CN109167754A - Network application layer security protection system - Google Patents


Publication number
CN109167754A
CN109167754A CN201810832633.7A CN201810832633A CN109167754A CN 109167754 A CN109167754 A CN 109167754A CN 201810832633 A CN201810832633 A CN 201810832633A CN 109167754 A CN109167754 A CN 109167754A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201810832633.7A
Other languages
Chinese (zh)
Other versions
CN109167754B (en)
Inventor
施雪成
姚金利
陈志浩
吴明杰
常承伟
贾琼
曾淑娟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Institute of Computer Technology and Applications
Original Assignee
Beijing Institute of Computer Technology and Applications

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
        • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
                • H04L63/1441 Countermeasures against malicious traffic
                    • H04L63/1458 Denial of Service
                • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                    • H04L63/1416 Event detection, e.g. attack signature detection
                    • H04L63/1425 Traffic logging, e.g. anomaly detection
            • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
                • H04L63/0227 Filtering policies
                    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
            • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
                • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
            • H04L63/16 Implementing security features at a particular protocol layer
                • H04L63/168 Implementing security features at a particular protocol layer above the transport layer
        • H04L67/00 Network arrangements or protocols for supporting network services or applications
            • H04L67/01 Protocols
                • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
                • H04L67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
            • H04L67/14 Session management


Abstract

The invention discloses a network application layer security protection system comprising: a packet parsing module that examines and parses messages, including SSL decryption, encoding/decoding standardization and normalization, and extraction of message fields, and then sends the extracted message features to a detection module for attack detection; the detection module, which includes a filter, a blacklist/whitelist detection module and a feature matching module; a behavior analysis module that performs DDoS attack verification on the message feature data that has passed the detection module and outputs the messages that pass verification to the Web server; and a log audit module that audits behavior and anomalies during Web protection. During feature parsing and matching, Web mail uploads and SMTP and FTP outbound data transfers are sent to the log audit module to be recorded and analyzed, and during security protection, accesses that violate policies and rules are recorded.

Description

Network application layer security protection system
Technical field
The invention belongs to the technical field of network security, and in particular relates to a network application layer security protection system.
Background art
With the rapid development of networks, the efficiency, ease of use and timeliness of Web services have led a large number of organizations to move their business to the Web application layer. E-commerce, e-government, online banking and social networking sites are all accessed as Web applications, and Web applications have become an indispensable part of people's lives. However, as Web applications develop rapidly, the security situation gives no cause for optimism, and the security risk at the Web level keeps rising. According to statistics, 75% of network attacks occur at the Web application layer. More seriously, traditional security measures (network firewalls, IDS/IPS and antivirus software) cannot effectively stop Web application layer attacks, and Web application layer protection has become the best weapon against them.
Summary of the invention
The purpose of the present invention is to provide a network application layer security protection system that solves the above problems of the prior art.
A network application layer security protection system according to the present invention comprises a log audit module, a detection module, a behavior analysis module and a packet parsing module. The packet parsing module examines and parses messages, including SSL decryption, encoding/decoding standardization and normalization, and extraction of message fields, and then sends the extracted message features to the detection module for attack detection. The detection module includes a filter, a blacklist/whitelist detection module and a feature matching module. The filter matches malicious characters; if a match is found the message is discarded, otherwise the message features are sent to the blacklist/whitelist detection module. The blacklist/whitelist detection module filters and restricts the IP addresses of incoming message features, and sends the message features whose IP address passes the blacklist/whitelist detection module to the feature matching module. The feature matching module compares data packets against the features in the intrusion feature database to identify attack behavior; if attack behavior is identified, the corresponding packet is dropped. The behavior analysis module performs DDoS attack verification on the message feature data that has passed the detection module and outputs the messages that pass verification to the Web server. The log audit module audits behavior and anomalies during Web protection: during feature parsing and matching, Web mail uploads and SMTP and FTP outbound data transfers are sent to the log audit module to be recorded and analyzed, and during security protection, accesses that violate policies and rules are recorded.
In one embodiment of the network application layer security protection system according to the invention, the behavior analysis module performs behavior analysis on the subject, object and time attributes of application accesses and, in combination with session management, counts the frequency with which a single IP accesses the Web service, so as to identify and block DDoS attacks.
In one embodiment of the network application layer security protection system according to the invention, the packet parsing module includes an SSL decryption/encryption module, an encoding standardization module and a message field extraction module. The SSL encryption/decryption module handles HTTP messages sent from the client, determines the destination Web server to which a message is forwarded according to the HOST field, calls the corresponding SSL certificate and key to decrypt the message, sends the plaintext to the encoding standardization module, and encrypts Web server response messages and forwards them to the client. The encoding standardization module standardizes message data uniformly; it is responsible for processing HTTP messages and first normalizes and standardizes the various encodings and character sets. The message field extraction module extracts the content of HTTP request and response messages after encoding standardization: it extracts the HOST field in the request header and the body of POST requests and, for response messages, also extracts the SetCookie field, and sends the result to the detection module.
In one embodiment of the network application layer security protection system according to the invention, the behavior analysis module includes a behavior analysis module and a session management module. The behavior analysis module is based on learning from application accesses: it records the attributes of normal application accesses through learning, builds a behavior feature library, and performs behavior analysis on application accesses according to that library, so as to identify access behavior with abnormal attributes. The session management module performs IP authentication using the Session, counts the number of accesses from a single IP, and blocks promptly once the threshold is exceeded, so as to prevent application-layer DDoS attacks.
In one embodiment of the network application layer security protection system according to the invention, the attributes of normal application accesses include: subject attributes, object attributes, time attributes, parameter attributes and statistical attributes.
In one embodiment of the network application layer security protection system according to the invention, the feature matching module analyzes each content feature of a message, parses every feature and represents it with a regular-expression attribute grammar, and matches the features of the message under inspection against the feature strings in the intrusion feature database; if a match succeeds, the message is judged to be attack behavior and the corresponding packet is dropped.
In one embodiment of the network application layer security protection system according to the invention, in the blacklist/whitelist detection module, if the corresponding IP address is in the blacklist, messages from that IP address are rejected directly; if the corresponding IP address is in the whitelist, the message is sent to an anomaly detection module, which detects attacks that maliciously tamper with the HTTP protocol specification and input parameters.
The present invention addresses the problem of multiple types of network application layer attack and proposes a network application layer security protection system. Through application-layer packet parsing and preprocessing it extracts the features of different application layer protocols; the detection module performs special-character filtering and feature matching, and dynamic behavior analysis of messages is carried out, so that malicious attack messages are filtered out and effective protection is provided against malicious network attacks such as SQL injection, XSS and DDoS attacks.
Brief description of the drawings
Fig. 1 is a schematic diagram of the network application layer security protection system;
Fig. 2 is a schematic diagram of the workflow of the packet parsing module;
Fig. 3 is a flow chart of the inspection and security protection of one complete HTTP request message.
Detailed description of the embodiments
To make the purpose, content and advantages of the present invention clearer, specific embodiments of the invention are described in further detail below with reference to the drawings and examples.
Fig. 1 is a schematic diagram of the network application layer security protection system. As shown in Fig. 1, the network application layer security protection system includes: log audit module 2, detection module 4, behavior analysis module 3 and packet parsing module 1.
As shown in Fig. 1, the application layer security protection system consists of packet parsing module 1, detection module 4, behavior analysis module 3 and log audit module 2.
Fig. 2 is a schematic diagram of the workflow of the packet parsing module. As shown in Fig. 1 and Fig. 2, packet parsing module 1 includes SSL decryption/encryption module 11, encoding standardization module 12 and message field extraction module 13. The output of packet parsing module 1 is exactly what the rule-matching filtering of detection module 4 operates on, so the quality of parsing directly affects the protection provided by the application layer Web firewall. The main function of packet parsing module 1 is to parse messages of different application layer protocols, including HTTP/HTTPS, SMTP and FTP, obtain the fields to be inspected, and submit them to the feature matching engine for Web attack detection. Because more and more high-security Web applications mainly use the HTTPS protocol, SSL-encrypted traffic must be decrypted in order to detect all attacks effectively.
As shown in Fig. 1 and Fig. 2, SSL (Secure Socket Layer) sits between the TCP/IP protocols and the various application layer protocols and provides security support for data communication. SSL encryption/decryption module 11 handles HTTP messages sent from the client, determines the destination Web server to which a message is forwarded according to the HOST field, calls the corresponding SSL certificate and key to decrypt the message, and sends the plaintext to encoding standardization module 12; it is also responsible for encrypting Web server response messages and forwarding them to the client.
As shown in Fig. 1 and Fig. 2, because of the particular nature of Web applications, they support various character sets and multiple encoding standards. These can become the main means by which an attacker bypasses existing defenses. Encoding standardization module 12 standardizes the input data uniformly, laying the technical groundwork for detection module 4 to block various attacks effectively. Encoding standardization module 12 is responsible for processing HTTP messages: it first normalizes and standardizes the various encodings, such as URL encoding and Unicode encoding, and the various character sets, such as UTF-8 and GB2312, effectively identifying each kind of encoding and restoring the original content, so that variant attacks that use different encodings or different character sets cannot bypass the defenses.
As shown in Fig. 1 and Fig. 2, message field extraction module 13 extracts the content of HTTP request and response messages after standardization by encoding standardization module 12, extracting the HOST field in the request header and the body of POST requests. For response messages, it also extracts content such as the SetCookie field. Message field extraction module 13 sends the extracted message features (characters) to detection module 4.
As shown in Fig. 1 and Fig. 2, detection module 4 mainly consists of filter 41, blacklist/whitelist detection module 42 and feature matching module 43.
Fig. 3 is a flow chart of the inspection and security protection of one complete HTTP request message. As shown in Fig. 3, filter 41 matches malicious characters; if a match is found the message is discarded, otherwise the message features are sent to blacklist/whitelist detection module 42. The main design idea is that any effective SQL injection attack arises because malicious input becomes part of a database query or command. The malicious input therefore has to close the preceding part of the code in the program or truncate the code that follows it, and the inserted database operations have to make use of various whitespace characters. Filtering special characters such as the various closing and truncating characters, whitespace characters and database-language comment characters can therefore effectively prevent injection vulnerabilities.
As shown in Fig. 3, blacklist/whitelist detection module 42 filters and effectively restricts the IP addresses of incoming message features. In addition to the common rule set, specific rules can be customized as needed: the whitelist module is used to constrain user input, and the blacklist module blocks certain malicious input and access to sensitive information such as database files and configuration files. If the corresponding IP address is in the blacklist the message is rejected directly; if it is in the whitelist the message is sent to the anomaly detection module. The anomaly detection module detects attacks that maliciously tamper with the HTTP protocol specification, input parameters and the like, adding a further layer of protection to achieve defense in depth. If an IP address in the whitelist module passes the anomaly detection module, the message is forwarded directly to behavior analysis module 3.
As shown in Fig. 3, feature matching module 43 is responsible for comparing data packets against the features in the intrusion feature database to identify attack behavior. The feature parsing module reads the message, analyzes each content feature of the message, parses every feature and represents it with a regular-expression attribute grammar. The feature matching module matches the features of the message under inspection against the feature strings in the intrusion feature database; if a match succeeds, the message is judged to be attack behavior and the corresponding packet is dropped.
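The following Python example is added here and is not part of the patent text; it shows why encoding standardization (module 12) has to run before regular-expression feature matching (module 43), by matching the same request bodies with and without normalization. The three signatures, the decode-round limit and all sample inputs are constructed assumptions, and the fullwidth-character folding goes slightly beyond the encodings the description lists.

```python
import re
import unicodedata
from urllib.parse import unquote_plus

MAX_DECODE_ROUNDS = 5  # assumed bound on nested URL-encoding layers

# Constructed stand-in for the intrusion feature database: name -> regular expression.
SIGNATURES = {
    "sqli-union-select": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "sqli-tautology": re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+"),
    "xss-script-tag": re.compile(r"<\s*script\b"),
}
SQL_INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.S)
WHITESPACE_RUN = re.compile(r"\s+")


def decode_bytes(raw: bytes) -> str:
    """Decode with the character sets the description names, UTF-8 first."""
    for charset in ("utf-8", "gb2312"):
        try:
            return raw.decode(charset)
        except UnicodeDecodeError:
            continue
    return raw.decode("latin-1")  # total mapping, cannot fail


def normalize(raw: bytes):
    """Return (canonical_text, exhausted); exhausted means layers remained after the limit."""
    text = decode_bytes(raw)
    exhausted = True
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote_plus(text)       # undo one layer of URL encoding
        if decoded == text:                # fixed point: nothing left to decode
            exhausted = False
            break
        text = decoded
    text = unicodedata.normalize("NFKC", text)  # fold fullwidth/compatibility forms
    text = SQL_INLINE_COMMENT.sub(" ", text)    # comments used as token separators
    text = WHITESPACE_RUN.sub(" ", text)        # collapse tabs, newlines, runs of spaces
    return text.lower().strip(), exhausted


def match_signatures(text: str):
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(text))


def detect(raw: bytes):
    """Normalize first, then match; an input that cannot be fully decoded is itself a finding."""
    text, exhausted = normalize(raw)
    findings = match_signatures(text)
    if exhausted:
        findings.append("excessive-encoding-depth")
    return sorted(findings)


def detect_without_normalization(raw: bytes):
    """Same signatures applied to the bytes as received, for comparison."""
    return match_signatures(raw.decode("latin-1").lower())


# Constructed sample request bodies.
SAMPLES = {
    "double-url-encoded": b"id=1%2527%2520OR%2520%25271%2527%253D%25271",
    "comment-as-separator": b"q=1+UNION/**/SELECT+name+FROM+users",
    "fullwidth-letters": "q=1 \uff35\uff2e\uff29\uff2f\uff2e \uff33\uff25\uff2c\uff25\uff23\uff34 name".encode("utf-8"),
    "benign": b"q=student+union+elections",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, detect_without_normalization(body), detect(body))
```
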
As shown in Fig. 3, behavior analysis module 3 mainly consists of behavior analysis 31 and a session management module, and is an effective means of defending against DDoS attacks.
As shown in Fig. 3, behavior analysis 31 is based on learning from application accesses and records the attributes of normal application accesses through learning. These attributes span multiple dimensions: subject attributes, object attributes, time attributes, parameter attributes and statistical attributes. A behavior feature library is built through learning, and behavior analysis is performed on application accesses according to that library, so as to identify access behavior with abnormal attributes. If an attack on the Web server has been found through behavior analysis.
As shown in Fig. 3, session management module 32 can effectively defend against application-layer DDoS attacks. The session-based session management module 32 can effectively compensate for session management weaknesses in the Web application itself, and session-based verification rules can also effectively defend against application-layer DDoS attacks. IP authentication is performed using the Session, the number of accesses from a single IP is counted, and accesses beyond the threshold are blocked promptly. Inserting a "Refresh" variable prevents malicious refreshing; this effectively limits access to time-consuming pages while having little effect on normal access, and effectively prevents application-layer DDoS attacks.
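The following Python example is added here and is not part of the patent text; it implements the per-IP counting and threshold blocking described for session management module 32 and replays it over a few constructed access-log lines. The class and function names, the limits, and the reading of the "Refresh" variable as a minimum interval between requests to a time-consuming page are assumptions made for illustration.

```python
from collections import defaultdict, deque


class SessionGuard:
    """Per-IP request counting with threshold blocking; all limits are assumed values."""

    def __init__(self, max_requests=5, window_s=10.0, block_s=60.0,
                 slow_paths=("/report",), min_refresh_s=2.0):
        self.max_requests = max_requests    # requests allowed per window
        self.window_s = window_s            # sliding window length in seconds
        self.block_s = block_s              # how long an offending IP stays blocked
        self.slow_paths = set(slow_paths)   # time-consuming pages (assumed list)
        self.min_refresh_s = min_refresh_s  # assumed meaning of the "Refresh" variable
        self._hits = defaultdict(deque)     # ip -> timestamps inside the window
        self._blocked_until = {}            # ip -> time at which the block expires
        self._last_slow = {}                # (ip, path) -> last time the page was served

    def check(self, ip, path, now):
        """Return 'allow', 'blocked' or 'refresh-too-fast' for one request."""
        until = self._blocked_until.get(ip)
        if until is not None:
            if now < until:
                return "blocked"
            del self._blocked_until[ip]     # block expired, start counting again

        hits = self._hits[ip]
        while hits and now - hits[0] >= self.window_s:
            hits.popleft()                  # forget requests older than the window
        hits.append(now)
        if len(hits) > self.max_requests:
            self._blocked_until[ip] = now + self.block_s
            hits.clear()
            return "blocked"

        if path in self.slow_paths:
            last = self._last_slow.get((ip, path))
            if last is not None and now - last < self.min_refresh_s:
                return "refresh-too-fast"   # rapid reload of an expensive page
            self._last_slow[(ip, path)] = now
        return "allow"

    def sweep(self, now):
        """Drop state for idle IPs so the tables cannot grow without bound."""
        for ip in [ip for ip, h in self._hits.items()
                   if not h or now - h[-1] >= self.window_s]:
            del self._hits[ip]
        for ip in [ip for ip, t in self._blocked_until.items() if now >= t]:
            del self._blocked_until[ip]


# Constructed access log: "<seconds> <client ip> <path>" (documentation address ranges).
SAMPLE_LOG = """\
0.0 192.0.2.10 /index
0.0 198.51.100.7 /search
0.1 198.51.100.7 /search
0.2 198.51.100.7 /search
0.3 198.51.100.7 /search
0.4 198.51.100.7 /search
0.5 198.51.100.7 /search
0.6 198.51.100.7 /search
0.7 198.51.100.7 /search
1.0 192.0.2.10 /report
1.5 192.0.2.10 /report
4.0 192.0.2.10 /report
70.0 198.51.100.7 /search
"""


def replay(log_text, guard=None):
    """Run every log line through the guard and return (ip, path, verdict) tuples."""
    guard = guard or SessionGuard()
    verdicts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, path = line.split()
        verdicts.append((ip, path, guard.check(ip, path, float(ts))))
    return verdicts


if __name__ == "__main__":
    for row in replay(SAMPLE_LOG):
        print(*row)
```
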
As shown in Fig. 1 to Fig. 3, log audit module 2 audits behavior and anomalies during Web protection. During feature parsing and matching, behaviors such as Web mail uploads and SMTP and FTP outbound data transfers are sent to the log audit module to be recorded and analyzed. In addition, during security protection, accesses that violate policies and rules are recorded, to facilitate later statistical analysis and evidence collection.
As shown in Fig. 1 to Fig. 3, the working principle of the network application layer security protection system of the invention is as follows:
Packet parsing. After a client initiates an application access request to the Web server, packet parsing module 1 first examines and parses the message, including SSL decryption, encoding/decoding standardization and normalization, and extraction of message fields, and then sends the extracted message feature information to the subsequent detection module 4 for attack detection.
After detection module 4 receives the feature information of the message, it first filters out special characters that can lead to malicious attacks, then screens the feature information against the blacklist and whitelist to block message information that carries attack features, and finally compares the feature information against the intrusion feature database to identify attack traffic. Attack detection effectively prevents high-frequency Web attacks such as SQL injection and XSS.
The traffic that reaches behavior analysis module 3 through packet parsing module 1 and detection module 4 is normal access traffic that has been screened and filtered. At this point behavior analysis is performed on attributes of the application access such as subject, object and time, and the frequency with which a single IP accesses the Web service is counted in combination with session management, so as to effectively identify and block DDoS attacks.
Log audit module 2 records the anomaly information that arises during application layer security protection, including records of accesses that violate policies and rules. It also audits behaviors such as Web mail uploads and SMTP and FTP outbound data transfers, to facilitate later statistical analysis.
The present invention addresses the problem of multiple types of network application layer attack and proposes a network application layer security protection system. Through application-layer packet parsing and preprocessing it extracts the features of different application layer protocols; the detection module performs special-character filtering and feature matching, and dynamic behavior analysis of messages is carried out, so that malicious attack messages are filtered out and effective protection is provided against malicious network attacks such as SQL injection, XSS and DDoS attacks.
The above is only a preferred embodiment of the present invention. It should be noted that those of ordinary skill in the art can make a number of improvements and variations without departing from the technical principles of the invention, and these improvements and variations should also be regarded as falling within the scope of protection of the invention.

Claims (7)

1. A network application layer security protection system, characterized by comprising: a log audit module, a detection module, a behavior analysis module and a packet parsing module;
the packet parsing module examines and parses messages, including SSL decryption, encoding/decoding standardization and normalization, and extraction of message fields, and then sends the extracted message features to the detection module for attack detection;
the detection module includes a filter, a blacklist/whitelist detection module and a feature matching module;
the filter matches malicious characters; if a match is found the message is discarded, otherwise the message features are sent to the blacklist/whitelist detection module;
the blacklist/whitelist detection module filters and restricts the IP addresses of incoming message features, and sends the message features whose IP address passes the blacklist/whitelist detection module to the feature matching module;
the feature matching module compares data packets against the features in the intrusion feature database to identify attack behavior; if attack behavior is identified, the corresponding packet is dropped;
the behavior analysis module performs DDoS attack verification on the message feature data that has passed the detection module and outputs the messages that pass verification to the Web server;
the log audit module audits behavior and anomalies during Web protection; during feature parsing and matching, Web mail uploads and SMTP and FTP outbound data transfers are sent to the log audit module to be recorded and analyzed, and during security protection, accesses that violate policies and rules are recorded.
2. The network application layer security protection system according to claim 1, characterized in that the behavior analysis module performs behavior analysis on the subject, object and time attributes of application accesses and, in combination with session management, counts the frequency with which a single IP accesses the Web service, so as to identify and block DDoS attacks.
3. The network application layer security protection system according to claim 1, characterized in that the packet parsing module includes an SSL decryption/encryption module, an encoding standardization module and a message field extraction module;
the SSL encryption/decryption module handles HTTP messages sent from the client, determines the destination Web server to which a message is forwarded according to the HOST field, calls the corresponding SSL certificate and key to decrypt the message, sends the plaintext to the encoding standardization module, and encrypts Web server response messages and forwards them to the client;
the encoding standardization module standardizes message data uniformly, is responsible for processing HTTP messages, and first normalizes and standardizes the various encodings and character sets;
the message field extraction module extracts the content of HTTP request and response messages after encoding standardization, extracting the HOST field in the request header and the body of POST requests and, for response messages, also extracting the SetCookie field, and sends the result to the detection module.
4. The network application layer security protection system according to claim 1, characterized in that the behavior analysis module includes a behavior analysis module and a session management module;
the behavior analysis module is based on learning from application accesses: it records the attributes of normal application accesses through learning, builds a behavior feature library, and performs behavior analysis on application accesses according to the behavior feature library, so as to identify access behavior with abnormal attributes;
the session management module performs IP authentication using the Session, counts the number of accesses from a single IP, and blocks promptly once the threshold is exceeded, so as to prevent application-layer DDoS attacks.
5. The network application layer security protection system according to claim 4, characterized in that the attributes of normal application accesses include: subject attributes, object attributes, time attributes, parameter attributes and statistical attributes.
6. The network application layer security protection system according to claim 1, characterized in that the feature matching module analyzes each content feature of a message, parses every feature and represents it with a regular-expression attribute grammar, and matches the features of the message under inspection against the feature strings in the intrusion feature database; if a match succeeds, the message is judged to be attack behavior and the corresponding packet is dropped.
7. The network application layer security protection system according to claim 1, characterized in that, in the blacklist/whitelist detection module, if the corresponding IP address is in the blacklist, messages from that IP address are rejected directly; if the corresponding IP address is in the whitelist, the message is sent to an anomaly detection module, which detects attacks that maliciously tamper with the HTTP protocol specification and input parameters.
Priority Applications (1)

Application Number    Priority Date    Filing Date    Title
CN201810832633.7A     2018-07-26       2018-07-26     Network application layer safety protection system

Publications (2)

Publication Number    Publication Date
CN109167754A          2019-01-08
CN109167754B          2021-03-02

Family

ID=64898252

Family Applications (1)

Application Number    Status    Publication
CN201810832633.7A     Active    CN109167754B (en)

Country Status (1)

Country    Link
CN (1)     CN109167754B (en)

Cited By (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109698840A (en) * 2019-02-27 2019-04-30 新华三大数据技术有限公司 Detect DHCP malicious event method and device
CN110177113A (en) * 2019-06-06 2019-08-27 北京奇艺世纪科技有限公司 Internet guard system and access request processing method
CN110545259A (en) * 2019-07-27 2019-12-06 苏州哈度软件有限公司 application layer attack protection method based on message replacement and protection system thereof
CN110933069A (en) * 2019-11-27 2020-03-27 上海明耿网络科技有限公司 Network protection method, device and storage medium
US20200258004A1 (en) * 2017-01-20 2020-08-13 Cybraics, Inc. Methods and systems for analyzing cybersecurity threats
CN111641589A (en) * 2020-04-30 2020-09-08 中国移动通信集团有限公司 Advanced sustainable threat detection method, system, computer and storage medium
CN111683102A (en) * 2020-06-17 2020-09-18 绿盟科技集团股份有限公司 FTP behavior data processing method, and method and device for identifying abnormal FTP behavior
CN111953668A (en) * 2020-07-30 2020-11-17 中国工商银行股份有限公司 Network security information processing method and device
CN112001533A (en) * 2020-08-06 2020-11-27 众安信息技术服务有限公司 Parameter detection method and device and computer system
CN112272186A (en) * 2020-10-30 2021-01-26 深信服科技股份有限公司 Network flow detection framework, method, electronic equipment and storage medium
CN112751839A (en) * 2020-12-25 2021-05-04 江苏省未来网络创新研究院 Anti-virus gateway processing acceleration strategy based on user traffic characteristics
CN113114609A (en) * 2020-01-13 2021-07-13 国际关系学院 Webshell detection evidence obtaining method and system
CN113141331A (en) * 2020-01-17 2021-07-20 深信服科技股份有限公司 XSS attack detection method, device, equipment and medium
CN113297577A (en) * 2021-06-16 2021-08-24 深信服科技股份有限公司 Request processing method and device, electronic equipment and readable storage medium
CN113612800A (en) * 2021-09-08 2021-11-05 中国工商银行股份有限公司 Network attack processing method, device, system, device, medium and program product
CN113645224A (en) * 2021-08-09 2021-11-12 杭州安恒信息技术股份有限公司 Network attack detection method, device, equipment and storage medium
CN113676473A (en) * 2021-08-19 2021-11-19 中国电信股份有限公司 Network service safety protection device, method and storage medium
CN113992423A (en) * 2021-11-05 2022-01-28 枣庄科技职业学院 Computer network firewall with high safety and use method thereof
CN115412359A (en) * 2022-09-02 2022-11-29 中国电信股份有限公司 Web application security protection method and device, electronic equipment and storage medium
CN115801459A (en) * 2023-02-03 2023-03-14 北京六方云信息技术有限公司 Message detection method, device, system and storage medium
CN116107912A (en) * 2023-04-07 2023-05-12 石家庄学院 Security detection method and system based on application software
CN116633594A (en) * 2023-04-18 2023-08-22 上海亿阁科技有限公司 Flamingo gateway security system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100107229A1 (en) * 2008-10-29 2010-04-29 Maryam Najafi Method and Apparatus for Mobile Time-Based UI for VIP
CN104917776A (en) * 2015-06-23 2015-09-16 北京威努特技术有限公司 Industrial control network safety protection equipment and industrial control network safety protection method
CN105049437A (en) * 2015-08-04 2015-11-11 浪潮电子信息产业股份有限公司 Method for filtering network application layer data
CN105391703A (en) * 2015-10-28 2016-03-09 南方电网科学研究院有限责任公司 Cloud-based WEB application firewall system and security protection method thereof
CN107872456A (en) * 2017-11-09 2018-04-03 深圳市利谱信息技术有限公司 Network intrusion prevention method, apparatus, system and computer-readable recording medium

Cited By (32)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20200258004A1 (en) * 2017-01-20 2020-08-13 Cybraics, Inc. Methods and systems for analyzing cybersecurity threats
CN109698840A (en) * 2019-02-27 2019-04-30 新华三大数据技术有限公司 Detect DHCP malicious event method and device
CN110177113A (en) * 2019-06-06 2019-08-27 北京奇艺世纪科技有限公司 Internet guard system and access request processing method
CN110177113B (en) * 2019-06-06 2021-08-31 北京奇艺世纪科技有限公司 Internet protection system and access request processing method
CN110545259A (en) * 2019-07-27 2019-12-06 苏州哈度软件有限公司 application layer attack protection method based on message replacement and protection system thereof
CN110933069A (en) * 2019-11-27 2020-03-27 上海明耿网络科技有限公司 Network protection method, device and storage medium
CN113114609A (en) * 2020-01-13 2021-07-13 国际关系学院 Webshell detection evidence obtaining method and system
CN113141331A (en) * 2020-01-17 2021-07-20 深信服科技股份有限公司 XSS attack detection method, device, equipment and medium
CN111641589A (en) * 2020-04-30 2020-09-08 中国移动通信集团有限公司 Advanced sustainable threat detection method, system, computer and storage medium
CN111683102B (en) * 2020-06-17 2022-12-06 绿盟科技集团股份有限公司 FTP behavior data processing method, and method and device for identifying abnormal FTP behavior
CN111683102A (en) * 2020-06-17 2020-09-18 绿盟科技集团股份有限公司 FTP behavior data processing method, and method and device for identifying abnormal FTP behavior
CN111953668A (en) * 2020-07-30 2020-11-17 中国工商银行股份有限公司 Network security information processing method and device
CN112001533A (en) * 2020-08-06 2020-11-27 众安信息技术服务有限公司 Parameter detection method and device and computer system
CN112272186A (en) * 2020-10-30 2021-01-26 深信服科技股份有限公司 Network flow detection framework, method, electronic equipment and storage medium
CN112751839A (en) * 2020-12-25 2021-05-04 江苏省未来网络创新研究院 Anti-virus gateway processing acceleration strategy based on user traffic characteristics
CN113297577A (en) * 2021-06-16 2021-08-24 深信服科技股份有限公司 Request processing method and device, electronic equipment and readable storage medium
CN113297577B (en) * 2021-06-16 2024-05-28 深信服科技股份有限公司 Request processing method and device, electronic equipment and readable storage medium
CN113645224A (en) * 2021-08-09 2021-11-12 杭州安恒信息技术股份有限公司 Network attack detection method, device, equipment and storage medium
CN113645224B (en) * 2021-08-09 2022-12-09 杭州安恒信息技术股份有限公司 Network attack detection method, device, equipment and storage medium
CN113676473A (en) * 2021-08-19 2021-11-19 中国电信股份有限公司 Network service safety protection device, method and storage medium
CN113676473B (en) * 2021-08-19 2023-05-02 中国电信股份有限公司 Network service safety protection device, method and storage medium
CN113612800B (en) * 2021-09-08 2023-02-24 中国工商银行股份有限公司 Network attack processing method, device, system, device, medium and program product
CN113612800A (en) * 2021-09-08 2021-11-05 中国工商银行股份有限公司 Network attack processing method, device, system, device, medium and program product
CN113992423B (en) * 2021-11-05 2023-01-17 枣庄科技职业学院 Use method of computer network firewall
CN113992423A (en) * 2021-11-05 2022-01-28 枣庄科技职业学院 Computer network firewall with high safety and use method thereof
CN115412359B (en) * 2022-09-02 2024-03-19 中国电信股份有限公司 Web application security protection method and device, electronic equipment and storage medium
CN115412359A (en) * 2022-09-02 2022-11-29 中国电信股份有限公司 Web application security protection method and device, electronic equipment and storage medium
CN115801459A (en) * 2023-02-03 2023-03-14 北京六方云信息技术有限公司 Message detection method, device, system and storage medium
CN116107912B (en) * 2023-04-07 2023-07-04 石家庄学院 Security detection method and system based on application software
CN116107912A (en) * 2023-04-07 2023-05-12 石家庄学院 Security detection method and system based on application software
CN116633594A (en) * 2023-04-18 2023-08-22 上海亿阁科技有限公司 Flamingo gateway security system
CN116633594B (en) * 2023-04-18 2024-02-27 上海亿阁科技有限公司 Flamingo gateway security system

Also Published As

Publication number Publication date
CN109167754B (en) 2021-03-02

Similar Documents

Publication Publication Date Title
CN109167754A (en) A kind of network application layer security protection system
CN109951500B (en) Network attack detection method and device
US10721245B2 (en) Method and device for automatically verifying security event
EP2633646B1 (en) Methods and systems for detecting suspected data leakage using traffic samples
WO2014129587A1 (en) Network monitoring device, network monitoring method, and network monitoring program
CN112468520B (en) Data detection method, device and equipment and readable storage medium
US20030083847A1 (en) User interface for presenting data for an intrusion protection system
Sun et al. Detection and classification of malicious patterns in network traffic using Benford's law
Kiani et al. Evaluation of anomaly based character distribution models in the detection of SQL injection attacks
CN106161453A (en) A kind of SSLstrip defence method based on historical information
CN107209834A (en) Malicious communication pattern extraction apparatus, malicious communication schema extraction system, malicious communication schema extraction method and malicious communication schema extraction program
CN108390857B (en) Method and device for exporting file from high-sensitivity network to low-sensitivity network
Baykara et al. A novel hybrid approach for detection of web-based attacks in intrusion detection systems
WO2022001577A1 (en) White list-based content lock firewall method and system
La et al. Network monitoring using mmt: An application based on the user-agent field in http headers
JP2002041468A (en) Illegal access preventing service system
KR101468798B1 (en) Apparatus for tracking and preventing pharming or phishing, method using the same
Tanakas et al. A novel system for detecting and preventing SQL injection and cross-site-script
CN114157504A (en) Safety protection method based on Servlet interceptor
Choi et al. Detection of Insider Attacks to the Web Server.
EP3989519B1 (en) Method for tracing malicious endpoints in direct communication with an application back end using tls fingerprinting technique
Moure-Garrido et al. Real time detection of malicious DoH traffic using statistical analysis
TW201818289A (en) Method of detecting internet information security and its implemented system
Erlacher Efficient intrusion detection in high-speed networks.
Bortolameotti Detection and evaluation of data exfiltration

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant