above technical solutions, the flow control method, apparatus and system based on a virtual WAF provided by the invention embed the management interface of the website cloud security control platform in the virtual WAF. While the virtual WAF is filtering the data traffic sent by clients, it can, according to actual need (for example, when the virtual WAF's load exceeds a threshold), open the website cloud security control platform by calling the interface of the embedded management interface, and notify the domain name resolution server through the host machine to carry out the traffic traction operation. The website cloud security control platform then shares the data traffic with the virtual WAF and performs security filtering on it, so that the data traffic the virtual WAF has to filter does not exceed its load capacity, which avoids the virtual WAF being paralyzed by excessive data traffic.
The above is only an overview of the technical solution of the invention. So that the technical means of the invention can be understood more clearly and practiced according to the content of the description, and so that the above and other objects, features and advantages of the invention become more apparent, specific embodiments of the invention are set out below.
Brief description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art on reading the following detailed description of the preferred embodiments. The drawings serve only to illustrate the preferred embodiments and are not to be regarded as limiting the invention. Throughout the drawings, the same reference numerals denote the same parts. In the drawings:
Fig. 1 shows a flowchart of a flow control method based on a virtual WAF provided by an embodiment of the invention;
Fig. 2 shows a flowchart of another flow control method based on a virtual WAF provided by an embodiment of the invention;
Fig. 3 shows a flowchart of another flow control method based on a virtual WAF provided by an embodiment of the invention;
Fig. 4 shows a block diagram of a flow control apparatus based on a virtual WAF provided by an embodiment of the invention;
Fig. 5 shows a block diagram of another flow control apparatus based on a virtual WAF provided by an embodiment of the invention;
Fig. 6 shows a block diagram of another flow control apparatus based on a virtual WAF provided by an embodiment of the invention;
Fig. 7 shows a block diagram of another flow control apparatus based on a virtual WAF provided by an embodiment of the invention;
Fig. 8 shows a schematic structural diagram of a flow control system based on a virtual WAF provided by an embodiment of the invention.
Detailed description
Exemplary embodiments of the disclosure are described in more detail below with reference to the drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure can be understood more thoroughly and so that its scope can be fully conveyed to those skilled in the art.
To prevent the virtual WAF from being paralyzed by excessive client data traffic, an embodiment of the invention provides a flow control method based on a virtual WAF. The method is mainly applied on the virtual WAF side and, as shown in Fig. 1, mainly includes:
101. While filtering the data traffic sent by clients with the virtual WAF, generate a cloud open command according to a cloud open trigger condition.
The cloud open trigger condition may be triggered manually by an administrator or automatically by the virtual WAF; the specific trigger mode is not limited here. Whether it is triggered manually by an administrator or automatically by the virtual WAF, the purpose of triggering cloud opening is mainly to reduce the current load on the virtual WAF and prevent the system from being paralyzed by an excessive traffic load.
In addition, the cloud open command carries a traffic traction policy. In practice the traffic traction policy may be: pull all data traffic sent by clients to the website cloud security control platform; or: pull part of the data traffic sent by clients to the website cloud security control platform according to a preset traction rule.
Note that a host machine may contain only a virtual WAF and a virtual website server, or one virtual WAF and multiple virtual website servers, or multiple virtual WAFs and multiple virtual website servers. It follows that the virtual WAF in the embodiments of the invention may serve only one virtual website server or several.
102. According to the cloud open command, open the website cloud security control platform by calling the interface of the embedded management interface of the website cloud security control platform.
Because the management interface of the website cloud security control platform is embedded in the virtual WAF, the virtual WAF can turn the website cloud security control platform on or off by calling the interface of the embedded management interface, and so control the website cloud security control platform indirectly. When the virtual WAF generates the cloud open command, it knows that it now has a traffic traction requirement. It therefore calls the interface of the embedded management interface to open the website cloud security control platform, so that the platform shares the data traffic with the virtual WAF and reduces its burden.
103. Send the traffic traction policy to the domain name resolution server through the host machine of the virtual WAF, so that the domain name resolution server pulls the data traffic sent by clients to the website cloud security control platform for filtering.
After the website cloud security control platform has been opened, the virtual WAF can send the traffic traction policy to the domain name resolution server through its own host machine, so that the domain name resolution server pulls data traffic to the website cloud security control platform for filtering and the virtual WAF's own burden is reduced. Specific ways for the virtual WAF to send the traffic traction policy to the domain name resolution server through the host machine include but are not limited to: the virtual WAF sends the traffic traction policy through its own virtual network card to the physical network card of the host machine, and the host machine then sends the traffic traction policy to the domain name resolution server through the physical network card.
The flow control method based on a virtual WAF provided by this embodiment embeds the management interface of the website cloud security control platform in the virtual WAF. While the virtual WAF is filtering the data traffic sent by clients, it can, according to actual need (for example, when the virtual WAF's load exceeds a threshold), open the website cloud security control platform by calling the interface of the embedded management interface and notify the domain name resolution server through the host machine to carry out the traffic traction operation. The website cloud security control platform then shares the data traffic with the virtual WAF and performs security filtering on it, so that the data traffic the virtual WAF has to filter does not exceed its load capacity, which avoids the virtual WAF being paralyzed by excessive data traffic.
Further, based on the method shown in Fig. 1, another embodiment of the invention provides a flow control method based on a virtual WAF that can be applied on the virtual WAF side. As shown in Fig. 2, the method mainly includes:
201. While filtering the data traffic sent by clients with the virtual WAF, generate a cloud open command according to a cloud open trigger condition.
As mentioned in step 101 of the embodiment above, the cloud open trigger condition may be triggered manually or automatically by the virtual WAF.
If it is triggered manually, this step may be implemented as follows: after input operation information indicating that the website cloud security control platform should be opened is received, generate the cloud open command.
Specifically, an operating area for switching the website cloud security control platform on and off can be added to the management platform of the virtual WAF, so that an administrator triggers generation of the cloud open command by operating in that area.
If it is triggered automatically by the virtual WAF, this step may be implemented as follows: detect whether the virtual WAF's current resource occupancy rate has reached a preset threshold, and generate the cloud open command when the resource occupancy rate reaches the preset threshold.
The preset threshold may be the maximum processing range the virtual WAF can bear while all aspects of system performance remain good. The resources of the virtual WAF include CPU, memory, etc. The resource occupancy rate may be the occupancy rate of any one of these resources, or the combined occupancy rate of any several of them. It should be added that the resources of the virtual WAF are actually allocated to it by the host machine, so when the virtual WAF's resource occupancy rate increases, the host machine's resource occupancy rate increases as well.
202. According to the cloud open command, open the website cloud security control platform by calling the interface of the embedded management interface of the website cloud security control platform.
This step is implemented in the same way as step 102 above and is not described again here.
203. Send the traffic traction policy to the domain name resolution server through the host machine of the virtual WAF, so that the domain name resolution server pulls the data traffic sent by clients to the website cloud security control platform for filtering.
The website cloud security control platform filters data traffic mainly at the general security level, whereas the virtual WAF can filter data traffic at the business security level as well as at the general security level, so the virtual WAF filters at a finer granularity. Therefore, after data traffic has been pulled to the website cloud security control platform for filtering, and in order to further ensure the security of the data traffic at the business security level, the virtual WAF can also receive, through the host machine, the filtered data traffic sent by the website cloud security control platform and filter the received data traffic a second time.
Filtering at the general security level mainly means filtering general attacks such as DDoS, CC and amplification attacks. Filtering at the business security level mainly follows filtering rules set according to the business requirements specified for the website server; for example, a certain URL (Uniform Resource Locator) of the website may be accessed only from certain IP (Internet Protocol) addresses, and other IP addresses are forbidden from accessing it.
204. Generate a cloud close command according to a cloud close trigger condition.
A website is not under attack at every moment, so the data traffic that clients send to the virtual WAF is not always that large. And because enterprises usually prefer to use the virtual WAF for security protection, after the website cloud security control platform has been opened by calling the interface of its embedded management interface, the platform can be closed once the data traffic sent by clients has fallen substantially, so that the virtual WAF continues to filter the data traffic.
As with the cloud open trigger condition, the cloud close trigger condition may be triggered by an administrator or automatically by the virtual WAF.
If it is triggered manually, this step may be implemented as follows: after input operation information indicating that the website cloud security control platform should be closed is received, generate the cloud close command.
If it is triggered automatically by the virtual WAF, this step may be implemented as follows: generate the cloud close command according to the data traffic processing information fed back by the website cloud security control platform and/or the virtual WAF's current resource occupancy rate.
Specifically, if the domain name resolution server pulls all data traffic to the website cloud security control platform, then afterwards the website cloud security control platform can detect, in real time or at intervals, the number of data requests it has to process within a preset period (such as one second) and feed that number back to the virtual WAF, so that the virtual WAF can judge from that number and its current resource occupancy rate whether the website cloud security control platform needs to be closed.
If only the data traffic beyond the preset threshold is pulled to the website cloud security control platform, then afterwards the virtual WAF can detect its own resource occupancy rate in real time. When the resource occupancy rate is below the preset threshold, there is no longer any excess data traffic that needs to be pulled to the website cloud security control platform, so the platform can be closed.
205. According to the cloud close command, close the website cloud security control platform by calling the interface of the embedded management interface of the website cloud security control platform.
206. Send a traffic traction stop instruction to the domain name resolution server through the host machine, so that the domain name resolution server stops pulling the data traffic sent by clients to the website cloud security control platform for filtering.
After the website cloud security control platform has been closed by calling the interface of its embedded management interface, the domain name resolution server can be notified through the host machine to stop pulling data traffic to the website cloud security control platform and to pull all data traffic to the virtual WAF.
With the flow control method based on a virtual WAF provided by this embodiment, when the data traffic that clients send to the virtual WAF is excessive, the virtual WAF can open the website cloud security control platform by calling the interface of the embedded management interface so that the platform shares the data traffic with the virtual WAF. In addition, when the data traffic that clients send to the virtual WAF has fallen substantially, the virtual WAF can close the website cloud security control platform by calling the same interface, restoring the virtual WAF's role of filtering all data traffic with priority.
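Steps 201 to 206 with the automatic trigger, as an added Python sketch that is not part of the patent. The class names, the `capacity_rps` figure, the use of max(CPU, memory) as the occupancy rate and the `calm_samples` debounce are assumptions, and the platform and DNS objects are stand-ins for the embedded management interface and the host-machine channel.

```python
from dataclasses import dataclass
from enum import Enum


class Scope(Enum):
    ALL = "all"          # pull all client traffic to the cloud platform
    PARTIAL = "partial"  # pull only part of it, per a preset traction rule


@dataclass(frozen=True)
class TractionPolicy:
    scope: Scope
    cloud_share: float = 1.0  # share pulled to the cloud when scope is PARTIAL


@dataclass(frozen=True)
class CloudOpenCommand:
    policy: TractionPolicy  # the cloud open command carries the policy


class CloudPlatformApi:
    """Hypothetical stand-in for the embedded management interface."""
    def __init__(self):
        self.enabled = False

    def open(self):
        self.enabled = True

    def close(self):
        self.enabled = False


class DnsChannel:
    """Hypothetical stand-in for 'via the host machine to the DNS server'."""
    def __init__(self):
        self.sent = []

    def send_policy(self, policy):
        self.sent.append(("policy", policy))

    def send_stop(self):
        self.sent.append(("stop", None))


class VirtualWafController:
    def __init__(self, platform, dns, policy, threshold=0.80,
                 capacity_rps=1000, calm_samples=3):
        self.platform, self.dns, self.policy = platform, dns, policy
        self.threshold = threshold        # preset resource-occupancy threshold
        self.capacity_rps = capacity_rps  # assumed: requests/s the WAF can filter
        self.calm_samples = calm_samples  # assumed debounce, not in the patent
        self.cloud_open = False
        self._calm = 0

    def sample(self, cpu, mem, cloud_rps=None):
        """Handle one monitoring sample; return 'open', 'close' or None."""
        load = max(cpu, mem)  # assumed way of combining the resources
        if not self.cloud_open:
            if load < self.threshold:
                return None
            cmd = CloudOpenCommand(self.policy)   # step 201
            self.platform.open()                  # step 202
            self.dns.send_policy(cmd.policy)      # step 203
            self.cloud_open, self._calm = True, 0
            return "open"
        calm = load < self.threshold              # step 204, WAF-side signal
        if self.policy.scope is Scope.ALL:
            # All traffic is in the cloud, so local load alone says nothing:
            # also require the platform's reported request rate to fit the WAF.
            calm = (calm and cloud_rps is not None
                    and cloud_rps <= self.capacity_rps)
        self._calm = self._calm + 1 if calm else 0
        if self._calm < self.calm_samples:
            return None
        self.platform.close()                     # step 205
        self.dns.send_stop()                      # step 206
        self.cloud_open = False
        return "close"


def replay(samples, policy=TractionPolicy(Scope.ALL)):
    """Run constructed (cpu, mem, cloud_rps) samples; return controller, events."""
    ctl = VirtualWafController(CloudPlatformApi(), DnsChannel(), policy)
    return ctl, [ctl.sample(*s) for s in samples]


# Constructed monitoring series: an attack, then traffic subsiding.
SAMPLES = [(0.40, 0.35, None), (0.85, 0.50, None), (0.20, 0.30, 5000),
           (0.20, 0.30, 800), (0.25, 0.30, 700), (0.22, 0.30, 600)]

if __name__ == "__main__":
    print(replay(SAMPLES)[1])
```

The third sample shows why the all-traffic case needs the platform's feedback: the virtual WAF looks idle because it no longer sees the traffic, yet the reported request rate is still far above what it could filter.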
Further, based on the method shown in Fig. 1, another embodiment of the invention provides a flow control method based on a virtual WAF that can be applied on the domain name resolution server side. As shown in Fig. 3, the method mainly includes:
301. Receive the traffic traction policy sent by the virtual WAF.
The traffic traction policy is generated when the virtual WAF generates the cloud open command that instructs opening of the website cloud security control platform; the management interface of the website cloud security control platform is embedded in the virtual WAF.
The traffic traction policy may be to pull all data traffic sent by clients to the website cloud security control platform, or to pull part of the data traffic sent by clients to the website cloud security control platform according to a preset traction rule.
Specific implementations of pulling part of the data traffic sent by clients to the website cloud security control platform according to a preset traction rule include but are not limited to the following two:
(1) If the virtual WAF's current resource occupancy rate exceeds the preset threshold, the data traffic beyond the preset threshold can be pulled to the website cloud security control platform for filtering; that is, the virtual WAF filters the data traffic up to the preset threshold and the website cloud security control platform filters the remaining data traffic.
The preset threshold may be the maximum processing range the virtual WAF can bear while all aspects of system performance remain good. The resources of the virtual WAF include CPU, memory, etc. The resource occupancy rate may be the occupancy rate of any one of these resources, or the combined occupancy rate of any several of them.
(2) Pull a preset proportion of the data traffic to the website cloud security control platform. The preset proportion is a ratio, calculated from practical experience, that will not overload the virtual WAF. For example, 70% of the data traffic is pulled to the website cloud security control platform and the remaining 30% is still filtered by the virtual WAF.
302. Pull the data traffic sent by clients to the website cloud security control platform for filtering according to the traffic traction policy.
With the flow control method based on a virtual WAF provided by this embodiment, after the virtual WAF has opened the website cloud security control platform by calling the interface of the embedded management interface, the virtual WAF sends the traffic traction policy to the domain name resolution server through the host machine, and the domain name resolution server pulls data traffic to the website cloud security control platform according to that policy. The website cloud security control platform then shares the data traffic with the virtual WAF and performs security filtering on it, so that the data traffic the virtual WAF has to filter does not exceed its load capacity, which avoids the virtual WAF being paralyzed by excessive data traffic.
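Steps 301 and 302 on the domain name resolution server, as an added Python sketch that is not part of the patent. It assumes the server steers traffic by choosing which address to return for each query; the two addresses, the per-window answer budget used for rule (1) and the hash-bucket split used for rule (2) are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

WAF_ADDR = "192.0.2.10"       # constructed address of the virtual WAF
CLOUD_ADDR = "198.51.100.20"  # constructed address of the cloud platform


@dataclass(frozen=True)
class Policy:
    kind: str           # "all", "overflow" (rule 1) or "proportion" (rule 2)
    share: float = 0.0  # cloud share for "proportion", e.g. 0.70
    limit: int = 0      # answers per window left to the WAF for "overflow"

    def __post_init__(self):
        if self.kind not in ("all", "overflow", "proportion"):
            raise ValueError(f"unknown policy kind: {self.kind!r}")
        if not 0.0 <= self.share <= 1.0 or self.limit < 0:
            raise ValueError("share must be in [0, 1] and limit >= 0")


class TractionResolver:
    def __init__(self):
        self.policy = None  # None: no traction, every answer is the WAF
        self._answered = 0  # WAF-bound answers given in the current window

    def receive_policy(self, policy):  # step 301
        self.policy, self._answered = policy, 0

    def receive_stop(self):            # traffic traction stop instruction
        self.policy = None

    def new_window(self):
        """Start a new counting window for the overflow rule."""
        self._answered = 0

    def resolve(self, client_ip):      # step 302
        p = self.policy
        if p is None:
            return WAF_ADDR
        if p.kind == "all":
            return CLOUD_ADDR
        if p.kind == "overflow":
            # The WAF keeps traffic up to its budget; the excess goes to the cloud.
            if self._answered < p.limit:
                self._answered += 1
                return WAF_ADDR
            return CLOUD_ADDR
        # "proportion": a stable hash bucket per client, so one client is not
        # bounced between the WAF and the cloud from query to query.
        digest = hashlib.sha256(client_ip.encode()).digest()
        bucket = int.from_bytes(digest[:4], "big") % 100
        return CLOUD_ADDR if bucket < round(p.share * 100) else WAF_ADDR


def cloud_fraction(resolver, clients):
    """Fraction of the given clients that are answered with the cloud address."""
    answers = [resolver.resolve(c) for c in clients]
    return answers.count(CLOUD_ADDR) / len(answers)


# Constructed client population: 10.0.0.1 .. 10.0.7.250
CLIENTS = [f"10.0.{i // 250}.{i % 250 + 1}" for i in range(2000)]

if __name__ == "__main__":
    r = TractionResolver()
    r.receive_policy(Policy("proportion", share=0.70))
    print(f"cloud share: {cloud_fraction(r, CLIENTS):.2f}")
```

Because resolvers and clients cache DNS answers, a policy or stop instruction applied this way takes effect only as cached records expire, so the record TTL bounds how quickly traffic actually moves.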
Further, referring to the embodiment shown in Fig. 2, for the sake of data security an enterprise usually gives priority to the virtual WAF for security protection. So when data traffic drops substantially, the virtual WAF can close the website cloud security control platform and send a traffic traction stop instruction to the domain name resolution server through the host. Therefore, after drawing the data traffic sent by the client to the website cloud security control platform for filtering according to the traffic traction policy, the domain name resolution server can also receive the traffic traction stop instruction sent by the virtual WAF through the host, and stop drawing the data traffic sent by the client to the website cloud security control platform for filtering.
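The control flow described above, from the trigger on the virtual WAF side through DNS-side traction to the stop instruction, as an added Python sketch that is not part of the patent. The addresses, class and function names, the hash-based split, the use of the busiest resource as the combined occupancy and the close rule built on cloud feedback are all assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed documentation addresses (RFC 5737), not values from the patent.
WAF_ADDR = "192.0.2.10"       # path filtered by the virtual WAF
CLOUD_ADDR = "198.51.100.20"  # website cloud security control platform


@dataclass(frozen=True)
class TractionPolicy:
    """Policy carried in the cloud open instruction: share of traffic to draw."""
    ratio: float  # 1.0 = all data traffic, 0.7 = the page's 70%/30% example

    def __post_init__(self):
        if not 0.0 < self.ratio <= 1.0:
            raise ValueError("ratio must be in (0, 1]")


class DomainNameResolver:
    """Domain name resolution server side: applies or stops traction."""

    def __init__(self) -> None:
        self.policy: Optional[TractionPolicy] = None

    def receive_policy(self, policy: TractionPolicy) -> None:
        self.policy = policy

    def receive_stop(self) -> None:
        self.policy = None

    def resolve(self, source_ip: str) -> str:
        """Answer a lookup of the protected site's name for one querying source."""
        if self.policy is None:
            return WAF_ADDR
        # Stable bucket in [0, 1) per source, so one source is not bounced
        # between the two filtering paths on successive lookups.
        digest = hashlib.sha256(source_ip.encode()).digest()
        bucket = int.from_bytes(digest[:4], "big") / 2**32
        return CLOUD_ADDR if bucket < self.policy.ratio else WAF_ADDR


class VirtualWAF:
    """Virtual WAF side: generates the cloud open and cloud close instructions."""

    def __init__(self, resolver: DomainNameResolver,
                 threshold: float = 0.80, ratio: float = 0.70) -> None:
        self.resolver = resolver
        self.threshold = threshold  # preset resource-occupancy threshold (assumed value)
        self.ratio = ratio          # preset ratio of traffic to draw
        self.cloud_open = False

    def tick(self, cpu: float, mem: float, cloud_feedback: float = 0.0,
             operator: Optional[str] = None) -> str:
        """One control step; returns "open", "close" or "hold".

        cloud_feedback is the load the cloud platform reports it is absorbing,
        expressed as a fraction of WAF capacity (assumed unit).
        """
        load = max(cpu, mem)  # assumption: combined occupancy = busiest resource
        if not self.cloud_open:
            if operator == "open" or load >= self.threshold:
                self.cloud_open = True  # stands in for the embedded admin interface call
                self.resolver.receive_policy(TractionPolicy(self.ratio))
                return "open"
        elif operator == "close" or load + cloud_feedback < self.threshold:
            # The WAF's own occupancy falls as soon as traffic is drawn away, so
            # closing on it alone would flap. Estimate the load if all traffic
            # came back by adding what the cloud platform reports.
            self.cloud_open = False
            self.resolver.receive_stop()
            return "close"
        return "hold"


def cloud_share(resolver: DomainNameResolver, sources) -> float:
    """Fraction of the given sources currently answered with the cloud address."""
    return sum(resolver.resolve(s) == CLOUD_ADDR for s in sources) / len(sources)


# Constructed sample of querying sources.
SOURCES = [f"10.{i // 256}.{i % 256}.7" for i in range(4000)]

if __name__ == "__main__":
    dns = DomainNameResolver()
    waf = VirtualWAF(dns)
    for cpu, mem, fb in [(0.5, 0.4, 0.0), (0.9, 0.5, 0.0), (0.3, 0.3, 0.6), (0.2, 0.2, 0.3)]:
        print(waf.tick(cpu, mem, cloud_feedback=fb), round(cloud_share(dns, SOURCES), 3))
```

Because traction is applied at name resolution, a client holding a cached answer keeps its previous path until the record's TTL expires, so both the open and the stop take effect gradually.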
Further, according to the method shown in Fig. 1 or Fig. 2, another embodiment of the present invention also provides a flow control apparatus based on a virtual WAF. The apparatus can be applied on the virtual WAF side and, as shown in Fig. 4, mainly includes: a generating unit 41, an opening unit 42 and a sending unit 43. Wherein,
the generating unit 41 is configured to generate a cloud open instruction according to a cloud open trigger condition while the virtual web application firewall (WAF) is filtering the data traffic sent by a client, the cloud open instruction carrying a traffic traction policy;
the opening unit 42 is configured to open the website cloud security control platform, according to the cloud open instruction generated by the generating unit 31, by calling the interface of the embedded administration interface of the website cloud security control platform;
the sending unit 43 is configured to send the traffic traction policy to the domain name resolution server through the host of the virtual WAF, so that the domain name resolution server draws the data traffic sent by the client to the website cloud security control platform for filtering.
Optionally, as shown in Fig. 5, the generating unit 41 includes:
a first generating module 411, configured to generate the cloud open instruction after receiving input operation information indicating that the website cloud security control platform is to be opened;
a detection module 412, configured to detect whether the current resource occupancy rate of the virtual WAF reaches a preset threshold;
The preset threshold may be the maximum processing range that the virtual WAF can bear while every aspect of the system's performance remains good. The resources of the virtual WAF include CPU, memory and the like. The resource occupancy rate may be the occupancy rate of any one of these resources, or the combined occupancy rate of any several of them.
a second generating module 413, configured to generate the cloud open instruction when the detection result of the detection module 412 is that the resource occupancy rate reaches the preset threshold.
Optionally, as shown in Fig. 5, the apparatus also includes:
a receiving unit 44, configured to receive, through the host, the filtered data traffic sent by the website cloud security control platform, after the domain name resolution server has drawn the data traffic sent by the client to the website cloud security control platform for filtering;
a filtering unit 45, configured to perform secondary filtering on the data traffic received by the receiving unit 44.
Optionally, the generating unit 41 is also configured to generate a cloud close instruction according to a cloud close trigger condition, after the domain name resolution server has drawn the data traffic sent by the client to the website cloud security control platform for filtering;
As shown in Fig. 5, a closing unit 46 is configured to close the website cloud security control platform, according to the cloud close instruction generated by the generating unit 41, by calling the interface of the embedded administration interface of the website cloud security control platform.
The sending unit 43 is also configured to send a traffic traction stop instruction to the domain name resolution server through the host, so that the domain name resolution server stops drawing the data traffic sent by the client to the website cloud security control platform for filtering.
Optionally, as shown in Fig. 5, the generating unit 41 also includes:
a third generating module 414, configured to generate the cloud close instruction after receiving input operation information indicating that the website cloud security control platform is to be closed;
a fourth generating module 415, configured to generate the cloud close instruction according to the data traffic processing information fed back by the website cloud security control platform and/or the current resource occupancy rate of the virtual WAF.
Optionally, the traffic traction policy includes:
drawing all data traffic sent by the client to the website cloud security control platform;
or, according to a preset traction rule, drawing part of the data traffic sent by the client to the website cloud security control platform.
With the flow control apparatus based on a virtual WAF provided in this embodiment of the present invention, the administration interface of the website cloud security control platform can be embedded in the virtual WAF. While the virtual WAF is filtering the data traffic sent by the client, the website cloud security control platform can be opened according to actual needs (for example, when the load on the virtual WAF exceeds a threshold) by calling the interface of the embedded administration interface of the website cloud security control platform, and the domain name resolution server is notified through the host to perform the traffic traction operation. The website cloud security control platform thus shares the data traffic of the virtual WAF and performs security filtering on it, so that the data traffic the virtual WAF needs to filter does not exceed its load capacity, which prevents the virtual WAF from being paralyzed by excessive data traffic. In addition, when the data traffic sent by the client to the virtual WAF drops substantially, the website cloud security control platform is closed by calling the interface of the embedded administration interface of the website cloud security control platform, which restores the virtual WAF's function of filtering all data traffic with priority.
Further, according to the method shown in Fig. 3, another embodiment of the present invention also provides a flow control apparatus based on a virtual WAF. The apparatus is applied on the domain name resolution server side and, as shown in Fig. 6, mainly includes: a receiving unit 51 and a traction unit 52. Wherein,
the receiving unit 51 is configured to receive the traffic traction policy sent by the virtual web application firewall (WAF), the traffic traction policy being generated when the virtual WAF generates the cloud open instruction indicating that the website cloud security control platform is to be opened, and the administration interface of the website cloud security control platform being embedded in the virtual WAF;
the traction unit 52 is configured to draw the data traffic sent by the client to the website cloud security control platform for filtering, according to the traffic traction policy received by the receiving unit 51.
Optionally, as shown in Fig. 7, the traction unit 52 includes:
a first traction module 521, configured to draw all data traffic sent by the client to the website cloud security control platform;
a second traction module 522, configured to draw part of the data traffic sent by the client to the website cloud security control platform according to a preset traction rule.
Optionally, the receiving unit 51 is also configured to receive the traffic traction stop instruction sent by the virtual WAF through the host, after the data traffic sent by the client has been drawn to the website cloud security control platform for filtering according to the traffic traction policy;
As shown in Fig. 7, the apparatus also includes:
a stopping unit 53, configured to stop drawing the data traffic sent by the client to the website cloud security control platform for filtering.
With the flow control apparatus based on a virtual WAF provided in this embodiment of the present invention, after the virtual WAF opens the website cloud security control platform by calling the interface of the embedded administration interface of the website cloud security control platform, the virtual WAF sends a traffic traction policy to the domain name resolution server through the host, and the domain name resolution server draws data traffic to the website cloud security control platform according to the traffic traction policy. The website cloud security control platform thus shares the data traffic of the virtual WAF and performs security filtering on it, so that the data traffic the virtual WAF needs to filter does not exceed its load capacity, which prevents the virtual WAF from being paralyzed by excessive data traffic.
Further, according to the above apparatus embodiments, another embodiment of the present invention also provides a flow control system based on a virtual WAF. As shown in Fig. 8, the system includes a virtual WAF 61 and a domain name resolution server 62, wherein the virtual WAF 61 includes the apparatus shown in Fig. 4 or Fig. 5, and the domain name resolution server 62 includes the apparatus shown in Fig. 6 or Fig. 7.
With the flow control system based on a virtual WAF provided in this embodiment of the present invention, the administration interface of the website cloud security control platform can be embedded in the virtual WAF. While the virtual WAF is filtering the data traffic sent by the client, the website cloud security control platform can be opened according to actual needs (for example, when the load on the virtual WAF exceeds a threshold) by calling the interface of the embedded administration interface of the website cloud security control platform, and the domain name resolution server is notified through the host to perform the traffic traction operation. The website cloud security control platform thus shares the data traffic of the virtual WAF and performs security filtering on it, so that the data traffic the virtual WAF needs to filter does not exceed its load capacity, which prevents the virtual WAF from being paralyzed by excessive data traffic.
The embodiments of the present invention also disclose:
A1. A flow control method based on a virtual WAF, the method being applied on the virtual WAF side, the method including:
while the virtual web application firewall (WAF) is filtering the data traffic sent by a client, generating a cloud open instruction according to a cloud open trigger condition, the cloud open instruction carrying a traffic traction policy;
according to the cloud open instruction, opening the website cloud security control platform by calling the interface of the embedded administration interface of the website cloud security control platform;
sending the traffic traction policy to the domain name resolution server through the host of the virtual WAF, so that the domain name resolution server draws the data traffic sent by the client to the website cloud security control platform for filtering.
A2. The method according to A1, wherein generating the cloud open instruction according to the cloud open trigger condition includes:
generating the cloud open instruction after receiving input operation information indicating that the website cloud security control platform is to be opened;
or, detecting whether the current resource occupancy rate of the virtual WAF reaches a preset threshold, and generating the cloud open instruction when the resource occupancy rate reaches the preset threshold.
A3. The method according to A1, wherein after the domain name resolution server draws the data traffic sent by the client to the website cloud security control platform for filtering, the method also includes:
receiving, through the host, the filtered data traffic sent by the website cloud security control platform;
performing secondary filtering on the received data traffic.
A4. The method according to A1, wherein after the domain name resolution server draws the data traffic sent by the client to the website cloud security control platform for filtering, the method also includes:
generating a cloud close instruction according to a cloud close trigger condition;
according to the cloud close instruction, closing the website cloud security control platform by calling the interface of the embedded administration interface of the website cloud security control platform;
sending a traffic traction stop instruction to the domain name resolution server through the host, so that the domain name resolution server stops drawing the data traffic sent by the client to the website cloud security control platform for filtering.
A5. The method according to A4, wherein generating the cloud close instruction according to the cloud close trigger condition includes:
generating the cloud close instruction after receiving input operation information indicating that the website cloud security control platform is to be closed;
or, generating the cloud close instruction according to the data traffic processing information fed back by the website cloud security control platform and/or the current resource occupancy rate of the virtual WAF.
A6. The method according to any one of A1 to A5, wherein the traffic traction policy includes:
drawing all data traffic sent by the client to the website cloud security control platform;
or, according to a preset traction rule, drawing part of the data traffic sent by the client to the website cloud security control platform.
B7. A flow control method based on a virtual WAF, the method being applied on the domain name resolution server side, the method including:
receiving the traffic traction policy sent by the virtual web application firewall (WAF), the traffic traction policy being generated when the virtual WAF generates the cloud open instruction indicating that the website cloud security control platform is to be opened, and the administration interface of the website cloud security control platform being embedded in the virtual WAF;
according to the traffic traction policy, drawing the data traffic sent by the client to the website cloud security control platform for filtering.
B8. The method according to B7, wherein drawing the data traffic sent by the client to the website cloud security control platform for filtering according to the traffic traction policy includes:
drawing all data traffic sent by the client to the website cloud security control platform;
or, according to a preset traction rule, drawing part of the data traffic sent by the client to the website cloud security control platform.
B9. The method according to B7 or B8, wherein after the data traffic sent by the client is drawn to the website cloud security control platform for filtering according to the traffic traction policy, the method also includes:
receiving the traffic traction stop instruction sent by the virtual WAF through the host;
stopping drawing the data traffic sent by the client to the website cloud security control platform for filtering.
C10. A flow control apparatus based on a virtual WAF, the apparatus being applied on the virtual WAF side, the apparatus including:
a generating unit, configured to generate a cloud open instruction according to a cloud open trigger condition while the virtual web application firewall (WAF) is filtering the data traffic sent by a client, the cloud open instruction carrying a traffic traction policy;
an opening unit, configured to open the website cloud security control platform, according to the cloud open instruction generated by the generating unit, by calling the interface of the embedded administration interface of the website cloud security control platform;
a sending unit, configured to send the traffic traction policy to the domain name resolution server through the host of the virtual WAF, so that the domain name resolution server draws the data traffic sent by the client to the website cloud security control platform for filtering.
C11. The apparatus according to C10, wherein the generating unit includes:
a first generating module, configured to generate the cloud open instruction after receiving input operation information indicating that the website cloud security control platform is to be opened;
a detection module, configured to detect whether the current resource occupancy rate of the virtual WAF reaches a preset threshold;
a second generating module, configured to generate the cloud open instruction when the detection result of the detection module is that the resource occupancy rate reaches the preset threshold.
C12. The apparatus according to C10, the apparatus also including:
a receiving unit, configured to receive, through the host, the filtered data traffic sent by the website cloud security control platform, after the domain name resolution server has drawn the data traffic sent by the client to the website cloud security control platform for filtering;
a filtering unit, configured to perform secondary filtering on the data traffic received by the receiving unit.
C13. The apparatus according to C10, wherein the generating unit is also configured to generate a cloud close instruction according to a cloud close trigger condition, after the domain name resolution server has drawn the data traffic sent by the client to the website cloud security control platform for filtering;
a closing unit, configured to close the website cloud security control platform, according to the cloud close instruction generated by the generating unit, by calling the interface of the embedded administration interface of the website cloud security control platform;
the sending unit is also configured to send a traffic traction stop instruction to the domain name resolution server through the host, so that the domain name resolution server stops drawing the data traffic sent by the client to the website cloud security control platform for filtering.
C14. The apparatus according to C13, wherein the generating unit also includes:
a third generating module, configured to generate the cloud close instruction after receiving input operation information indicating that the website cloud security control platform is to be closed;
a fourth generating module, configured to generate the cloud close instruction according to the data traffic processing information fed back by the website cloud security control platform and/or the current resource occupancy rate of the virtual WAF.
C15. The apparatus according to any one of C10 to C14, wherein the traffic traction policy includes:
drawing all data traffic sent by the client to the website cloud security control platform;
or, according to a preset traction rule, drawing part of the data traffic sent by the client to the website cloud security control platform.
D16. A flow control apparatus based on a virtual WAF, the apparatus being applied on the domain name resolution server side, the apparatus including:
a receiving unit, configured to receive the traffic traction policy sent by the virtual web application firewall (WAF), the traffic traction policy being generated when the virtual WAF generates the cloud open instruction indicating that the website cloud security control platform is to be opened, and the administration interface of the website cloud security control platform being embedded in the virtual WAF;
a traction unit, configured to draw the data traffic sent by the client to the website cloud security control platform for filtering, according to the traffic traction policy received by the receiving unit.
D17. The apparatus according to D16, wherein the traction unit includes:
a first traction module, configured to draw all data traffic sent by the client to the website cloud security control platform;
a second traction module, configured to draw part of the data traffic sent by the client to the website cloud security control platform according to a preset traction rule.
D18. The apparatus according to D16 or D17, wherein the receiving unit is also configured to receive the traffic traction stop instruction sent by the virtual WAF through the host, after the data traffic sent by the client has been drawn to the website cloud security control platform for filtering according to the traffic traction policy;
the apparatus also includes:
a stopping unit, configured to stop drawing the data traffic sent by the client to the website cloud security control platform for filtering.
E19. A flow control system based on a virtual WAF, the system including a virtual web application firewall (WAF) and a domain name resolution server, wherein the virtual WAF includes the apparatus according to any one of C10 to C15, and the domain name resolution server includes the apparatus according to any one of D16 to D18.
It can be understood that related features of the above method, apparatus and system may refer to one another. In addition, "first", "second" and the like in the above embodiments are used to distinguish the embodiments and do not represent the relative merits of the embodiments.
Those skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the system, apparatus and units described above may refer to the corresponding processes in the foregoing method embodiments, and are not repeated here.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other device. Various general-purpose systems may also be used with the teachings herein. From the above description, the structure required to construct such a system is obvious. Moreover, the present invention is not directed at any particular programming language. It should be understood that the content of the invention described herein may be implemented in various programming languages, and that the above description of a specific language is made to disclose the best mode of the present invention.
In the description provided herein, numerous specific details are set forth. However, it is to be understood that embodiments of the present invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail, so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid understanding of one or more of the inventive aspects, in the above description of exemplary embodiments of the present invention the features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof. However, the disclosed method should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single embodiment disclosed above. Therefore, the claims following the detailed description are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the present invention.
Those skilled in the art will understand that the modules in the device of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. The modules or units or components in the embodiments may be combined into one module or unit or component, and may furthermore be divided into a plurality of sub-modules or sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings), and all processes or units of any method or device so disclosed, may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will understand that although some embodiments described herein include some features included in other embodiments but not others, combinations of features of different embodiments are meant to be within the scope of the present invention and to form different embodiments. For example, in the following claims, any one of the claimed embodiments may be used in any combination.
The component embodiments of the present invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or a digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the virtual WAF-based flow control method, apparatus and system according to embodiments of the present invention. The present invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the method described herein. Such a program implementing the present invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such a signal may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the present invention, and that those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference sign placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The present invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In a unit claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any order. These words may be interpreted as names.
Claims (10)
1. A flow control method based on a virtual WAF, the method being applied on the virtual WAF side, characterized in that the method includes:
while the virtual web application firewall (WAF) is filtering the data traffic sent by a client, generating a cloud open instruction according to a cloud open trigger condition, the cloud open instruction carrying a traffic traction policy;
according to the cloud open instruction, opening the website cloud security control platform by calling the interface of the embedded administration interface of the website cloud security control platform;
sending the traffic traction policy to the domain name resolution server through the host of the virtual WAF, so that the domain name resolution server draws the data traffic sent by the client to the website cloud security control platform for filtering.
2. The method according to claim 1, characterized in that generating the cloud open instruction according to the cloud open trigger condition includes:
generating the cloud open instruction after receiving input operation information indicating that the website cloud security control platform is to be opened;
or, detecting whether the current resource occupancy rate of the virtual WAF reaches a preset threshold, and generating the cloud open instruction when the resource occupancy rate reaches the preset threshold.
3. The method according to claim 1, characterized in that after the domain name resolution server draws the data traffic sent by the client to the website cloud security control platform for filtering, the method also includes:
receiving, through the host, the filtered data traffic sent by the website cloud security control platform;
performing secondary filtering on the received data traffic.
4. The method according to claim 1, characterized in that after the domain name resolution server draws the data traffic sent by the client to the website cloud security control platform for filtering, the method also includes:
generating a cloud close instruction according to a cloud close trigger condition;
according to the cloud close instruction, closing the website cloud security control platform by calling the interface of the embedded administration interface of the website cloud security control platform;
sending a traffic traction stop instruction to the domain name resolution server through the host, so that the domain name resolution server stops drawing the data traffic sent by the client to the website cloud security control platform for filtering.
5. The method according to claim 4, characterized in that generating the cloud close instruction according to the cloud close trigger condition includes:
generating the cloud close instruction after receiving input operation information indicating that the website cloud security control platform is to be closed;
or, generating the cloud close instruction according to the data traffic processing information fed back by the website cloud security control platform and/or the current resource occupancy rate of the virtual WAF.
6. The method according to any one of claims 1 to 5, characterized in that the traffic traction policy includes:
drawing all data traffic sent by the client to the website cloud security control platform;
or, according to a preset traction rule, drawing part of the data traffic sent by the client to the website cloud security control platform.
7. a kind of flow control methods based on virtual WAF, methods described are applied to domain name resolution server side, and its feature exists
In methods described includes:
The flow lead strategy that virtual web application firewall WAF sends is received, the flow lead strategy is the virtual WAF
Generate when generating for indicating and opening the cloud open command of website cloud security control platform, the website cloud security control platform
Administration interface be embedded in the virtual WAF;
The data traffic that client sends is drawn to website cloud security control platform according to the flow lead strategy was carried out
Filter.
8. a kind of volume control device based on virtual WAF, described device are applied to virtual WAF sides, it is characterised in that the dress
Put including:
Signal generating unit, for during the data traffic sent using virtual web application firewall WAF filtering client,
Trigger condition is opened according to cloud, cloud open command is generated, in the cloud open command, is carried flow lead strategy;
Opening unit, for the cloud open command generated according to the signal generating unit, by calling embedded website Yunan County
The interface of the administration interface of full control platform, opens the website cloud security control platform;
Transmitting element, for the flow lead strategy is sent to domain name resolution service by the host of the virtual WAF
Device, so that the data traffic that client sends is drawn to the website cloud security control platform by domain name resolution server
Row is filtered.
9. A flow control device based on a virtual WAF, the device being applied on the domain name resolution server side, characterized in that the device comprises:
a receiving unit, configured to receive a flow lead strategy sent by a virtual web application firewall (WAF), wherein the flow lead strategy is generated when the virtual WAF generates a cloud open command for instructing that a website cloud security control platform be opened, and the administration interface of the website cloud security control platform is embedded in the virtual WAF; and
a traction unit, configured to draw, according to the flow lead strategy received by the receiving unit, the data traffic sent by a client to the website cloud security control platform for filtering.
10. A flow control system based on a virtual WAF, characterized in that the system comprises a virtual web application firewall (WAF) and a domain name resolution server, wherein the virtual WAF comprises the device as claimed in claim 8, and the domain name resolution server comprises the device as claimed in claim 9.
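The interaction between the virtual WAF side (claim 8) and the domain name resolution server side (claims 7 and 9), as an added example that is not part of the patent text. The class names, the request-rate threshold used as the cloud open trigger condition, the sender-host check on the resolver and the documentation-range addresses are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class FlowLeadPolicy:
    """Flow lead strategy carried in the cloud open command."""
    domain: str
    cloud_target: str  # constructed address of the cloud platform's filtering node

class CloudPlatform:
    """Stand-in for the website cloud security control platform (hypothetical)."""
    def __init__(self):
        self.opened = set()
    def open(self, domain):
        self.opened.add(domain)

class DnsServer:
    """Domain name resolution server side (claims 7 and 9)."""
    def __init__(self, records, trusted_waf_hosts):
        self.records = dict(records)
        self.trusted = set(trusted_waf_hosts)
        self.policies = {}
    def receive_policy(self, sender_host, policy):
        # Assumption: accept a policy only from a known WAF host, for a served name.
        if sender_host not in self.trusted or policy.domain not in self.records:
            return False
        self.policies[policy.domain] = policy
        return True
    def resolve(self, domain):
        policy = self.policies.get(domain)
        return policy.cloud_target if policy else self.records[domain]

class VirtualWaf:
    """Virtual WAF side (claim 8); the rate threshold is an assumed trigger."""
    def __init__(self, host, domain, cloud, dns, cloud_target, max_rps):
        self.host, self.domain, self.cloud, self.dns = host, domain, cloud, dns
        self.cloud_target, self.max_rps = cloud_target, max_rps
    def filter(self, observed_rps):
        """Return where filtering happens for this load: 'local' or 'cloud'."""
        if observed_rps <= self.max_rps:
            return "local"
        policy = FlowLeadPolicy(self.domain, self.cloud_target)  # signal generating unit
        self.cloud.open(self.domain)                             # opening unit
        sent = self.dns.receive_policy(self.host, policy)        # transmitting unit
        return "cloud" if sent else "local"

if __name__ == "__main__":
    dns = DnsServer({"www.example.com": "192.0.2.10"}, {"hv-1"})
    waf = VirtualWaf("hv-1", "www.example.com", CloudPlatform(), dns, "198.51.100.20", 100)
    for rps in (50, 500):
        print(rps, waf.filter(rps), dns.resolve("www.example.com"))
```

Because the flow lead strategy changes what the resolver answers for the protected name, the resolver in this example refuses a policy from any host it does not recognize as the virtual WAF's host.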
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611118613.0A CN106534346B (en) | 2016-12-07 | 2016-12-07 | Flow control method, device and system based on virtual WAF |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106534346A (en) | 2017-03-22 |
CN106534346B (en) | 2019-12-10 |
Family
ID=58341962
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201611118613.0A Active CN106534346B (en) | 2016-12-07 | 2016-12-07 | Flow control method, device and system based on virtual WAF |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106534346B (en) |
Patent Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101212453A (en) * | 2006-12-29 | 2008-07-02 | 凹凸科技(中国)有限公司 | Network access control method and firewall device |
CN102420825A (en) * | 2011-11-30 | 2012-04-18 | 北京星网锐捷网络技术有限公司 | Network attack defense and detection method and system thereof |
CN103532866A (en) * | 2013-10-28 | 2014-01-22 | 曙光云计算技术有限公司 | Flow control method and system for virtual machine |
CN105100026A (en) * | 2014-05-22 | 2015-11-25 | 杭州华三通信技术有限公司 | Safe message forwarding method and safe message forwarding device |
CN104023035A (en) * | 2014-06-26 | 2014-09-03 | 浪潮电子信息产业股份有限公司 | Method for protecting flow among virtual machines in same security domain |
CN105656841A (en) * | 2014-11-11 | 2016-06-08 | 杭州华三通信技术有限公司 | Method and device for realizing virtual firewall in software defined network |
CN104917653A (en) * | 2015-06-26 | 2015-09-16 | 北京奇虎科技有限公司 | Virtual flow monitoring method based on cloud platform and device thereof |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107426252A (en) * | 2017-09-15 | 2017-12-01 | 北京百悟科技有限公司 | The method and apparatus that web application firewall services are provided |
CN107426252B (en) * | 2017-09-15 | 2019-10-25 | 北京百悟科技有限公司 | The method and apparatus of web application firewall service is provided |
CN107911375A (en) * | 2017-11-28 | 2018-04-13 | 四川长虹电器股份有限公司 | Operation system safety protecting method based on flow monitoring |
CN110781429A (en) * | 2019-09-24 | 2020-02-11 | 支付宝(杭州)信息技术有限公司 | Internet data detection method, device, equipment and computer readable storage medium |
CN116155838A (en) * | 2023-04-24 | 2023-05-23 | 远江盛邦(北京)网络安全科技股份有限公司 | Flow transparent transmission method and device and electronic equipment |
Also Published As
Publication number | Publication date |
---|---|
CN106534346B (en) | 2019-12-10 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | |
CB02 | Change of applicant information | Address after: 100088 Beijing city Xicheng District xinjiekouwai Street 28, block D room 112 (Desheng Park). Applicant after: BEIJING QIHOO TECHNOLOGY Co.,Ltd. Applicant after: QAX Technology Group Inc. Address before: 100088 Beijing city Xicheng District xinjiekouwai Street 28, block D room 112 (Desheng Park). Applicant before: BEIJING QIHOO TECHNOLOGY Co.,Ltd. Applicant before: BEIJING QIANXIN TECHNOLOGY Co.,Ltd. |
GR01 | Patent grant | |