CN110728575A - WEB security depth monitoring method for electric power transaction platform - Google Patents
- Publication number: CN110728575A (application CN201910637356.9A)
- Authority: CN (China)
- Legal status: Pending (the legal status is an assumption by Google Patents, not a legal conclusion; no legal analysis was performed)
Classifications
- G06Q40/04 Trading; Exchange, e.g. stocks, commodities, derivatives or currency exchange
- G06Q50/06 Energy or water supply
- G06F21/55 Detecting local intrusion or implementing counter-measures
- G06F9/45504 Abstract machines for programme code execution, e.g. Java virtual machine [JVM], interpreters, emulators
- G06F9/45558 Hypervisor-specific management and integration aspects
- G06F2009/45587 Isolation or security of virtual machine instances
- G06F2009/45595 Network integration; Enabling network access in virtual machine instances
- H04L63/1425 Traffic logging, e.g. anomaly detection
- H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
Abstract
A WEB security depth monitoring method for an electric power transaction platform comprises the following steps: deploying a Java virtual machine (JVM) and the ASM Java bytecode manipulation framework on the WEB application server and running the application program on the JVM; monitoring the operation of the application program with Java bytecode technology and acquiring the various WEB request data; collecting web request data with JavaScript code insertion, specifically source IP, destination IP, time and frequency statistics of URL requests; and performing web security analysis on the collected web request data. The method has the advantages of simple installation, accurate attack identification, code-level fault location and suitability for virtualized scenarios.
Description
Technical Field
The invention relates to a monitoring method, in particular to a WEB security deep monitoring method for an electric power transaction platform.
Background
With the reform of the power system and the continuous adjustment of its innovative ideas, the power trading platform came into being. Under the guidance of the relevant government departments and electric power supervision bodies, the electric power trading platform is responsible for building and managing the electric power market system; for managing the quarterly and monthly electric power market trading plans; for organizing power transactions; for organizing, under the principle of 'open, fair and just', the signing of transaction contracts and purchase and sale agreements, and for carrying out electricity settlement and transaction statistical analysis; for drafting the power market rules and coordinating related matters in the rule-making process; for building and managing the electric power market transaction information publishing platform, publishing transaction information and reporting market transaction information to the electric power supervision body; and for managing the transaction behaviour of market participants, reporting violations and proposing penalties to the electric power supervision body. In this context, the security of the electric power trading platform is particularly important.
With the development of attack techniques, large-scale virus outbreaks have gradually declined, yet enterprises do not feel any more secure. On the contrary, as enterprise IT architectures migrate to the cloud, the network boundary blurs and the target of hacker attacks shifts from the system layer to the application layer; according to reports, more than 80% of attacks target the application layer and aim at data theft. Meanwhile, as the security inspection work of the Ministry of Industry and Information Technology continues to deepen, the emphasis of inspection has shifted from traditional network security to all-round application security and service security.
At present, more and more attacks are aimed at the application layer, and the losses they cause keep growing. Traditional WAF products based on traffic analysis cannot effectively identify WEB attacks that use packet fragmentation, URL disguise and double encoding. Meanwhile, in virtualization and container environments all service systems run on one set of physical hosts in the form of VMs and containers, so a traditional boundary-protection WAF cannot effectively detect attacks between VMs and containers.
Line-of-business (LOB) applications are the basis of all services. The security of the application layer is therefore very important, network-layer security alone is far from sufficient, and security decision makers need to devote more energy and resources to protecting the applications.
Network-layer boundary protection technologies (NGFW, UTM, IPS, IDS and the like) have become standard for most enterprises, and some application-layer protection technologies (WAF and the like) are gradually being adopted. These technologies partially protect enterprise security in some scenarios, but in the virtualization and cloud era the network boundary is increasingly blurred, enterprises often do not know exactly where an application is deployed, and at the same time hackers are very familiar with firewall technology and firewall-circumvention techniques are mature. Traditional security technologies are of little use against the new generation of threats, so adaptive application security technologies are essential for coping with them.
Nowadays IT technology changes day by day, new advanced attacks emerge endlessly, attack patterns become ever more concealed and damaging, and iterative development and rapid deployment are increasingly popular as a way to adapt to new business requirements and technical innovation. Modern software systems are often complex, requiring many programmers to cooperate, each with different coding ability, and they often contain a lot of legacy code or third-party programs. Only when code-level bugs are located accurately can the operation and maintenance efficiency of the whole enterprise be improved and the risks faced by the production environment be reduced.
The national network company (State Grid) now places ever higher requirements on service quality. Researching new application-layer monitoring and fault-analysis technology can greatly improve the service quality of the application systems and, in turn, improve the company's market image and enterprise competitiveness.
The internal drivers are: the business scale and application technology of the national network company are developing rapidly; the company places higher requirements on information operation and maintenance; and the company has for many years been analysing and researching means of monitoring and guaranteeing application service quality.
The external opportunities are: IT technology is developing rapidly, and new application-layer monitoring technology can rapidly raise operation and maintenance capacity and level; and the role of the automated operation and maintenance concept in IT management is increasingly emphasised in China.
The challenges the national network company faces are: its application systems are numerous and their calling relationships complex, so the impact of shutdown maintenance is hard to assess comprehensively; operation and maintenance is passive and problems cannot be reproduced, so manual troubleshooting is needed when system performance degrades; operation and maintenance costs are high; and the team is small with limited capacity, so locating system problems takes a long time and the same problems have to be solved repeatedly.
The main threats are: the complexity brought by new technologies such as cloud computing and the mobile internet poses new challenges for the national network company. The complex application environment prevents the company from finding and resolving application-system faults in time, weakens the company's brand, and causes it further losses.
Whether based on the real application environment or oriented towards the introduction of future technologies, the national network company needs a means of application-system monitoring and fault analysis, so that its system fault management platform and early-warning system are perfected and the company is supported in moving from passive to active operation and maintenance.
Disclosure of Invention
The invention aims to solve the problem that traditional WAF products based on traffic analysis cannot effectively identify WEB attacks that use packet fragmentation, URL disguise and double encoding, and that, in virtualization and container environments where all service systems run on a group of physical hosts as VMs and containers, a traditional boundary-protection WAF cannot effectively detect attacks between VMs and containers.
The technical scheme adopted by the invention is as follows: a WEB security deep monitoring method for an electric power transaction platform, characterized by comprising the following steps:
S1, deploying a Java virtual machine (JVM) and the ASM Java bytecode manipulation framework (an open-source framework for analysing, creating and modifying Java bytecode) on the WEB application server, and running the application program on the JVM;
S2, monitoring the operation of the application program with Java bytecode technology and acquiring the various WEB request data;
S3, collecting web request data with JavaScript code insertion, specifically source IP, destination IP, time and frequency statistics of URL requests;
S4, performing web security analysis on the web request data.
Further, the specific process of step S2 is as follows:
S21, generating the binary file A.class directly with ASM;
S22, loading A.class into the JVM with the JVM class loader; during loading, the Javaagent embeds monitoring code into the bytecode of A.class, generating A'.class;
S23, when a request needs to call A.class, the execution engine in the JVM finds and executes A'.class in its place; A'.class executes the normal business logic of A.class and also executes the embedded monitoring code, which captures the web request data;
S24, when execution of A.class finishes, the engine writes the monitoring data into the monitoring data temporary storage area;
S25, every 60 s an agent thread sends the web request data to the application server and clears the temporary storage area.
Description of the drawings:
The JVM is the Java virtual machine; the system realizes security protection of the web system by installing a probe in the Java virtual machine.
Javaagent is the software probe installed in the Java virtual machine.
A.class is a class file (compiled Java code) of the web application written in Java (each application has many class files); it is imported into the Java virtual machine by the class loader each time the system starts.
The class loader inserts the Javaagent (a component of the system) into A.class to generate the file A'.class; A'.class provides the same function as A.class, and finally the class loader imports A'.class into the JVM.
The engine is the class execution engine of the JVM. It receives a URL request sent by the user to the JVM, analyses and executes it together with the corresponding class file, and returns the execution result to the user (the response) through the engine. While A'.class, with the Javaagent inserted, performs the above functions, it also writes the user's URL and the system resources requested by that URL (the corresponding SQL statements, execution time, status values of the execution process, error codes and the like) into the monitoring data temporary storage area.
The agent is another component of the system; it periodically reads the data in the monitoring data temporary storage area and sends it to the system's server side (a further component of the system) for analysis, statistics and presentation.
The agent also receives the various control rules defined by the server side and writes them into the Javaagent. The rules comprise URL (web request) filtering rules (a class-annotation mode; a class-annotation regex + method-name regex mode; a class-name mode; an interface-name mode; an access modifier + class-name regex + method-name regex + return value + method parameter mode) and interception processing rules (a string formatting rule, a string matching rule, a thread-local processing rule and the like).
After the Javaagent receives the rules from the agent, they are compiled and written into A.class by the JVM, generating an A'.class file that is imported into the Java virtual machine to realize real-time security checking and blocking.
Further, the monitoring data comprise the application system's web request URL, the average response time of a single transaction in the application system, code execution time, slow SQL statement execution indicators, third-party interface service performance indicators and Java virtual machine performance indicators.
Further, the contents of the security deep analysis in step S4 include:
Regular-expression matching analysis: the matching rules of the algorithm come from rule sets published on the network and by some CMS vendors; after repeated modification and testing they can identify common known Web attacks, including SQL injection, XSS, command execution and other common Web vulnerabilities.
Numerical statistical analysis: the massive volume of collected log text contains a great deal of information such as user behaviour, interacting IP addresses and access counts, and some actions are hard to discover through traditional means such as rule matching, black and white lists and policy control. However, the statistical characteristics of this information can express a network action explicitly: the number of agent connections accessing a target website in a period of time, the number of times the same URL appears under different domain names, and the proportion of non-200 access responses each express a specific network action, and if that action matches a network attack pattern it can be found by numerical statistics.
Machine learning analysis: analysis with a machine learning algorithm, whose prerequisite is constructing a feature vector. Log identification mainly targets the request, the referrer and the user-agent in the log records; the request and referrer are URL paths and the user-agent is the browser name, and all three are controllable by the user and can carry an injected payload. The training set has two parts: malicious URL requests, and well-known payload repositories collected mainly from GitHub, about 30000 records in all, covering SQL injection, directory traversal, XSS (cross-site scripting), LFI (local file inclusion), XML injection, SSI injection, XPath injection and Webshell attacks.
The advantages and characteristics of the invention are:
1. Simple installation
The system is integrated with the application program. Only the JVM start-up configuration needs to be modified, not the service system code, and the security protection code is injected into the application program like a vaccine, repairing known bugs immediately so that all code becomes secure code and no attack can bypass it.
2. Accurate attack recognition
Unlike the attack-pattern matching principle of a WAF, the system has comprehensive insight into the logic, configuration, data and event flow of the application program; combined with the application context it precisely inspects each request and can effectively resist attack behaviour that a WAF cannot detect.
3. Code-level fault location
The system obtains detailed web request information and stack information from the Java virtual machine and the framework's bottom layer and realizes code-level location of system vulnerabilities, so that locating a security problem is no longer a search for a needle in a haystack.
4. Adaptation to virtualized scenarios
The system is inserted into the Java virtual machine as a software probe, and the security protection agent decodes and rule-matches WEB requests between different VMs, so attack behaviour can be blocked in real time. Meanwhile, the security protection agent migrates dynamically together with the VM, which guarantees the consistency of the security protection policy.
5. Based on the agent working mode, WEB security monitoring and protection are realized in a virtualization scenario.
Drawings
FIG. 1 is a schematic diagram of a preferred embodiment of the present invention;
FIG. 2 is a schematic diagram of the code level fault diagnosis location principle according to the preferred embodiment of the present invention;
Detailed Description
The invention is further illustrated with reference to the accompanying drawings:
Example 1:
Referring to FIG. 1, a method for deep WEB security monitoring of a power transaction platform comprises the following steps:
S1, deploying a Java virtual machine (JVM) and the ASM Java bytecode manipulation framework (an open-source framework for analysing, creating and modifying Java bytecode) on a WEB application server, and running the application program on the JVM;
S2, monitoring the operation of the application program with Java bytecode technology and acquiring the various WEB request data;
S3, collecting web request data with JavaScript code insertion, specifically source IP, destination IP, time and frequency statistics of URL requests;
S4, performing web security analysis on the web request data.
The specific process of step S2 is as follows:
S21, generating the binary file A.class directly with ASM;
S22, loading A.class into the JVM with the JVM class loader; during loading, the Javaagent embeds monitoring code into the bytecode of A.class, generating A'.class;
S23, when a request needs to call A.class, the execution engine in the JVM finds and executes A'.class in its place; A'.class executes the normal business logic of A.class and also executes the embedded monitoring code, which captures the web request data;
S24, when execution of A.class finishes, the engine writes the monitoring data into the monitoring data temporary storage area;
S25, every 60 s an agent thread sends the web request data to the application server and clears the temporary storage area.
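The S21 to S25 flow above, together with the Javaagent, class loader, engine and agent roles given in the description of the drawings, can be realized with the standard Java instrumentation API and ASM. The following is an added example written for this page; it is not the patent's code. It assumes ASM (asm and asm-commons) on the classpath, a jar manifest whose Premain-Class is MonitorAgent, and sample class-name and method-name regex rules (the `com/example/trading` package is an invented placeholder). Where the patent's engine writes to the temporary storage area, the woven bytecode here calls `MonitorAgent.record`, and a daemon thread plays the 60 s agent thread of step S25.

```java
import java.lang.instrument.ClassFileTransformer;
import java.lang.instrument.Instrumentation;
import java.security.ProtectionDomain;
import java.util.concurrent.ConcurrentLinkedQueue;
import java.util.regex.Pattern;
import org.objectweb.asm.ClassReader;
import org.objectweb.asm.ClassVisitor;
import org.objectweb.asm.ClassWriter;
import org.objectweb.asm.MethodVisitor;
import org.objectweb.asm.Opcodes;
import org.objectweb.asm.Type;
import org.objectweb.asm.commons.AdviceAdapter;
import org.objectweb.asm.commons.Method;

/**
 * Added example (not the patent's code): a Java agent playing the role of the "Javaagent" probe.
 * Load with -javaagent:monitor-agent.jar (manifest Premain-Class: MonitorAgent); needs asm + asm-commons.
 * The class/method patterns are assumed sample rules of the "class-name regex + method-name regex" kind.
 */
public class MonitorAgent {
    static final Pattern CLASS_RULE = Pattern.compile("com/example/trading/.*Servlet"); // placeholder package
    static final Pattern METHOD_RULE = Pattern.compile("do(Get|Post)|service");

    // The "monitoring data temporary storage area": woven code appends one record per call.
    public static final ConcurrentLinkedQueue<String> STORE = new ConcurrentLinkedQueue<>();

    // S22: run by the JVM before main(); each class passing the rule is rewritten into its A'.class.
    public static void premain(String args, Instrumentation inst) {
        inst.addTransformer(new ClassFileTransformer() {
            @Override
            public byte[] transform(ClassLoader loader, String name, Class<?> cls,
                                    ProtectionDomain pd, byte[] aClass) {
                if (name == null || !CLASS_RULE.matcher(name).matches()) return null; // leave untouched
                ClassReader cr = new ClassReader(aClass);
                ClassWriter cw = new ClassWriter(cr, ClassWriter.COMPUTE_FRAMES);
                cr.accept(new ClassVisitor(Opcodes.ASM9, cw) {
                    @Override
                    public MethodVisitor visitMethod(int acc, String m, String desc, String sig, String[] ex) {
                        MethodVisitor mv = super.visitMethod(acc, m, desc, sig, ex);
                        return METHOD_RULE.matcher(m).matches()
                                ? new TimingAdvice(mv, acc, m, desc, name + "." + m) : mv;
                    }
                }, 0);
                return cw.toByteArray(); // A'.class: same business logic plus monitoring code
            }
        });
        Thread agent = new Thread(MonitorAgent::drainEvery60s, "monitor-agent");
        agent.setDaemon(true);
        agent.start();
    }

    // Invoked from the woven bytecode on every exit of a monitored method (S23/S24).
    public static void record(String where, long startNanos) {
        long ms = (System.nanoTime() - startNanos) / 1_000_000;
        STORE.add(where + "," + ms + "ms"); // code execution time per request
    }

    // S25: every 60 s ship the buffered records and clear the temporary store.
    static void drainEvery60s() {
        while (true) {
            try { Thread.sleep(60_000); } catch (InterruptedException e) { return; }
            String rec;
            while ((rec = STORE.poll()) != null) {
                System.out.println("send to server: " + rec); // placeholder for the real transport
            }
        }
    }

    // AdviceAdapter emits bytecode at method entry and at every exit (return or throw).
    static class TimingAdvice extends AdviceAdapter {
        private final String where;
        private int startVar;

        TimingAdvice(MethodVisitor mv, int acc, String m, String desc, String where) {
            super(Opcodes.ASM9, mv, acc, m, desc);
            this.where = where;
        }

        @Override
        protected void onMethodEnter() {                 // long start = System.nanoTime();
            startVar = newLocal(Type.LONG_TYPE);
            invokeStatic(Type.getType(System.class), new Method("nanoTime", "()J"));
            storeLocal(startVar);
        }

        @Override
        protected void onMethodExit(int opcode) {        // MonitorAgent.record(where, start);
            push(where);
            loadLocal(startVar);
            invokeStatic(Type.getType(MonitorAgent.class),
                    new Method("record", "(Ljava/lang/String;J)V"));
        }
    }
}
```

Two practical points. `COMPUTE_FRAMES` makes ASM resolve common superclasses, which can fail inside an agent for classes the agent's class loader cannot see; production agents usually override `ClassWriter.getCommonSuperClass` or compute frames with the application's loader. And because the transformer runs for every class the JVM loads, the class-name rule must be checked first and cheaply, otherwise the probe itself becomes the slowest part of start-up.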
The monitoring data comprise the application system's web request URL, the average response time of a single transaction in the application system, code execution time, slow SQL statement execution indicators, third-party interface service performance indicators and Java virtual machine performance indicators.
The contents of the security deep analysis in step S4 include:
Regular-expression matching analysis: the matching rules of the algorithm come from rule sets published on the network and by some CMS vendors; after repeated modification and testing they can identify common known Web attacks, including SQL injection, XSS, command execution and other common Web vulnerabilities.
Numerical statistical analysis: the massive volume of collected log text contains a great deal of information such as user behaviour, interacting IP addresses and access counts, and some actions are hard to discover through traditional means such as rule matching, black and white lists and policy control. However, the statistical characteristics of this information can express a network action explicitly: the number of agent connections accessing a target website in a period of time, the number of times the same URL appears under different domain names, and the proportion of non-200 access responses each express a specific network action, and if that action matches a network attack pattern it can be found by numerical statistics.
Machine learning analysis: analysis with a machine learning algorithm, whose prerequisite is constructing a feature vector. Log identification mainly targets the request, the referrer and the user-agent in the log records; the request and referrer are URL paths and the user-agent is the browser name, and all three are controllable by the user and can carry an injected payload. The training set has two parts: malicious URL requests, and well-known payload repositories collected mainly from GitHub, about 30000 records in all, covering SQL injection, directory traversal, XSS (cross-site scripting), LFI (local file inclusion), XML injection, SSI injection, XPath injection and Webshell attacks.
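The three analyses of step S4 (regular-expression matching, numerical statistics and feature-vector construction for machine learning), as described both in the disclosure and in this embodiment, are shown below on the server side over a constructed one-minute window of request records. This is an added example written for this page, not the patent's code; the record layout, the handful of signatures, the thresholds and the feature set are illustrative assumptions, and the sample requests are constructed. It needs Java 16 or later for the `record` type.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import java.util.regex.Pattern;

/** Added example (not the patent's code): step S4 analyses over constructed request records. */
public class WebSecurityAnalysis {
    // One collected web request record (constructed layout, not a real log format).
    record Req(String srcIp, String host, String url, String referer, String ua, int status) {}

    // 1. Regular-matching analysis: a few illustrative signatures for common attack classes.
    static final Map<String, Pattern> RULES = new LinkedHashMap<>();
    static {
        RULES.put("sqli", Pattern.compile("(?i)('|%27)\\s*(or|and)\\s+\\d+\\s*=\\s*\\d+|union\\s+select"));
        RULES.put("xss", Pattern.compile("(?i)<script|javascript:|onerror\\s*="));
        RULES.put("traversal", Pattern.compile("(?i)\\.\\./|%2e%2e%2f"));
        RULES.put("cmd", Pattern.compile("(?i)(;|\\|\\||&&)\\s*(cat|ls|whoami|id)\\b"));
    }

    // Every user-controlled field (request path, referrer, user-agent) is checked, as the page notes.
    static List<String> matchRules(Req r) {
        List<String> hits = new ArrayList<>();
        for (Map.Entry<String, Pattern> e : RULES.entrySet()) {
            for (String field : new String[] {r.url(), r.referer(), r.ua()}) {
                if (e.getValue().matcher(field).find()) { hits.add(e.getKey()); break; }
            }
        }
        return hits;
    }

    // 2. Numerical statistics over the window: the three indicators named on the page.
    static Map<String, Integer> requestsPerIp(List<Req> window) {
        Map<String, Integer> counts = new LinkedHashMap<>();
        for (Req r : window) counts.merge(r.srcIp(), 1, Integer::sum);
        return counts;
    }

    static Map<String, Set<String>> hostsPerUrl(List<Req> window) {
        Map<String, Set<String>> hosts = new LinkedHashMap<>();
        for (Req r : window) hosts.computeIfAbsent(r.url(), k -> new TreeSet<>()).add(r.host());
        return hosts;
    }

    static double non200Ratio(List<Req> window) {
        long bad = window.stream().filter(r -> r.status() != 200).count();
        return window.isEmpty() ? 0.0 : (double) bad / window.size();
    }

    // 3. Feature vector for machine learning: per field, its length and the count of characters
    //    that rarely occur in benign paths or browser names (an assumed feature set).
    static double[] featureVector(Req r) {
        String[] fields = {r.url(), r.referer(), r.ua()};
        double[] v = new double[fields.length * 2];
        for (int i = 0; i < fields.length; i++) {
            v[2 * i] = fields[i].length();
            v[2 * i + 1] = fields[i].chars().filter(c -> "'\"<>();|%=".indexOf(c) >= 0).count();
        }
        return v;
    }

    public static void main(String[] args) {
        List<Req> window = List.of(  // constructed sample window: one minute of traffic
            new Req("10.0.0.5", "trade.example", "/bid/list", "/home", "Mozilla/5.0", 200),
            new Req("10.0.0.5", "trade.example", "/bid/list?id=1' or 1=1", "/home", "Mozilla/5.0", 500),
            new Req("10.0.0.9", "trade.example", "/login", "", "Mozilla/5.0", 200),
            new Req("10.0.0.9", "admin.example", "/login", "", "curl/8.0", 404),
            new Req("10.0.0.9", "trade.example", "/img/../../WEB-INF/web.xml", "", "curl/8.0", 404),
            new Req("10.0.0.9", "trade.example", "/search?q=<script>x</script>", "", "curl/8.0", 403));
        for (Req r : window) {
            System.out.println(r.url() + " rules=" + matchRules(r)
                    + " features=" + Arrays.toString(featureVector(r)));
        }
        System.out.println("requests per IP: " + requestsPerIp(window));
        System.out.println("hosts per URL: " + hostsPerUrl(window));   // same URL under two hosts
        System.out.printf("non-200 ratio: %.2f%n", non200Ratio(window)); // 4 of 6 -> 0.67
    }
}
```

The three results are meant to be read together, as the page suggests: the signature matcher flags individual requests, the statistics flag the source `10.0.0.9` (most requests in the window, the same `/login` URL under two hosts, and a high non-200 share), and the feature vectors are what a classifier trained on the labelled payload corpus would consume. Decoding (URL and double encoding) should be applied to the fields before matching; the signatures above are deliberately small and would be replaced by a maintained rule set in practice.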
The foregoing shows and describes the general principles and broad features of the present invention and advantages thereof. It will be understood by those skilled in the art that the present invention is not limited to the embodiments described above, which are described in the specification and illustrated only for the purpose of illustrating the structural relationship and principles of the present invention, but that various changes and modifications may be made without departing from the spirit and scope of the invention as defined in the appended claims. The scope of the invention is defined by the appended claims and equivalents thereof.
Claims (4)
1. A WEB security deep monitoring method for an electric power transaction platform, characterized by comprising the following steps:
S1, deploying a Java Virtual Machine (JVM) and the Java bytecode manipulation framework ASM on a WEB application server, and running the application program on the JVM;
S2, monitoring the operation of the application program with Java bytecode technology and acquiring the various WEB request data;
S3, collecting web request data with JavaScript code insertion technology, specifically source IP, destination IP, time, and frequency statistics of URL requests;
S4, performing web security analysis on the web request data.
2. The WEB security deep monitoring method for an electric power transaction platform according to claim 1, characterized in that step S2 specifically comprises:
S21, generating the binary file A.class directly with ASM;
S22, loading A.class into the JVM with a class loader of the JVM and, during loading, embedding monitoring code into the bytecode of A.class by Java bytecode instrumentation, producing A'.class;
S23, when a request needs to call A.class, the JVM's execution engine finds and executes A'.class, which runs the normal business logic of A.class and also runs the embedded monitoring code, capturing the web request data;
S24, when execution of the class finishes, the engine writes the monitoring data into a monitoring-data temporary storage area;
S25, every 60 s an agent thread sends the web request data to the application server and clears the temporary storage area.
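The load-time rewriting of claim 2 (S22 to S25), as an added example written for this page rather than code from the patent. It is a `java.lang.instrument` agent that uses ASM's `AdviceAdapter` to inject a timer into one method of one class while the class loader defines it, buffers each record in a queue (the temporary storage area) and drains the queue from a daemon thread every 60 s. The class name `com/example/trade/OrderServlet`, the method name `service`, and the Maven coordinates `org.ow2.asm:asm` and `org.ow2.asm:asm-commons` are assumptions; the patent names only ASM and the JVM.

```java
import java.lang.instrument.ClassFileTransformer;
import java.lang.instrument.Instrumentation;
import java.security.ProtectionDomain;
import java.util.Queue;
import java.util.concurrent.ConcurrentLinkedQueue;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;

import org.objectweb.asm.ClassReader;
import org.objectweb.asm.ClassVisitor;
import org.objectweb.asm.ClassWriter;
import org.objectweb.asm.MethodVisitor;
import org.objectweb.asm.Opcodes;
import org.objectweb.asm.Type;
import org.objectweb.asm.commons.AdviceAdapter;
import org.objectweb.asm.commons.Method;

// Added example, not the patent's implementation. Assumes org.ow2.asm:asm and asm-commons
// on the agent class path and a jar manifest containing "Premain-Class: WebMonitorAgent".
public final class WebMonitorAgent {
    // Hypothetical target: JVM internal name of the servlet class and the method to monitor.
    static final String TARGET_CLASS = "com/example/trade/OrderServlet";
    static final String TARGET_METHOD = "service";
    // S24: temporary storage area for captured monitoring records.
    static final Queue<String> BUFFER = new ConcurrentLinkedQueue<>();

    public static void premain(String agentArgs, Instrumentation inst) {
        inst.addTransformer(new MonitorTransformer());
        // S25: a daemon agent thread drains the buffer every 60 s.
        ScheduledExecutorService flusher = Executors.newSingleThreadScheduledExecutor(r -> {
            Thread t = new Thread(r, "web-monitor-flush");
            t.setDaemon(true);
            return t;
        });
        flusher.scheduleAtFixedRate(WebMonitorAgent::flush, 60, 60, TimeUnit.SECONDS);
    }

    static void flush() {
        for (String rec = BUFFER.poll(); rec != null; rec = BUFFER.poll()) {
            System.out.println("MONITOR " + rec); // stand-in for the send to the collector
        }
    }

    // Target of the injected INVOKESTATIC: public static, and on the system class path so the
    // web application's class loader can resolve it through parent delegation.
    public static void record(String cls, String method, long elapsedNanos) {
        BUFFER.add(cls + "." + method + " " + (elapsedNanos / 1_000_000) + " ms");
    }

    // S22/S23: rewrites A.class into A'.class while the class loader defines it.
    static final class MonitorTransformer implements ClassFileTransformer {
        @Override
        public byte[] transform(ClassLoader loader, String className, Class<?> redefined,
                                ProtectionDomain domain, byte[] classfile) {
            if (!TARGET_CLASS.equals(className)) return null; // null leaves the class untouched
            ClassReader reader = new ClassReader(classfile);
            ClassWriter writer = new ClassWriter(reader, ClassWriter.COMPUTE_FRAMES);
            ClassVisitor visitor = new ClassVisitor(Opcodes.ASM9, writer) {
                @Override
                public MethodVisitor visitMethod(int access, String name, String desc,
                                                 String signature, String[] exceptions) {
                    MethodVisitor mv = super.visitMethod(access, name, desc, signature, exceptions);
                    return TARGET_METHOD.equals(name) ? new TimingAdvice(mv, access, name, desc) : mv;
                }
            };
            reader.accept(visitor, ClassReader.EXPAND_FRAMES);
            return writer.toByteArray();
        }
    }

    // Injects "long t0 = System.nanoTime()" at method entry and a call to record(...) with
    // nanoTime() - t0 before every return instruction and every explicit athrow in the method.
    static final class TimingAdvice extends AdviceAdapter {
        private static final Method NANO_TIME = Method.getMethod("long nanoTime()");
        private static final Method RECORD = Method.getMethod("void record(String, String, long)");
        private final String methodName;
        private int startLocal;

        TimingAdvice(MethodVisitor mv, int access, String name, String desc) {
            super(Opcodes.ASM9, mv, access, name, desc);
            this.methodName = name;
        }

        @Override
        protected void onMethodEnter() {
            startLocal = newLocal(Type.LONG_TYPE);
            invokeStatic(Type.getType(System.class), NANO_TIME);
            storeLocal(startLocal);
        }

        @Override
        protected void onMethodExit(int opcode) {
            push(TARGET_CLASS.replace('/', '.'));
            push(methodName);
            invokeStatic(Type.getType(System.class), NANO_TIME);
            loadLocal(startLocal);
            math(SUB, Type.LONG_TYPE);          // nanoTime() - t0, leaves the return value or exception untouched below
            invokeStatic(Type.getType(WebMonitorAgent.class), RECORD);
        }
    }
}
```

Start the application with `java -javaagent:web-monitor.jar -jar app.jar`. Two practical caveats: `COMPUTE_FRAMES` resolves common superclasses through the `ClassWriter`'s own class loader, which can fail or trigger unwanted class loading inside an agent, so production agents usually override `getCommonSuperClass` or compute frames from the transforming loader; and the example records only the execution time of claim 3, not the request URL, which would require loading the method's first argument (`loadArg(0)`) and invoking the servlet request's accessor on it.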
3. The WEB security deep monitoring method for an electric power transaction platform according to claim 1, characterized in that the monitoring data comprise the web request URLs of the application system, the average response time of a single transaction in the application system, code execution time, slow-SQL execution indicators, performance indicators of third-party interface services, and Java virtual machine performance indicators.
4. The WEB security deep monitoring method for an electric power transaction platform according to claim 1, characterized in that the security deep analysis of step S4 comprises:
regular matching analysis: the regular expressions used by the algorithm come from regular-expression code published on the network and by CMS vendors, and after repeated modification and testing they identify common known Web attacks including SQL injection, XSS and command execution, among other common Web vulnerabilities;
numerical statistical analysis: the collected mass of log text carries a large amount of information such as user behaviour, interacting IP addresses and access counts, and some actions are hard to discover through traditional means such as rule matching, black/white lists and policy control; the statistical features of this information, however, can express a network action explicitly, for example the number of user-agent connections to the target website within a period of time, the number of times the same URL appears under different domain names, and the proportion of non-200 responses among the access results; each of these expresses a specific network action, and when that action matches the pattern of a network attack it can be found by numerical statistics;
machine-learning analysis: analysis with a machine-learning algorithm presupposes a feature vector; log identification targets mainly the request, referer and user-agent fields of the log records, where request and referer are URL paths and user-agent is the browser name, all three being under the user's control so that a payload can be injected into them; the training set has two parts, one consisting of malicious URL requests and the other of well-known payload repositories collected mainly from GitHub, about 30,000 records in total covering SQL injection, directory traversal, XSS, LFI, XML injection, SSI injection, XPath injection and webshell attacks.
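The three analyses of step S4, as described in the specification above and in claim 4, as one added example written for this page rather than code from the patent. It parses a handful of constructed combined-format access-log lines, runs a few illustrative regular-expression signatures over the %-decoded request, referer and user-agent fields, computes per-source-IP counts, distinct user-agents and the non-200 share, and builds the fixed-length numeric feature vector a classifier would be trained on. The log lines, the signatures, the feature set and the thresholds are all assumptions; the patent does not publish its regular expressions or its feature definition, and the classifier itself is not shown. Requires Java 17.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not the patent's code. Sample lines, signatures and thresholds are constructed.
public final class WebLogAnalysis {
    // Constructed Apache/Nginx "combined" lines: one benign client, one scanner, one XSS probe.
    static final String[] SAMPLE_LOG = {
        "10.0.0.5 - - [15/Jul/2019:10:00:01 +0800] \"GET /trade/list?page=1 HTTP/1.1\" 200 512 \"http://trade.example/\" \"Mozilla/5.0\"",
        "10.0.0.5 - - [15/Jul/2019:10:00:02 +0800] \"GET /trade/list?id=1%27%20OR%201=1-- HTTP/1.1\" 500 0 \"-\" \"sqlmap/1.3\"",
        "10.0.0.5 - - [15/Jul/2019:10:00:03 +0800] \"GET /../../etc/passwd HTTP/1.1\" 404 0 \"-\" \"sqlmap/1.3\"",
        "10.0.0.9 - - [15/Jul/2019:10:00:04 +0800] \"GET /static/app.js HTTP/1.1\" 304 0 \"http://trade.example/\" \"Mozilla/5.0\"",
        "10.0.0.7 - - [15/Jul/2019:10:00:05 +0800] \"GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1\" 200 88 \"http://other.example/\" \"Mozilla/5.0\"",
    };

    // ip ident user [time] "method url proto" status bytes "referer" "user-agent"
    static final Pattern LINE = Pattern.compile(
        "^(\\S+) \\S+ \\S+ \\[[^\\]]+\\] \"(\\S+) (\\S+)[^\"]*\" (\\d{3}) \\S+ \"([^\"]*)\" \"([^\"]*)\"");

    record Entry(String ip, String method, String url, int status, String referer, String agent) {}

    static Entry parse(String line) {
        Matcher m = LINE.matcher(line);
        if (!m.lookingAt()) return null; // malformed line: skip rather than guess
        return new Entry(m.group(1), m.group(2), m.group(3), Integer.parseInt(m.group(4)),
                         m.group(5), m.group(6));
    }

    // Regular matching analysis: illustrative signatures, applied after %-decoding so that
    // encoded payloads such as %27%20OR are seen in their decoded form.
    static final Map<String, Pattern> SIGNATURES = new LinkedHashMap<>();
    static {
        SIGNATURES.put("sqli", Pattern.compile("(?i)'\\s*(or|and)\\s+\\d+\\s*=\\s*\\d+|union\\s+select|--\\s*$"));
        SIGNATURES.put("xss", Pattern.compile("(?i)<\\s*script|javascript:|\\bon\\w+\\s*="));
        SIGNATURES.put("traversal", Pattern.compile("\\.\\./|\\.\\.\\\\"));
        SIGNATURES.put("cmdexec", Pattern.compile("(?i)[;|`]\\s*(cat|ls|id|wget|curl|bash|sh)\\b"));
    }

    static String decode(String s) {
        try { return URLDecoder.decode(s, StandardCharsets.UTF_8); }
        catch (IllegalArgumentException malformed) { return s; } // keep a bad %-escape verbatim
    }

    // All three user-controlled fields are scanned, since a payload can sit in any of them.
    static List<String> matchSignatures(Entry e) {
        List<String> hits = new ArrayList<>();
        for (String field : List.of(e.url(), e.referer(), e.agent())) {
            String text = decode(field);
            SIGNATURES.forEach((name, p) -> { if (p.matcher(text).find() && !hits.contains(name)) hits.add(name); });
        }
        return hits;
    }

    // Numerical statistical analysis: per source IP, request count, distinct user-agents and
    // the share of non-200 responses; a high non-200 share over several requests is the signal.
    static Map<String, double[]> perIpStats(List<Entry> entries) {
        Map<String, List<Entry>> byIp = new HashMap<>();
        for (Entry e : entries) byIp.computeIfAbsent(e.ip(), k -> new ArrayList<>()).add(e);
        Map<String, double[]> stats = new HashMap<>();
        byIp.forEach((ip, list) -> {
            long non200 = list.stream().filter(e -> e.status() != 200).count();
            long agents = list.stream().map(Entry::agent).distinct().count();
            stats.put(ip, new double[] { list.size(), agents, (double) non200 / list.size() });
        });
        return stats;
    }

    // Machine-learning preprocessing: fixed-length numeric feature vector over request, referer
    // and user-agent; the classifier trained on it is outside this example.
    static double[] featureVector(Entry e) {
        String url = decode(e.url()), ref = decode(e.referer()), ua = e.agent();
        long specials = url.chars().filter(c -> "'\"<>;()|`".indexOf(c) >= 0).count();
        int params = url.contains("?") ? url.substring(url.indexOf('?') + 1).split("&").length : 0;
        return new double[] {
            url.length(), specials, params,
            ref.equals("-") ? 1 : 0, ref.length(),
            ua.toLowerCase().startsWith("mozilla") ? 0 : 1, ua.length()
        };
    }

    public static void main(String[] args) {
        List<Entry> entries = new ArrayList<>();
        for (String line : SAMPLE_LOG) { Entry e = parse(line); if (e != null) entries.add(e); }
        for (Entry e : entries)
            System.out.printf("%s %s regex=%s features=%s%n", e.ip(), e.url(), matchSignatures(e),
                              Arrays.toString(featureVector(e)));
        perIpStats(entries).forEach((ip, s) -> {
            boolean suspicious = s[0] >= 2 && s[2] > 0.5; // assumed thresholds
            System.out.printf("%s requests=%.0f agents=%.0f non200=%.2f%s%n", ip, s[0], s[1], s[2],
                              suspicious ? " SUSPICIOUS" : "");
        });
    }
}
```

On the constructed lines the SQL injection, traversal and XSS probes each hit exactly one signature after decoding, and 10.0.0.5 is the only source flagged by the statistics (three requests, two user-agents, two thirds non-200). The point worth keeping from the patent's framing is that the two analyses are complementary: the decoded-field regex catches a payload on its first request, while the per-IP statistics catch a scanner whose individual requests look harmless but whose error rate and user-agent churn do not.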
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910637356.9A CN110728575A (en) | 2019-07-15 | 2019-07-15 | WEB security depth monitoring method for electric power transaction platform |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910637356.9A CN110728575A (en) | 2019-07-15 | 2019-07-15 | WEB security depth monitoring method for electric power transaction platform |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110728575A true CN110728575A (en) | 2020-01-24 |
Family
ID=69217094
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910637356.9A Pending CN110728575A (en) | 2019-07-15 | 2019-07-15 | WEB security depth monitoring method for electric power transaction platform |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110728575A (en) |
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111371695A (en) * | 2020-03-03 | 2020-07-03 | 中国工商银行股份有限公司 | Service current limiting method and device |
CN111367768A (en) * | 2020-03-30 | 2020-07-03 | 中国建设银行股份有限公司 | Method and device for monitoring function response time of program |
CN112054993A (en) * | 2020-08-04 | 2020-12-08 | 南京焦点领动云计算技术有限公司 | Website cross-site scripting attack defense method |
CN112054993B (en) * | 2020-08-04 | 2022-05-06 | 南京焦点领动云计算技术有限公司 | Website cross-site scripting attack defense method |
CN112181784A (en) * | 2020-10-21 | 2021-01-05 | 中国工商银行股份有限公司 | Code fault analysis method and system based on bytecode injection |
CN112181784B (en) * | 2020-10-21 | 2024-03-26 | 中国工商银行股份有限公司 | Code fault analysis method and system based on byte code injection |
CN112398833A (en) * | 2020-11-04 | 2021-02-23 | 深圳供电局有限公司 | Network WEB vulnerability identification and blocking system and method |
CN112487434A (en) * | 2020-11-05 | 2021-03-12 | 杭州孝道科技有限公司 | Application software self-adaptive safety protection method |
CN112422581A (en) * | 2020-11-30 | 2021-02-26 | 杭州安恒信息技术股份有限公司 | Webshell webpage detection method, device and equipment in JVM (Java virtual machine) |
CN112422581B (en) * | 2020-11-30 | 2022-04-26 | 杭州安恒信息技术股份有限公司 | Webshell webpage detection method, device and equipment in JVM (Java virtual machine) |
CN114489838A (en) * | 2022-01-11 | 2022-05-13 | 江苏京玉信息技术有限公司 | Method, device and storage medium for intercepting HTTP server data |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110728575A (en) | WEB security depth monitoring method for electric power transaction platform | |
Groce et al. | What are the actual flaws in important smart contracts (and how can we find them)? | |
Wu et al. | Automated adaptive intrusion containment in systems of interacting services | |
KR20070043707A (en) | Apparatus and method for developing, testing and monitoring secure software | |
Irshad et al. | Trace: Enterprise-wide provenance tracking for real-time apt detection | |
Liao et al. | SmartDagger: a bytecode-based static analysis approach for detecting cross-contract vulnerability | |
WO2022147339A1 (en) | Automated threat model generation | |
WO2023035751A1 (en) | Intelligent confusion for mobile terminal application | |
JP6282217B2 (en) | Anti-malware system and anti-malware method | |
Chen et al. | CLARION: Sound and clear provenance tracking for microservice deployments |
Alyas et al. | Container performance and vulnerability management for container security using docker engine | |
Gauthier et al. | Fast detection of access control vulnerabilities in php applications | |
Luo et al. | Tainting-assisted and context-migrated symbolic execution of android framework for vulnerability discovery and exploit generation | |
Bello et al. | Towards a taint mode for cloud computing web applications | |
Qin et al. | Towards automated security analysis of smart contracts based on execution property graph | |
Malik et al. | An empirical study of vulnerabilities in edge frameworks to support security testing improvement | |
Nirumand et al. | A model‐based framework for inter‐app Vulnerability analysis of Android applications | |
CN117032894A (en) | Container security state detection method and device, electronic equipment and storage medium | |
Moffie et al. | Hunting trojan horses | |
Zhang et al. | A survey on security of cloud environment: threats, solutions, and innovation | |
Aarya et al. | Web scanning: existing techniques and future | |
Meenakshi et al. | Literature survey on log-based anomaly detection framework in cloud | |
Min et al. | Android software vulnerability mining framework based on dynamic taint analysis technology | |
Lu et al. | Static detection of file access control vulnerabilities on windows system | |
Cornelius et al. | Recommended practice: Creating cyber forensics plans for control systems |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |