CN107454096B - A kind of wrong report removing method based on log playback - Google Patents
Publication number: CN107454096B (application CN201710734958.7A). Authority: CN (China). Legal status: Active.
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H04L63/205—Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
- H04L63/1425—Traffic logging, e.g. anomaly detection
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/16—Threshold monitoring
- H04L43/50—Testing arrangements
Abstract
The present invention relates to network security technology and provides a false-positive (wrong report) elimination method based on log replay. The method comprises the steps of: dynamically generating a test sample library; after the security policy is updated, carrying out a replay test against the rule base; analysing the detection results of the new rules to obtain the false-alarm rate of the new rules over the test sample library; and comparing the obtained false-alarm rate with a false-alarm threshold to automatically configure whether the new rules are enabled. The invention can judge the applicability of a new security policy intelligently and efficiently, and can eliminate the false positives and the false blocking that enabling a new security policy would otherwise cause.
Description
Technical field
The present invention relates to technical field of network security, in particular to a kind of wrong report removing method based on log playback.
Background technique
As WEB applications have become widespread and rich in function, WEB servers, with their powerful computing capability, processing performance and the high-value content they hold, have increasingly become the primary attack target. Security incidents such as SQL injection, web page tampering and web page trojan implanting occur frequently. In practice, a firewall used as the first line of defence of a protection system still has various problems, and so the Web application firewall (WAF) emerged. A WAF is designed to solve the Web application security problems that traditional equipment such as a firewall cannot address.
Unlike a traditional firewall, a WAF works at the application layer and therefore has an inherent technical advantage for Web application protection. Based on a deep understanding of Web application business and logic, the WAF performs content detection and verification on every kind of request arriving at the Web application, ensures that requests are safe and legitimate, and blocks illegal requests in real time, thereby protecting all kinds of web sites effectively.
WAFs are generally divided into rule-based protection and anomaly-based protection:
Anomaly-based protection builds a model of legitimate behaviour from application data and judges, on that basis, whether behaviour is abnormal. This requires a thorough understanding of the application's business behaviour, which is very difficult to achieve in practice.
Rule-based protection provides security rules for a wide range of Web applications, builds a rule base and maintains and updates it in real time. Users can detect and protect Web applications in all respects according to these rules. This approach is efficient and comprehensive, but it produces a certain number of false positives.
In actual deployment, a WAF is configured with a rule set suited to the internal and external environment of each system as its security policy. Before a security policy is enabled, however, a large amount of manual inspection is needed to confirm whether the policy really fits and will not produce false positives or false blocking that would affect normal business.
Summary of the invention
The primary object of the present invention is to overcome the deficiencies of the prior art and provide a false-positive elimination method based on log replay. To solve the above technical problem, the solution of the invention is as follows:
A false-positive elimination method based on log replay is provided for maintaining the rule base of a Web application firewall (WAF). The method comprises the following steps:
Step 1: dynamically generating a test sample library, realised by the following sub-steps:
Step A: first obtaining the access log of the Web application within some period (the specific period is configurable), i.e. the access log saved on the WEB server;
Step B: extracting the Web requests from the access log obtained in step A (a Web request is an access request initiated by a client to the Web application);
Step C: according to the Web requests obtained in step B, obtaining the corresponding Web request parameters, i.e. the request content, from the access log, and forming the test sample library;
the test sample library holds the Web requests and Web request parameters, and is a sample base accumulated by the WAF in the course of its on-line business detection.
Step 2: after the security policy is updated, carrying out a replay test against the rule base, realised by the following sub-steps:
Step D: for internal and external changes of the Web application environment (the changes present in the on-line business system environment, i.e. the Web application environment, include but are not limited to the following: hackers attempting different new attack patterns that constitute a threat, and new security vulnerabilities being found in the on-line business system), updating the security policy (a security policy is the set of rules for all security-related activity), including but not limited to: reconfiguring rules in the rule base and adding new rules to the rule base;
the rule base is the rule feature library on the WAF used to perform rule matching and detection on network traffic and to filter malicious attack traffic.
Step E: loading the updated security policy and the test sample library into the replay test detection engine;
the replay test detection engine and the normal business detection engine use the same working mechanism, i.e. they run the rule base to detect access requests, but the rule base fed to the replay test detection engine is the updated rule base and the data traffic fed to it is the sample base traffic, used only for the replay test.
Step F: carrying out the replay test: the replay test detection engine runs the security policy loaded in step E against the Web requests in the test sample library and obtains the detection results of the new rules.
Step 3: analysing the detection results of the new rules obtained in step F to obtain the false-alarm rate of the new rules over the test sample library (since it is known for every sample in the test sample library whether it is an attack or not, the false positives of the new security policy can be determined from these known cases, and the false-alarm rate calculated).
Step 4: comparing the false-alarm rate obtained in step 3 with a false-alarm threshold (the threshold is a configurable item) and automatically configuring whether the new rules are enabled: if the false-alarm rate is not lower than the threshold, the new security policy is disabled; if the false-alarm rate is lower than the threshold, the new security policy is enabled and used as the security policy of the WAF.
In the present invention, in step C the accumulation of the test sample library is of two kinds:
1) configured by test sample library accumulation time (i.e. periodic): when the accumulation time of the test sample library reaches the configured accumulation time, the test sample library completes accumulation;
2) configured by test sample library accumulation count (i.e. quantitative): when the accumulated count of the test sample library reaches the configured accumulation count, the test sample library completes accumulation.
In the present invention, in step 2 the traversal test is carried out off-line and does not affect the on-line detection business.
In the present invention, the replay test detection engine is arranged in the WAF, and the replay test detection engine and the WAF's normal business detection engine are two independent engine processes, so the replay test does not affect normal business.
Compared with the prior art, the beneficial effects of the present invention are: the invention can judge the applicability of a new security policy intelligently and efficiently, and can eliminate the false positives and the false blocking caused by enabling a new security policy.
Detailed description of the invention
Fig. 1 is the implementation flow chart of the invention.
Fig. 2 is the schematic diagram of the generation process of the test sample library in the invention.
Fig. 3 is the flow diagram of the new-policy test in the invention.
Specific embodiment
The present invention is further described in detail below with reference to the accompanying drawings and specific embodiments:
As shown in Fig. 1, a false-positive elimination method based on log replay, used for maintaining the rule base of a Web application firewall (WAF), specifically comprises the following steps:
S1) The test sample library is generated dynamically, realised by the following sub-steps:
Step A: first the access log of the Web application within some period (the specific period is configurable) is obtained, i.e. the access log saved on the WEB server.
Step B: the Web requests are extracted from the access log obtained in step A. A Web request is an access request initiated by a client to the Web application.
Step C: according to the Web requests obtained in step B, the corresponding Web request parameters, i.e. the request content, are obtained from the access log and form the test sample library.
The test sample library holds the Web requests and Web request parameters, and is accumulated by the WAF in the course of its on-line business detection. Accumulation can be of two kinds:
1) the test sample library accumulation time is configured: when the accumulation time of the test sample library reaches the configured time, the test sample library completes accumulation.
2) the test sample library accumulation count is configured: when the accumulated count of the test sample library reaches the configured count, the test sample library completes accumulation.
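As an added example (not code from the patent or its applicant), the following Python script implements steps A to C of S1 above together with the two accumulation modes of the test sample library: it parses access-log lines, extracts each Web request with its decoded parameters, and completes accumulation either when a configured sample count is reached (quantitative mode) or when a configured time window measured from the first sample has elapsed (periodic mode). The patent does not name a log format, so the Apache/nginx "combined" format, the regular expression, the `Sample`/`SampleLibrary` names and the log lines are all assumptions constructed for illustration.

```python
"""Build a WAF replay test-sample library from web access logs (added example).

Implements steps A-C of S1: read access-log lines for a period, extract each
Web request and its parameters, and stop accumulating after a configured
number of samples or a configured time window. Log format and lines are
assumptions; the log lines are constructed, not real traffic.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, Iterable, List, Optional
from urllib.parse import parse_qs, urlsplit

# Assumed "combined" access-log format (the patent only says "the access
# log saved on the WEB server").
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


@dataclass
class Sample:
    """One replayable Web request: method, path and parsed parameters."""
    timestamp: datetime
    method: str
    path: str
    params: Dict[str, List[str]]
    raw_target: str


@dataclass
class SampleLibrary:
    """Test sample library accumulated from live traffic (step C).

    Accumulation completes when either configured limit is reached: a maximum
    sample count (quantitative mode) or a time window in seconds measured from
    the first sample (periodic mode). Either limit may be None (disabled).
    """
    max_samples: Optional[int] = None
    window_seconds: Optional[float] = None
    samples: List[Sample] = field(default_factory=list)
    complete: bool = False
    _start: Optional[datetime] = None

    def add(self, sample: Sample) -> bool:
        """Add a sample; return True once accumulation is complete."""
        if self.complete:
            return True
        if self._start is None:
            self._start = sample.timestamp
        elapsed = (sample.timestamp - self._start).total_seconds()
        if self.window_seconds is not None and elapsed >= self.window_seconds:
            self.complete = True          # periodic mode: window elapsed
            return True
        self.samples.append(sample)
        if self.max_samples is not None and len(self.samples) >= self.max_samples:
            self.complete = True          # quantitative mode: count reached
        return self.complete


def parse_line(line: str) -> Optional[Sample]:
    """Step B: extract the Web request from one log line (None if unparseable)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    parts = urlsplit(target)
    return Sample(
        timestamp=datetime.strptime(m.group("ts"), TS_FMT),
        method=m.group("method"),
        path=parts.path,
        params=parse_qs(parts.query, keep_blank_values=True),  # request content
        raw_target=target,
    )


def build_library(lines: Iterable[str], max_samples: Optional[int] = None,
                  window_seconds: Optional[float] = None) -> SampleLibrary:
    """Steps A-C: walk the log and accumulate until a configured limit is hit."""
    lib = SampleLibrary(max_samples=max_samples, window_seconds=window_seconds)
    for line in lines:
        s = parse_line(line)
        if s is None:
            continue                      # skip malformed lines, do not abort
        if lib.add(s):
            break
    return lib


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.1 - - [24/Aug/2017:10:00:00 +0800] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.2 - - [24/Aug/2017:10:00:05 +0800] "GET /search?q=shoes&page=2 HTTP/1.1" 200 2048',
    'garbage line that does not match the format',
    '10.0.0.3 - - [24/Aug/2017:10:00:09 +0800] "GET /item?id=1%27%20OR%201%3D1 HTTP/1.1" 200 300',
    '10.0.0.4 - - [24/Aug/2017:10:30:00 +0800] "POST /login HTTP/1.1" 302 -',
]

if __name__ == "__main__":
    lib = build_library(SAMPLE_LOG, max_samples=10000, window_seconds=15 * 60)
    for s in lib.samples:
        print(s.method, s.path, s.params)
```

With a 15-minute window the fourth valid line (30 minutes after the first) closes the library without being added, so three samples are kept; with `max_samples=2` the library closes after two. Unparseable lines are skipped rather than aborting the run, which matters when the library is built from months of production logs.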
S2) After the security policy is updated, a replay test is carried out against the rule base, realised by the following sub-steps:
Step D: for the internal and external changes of the on-line business system environment, the security policy needs to be updated. Updating the security policy includes but is not limited to: reconfiguring rules in the rule base and adding new rules to the rule base. Specifically, the changes present in the on-line business system environment include but are not limited to: hackers may attempt different new attack patterns that constitute a threat, and new security vulnerabilities may be found in the on-line business system. For these changes, the security protection system needs to update its security policy in order to keep protecting the system.
The security policy is the set of rules for all security-related activity.
The rule base is the rule feature library in the network security protection equipment used to perform rule matching and detection on access requests and to filter malicious attack accesses.
Step E: the replay test detection engine is loaded with the updated security policy and the test sample library.
The replay test detection engine is arranged in the WAF; it and the WAF's normal business detection engine are two independent engine processes, so the replay test does not affect normal business. The replay test detection engine and the engine in actual operation use the same working mechanism, i.e. an engine that runs the rule base to detect access requests, but the rule base and the access requests fed to them differ: the rule base fed to the replay test detection engine is the updated rule base, and the data fed in is the sample base, used only for the replay test.
Step F: the replay test is carried out: the replay test detection engine runs the security policy loaded in step E against the Web requests in the test sample library and obtains the detection results of the new rules.
S3) The detection results of the new rules obtained in step F are analysed to obtain the false-alarm rate of the new security policy over the test sample library.
Specifically, it is known for every sample in the test sample library whether it is an attack or not. From these known cases the false positives of the new security policy can be determined, and the false-alarm rate calculated.
S4) The false-alarm rate obtained in step 3 is compared with the false-alarm threshold (a configurable item) and it is automatically configured whether the new rules are enabled: if the false-alarm rate is not lower than the threshold, the new security policy is disabled; if it is lower than the threshold, the new security policy is enabled and used as the security policy of the WAF. A new security policy must undergo the replay test before it is enabled.
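As an added example, not the patent's own code, this Python script carries out S2 to S4 above (and the same steps 2 to 4 of the summary): one `DetectionEngine` class serves both the live rule base and the updated one, a pre-labelled sample library is replayed against the updated rules, the false-alarm rate of every new or reconfigured rule is computed, and each such rule is enabled only when its rate is below a configurable threshold. The rule identifiers, the regex rule patterns and the sample requests are constructed for illustration; and because the patent does not define the denominator of the false-alarm rate, the example defines it as the share of known-benign samples on which a rule fires, which is an assumption.

```python
"""Replay test of an updated WAF rule base with threshold-gated enabling (added example).

Rules, rule ids, sample requests and the false-alarm-rate definition are
assumptions made for illustration; the sample library is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Rule:
    rule_id: str
    pattern: str            # regex matched against the decoded request target
    enabled: bool = True


@dataclass(frozen=True)
class LabelledSample:
    target: str             # "METHOD /path?query" as stored in the sample library
    is_attack: bool         # known label: the library records which samples are attacks


class DetectionEngine:
    """One matching mechanism for both live and replay use (step E):
    only the rule base loaded and the traffic fed in differ."""

    def __init__(self, rules: List[Rule]):
        self._rules = [(r, re.compile(r.pattern, re.IGNORECASE)) for r in rules]

    def detect(self, target: str) -> List[str]:
        """Return the ids of all rules that fire on one request."""
        return [r.rule_id for r, rx in self._rules if rx.search(target)]


HitTally = Dict[str, Dict[str, int]]


def replay(engine: DetectionEngine, library: List[LabelledSample]) -> HitTally:
    """Step F: traverse the whole sample library and tally hits per rule,
    split by the sample's known label."""
    tally: HitTally = {}
    for s in library:
        for rid in engine.detect(s.target):
            counts = tally.setdefault(rid, {"attack": 0, "benign": 0})
            counts["attack" if s.is_attack else "benign"] += 1
    return tally


def false_alarm_rate(tally: HitTally, rule_id: str, library: List[LabelledSample]) -> float:
    """Step 3: fraction of known-benign samples on which the rule fired
    (assumed definition; the patent leaves the denominator unspecified)."""
    benign_total = sum(1 for s in library if not s.is_attack)
    if benign_total == 0:
        return 0.0
    return tally.get(rule_id, {}).get("benign", 0) / benign_total


def gate_new_rules(old_rules: List[Rule], new_rules: List[Rule],
                   library: List[LabelledSample], threshold: float) -> List[Rule]:
    """Step 4: a rule that is new or reconfigured relative to the old rule base
    is enabled only if its replay false-alarm rate is below the threshold; at or
    above the threshold it stays disabled. Unchanged rules pass through as-is."""
    unchanged = {(r.rule_id, r.pattern) for r in old_rules}
    tally = replay(DetectionEngine(new_rules), library)
    decided: List[Rule] = []
    for r in new_rules:
        if (r.rule_id, r.pattern) in unchanged:
            decided.append(r)
            continue
        far = false_alarm_rate(tally, r.rule_id, library)
        decided.append(Rule(r.rule_id, r.pattern, enabled=far < threshold))
    return decided


# Constructed, pre-labelled sample library (not real traffic).
SAMPLE_LIBRARY = [
    LabelledSample("GET /search?q=shoes", False),
    LabelledSample("GET /docs?q=select a topic from the list", False),
    LabelledSample("GET /blog?title=union station", False),
    LabelledSample("POST /login", False),
    LabelledSample("GET /item?id=1' OR 1=1", True),
    LabelledSample("GET /item?id=1 UNION SELECT password FROM users", True),
]

# Old rule base and the updated one; R2 and R3 are the new rules under test.
OLD_RULES = [Rule("R1", r"'\s*or\s+1\s*=\s*1")]
NEW_RULES = OLD_RULES + [
    Rule("R2", r"select.+from"),        # too broad: also matches ordinary prose
    Rule("R3", r"union\s+select"),      # tight: matches only the attack sample
]
FALSE_ALARM_THRESHOLD = 0.1             # configurable item

if __name__ == "__main__":
    for rule in gate_new_rules(OLD_RULES, NEW_RULES, SAMPLE_LIBRARY, FALSE_ALARM_THRESHOLD):
        print(rule.rule_id, "enabled" if rule.enabled else "disabled")
```

Replaying the library shows why the gate matters: R2 fires on one of the four benign samples (a false-alarm rate of 0.25, above the 0.1 threshold) and is left disabled, while R3 fires only on the attack sample and is enabled. Running the replay through a separate `DetectionEngine` instance, fed from the stored library rather than live traffic, is the off-line arrangement the patent describes; in a real deployment that instance would live in its own process so that the live engine is unaffected.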
The following example enables those skilled in the art to understand the invention more fully, but does not limit the invention in any way.
According to its on-line business detection log, the WAF saves the most recent Web requests and request parameters, forming the test sample library: for example Web requests url1, url2, url3 ..., until 10,000 have been accumulated or a time period has elapsed (both are configurable items). Suppose a rule A has been newly added. The WAF now starts a new detection engine process, called the replay test detection engine, loads the new rule base A, and replays the stored Web request library; the replay traffic passes through this newly started detection engine. The replay test detection engine traverses all Web requests of the sample base and performs the replay test. After comparing the test result of rule A with the false-alarm threshold, the WAF confirms whether to enable the new rule A, thereby eliminating false positives.
Finally it should be noted that the above are merely specific embodiments of the present invention. Clearly the invention is not limited to the above embodiments and may have many variations. All modifications that those skilled in the art can derive or associate directly from the present disclosure are considered within the protection scope of the invention.
Claims (4)
1. A false-positive elimination method based on log replay, used for maintaining the rule base of a Web application firewall (WAF), characterised in that the method comprises the following steps:
Step 1: dynamically generating a test sample library, realised by the following sub-steps:
Step A: first obtaining the access log of the Web application within some period;
Step B: extracting the Web requests from the access log obtained in step A;
Step C: according to the Web requests obtained in step B, obtaining the corresponding Web request parameters, i.e. the request content, from the access log, and forming the test sample library;
the test sample library holds the Web requests and Web request parameters, and is a sample base accumulated by the WAF in the course of its on-line business detection;
Step 2: after the security policy is updated, carrying out a replay test against the rule base, realised by the following sub-steps:
Step D: for internal and external changes of the Web application environment, updating the security policy, including but not limited to: reconfiguring rules in the rule base and adding new rules to the rule base;
the rule base is the rule feature library on the WAF used to perform rule matching and detection on network traffic and to filter malicious attack traffic;
the internal and external changes of the Web application environment are the changes present in the on-line business system environment, i.e. the Web application environment, including hackers attempting different new attack patterns that constitute a threat and new security vulnerabilities being found in the on-line business system;
Step E: loading the updated security policy and the test sample library into the replay test detection engine;
the replay test detection engine and the normal business detection engine use the same working mechanism, i.e. they run the rule base to detect access requests, but the rule base fed to the replay test detection engine is the updated rule base and the data traffic fed to it is the sample base traffic, used only for the replay test;
Step F: carrying out the replay test: the replay test detection engine runs the security policy loaded in step E against the Web requests in the test sample library and obtains the detection results of the new rules;
Step 3: analysing the detection results of the new rules obtained in step F to obtain the false-alarm rate of the new rules over the test sample library;
Step 4: comparing the false-alarm rate obtained in step 3 with a false-alarm threshold and automatically configuring whether the new rules are enabled: if the false-alarm rate is not lower than the threshold, the new security policy is disabled; if the false-alarm rate is lower than the threshold, the new security policy is enabled and used as the security policy of the WAF.
2. The false-positive elimination method based on log replay according to claim 1, characterised in that in step C the accumulation of the test sample library is of two kinds:
1) configured by test sample library accumulation time: when the accumulation time of the test sample library reaches the configured accumulation time, the test sample library completes accumulation;
2) configured by test sample library accumulation count: when the accumulated count of the test sample library reaches the configured accumulation count, the test sample library completes accumulation.
3. The false-positive elimination method based on log replay according to claim 1, characterised in that in step 2 the traversal test is carried out off-line and does not affect the on-line detection business.
4. The false-positive elimination method based on log replay according to claim 1, characterised in that the replay test detection engine is arranged in the WAF, and the replay test detection engine and the WAF's normal business detection engine are two independent engine processes, so the replay test does not affect normal business.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710734958.7A CN107454096B (en) | 2017-08-24 | 2017-08-24 | A kind of wrong report removing method based on log playback |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710734958.7A CN107454096B (en) | 2017-08-24 | 2017-08-24 | A kind of wrong report removing method based on log playback |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107454096A CN107454096A (en) | 2017-12-08 |
CN107454096B true CN107454096B (en) | 2019-11-29 |
Family
ID=60494004
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710734958.7A Active CN107454096B (en) | 2017-08-24 | 2017-08-24 | A kind of wrong report removing method based on log playback |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107454096B (en) |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109040128B (en) * | 2018-09-18 | 2020-09-22 | 四川长虹电器股份有限公司 | WAF reverse proxy detection method based on offline pcap flow packet |
CN109413108B (en) * | 2018-12-18 | 2021-07-02 | 杭州安恒信息技术股份有限公司 | WAF detection method and system based on safety |
CN113542204B (en) * | 2020-04-22 | 2023-04-07 | 中国电信股份有限公司 | Protection rule generation method and device and storage medium |
CN113726779A (en) * | 2021-08-31 | 2021-11-30 | 北京天融信网络安全技术有限公司 | Rule false alarm test method and device, electronic equipment and computer storage medium |
CN113992438B (en) * | 2021-12-27 | 2022-03-22 | 北京微步在线科技有限公司 | Network security detection method and device |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103491060A (en) * | 2012-06-13 | 2014-01-01 | 北京新媒传信科技有限公司 | Method, device and system for defending against Web attacks |
CN103581180A (en) * | 2013-10-28 | 2014-02-12 | 深信服网络科技(深圳)有限公司 | Method and device for adjusting target hitting characteristics according to attacking logs |
CN104601530A (en) * | 2013-10-31 | 2015-05-06 | 中兴通讯股份有限公司 | Implementing method and system for could security service |
CN105262720A (en) * | 2015-09-07 | 2016-01-20 | 深信服网络科技(深圳)有限公司 | Web robot traffic identification method and device |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9369478B2 (en) * | 2014-02-06 | 2016-06-14 | Nicira, Inc. | OWL-based intelligent security audit |
Non-Patent Citations (1)
Title |
---|
"防火墙封阻引用攻击技术综述" (survey of firewall attack-blocking techniques); 丁威 (Ding Wei); 《安防科技》 (Security Technology); 2003-07-15; full text * |
Also Published As
Publication number | Publication date |
---|---|
CN107454096A (en) | 2017-12-08 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| CB02 | Change of applicant information | Address after: 310051 No. 188 Lianhui Street, Xixing Street, Binjiang District, Hangzhou City, Zhejiang Province; Applicant after: Hangzhou Annan information technology Limited by Share Ltd. Address before: Zhejiang Zhongcai Building No. 68 Binjiang District road Hangzhou City, Zhejiang Province, the 310051 and 15 layer; Applicant before: Dbappsecurity Co.,ltd. |
| GR01 | Patent grant | |