CN109167754B - Network application layer safety protection system - Google Patents
- Publication number
- CN109167754B (application CN201810832633.7A)
- Authority
- CN
- China
- Prior art keywords
- module
- message
- behavior
- attack
- detection module
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0236—Filtering by address, protocol, port number or service, e.g. IP-address or URL
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/16—Implementing security features at a particular protocol layer
- H04L63/168—Implementing security features at a particular protocol layer above the transport layer
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/06—Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/14—Session management
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Power Engineering (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention discloses a network application layer safety protection system comprising: a message analysis module, which inspects and parses each message, including SSL decryption, normalization of encodings and extraction of message field information, and then sends the extracted message features to the detection module for attack detection; a detection module, which comprises a filter, a black and white list detection module and a feature matching module; a behavior analysis module, which performs DDoS attack verification on the message feature data that has passed the detection module and outputs the verified messages to the Web server; and a log auditing module, which audits behavior and anomalies during Web protection: during feature analysis and matching, the behaviors of Web mail uploading and SMTP and FTP data uploading are passed to the log auditing module for recording and analysis, and access records that violate policies and rules during protection are recorded.
Description
Technical Field
The invention belongs to the technical field of network security, and particularly relates to a network application layer security protection system.
Background
With the rapid development of networks, a large number of organizations have moved their services to the Web application layer because of the efficiency, usability and timeliness of Web services. E-commerce, e-government, online banking and social websites are all accessed as Web applications, which have become an indispensable part of daily life. However, as Web applications have developed rapidly, the security situation has not kept pace, and the security risk at the Web layer keeps rising. According to statistics, 75% of network attacks occur at the Web application layer. More seriously, traditional security measures (network firewalls, IDS/IPS and antivirus software) cannot effectively stop Web application layer attacks, so protection measures at the Web application layer have become the best weapon against them.
Disclosure of Invention
The present invention is directed to a network application layer security protection system, which is used to solve the above problems of the prior art.
The invention relates to a network application layer safety protection system comprising a log auditing module, a detection module, a behavior analysis module and a message analysis module. The message analysis module inspects and parses each message, including SSL decryption, normalization of encodings and extraction of message field information, and then sends the extracted message features to the detection module for attack detection. The detection module comprises a filter, a black and white list detection module and a feature matching module. The filter discards a message if it matches malicious characters; otherwise it sends the message features to the black and white list detection module. The black and white list detection module filters and restricts the IP addresses of the incoming message features and sends the message features whose IP address passes it to the feature matching module. The feature matching module compares the data packet against the features in the attack feature library to identify attack behavior and, if an attack is identified, discards the corresponding message. The behavior analysis module performs DDoS attack verification on the message feature data that has passed the detection module and outputs the verified messages to the Web server. The log auditing module audits behavior and anomalies during Web protection: during feature analysis and matching, the behaviors of Web mail uploading and SMTP and FTP data uploading are passed to the log auditing module for recording and analysis, and access records that violate policies and rules during protection are recorded.
According to an embodiment of the network application layer security protection system, the behavior analysis module performs behavior analysis on the subject, object and time attributes of application access and, in combination with session management, counts how frequently a single IP accesses the Web service, so as to identify and prevent DDoS attacks.
According to an embodiment of the network application layer security protection system, the message analysis module comprises an SSL decryption/encryption module, an encoding and decoding standardization module and a message field extraction module. The SSL encryption/decryption module processes the HTTP message sent by the client, determines from the HOST domain the target Web server to which the message is forwarded, calls the corresponding SSL certificate and key to decrypt the message, and sends the plaintext to the encoding and decoding standardization module; it also encrypts the Web server's response message and forwards it to the client. The encoding and decoding standardization module uniformly standardizes message data: it is responsible for processing the HTTP message and first normalizes the various encodings and character sets. The message field extraction module extracts the contents of the HTTP request and response messages after standardized encoding and decoding, extracting the HOST field in the request header and the body of a POST request, and the SetCookie field in the response message, and sends them to the detection module.
According to an embodiment of the network application layer security protection system of the present invention, the behavior analysis module includes a behavior analysis module and a session management module. The behavior analysis module learns from application access: it records the attributes of normal application access to build a behavior feature library, and analyzes application access against that library to identify access behavior with abnormal attributes. The session management module uses Session to perform IP authentication, counts the number of accesses from a single IP, and blocks promptly when the count exceeds a threshold, so as to prevent application layer DDoS attacks.
According to an embodiment of the network application layer security protection system of the present invention, the attributes of the normal application access include: subject attributes, object attributes, time attributes, parameter attributes, and statistical attributes.
According to an embodiment of the network application layer security protection system of the present invention, the feature matching module analyzes each content feature of the message and expresses each feature in the feature syntax of a regular expression. It then matches the features of the message under inspection against the feature strings in the attack feature library; if a match succeeds, the message is judged to be an attack and is discarded.
According to an embodiment of the network application layer security protection system of the present invention, in the black and white list detection module, if the corresponding IP address is on the blacklist, messages from that IP address are rejected directly; if the corresponding IP address is on the white list, the message is sent to an anomaly detection module, which detects attacks that maliciously tamper with the HTTP protocol specification and with input parameters.
To address the multiple types of attack on the network application layer, the invention provides a network application layer safety protection system. It extracts the feature contents of different application layer protocols through application layer message parsing and preprocessing, performs special character filtering and feature matching in a detection module, and performs dynamic behavior analysis on the messages, thereby filtering out malicious attack messages and providing effective protection against malicious network attacks such as SQL injection, XSS and DDoS attacks.
Drawings
FIG. 1 is a schematic diagram of a network application layer security protection system;
FIG. 2 is a schematic diagram of a workflow of a message parsing module;
FIG. 3 is a flowchart illustrating a complete HTTP request message detection and security protection process;
Detailed Description
In order to make the objects, contents, and advantages of the present invention clearer, the following detailed description of the embodiments of the present invention will be made in conjunction with the accompanying drawings and examples.
Fig. 1 is a schematic diagram of a network application layer security protection system. As shown in fig. 1, the system is composed of a message analysis module 1, a log audit module 2, a behavior analysis module 3 and a detection module 4.
Fig. 2 is a schematic diagram of the workflow of the message parsing module. As shown in fig. 1 and fig. 2, the message parsing module 1 includes an SSL decryption/encryption module 11, a codec standardization module 12 and a message field extraction module 13. The output of the message analysis module 1 is what the rules of the detection module 4 operate on during matching and filtering, so the quality of the parsing directly affects the defensive effectiveness of the application layer web firewall. The main function of the message analysis module 1 is to parse messages of the different application layer protocols, including HTTP/HTTPS, SMTP, FTP and the like, obtain the fields to be inspected, and submit them to the feature matching engine for web attack detection. Because more and more high-security web applications primarily use the HTTPS protocol, SSL-encrypted traffic must be decrypted for all attacks to be detected effectively.
As shown in fig. 1 and fig. 2, SSL (Secure Socket Layer) sits between the TCP/IP protocol and the various application layer protocols and provides security support for data communication. The SSL encryption/decryption module 11 processes the HTTP message sent by the client, determines from the HOST domain the destination Web server to which the message is forwarded, invokes the corresponding SSL certificate and key to decrypt the message, and sends the plaintext to the codec standardization module 12. It is also responsible for encrypting the Web server's response message and forwarding it to the client.
As shown in fig. 1 and 2, web applications, by their nature, support many character sets and many encoding standards. These can be an attacker's main means of bypassing existing defenses, so the codec standardization module 12 uniformly standardizes the input data, preparing the ground for the detection module 4 to prevent the various attacks effectively. The codec standardization module 12 is responsible for processing the HTTP message. It first normalizes the various encodings, such as URL encoding and Unicode encoding, and the various character sets, such as UTF-8 and GB2312, so that every encoding is recognized and restored and defenses cannot be bypassed by variant attacks that use different encodings or different character sets.
As shown in fig. 1 and 2, the message field extraction module 13 extracts the contents of the HTTP request and response messages standardized by the codec standardization module 12. For requests it extracts the HOST field in the request header and the body of a POST request; for responses it extracts contents such as the SetCookie field. The message features (characters) extracted by the message field extraction module 13 are sent to the detection module 4.
As shown in fig. 1 and 2, the detection module 4 mainly includes a filter 41, a black-and-white list detection module 42, and a feature matching module 43.
Fig. 3 is a flowchart of the complete detection and security protection process for an HTTP request message. As shown in fig. 3, the filter 41 discards the message if it matches malicious characters; otherwise it sends the message features to the black and white list detection module 42. The main design idea is that any effective SQL injection attack works because malicious input becomes part of a database query or command. The malicious input therefore has to close the preceding fragment or truncate the subsequent code in the program, and the inserted database operation has to make use of various separators. Filtering special characters such as closing and truncating characters and the separators and comment markers of the various database languages can therefore effectively prevent injection vulnerabilities.
As shown in fig. 3, the black and white list detection module 42 filters and restricts the IP addresses of the incoming message features. In addition to common rule sets, specific rules can be customized as needed: the white list module constrains user input, and the blacklist module blocks certain malicious input and access to sensitive information such as database files and configuration files. If the corresponding IP address is on the blacklist, the message is rejected directly; if it is on the white list, the message is sent to the anomaly detection module. The anomaly detection module detects attacks such as malicious tampering with the HTTP protocol specification and with input parameters, adding a further layer of protection to achieve defense in depth. If the IP address is on the white list and the message passes the anomaly detection module, it is forwarded directly to the behavior analysis module 3.
As shown in fig. 3, the feature matching module 43 is responsible for comparing the data packet against the features in the attack feature library to identify attack behavior. The feature analysis module reads the message, analyzes each of its content features, and expresses each feature in the feature syntax of a regular expression. The feature matching module then matches the features of the message under inspection against the feature strings in the attack feature library; if a match succeeds, the message is judged to be an attack and is discarded.
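The following Python example is added here and is not part of the patent text or any implementation by its authors. It illustrates the codec standardization step (module 12) and the regular-expression feature matching step (module 43) together, applying the same signatures to raw and to normalized field values. The signature names and patterns, the decode-round cap, the treatment of `+` as a form-encoded space and all sample inputs are constructed assumptions.

```python
import re
import unicodedata
from urllib.parse import unquote_to_bytes

MAX_DECODE_ROUNDS = 5  # assumption: cap on nested percent-encoding layers

# Constructed signature library; names and patterns are illustrative only.
SIGNATURES = {
    "sqli-union-select": re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),
    "xss-script-tag": re.compile(r"<\s*script\b", re.I),
}

PCT_U = re.compile(r"%u([0-9a-fA-F]{4})")     # non-standard %uXXXX escapes
SQL_COMMENT = re.compile(r"/\*.*?\*/", re.S)  # inline comments used as spacers
WHITESPACE = re.compile(r"\s+")


def u_escape(match):
    """Expand one %uXXXX escape; lone surrogates become U+FFFD."""
    cp = int(match.group(1), 16)
    return "\ufffd" if 0xD800 <= cp <= 0xDFFF else chr(cp)


def decode_bytes(raw):
    """Decode with the charsets the page names: UTF-8 first, then GB2312."""
    for charset in ("utf-8", "gb2312"):
        try:
            return raw.decode(charset)
        except UnicodeDecodeError:
            continue
    return raw.decode("utf-8", errors="replace")  # stable last resort


def normalize(value):
    """Reduce one HTTP field value to a single canonical form."""
    text = value.replace("+", " ")  # assumption: form-encoded field
    for _ in range(MAX_DECODE_ROUNDS):
        step = PCT_U.sub(u_escape, text)
        step = decode_bytes(unquote_to_bytes(step))
        if step == text:  # nothing left to decode
            break
        text = step
    text = unicodedata.normalize("NFKC", text)  # fold fullwidth forms
    text = text.replace("\x00", "")
    text = SQL_COMMENT.sub(" ", text)
    return WHITESPACE.sub(" ", text).strip().lower()


def match_raw(value):
    """Names of signatures that hit the value exactly as given."""
    return sorted(n for n, rx in SIGNATURES.items() if rx.search(value))


def match_normalized(value):
    """Names of signatures that hit the value after normalization."""
    return match_raw(normalize(value))


# Constructed sample field values (not captured traffic).
SAMPLES = {
    "double-encoded": "id=1%2520union%2520select%2520name",
    "percent-u": "q=%u003Cscript%u003E",
    "comment-spacer": "id=1/**/UNION/**/SELECT/**/1",
    "fullwidth": "q=\uff1cscript\uff1e",
    "gb2312-benign": "name=%D6%D0%CE%C4",
    "benign": "q=student+union+selection+committee",
}


def compare():
    """Map each sample to (hits on raw value, hits on normalized value)."""
    return {k: (match_raw(v), match_normalized(v)) for k, v in SAMPLES.items()}


if __name__ == "__main__":
    for name, (raw_hits, norm_hits) in compare().items():
        print(f"{name:15} raw={raw_hits} normalized={norm_hits}")
```
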
As shown in fig. 3, the behavior analysis module 3 mainly includes a behavior analysis module 31 and a session management module 32, and is an effective means of defending against DDoS attacks.
As shown in fig. 3, the behavior analysis module 31 is based on learning from application access: it records the attributes of normal application access. These attributes span several dimensions: subject attributes, object attributes, time attributes, parameter attributes and statistical attributes. A behavior feature library is built through this learning, and application access is analyzed against the library so that access behavior with abnormal attributes is identified. If an attack against the Web server is found by the behavioral analysis.
As shown in fig. 3, the session management module 32 can effectively defend against application layer DDoS attacks. Being session-based, it can compensate for session management vulnerabilities in the Web application itself, and its session-based authentication rules also protect against application layer DDoS attacks. It uses Session to perform IP authentication, counts the number of accesses from a single IP, and blocks promptly when the count exceeds a threshold. A 'Refresh' variable is inserted to prevent malicious refreshing, which effectively limits access to time-consuming pages while hardly affecting normal access, so that application layer DDoS attacks are effectively prevented.
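The following Python example is added here and is not from the patent. It shows per-IP access counting with threshold blocking as the session management module is described. Binding a session token to the IP that opened it is one assumed reading of "uses Session to perform IP authentication"; the class name, window, threshold, block duration and request trace are constructed.

```python
import secrets
from collections import defaultdict, deque

ALLOW, BLOCKED, BAD_SESSION = "allow", "blocked", "bad-session"


class SessionManager:
    """Count accesses per client IP in a sliding window; block on excess."""

    def __init__(self, threshold, window_s, block_s):
        self.threshold = threshold        # max accesses per window
        self.window_s = window_s          # sliding window length, seconds
        self.block_s = block_s            # how long an IP stays blocked
        self._session_ip = {}             # session token -> IP that opened it
        self._hits = defaultdict(deque)   # IP -> timestamps inside the window
        self._blocked_until = {}          # IP -> time at which the block ends
        self.audit_log = []               # (time, ip, event) for log auditing

    def open_session(self, ip):
        """Issue an unguessable token bound to the client's IP."""
        token = secrets.token_urlsafe(16)
        self._session_ip[token] = ip
        return token

    def check(self, token, ip, now):
        """Return the verdict for one request arriving at time `now`."""
        # Session-based IP authentication: the token must belong to this IP.
        if self._session_ip.get(token) != ip:
            self.audit_log.append((now, ip, BAD_SESSION))
            return BAD_SESSION
        # An IP that is still inside its block period is refused outright.
        until = self._blocked_until.get(ip)
        if until is not None:
            if now < until:
                return BLOCKED
            del self._blocked_until[ip]
        # Drop timestamps that have left the window, then count this access.
        hits = self._hits[ip]
        while hits and now - hits[0] >= self.window_s:
            hits.popleft()
        hits.append(now)
        if len(hits) > self.threshold:
            self._blocked_until[ip] = now + self.block_s
            hits.clear()
            self.audit_log.append((now, ip, BLOCKED))
            return BLOCKED
        return ALLOW


def demo():
    """Replay a constructed trace; addresses are documentation ranges."""
    mgr = SessionManager(threshold=3, window_s=10.0, block_s=30.0)
    ip_a, ip_b = "203.0.113.7", "198.51.100.4"
    tok_a, tok_b = mgr.open_session(ip_a), mgr.open_session(ip_b)
    trace = [
        (0.0, ip_a, tok_a),
        (1.0, ip_a, tok_a),
        (2.0, ip_a, tok_a),
        (2.5, ip_b, tok_b),   # a different IP has its own counter
        (3.0, ip_a, tok_a),   # fourth access inside the window
        (5.0, ip_a, tok_a),   # still inside the block period
        (6.0, ip_b, tok_a),   # token presented from the wrong IP
        (33.0, ip_a, tok_a),  # block period has ended
    ]
    verdicts = [mgr.check(tok, ip, t) for t, ip, tok in trace]
    return verdicts, mgr.audit_log


if __name__ == "__main__":
    verdicts, log = demo()
    print(verdicts)
    print(log)
```
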
As shown in fig. 1 to 3, the log audit module 2 audits behavior and anomalies during Web protection. During feature analysis and matching, behaviors such as Web mail uploading and outbound SMTP and FTP data transfer are passed to the log audit module for recording and analysis. In addition, accesses that violate policies and rules during protection are recorded, to support later statistical analysis and evidence collection.
With reference to fig. 1 to fig. 3, the working principle of the network application layer security protection system of the present invention is as follows:
Message parsing. After a client initiates an application access request to a Web server, the message analysis module 1 first inspects and parses the message, including SSL decryption, normalization of encodings and extraction of message field information, and then sends the extracted message feature information to the subsequent detection module 4 for attack detection.
After receiving the feature information of the message, the detection module 4 first filters out special characters that can cause malicious attacks, then screens the feature information against the black and white lists to block message information with attack features, and finally matches the feature information against the attack feature library to identify attack traffic. This attack detection effectively prevents frequently occurring Web attacks such as SQL injection and XSS.
The traffic that reaches the behavior analysis module 3 has passed through the message analysis module 1 and the detection module 4, so it is normal access traffic that has already been screened and filtered. The module performs behavior analysis on attributes of application access such as subject, object and time and, in combination with session management, counts how frequently a single IP accesses the Web service, thereby effectively identifying and preventing DDoS attacks.
The log audit module 2 records abnormal information arising during application layer security protection, including access records that violate policies and rules. It also audits behaviors such as Web mail uploading and SMTP (Simple Mail Transfer Protocol) and FTP (File Transfer Protocol) data uploading, to support later statistical analysis.
The above description is only a preferred embodiment of the present invention, and it should be noted that, for those skilled in the art, several modifications and variations can be made without departing from the technical principle of the present invention, and these modifications and variations should also be regarded as the protection scope of the present invention.
Claims (6)
1. A network application layer security protection system, comprising: the system comprises a log auditing module, a detecting module, a behavior analyzing module and a message analyzing module;
the message analysis module is used for judging and analyzing the message, including SSL decryption, coding and decoding standard normalization processing and message field information extraction, and then sending the extracted message characteristics to the detection module for attack detection;
the detection module comprises a filter, a black and white list detection module and a feature matching module;
the filter discards the message if matching the malicious characters, otherwise, sends the message characteristics to the black and white list detection module;
the black and white list detection module is used for filtering and limiting the IP address of the input message characteristic and sending the message characteristic of the IP address passing through the black and white list detection module to the characteristic matching module;
the characteristic matching module is used for comparing and matching the data packet with the characteristics in the attack characteristic library, judging the attack behavior, and if the attack behavior is judged to be the attack behavior, discarding the corresponding message;
the behavior analysis module is used for carrying out DDoS attack verification on the message characteristic data passing through the detection module and outputting the verified message to the Web server;
the log auditing module is used for performing behavior and abnormal auditing in the Web protection process, transmitting behaviors of Web mail uploading, SMTP and FTP data uploading to the log auditing module for recording and analyzing in the characteristic analysis and matching process, and recording access records violating strategies and rules in the safety protection process;
the message analysis module comprises an SSL decryption/encryption module, an encoding and decoding standardization module and a message field extraction module;
the SSL encryption/decryption module processes an HTTP message transmitted from the client, judges a target Web server for message forwarding according to the HOST domain, calls a corresponding SSL certificate and a key to decrypt the message, sends a plaintext to the encoding and decoding standardization module, and encrypts a Web server response message and forwards the encrypted message to the client;
the encoding and decoding standardization module is used for uniformly standardizing message data and is responsible for processing the HTTP message, and various codes and character sets are firstly normalized and standardized;
the message field extraction module is used for extracting the HTTP request and response message contents after standardized coding and decoding, extracting the HOST field in the request header and the main body in the POST request, extracting the SetCookie field in the response message, and sending the SetCookie field to the detection module.
2. The network application layer security protection system of claim 1, wherein the behavior analysis module performs behavior analysis on subjects, objects and time attributes accessed by the application, and counts frequency of access of a single IP to the Web service in combination with session management to identify and prevent DDoS attacks.
3. The network application layer security protection system of claim 1, wherein the behavior analysis module comprises a behavior analysis module and a session management module;
the behavior analysis module establishes a behavior feature library by recording the attribute of normal application access through learning based on the learning of the application access, and performs behavior analysis on the application access according to the behavior feature library so as to identify the access behavior with abnormal attribute;
and the Session management module carries out IP authentication by using Session, counts the access number of a single IP, and carries out blocking in time when the access number exceeds a threshold value so as to prevent DDoS attack of an application layer.
4. The network application layer security protection system of claim 3, wherein the attributes of normal application access include: subject attributes, object attributes, time attributes, parameter attributes, and statistical attributes.
5. The network application layer security protection system of claim 1, wherein the feature matching module is configured to analyze each content feature of the packet, analyze each feature, represent the feature by using a feature syntax of a regular expression, perform feature matching on the feature of the packet to be detected and a feature string in the attack feature library, determine an attack behavior if the matching is successful, and discard the corresponding packet.
6. The network application layer security protection system of claim 1, wherein in the black and white list detection module, if the corresponding IP address exists in the black list, it selects to directly refuse to receive the message of the IP address; and if the corresponding IP address exists in the white list, sending the message to an anomaly detection module, wherein the anomaly detection module is used for detecting the attack of maliciously tampering the HTTP protocol specification and the input parameters.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810832633.7A CN109167754B (en) | 2018-07-26 | 2018-07-26 | Network application layer safety protection system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810832633.7A CN109167754B (en) | 2018-07-26 | 2018-07-26 | Network application layer safety protection system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109167754A CN109167754A (en) | 2019-01-08 |
CN109167754B true CN109167754B (en) | 2021-03-02 |
Family
ID=64898252
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810832633.7A Active CN109167754B (en) | 2018-07-26 | 2018-07-26 | Network application layer safety protection system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109167754B (en) |
Families Citing this family (23)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10685293B1 (en) * | 2017-01-20 | 2020-06-16 | Cybraics, Inc. | Methods and systems for analyzing cybersecurity threats |
CN109698840B (en) * | 2019-02-27 | 2022-02-25 | 新华三大数据技术有限公司 | Method and device for detecting DHCP (dynamic host configuration protocol) malicious event |
CN110177113B (en) * | 2019-06-06 | 2021-08-31 | 北京奇艺世纪科技有限公司 | Internet protection system and access request processing method |
CN110545259A (en) * | 2019-07-27 | 2019-12-06 | 苏州哈度软件有限公司 | application layer attack protection method based on message replacement and protection system thereof |
CN110933069A (en) * | 2019-11-27 | 2020-03-27 | 上海明耿网络科技有限公司 | Network protection method, device and storage medium |
CN113114609A (en) * | 2020-01-13 | 2021-07-13 | 国际关系学院 | Webshell detection evidence obtaining method and system |
CN113141331A (en) * | 2020-01-17 | 2021-07-20 | 深信服科技股份有限公司 | XSS attack detection method, device, equipment and medium |
CN111641589A (en) * | 2020-04-30 | 2020-09-08 | 中国移动通信集团有限公司 | Advanced sustainable threat detection method, system, computer and storage medium |
CN111683102B (en) * | 2020-06-17 | 2022-12-06 | 绿盟科技集团股份有限公司 | FTP behavior data processing method, and method and device for identifying abnormal FTP behavior |
CN111953668B (en) * | 2020-07-30 | 2023-04-07 | 中国工商银行股份有限公司 | Network security information processing method and device |
CN112001533A (en) * | 2020-08-06 | 2020-11-27 | 众安信息技术服务有限公司 | Parameter detection method and device and computer system |
CN112272186B (en) * | 2020-10-30 | 2023-07-18 | 深信服科技股份有限公司 | Network traffic detection device and method, electronic equipment and storage medium |
CN112751839B (en) * | 2020-12-25 | 2023-04-18 | 江苏省未来网络创新研究院 | Anti-virus gateway processing acceleration strategy based on user traffic characteristics |
CN113297577B (en) * | 2021-06-16 | 2024-05-28 | 深信服科技股份有限公司 | Request processing method and device, electronic equipment and readable storage medium |
CN113645224B (en) * | 2021-08-09 | 2022-12-09 | 杭州安恒信息技术股份有限公司 | Network attack detection method, device, equipment and storage medium |
CN113676473B (en) * | 2021-08-19 | 2023-05-02 | 中国电信股份有限公司 | Network service safety protection device, method and storage medium |
CN113612800B (en) * | 2021-09-08 | 2023-02-24 | 中国工商银行股份有限公司 | Network attack processing method, device, system, device, medium and program product |
CN113992423B (en) * | 2021-11-05 | 2023-01-17 | 枣庄科技职业学院 | Use method of computer network firewall |
CN115412359B (en) * | 2022-09-02 | 2024-03-19 | 中国电信股份有限公司 | Web application security protection method and device, electronic equipment and storage medium |
CN115801459A (en) * | 2023-02-03 | 2023-03-14 | 北京六方云信息技术有限公司 | Message detection method, device, system and storage medium |
CN116107912B (en) * | 2023-04-07 | 2023-07-04 | 石家庄学院 | Security detection method and system based on application software |
CN116633594B (en) * | 2023-04-18 | 2024-02-27 | 上海亿阁科技有限公司 | Flamingo gateway security system |
CN118400199B (en) * | 2024-06-27 | 2024-09-06 | 杭州迪普科技股份有限公司 | Multi-scale white, fast and black and slow rapid attack flow screening method |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104917776A (en) * | 2015-06-23 | 2015-09-16 | 北京威努特技术有限公司 | Industrial control network safety protection equipment and industrial control network safety protection method |
CN105049437A (en) * | 2015-08-04 | 2015-11-11 | 浪潮电子信息产业股份有限公司 | Method for filtering data of network application layer |
CN105391703A (en) * | 2015-10-28 | 2016-03-09 | 南方电网科学研究院有限责任公司 | Cloud-based WEB application firewall system and safety protection method thereof |
CN107872456A (en) * | 2017-11-09 | 2018-04-03 | 深圳市利谱信息技术有限公司 | Network intrusion prevention method, apparatus, system and computer-readable recording medium |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8949955B2 (en) * | 2008-10-29 | 2015-02-03 | Symantec Corporation | Method and apparatus for mobile time-based UI for VIP |
Also Published As
Publication number | Publication date |
---|---|
CN109167754A (en) | 2019-01-08 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109167754B (en) | Network application layer safety protection system | |
US10505900B2 (en) | Data leak protection in upper layer protocols | |
Kumar | Survey of current network intrusion detection techniques | |
CN100443910C (en) | Active network defense system and method | |
US8954725B2 (en) | Sanitization of packets | |
CN111277587A (en) | Malicious encrypted traffic detection method and system based on behavior analysis | |
KR102045468B1 (en) | Apparatus for detection of anomalous connection behavior based on network data analytics and method using the same | |
WO2014129587A1 (en) | Network monitoring device, network monitoring method, and network monitoring program | |
US20050262556A1 (en) | Methods and apparatus for computer network security using intrusion detection and prevention | |
US20130298254A1 (en) | Methods and systems for detecting suspected data leakage using traffic samples | |
Kaur et al. | Comparison of network security tools-firewall, intrusion detection system and Honeypot | |
CN101631026A (en) | Method and device for defending against denial-of-service attacks | |
KR100684602B1 (en) | Corresponding system for invasion on scenario basis using state-transfer of session and method thereof | |
KR102244036B1 (en) | Method for Classifying Network Asset Using Network Flow data and Method for Detecting Threat to the Network Asset Classified by the Same Method | |
KR102501372B1 (en) | AI-based mysterious symptom intrusion detection and system | |
CN103124226A (en) | Household broadband net-system play monitoring system and method | |
KR20120000942A (en) | Bot-infected host detection apparatus and method based on blacklist access statistics | |
Stanciu | Technologies, methodologies and challenges in network intrusion detection and prevention systems. | |
Sulieman et al. | Detecting zero-day polymorphic worm: A review | |
RU183015U1 (en) | Intrusion detection tool | |
KR20050095147A (en) | Hacking defense apparatus and method with hacking type scenario | |
US20220131885A1 (en) | Methods for tracing malicious endpoints in direct communication with application back ends using tls fingerprinting techniques | |
Kaskar et al. | A system for detection of distributed denial of service (DDoS) attacks using KDD cup data set | |
Khamdamovich et al. | Web application firewall method for detecting network attacks | |
Punia et al. | Current trends and approaches of network intrusion detection system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||