CN108683685A - A cloud security CDN system and monitoring method for XSS attacks


Info

Publication number: CN108683685A
Authority: CN (China)
Prior art keywords: module, request, threat, security, cdn
Prior art date:
Legal status: Pending
Application number: CN201810634321.5A
Other languages: Chinese (zh)
Inventors: 曹鹏飞, 杨君, 李�杰, 郭泳劭, 王博宙, 曹旺, 沈丽, 康锦涛, 钱铭铭
Current assignee: Sanjiang University
Original assignee: Sanjiang University
Priority date:
Filing date:
Publication date:
Events: application filed by Sanjiang University; priority to CN201810634321.5A; publication of CN108683685A; legal status pending (current).

Classifications

CPC classifications, all under H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION:

    • H04L 63/1425 Traffic logging, e.g. anomaly detection (via H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/14 for detecting or protecting against malicious traffic > H04L 63/1408 by monitoring network traffic)
    • H04L 63/0227 Filtering policies (via H04L 63/00 > H04L 63/02 for separating internal from external traffic, e.g. firewalls)
    • H04L 63/0281 Proxies (via H04L 63/00 > H04L 63/02 for separating internal from external traffic, e.g. firewalls)
    • H04L 63/1416 Event detection, e.g. attack signature detection (via H04L 63/00 > H04L 63/14 > H04L 63/1408 by monitoring network traffic)
    • H04L 67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP] (via H04L 67/00 Network arrangements or protocols for supporting network services or applications > H04L 67/01 Protocols)

Abstract

The present invention discloses a cloud security CDN system for XSS attacks comprising a CDN server and a cloud server. The CDN server comprises a suspicious-request judgment module and a reverse proxy module: the suspicious-request judgment module judges client requests and submits suspicious requests to the cloud server; the reverse proxy module sends requests that carry no suspected threat on to the Web server. The cloud server comprises a situation awareness module, a request analysis module, a request filtering module and a log module: the situation awareness module builds the situation awareness library; the request analysis module performs security threat detection and security threat level evaluation on suspicious requests and feeds the result back to the CDN server; the request filtering module filters the content of low-risk requests; the log module stores all operation information of the other modules. The invention performs security monitoring on the data flowing through the CDN server and analyses the security threats present in the traffic in real time.

Description

A cloud security CDN system and monitoring method for XSS attacks
Technical field
The present invention relates to a secure CDN based on cloud situation awareness technology and to an XSS attack defence system; specifically, it relates to a cloud security CDN system and monitoring method for XSS attacks.
Background technology
With the rapid development of the Internet, many security problems have arrived alongside the conveniences it brings. In recent years the network security situation has remained severe, major security incidents at home and abroad occur again and again, and the cyber threats people face keep growing; traditional defence systems can no longer meet the needs of current Internet development. Traditional XSS defence reportedly relies mostly on feature matching and checks all submitted information: for cross-site scripting (XSS) attacks, the pattern-matching method generally searches for the keyword "JavaScript", and once "JavaScript" is found in the submitted information it is assumed to be an XSS attack. The defect of this detection method is obvious: a hacker can evade detection completely by inserting characters or by encoding. The specific evasion methods are as follows:
1. Multiple tab characters are inserted into "JavaScript", giving:
<IMG SRC=" JavaScript:alert('XSS');">;
2. A space character is inserted into "JavaScript", giving:
<IMG SRC=" JavaScript pt:alert('XSS');">;
3. A carriage-return character is inserted into "JavaScript", giving:
<IMG SRC=" JavaScript:alert('XSS');">;
4. A newline character is inserted between each pair of characters of "JavaScript", giving:
<IMG SRC=JavaScript r
\nt:alert('XSS');">
5. "JavaScript:alert('XSS')" is fully encoded, giving:
<IMGSRC=JavaScript74:alert('XSS')>
The above methods easily evade feature-based detection. Besides a large number of misses, feature-based detection may also produce a large number of false positives: an address like the one above on some website will also trigger an alarm merely because it contains the keyword "JavaScript".
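The gap the background describes, a keyword check that misses inserted whitespace or character encoding and fires on a benign URL that merely contains the word, can be shown with a small detector comparison. The following Python is an added example written for this page, not code from the patent or its inventors: the sample inputs are constructed here to mirror the five evasion families listed above plus one benign URL, and the normalisation steps (decode HTML character references, drop control and whitespace characters, fold case, then look for the javascript: scheme) are this example's own choices.

```python
import html
import re

# Constructed sample inputs for this example (not taken from the patent): one
# value for each evasion family listed above, plus a benign URL that merely
# contains the word "JavaScript".
SAMPLES = {
    "tab":     '<IMG SRC="Java\tScript:alert(\'XSS\');">',
    "space":   '<IMG SRC="JavaScri pt:alert(\'XSS\');">',
    "cr":      '<IMG SRC="Java\rScript:alert(\'XSS\');">',
    "newline": '<IMG SRC="J\na\nv\na\nS\nc\nr\ni\np\nt:alert(\'XSS\');">',
    "encoded": '<IMG SRC="&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;:alert(\'XSS\');">',
    "benign":  "https://example.com/docs/JavaScript-tutorial",
}


def naive_match(value):
    """Feature matching as the background describes it: flag any submission
    that contains the keyword exactly as written."""
    return "JavaScript" in value


_CONTROL_WS = re.compile(r"[\x00-\x20]")


def normalize(value):
    """Undo the listed evasions: decode HTML character references, drop control
    and whitespace characters, fold case."""
    return _CONTROL_WS.sub("", html.unescape(value)).lower()


def normalized_match(value):
    """Look for the javascript: URL scheme in the normalised value; requiring
    the colon is what stops the plain word in a URL path from matching."""
    return "javascript:" in normalize(value)


def evaluate(detector):
    """Map each sample name to whether the detector flags it."""
    return {name: detector(value) for name, value in SAMPLES.items()}


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:8} naive={naive_match(value)!s:5} normalised={normalized_match(value)}")
```

Normalising before matching closes the specific gaps listed above and removes the false positive on the plain URL, but it is still a keyword heuristic with no notion of where the text will land in the page; that is the limitation the request analysis module's HTML-semantic approach is meant to address.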
However, a single defence is hard pressed to cope with network attacks and cannot provide a sufficient guarantee for the security of user information. The existing solutions for network security fall into the following classes: server-side defence, client-side defence, dedicated security appliance defence, and secure CDN (Content Delivery Network) service defence. But when an XSS attack is encountered, the above traditional security measures have difficulty achieving a significant effect.
Summary of the invention
Object of the invention: in view of the deficiencies of the prior art, the present invention aims to provide a cloud security CDN system for XSS attacks together with a monitoring method, which strengthens defence capability and the protection of users and better protects the privacy of user services.
Technical solution: the cloud security CDN system for XSS attacks of the present invention comprises a CDN server and a cloud server. The CDN server comprises a suspicious-request judgment module and a reverse proxy module; the suspicious-request judgment module is used to judge the requests sent by a client and to submit suspicious requests to the cloud server for analysis;
the reverse proxy module is used to receive the requests without suspected threat sent by the suspicious-request judgment module and to send those requests to the Web server;
the cloud server comprises a situation awareness module, a request analysis module, a request filtering module and a log module; the situation awareness module is used to build a situation awareness library from the data stored by the log module;
the request analysis module is used to perform security threat detection and security threat level evaluation on suspicious requests and to feed the result back to the CDN server;
the request filtering module is used to receive the low-risk requests sent by the request analysis module, filter them, and feed the filtered safe result back to the CDN server;
the log module is used to store all operation information of the suspicious-request judgment module, reverse proxy module, situation awareness module, request analysis module and request filtering module, together with all requests sent by clients and their handling results.
The present invention consists mainly of a CDN server and a cloud server; the novel combination of CDN service, cloud computing technology and situation awareness technology gives the whole system a good effect in network attack defence. The overall design considers not only defence capability but also the protection of the user: the user's true host address is hidden, and the user, the attacker and the cloud security CDN server form a loop, so that the user never meets the attacker directly, which protects the privacy of the user's service better than the traditional secure CDN architecture. The overall design is thorough, highly compatible and adapts well to its environment; based on cloud situation awareness technology, it constructs a sound XSS attack defence system.
The present invention also provides a cloud security CDN monitoring method for XSS attacks, comprising the following steps:
S1: the client sends an HTTP request to the suspicious-request judgment module of the CDN server; the suspicious-request judgment module makes a preliminary judgment on the HTTP request, sends the preliminary judgment result to the log module, and executes step S2 or step S3 according to that result;
S2: if the HTTP request carries no suspected threat, it is judged a normal request; the normal request is sent to the reverse proxy module, which in turn sends it to the Web server;
S3: if the HTTP request carries a suspected threat, it is judged a suspicious request; the suspicious request is sent to the request analysis module of the cloud server, which makes a secondary judgment on it, sends the secondary judgment result to the log module, and executes step S4 or step S5 according to that result;
S4: if the suspicious request carries no security threat, it is judged a threat-free request; the threat-free request is sent to the reverse proxy module, which in turn submits it to the Web server;
S5: if the suspicious request carries a security threat, it is judged a threatening request; the request analysis module calls the situation awareness library from the situation awareness module to analyse the threatening request in depth and determine its threat level, sends the analysis result to the log module for storage, and then executes step S6 or step S7 according to the threat level;
S6: if the threatening request is high risk, the request analysis module judges it to be intrusion behaviour, immediately notifies the reverse proxy module of the CDN server, and the request is terminated;
S7: if the threatening request is low risk, the request analysis module judges it to be a client misoperation and sends the misoperated request to the request filtering module; the request filtering module performs content filtering on it, escaping and replacing the dangerous code in the request to obtain a safe request, and sends the safe request to the reverse proxy module, which in turn submits it to the Web server.
Preferably, the log module obtains the information of all operations from the suspicious-request judgment module, reverse proxy module, situation awareness module, request analysis module and request filtering module.
Preferably, the situation awareness module uses network situation awareness technology to analyse globally the operating status of network equipment, network behaviour and user behaviour, so as to acquire, understand and display all security factors that can cause the network situation to change; it extracts all threat behaviours from these and assesses their security threat level, thereby building the situation awareness library.
Preferably, the situation awareness module can extract novel threat behaviours from the log module and assess their security threat level, so as to update the situation awareness library and obtain a new one.
Preferably, the situation awareness module can analyse and process as a whole the log data stored by the log module, judge it in combination with the client's behaviour, extract the relevant feature information and generate a situation view.
The beneficial effects of the invention are: (1) cloud computing is merged with the traditional CDN service, which produces a good effect in network attack defence;
(2) the user's true host address is hidden; the user, the attacker and the cloud security CDN server form a loop, so the user and the attacker never meet directly, which better protects the privacy of the user's service;
(3) visualised attack logs are provided;
(4) after several rounds of optimisation of the rules and algorithms, the false positive rate and the false negative rate are reduced to 10% or less.
In short, the present invention provides a cloud security CDN solution: by improving the existing CDN system, it performs security monitoring on the data traffic flowing through the CDN server, places the security assessment at the CDN server, analyses in real time the security threats present in the traffic, visualises security threats and security defence through cloud computing and situation awareness technology, and makes decisions on security incidents.
Description of the drawings
Fig. 1 is the principle block diagram of the present invention.
Fig. 2 is the work flow diagram of the present invention.
Fig. 3 is the cloud-security-based CDN architecture diagram of the present invention.
Fig. 4 is the DAT diagram in the present invention.
Fig. 5 is the DAT state transition process diagram in the present invention.
Detailed description of embodiments
The technical solution of the present invention is described in detail below with reference to the drawings, but the scope of protection of the present invention is not limited to the embodiments.
As shown in Fig. 1, the system of the present invention comprises a CDN server and a cloud server. The CDN server comprises a suspicious-request judgment module and a reverse proxy module; the cloud server comprises a situation awareness module, a request analysis module, a request filtering module and a log module. The suspicious-request judgment module and the reverse proxy module mainly judge the requests of users accessing the system and submit suspicious requests to the cloud server for analysis; they are intended to be realised with an Nginx server and Python, with extensions for Nginx written as Lua and C language modules. The suspicious-request judgment module judges whether an access request is a suspicious request and sends suspicious requests to the cloud server; the reverse proxy module completes the corresponding operation according to the result fed back by the cloud server. The situation awareness module uses network situation awareness technology to analyse globally the operating status of network equipment, network behaviour and user behaviour, so as to acquire, understand and display all security factors that can cause the network situation to change, extract novel threat behaviours, assess their security threat level and build a new situation awareness library; this module mainly analyses the log data, processes the data as a whole in combination with a judgment of the user's behaviour, and generates a situation view from the data. The request analysis module is mainly responsible for security threat detection and security threat level evaluation; this module involves low-level system operations and is intended to be developed in C/C++. It disassembles and analyses the GET/POST content of the request message, detects potential security threats, evaluates the threat level, feeds the result back to the server and waits for the next processing step. The request filtering module interprets the result produced by the request analysis module, filters and escapes dangerous fields and operation behaviours, outputs the safe result and returns it to the server. The log module stores all threats together with their analysis results.
The cloud security CDN monitoring method for XSS attacks of the present invention, as shown in Fig. 2, comprises the following steps:
S1: the client sends an HTTP request to the suspicious-request judgment module of the CDN server; the suspicious-request judgment module makes a preliminary judgment on the HTTP request to screen for suspected threats (suspected threats include combinations of certain special characters, JavaScript functions and the like), sends the preliminary judgment result to the log module, and executes step S2 or step S3 according to that result;
S2: if the HTTP request carries no suspected threat, it is judged a normal request; the normal request is sent directly to the reverse proxy module, which forwards it to the Web server in reverse proxy mode;
S3: if the HTTP request carries a suspected threat, it is judged a suspicious request; the suspicious request is sent to the request analysis module of the cloud server for analysis; the request analysis module makes a secondary judgment on the suspicious request, sends the secondary judgment result to the log module, and executes step S4 or step S5 according to that result;
S4: if the suspicious request carries no security threat, it is judged a threat-free request and the Web server is notified to accept it: the threat-free request is sent to the reverse proxy module, which in turn submits it to the Web server;
S5: if the suspicious request carries a security threat, it is judged a threatening request; the request analysis module calls the situation awareness library from the situation awareness module to analyse the threatening request in depth and determine its threat level, sends the analysis result to the log module for storage, and then executes step S6 or step S7 according to the threat level;
S6: if the threatening request is high risk, the request analysis module judges it to be intrusion behaviour, immediately notifies the reverse proxy module of the CDN server, and the request is terminated;
S7: if the threatening request is low risk, the request analysis module judges it to be a client misoperation and sends the misoperated request to the request filtering module; the request filtering module performs content filtering on it, escaping and replacing the dangerous code in the request to obtain a safe request, and sends the safe request to the reverse proxy module, which in turn submits it to the Web server.
In the above method the log module records all operations, and the situation awareness module on the cloud server periodically evaluates the log module and extracts the relevant feature information; the analysis result can be stored in the situation awareness database, and a corresponding level is set for novel threats for use in the next request decision; detailed results are presented in forms such as charts and analysis reports.
Embodiment 1: a cloud security CDN system for XSS attacks comprising a CDN server and a cloud server; the CDN server comprises a suspicious-request judgment module and a reverse proxy module, and the cloud server comprises a situation awareness module, a request analysis module, a request filtering module and a log module. The system of this embodiment adds cloud computing technology to the traditional CDN architecture and provides a new solution for Web security. As shown in Fig. 3, after a user sends a request to the CDN server, the CDN server makes a preliminary judgment on whether the request contains suspicious content and then submits suspicious requests to the cloud server for handling. In this architecture the CDN server is responsible only for the preliminary judgment, while the detailed analysis strategy is deployed on the cloud server, so the system administrator can define the security policy on the cloud server; with the traditional secure CDN architecture, the security policy would have to be issued separately to every server.
OpenResty is a Web server based on the Lua language and Nginx; it supports all of Nginx's functionality and supports writing extension modules in Lua. To realise the system of this embodiment, OpenResty is used as the reverse proxy server and the suspicious-request judgment module is called through a Lua extension. To guarantee the processing efficiency of the suspicious-request judgment module and the request analysis module under high traffic and high concurrency, their code is developed entirely in C. The log module uses a MySQL database for logging; the log records mainly include the user's hyperlink request, source IP, destination website, request time, threat level, attack vector, user browser characteristics and so on. The situation awareness module uses a B/S architecture; it applies a series of statistical algorithms to associate attack behaviour with attack features, outputs the result as JSON and transfers it to the browser. After parsing the JSON, the browser generates the corresponding charts; data visualisation is realised with HTML5 and CSS3, so that the user gets an intuitive data experience directly in the browser without installing any client program.
The implementation method of the system of this embodiment is as follows:
1. Reverse proxy module implementation process
The reverse proxy module has to judge and divert the requests it receives. When a request enters the server's processing flow, Nginx hands access control to the request judgment module. The configuration file is as follows:
After the request is passed to the request judgment module (request_judge.lua), the request judgment module reads information such as the URL, source IP, request body and request parameters from the request, and calls the suspicious-request judgment module written in C to give a preliminary score for the threat degree of the parameters passed in by the user. The score ranges from 0 to 5; if it is above 0, the request information is passed as JSON to the back-end cloud server for judgment. The back-end cloud server returns its result once the judgment is complete, and a block or pass operation is performed according to the result.
2. Suspicious-request judgment module implementation process
The suspicious-request judgment module has to handle a large volume of data every second; as a CPU-bound (computation-intensive) program, how to improve its efficiency is the key point in realising this module.
For the retrieval efficiency problem, a Trie tree based on DFA (Deterministic Finite Automaton) theory can be described as a quick and efficient solution.
The relevant definitions and principles of Trie trees are given here:
A Trie tree is a digital search tree and an efficient index structure based on DFA theory. In the whole tree structure, each node corresponds to a DFA state, and each edge from a parent node to a child node corresponds to one DFA transition. Traversal starts from the root node and determines the position of the next state in turn according to the characters of the target string. If a leaf node is matched before the characters of the target string are exhausted, the search succeeds and terminates; otherwise the search fails. The search flexibility of a Trie tree is also high: by skipping specific characters in the target string it can be made insensitive to slight spelling errors, but from a security standpoint this property is of little significance.
The main operations on a Trie tree are creating the dictionary tree, inserting node elements, returning the number of times a node has been added to the Trie, and ordering the digital dictionary tree by actual numeric value, i.e. breadth-first search, and so on.
However, since a simple Trie tree structure is sparse, it causes considerable waste of server computation and storage resources. This embodiment uses the DAT (Double Array Trie) algorithm for traffic screening; the principle of DAT and its state transition process are illustrated here. Suppose there is a piece of user input: I'm a aa hack hacker. The DAT diagram generated from it is shown in simplified form in Fig. 4: each node in the figure represents a "state", each edge represents a "variable", and the change from one node to the next is called a "state transition". State transition turns traditional text regular-expression retrieval into operations on states; by recording and processing states, matching efficiency and precision are greatly improved, server computation resources and storage space are saved, and regex-DDoS-type attacks are also mitigated.
The state transition process of DAT is shown in Fig. 5. In the transition from state s to t on input character c, the state before the transition (s) is saved in the check array, i.e. check[t] = s; this is the state transition process of DAT. Compared with the Triple-Array Trie, merging base and next into base saves space while enhancing the locality of the algorithm and improving efficiency. From the above process the following pseudocode is obtained:
The check array stores, for a state t, its predecessor state s (check[t] = s); the index of the base array is the state number in the DFA, and base[s] stores the offset used when state s looks for its next state, the offset serving to find usable subsequent memory space. When a character is input in state s, the state is transferred to t according to the offset saved at base[s] and the code of the input character.
When the algorithm detects a dangerous keyword (such as paired double quotes, angle brackets, the script keyword and so on), it performs risk assessment scoring for the corresponding dangerous keyword and returns the result to the reverse proxy module for processing.
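To make the base/check description concrete, here is a minimal double-array trie in Python whose scan drives the 0-to-5 preliminary score described under the reverse proxy module. This is an added example written for this page, not the inventors' C implementation and not the pseudocode the text refers to: the keyword list used for scoring (paired double quotes, angle brackets, the word script) follows the text, while the scoring rule (one point per keyword hit, capped at 5) and the sample keyword set used with the figure's input (a, aa, hack, hacker) are assumptions made here.

```python
# Dangerous keywords for the preliminary score, after the ones named in the
# text (double quotes, angle brackets, the script keyword); the exact list and
# the one-point-per-hit rule are assumptions of this example.
DANGEROUS_KEYWORDS = ['"', "<", ">", "script"]


class DoubleArrayTrie:
    """Trie stored in two parallel arrays: for a transition s --c--> t,
    t = base[s] + code(c) and check[t] == s, i.e. the check[t] = s rule."""

    ROOT = 1

    def __init__(self, keywords):
        self.base = [0, 0]          # index 0 unused; base[ROOT] is set by _build
        self.check = [-1, 0]        # -1 marks a free cell; the root has no parent
        self.output = {}            # state -> keyword that ends in that state
        trie = {}                   # ordinary nested-dict trie, built first
        for kw in keywords:
            node = trie
            for ch in kw:
                node = node.setdefault(ch, {})
            node[None] = kw         # terminal marker
        self._build(self.ROOT, trie)

    @staticmethod
    def _code(ch):
        return ord(ch) + 1          # codes start at 1, so a child never lands on base[s] itself

    def _ensure(self, index):
        while len(self.base) <= index:
            self.base.append(0)
            self.check.append(-1)

    def _build(self, s, node):
        if None in node:
            self.output[s] = node[None]
        children = [ch for ch in node if ch is not None]
        if not children:
            return
        codes = [self._code(ch) for ch in children]
        b = 1                       # smallest offset at which every child cell is free
        while True:
            self._ensure(b + max(codes))
            if all(self.check[b + c] == -1 for c in codes):
                break
            b += 1
        self.base[s] = b
        for c in codes:
            self.check[b + c] = s   # claim every child cell before descending
        for ch, c in zip(children, codes):
            self._build(b + c, node[ch])

    def step(self, s, ch):
        """Transition from state s on character ch, or None if there is none."""
        t = self.base[s] + self._code(ch)
        if t < len(self.check) and self.check[t] == s:
            return t
        return None

    def scan(self, text):
        """Every (start_offset, keyword) occurrence in text, overlaps included."""
        hits = []
        for start in range(len(text)):
            s = self.ROOT
            for i in range(start, len(text)):
                s = self.step(s, text[i])
                if s is None:
                    break
                if s in self.output:
                    hits.append((start, self.output[s]))
        return hits


DANGER_DAT = DoubleArrayTrie(DANGEROUS_KEYWORDS)


def preliminary_score(value):
    """0-5 threat score for one parameter value; anything above 0 is handed to the cloud server."""
    return min(5, len(DANGER_DAT.scan(value)))


if __name__ == "__main__":
    demo = DoubleArrayTrie(["a", "aa", "hack", "hacker"])
    print(demo.scan("I'm a aa hack hacker"))
    print(preliminary_score('<script>alert("x")</script>'))
```

scan reports every occurrence, so the page's sample input yields nine hits, including both hack and hacker starting at the same offset; preliminary_score only counts hits, which is why the cap at 5 and a zero score for plain input are the two cases worth checking.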
3. Request analysis module implementation process
The request analysis module runs on the cloud server and is responsible for judging whether a request is an XSS attack. It abandons the rule-based XSS defence mechanism and instead analyses and judges the content on the basis of HTML semantics, which greatly reduces the false positive rate and the false negative rate. When it finds an HTML tag, the request analysis module first analyses the HTML semantics and parses out the tag name, attribute names, attribute values and so on of the HTML tag. After parsing, each attribute is analysed in context. For example, if an onload attribute appears in the tag and its value is not empty, it is XSS, because that attribute executes the code in its value once the page has finished loading. After the discrimination analysis is complete, the result is returned to the CDN server.
4. Request filtering module implementation process
The request filtering module of the cloud server interprets the low-risk requests output by the request analysis module, filters and escapes dangerous fields and operation behaviours, outputs the safe result and returns it to the CDN server.
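The semantic check and the filtering step can be shown together in Python. This is an added example written for this page, not the patent's C implementation: it uses the standard library HTML parser to extract tag names, attribute names and attribute values, flags the onload case given in the text and generalises it to all on* event-handler attributes, to script tags and to href/src values carrying the javascript: scheme, and escapes low-risk markup as the request filtering module does. The policy in handle_suspicious (executable code found means high risk and termination, plain markup means low risk and filtering) is an assumption standing in for the threat level the patent takes from its situation awareness library.

```python
import html
import re
from html.parser import HTMLParser

_CONTROL_WS = re.compile(r"[\x00-\x20]")


def normalize(value):
    """Decode character references, drop control/whitespace characters, fold case."""
    return _CONTROL_WS.sub("", html.unescape(value)).lower()


class TagAnalyzer(HTMLParser):
    """Parse markup found in a parameter value and record every place that
    would execute code as a (tag, attribute, value) triple."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":                       # script element: the keyword named in the text
            self.findings.append((tag, "", ""))
        for name, value in attrs:                 # HTMLParser already lower-cases names
            if value is None or not value.strip():
                continue                          # an empty handler value is not XSS per the text
            if name.startswith("on"):             # onload and the other on* event handlers
                self.findings.append((tag, name, value))
            elif name in ("href", "src") and "javascript:" in normalize(value):
                self.findings.append((tag, name, value))


def analyze(value):
    """Request analysis module: HTML-semantic check of one parameter value."""
    if "<" not in value:
        return []                                 # no tag, nothing to parse
    parser = TagAnalyzer()
    parser.feed(value)
    parser.close()
    return parser.findings


def filter_request(value):
    """Request filtering module (step S7): escape the markup so it renders as text."""
    return html.escape(value, quote=True)


def handle_suspicious(value):
    """Decision for one suspicious parameter value, as an (action, value) pair.
    Assumed policy for this example: executable code -> high risk -> terminate
    (step S6); markup without executable code -> low risk -> filter (step S7);
    anything else is forwarded unchanged (step S4)."""
    if analyze(value):
        return ("terminate", None)
    if "<" in value:
        return ("forward", filter_request(value))
    return ("forward", value)


if __name__ == "__main__":
    for sample in ('<img src=x onload="alert(1)">', "<b>bold</b>", "hello"):
        print(sample, "->", handle_suspicious(sample))
```

The empty-value case is kept deliberately: the text says an onload attribute is XSS only when its value is not empty, so an attribute with no code to run falls through to the low-risk path and is merely escaped.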
As described above, although the present invention has been shown and described with reference to specific preferred embodiments, this must not be construed as a limitation of the invention itself. Various changes in form and detail may be made without departing from the spirit and scope of the invention as defined in the appended claims.

Claims (6)

1. a kind of cloud security CDN system for XSS attack, it is characterised in that:It is described including CDN server and Cloud Server CDN server includes suspicious requests judgment module and reverse proxy module, the suspicious requests judgment module, for client The request of transmission is judged, and suspicious requests are committed to Cloud Server and are analyzed;
The reverse proxy module, for receive suspicious requests judgment module transmission be not present the request of suspected threat, and general There is no the requests of suspected threat to be sent to Web server;
The Cloud Server includes Situation Awareness module, requirement analysis module, request filtering module and journal module, the situation Sensing module, the data structure Situation Awareness library for being stored according to journal module;
The requirement analysis module, for carrying out security threat detection and level of security threat evaluation to suspicious requests, and will knot Fruit feeds back to CDN server;
The request filtering module, the low-risk for receiving the transmission of requirement analysis module ask and in low-risk request progress Hold filtering, filtered safe result is then fed back into CDN server;
The journal module, for storing suspicious requests judgment module, reverse proxy module, Situation Awareness module, requirement analysis All operation informations of module, request filtering module.
2. A cloud security CDN monitoring method for XSS attacks, characterised in that it comprises the following steps:
S1: the client sends an HTTP request to the suspicious request judgment module of the CDN server; the suspicious request judgment module makes a preliminary judgment on the HTTP request, sends the preliminary judgment result to the log module, and executes step S2 or step S3 according to the preliminary judgment result;
S2: if no suspected threat is present in the HTTP request, it is determined to be a normal request; the normal request is sent to the reverse proxy module, and the reverse proxy module then sends the normal request to the Web server;
S3: if a suspected threat is present in the HTTP request, it is determined to be a suspicious request; the suspicious request is sent to the request analysis module of the Cloud Server, the request analysis module makes a secondary judgment on the suspicious request, sends the secondary judgment result to the log module, and executes step S4 or step S5 according to the secondary judgment result;
S4: if no security threat is present in the suspicious request, it is determined to be a threat-free request; the threat-free request is sent to the reverse proxy module, and the reverse proxy module then submits the threat-free request to the Web server;
S5: if a security threat is present in the suspicious request, it is determined to be a threatening request; the request analysis module retrieves the Situation Awareness library from the Situation Awareness module and performs a deep analysis of the threatening request to determine its threat level, sends the analysis result to the log module for storage, and then executes step S6 or step S7 according to the threat level of the threatening request;
S6: if the risk of the threatening request is high, the request analysis module determines it to be an intrusion behaviour, and the request is terminated;
S7: if the risk of the threatening request is low, the request analysis module determines it to be a client misoperation; the request analysis module sends the misoperation request to the request filtering module, the request filtering module performs information filtering on the misoperation request by escaping or replacing the dangerous code in the request to obtain a safe request, the request filtering module sends the safe request to the reverse proxy module, and the reverse proxy module then submits the safe request to the Web server.
3. The cloud security CDN monitoring method for XSS attacks according to claim 2, characterised in that: the log module obtains the information of all operations from the suspicious request judgment module, the reverse proxy module, the Situation Awareness module, the request analysis module and the request filtering module.
4. The cloud security CDN monitoring method for XSS attacks according to claim 3, characterised in that: the Situation Awareness module uses network situation awareness technology to perform an overall analysis of network device operating conditions, network behaviour and user behaviour, so as to obtain, understand and display all security factors that can cause the network situation to change; it extracts all threat behaviours from these and assesses their security threat levels, so as to build the Situation Awareness library.
5. The cloud security CDN monitoring method for XSS attacks according to claim 4, characterised in that: the Situation Awareness module can extract novel threat behaviours from the log module and assess the security threat level of the novel threat behaviours, so as to update the Situation Awareness library and obtain a new Situation Awareness library.
6. The cloud security CDN monitoring method for XSS attacks according to claim 5, characterised in that: the Situation Awareness module can analyse and process as a whole the log data stored by the log module, combined with client behaviour judgment, so as to extract relevant characteristic information and generate a situation view.
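The S1 to S7 flow of claim 2, as an added example in Python that is not part of the patent: a broad preliminary check at the CDN edge, a cloud-side score against a stand-in Situation Awareness library, and the terminate-or-escape decision for threatening requests. The heuristic patterns, the library weights, the HIGH_RISK threshold and the request dictionary layout are assumptions made for illustration.

```python
import html
import re

# Edge-side heuristic for the preliminary judgment (S1); constructed for this example and
# deliberately broad, since the cloud tier (S3-S7) makes the final decision.
SUSPICIOUS = re.compile(r"[<>]|javascript:|on\w+\s*=", re.I)

# Stand-in for the Situation Awareness library: XSS indicator -> threat weight
# (patterns, weights and the HIGH_RISK threshold are constructed assumptions).
SITUATION_LIBRARY = {
    r"<\s*script": 5,
    r"document\.cookie": 5,
    r"javascript:": 4,
    r"on\w+\s*=": 3,
    r"<\s*(img|svg|iframe)": 2,
}
HIGH_RISK = 6   # score at or above this is treated as an intrusion (S6)
LOG = []        # stand-in for the log module; every stage appends its result

def make_request(rid, query, body=""):
    return {"id": rid, "query": query, "body": body}

def preliminary_judgment(req):
    """S1: the CDN server's suspicious request judgment module."""
    text = req["query"] + "\n" + req["body"]
    suspicious = SUSPICIOUS.search(text) is not None
    LOG.append(("cdn", req["id"], "suspicious" if suspicious else "normal"))
    return suspicious

def threat_score(req):
    """S3/S5: the request analysis module scores the request against the library."""
    text = req["query"] + "\n" + req["body"]
    score = sum(w for pat, w in SITUATION_LIBRARY.items() if re.search(pat, text, re.I))
    LOG.append(("cloud", req["id"], score))
    return score

def filter_request(req):
    """S7: the request filtering module escapes dangerous markup rather than dropping it."""
    return {**req, "query": html.escape(req["query"]), "body": html.escape(req["body"])}

def handle(req):
    """Run one request through S1-S7; returns ('forward', request) or ('terminate', None)."""
    if not preliminary_judgment(req):
        return "forward", req                 # S2: normal request, straight to the reverse proxy
    score = threat_score(req)
    if score == 0:
        return "forward", req                 # S4: suspicious at the edge but threat-free
    if score >= HIGH_RISK:
        return "terminate", None              # S6: high risk, intrusion, request terminated
    return "forward", filter_request(req)     # S7: low risk misoperation, sanitised and forwarded
```

A query such as `expr=a<b` is flagged at the edge but scores zero in the cloud and is forwarded unchanged (S4), which is what keeps the broad edge heuristic from turning into false blocks.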
CN201810634321.5A 2018-06-19 2018-06-19 A kind of cloud security CDN system and monitoring method for XSS attack Pending CN108683685A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810634321.5A CN108683685A (en) 2018-06-19 2018-06-19 A kind of cloud security CDN system and monitoring method for XSS attack

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810634321.5A CN108683685A (en) 2018-06-19 2018-06-19 A kind of cloud security CDN system and monitoring method for XSS attack

Publications (1)

Publication Number Publication Date
CN108683685A true CN108683685A (en) 2018-10-19

Family

ID=63811554

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810634321.5A Pending CN108683685A (en) 2018-06-19 2018-06-19 A kind of cloud security CDN system and monitoring method for XSS attack

Country Status (1)

Country Link
CN (1) CN108683685A (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109508548A (en) * 2018-11-19 2019-03-22 四川长虹电器股份有限公司 A kind of threat behavior gathering system and method based on emulator technology
CN109543404A (en) * 2018-12-03 2019-03-29 北京芯盾时代科技有限公司 A kind of methods of risk assessment and device of access behavior
CN109766715A (en) * 2018-12-24 2019-05-17 贵州航天计量测试技术研究所 One kind is towards the leakage-preventing automatic identifying method of big data environment privacy information and system
CN110795677A (en) * 2019-11-12 2020-02-14 成都知道创宇信息技术有限公司 CDN node distribution method and device
CN111416724A (en) * 2019-01-04 2020-07-14 天津科技大学 Server intrusion detection alarm design method
CN113206840A (en) * 2021-04-19 2021-08-03 三江学院 Intelligent security CDN system for moving target defense
CN114189376A (en) * 2021-12-07 2022-03-15 中国电子科技集团公司第三十研究所 CDN service platform-based cloud host state information security monitoring method

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106506545A (en) * 2016-12-21 2017-03-15 深圳市深信服电子科技有限公司 A kind of network security threats assessment system and method
CN107046543A (en) * 2017-04-26 2017-08-15 国家电网公司 A kind of threat intelligence analysis system traced to the source towards attack


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
钱铭铭等: "一种基于XSS攻击防御的安全CDN研究", 《网络安全技术与应用》 *

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109508548A (en) * 2018-11-19 2019-03-22 四川长虹电器股份有限公司 A kind of threat behavior gathering system and method based on emulator technology
CN109508548B (en) * 2018-11-19 2022-06-03 四川长虹电器股份有限公司 Threat behavior collecting system and method based on simulator technology
CN109543404A (en) * 2018-12-03 2019-03-29 北京芯盾时代科技有限公司 A kind of methods of risk assessment and device of access behavior
CN109543404B (en) * 2018-12-03 2019-10-25 北京芯盾时代科技有限公司 A kind of methods of risk assessment and device of access behavior
CN109766715A (en) * 2018-12-24 2019-05-17 贵州航天计量测试技术研究所 One kind is towards the leakage-preventing automatic identifying method of big data environment privacy information and system
CN109766715B (en) * 2018-12-24 2023-07-25 贵州航天计量测试技术研究所 Big data environment-oriented privacy information anti-leakage automatic identification method and system
CN111416724A (en) * 2019-01-04 2020-07-14 天津科技大学 Server intrusion detection alarm design method
CN110795677A (en) * 2019-11-12 2020-02-14 成都知道创宇信息技术有限公司 CDN node distribution method and device
CN113206840A (en) * 2021-04-19 2021-08-03 三江学院 Intelligent security CDN system for moving target defense
CN114189376A (en) * 2021-12-07 2022-03-15 中国电子科技集团公司第三十研究所 CDN service platform-based cloud host state information security monitoring method
CN114189376B (en) * 2021-12-07 2023-05-16 中国电子科技集团公司第三十研究所 Cloud host state information security monitoring method based on CDN service platform

Similar Documents

Publication Publication Date Title
CN108683685A (en) A kind of cloud security CDN system and monitoring method for XSS attack
US10909241B2 (en) Event anomaly analysis and prediction
US11689557B2 (en) Autonomous report composer
US20210019674A1 (en) Risk profiling and rating of extended relationships using ontological databases
EP4111343A1 (en) An artificial intelligence adversary red team
CN103733590B (en) Compiler for regular expressions
US20210021616A1 (en) Method and system for classifying data objects based on their network footprint
Tan et al. A graph-theoretic approach for the detection of phishing webpages
CN112131882A (en) Multi-source heterogeneous network security knowledge graph construction method and device
Desai et al. Malicious web content detection using machine leaning
CN114679338A (en) Network risk assessment method based on network security situation awareness
US10505986B1 (en) Sensor based rules for responding to malicious activity
CN110602021A (en) Safety risk value evaluation method based on combination of HTTP request behavior and business process
Zhang et al. Cross-site scripting (XSS) detection integrating evidences in multiple stages
CN114070642A (en) Network security detection method, system, device and storage medium
Kumar et al. Cross site scripting (xss) vulnerability detection using machine learning and statistical analysis
CN114465741B (en) Abnormality detection method, abnormality detection device, computer equipment and storage medium
US20230087309A1 (en) Cyberattack identification in a network environment
KR20230024184A (en) Apparatus for processing cyber threat information, method for processing cyber threat information, and medium for storing a program processing cyber threat information
Liao et al. An Intelligent Cyber Threat Classification System
CN114338195A (en) Web traffic anomaly detection method and device based on improved isolated forest algorithm
CN112804192A (en) Method, apparatus, electronic device, program, and medium for monitoring hidden network leakage
CN107341396A (en) Intrusion detection method, device and server
Khatun et al. An Approach to Detect Phishing Websites with Features Selection Method and Ensemble Learning
CN113806732B (en) Webpage tampering detection method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20181019