CN111181924A - Web application firewall method and system based on application gateway - Google Patents


Info

Publication number
CN111181924A
Authority
CN
China
Prior art keywords
request
web application
detection
web
gateway
Prior art date
Legal status
Pending
Application number
CN201911269167.7A
Other languages
Chinese (zh)
Inventor
苏锐丹
谭尤
Current Assignee
Xidian University
Original Assignee
Xidian University
Priority date
Filing date
Publication date
Application filed by Xidian University
Priority to CN201911269167.7A
Publication of CN111181924A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1001 Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers

Abstract

The invention belongs to the technical field of network security and discloses a Web application firewall method and system based on an application gateway. A firewall gateway with a unified network entrance is scheduled in coordination with load balancing to intercept Web intrusion behaviours and data leakage; zero-day (day0) attacks are defended against using an anomaly detection method; linkage detection is carried out; certificates are managed and private keys protected, so that the certificate file and the private key file are not stored in plain text in a directory of the server; and configuration is done through the browser. The experimental results show that the Web application firewall effectively defends against the mainstream Web application layer attacks, including SQL injection in its various deformed forms, brute-force cracking, number scanning attacks, Webshell detection, XSS cross-site scripting attacks and information leakage; the system can cut off typical intrusion attempts on a critical path, block the detection payloads and greatly increase the difficulty of intrusion.

Description

Web application firewall method and system based on application gateway
Technical Field
The invention belongs to the technical field of network security, and particularly relates to a Web application firewall method and system based on an application gateway.
Background
Currently, the closest prior art: the widespread use of Web 2.0 technology has brought an increasing threat to users and related systems. Present Web applications and online services are based on Web 2.0 technologies, such as JavaScript and AJAX, and therefore a series of security attacks against the corresponding layer also appear. Web Application Firewalls (WAFs) have emerged as Web security becomes increasingly important.
Web applications have become central to an organization's reputation. Attacks against Web applications are increasing, as is the number of services offered on the Internet. Web applications have become a prime target for current attacks because of the lack of attention and knowledge regarding Web application security during development and the lack of secure software development techniques. Approximately seventy percent of Web-based attacks are successful. Even though conventional firewalls can successfully block network layer attacks, they are not effective against Web-based attacks on Web applications. Web applications therefore require protection against information leakage, and the Internet itself cannot provide a secure environment.
In the Internet industry, Google builds security into its infrastructure, and its components serve as a model for learning about security. On the Web side, the GFE (Google Front-End) handles certificates for external access: a service only needs to be registered with the GFE, and the GFE fetches the correct certificate on its behalf, so that the TLS connection from the user to the GFE is guaranteed to be secure. Furthermore, Microsoft has a product called the Azure Application Gateway on the Web side, which provides Web routing, load balancing and WAF (Web application firewall) functionality in one place. However, none of these products can be used for private deployment: Google Front-End and Azure Application Gateway serve only their owners' own business and their own cloud customers, and anyone wanting to use these products has to use the corresponding cloud services.
In addition, Web applications use the Hypertext Transfer Protocol (HTTP), so attacks also arrive over HTTP. There are many studies on inspecting HTTP traffic and identifying abnormal requests. Organizations such as the Web Application Security Consortium exist to develop security standards for the World Wide Web (WWW). Another similar group, Thinking Stone, developed ModSecurity, an open source module for the Apache Web server. ModSecurity implements signature-based detection, so it is effective for known types of attack but not for zero-day (day0) attacks.
Moreover, economic interest has become the driving force behind security attacks, which has changed the security landscape of the whole Internet: attacks have become "industrialized", with large organizations, capital, sharper focus and automation capabilities. Against this background, Web security incidents are continuously exposed, WAF solutions have appeared at the same time, and various regulations and policies have been issued in succession so that Web security protection can be carried out more systematically, which further drives the requirements for and the technical development of WAFs. However, the requirements for WAFs differ between industries, so the WAF technology of manufacturers in those industries has developed differently and their products follow different development tracks.
In order to give a unified view of the security risks of Web applications and raise awareness of Web application security, an industry Web application security project publishes a list of the ten most serious security risks of Web applications, summarizing the 10 most commonly encountered attack methods and ranking them by the probability of their occurrence. Aimed at these 10 major security risks, Web application firewalls have been proposed by the industry; they can prevent most Web application attacks and are currently the main Web application security solution.
In addition, since the initial attacks were mainly directed at online payment with bank credit cards, a unified information security policy was issued in the prior art: the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS has generated a continuous and strong driving force for the development of WAF products; it was first published as Version 1.0, upgraded to Version 1.1 in September 2006, upgraded to Version 1.2 in October 2008, and the latest PCI DSS is Version 3.1, released in August 2017.
Web page tampering incidents at existing enterprises have become the primary driver of the WAF. The earliest product was a web page anti-tampering system consisting of agent programs (installed on the Web servers) and a centralized management program. However, practice has shown that this approach only protects static pages well and cannot protect dynamic pages. The WAF makes up for the shortcomings of web page anti-tampering systems: it analyses HTTP protocol traffic in depth, comprehensively defends against various Web security threats, does not interfere with the Web server, and is in fact a more fundamental web page anti-tampering solution.
Although several security companies have developed Web application firewalls in succession since the WAF market started in 2008, the protective effect is still not ideal.
The Web application firewall is positioned in the network in front of the Web application server and protects the application server behind it. The WAF works at the application layer, based on bidirectional analysis of HTTP/HTTPS traffic: when a client sends a request to the server, the Web application firewall parses the HTTP/HTTPS protocol and analyses the user request data, and the parsed content is searched and compared against an HTTP attack feature library; if an attack is found, the request is blocked, otherwise the request is forwarded to the server. The Web application firewall also parses the protocol and analyses the response data, so that attack detection and blocking are achieved and real-time protection is provided for the Web application.
The client interacts with the server side through HTTP requests, and therefore one of the core technologies of the WAF is a thorough understanding of HTTP. The Hypertext Transfer Protocol is a stateless application layer protocol based on a request and response model; it runs over a TCP connection, provides a mechanism for persistent connections, and most Web development consists of Web applications built on the HTTP protocol. The client sends a request to the server whose header contains the request method, the URL, the protocol version, and a MIME-like message structure containing request modifiers, client information and content. The server responds with a status line, which includes the protocol version of the message and a success or error code, followed by server information, entity meta-information and possibly entity content.
The header fields of HTTP fall into four parts: general headers, request headers, response headers and entity headers. The general header fields are supported by both request and response messages and include Cache-Control, Connection, Date, Pragma, Transfer-Encoding, Upgrade and Via.
The format of the first line of a request message is: Method Request-URI HTTP-Version CRLF. Method is the method to be performed on the Request-URI, one of OPTIONS, GET, HEAD, POST, PUT, DELETE and TRACE; Request-URI is a uniform resource identifier; HTTP-Version is the HTTP protocol version of the request; CRLF denotes carriage return and line feed. The request header fields may include Accept, Accept-Encoding, Accept-Language, Authorization, From, Host, Proxy-Authorization, Range, Referer and User-Agent.
The first line of a response message has the format: HTTP-Version Status-Code Reason-Phrase CRLF. HTTP-Version denotes the supported HTTP version, such as HTTP/1.1; Status-Code is a three-digit result code; Reason-Phrase is a short textual description of the Status-Code. The Status-Code is intended mainly for automatic processing by machines, and the Reason-Phrase mainly for human understanding. The response header fields include Age, Location, Proxy-Authenticate, Public, Retry-After, Server, Vary, Warning and WWW-Authenticate.
Both request and response messages may carry an entity, which typically consists of entity headers and an entity body. The entity header fields carry meta-information about the entity and include Allow, Content-Base, Content-Encoding, Content-Language, Content-Length, Content-Location, Content-MD5, Content-Range, Content-Type, Expires, Last-Modified, extension headers and the like.
The entity body may be an encoded byte stream; its encoding is defined by Content-Encoding or Content-Type, and its length by Content-Length or Content-Range.
The core security issue of Web applications is that users can submit arbitrary input, i.e., any input may be an injection point for a Web attack. GET and POST parameters, Cookies, the Referer, the User-Agent and other request headers are all common Web attack injection points. Most WAF detection methods use pattern matching to identify attacks, but some Web attacks bypass pattern-matching detection for two reasons:
HTTP protocol parsing weaknesses. If an attacker constructs an abnormal HTTP packet, the variables cannot be extracted normally, so the pattern matching stage is never entered and WAF detection is bypassed.
The inherent weakness of pattern matching. Whether a regular expression match or a match with additional logic, because the pattern is fixed it leaks in various ways around its edges (false negatives).
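The request grammar and the injection points described above, as an added example that is not code from the patent: a strict parser for the request line (Method Request-URI HTTP-Version CRLF), the header fields and the Content-Length-framed entity. Its purpose is the first bypass named above: instead of extracting whatever variables it can from an abnormal packet and silently skipping the matching stage, it fails closed and raises on anything outside the grammar, so the WAF can block rather than pass such a request. All function and class names, and the sample request, are this example's own.

```python
"""Strict parser for the HTTP request structure described above (added example,
not the patent's code).  It parses the request line (Method Request-URI
HTTP-Version CRLF), the header fields and the Content-Length-framed entity, and
fails closed: anything outside the grammar raises MalformedRequest rather than
yielding partial variables, so pattern matching is never skipped because
extraction failed.  All names and the sample request are this example's own."""
from dataclasses import dataclass
from urllib.parse import parse_qsl, unquote_plus, urlsplit

ALLOWED_METHODS = {"OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE", "TRACE"}
CRLF = b"\r\n"


class MalformedRequest(ValueError):
    """Raised for any request that does not fit the HTTP grammar."""


@dataclass
class ParsedRequest:
    method: str
    path: str
    version: str
    headers: dict   # lower-cased field name -> value
    query: dict     # decoded query parameters (GET injection point)
    cookies: dict   # decoded Cookie pairs (Cookie injection point)
    body: bytes     # entity: exactly Content-Length bytes


def parse_request(raw: bytes) -> ParsedRequest:
    head, sep, entity = raw.partition(CRLF + CRLF)
    if not sep:
        raise MalformedRequest("headers are not terminated by an empty line")
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError as exc:
        raise MalformedRequest("non-ASCII byte in request line or headers") from exc

    # Request line: Method SP Request-URI SP HTTP-Version
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise MalformedRequest("request line must be 'Method Request-URI HTTP-Version'")
    method, target, version = parts
    if method not in ALLOWED_METHODS:
        raise MalformedRequest(f"unknown method {method!r}")
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        raise MalformedRequest(f"unsupported version {version!r}")

    # Header fields: Name ':' value, no whitespace around the name
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name or name != name.strip():
            raise MalformedRequest(f"bad header line {line!r}")
        key = name.lower()
        if key in headers:
            if key in ("content-length", "host"):
                raise MalformedRequest(f"duplicate {name} header")  # request-smuggling vector
            headers[key] = headers[key] + ", " + value.strip()
        else:
            headers[key] = value.strip()

    # Entity: only Content-Length framing is accepted, and the body must match it exactly
    if "transfer-encoding" in headers:
        raise MalformedRequest("transfer codings are not accepted by this example")
    length_field = headers.get("content-length", "0")
    if not length_field.isdigit():
        raise MalformedRequest("Content-Length is not a non-negative integer")
    if len(entity) != int(length_field):
        raise MalformedRequest(f"entity has {len(entity)} bytes, Content-Length says {length_field}")

    url = urlsplit(target)
    query = dict(parse_qsl(url.query, keep_blank_values=True))
    cookies = {}
    for pair in headers.get("cookie", "").split(";"):
        if "=" in pair:
            name, value = pair.split("=", 1)
            cookies[name.strip()] = unquote_plus(value.strip())
    return ParsedRequest(method, url.path, version, headers, query, cookies, entity)


def is_well_formed(raw: bytes) -> bool:
    """True when the request fits the grammar; a WAF should block anything else."""
    try:
        parse_request(raw)
        return True
    except MalformedRequest:
        return False


def injection_points(req: ParsedRequest) -> dict:
    """Every user-controlled value the detection stage must inspect."""
    points = {f"GET:{k}": v for k, v in req.query.items()}
    if req.headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for k, v in parse_qsl(req.body.decode("latin-1"), keep_blank_values=True):
            points[f"POST:{k}"] = v
    points.update({f"COOKIE:{k}": v for k, v in req.cookies.items()})
    for name in ("referer", "user-agent"):
        if name in req.headers:
            points[f"HEADER:{name}"] = req.headers[name]
    return points


# Constructed sample request for the example
SAMPLE = (
    b"POST /index.php?secim=9&mid=50 HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"User-Agent: demo-client/1.0\r\n"
    b"Cookie: session=abc123; lang=en\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 17\r\n"
    b"\r\n"
    b"user=bob&page=%31"
)

if __name__ == "__main__":
    print(injection_points(parse_request(SAMPLE)))
```

The duplicate Content-Length and Transfer-Encoding checks are deliberately stricter than a general-purpose server: a gateway that sits in front of the application must not be more permissive about message framing than the server behind it, or the two will disagree about where a request ends.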
At present, a plurality of known application layer and network layer attack methods are provided, and analysis of various different kinds of attacks aiming at Web application has strong reference significance for designing and deploying a Web application firewall. Table 1 lists these most common approaches to attack and bypass.
TABLE 1
(Table 1 is reproduced only as an image in the original and is not available in this text.)
In summary, the problems of the prior art are as follows: among traditional WAFs, an Agent-mode WAF needs an Agent installed on the target host, which makes maintenance and management laborious and increases maintenance costs; pure network layer WAFs and third-party reverse proxy WAFs need to support HTTPS and therefore need the service providers' certificates, and spreading the certificates in this way can cause problems such as information leakage.
In addition, the prior art does not carry out both signature detection and anomaly detection, so the prevention of malicious attacks at the Web application layer is poor.
The difficulty of the technical problem is as follows: according to the statistics of the China National Vulnerability Database of Information Security (CNNVD), attacks on Web sites account for more than 70% of all network attacks. A Web attack can result in important user data being stolen, or even in a server being completely controlled, causing enormous losses to the user. As a professional website protection product, a Web application firewall can provide an important guarantee for users. This patent can cut off typical intrusion attempts on the critical path, block most detection payloads and greatly increase the difficulty of intrusion, while at the same time being used as gateway infrastructure to promote the use of HTTPS from the outset and protect the security of data transmission on the external network.
The significance of solving the technical problem is as follows: the invention supports HTTPS natively, does not need to hand the certificate private key to a third party and so keeps the certificate secure, does not need an Agent installed on the target host, which greatly reduces maintenance and management work, and provides a unified, load-balanced Web management entrance. The invention adopts both a signature-based detection method and a detection method based on abnormal requests, so that the shortcomings of each method are compensated by the other. Signature-based detection is faster, but it is not effective against zero-day attacks; the anomaly detection method, on the other hand, is effective against zero-day attacks.
Disclosure of Invention
Aiming at the problems in the prior art, the invention provides a Web application firewall method and system based on an application gateway.
The invention is realized as follows: a Web application firewall method based on an application gateway uses a firewall gateway with a unified network entrance, scheduled in cooperation with load balancing, to intercept Web intrusion behaviours and data leakage;
an HTTP request passes through the Gateway, where the Gateway WAF module inspects it; if both the signature detection module and the anomaly detection module pass it, the request is allowed through and reaches the application layer; if the request is malicious, it is blocked, written to the interception log, and the WAF administrators are alerted;
zero-day (day0) attacks are defended against using an anomaly detection method; linkage detection is carried out; the certificate is managed and the private key protected, so that the certificate file and the private key file are not stored in plain text in a directory of the server; and configuration is carried out through the browser.
Furthermore, the firewall gateway is configured with a plurality of nodes and is scheduled in coordination with load balancing.
Further, the anomaly detection method comprises request count analysis, request length analysis and request frequency analysis, and reasonable anomaly score calculation parameters are selected for the important anomaly score information in order to detect anomalous data.
Further, the request count analysis method comprises: judging, according to the application program, whether a request is an attack from the number of times the same request is sent from different places. The number of normal requests is much lower than that of abnormal requests (especially in a brute-force attack, which sends hundreds of thousands of times more requests than normal), and abnormal requests also request many non-existent pages (increasing the number of requests).
Further, the request length analysis method comprises: according to the architecture of the web application program, the request values of memory overflow and cross-site scripting attacks entering the web site are larger than those of normal requests; the evaluation uses the mean and variance values, following Kruegel and Vigna:
(The formula is reproduced only as an image in the original and is not available in this text.)
p: probability; σ: variance, i.e. the variance of the request length; l: the detected request length value; u: the average of the request lengths;
the value indicated by request length anomaly detection is obtained according to the web application program; according to the above formula, the value for an HTTP request of length 0 represents the anomaly limit value; and if the anomaly probability value of a request is smaller than the anomaly value of the request with length 0, the request is defined as anomalous.
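The request length model behind the limit value described above, added here as a note that is not part of the patent text: the patent's formula survives only as an image, so the expression below is the Chebyshev bound used by Kruegel and Vigna, written with the symbols the patent defines (the original paper writes the variance as σ²; the patent calls it σ):

$$
p\bigl(|L - u| > |l - u|\bigr) \;<\; \frac{\sigma}{(l - u)^{2}}
$$

The right-hand side is taken as the anomaly probability of a request of length l (capped at 1 when (l − u)² ≤ σ, where the bound is uninformative). It decreases as |l − u| grows, so the shortest possible request, l = 0, gives the limit value p₀ = σ/u², and a request is anomalous when

$$
\frac{\sigma}{(l - u)^{2}} < \frac{\sigma}{u^{2}} \iff |l - u| > u ,
$$

which, for requests longer than the mean, means l > 2u.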
Further, the request frequency analysis method comprises: determining the character frequency value of a request using a character distribution model (in alphabetic text, letters are not evenly distributed but occur with different frequencies); the letter frequency value of the characters forming a normal request to the web application program is higher than that of an abnormal request; ASCII characters are used for the character distribution.
Further, in determining the character frequency value, the total number of requests and the average value of each character are obtained by letter frequency analysis; for example, a request such as index.php?secim=9&mid=50 yields the frequency value and the average value of the letters in the expression;
when the frequency values of the 100 requests sent to the web application are ranked from minimum to maximum, requests having an average frequency value of less than 0.9 are determined to be anomalous.
Further, linkage detection includes signature detection, in which the signature database is updated according to the attack techniques so that the anomaly detection is effective; otherwise the anomaly detection is invalid.
Another object of the present invention is to provide an application gateway-based Web application firewall system implementing the application gateway-based Web application firewall method, comprising:
an anomaly detection module, which comprises a request count analysis module, a request length analysis module and a request frequency analysis module, and which scores the important anomaly information, selects reasonable anomaly score calculation parameters and detects anomalous data;
and a signature detection module, which updates the signature database according to the attack techniques so that the anomaly detection is effective, the anomaly detection otherwise being invalid.
Further, the request count analysis module judges, according to the application program, whether a request is an attack from the number of times the same request is sent from different places;
the request length analysis module evaluates the anomaly of a request entering the web site according to the architecture of the web application program;
and the request frequency analysis module determines the character frequency value of the request using the character distribution model.
In summary, the advantages and positive effects of the invention are: the invention designs a firewall gateway with an application security foundation modelled on GFE and the Azure application gateway, so that the firewall gateway has a unified network entrance and can be deployed as a plurality of nodes scheduled in coordination with load balancing. Besides the WAF functions, such as interception of common Web intrusion behaviours and data leakage events, an anomaly detection method is used to defend effectively against zero-day (day0) attacks, linkage detection (association checking of request and response) can be carried out, the certificate is managed and the private key protected, the certificate file and the private key file are not stored in plain text in a directory of the server (preventing a hacker from stealing the private key), configuration is done through the browser, Agent installation is omitted and maintenance cost is reduced.
(A figure reproduced only as an image in the original is not available in this text.)
The invention analyses the HTTP protocol and the common attack and bypass methods at the Web application layer in detail, provides a method based on signature detection and anomaly detection, and has been shown by testing to effectively prevent common malicious attacks on the Web application layer.
The experimental results show that the Web application firewall can effectively defend against mainstream Web application layer attacks such as SQL injection in its various deformed forms, brute-force cracking, number scanning attacks, Webshell detection, XSS cross-site scripting attacks and information leakage. When a layered security defence system (in particular an application security defence system) is built from scratch, the system can cut off typical intrusion attempts on the critical path, block most detection payloads and greatly increase the difficulty of intrusion, and at the same time it can be used as gateway infrastructure to promote the use of HTTPS from the outset and protect the security of data transmission on the external network.
Drawings
Fig. 1 is a flowchart of a Web application firewall method based on an application gateway according to an embodiment of the present invention.
Fig. 2 is a schematic diagram of a Web application firewall method based on an application gateway according to an embodiment of the present invention.
Fig. 3 is a schematic diagram of a Web application firewall system based on an application gateway according to an embodiment of the present invention.
In the figure: 1. an anomaly detection module; 1-1, a request counting analysis module; 1-2, a request length analysis module; 1-3, a request frequency analysis module; 2. a signature-based detection module.
Fig. 4 is a schematic diagram of request repetition times provided by the embodiment of the present invention.
Fig. 5 is a request length exception detection diagram provided by an embodiment of the present invention.
Fig. 6 is a schematic diagram of an average request frequency according to an embodiment of the present invention.
FIG. 7 is a diagram of a signature definition interface in the configuration of the present invention for web attacks provided by an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described in detail with reference to the following embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Among traditional WAFs, an Agent-mode WAF needs an Agent installed on the target host, which makes maintenance and management laborious and increases maintenance costs; pure network layer WAFs and third-party reverse proxy WAFs need to support HTTPS and therefore need the service providers' certificates, and spreading the certificates in this way can cause problems such as information leakage. In addition, the prior art does not carry out both signature detection and anomaly detection, so the prevention of malicious attacks at the Web application layer is poor.
Aimed at the problems in the prior art, the invention provides a Web application firewall method and system based on an application gateway, and the invention is described in detail below with reference to the accompanying drawings.
As shown in fig. 1, the Web application firewall method based on the application gateway provided in the embodiment of the present invention has a unified network entrance, may have a plurality of nodes, and performs scheduling in cooperation with load balancing, i.e. it is an application gateway; the method has the function of a WAF (Web application firewall) and can intercept common Web intrusion behaviours (such as SQL injection, command injection, XSS, Webshell upload or connection), data leakage events and the like. The invention is also designed as an architecture that needs no Agent installation, which is troublesome to maintain, and is configured more simply through the browser. The certificate can be managed and the private key protected: the certificate file and the private key file are not stored in plain text in a directory of the server (preventing a hacker from stealing the private key); only the gateway administrator is allowed to apply for and configure certificates, and business personnel can enable HTTPS without touching the certificate file.
The method specifically comprises the following steps:
S101: scheduling, using a firewall gateway with a unified network entrance in cooperation with load balancing, and intercepting Web intrusion behaviours and data leakage.
S102: defending against zero-day (day0) attacks using an anomaly detection method.
S103: carrying out linkage detection, managing the certificate and protecting the private key so that the certificate file and the private key file are not stored in plain text in a directory of the server, and carrying out configuration through the browser.
Fig. 2 is a schematic diagram of a Web application firewall method based on an application gateway according to an embodiment of the present invention.
As shown in fig. 3, the Web application firewall system (WAF application gateway) based on the application gateway provides a unified network entrance and may be configured as multiple nodes with load balancing. The FrontEnd can be configured directly in a browser, which removes the step of installing an Agent, and application settings, signature detection rules and the like can be configured directly. The BackEnd mainly performs database configuration and initialization, loads the configured applications into the data store, and then passes the data to Utils (the toolset), which can generate certificates and write errors to the log. The WAF is the core part of the whole application gateway and consists mainly of two parts: Signature Detection (the signature-based detection module 2) and Anomaly Detection (the anomaly detection module 1).
In the embodiment of the present invention, the anomaly detection module 1 comprises a request count analysis module, a request length analysis module and a request frequency analysis module, which score the important anomaly information. Reasonable anomaly score calculation parameters are selected, which improves the success rate of the system.
In the embodiment of the present invention, the request count analysis module 1-1 takes into account that the same request may be sent from different places, because different users may send the same request, so normal requests may repeat continuously according to the access volume of the website. The probability that an attack request repeats is lower than that of a normal request.
Fig. 4 shows request repetition counts of up to 20. As can be seen from fig. 4, the probability of an attack is greater for a small number of repetitions than for a large number. Depending on the application developed, requests repeated more than 15 times are not treated as attacks.
In the embodiment of the present invention, the request length analysis module 1-2 relies on the fact that requests entering the web site have a certain structure according to the architecture of the web application. One characteristic of the request structure is the request length: the request values of memory overflow and cross-site scripting attacks are larger than those of normal requests. The evaluation follows Kruegel and Vigna, using the mean and variance values.
(The formula is reproduced only as an image in the original and is not available in this text.)
p: probability. σ: variance (the variance of the request length). l: the detected request length value. u: the average of the request lengths.
Using the developed application, the values shown in fig. 5 for the request length exception detection can be obtained. According to the formula, a value of 0 for the length of the HTTP request represents an anomaly limit value. A request is defined as anomalous if the anomaly probability value for each request is less than the anomaly value for a request having a length value of 0.
In the embodiment of the present invention, the request frequency analyzing module 1-3 determines the requested character frequency value by using the character distribution model. The alpha frequency values of the characters making up the normal request of the web application are higher than the alpha frequency values of the exception request. ASCII characters are used for character distribution.
In the present invention, the total number of requests and the average value of each character are detected by the letter frequency analysis. Php if using the image index. A request for secim-9 & mid-50 results in the frequency value and average value of the letters in the expression. Although the frequency value represents the number of letters per letter for all requests, the average is obtained by dividing the total value of each character by the number of requests.
When the frequency values of the 100 requests sent to the web application are ranked from minimum to maximum, requests having an average frequency value less than 0.9 will be determined to be anomalous. The average frequency value of the evaluation request is shown in fig. 6.
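The three analyses described above (request count, request length and request frequency), as an added Python example that is not the patent's own code. The training requests are constructed; the constants (more than 15 repeats is normal, the length-0 anomaly limit, the 0.9 frequency threshold) follow the page, while the Chebyshev-style length probability and the exact frequency score are assumptions, because the page shows the length formula only as an image and does not define the frequency score precisely.

```python
"""Added example (not the patent's code): toy versions of the request count,
request length and request frequency analyses. Sample traffic is constructed;
the length probability and the frequency score are assumed interpretations."""
from collections import Counter
from statistics import mean, pvariance

# Constructed training traffic: eight benign request lines, each seen 20 times.
NORMAL_REQUESTS = [
    "GET /index.php?id=7 HTTP/1.1",
    "GET /index.php?id=12 HTTP/1.1",
    "GET /list.php?page=2 HTTP/1.1",
    "GET /list.php?page=3 HTTP/1.1",
    "GET /user.php?name=alice HTTP/1.1",
    "GET /user.php?name=bob HTTP/1.1",
    "POST /login.php HTTP/1.1",
    "GET /static/style.css HTTP/1.1",
] * 20

REPEAT_LIMIT = 15      # page: requests repeated more than 15 times are not attacks
FREQ_THRESHOLD = 0.9   # page: average frequency value below 0.9 is anomalous


def request_counts(requests):
    """Request count analysis: how often each exact request line recurs."""
    return Counter(requests)


def count_says_normal(counts, request):
    """True when the request recurs often enough to be treated as normal."""
    return counts.get(request, 0) > REPEAT_LIMIT


class LengthModel:
    """Request length analysis with mean (u) and variance (sigma) of training lengths."""

    def __init__(self, requests):
        lengths = [len(r) for r in requests]
        self.u = mean(lengths)
        self.sigma = pvariance(lengths)

    def probability(self, l):
        """P = sigma / (l - u)^2, capped at 1 (assumed Chebyshev-style bound)."""
        if l == self.u:
            return 1.0
        return min(1.0, self.sigma / (l - self.u) ** 2)

    def is_anomalous(self, request):
        """Page rule: anomalous when P(len) is below P for a length-0 request."""
        return self.probability(len(request)) < self.probability(0)


class CharFrequencyModel:
    """Request frequency analysis over the ASCII character distribution."""

    def __init__(self, requests):
        totals = Counter()
        for r in requests:
            totals.update(r)
        n = len(requests)
        # average[c] = total count of c over all requests / number of requests
        self.average = {c: totals[c] / n for c in map(chr, range(128))}

    def score(self, request):
        """Assumed score: fraction of characters with a non-zero average frequency."""
        if not request:
            return 0.0
        seen = sum(1 for c in request if self.average.get(c, 0.0) > 0)
        return seen / len(request)

    def is_anomalous(self, request):
        return self.score(request) < FREQ_THRESHOLD


def anomaly_report(request, counts, length_model, freq_model):
    """Combine the three analyses into one verdict dictionary per request."""
    return {
        "count_normal": count_says_normal(counts, request),
        "length_anomalous": length_model.is_anomalous(request),
        "frequency_anomalous": freq_model.is_anomalous(request),
    }


COUNTS = request_counts(NORMAL_REQUESTS)
LENGTH_MODEL = LengthModel(NORMAL_REQUESTS)
FREQ_MODEL = CharFrequencyModel(NORMAL_REQUESTS)

if __name__ == "__main__":
    # Constructed probes: a benign variant, an over-long one, and one with characters
    # that never occur in normal traffic.
    for req in ("GET /index.php?id=42 HTTP/1.1",
                "GET /index.php?id=" + "7" * 60 + " HTTP/1.1",
                "GET /index.php?id=" + "{" * 12 + " HTTP/1.1"):
        print(req[:40], anomaly_report(req, COUNTS, LENGTH_MODEL, FREQ_MODEL))
```

The three analyses are complementary: the over-long request trips only the length model, while the request built from unseen characters has a normal length and is caught only by the character distribution, which is why the page scores all three rather than relying on one.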
In the embodiment of the invention, the signature detection module 2 updates the signature database according to current attack techniques so as to ensure the validity of the system; otherwise the attack goes undetected.
Signature-based detection is also referred to as misuse detection. Signature-based systems typically run faster, but they are effective only against attacks that exist in the signature database. Intrusion detection systems and antivirus programs typically operate with signature-based detection.
The signature definitions in the present configuration for web attacks (e.g., SQL injection and cross-site scripting attacks) are shown in FIG. 7. HTTP requests containing attacks are blocked using the keywords defined above.
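A minimal signature detection module of the kind described above, as an added Python example that is not the patent's own code. The signature patterns are constructed placeholders standing in for the database in FIG. 7 (which this page does not reproduce); the decode-then-match normalisation step is an added practitioner detail, since a plain substring match on the raw request misses percent-encoded variants.

```python
"""Added example (not the patent's code): signature (misuse) detection with a
replaceable rule set and request normalisation. Rules are constructed samples."""
import re
from urllib.parse import unquote_plus

# Constructed placeholder rules; a real database (FIG. 7 of the patent) is larger.
SAMPLE_SIGNATURES = [
    ("sqli_union_select", r"\bunion\b.{0,20}\bselect\b"),
    ("xss_script_tag", r"<\s*script"),
    ("path_traversal", r"\.\./"),
]


class SignatureDatabase:
    """Keyword/regex rule set matched against the normalised request line."""

    def __init__(self, signatures):
        self._patterns = []
        self.update(signatures)

    def update(self, signatures):
        """Replace the rule set; the page stresses keeping it current."""
        self._patterns = [(name, re.compile(rx, re.IGNORECASE))
                          for name, rx in signatures]

    @staticmethod
    def normalise(raw):
        """Percent-decode until stable (bounded) and fold case before matching."""
        text = raw
        for _ in range(3):
            decoded = unquote_plus(text)
            if decoded == text:
                break
            text = decoded
        return text.lower()

    def match(self, raw_request):
        """Names of all rules that fire on the request, in database order."""
        text = self.normalise(raw_request)
        return [name for name, rx in self._patterns if rx.search(text)]

    def should_block(self, raw_request):
        return bool(self.match(raw_request))


DB = SignatureDatabase(SAMPLE_SIGNATURES)

if __name__ == "__main__":
    # Constructed requests: a benign one and a doubly percent-encoded probe.
    for req in ("GET /index.php?id=7 HTTP/1.1",
                "GET /index.php?id=1%2520union%2520select%25201 HTTP/1.1"):
        print(req, "->", DB.match(req) or "clean")
```

Because rules only fire on what is in the database, a probe written in a form the rules do not cover passes through; that gap is exactly what the page's anomaly detection module is paired with the signature module to close.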
The invention is further described below in connection with testing and analysis.
The test environment is as follows: CentOS 7, Nginx and the deliberately vulnerable pikachu target-site platform are used as the attacked test objects. The application-layer request tool Burp Suite and the SQL scanner sqlmap are used as the attacking tools.
During the test experiments, Burp Suite and sqlmap are used to simulate application-layer attacks and to test the WAF Gateway comprehensively.
Experimental results show that the Web application firewall can effectively defend against mainstream Web application-layer attacks such as SQL injection, brute-force cracking, scanning attacks, Webshell detection, XSS cross-site scripting attacks and information leakage, in their various deformed (obfuscated) forms. When a multi-layer security defense system (in particular an application security defense system) is constructed from scratch, the system can cut off a typical intrusion attempt on the key path, block most probe payloads, and greatly increase the difficulty of intrusion; at the same time, the system can serve as gateway infrastructure for rolling out HTTPS from scratch, protecting the security of data transmission on the external network.
The present invention will be further described with reference to effects.
The invention analyzes the HTTP protocol and the main Web application attacks and their bypass methods, addresses the shortcomings of the HTTP protocol and of pattern matching, and develops a hybrid system combining signature-based detection with anomalous-request detection. By adopting both a signature-based detection method and an anomalous-request detection method, the shortcomings of each are eliminated. Signature-based detection works faster, but it is not effective against zero-day attacks; the anomaly detection method, on the other hand, is effective against zero-day attacks. Integrating the WAF on the Gateway gives the Gateway a uniform network entrance and a load-balancing function, improves the high availability of the application, naturally supports HTTPS, removes the need to place a certificate on the server, effectively prevents the private key from being stolen, and improves the security performance.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents and improvements made within the spirit and principle of the present invention are intended to be included within the scope of the present invention.

Claims (10)

1. A Web application firewall method based on an application gateway, characterized in that the Web application firewall method based on the application gateway uses firewall gateways with a uniform network entrance, scheduling in cooperation with load balancing, and intercepts Web intrusion behaviours and data leakage;
defends against zero-day (day0) attacks using an anomaly detection method; performs linkage detection; manages the certificate and protects the private key, so that the certificate file and the private key file are not stored directly in plain text in a directory of the server; and performs browser configuration.
2. The Web application firewall method based on the application gateway of claim 1, wherein the firewall gateway is configured with a plurality of nodes scheduled in coordination with load balancing.
3. The Web application firewall method based on the application gateway of claim 1, wherein the anomaly detection method comprises request count analysis, request length analysis and request frequency analysis, and selects reasonable anomaly-score calculation parameters for the important anomaly-score information in order to detect anomalous data.
4. The application gateway based Web application firewall method of claim 3, wherein the request count analysis method comprises: judging, according to the application program, whether a request is an attack from the number of times the same request is sent from different places.
5. The application gateway based Web application firewall method of claim 3, wherein the request length analysis method comprises: according to the architecture of the web application program, the length values of memory overflow and cross-site scripting attack requests entering the web site are larger than those of normal requests; evaluation is performed as by Kruegel and Vigna, using mean and variance values;
Figure FDA0002313683720000011
p: probability; σ: variance, the variance value of the request length; l: the detected request length value; u: the average request length;
a value indicated by request length anomaly detection is obtained according to the web application program; according to the above formula, a value of 0 for the length of the HTTP request represents the anomaly limit value; and if the anomaly probability value of a request is smaller than the anomaly value of a request with a length value of 0, the request is defined as anomalous.
6. The application gateway based Web application firewall method of claim 3,
wherein the request frequency analysis method comprises: determining the character frequency value of a request using a character distribution model; the letter frequency value of the characters forming a normal request of the web application program is higher than that of an anomalous request; ASCII characters are used for the character distribution.
7. The application gateway-based Web application firewall method of claim 6, wherein, in the character frequency value determination, the total number of requests and the average value of each character are detected through letter frequency analysis; the frequency value and the average value of the letters in the expression are obtained using the php? request of 9& mid & 50;
when the frequency values of the 100 requests sent to the web application are ranked from minimum to maximum, requests having an average frequency value of less than 0.9 are determined to be anomalous.
8. The Web application firewall method based on the application gateway of claim 6, wherein the linkage detection comprises signature detection, and the signature database is updated according to current attack techniques so that the anomaly detection operates effectively; otherwise the anomaly detection is invalid.
9. An application gateway-based Web application firewall system for implementing the application gateway-based Web application firewall method according to any one of claims 1 to 8, wherein the application gateway-based Web application firewall system comprises:
an anomaly detection module comprising a request count analysis module, a request length analysis module and a request frequency analysis module, the request count analysis module being used to score important anomaly information; reasonable anomaly-score calculation parameters are selected, and anomalous data are detected;
and a signature detection module, which updates the signature database according to current attack techniques so that the anomaly detection is effective; otherwise the anomaly detection is invalid.
10. The Web application firewall system based on the application gateway of claim 9, wherein the request count analysis module judges, according to the application program, whether a request is an attack from the number of times the same request is sent to different places;
the request length analysis module evaluates the anomaly of a request entering the web site according to the architecture of the web application program;
and the request frequency analysis module determines the character frequency value of the request using the character distribution model.
CN201911269167.7A 2019-12-11 2019-12-11 Web application firewall method and system based on application gateway Pending CN111181924A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911269167.7A CN111181924A (en) 2019-12-11 2019-12-11 Web application firewall method and system based on application gateway

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911269167.7A CN111181924A (en) 2019-12-11 2019-12-11 Web application firewall method and system based on application gateway

Publications (1)

Publication Number Publication Date
CN111181924A true CN111181924A (en) 2020-05-19

Family

ID=70655479

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911269167.7A Pending CN111181924A (en) 2019-12-11 2019-12-11 Web application firewall method and system based on application gateway

Country Status (1)

Country Link
CN (1) CN111181924A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111723378A (en) * 2020-06-17 2020-09-29 浙江网新恒天软件有限公司 Website directory blasting method based on website map
CN112395304A (en) * 2020-10-30 2021-02-23 迅鳐成都科技有限公司 Data security calculation method, system and storage medium based on data behavior simulation
CN112906003A (en) * 2021-03-28 2021-06-04 黑龙江朝南科技有限责任公司 Detection technology for HTTP smuggling vulnerability
CN113014598A (en) * 2021-03-20 2021-06-22 北京长亭未来科技有限公司 Protection method for robot malicious attack, firewall, electronic device and storage medium
CN114726650A (en) * 2022-05-17 2022-07-08 北京航天驭星科技有限公司 Task request processing method and device, electronic equipment and computer readable medium

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Christopher Kruegel et al.: "A multi-model approach to the detection of web-based attacks", Computer Networks *
U2: "Building an open-source WAF gateway", HTTPS://MP.WEIXIN.QQ.COM/S?__BIZ=MZAWOTC3NZMWMQ==&MID=2655245896&IDX=1&SN=1775AC46EE1ACE64D972F192AC43C784&SCENE=21#WECHAT_REDIRECT *

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111723378A (en) * 2020-06-17 2020-09-29 浙江网新恒天软件有限公司 Website directory blasting method based on website map
CN111723378B (en) * 2020-06-17 2023-03-10 浙江网新恒天软件有限公司 Website directory blasting method based on website map
CN112395304A (en) * 2020-10-30 2021-02-23 迅鳐成都科技有限公司 Data security calculation method, system and storage medium based on data behavior simulation
CN112395304B (en) * 2020-10-30 2024-01-02 迅鳐成都科技有限公司 Data security calculation method, system and storage medium based on data behavior simulation
CN113014598A (en) * 2021-03-20 2021-06-22 北京长亭未来科技有限公司 Protection method for robot malicious attack, firewall, electronic device and storage medium
CN112906003A (en) * 2021-03-28 2021-06-04 黑龙江朝南科技有限责任公司 Detection technology for HTTP smuggling vulnerability
CN114726650A (en) * 2022-05-17 2022-07-08 北京航天驭星科技有限公司 Task request processing method and device, electronic equipment and computer readable medium

Similar Documents

Publication Publication Date Title
US10193909B2 (en) Using instrumentation code to detect bots or malware
CN111181924A (en) Web application firewall method and system based on application gateway
US11212305B2 (en) Web application security methods and systems
CA2966408C (en) A system and method for network intrusion detection of covert channels based on off-line network traffic
US8429751B2 (en) Method and apparatus for phishing and leeching vulnerability detection
US10693901B1 (en) Techniques for application security
US20090100518A1 (en) System and method for detecting security defects in applications
WO2017074622A1 (en) Web transaction status tracking
US9336396B2 (en) Method and system for generating an enforceable security policy based on application sitemap
Mirheidari et al. Cached and confused: Web cache deception in the wild
US20230291758A1 (en) Malware Detection Using Document Object Model Inspection
CN106209907B (en) Method and device for detecting malicious attack
Yassin et al. SQLIIDaaS: A SQL injection intrusion detection framework as a service for SaaS providers
Xiaopeng et al. A distributed vulnerability scanning on machine learning
Parimala et al. Efficient web vulnerability detection tool for sleeping giant-cross site request forgery
Tanakas et al. A novel system for detecting and preventing SQL injection and cross-site-script
Duraisamy et al. A server side solution for protection of web applications from cross-site scripting attacks
Modi et al. Design and implementation of RESTFUL API based model for vulnerability detection and mitigation
CN112104625A (en) Process access control method and device
Das et al. Defeating Cyber Attacks Due to Script Injection.
CN117040904A (en) Interception policy generation method, device, equipment and storage medium
Prasher Security Assurance of REST API based applications
Falguni et al. 'E-SPY': DETECTION AND PREDICTION OF WEBSITE ATTACKS.
Zaidan et al. Website Vulnerability Analysis of AB and XY Office in East Java
Sarma A Study on Common Web Based Hacking and Preventive Measure

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (Application publication date: 20200519)