CN107835179B - Application program protection method and device based on virtualization container - Google Patents

Application program protection method and device based on virtualization container

Publication number: CN107835179B
Authority: CN (China)
Prior art keywords: application, container, firewall, application program, application layer
Legal status: Active
Application number: CN201711121041.6A
Other languages: Chinese (zh)
Other versions: CN107835179A (en)
Inventors: 李若寒, 孙大军, 元河清, 孙晓妮, 刘强
Current Assignee: Chaoyue Technology Co Ltd
Original Assignee: Chaoyue Technology Co Ltd
Timeline: application filed by Chaoyue Technology Co Ltd; priority to CN201711121041.6A; publication of CN107835179A; application granted; publication of CN107835179B; legal status active

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227: Filtering policies
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55: Detecting local intrusion or implementing counter-measures
    • G06F21/554: Detecting local intrusion or implementing counter-measures involving event detection and direct action

Abstract

The invention discloses an application program protection method and device based on a virtualization container, comprising the following steps: monitoring an external port and acquiring an application program access request from the outside; extracting application layer information from the data packets of the application program access request; filtering the application layer information using a firewall policy to generate legal application layer information; and transmitting the legal application layer information to an application program container for processing. The application program protection method and device based on the virtualization container can effectively protect the application layer security of the server system and avoid the influence of SQL injection, cross-site scripting, information leakage and other attack means.

Description

Application program protection method and device based on virtualization container
Technical Field
The present invention relates to the field of network security, and more particularly, to a method and an apparatus for protecting an application program based on a virtualized container.
Background
With the rapid development of internet technology, B/S (browser/server) architecture applications combining the Web with databases have been widely used in business systems inside and outside enterprises, and Web systems play an increasingly important role. Meanwhile, more and more Web systems are frequently attacked because of existing security risks, which causes the sensitive data and pages of those Web systems to be tampered with, or even turned into hosts for spreading trojans, and ultimately harms more visitors, resulting in severe losses.
At the front end of a Web system, network security devices such as firewalls and intrusion prevention devices are widely deployed, network access control policies are set strictly, and generally only the necessary service ports such as HTTP (Hypertext Transfer Protocol) are opened, so a hacker has difficulty attacking a website through traditional network layer attacks (finding and exploiting operating system and database vulnerabilities). However, Web application vulnerabilities are far more common: with the deep penetration of Web application technology, Web application vulnerabilities are discovered and attacked ever faster, and attacks based on Web vulnerabilities are easier to carry out and have become the first choice of hackers.
At present, 75% of information security attacks occur at the application layer rather than at the network layer. The application layer security situation is serious, and the following problems mainly exist: most Web system designs focus only on normal functionality and not on code security; application layer security defenses lag behind, or are missing altogether; hacker intrusions are not discovered in time, and the compromised system is used as a springboard to attack other application systems.
In the face of such serious application layer security issues, deploying application firewalls is the most effective means. However, in the cloud computing mode the virtual network blurs the network boundary in the traditional sense: traditional network security devices such as firewalls, IDS (intrusion detection systems) and IPS (intrusion prevention systems) are deployed at the boundary of the physical network, so communication between different applications in the same cloud platform cannot be controlled, and once one application in the cloud platform directly attacks other applications from the inside, all network boundary protection measures are bypassed, directly threatening the security of the applications and even the whole cloud computing platform.
For the problem that an application firewall on a cloud platform cannot effectively protect the application layer in the prior art, no effective solution has been proposed so far.
Disclosure of Invention
In view of this, an object of the embodiments of the present invention is to provide an application program protection method and apparatus based on a virtualized container, which can perform application program protection based on a virtualized container for different applications or different types of applications, effectively protect application layer security of a server system, and avoid the influence of attack means such as SQL injection, cross-site scripting, information leakage, and the like.
Based on the above object, an aspect of the embodiments of the present invention provides an application program protection method based on a virtualized container, which is applied to a server, and includes the following steps:
monitoring an external port and acquiring an application program access request from the outside;
extracting application layer information from the data packets of the application program access request;
filtering the application layer information using a firewall policy to generate legal application layer information;
and transmitting the legal application layer information to an application program container for processing.
In some embodiments, further comprising the steps of:
the application program container generates feedback information after processing;
filtering the feedback information using the firewall policy to generate legal feedback information;
and packaging the legal feedback information and returning it through an external interface.
In some embodiments, the firewall policies are recorded in the policy repository in the form of firewall parameters.
In some embodiments, the policy repository is connected to a specific programming interface through which the firewall policy is configured.
In some embodiments, the application requesting access is disposed in an application container.
In some embodiments, the firewall policy is in effect at the start of the application container, and the firewall policy shares a network namespace and an external network address with the application container.
In another aspect, the embodiments of the invention also provide an application program protection device based on a virtualization container, which is applied to a server and comprises a reverse proxy server, a policy repository and a programming interface.
In another aspect of the embodiments of the present invention, there is also provided a computer device including a memory, at least one processor, and a computer program stored on the memory and executable on the processor, the processor executing the program to perform the method described above.
In another aspect of the embodiments of the present invention, a computer-readable storage medium is further provided, in which a computer program is stored, and the computer program is executed by a processor to perform the above method.
In another aspect of the embodiments of the present invention, there is also provided a computer program product including a computer program stored on a computer-readable storage medium, the computer program including instructions which, when executed by a computer, cause the computer to perform the above method.
The invention has the following beneficial technical effects: the application program protection method and device based on a virtualization container provided by the embodiments of the invention monitor an external port, obtain the access request of the application program from the outside, extract the application layer information from the data packets, filter it using the firewall policy and transmit it to the application program container for processing, so that the application layer security of the server system is effectively protected from attack means such as SQL injection, cross-site scripting and information leakage.
Drawings
In order to illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings used in the description of the embodiments or the prior art are briefly described below. Obviously, the drawings in the following description show only some embodiments of the present invention, and those skilled in the art can derive other drawings from them without creative effort.
FIG. 1 is a flowchart illustrating a first embodiment of a method for protecting an application based on a virtualized container according to the present invention;
FIG. 2 is a schematic diagram illustrating a first embodiment of a virtualized container-based application protection device according to the present invention;
FIG. 3 is a schematic hardware structure diagram of an embodiment of a computer device for executing the virtualized container-based application protection method according to the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the following embodiments of the present invention are described in further detail with reference to the accompanying drawings.
It should be noted that all expressions using "first" and "second" in the embodiments of the present invention are used to distinguish two entities or parameters that share a name but are not identical; "first" and "second" are merely for convenience of description and should not be construed as limiting the embodiments of the present invention, and this is not repeated in the following embodiments.
In view of the above, a first aspect of the embodiments of the present invention provides a first embodiment of a method for protecting an application program based on a virtualized container for different applications or different types of applications. Fig. 1 is a flowchart illustrating a first embodiment of a virtualized container-based application protection method according to the present invention.
The application program protection method based on the virtualized container is optionally applied to a server, and comprises the following steps:
step S101, monitoring an external port and acquiring an access request of an application program from the outside;
step S103, extracting application layer information from the data packet of the application program access request;
step S105, filtering the application layer information by using a firewall policy to generate legal application layer information;
step S107, the legal application layer information is transmitted to the application program container for processing.
In some embodiments, further comprising the steps of:
the application program container generates feedback information after processing;
filtering the feedback information using the firewall policy to generate legal feedback information;
and packaging the legal feedback information and feeding back the legal feedback information through an external interface.
Optionally, the firewall policy performs the same filtering process on the feedback information generated by the application container. This is a technical measure against network attacks originating inside the system: if a particular application is compromised, the other applications are not affected by it.
In some embodiments, the firewall policies are recorded in the policy repository in the form of firewall parameters.
In some embodiments, the policy repository is connected to a specific programming interface through which the firewall policy is configured.
Optionally, the policy repository is also placed in a container. The policy repository can be regarded as a special application that is connected to a different external port than the general applications: general applications are connected to the common external port, while the policy repository is connected to a specific programming interface, through which a specific external application program can read and write the firewall parameters and thereby modify the firewall policy.
In some embodiments, the application requesting access is disposed in an application container.
In some embodiments, the firewall policy is in effect at the start of the application container, and the firewall policy shares a network namespace and an external network address with the application container.
Optionally, by sharing the network namespace and the external network address with the application container, the firewall policy acts as a reverse proxy server in front of it.
It can be seen from the foregoing embodiments that, in the application protection method based on a virtualized container provided in the embodiments of the present invention, by monitoring an external port and obtaining an access request of an application from the outside, application layer information is extracted from a data packet, and filtered by using a firewall policy and transmitted to an application container for processing, the application layer security of a server system is effectively protected from the influence of attack means such as SQL injection, cross-site scripting, information leakage, and the like.
The embodiment of the invention also provides a second embodiment of the application program protection method based on the virtualization container, which can be used for different applications or different types of applications.
The virtual application firewall is distributed as a Docker image, is started together with the application container, and shares a network namespace with it, so that the virtual firewall container and the application container share one external IP.
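As an added deployment example, not part of the patent and not the applicant's own configuration, the arrangement just described can be written as a Compose file in which the firewall container joins the application container's network namespace and binds the public port in front of it. The image names, ports, volume path and environment variable names are assumptions made for this illustration:

```yaml
# Added example, not from the patent: the virtual application firewall as a
# sidecar that joins the application container's network namespace, so both
# containers share one external IP and the firewall process binds the public
# port in front of the application. Image names, ports, paths and variable
# names are assumptions.
services:
  app:
    image: example/shop-app:latest            # assumed application image
    # The owner of the network namespace publishes the ports, even though it
    # is the firewall process that binds them. The application itself listens
    # only on 127.0.0.1:8080 inside the shared namespace and is never
    # reachable from outside except through the firewall.
    ports:
      - "80:80"                               # application port, served by the firewall's reverse proxy
      - "127.0.0.1:9443:9443"                 # fixed port for the RESTful API, reachable from the host only
  vfw:
    image: example/virtual-app-firewall:latest   # assumed firewall image
    network_mode: "service:app"               # join app's namespace (docker run --network container:<app>)
    depends_on:
      - app                                   # the firewall starts together with the application container
    volumes:
      - ./policy:/etc/vfw/policy:ro           # policy repository mounted as firewall parameters
    environment:
      VFW_UPSTREAM: "http://127.0.0.1:8080"   # where the reverse proxy forwards legal requests
      VFW_MGMT_PORT: "9443"
```

Because a container that joins another's namespace cannot publish ports of its own, the port mappings sit on the application service even though the firewall binds them; binding the management port to the host loopback keeps the policy interface off the public address the two containers share.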
The core of the virtual application firewall is a reverse proxy server. The reverse proxy server proxies access from the external network to the internal network and listens on the external IP and port according to its configuration. By accepting connection requests from the external network, the reverse proxy server obtains the network packets of the access to the application, reorders and reassembles them, and extracts the application layer information. The reverse proxy server runs a policy engine, which loads the firewall policy when it starts, compares the extracted application layer information with the firewall policy, filters out attack traffic, and forwards the legal application layer information to the internal network, where the application container processes it. After the application has processed the request, the returned information is forwarded to the reverse proxy server, whose policy engine filters the returned information again, and the legal returned information is sent to the external network through the external IP. Acting as a reverse proxy in this way, the virtual application firewall analyzes the network traffic, compares it with the firewall policy, scrubs out the attack traffic and protects the application.
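The request and response flow described here, and as steps S101 to S107 plus the feedback filtering of the first embodiment, can be made concrete with a small policy engine. The following is an added Python example written for this page, not the applicant's Apache module: the rule names and patterns, the sample requests and the callable that stands in for the application container are all constructed for the illustration.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import unquote_plus


class Rule:
    """One firewall parameter: a named pattern applied to chosen fields in one direction."""

    def __init__(self, name: str, pattern: str, fields: List[str], direction: str = "request"):
        self.name, self.fields, self.direction = name, fields, direction
        self.regex = re.compile(pattern, re.IGNORECASE | re.DOTALL)


# Constructed policy repository: illustrative rules only, not a production rule set.
POLICY: List[Rule] = [
    Rule("sql-injection", r"union\s+(?:all\s+)?select|\bor\s+1\s*=\s*1\b|;\s*drop\s+table",
         ["path", "query", "body"]),
    Rule("cross-site-scripting", r"<\s*script\b|javascript\s*:|\bon\w+\s*=", ["path", "query", "body"]),
    Rule("banner-leak", r"^(?:server|x-powered-by)$", ["header-name"], "response"),
    Rule("stack-trace-leak", r"Traceback \(most recent call last\)|\bat [\w.$]+\(\w+\.java:\d+\)",
         ["body"], "response"),
]


def extract_application_layer(raw: bytes) -> Dict[str, object]:
    """Step S103: turn the reassembled TCP payload into application layer fields.
    Percent-encoding is decoded first, so an encoded payload is matched in the
    same form as a plain one."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    method, target, version = request_line.split(" ", 2)
    path, _, query = target.partition("?")
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "version": version, "path": unquote_plus(path),
            "query": unquote_plus(query), "headers": headers,
            "body": unquote_plus(body.decode("latin-1"))}


def filter_request(info: Dict[str, object], policy: List[Rule]) -> Optional[str]:
    """Step S105: compare the extracted fields with the request rules.
    Returns the first matching rule name, or None when the request is legal."""
    for rule in policy:
        if rule.direction == "request":
            for field in rule.fields:
                if rule.regex.search(str(info.get(field, ""))):
                    return rule.name
    return None


def filter_response(headers: Dict[str, str], body: bytes,
                    policy: List[Rule]) -> Tuple[Dict[str, str], bytes, List[str]]:
    """Feedback filtering: apply the response rules to the application's reply.
    Matching headers are dropped and a matching body is replaced by a neutral
    error, so internal details do not reach the external network."""
    actions: List[str] = []
    legal_headers: Dict[str, str] = {}
    for name, value in headers.items():
        hit = next((r.name for r in policy if r.direction == "response"
                    and "header-name" in r.fields and r.regex.search(name)), None)
        if hit:
            actions.append(f"{hit}:{name}")
        else:
            legal_headers[name] = value
    text = body.decode("utf-8", "replace")
    for rule in policy:
        if rule.direction == "response" and "body" in rule.fields and rule.regex.search(text):
            actions.append(rule.name)
            return legal_headers, b"Internal Server Error", actions
    return legal_headers, body, actions


def proxy_once(raw_request: bytes, backend: Callable, policy: List[Rule] = POLICY) -> Dict[str, object]:
    """Steps S101 to S107 for one connection: extract, filter, hand the legal
    request to the application container (a callable stands in for it here),
    then filter the reply before it goes back out."""
    info = extract_application_layer(raw_request)
    blocked_by = filter_request(info, policy)
    if blocked_by:
        return {"status": 403, "headers": {}, "body": b"Forbidden", "blocked_by": blocked_by, "actions": []}
    status, headers, body = backend(info)
    legal_headers, legal_body, actions = filter_response(headers, body, policy)
    return {"status": status, "headers": legal_headers, "body": legal_body, "blocked_by": None, "actions": actions}


def demo_backend(info: Dict[str, object]) -> Tuple[int, Dict[str, str], bytes]:
    """Constructed stand-in for the application container behind the proxy."""
    if info["path"] == "/crash":
        return (500, {"Server": "Apache/2.4", "Content-Type": "text/plain"},
                b'Traceback (most recent call last):\n  File "app.py", line 12, in handle\n')
    return 200, {"Server": "Apache/2.4", "Content-Type": "text/html"}, b"<h1>hello</h1>"


# Constructed sample traffic: one legal request and three the policy should act on.
SAMPLES: Dict[str, bytes] = {
    "legit": b"GET /search?q=shoes HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "sqli": b"GET /item?id=1%27%20UNION%20SELECT%20user,pass%20FROM%20users HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "xss": b"POST /comment HTTP/1.1\r\nHost: shop.example\r\n"
           b"Content-Type: application/x-www-form-urlencoded\r\n\r\ntext=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
    "leak": b"GET /crash HTTP/1.1\r\nHost: shop.example\r\n\r\n",
}


def run_samples() -> Dict[str, Dict[str, object]]:
    return {name: proxy_once(raw, demo_backend) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:6} status={result['status']} blocked_by={result['blocked_by']} actions={result['actions']}")
```

Two points the paragraph leaves implicit are visible here: the engine decodes percent-encoding before matching, because a rule written against the plain form of a payload is otherwise trivially sidestepped by encoding it, and the response pass does two different things, removing a leaking header while replacing a leaking body outright, since a stack trace cannot be partially delivered and still be "legal feedback information". A real deployment replaces `demo_backend` with an HTTP client to the upstream on the shared loopback address.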
The virtual firewall provides a RESTful API (application programming interface) through which external programs configure the firewall parameters and the policy repository.
It should be particularly noted that the steps in the embodiments of the application protection method based on the virtualized container may be interleaved, replaced, added and deleted with respect to one another; therefore these reasonable permutations and combinations of the application protection method based on the virtualized container should also fall within the scope of the present invention, and the described embodiments should not limit the scope of the present invention.
In view of the above, a second aspect of the embodiments of the present invention provides a first embodiment of a virtualized container-based application program protection device for different applications or different types of applications. The application program protection device based on the virtualized container is applied to a server, comprises a reverse proxy server, a policy repository and a programming interface, and uses the application program protection method based on the virtualized container. FIG. 2 is a schematic structural diagram of a first embodiment of a virtualized container-based application protection device according to the present invention.
As shown in FIG. 2, a virtual firewall Docker container image is built on an Apache application server. Apache is configured to listen on a fixed port, on which a RESTful API is provided for configuring the application port and the policy repository. Apache is then configured to listen on the application port (for example the default port 80), and the operating mode of Apache on the application port is configured as reverse proxy mode. The policy engine is implemented on the Apache application server as an Apache module plug-in, realizing functions such as application layer information analysis, policy loading and policy comparison along the dotted-line path shown in FIG. 2. After the functional test of the virtual firewall is complete, the Apache application server, the configuration files, the policy engine module and so on are packaged into a Docker image, the start-up parameters are configured, and the application program works along the solid-line path shown in FIG. 2.
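The RESTful API on the fixed port is the one path through which firewall parameters change, so its inputs need to be checked as strictly as the application traffic itself. The added Python example below, written for this page and not the applicant's implementation, models such a policy interface as a pure request handler that validates every parameter before it is stored and versions the repository so the policy engine can tell when it must reload. The resource paths, the JSON layout of a rule and the rule names are assumptions made for this example.

```python
import json
import re
import threading
from typing import Dict, List, Optional, Tuple

RULE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")        # assumed naming constraint for rules
FIELDS = {"request": {"path", "query", "body", "headers"}, "response": {"header-name", "body"}}


def validate_rule(rule: object) -> Optional[str]:
    """Return why the rule is unacceptable, or None if it is well formed.
    Compiling the pattern here means a broken regex is rejected at the
    interface instead of breaking the policy engine on its next reload."""
    if not isinstance(rule, dict):
        return "rule must be a JSON object"
    missing = {"pattern", "fields", "direction"} - rule.keys()
    if missing:
        return "missing keys: " + ", ".join(sorted(missing))
    if rule["direction"] not in FIELDS:
        return "direction must be 'request' or 'response'"
    allowed = FIELDS[rule["direction"]]
    fields = rule["fields"]
    if not isinstance(fields, list) or not fields or not all(isinstance(f, str) and f in allowed for f in fields):
        return "fields must be a non-empty list drawn from: " + ", ".join(sorted(allowed))
    try:
        re.compile(rule["pattern"])
    except (re.error, TypeError) as exc:
        return f"pattern does not compile: {exc}"
    return None


class PolicyRepository:
    """Firewall parameters keyed by rule name, with a version that only ever increases."""

    def __init__(self) -> None:
        self._rules: Dict[str, dict] = {}
        self._version = 0
        self._lock = threading.Lock()

    def snapshot(self) -> dict:
        """What the policy engine loads: a consistent copy plus its version."""
        with self._lock:
            return {"version": self._version, "rules": json.loads(json.dumps(self._rules))}

    def put(self, name: str, rule: dict) -> None:
        with self._lock:
            self._rules[name] = rule
            self._version += 1

    def delete(self, name: str) -> bool:
        with self._lock:
            if name not in self._rules:
                return False
            del self._rules[name]
            self._version += 1
            return True


def handle_api(repo: PolicyRepository, method: str, path: str, body: bytes = b"") -> Tuple[int, dict]:
    """One call on the programming interface (assumed resource layout):
    GET /policy            -> every rule plus the current version
    PUT /policy/<name>     -> create or replace one rule after validation
    DELETE /policy/<name>  -> remove one rule"""
    if path == "/policy":
        return (200, repo.snapshot()) if method == "GET" else (405, {"error": "method not allowed"})
    if not path.startswith("/policy/"):
        return 404, {"error": "no such resource"}
    name = path[len("/policy/"):]
    if not RULE_NAME.fullmatch(name):
        return 400, {"error": "invalid rule name"}
    if method == "PUT":
        try:
            rule = json.loads(body.decode("utf-8"))
        except (UnicodeDecodeError, json.JSONDecodeError):
            return 400, {"error": "body is not valid JSON"}
        error = validate_rule(rule)
        if error:
            return 400, {"error": error}
        repo.put(name, rule)
        return 200, repo.snapshot()
    if method == "DELETE":
        return (204, {}) if repo.delete(name) else (404, {"error": "no such rule"})
    return 405, {"error": "method not allowed"}


def demo() -> List[int]:
    """Constructed sequence of management calls; returns the status codes observed."""
    repo = PolicyRepository()
    calls = [
        ("PUT", "/policy/sqli", json.dumps({"pattern": r"union\s+select", "fields": ["query", "body"], "direction": "request"})),
        ("PUT", "/policy/bad", json.dumps({"pattern": "(unclosed", "fields": ["query"], "direction": "request"})),
        ("PUT", "/policy/../etc", "{}"),
        ("GET", "/policy", ""),
        ("DELETE", "/policy/sqli", ""),
        ("DELETE", "/policy/sqli", ""),
    ]
    return [handle_api(repo, m, p, b.encode("utf-8"))[0] for m, p, b in calls]


if __name__ == "__main__":
    print(demo())  # [200, 400, 400, 200, 204, 404]
```

The handler is deliberately free of sockets so the validation logic can be exercised on its own; wiring it to Apache on the fixed port is a matter of dispatching the method, path and body to `handle_api`. The version in each snapshot is what lets a running policy engine poll cheaply and reload only when the repository has actually changed.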
The application program protection device based on a virtualization container monitors the external port, acquires the access request of the application program from the outside, extracts the application layer information from the data packets, filters it using the firewall policy and transmits it to the application program container for processing, so that the application layer security of the server system is effectively protected from attack means such as SQL injection, cross-site scripting and information leakage.
It should be particularly noted that the above embodiment of the application protection device based on the virtualized container uses the embodiment of the application protection method based on the virtualized container to describe the working process of each module in detail, and those skilled in the art will readily appreciate that these modules can be applied to other embodiments of the application protection method based on the virtualized container. Of course, since the steps in the embodiments of the application protection method based on the virtualized container may be interleaved, replaced, added or deleted, these reasonable permutations and combinations should also fall within the scope of the present invention, and the described embodiment should not limit the scope of the present invention.
In view of the foregoing, according to a third aspect of the embodiments of the present invention, an embodiment of a computer device for executing the virtualized container-based application protection method is provided.
The computer device for executing the virtualized container-based application protection method includes a memory, at least one processor, and a computer program stored in the memory and running on the processor, wherein the processor executes the computer program to perform any one of the methods described above.
FIG. 3 is a schematic hardware structure diagram of an embodiment of a computer device for executing the virtualized container-based application protection method according to the present invention.
Taking the computer device shown in FIG. 3 as an example, the computer device includes a processor 301 and a memory 302, and may further include an input device 303 and an output device 304.
The processor 301, the memory 302, the input device 303 and the output device 304 may be connected by a bus or by other means; FIG. 3 illustrates connection by a bus as an example.
The memory 302 is a non-volatile computer-readable storage medium, and can be used to store non-volatile software programs, non-volatile computer-executable programs, and modules, such as program instructions/modules corresponding to the virtualized container-based application protection method in this embodiment of the present application. The processor 301 executes various functional applications of the server and data processing by running the nonvolatile software programs, instructions and modules stored in the memory 302, that is, implements the application program protection method based on the virtualized container of the above-described method embodiment.
The memory 302 may include a program storage area and a data storage area, wherein the program storage area may store an operating system and an application program required for at least one function, and the data storage area may store data created by the use of the virtualized container-based application protection device, and the like. Further, the memory 302 may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid-state storage device. In some embodiments, the memory 302 optionally includes memory located remotely from the processor 301, which may be connected to the local module via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The input device 303 may receive input numeric or character information and generate key signal inputs related to user settings and function control of the virtualized container-based application protection device. The output device 304 may include a display device such as a display screen.
Program instructions/modules corresponding to the one or more virtualized container-based application protection methods are stored in the memory 302 and, when executed by the processor 301, perform the virtualized container-based application protection method in any of the above-described method embodiments.
Any embodiment of the computer device executing the virtualized container-based application protection method may achieve the same or similar effects as any corresponding method embodiment described above.
In view of the foregoing, a fourth aspect of the embodiments of the present invention provides a computer-readable storage medium storing computer-executable instructions, which may execute the virtualized container-based application protection method in any of the above method embodiments and implement the virtualized container-based application protection device in any of the above device embodiments. Embodiments of the computer-readable storage medium may achieve the same or similar effects as any of the corresponding method and device embodiments described above.
In view of the above object, a fifth aspect of the embodiments of the present invention provides a computer program product, which includes a computer program stored on a computer-readable storage medium, where the computer program includes instructions that, when executed by a computer, cause the computer to execute the virtualized container-based application protection method in any of the above method embodiments and implement the virtualized container-based application protection device in any of the above device embodiments. Embodiments of the computer program product may achieve the same or similar effects as any of the corresponding method and device embodiments described above.
Finally, it should be noted that, as will be understood by those skilled in the art, all or part of the processes of the methods of the above embodiments may be implemented by a computer program, which may be stored in a computer-readable storage medium, and when executed, may include the processes of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), or the like. Embodiments of the computer program may achieve the same or similar effects as any of the preceding method embodiments to which it corresponds.
In addition, the apparatuses, devices and the like disclosed in the embodiments of the present invention may be various electronic terminal devices, such as a mobile phone, a Personal Digital Assistant (PDA), a tablet computer (PAD), a smart television and the like, or may be a large terminal device, such as a server and the like, and therefore the scope of protection disclosed in the embodiments of the present invention should not be limited to a specific type of apparatus, device. The client disclosed in the embodiment of the present invention may be applied to any one of the above electronic terminal devices in the form of electronic hardware, computer software, or a combination of both.
Furthermore, the method disclosed according to an embodiment of the present invention may also be implemented as a computer program executed by a CPU, and the computer program may be stored in a computer-readable storage medium. The computer program, when executed by the CPU, performs the above-described functions defined in the method disclosed in the embodiments of the present invention.
Further, the above method steps and system elements may also be implemented using a controller and a computer readable storage medium for storing a computer program for causing the controller to implement the functions of the above steps or elements.
Further, it should be appreciated that the computer-readable storage media (e.g., memory) described herein can be either volatile memory or nonvolatile memory, or can include both volatile and nonvolatile memory. By way of example, and not limitation, nonvolatile memory can include Read Only Memory (ROM), Programmable ROM (PROM), Electrically Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM), which can act as external cache memory. By way of example and not limitation, RAM is available in a variety of forms such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDR SDRAM), Enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), and Direct Rambus RAM (DRRAM). The storage devices of the disclosed aspects are intended to comprise, without being limited to, these and other suitable types of memory.
Those of skill would further appreciate that the various illustrative logical blocks, modules, circuits, and algorithm steps described in connection with the disclosure herein may be implemented as electronic hardware, computer software, or combinations of both. To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, modules, circuits, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as software or hardware depends upon the particular application and design constraints imposed on the overall system. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the disclosed embodiments of the present invention.
The various illustrative logical blocks, modules, and circuits described in connection with the disclosure herein may be implemented or performed with the following components designed to perform the functions described herein: a general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination of these components. A general purpose processor may be a microprocessor, but in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine. A processor may also be implemented as a combination of computing devices, e.g., a combination of a DSP and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a DSP, and/or any other such configuration.
The steps of a method or algorithm described in connection with the disclosure herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. An exemplary storage medium is coupled to the processor such that the processor can read information from, and write information to, the storage medium. In the alternative, the storage medium may be integral to the processor. The processor and the storage medium may reside in an ASIC. The ASIC may reside in a user terminal. In the alternative, the processor and the storage medium may reside as discrete components in a user terminal.
In one or more exemplary designs, the functions may be implemented in hardware, software, firmware, or any combination thereof. If implemented in software, the functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium. Computer-readable media includes both computer storage media and communication media, including any medium that facilitates transfer of a computer program from one place to another. A storage medium may be any available medium that can be accessed by a general purpose or special purpose computer. By way of example, and not limitation, such computer-readable media can comprise RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a general-purpose or special-purpose computer, or a general-purpose or special-purpose processor. Also, any connection is properly termed a computer-readable medium. For example, if the software is transmitted from a website, server, or other remote source using a coaxial cable, fiber optic cable, twisted pair, Digital Subscriber Line (DSL), or wireless technologies such as infrared, radio, and microwave, then the coaxial cable, fiber optic cable, twisted pair, DSL, or wireless technologies such as infrared, radio, and microwave are included in the definition of medium. Disk and disc, as used herein, include Compact Disc (CD), laser disc, optical disc, Digital Versatile Disc (DVD), floppy disk and Blu-ray disc, where disks usually reproduce data magnetically, while discs reproduce data optically with lasers. Combinations of the above should also be included within the scope of computer-readable media.
The foregoing is an exemplary embodiment of the present disclosure, but it should be noted that various changes and modifications could be made herein without departing from the scope of the present disclosure as defined by the appended claims. The functions, steps and/or actions of the method claims in accordance with the disclosed embodiments described herein need not be performed in any particular order. Furthermore, although elements of the disclosed embodiments of the invention may be described or claimed in the singular, the plural is contemplated unless limitation to the singular is explicitly stated.
It should be understood that, as used herein, the singular forms "a," "an," "the" are intended to include the plural forms as well, unless the context clearly supports the exception. It should also be understood that "and/or" as used herein is meant to include any and all possible combinations of one or more of the associated listed items.
The numbers of the embodiments disclosed in the embodiments of the present invention are merely for description, and do not represent the merits of the embodiments.
It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program instructing relevant hardware, where the program may be stored in a computer-readable storage medium, and the above-mentioned storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.
Those of ordinary skill in the art will understand that the discussion of any embodiment above is meant to be exemplary only, and is not intended to imply that the scope of the disclosure, including the claims, is limited to these examples; within the idea of the embodiments of the invention, technical features of the above embodiment or of different embodiments may also be combined, and there are many other variations of the different aspects of the embodiments described above which are not provided in detail for the sake of brevity. Therefore, any omissions, modifications, substitutions, improvements, and the like that may be made without departing from the spirit and principles of the embodiments of the present invention are intended to be included within the scope of the embodiments of the present invention.

Claims (8)

1. A method for protecting an application program based on a virtualized container is applied to a server and comprises the following steps:
monitoring an external port and acquiring an application program access request from the outside;
extracting application layer information from a data packet of the application program access request;
filtering the application layer information by using a firewall policy to generate legal application layer information;
transmitting the legal application layer information to an application program container for processing;
wherein the method further comprises the steps of:
the application program container generates feedback information after processing;
filtering the feedback information by using the firewall policy to generate legal feedback information;
packing the legal feedback information and feeding back through an external interface;
wherein the same firewall policy is used to filter the application layer information and the feedback information.
2. The method of claim 1, wherein the firewall policy is recorded in a policy repository in the form of firewall parameters.
3. The method of claim 2, wherein the policy repository is connected to a specific programming interface through which the firewall policy is configured.
4. The method of claim 1, wherein the application requesting access is disposed in the application container.
5. The method of claim 1, wherein the firewall policy is in effect at startup of the application container, and wherein the firewall policy shares a network namespace and an external network address with the application container.
6. A virtualized container-based application guard comprising a reverse proxy server, a policy repository and a programming interface, the application guard using the method of any of claims 1-5.
7. A computer device comprising a memory, at least one processor and a computer program stored on the memory and executable on the processor, characterized in that the processor performs the method according to any of claims 1-5 when executing the computer program.
8. A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, is adapted to carry out the method of any one of claims 1 to 5.
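The request/feedback pipeline of claim 1, together with the policy repository and programming interface of claims 2 and 3, as an added Python example that is not part of the patent or the applicant's code: the reverse proxy extracts the application-layer fields of an HTTP request, filters them with the policy, hands the legal information to the container, filters the container's feedback with the same policy, and packs the result for the external interface. The HTTP parsing, the firewall parameter names, the status codes and the container callback are assumptions.

```python
import re
from dataclasses import dataclass, field


@dataclass
class PolicyRepository:
    """Policy repository of firewall parameters (claim 2); the parameter names are assumptions."""
    allowed_methods: set = field(default_factory=lambda: {"GET", "POST"})
    max_payload_bytes: int = 4096
    blocked_patterns: list = field(default_factory=list)

    def configure(self, **params):
        """Programming interface through which the firewall policy is configured (claim 3)."""
        for key, value in params.items():
            if not hasattr(self, key):
                raise KeyError(f"unknown firewall parameter: {key}")
            setattr(self, key, value)


def extract_application_layer(raw: bytes) -> dict:
    """Extract application-layer information (method, target, headers, body) from an HTTP/1.1 packet."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = dict(line.split(": ", 1) for line in lines[1:] if ": " in line)
    return {"method": method, "target": target, "headers": headers, "payload": body}


def filter_with_policy(policy: PolicyRepository, info: dict):
    """Apply the firewall policy; the same function filters the inbound request and the feedback."""
    if "method" in info and info["method"] not in policy.allowed_methods:
        return False, f"method {info['method']} not allowed"
    if len(info["payload"]) > policy.max_payload_bytes:
        return False, "payload exceeds max_payload_bytes"
    text = info.get("target", "") + info["payload"].decode("latin-1", "replace")
    for pattern in policy.blocked_patterns:
        if re.search(pattern, text, re.IGNORECASE):
            return False, f"matched blocked pattern {pattern!r}"
    return True, "ok"


def pack(status: int, body: bytes) -> bytes:
    """Pack legal information into a response for the external interface."""
    return f"HTTP/1.1 {status}\r\nContent-Length: {len(body)}\r\n\r\n".encode() + body


def guard(raw_request: bytes, policy: PolicyRepository, container) -> bytes:
    """Reverse-proxy guard: filter the request, hand it to the container, filter the feedback."""
    info = extract_application_layer(raw_request)
    ok, reason = filter_with_policy(policy, info)
    if not ok:
        return pack(403, f"request blocked: {reason}".encode())
    feedback = container(info)  # simulated application-container processing (assumption)
    ok, reason = filter_with_policy(policy, {"payload": feedback})  # same policy, outbound
    if not ok:
        return pack(502, f"feedback blocked: {reason}".encode())
    return pack(200, feedback)
```

Because the outbound check reuses the inbound policy, a pattern that stops an injected payload on the way in also stops the container from echoing or leaking it on the way out.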
CN201711121041.6A 2017-11-14 2017-11-14 Application program protection method and device based on virtualization container Active CN107835179B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711121041.6A CN107835179B (en) 2017-11-14 2017-11-14 Application program protection method and device based on virtualization container

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201711121041.6A CN107835179B (en) 2017-11-14 2017-11-14 Application program protection method and device based on virtualization container

Publications (2)

Publication Number Publication Date
CN107835179A CN107835179A (en) 2018-03-23
CN107835179B true CN107835179B (en) 2021-05-04

Family

ID=61654392

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711121041.6A Active CN107835179B (en) 2017-11-14 2017-11-14 Application program protection method and device based on virtualization container

Country Status (1)

Country Link
CN (1) CN107835179B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108259514B (en) * 2018-03-26 2020-11-24 平安科技(深圳)有限公司 Vulnerability detection method and device, computer equipment and storage medium
CN110351219A (en) * 2018-04-02 2019-10-18 蓝盾信息安全技术有限公司 A kind of database security access technique based on Net Strobe System
CN112764878B (en) * 2021-01-13 2024-04-23 中科曙光(南京)计算技术有限公司 Deep learning-based big data all-in-one container cluster risk prediction method
CN114172698A (en) * 2021-11-19 2022-03-11 重庆川仪自动化股份有限公司 Service request processing method, Web server, equipment and medium
CN114978610A (en) * 2022-04-29 2022-08-30 北京火山引擎科技有限公司 Flow transmission control method, device, equipment and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104468632A (en) * 2014-12-31 2015-03-25 北京奇虎科技有限公司 Loophole attack prevention method, device and system
CN105210323A (en) * 2013-03-15 2015-12-30 鲁库斯无线公司 Localizing a multicast service
CN105721479A (en) * 2016-03-02 2016-06-29 北京网康科技有限公司 URL filtering method and device
CN105871845A (en) * 2016-03-31 2016-08-17 深圳市深信服电子科技有限公司 Method and device for detecting Web vulnerability scanning behavior
CN106160226A (en) * 2016-07-28 2016-11-23 全球能源互联网研究院 A kind of method of precision when improving intelligent substation PTP pair

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1555170A (en) * 2003-12-23 2004-12-15 沈阳东软软件股份有限公司 Flow filtering fine wall
CN101707619B (en) * 2009-12-10 2012-11-21 福建星网锐捷网络有限公司 Message filtering method, device and network device
US20130019314A1 (en) * 2011-07-14 2013-01-17 International Business Machines Corporation Interactive virtual patching using a web application server firewall
CN103825953B (en) * 2014-03-04 2017-01-04 武汉理工大学 A kind of user model encrypted file system
CN103973700A (en) * 2014-05-21 2014-08-06 成都达信通通讯设备有限公司 Mobile terminal preset networking address firewall isolation application system
US9888034B2 (en) * 2014-12-24 2018-02-06 Oracle International Corporation Pluggable API firewall filter
CN105391703B (en) * 2015-10-28 2019-02-12 南方电网科学研究院有限责任公司 A kind of WEB application firewall system based on cloud and its safety protecting method
CN107026821B (en) * 2016-02-01 2021-06-01 阿里巴巴集团控股有限公司 Message processing method and device

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105210323A (en) * 2013-03-15 2015-12-30 鲁库斯无线公司 Localizing a multicast service
CN104468632A (en) * 2014-12-31 2015-03-25 北京奇虎科技有限公司 Loophole attack prevention method, device and system
CN105721479A (en) * 2016-03-02 2016-06-29 北京网康科技有限公司 URL filtering method and device
CN105871845A (en) * 2016-03-31 2016-08-17 深圳市深信服电子科技有限公司 Method and device for detecting Web vulnerability scanning behavior
CN106160226A (en) * 2016-07-28 2016-11-23 全球能源互联网研究院 A kind of method of precision when improving intelligent substation PTP pair

Also Published As

Publication number Publication date
CN107835179A (en) 2018-03-23


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 250104 No. 2877 Kehang Road, Sun Village Town, Jinan High-tech Zone, Shandong Province

Applicant after: Chaoyue Technology Co.,Ltd.

Address before: 250104 No. 2877 Kehang Road, Sun Village Town, Jinan High-tech Zone, Shandong Province

Applicant before: SHANDONG CHAOYUE DATA CONTROL ELECTRONICS Co.,Ltd.

GR01 Patent grant
PE01 Entry into force of the registration of the contract for pledge of patent right

Denomination of invention: Application program protection method and device based on Virtualization container

Effective date of registration: 20211104

Granted publication date: 20210504

Pledgee: China Merchants Bank Co.,Ltd. Jinan Branch

Pledgor: Chaoyue Technology Co.,Ltd.

Registration number: Y2021370000126

PC01 Cancellation of the registration of the contract for pledge of patent right

Date of cancellation: 20230413

Granted publication date: 20210504

Pledgee: China Merchants Bank Co.,Ltd. Jinan Branch

Pledgor: Chaoyue Technology Co.,Ltd.

Registration number: Y2021370000126