CN110944005A - Defense method, device, equipment and medium based on application layer firewall - Google Patents

Info

Publication number
CN110944005A
Authority
CN
China
Prior art keywords
firewall
target
server
information vector
server information
Legal status
Pending
Application number
CN201911259266.7A
Other languages
Chinese (zh)
Inventor
陈曦
范渊
Current Assignee
DBAPPSecurity Co Ltd
Hangzhou Dbappsecurity Technology Co Ltd
Original Assignee
Hangzhou Dbappsecurity Technology Co Ltd
Classifications

    • H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION; H04L 63/00 Network architectures or network communication protocols for network security; H04L 63/20 for managing network security; network security policies in general
    • H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION; H04L 63/00 Network architectures or network communication protocols for network security; H04L 63/02 for separating internal from external traffic, e.g. firewalls
    • H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION; H04L 63/00 Network architectures or network communication protocols for network security; H04L 63/14 for detecting or protecting against malicious traffic; H04L 63/1441 Countermeasures against malicious traffic

Abstract

The application discloses a defense method, a defense device, defense equipment and a defense medium based on an application layer firewall, wherein the method comprises the following steps: receiving a first server information vector acquired by a firewall agent in a target server, wherein the firewall agent is an executable file deployed in the target server and is used for acquiring the first server information vector about the target server; analyzing the first server information vector to obtain a second server information vector; determining a target firewall attack detection strategy corresponding to the target server according to the second server information vector and a local preset strategy tree; and defending the target server by using the target firewall attack detection strategy. In this way a detection strategy corresponding to the server can be generated, so that detection efficiency and detection accuracy are improved, the false negative rate and the false positive rate are reduced, and defense performance is enhanced.

Description

Defense method, device, equipment and medium based on application layer firewall
Technical Field
The present application relates to the field of network security technologies, and in particular, to a defense method, apparatus, device, and medium based on an application layer firewall.
Background
Currently, in the process of defending a relevant server and the like, an application layer firewall needs to execute a corresponding detection strategy to detect a corresponding data stream so as to judge whether the data stream attacks the server.
In the prior art, during data stream detection by an application-layer firewall, all preset attack detection strategies need to be executed for all protected servers to prevent missed detection; for many servers, however, some of those attack detection strategies are redundant, which leads to low detection efficiency. In addition, the server is detected by a black-box method during detection, that is, a corresponding request is sent to the server and the type of application on the server is inferred from the response. That probing is itself interfered with by the firewall's protection of the server, so detection accuracy is reduced and the false negative and false positive rates are high.
Disclosure of Invention
In view of this, an object of the present application is to provide a method, an apparatus, a device, and a medium for defending based on an application-layer firewall, which can generate an attack detection policy corresponding to a server, improve detection efficiency and detection accuracy, reduce a false negative rate and a false positive rate, and enhance defense performance. The specific scheme is as follows:
in a first aspect, the present application discloses a defense method based on an application layer firewall, applied to an application layer firewall device, including:
receiving a first server information vector acquired by a firewall agent in a target server, wherein the firewall agent is an executable file deployed in the target server and is used for acquiring the first server information vector about the target server;
analyzing the first server information vector to obtain a second server information vector;
determining a target firewall attack detection strategy corresponding to the target server according to the second server information vector and a local preset strategy tree;
and defending the target server by using the target firewall attack detection strategy.
Optionally, the receiving the first server information vector acquired by the firewall agent in the target server includes:
and receiving a first server information vector acquired by a firewall agent in the target server according to a preset time interval.
Optionally, the receiving the first server information vector acquired by the firewall agent in the target server includes:
receiving a first server information vector which is acquired by a firewall agent in a target server and comprises an operating system type, an operating system type version, an application container type version, an application software type and an application software type version.
Optionally, the receiving the first server information vector acquired by the firewall agent in the target server includes:
and receiving a first server information vector acquired by a firewall agent in the target server through a TCP socket.
Optionally, the analyzing the first server information vector to obtain a second server information vector includes:
decrypting the first server information vector to obtain a second server information vector;
and/or decoding the first server information vector to obtain a second server information vector.
Optionally, the defending the target server by using the target firewall attack detection policy includes:
if the application layer firewall equipment is an application layer firewall controller, the target firewall attack detection strategy is sent to the corresponding application layer firewall so as to control the application layer firewall to defend the target server by utilizing the target firewall attack detection strategy;
and if the application layer firewall equipment is the application layer firewall, executing the target firewall attack detection strategy to detect corresponding data flow so as to defend the target server.
Optionally, the determining a target firewall attack detection policy corresponding to the target server according to the second server information vector and a local preset policy tree includes:
pruning the local preset strategy tree according to the second server information vector to obtain a target strategy tree;
and combining the strategy information in the target strategy tree according to the sequence of the information in the second server information vector to determine a target firewall attack detection strategy corresponding to the target server.
In a second aspect, the present application discloses a defense apparatus based on an application layer firewall, applied to an application layer firewall device, including:
the vector receiving module is used for receiving a first server information vector acquired by a firewall agent in a target server, wherein the firewall agent is an executable file deployed in the target server and is used for acquiring the first server information vector related to the target server;
the vector analysis module is used for analyzing the first server information vector to obtain a second server information vector;
the strategy determining module is used for determining a target firewall attack detection strategy corresponding to the target server according to the second server information vector and a local preset strategy tree;
and the attack defense module is used for defending the target server by utilizing the target firewall attack detection strategy.
In a third aspect, the application discloses an application layer firewall device, including:
a memory and a processor;
wherein the memory is used for storing a computer program;
the processor is used for executing the computer program to realize the defense method based on the application layer firewall disclosed in the foregoing.
In a fourth aspect, the present application discloses a computer readable storage medium for storing a computer program, wherein the computer program, when executed by a processor, implements the application-layer firewall-based defense method disclosed above.
As can be seen, the method includes receiving a first server information vector acquired by a firewall agent in a target server, where the firewall agent is an executable file deployed in the target server and is configured to acquire the first server information vector about the target server; then analyzing the first server information vector to obtain a second server information vector; then determining a target firewall attack detection strategy corresponding to the target server according to the second server information vector and a local preset strategy tree; and defending the target server by using the target firewall attack detection strategy. Therefore, after the first server information vector acquired by the firewall agent is received, it is analyzed to obtain the second server information vector, the target firewall attack detection strategy is determined from that vector and the local preset strategy tree, and the target server is defended with that strategy. An attack detection strategy specific to the server is thus generated, detection efficiency and detection accuracy are improved, the false negative rate and the false positive rate are reduced, and defense performance is enhanced.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, it is obvious that the drawings in the following description are only embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
FIG. 1 is a flow chart of a defense method based on an application layer firewall according to the present disclosure;
FIG. 2 is a schematic diagram of a firewall agent and firewall linkage deployment architecture disclosed herein;
FIG. 3 is a schematic diagram of a firewall agent and firewall controller linkage deployment structure disclosed in the present application;
FIG. 4 is a flowchart of a specific defense method based on an application-level firewall according to the present disclosure;
FIG. 5 is a schematic diagram illustrating a target firewall attack detection policy obtained by using a preset policy tree according to the present disclosure;
FIG. 6 is a schematic diagram of an application-level firewall-based defense apparatus according to the present disclosure;
fig. 7 is a diagram of an application-layer firewall device according to the present disclosure.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
At present, during data flow detection by an application layer firewall, all preset attack detection strategies need to be executed for all protected servers to prevent missed detection; for many servers, however, some of those attack detection strategies are redundant, which leads to low detection efficiency. In addition, the server is detected by a black-box method during detection, that is, a corresponding request is sent to the server and the type of application on the server is inferred from the response. That probing is itself interfered with by the firewall's protection of the server, so detection accuracy is reduced and the false negative and false positive rates are high. In view of this, the present application provides a defense method based on an application layer firewall, which can generate an attack detection policy corresponding to a server, improve detection efficiency and detection accuracy, reduce the false negative rate and the false positive rate, and enhance defense performance.
Referring to fig. 1, an embodiment of the present application discloses a defense method based on an application layer firewall, which is applied to an application layer firewall device, and the method includes:
step S11: receiving a first server information vector acquired by a firewall agent in a target server, wherein the firewall agent is an executable file deployed in the target server and is used for acquiring the first server information vector about the target server.
In a specific implementation process, a firewall agent needs to be deployed in a server, where the firewall agent is an executable file deployed inside the server and is used to obtain target information about the server to obtain a server information vector related to the server. The firewall agent may be one or more executable files that run as a separate daemon or script inside the server. The application layer firewall device can be an application layer firewall or an application layer firewall controller.
Referring to fig. 2, a schematic diagram of a deployment structure in which a firewall agent and a firewall are linked is shown. Firewall agents (FW-agents) are deployed on two servers using Linux as the operating system; the application services running in the WEB software container Nginx on Linux1 include WEB services and a CMS (Content Management System), and the application services running in the WEB software container Apache on Linux2 include Mail. Each firewall agent acquires the first server information vector of its own server and sends it to the firewall, where the firewall is the application layer firewall. Referring to fig. 3, a schematic diagram of a deployment structure in which a firewall agent and a firewall controller are linked is shown. Firewall agents (FW-agents) are deployed on two servers using Linux as the operating system; the application services running in the WEB software container Nginx on Linux1 include WEB services and a CMS, and the application services running in the WEB software container Apache on Linux2 include Mail. Each firewall agent acquires the first server information vector of its own server and sends it to the firewall controller, where the firewall controller is the application layer firewall controller.
In this embodiment, a first server information vector acquired by a firewall agent in a target server needs to be received first, where the first server information vector includes, but is not limited to, server hardware information, an operating system type version, an application container type version, application software, and an application software type version. The first server information vector is an information vector in which server information is arranged according to the sequence from operating system information to application software information. The receiving a first server information vector acquired by a firewall agent in a target server includes: and receiving a first server information vector acquired by a firewall agent in the target server through a local TCP socket. The receiving a first server information vector acquired by a firewall agent in a target server includes: and receiving a first server information vector acquired by a firewall agent in the target server according to a preset time interval. That is, the firewall agent may obtain the first server information vector of the target server according to a preset time interval, and send the first server information vector to the application layer firewall device in real time. And the application layer firewall equipment receives the first server information vector sent by the firewall agent through a local TCP socket. In addition, the firewall agent can also acquire the first server information vector of the target server by taking a specific condition as a trigger.
In this embodiment, the obtaining, by the firewall agent, of the first server information vector of the target server includes: acquiring the list of processes running on the target server through a system call, and determining the application container type from the executable file path and the corresponding name of the target process in that list; searching for a version character string in the target binary file at that executable path to acquire the application container type version; and analyzing the configuration file or registry key of the application container to acquire the application software type and the application software type version.
Step S12: and analyzing the first server information vector to obtain a second server information vector.
In a specific implementation process, the first server information vector obtained and sent by the firewall agent is generally encrypted and/or encoded, so the first server information vector needs to be analyzed to obtain a second server information vector. The analyzing the first server information vector to obtain a second server information vector includes: decrypting the first server information vector to obtain a second server information vector; and/or decoding the first server information vector to obtain a second server information vector. That is, if the first server information vector is an encrypted information vector, it needs to be decrypted to obtain the second server information vector; if the first server information vector is an encoded information vector, it is decoded to obtain the second server information vector; and if the first server information vector is both encoded and encrypted, it is decrypted and decoded to obtain the second server information vector.
Step S13: and determining a target firewall attack detection strategy corresponding to the target server according to the second server information vector and a local preset strategy tree.
It can be understood that after the second server information vector is obtained, a target firewall attack detection policy corresponding to the target server needs to be determined according to the second server information vector and a local preset policy tree. The local preset policy tree may be a general policy tree stored locally, or a set of policy trees stored locally and generated according to different server information vectors. When the local preset policy tree consists of policy trees generated according to different server information vectors, the corresponding policy tree is selected from them according to the second server information vector, and the target firewall attack detection policy corresponding to the target server is determined from that policy tree. When the local preset policy tree is a general policy tree stored locally, the general policy tree is pruned according to the second server information vector to obtain a target policy tree, and the target firewall attack detection policy corresponding to the target server is determined from the target policy tree.
Step S14: and defending the target server by using the target firewall attack detection strategy.
In a specific implementation process, after the target firewall attack detection strategy is determined, defense needs to be performed using that strategy. The application layer firewall equipment comprises an application layer firewall and an application layer firewall controller, and correspondingly, defending the target server by using the target firewall attack detection strategy comprises the following steps: if the application layer firewall equipment is an application layer firewall controller, the target firewall attack detection strategy is sent to the corresponding application layer firewall so as to control the application layer firewall to defend the target server by utilizing the target firewall attack detection strategy; and if the application layer firewall equipment is the application layer firewall itself, the target firewall attack detection strategy is executed to detect the corresponding data flow so as to defend the target server.
As can be seen, the method includes receiving a first server information vector acquired by a firewall agent in a target server, where the firewall agent is an executable file deployed in the target server and is configured to acquire the first server information vector about the target server; then analyzing the first server information vector to obtain a second server information vector; then determining a target firewall attack detection strategy corresponding to the target server according to the second server information vector and a local preset strategy tree; and defending the target server by using the target firewall attack detection strategy. Therefore, after the first server information vector acquired by the firewall agent is received, it is analyzed to obtain the second server information vector, the target firewall attack detection strategy is determined from that vector and the local preset strategy tree, and the target server is defended with that strategy. An attack detection strategy specific to the server can thus be generated, detection efficiency and detection accuracy are improved, the false negative rate and the false positive rate are reduced, and defense performance is enhanced.
Referring to fig. 4, an embodiment of the present application discloses a specific defense method based on an application layer firewall, which is applied to an application layer firewall device, and the method includes:
step S21: receiving a first server information vector which is acquired by a firewall agent in a target server and comprises an operating system type, an operating system type version, an application container type version, an application software type and an application software type version, wherein the firewall agent is an executable file deployed in the target server and is used for acquiring the first server information vector about the target server.
In a specific implementation process, a first server information vector acquired and sent by a firewall agent in a target server needs to be received, where the first server information vector includes, but is not limited to, server hardware information, an operating system type version, an application type, an application container type version, an application software type version, an application software language version, and the like. The application types include but are not limited to web pages, mail, FTP, etc.; the application container types include but are not limited to Nginx, Apache, etc.; the application software includes but is not limited to phpBB, Joomla, WordPress, etc.; and the application software languages include but are not limited to PHP5, ASP, etc.
Step S22: and analyzing the first server information vector to obtain a second server information vector.
Step S23: and pruning the local preset strategy tree according to the second server information vector to obtain a target strategy tree.
In a specific implementation process, the local preset policy tree may be a general policy tree that is pre-stored locally. After the second server information vector is obtained, the local preset policy tree needs to be pruned according to the second server information vector: the policies that do not correspond to the application container type, the application container type version, the application software type, and the application software type version are deleted, and the target policy tree is obtained.
Step S24: and combining the strategy information in the target strategy tree according to the sequence of the information in the second server information vector to determine a target firewall attack detection strategy corresponding to the target server.
It can be understood that after the target policy tree is obtained, policy information in the target policy tree needs to be combined according to the sequence of each information in the second server information vector, so as to determine a target firewall attack detection policy corresponding to the target server.
Referring to fig. 5, a schematic diagram of obtaining a target firewall attack detection policy by using a preset policy tree is shown. The information in the second server information vector includes: application type: Web Service; application container type: Nginx; application container type version: version A; application software type: PHP; and application software type version. According to the application type, the general web attack detection strategy in the strategy tree is retained; then, according to the application container type, the Nginx attack detection strategy under the general web attack detection strategy is retained; then, according to the application container type version, the Nginx version A attack detection strategy under the Nginx attack detection strategy is retained; then, according to the application software type, the PHP application attack detection strategy under the Nginx version A attack detection strategy is retained; and the target firewall attack detection strategy for the target server's web application is thus obtained.
Step S25: and defending the target server by using the target firewall attack detection strategy.
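The following is an added worked example (not code from the patent or its assignee) of steps S22 to S24 and the fig. 5 walk: the received vector is decoded, a general policy tree is pruned field by field in vector order, and the surviving rules are combined into the target policy. The wire format (base64-encoded JSON), the policy tree and its rule names are constructed assumptions; the patent specifies none of them. The example also covers a case the description does not spell out: a vector value the tree does not know stops the walk at the last matching level, so the server keeps the general rules rather than losing protection.

```python
import base64
import json

# Constructed general policy tree (an assumption, not the patent's data).
# Each node holds the detection rules that apply at that level and child
# nodes keyed by the value of the next field of the server information vector.
POLICY_TREE = {
    "rules": [],
    "children": {
        "web": {
            "rules": ["web-generic-sqli", "web-generic-xss"],
            "children": {
                "nginx": {
                    "rules": ["nginx-generic"],
                    "children": {
                        "A": {
                            "rules": ["nginx-A-specific"],
                            "children": {
                                "php": {"rules": ["php-code-injection", "php-file-inclusion"], "children": {}},
                                "asp": {"rules": ["asp-specific"], "children": {}},
                            },
                        },
                        "B": {"rules": ["nginx-B-specific"], "children": {}},
                    },
                },
                "apache": {"rules": ["apache-generic"], "children": {}},
            },
        },
        "mail": {"rules": ["mail-generic"], "children": {}},
    },
}

# Vector fields in the order the description requires: general (application
# type) first, specific (application software) last.
VECTOR_FIELDS = ("app_type", "container", "container_version", "app_software")


def encode_vector(vector: dict) -> bytes:
    """Agent side of the assumed wire format; used only to build sample input."""
    return base64.b64encode(json.dumps(vector).encode())


def decode_vector(wire: bytes) -> dict:
    """Step S22 under the assumed wire format: base64-encoded JSON object."""
    return json.loads(base64.b64decode(wire, validate=True))


def prune_tree(tree: dict, vector: dict, fields=VECTOR_FIELDS) -> dict:
    """Step S23: keep only the branch selected by the vector, one field per level.
    A missing or unknown value stops the walk, so the rules of every level that
    did match are kept instead of dropping the server to no rules at all."""
    node = tree
    pruned = {"rules": list(tree["rules"]), "children": {}}
    cursor = pruned
    for field in fields:
        value = vector.get(field)
        child = node["children"].get(value)
        if child is None:
            break
        cursor["children"] = {value: {"rules": list(child["rules"]), "children": {}}}
        cursor = cursor["children"][value]
        node = child
    return pruned


def combine_policy(pruned: dict) -> list:
    """Step S24: concatenate the rules from root to leaf, i.e. in vector order."""
    policy, node = [], pruned
    while node is not None:
        policy.extend(node["rules"])
        node = next(iter(node["children"].values()), None)  # at most one child after pruning
    return policy


def count_rules(tree: dict) -> int:
    """Rules a firewall would execute without pruning (the prior-art case)."""
    return len(tree["rules"]) + sum(count_rules(c) for c in tree["children"].values())


def build_policy(wire: bytes, tree: dict = POLICY_TREE) -> list:
    """Steps S22 to S24 end to end: decode, prune, combine."""
    return combine_policy(prune_tree(tree, decode_vector(wire)))


if __name__ == "__main__":
    # Constructed sample vector matching the fig. 5 walk (web / Nginx / version A / PHP).
    sample = encode_vector({"os": "linux", "app_type": "web", "container": "nginx",
                            "container_version": "A", "app_software": "php"})
    print(count_rules(POLICY_TREE), "rules in the general tree")
    print(build_policy(sample))
```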
Referring to fig. 6, an embodiment of the present application discloses a defense apparatus based on an application layer firewall, which is applied to an application layer firewall device, and includes:
a vector receiving module 11, configured to receive a first server information vector obtained by a firewall agent in a target server, where the firewall agent is an executable file deployed in the target server and is configured to obtain the first server information vector about the target server;
the vector analyzing module 12 is configured to analyze the first server information vector to obtain a second server information vector;
the policy determining module 13 is configured to determine a target firewall attack detection policy corresponding to the target server according to the second server information vector and a local preset policy tree;
and the attack defense module 14 is used for defending the target server by utilizing the target firewall attack detection strategy.
Further, referring to fig. 7, an embodiment of the present application further discloses an application layer firewall device, including: a processor 21 and a memory 22.
Wherein the memory 22 is used for storing a computer program; the processor 21 is configured to execute the computer program to implement the defense method based on the application-layer firewall disclosed in the foregoing embodiment.
For the specific process of the defense method based on the application layer firewall, reference may be made to the corresponding contents disclosed in the foregoing embodiments, and details are not repeated here.
Further, an embodiment of the present application also discloses a computer readable storage medium for storing a computer program, wherein the computer program, when executed by a processor, implements the following steps:
receiving a first server information vector acquired by a firewall agent in a target server, wherein the firewall agent is an executable file deployed in the target server and is used for acquiring the first server information vector about the target server; analyzing the first server information vector to obtain a second server information vector; determining a target firewall attack detection strategy corresponding to the target server according to the second server information vector and a local preset strategy tree; and defending the target server by using the target firewall attack detection strategy.
As can be seen, the method includes receiving a first server information vector acquired by a firewall agent in a target server, where the firewall agent is an executable file deployed in the target server and is configured to acquire the first server information vector about the target server; then analyzing the first server information vector to obtain a second server information vector; then determining a target firewall attack detection strategy corresponding to the target server according to the second server information vector and a local preset strategy tree; and defending the target server by using the target firewall attack detection strategy. Therefore, after the first server information vector acquired by the firewall agent in the target server is received, it is analyzed to obtain the second server information vector, the target firewall attack detection strategy corresponding to the target server is determined according to the second server information vector and the local preset strategy tree, and the target firewall attack detection strategy is used to defend the target server. An attack detection strategy specific to the server can thus be generated, so that detection efficiency and detection accuracy are improved, the false positive rate and the false negative rate are reduced, and defense performance is enhanced.
In this embodiment, when the computer subprogram stored in the computer-readable storage medium is executed by the processor, the following steps may be specifically implemented: and receiving a first server information vector acquired by a firewall agent in the target server according to a preset time interval.
In this embodiment, when the computer subprogram stored in the computer-readable storage medium is executed by the processor, the following steps may be specifically implemented: receiving a first server information vector which is acquired by a firewall agent in a target server and comprises an operating system type, an operating system type version, an application container type, an application container type version, an application software type and an application software type version.
In this embodiment, when the computer subprogram stored in the computer-readable storage medium is executed by the processor, the following steps may be specifically implemented: and receiving a first server information vector acquired by a firewall agent in the target server through a TCP socket.
In this embodiment, when the computer subprogram stored in the computer-readable storage medium is executed by the processor, the following steps may be specifically implemented: decrypting the first server information vector to obtain a second server information vector; and/or decoding the first server information vector to obtain a second server information vector.
In this embodiment, when the computer subprogram stored in the computer-readable storage medium is executed by the processor, the following steps may be specifically implemented: if the application layer firewall equipment is an application layer firewall controller, the target firewall attack detection strategy is sent to the corresponding application layer firewall so as to control the application layer firewall to defend the target server by utilizing the target firewall attack detection strategy; and if the application layer firewall equipment is the application layer firewall, executing the target firewall attack detection strategy to detect corresponding data flow so as to defend the target server.
In this embodiment, when the computer subprogram stored in the computer-readable storage medium is executed by the processor, the following steps may be specifically implemented: pruning the local preset strategy tree according to the second server information vector to obtain a target strategy tree; and combining the strategy information in the target strategy tree according to the sequence of the information in the second server information vector to determine a target firewall attack detection strategy corresponding to the target server.
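The parse, prune and combine steps just described (and restated in claims 5 and 7) can be modelled as a small program. The following Python sketch is an added example and is not code from the patent or its applicant: it assumes the first vector is base64-wrapped JSON (the page only says it is decoded and/or decrypted), uses a constructed preset strategy tree whose depth follows the field order of the vector given above, and uses placeholder rule IDs in place of real detection rule sets. Pruning keeps the single branch that matches the vector, preferring an exact key over the `*` wildcard at each depth and stopping early when no child matches; combining concatenates the rule IDs along that branch root-to-leaf, which is the order of the fields in the second vector.

```python
import base64
import json

# Field order of the server information vector, as listed on the page.
VECTOR_FIELDS = (
    "os_type", "os_version",
    "container_type", "container_version",
    "app_type", "app_version",
)


def node(rules, children=None):
    """One strategy-tree node: rule IDs that apply at this depth plus sub-branches."""
    return {"rules": list(rules), "children": children or {}}


# Constructed local preset strategy tree (an assumption, not the patent's data).
# Depth k is keyed by the value of VECTOR_FIELDS[k]; "*" matches any value.
# Rule IDs are placeholders standing for detection rule sets.
PRESET_POLICY_TREE = node(["RULE-GENERIC-HTTP"], {
    "linux": node(["RULE-LINUX"], {
        "*": node([], {
            "tomcat": node(["RULE-TOMCAT"], {
                "8.5": node(["RULE-TOMCAT-8.5"], {
                    "webapp-a": node(["RULE-APP-A"], {
                        "2.1": node(["RULE-APP-A-2.1"]),
                        "*": node(["RULE-APP-A-ANY"]),
                    }),
                }),
                "9.0": node(["RULE-TOMCAT-9.0"]),
            }),
            "nginx": node(["RULE-NGINX"]),
        }),
    }),
    "windows": node(["RULE-WINDOWS"]),
})


def encode_vector(fields: dict) -> bytes:
    """Constructed agent-side encoding: JSON wrapped in base64 (assumption)."""
    return base64.b64encode(json.dumps(fields).encode())


def decode_vector(first_vector: bytes) -> list:
    """Parse step: decode the first vector into the second vector, an ordered
    list of field values. A report missing any field is rejected."""
    fields = json.loads(base64.b64decode(first_vector))
    missing = [f for f in VECTOR_FIELDS if f not in fields]
    if missing:
        raise ValueError(f"server information vector missing fields: {missing}")
    return [str(fields[f]) for f in VECTOR_FIELDS]


def prune_tree(tree: dict, second_vector: list) -> dict:
    """Prune step: keep only the branch matching the vector. An exact key wins
    over "*"; if neither exists the walk stops and the partial path is kept."""
    pruned = node(tree["rules"])
    cursor, current = pruned, tree
    for value in second_vector:
        children = current["children"]
        key = value if value in children else "*"
        if key not in children:
            break
        current = children[key]
        cursor["children"][key] = node(current["rules"])
        cursor = cursor["children"][key]
    return pruned


def combine_policy(pruned: dict) -> list:
    """Combine step: concatenate rule IDs root-to-leaf (vector field order),
    dropping duplicates while preserving first occurrence."""
    policy, current = [], pruned
    while current is not None:
        for rule in current["rules"]:
            if rule not in policy:
                policy.append(rule)
        children = current["children"]
        current = next(iter(children.values())) if children else None
    return policy


def target_policy(first_vector: bytes, tree: dict = PRESET_POLICY_TREE) -> list:
    """Whole pipeline: parse the first vector, prune the preset tree, combine."""
    return combine_policy(prune_tree(tree, decode_vector(first_vector)))


# Constructed sample report as a firewall agent might send it.
SAMPLE_FIRST_VECTOR = encode_vector({
    "os_type": "linux", "os_version": "5.4",
    "container_type": "tomcat", "container_version": "8.5",
    "app_type": "webapp-a", "app_version": "2.1",
})

if __name__ == "__main__":
    print(target_policy(SAMPLE_FIRST_VECTOR))
```

The wildcard level under `linux` shows why the tree is pruned rather than matched exactly: a kernel version the operator has no version-specific rules for still yields the container and application rules below it, while an unknown application version falls back to the `*` branch instead of producing an empty strategy.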
The embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same or similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
Finally, it is further noted that, herein, relational terms such as first and second, and the like, may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but may also include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The application-layer firewall-based defense method, device, equipment and medium provided by the present application have been introduced in detail above. A specific example has been used in the description to explain the principle and implementation of the application, and the description of the embodiments is intended only to help understand the method and core idea of the application. Meanwhile, for a person skilled in the art, there may be variations in the specific embodiments and the scope of application according to the idea of the present application; in summary, the content of this specification should not be construed as a limitation of the present application.

Claims (10)

1. A defense method based on an application layer firewall is characterized in that the defense method is applied to application layer firewall equipment and comprises the following steps:
receiving a first server information vector acquired by a firewall agent in a target server, wherein the firewall agent is an executable file deployed in the target server and is used for acquiring the first server information vector about the target server;
analyzing the first server information vector to obtain a second server information vector;
determining a target firewall attack detection strategy corresponding to the target server according to the second server information vector and a local preset strategy tree;
and defending the target server by using the target firewall attack detection strategy.
2. The method according to claim 1, wherein receiving the first server information vector obtained by the firewall agent in the target server comprises:
and receiving a first server information vector acquired by a firewall agent in the target server according to a preset time interval.
3. The method according to claim 2, wherein receiving the first server information vector obtained by the firewall agent in the target server comprises:
receiving a first server information vector which is acquired by a firewall agent in a target server and comprises an operating system type, an operating system type version, an application container type version, an application software type and an application software type version.
4. The method according to claim 1, wherein receiving the first server information vector obtained by the firewall agent in the target server comprises:
and receiving a first server information vector acquired by a firewall agent in the target server through a local TCP socket.
5. The method of claim 1, wherein parsing the first server information vector to obtain a second server information vector comprises:
decrypting the first server information vector to obtain a second server information vector;
and/or decoding the first server information vector to obtain a second server information vector.
6. The application layer firewall-based defense method according to claim 1, wherein the defending the target server with the target firewall attack detection policy comprises:
if the application layer firewall equipment is an application layer firewall controller, the target firewall attack detection strategy is sent to the corresponding application layer firewall so as to control the application layer firewall to defend the target server by utilizing the target firewall attack detection strategy;
and if the application layer firewall equipment is the application layer firewall, executing the target firewall attack detection strategy to detect corresponding data flow so as to defend the target server.
7. The method as claimed in any one of claims 1 to 6, wherein the determining a target firewall attack detection policy corresponding to the target server according to the second server information vector and a local preset policy tree includes:
pruning the local preset strategy tree according to the second server information vector to obtain a target strategy tree;
and combining the strategy information in the target strategy tree according to the sequence of the information in the second server information vector to determine a target firewall attack detection strategy corresponding to the target server.
8. An application-layer-firewall-based defense device, applied to application layer firewall equipment, comprising:
a vector receiving module, configured to receive a first server information vector acquired by a firewall agent in a target server, wherein the firewall agent is an executable file deployed in the target server and is used for acquiring the first server information vector related to the target server;
the vector analysis module is used for analyzing the first server information vector to obtain a second server information vector;
the strategy determining module is used for determining a target firewall attack detection strategy corresponding to the target server according to the second server information vector and a local preset strategy tree;
and the attack defense module is used for defending the target server by utilizing the target firewall attack detection strategy.
9. An application layer firewall device, comprising:
a memory and a processor;
wherein the memory is used for storing a computer program;
the processor is configured to execute the computer program to implement the application-layer-firewall-based defense method according to any one of claims 1 to 7.
10. A computer-readable storage medium for storing a computer program, wherein the computer program when executed by a processor implements the application-layer firewall-based defense method according to any one of claims 1 to 7.
CN201911259266.7A 2019-12-10 2019-12-10 Defense method, device, equipment and medium based on application layer firewall Pending CN110944005A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911259266.7A CN110944005A (en) 2019-12-10 2019-12-10 Defense method, device, equipment and medium based on application layer firewall

Publications (1)

Publication Number Publication Date
CN110944005A true CN110944005A (en) 2020-03-31

Family

ID=69910530

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911259266.7A Pending CN110944005A (en) 2019-12-10 2019-12-10 Defense method, device, equipment and medium based on application layer firewall

Country Status (1)

Country Link
CN (1) CN110944005A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101964804A (en) * 2010-10-22 2011-02-02 北京工业大学 Attack defense system under IPv6 protocol and implementation method thereof
US20140150052A1 (en) * 2010-08-23 2014-05-29 Akihiro Mihara Web service provision system, server device, and method
CN105959331A (en) * 2016-07-19 2016-09-21 上海携程商务有限公司 Firewall policy optimization method and device
CN107800709A (en) * 2017-11-06 2018-03-13 杭州迪普科技股份有限公司 A kind of method and device for generating network attack detection strategy
CN109104399A (en) * 2017-11-23 2018-12-28 新华三信息安全技术有限公司 A kind of security strategy rule configuration method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200331