CN111182060A - Message detection method and device - Google Patents


Info

Publication number
CN111182060A
Authority
CN
China
Prior art keywords
rule
service request
message
interception
request message
Prior art date
Legal status
Pending
Application number
CN201911399962.8A
Other languages
Chinese (zh)
Inventor
张志田
Current Assignee
Beijing Absolute Health Ltd
Original Assignee
Beijing Absolute Health Ltd
Priority date
Filing date
Publication date
Application filed by Beijing Absolute Health Ltd
Priority to CN201911399962.8A
Publication of CN111182060A
Legal status: Pending


Classifications

    • H04L67/10 Protocols in which an application is distributed across nodes in the network (H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/01 Protocols)
    • H04L63/0227 Filtering policies (H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls)
    • H04L63/0281 Proxies (H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls)
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP] (H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/01 Protocols)

Abstract

The invention discloses a message detection method and device. The method comprises: monitoring state information of a distributed cluster, wherein the state information represents whether a JSON string held by the distributed cluster has been updated, and the JSON string carries characteristic information of messages to be intercepted; if the JSON string has been updated, configuring an interception rule of a web application firewall (WAF) according to the JSON string; receiving a service request message forwarded by a proxy server, wherein the proxy server is connected to a web client; and detecting the service request message according to the interception rule. The invention addresses the low protection efficiency of web applications in the related art: the web application gains a custom protection function without being redeployed and without changing its original architecture, its security is improved, and both the losses caused by attacks on the web application and the cost of secure website development are reduced.

Description

Message detection method and device
Technical Field
The present invention relates to the field of network security, and in particular to a method and an apparatus for detecting a message.
Background
In the related art, China is actively promoting the construction of internet information security and a system for protecting citizens' privacy; protecting the security and privacy of user information is a pressing problem for the industry, and the implementation and improvement of web application firewall technology is being driven forward to raise the level and efficiency of information security protection. However, the related services currently on the market are of many kinds, lack functions, offer poor flexibility for custom rules, and have protection programs of poor stability.
In the related art, the web application firewall is based on general protection rules, and the rules are updated through a local configuration file, which is inefficient. The web application firewall is integrated into the web client or the proxy server, so an update requires restarting the related module to reload the configuration file; the update is complex, robustness is low, command-line operation carries a high risk factor, the interception effect on the service is not ideal, the coupling with access control is poor, and the service requirements placed on a web application firewall cannot be met.
In addition, as the business volume of each enterprise grows, it must prevent malicious access such as crawling website content and abusing promotions ("wool pulling", i.e. bulk harvesting of coupons and rewards) in addition to defending against traditional web application attacks. Faced with malicious access, enterprises often defend themselves by adding detection code to the web application. Doing so, however, increases the coupling between business functions and security functions, and adding or deleting detection code requires re-verification and redeployment of the web application, which increases its maintenance cost. Meanwhile, detection is usually carried out by screening and counting qualifying accesses across the whole site, and web applications usually run as a web server cluster, so adding this function inevitably brings architectural complexity and development cost.
In view of the above problems in the related art, no effective solution has been found at present.
Disclosure of Invention
In order to solve the technical problem of low protection efficiency of web applications in the related art, embodiments of the present invention provide a method and an apparatus for detecting a message.
According to an embodiment of the present invention, a method for detecting a message is provided, including: monitoring state information of a distributed cluster, wherein the state information represents whether a JSON string held by the distributed cluster has been updated, and the JSON string carries characteristic information of messages to be intercepted; if the JSON string has been updated, configuring an interception rule of a web application firewall (WAF) according to the JSON string; receiving a service request message forwarded by a proxy server, wherein the proxy server is connected to a web client; and detecting the service request message according to the interception rule.
Optionally, configuring the interception rule of the WAF according to the JSON string includes: deserializing the JSON string to obtain at least one rule index, wherein each rule index is mapped to a rule content through a key-value pair; and inserting the rule index into a tree node of a red-black tree.
Optionally, before inserting the rule index into a tree node of the red-black tree, the method further includes: determining priority information of the business rules, wherein each business rule corresponds to one rule index; and sorting the rule indexes based on the priority information, wherein the sorted position of each rule index corresponds to its position in the traversal order of the red-black tree.
Optionally, after configuring the interception rule of the WAF according to the JSON string, the method further includes: sending a lease application to the distributed cluster; receiving the lease time fed back by the distributed cluster in response to the lease application; and configuring the effective time of the interception rule on the WAF server based on the lease time.
Optionally, detecting the service request message according to the interception rule includes: parsing the service request message to obtain the message characteristics of the service request message; traversing the interception rule to query the message characteristics; if the message characteristics hit the interception rule, intercepting the service request message; and if the message characteristics do not hit the interception rule, forwarding the service request message to the web server.
Optionally, traversing the interception rule to query the message characteristics includes: querying the message characteristics sequentially in the arrangement order of the tree nodes of the red-black tree, wherein the rule contents of the interception rule correspond one-to-one to the tree nodes; if the message characteristics hit any rule content of the interception rule, stopping the traversal and determining that the message characteristics hit the interception rule; and if the message characteristics hit none of the rule contents of the interception rule, determining that the message characteristics do not hit the interception rule.
Optionally, receiving the service request message forwarded by the proxy server includes: receiving a first service request message forwarded by the proxy server, wherein the first service request message is a script message in Protocol Buffers (protobuf) format; and converting the first service request message into a second service request message in JSON format.
Optionally, after detecting the service request message according to the interception rule, the method further includes: feeding back a detection result to the proxy server, wherein the detection result indicates whether the service request message is a malicious message.
Optionally, the characteristic information includes at least one of: IP address, token, physical MAC address, account information and code sequence.
According to another embodiment of the present invention, a message detection apparatus is provided, including: a monitoring module for monitoring state information of a distributed cluster, wherein the state information represents whether a JSON string held by the distributed cluster has been updated, and the JSON string carries characteristic information of messages to be intercepted; a configuration module for configuring an interception rule of a web application firewall (WAF) according to the JSON string if the JSON string has been updated; a receiving module for receiving a service request message forwarded by a proxy server, wherein the proxy server is connected to a web client; and a detection module for detecting the service request message according to the interception rule; and/or the characteristic information includes at least one of: IP address, token, physical MAC address, account information and code sequence.
Optionally, the configuration module, when configuring the interception rule of the WAF according to the JSON string if the JSON string has been updated, is specifically configured to: deserialize the JSON string to obtain at least one rule index, wherein each rule index is mapped to a rule content through a key-value pair; and insert the rule index into a tree node of a red-black tree.
Optionally, before inserting the rule index into a tree node of the red-black tree, the configuration module is further configured to: determine priority information of the business rules, wherein each business rule corresponds to one rule index; and sort the rule indexes based on the priority information, wherein the sorted position of each rule index corresponds to its position in the traversal order of the red-black tree.
Optionally, after configuring the interception rule of the WAF according to the JSON string, the configuration module is further configured to: send a lease application to the distributed cluster; receive the lease time fed back by the distributed cluster in response to the lease application; and configure the effective time of the interception rule on the WAF server based on the lease time.
Optionally, the detection module, when detecting the service request message according to the interception rule, is specifically configured to: parse the service request message to obtain the message characteristics of the service request message; traverse the interception rule to query the message characteristics; if the message characteristics hit the interception rule, intercept the service request message; and if the message characteristics do not hit the interception rule, forward the service request message to the web server; and/or,
the detection module, when traversing the interception rule to query the message characteristics, is specifically configured to: query the message characteristics sequentially in the arrangement order of the tree nodes of the red-black tree, wherein the rule contents of the interception rule correspond one-to-one to the tree nodes; if the message characteristics hit any rule content of the interception rule, stop the traversal and determine that the message characteristics hit the interception rule; and if the message characteristics hit none of the rule contents of the interception rule, determine that the message characteristics do not hit the interception rule; and/or,
after detecting the service request message according to the interception rule, the detection module is further configured to: feed back a detection result to the proxy server, wherein the detection result indicates whether the service request message is a malicious message.
Optionally, the receiving module, when receiving the service request message forwarded by the proxy server, is specifically configured to: receive a first service request message forwarded by the proxy server, wherein the first service request message is a script message in Protocol Buffers (protobuf) format; and convert the first service request message into a second service request message in JSON format.
According to a further embodiment of the present invention, there is also provided a storage medium having a computer program stored therein, wherein the computer program is arranged to perform the steps of any of the above method embodiments when executed.
According to yet another embodiment of the present invention, there is also provided an electronic device, including a memory in which a computer program is stored and a processor configured to execute the computer program to perform the steps in any of the above method embodiments.
By the scheme of the embodiment, the JSON string of a distributed cluster is monitored; if the JSON string has been updated, an interception rule of a web application firewall (WAF) is configured according to the JSON string; a service request message forwarded by a proxy server connected to a web client is received; and finally the service request message is detected according to the interception rule. By deploying the WAF service together with the proxy server, the interception rule can be synchronized in real time according to the service requirements and the latest rule hot-loaded, without restarting or replacing the proxy server. This solves the technical problem of low protection efficiency of web applications in the related art, reduces the coupling between service functions and security functions, keeps security and service isolated within the web application, and lets the web application gain a custom protection function without being redeployed and without changing its original architecture; the security of the web application is improved, and both the losses caused by attacks on the web application and the cost of secure website development are reduced.
The technical solution of the present invention is further described in detail by the accompanying drawings and embodiments.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description, serve to explain the principles of the invention.
The invention will be more clearly understood from the following detailed description, taken with reference to the accompanying drawings, in which:
fig. 1 is a block diagram of a hardware configuration of a WAF server according to an embodiment of the invention;
fig. 2 is a flowchart of a message detection method according to an embodiment of the present invention;
FIG. 3 is a network architecture diagram of an embodiment of the present invention;
FIG. 4 is a flow diagram illustrating a distributed cluster update rule according to an embodiment of the present invention;
FIG. 5 is a diagram illustrating the insertion of rule indices into tree nodes according to an embodiment of the present invention;
FIG. 6 is a flow chart illustrating scenario one of the present invention;
FIG. 7 is a flow chart illustrating scenario two of the implementation of the present invention;
fig. 8 is a block diagram of a message detection apparatus according to an embodiment of the present invention.
Detailed Description
Various exemplary embodiments of the present invention will now be described in detail with reference to the accompanying drawings. It should be noted that: the relative arrangement of the components and steps, the numerical expressions and numerical values set forth in these embodiments do not limit the scope of the present invention unless specifically stated otherwise.
Meanwhile, it should be understood that the sizes of the respective portions shown in the drawings are not drawn in an actual proportional relationship for the convenience of description.
The following description of at least one exemplary embodiment is merely illustrative in nature and is in no way intended to limit the invention, its application, or uses.
Techniques, methods, and apparatus known to those of ordinary skill in the relevant art may not be discussed in detail but are intended to be part of the specification where appropriate.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, further discussion thereof is not required in subsequent figures.
Embodiments of the invention are operational with numerous other general purpose or special purpose computing system environments or configurations. Examples of well known computing systems, environments, and/or configurations that may be suitable for use with the computer system/server include, but are not limited to: personal computer systems, server computer systems, thin clients, thick clients, hand-held or laptop devices, microprocessor-based systems, set top boxes, programmable consumer electronics, network pcs, minicomputer systems, mainframe computer systems, distributed cloud computing environments that include any of the above systems, and the like.
The computer system/server may be described in the general context of computer system-executable instructions, such as program modules, being executed by a computer system. Generally, program modules may include routines, programs, objects, components, logic, data structures, etc. that perform particular tasks or implement particular abstract data types. The computer system/server may be practiced in distributed cloud computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed cloud computing environment, program modules may be located in both local and remote computer system storage media including memory storage devices.
The method provided by the first embodiment of the present application may be executed in a security server, a WEB server, a WAF server, or a similar computing device. Taking the example of running on a WAF server, fig. 1 is a block diagram of a hardware structure of a WAF server according to an embodiment of the present invention. As shown in fig. 1, the WAF server 10 may include one or more (only one shown in fig. 1) processors 102 (the processors 102 may include, but are not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA) and a memory 104 for storing data, and optionally, a transmission device 106 for communication functions and an input/output device 108. It will be understood by those skilled in the art that the configuration shown in fig. 1 is merely illustrative and is not intended to limit the configuration of the WAF server described above. For example, WAF server 10 may also include more or fewer components than shown in fig. 1, or have a different configuration than shown in fig. 1.
The memory 104 may be configured to store a WAF server program, for example, a software program and a module of application software, such as a WAF server program corresponding to the message detection method in the embodiment of the present invention, and the processor 102 executes various functional applications and data processing by running the WAF server program stored in the memory 104, so as to implement the above-mentioned method. The memory 104 may include high speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, memory 104 may further include memory remotely located from processor 102, which may be connected to WAF server 10 over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 106 is used for receiving or transmitting data via a network. Specific examples of such networks may include wireless networks provided by the communications provider of WAF server 10. In one example, the transmission device 106 includes a Network adapter (NIC), which can be connected to other Network devices through a base station so as to communicate with the internet. In one example, the transmission device 106 may be a Radio Frequency (RF) module, which is used for communicating with the internet in a wireless manner.
In this embodiment, a method for detecting a message is provided. Fig. 2 is a flowchart of a message detection method according to an embodiment of the present invention; as shown in fig. 2, the flow includes the following steps:
Step S202, monitoring state information of the distributed cluster, wherein the state information represents whether a JSON string held by the distributed cluster has been updated, and the JSON string carries characteristic information of messages to be intercepted;
In this embodiment, the characteristic information may be, but is not limited to: IP address, token, physical MAC address, account information and code sequence. The code sequence may comprise a static sequence and a dynamic sequence, and the token can be used to discover attempts to exploit a code vulnerability. Of these, a client's physical MAC address is not preserved across routed hops, so it, like the token and the account information, reaches the WAF only if the client or an upstream device places it in the request, where the sender can set it freely.
Step S204, if the JSON string has been updated, configuring an interception rule of a web application firewall (WAF) according to the JSON string;
The interception rule of this embodiment is applied on a Web Application Firewall (WAF) server, which is deployed between the proxy server and the service server; if the JSON string has not been updated, the current interception rule is left unchanged.
Step S206, receiving a service request message forwarded by a proxy server, wherein the proxy server is connected to a web client;
The service request message is initiated at the web client and reaches the web server through the proxy server, requesting service content from the web server.
Step S208, detecting the service request message according to the interception rule.
Through the above steps, the JSON string of the distributed cluster is monitored; if it has been updated, an interception rule of the Web Application Firewall (WAF) is configured according to it; a service request message forwarded by the proxy server, which is connected to the web client, is received; and finally the service request message is detected according to the interception rule. By deploying the WAF service together with the proxy server, the interception rule can be synchronized in real time according to the service requirements and the latest rule hot-loaded, without restarting or replacing the proxy server. This solves the technical problem of low protection efficiency of web applications in the related art, reduces the coupling between service functions and security functions, keeps security and service isolated within the web application, and lets the web application gain a custom protection function without being redeployed and without changing its original architecture; the security of the web application is improved, and both the losses caused by attacks on the web application and the cost of secure website development are reduced.
This embodiment can be applied to updating firewall interception rules, and also to other rule update scenarios such as rate limiting and permission management; the latest rule is applied without restarting the program. Combined with the actual service scenario, the method can intercept a given class of requests, for example requests that bypass Turing-test (CAPTCHA) verification, blacklist and whitelist interception, or speed limiting and throttling.
Fig. 3 is a network architecture diagram according to an embodiment of the present invention. As shown in fig. 3, the distributed cluster comprises an etcd cluster (server side) and an etcd client; there are also a WAF server (WAF_server) and a proxy server (nginx). The proxy server is connected to a web client running a browser, and the WAF server is connected to the web server. The WAF server provides functions such as rule hot update, separation of basic rules from service rules, and blacklists and whitelists, and publishes rules to the distributed cluster. The service request message from the web client is forwarded by nginx to WAF_server through the TCP (Transmission Control Protocol) interface of nginx, and nginx then waits synchronously for the detection result of the service request message returned by WAF_server.
Fig. 4 is a schematic flow chart of the distributed cluster rule update according to an embodiment of the present invention. As shown in fig. 4, the distributed cluster is etcd. A configuration service is set up in the distributed cluster; a configuration rule (the characteristic information of messages to be intercepted) is written into etcd and the write result is fed back; then the WAF server (WAF_server) reads the configuration rule, synchronizes it, and performs the configuration update in real time. The request decision program, comprising a rule parsing engine, a request parsing engine and a request filtering decision engine, can be implemented in the Go programming language, and the change of the value of a given key in etcd is watched through etcd_client_checker. etcd is a distributed key-value store: using the Raft-based etcd distributed key-value storage system increases the reliability of the platform in a distributed environment, and its HTTP+JSON API makes updating and maintenance convenient.
In this embodiment, configuring the interception rule of the WAF according to the JSON string includes:
S11, deserializing the JSON string to obtain at least one rule index, wherein each rule index is mapped to a rule content through a key-value pair;
In one implementation of this embodiment, before inserting the rule index into a tree node of a red-black tree (RB tree), the method further includes: determining priority information of the business rules, wherein each business rule corresponds to one rule index; and sorting the rule indexes based on the priority information, wherein the sorted position of each rule index corresponds to its position in the traversal order of the red-black tree.
S12, inserting the rule index into a tree node of the red-black tree.
Fig. 5 is a schematic diagram of inserting rule indexes into tree nodes according to an embodiment of the present invention. The red-black tree contains 9 tree nodes, and the rule index is the id number, i.e. the rule identifier; from the root node down to the leaf nodes the ids are 20020, 20010, 20030, 20080, 20015, 20025, 21000, 20050, 21005. Each node of the red-black tree stores a rule id, and the nodes are ordered by the value of the rule id. Because of the red-black tree structure, this embodiment can perform search, insertion and deletion in O(log2 N) time, where N is the total number of rules, so the red-black tree improves the efficiency of rule insertion and sorting. Note that this bound applies to maintaining the rule set by id; matching a message still visits the nodes in order until the first hit, so a message that hits no rule costs a full in-order traversal. The red-black tree can also be replaced by whichever data structure a service requires, so that fast add, delete, modify and query operations can be completed conveniently.
In this embodiment, an effective time may also be set for the interception rule on the WAF server. After the interception rule of the WAF is configured according to the JSON string, the method further includes: sending a lease application to the distributed cluster; receiving the lease time fed back by the distributed cluster in response to the lease application; and configuring the effective time of the interception rule on the WAF server based on the lease time. Because the rule's validity is bounded by the lease, a rule whose lease is not renewed stops taking effect once the lease time elapses; the WAF server therefore has to keep renewing the lease, or re-read the rule, for as long as the rule is meant to apply.
In this embodiment, detecting the service request message according to the interception rule includes:
S21, parsing the service request message to obtain the message characteristics of the service request message;
S22, traversing the interception rule to query the message characteristics;
In one implementation of this embodiment, traversing the interception rule to query the message characteristics includes: querying the message characteristics sequentially in the arrangement order of the tree nodes of the red-black tree, wherein the rule contents of the interception rule correspond one-to-one to the tree nodes; if the message characteristics hit any rule content of the interception rule, stopping the traversal and determining that the message characteristics hit the interception rule; and if the message characteristics hit none of the rule contents of the interception rule, determining that the message characteristics do not hit the interception rule.
In one example, the interception rule comprises three rule contents a, b and c, inserted into tree nodes 1, 2 and 3 of the red-black tree respectively, and the arrangement order is tree node 1, tree node 3, tree node 2. Following this order, it is first judged whether the message characteristics match rule content a; if so, the traversal stops and the message characteristics are determined to hit the interception rule; otherwise it is judged whether the message characteristics match rule content c, and then rule content b, until all tree nodes have been traversed;
S23, if the message characteristics hit the interception rule, intercepting the service request message; and if the message characteristics do not hit the interception rule, forwarding the service request message to the web server.
In this embodiment, the proxy server and the WAF server may interact through lua messages; because the script is embedded, changes to the original service messages are reduced. Receiving the service request message forwarded by the proxy server includes: receiving a first service request message forwarded by the proxy server, where the first service request message is a script message in the protobuffer (protocol buffer) format; and converting the first service request message into a second service request message in json format. Protobuffer is a data description language; a script message in protobuffer format is written in the lua language, so that structured data can be serialized, and serialized data can be deserialized to recover the original data structure.
Optionally, after detecting the service request message according to the interception rule, the method further includes: feeding back the detection result to the proxy server, where the detection result indicates whether the service request message is a malicious message. The proxy server can further process the service request message and directly intercept similar messages afterwards, or the proxy server can feed the detection result back to the web client to prompt the user that the current operation is risky or not permitted.
Fig. 6 is a schematic flow chart of a first scenario for implementing the present invention, where a blacklist rule with an effective duration of 30 minutes is added to the WAF server; the steps of adding the time-limited blacklist rule are:
S61, the relevant business department provides the ip address or other features that need to be blacklisted.
S62, the waf rule is written according to the blacklist ip provided by the business department, and the corresponding json character string is generated.
S63, the rule json character string generated for the blacklist ip is written into the etcd cluster through the http + json api interface provided by etcd.
S64, whether the json character string was written successfully is determined from the return value of the etcd cluster; if the write failed, the log is checked and the json character string is added again until etcd returns a success log message.
S65, after the etcd cluster has updated the rule successfully, waf_server detects the change of the value of the monitored Key, automatically parses the json character string to obtain the rule id that needs to be updated, and inserts the rule at the corresponding position using the fast search and insertion characteristic of the red-black tree; when the next request is detected, the new rule set is used to detect the request forwarded by nginx, completing the ip blacklist interception function.
S66, a 30-minute lease is applied for from etcd, etcd returns a lease value, and the lease value is attached to the rule json character string generated just before, so that the rule is a configuration entry with a lease time limit.
S67, using the leased configuration function of etcd, etcd deletes this rule json string automatically after 30 minutes. At the same time, waf_server obtains the rule id to be deleted from the change of the value of the monitored Key and deletes the rule from the rule set using the fast search and insertion characteristic of the red-black tree; when the next request is detected, the rule set without the blacklist ip is used to detect the request forwarded by nginx, so the interception of that ip blacklist is removed. The time-limited ip blacklist blocking function is thus fully realized.
The update is performed with the http client of etcd (the web-side entry to etcd); a rule addition record is created from the etcd update event, the rule json character string is deserialized, and the rule id is used as the key of the red-black tree, i.e., the index of the rule. The corresponding rule content can be found from the rule index, and the position where the rule should be inserted can be located quickly thanks to the ordering property of the red-black tree. The rule is placed directly at its position in one step without any redundant traversal, so insertion efficiency is high. At the same time, according to the importance of the business rules, the rule that should be matched first is given a small rule id, so that it is matched and blocks as early as possible; this meets actual business requirements, reduces unnecessary rule matching, and improves the interception efficiency and request detection efficiency of the waf.
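The detection steps S21 to S23 and the leased blacklist scenario of Fig. 6, as an added Python model that is not code from the patent or the applicant: rule ids are the tree keys and are traversed in ascending order, the first hit stops the traversal, a leased rule disappears when its 30-minute lease runs out, and a rule can also be removed by an explicit delete event. A sorted list with `bisect` stands in for the red-black tree; the watch event shape, the rule types (ip, token, regex), the key prefix `/waf/rules/` and all sample rules and messages are assumptions.

```python
import bisect
import json
import re

class RuleSet:
    """Rules keyed by rule id and kept in ascending id order.
    A sorted list plus bisect stands in for the patent's red-black tree (assumption):
    logarithmic search on insert, delete and lookup; traversal starts at the smallest id."""

    def __init__(self):
        self.ids = []         # sorted rule ids (the tree's key order)
        self._rules = {}      # rule id -> deserialized rule content
        self._expires = {}    # rule id -> absolute expiry time of its lease

    def apply_event(self, event, now):
        """Apply one watch event: {"type": "PUT"|"DELETE", "key": "/waf/rules/<id>",
        "value": <rule json string>, "lease_ttl": <seconds or None>} (constructed shape)."""
        rule_id = int(event["key"].rsplit("/", 1)[1])
        if event["type"] == "DELETE":
            self._remove(rule_id)
            return
        rule = json.loads(event["value"])       # deserialize the json string
        if rule_id not in self._rules:
            bisect.insort(self.ids, rule_id)    # one ordered insert, no full scan
        self._rules[rule_id] = rule
        if event.get("lease_ttl"):
            self._expires[rule_id] = now + event["lease_ttl"]  # valid until the lease ends
        else:
            self._expires.pop(rule_id, None)

    def _remove(self, rule_id):
        if rule_id in self._rules:
            del self._rules[rule_id]
            self._expires.pop(rule_id, None)
            del self.ids[bisect.bisect_left(self.ids, rule_id)]

    def expire(self, now):
        """Drop rules whose lease ran out (etcd would delete the key and the
        watcher would see DELETE events); returns the removed ids."""
        gone = [rid for rid, t in self._expires.items() if t <= now]
        for rid in gone:
            self._remove(rid)
        return gone

    def detect(self, message_json):
        """Return (intercept, rule_id) for the first hit in id order, else (False, None)."""
        feats = extract_features(message_json)
        for rid in self.ids:                     # ascending id == priority order
            if _matches(self._rules[rid], feats):
                return True, rid                 # stop traversing at the first hit
        return False, None

def extract_features(message_json):
    """Parse the json-format service request message into matchable features."""
    msg = json.loads(message_json)
    headers = {k.lower(): v for k, v in msg.get("headers", {}).items()}
    return {"ip": msg.get("remote_addr", ""), "uri": msg.get("uri", ""),
            "token": headers.get("x-token", "")}

def _matches(rule, feats):
    """One rule content against the message features (rule types are assumptions)."""
    if rule["type"] in ("ip", "token"):
        return feats[rule["type"]] == rule["value"]
    if rule["type"] == "regex":
        return re.search(rule["value"], feats.get(rule["field"], "")) is not None
    return False

def _put(rule, ttl=None):
    return {"type": "PUT", "key": "/waf/rules/%d" % rule["rule_id"],
            "value": json.dumps(rule), "lease_ttl": ttl}

# Constructed rules: a patch rule with no lease, a 30-minute ip blacklist, a revoked token.
RULE_EVENTS = [
    _put({"rule_id": 21000, "type": "regex", "field": "uri", "value": r"^/old-lib/.*\.\./"}),
    _put({"rule_id": 20010, "type": "ip", "value": "203.0.113.7"}, ttl=1800),
    _put({"rule_id": 20015, "type": "token", "value": "tok-revoked-01"}),
]

# Constructed json-format service request messages.
MESSAGES = {
    "blacklisted_ip": json.dumps({"remote_addr": "203.0.113.7", "uri": "/api/ping"}),
    "patched_path": json.dumps({"remote_addr": "198.51.100.2", "uri": "/old-lib/x/../y"}),
    "clean": json.dumps({"remote_addr": "198.51.100.3", "uri": "/api/ping", "headers": {"X-Token": "tok-ok"}}),
    "several_hits": json.dumps({"remote_addr": "203.0.113.7", "uri": "/old-lib/x/../y",
                                "headers": {"X-Token": "tok-revoked-01"}}),
}

def run_scenario(now=1000.0):
    """Add rules, detect, let the 30-minute lease expire, detect again, then drop the patch rule."""
    rs = RuleSet()
    for ev in RULE_EVENTS:
        rs.apply_event(ev, now)
    before = {name: rs.detect(m) for name, m in MESSAGES.items()}
    order = list(rs.ids)
    expired = rs.expire(now + 1801)              # 30 minutes and one second later
    after = {name: rs.detect(m) for name, m in MESSAGES.items()}
    rs.apply_event({"type": "DELETE", "key": "/waf/rules/21000"}, now + 1801)  # explicit delete
    return {"order": order, "before": before, "expired": expired, "after": after, "final_ids": list(rs.ids)}
```

With the constructed data, the message that matches several rules is attributed to rule 20010 while its lease is alive and to 20015 after the lease expires, which is the "small id is matched first" behaviour described above.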
Fig. 7 is a flowchart of a second implementation scenario of the present invention, where adding a virtual patch to the WAF server includes:
S71, the security department finds that a related business uses an open source library with a vulnerability, and the security department submits the vulnerability to the research and development department to determine the schedule for fixing it.
S72, the security department finds that the vulnerability affects many business departments, has a large scope and a long repair time, and designs a waf interception rule for the vulnerability according to the principle by which the vulnerability is exploited and the request characteristics of the vulnerability.
S73, the security department synchronizes the rule into the rules held in etcd, designs the corresponding rule id, determines the check weight and flow of the rule, and updates the rule json character string through the http api interface of etcd.
S74, after the research and development department has completed the vulnerability fix, the rule is deleted and the waf is restored to its original state, completing the whole virtual patch process.
As service development grows more complex, many projects use more or less open-source code, and that code may contain vulnerabilities that have gone unnoticed and are very likely to be exploited by attackers to endanger the information security of the service. At the same time, some services may need a long time to fix a newly exposed vulnerability, and it is inconvenient to suspend the service during that period. Therefore, during the fixing period the waf directly intercepts requests that exploit the existing vulnerability of the company's service and so plays the role of a virtual patch; after the service has completed the fix, the waf deletes the virtual patch rule through the http api interface of etcd and restores its original state. In this way the business service is guarded and the vulnerability fixing process is carried out safely and reliably.
The virtual patch function of the waf completes the security task of a business department in a transition stage under special conditions. The function also uses the hot update characteristic of the etcd cluster and the fast insertion and sorting characteristic of the red-black tree to intercept the latest vulnerability attack before the request reaches the back-end service, which effectively mitigates the risk of the vulnerability being exploited by an attacker. With this function, abnormal clients and organizations with malicious behaviour can be detected and identified, and, combined with the existing interception data, artificial intelligence big data analysis can be performed to discover and prevent other malicious attack behaviour in advance.
This embodiment provides a solution in which the waf rapidly updates its protection rules based on business requirements, so that a balance between processing performance and cost is reached and actual business and security are combined more conveniently. Against the current internet security background, technical modes such as nginx + lua + etcd + RBtree are adopted to realize real-time hot updating of waf security rules and provide a web application firewall; at the same time, the distributed characteristic of etcd greatly simplifies data synchronization between the nginx nodes, and the red-black tree data structure improves the efficiency of rule insertion and sorting. Without affecting the high-concurrency performance of nginx, the architecture in which nginx forwards the request to the detection server makes the waf program convenient to update, reduces how often nginx is restarted, optimizes forwarding efficiency on the service side, and reduces the risk of restarting nginx manually.
The security rule updating scheme of this embodiment for the waf application has the following beneficial effects: it isolates security from the service and reduces the coupling between the service function and the security function. The required custom security protection function can be obtained while keeping security and service isolated in the web application and without redeploying the web application or changing its original architecture. The loss caused by attacks on the web application and the cost of website security development are reduced, rule updating efficiency and matching efficiency are improved, and waf performance is improved. Combined with the specific service requirements of the company, security rules that fit only the company are generated, the service requirements are deeply integrated, and the waf detection of requests is more targeted and specific.
Through the above description of the embodiments, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but the former is a better implementation mode in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, or a network device) to execute the method according to the embodiments of the present invention.
In this embodiment, a message detection apparatus is further provided. The apparatus is used to implement the foregoing embodiments and preferred embodiments, and details already described are not repeated. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the means described in the embodiments below are preferably implemented in software, an implementation in hardware, or a combination of software and hardware, is also possible and contemplated.
Fig. 8 is a block diagram of the structure of a message detection apparatus according to an embodiment of the present invention; as shown in fig. 8, the apparatus includes a monitoring module 80, a configuration module 82, a receiving module 84 and a detection module 86, wherein:
a monitoring module 80, configured to monitor state information of a distributed cluster, where the state information is used to represent whether a json character string of the distributed cluster is updated, and the json character string carries characteristic information of a packet to be intercepted;
a configuration module 82, configured to configure an interception rule of a web application firewall WAF according to the json character string if the json character string is updated;
a receiving module 84, configured to receive a service request packet forwarded by a proxy server, where the proxy server is connected to a web client;
and the detection module 86 is configured to detect the service request packet according to the interception rule.
Optionally, the characteristic information includes at least one of: IP address, Token, physical MAC address, account information and code sequence.
Optionally, the configuration module is configured to configure, if the json character string is updated, an interception rule of the web application firewall WAF according to the json character string, and is specifically configured to: perform deserialization analysis on the json character string to obtain at least one rule index, wherein each rule index is mapped to a rule content through a key value; and insert the rule index into a tree node of the red-black tree.
Optionally, before inserting the rule index into a tree node of the red-black tree, the configuration module is further configured to: determine priority information of business rules, wherein each business rule corresponds to a rule index; and sort the rule indexes based on the priority information, wherein the sorting positions of the rule indexes correspond to the traversal order of the red-black tree.
Optionally, after configuring the interception rule of the web application firewall WAF according to the json character string, the configuration module is further configured to: sending a lease application to the distributed cluster; receiving lease time fed back by the distributed cluster based on the lease application; and configuring the effective time of the interception rule on the WAF server based on the lease time.
Optionally, the detection module detects the service request packet according to the interception rule, and is specifically configured to: analyzing the service request message to obtain the message characteristics of the service request message; traversing and inquiring the message characteristics according to the interception rule; if the message characteristics hit the interception rule, intercepting the service request message; and if the message characteristics do not hit the interception rule, forwarding the service request message to a web server.
Optionally, the detection module is configured to, when traversing and querying the message feature according to the interception rule, specifically: sequentially traversing and inquiring the message characteristics based on the arrangement sequence of the tree nodes of the red-black tree, wherein the rule content of the interception rule corresponds to the tree nodes one by one; if the message characteristics hit any rule content of the interception rule, stopping traversal operation, and determining that the message characteristics hit the interception rule; and if the message characteristics do not hit any rule content of the interception rules, determining that the message characteristics do not hit the interception rules.
Optionally, after detecting the service request packet according to the interception rule, the detecting module is further configured to: and feeding back a detection result to the proxy server, wherein the detection result is used for indicating whether the service request message is a malicious message.
Optionally, the receiving module receives a service request packet forwarded by the proxy server, and is specifically configured to: receiving a first service request message forwarded by the proxy server, wherein the first service request message is a script message in a protobuffer format; and converting the first service request message into a second service request message in a json format.
It should be noted that, the above modules may be implemented by software or hardware, and for the latter, the following may be implemented, but not limited to: the modules are all positioned in the same processor; alternatively, the modules are respectively located in different processors in any combination.
Embodiments of the present invention also provide a storage medium having a computer program stored therein, wherein the computer program is arranged to perform the steps of any of the above method embodiments when executed.
Alternatively, in the present embodiment, the storage medium may be configured to store a computer program for executing the steps of:
S1, monitoring state information of a distributed cluster, wherein the state information is used for representing whether a json character string of the distributed cluster is updated or not, and the json character string carries characteristic information of a message to be intercepted;
S2, if the json character string is updated, configuring an interception rule of a web application firewall WAF according to the json character string;
S3, receiving a service request message forwarded by a proxy server, wherein the proxy server is connected with a web client;
S4, detecting the service request message according to the interception rule.
Optionally, in this embodiment, the storage medium may include, but is not limited to: various media capable of storing computer programs, such as a usb disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic disk, or an optical disk.
Embodiments of the present invention also provide an electronic device comprising a memory having a computer program stored therein and a processor arranged to run the computer program to perform the steps of any of the above method embodiments.
Optionally, the electronic apparatus may further include a transmission device and an input/output device, wherein the transmission device is connected to the processor, and the input/output device is connected to the processor.
Optionally, in this embodiment, the processor may be configured to execute the following steps by a computer program:
S1, monitoring state information of a distributed cluster, wherein the state information is used for representing whether a json character string of the distributed cluster is updated or not, and the json character string carries characteristic information of a message to be intercepted;
S2, if the json character string is updated, configuring an interception rule of a web application firewall WAF according to the json character string;
S3, receiving a service request message forwarded by a proxy server, wherein the proxy server is connected with a web client;
S4, detecting the service request message according to the interception rule.
Optionally, the specific examples in this embodiment may refer to the examples described in the above embodiments and optional implementation manners, and this embodiment is not described herein again.
In the present specification, the embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same or similar parts in the embodiments are referred to each other. For the system embodiment, since it basically corresponds to the method embodiment, the description is relatively simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The method and system of the present invention may be implemented in a number of ways. For example, the methods and systems of the present invention may be implemented in software, hardware, firmware, or any combination of software, hardware, and firmware. The above-described order for the steps of the method is for illustrative purposes only, and the steps of the method of the present invention are not limited to the order specifically described above unless specifically indicated otherwise. Furthermore, in some embodiments, the present invention may also be embodied as a program recorded in a recording medium, the program including machine-readable instructions for implementing a method according to the present invention. Thus, the present invention also covers a recording medium storing a program for executing the method according to the present invention.
The description of the present invention has been presented for purposes of illustration and description, and is not intended to be exhaustive or limited to the invention in the form disclosed. Many modifications and variations will be apparent to practitioners skilled in this art. The embodiment was chosen and described in order to best explain the principles of the invention and the practical application, and to enable others of ordinary skill in the art to understand the invention for various embodiments with various modifications as are suited to the particular use contemplated.

Claims (15)

1. A method for detecting a message is characterized by comprising the following steps:
monitoring state information of a distributed cluster, wherein the state information is used for representing whether a json character string of the distributed cluster is updated or not, and the json character string carries characteristic information of a message to be intercepted;
if the json character string is updated, configuring an interception rule of a web application firewall WAF according to the json character string;
receiving a service request message forwarded by a proxy server, wherein the proxy server is connected with a web client;
and detecting the service request message according to the interception rule.
2. The method of claim 1, wherein configuring the interception rules for the WAF according to the json string comprises:
performing deserialization analysis on the json character string to obtain at least one rule index, wherein each rule index is mapped to a rule content through a key value;
and inserting the rule index into a tree node of the red-black tree.
3. The method of claim 2, wherein prior to inserting the rule index into a tree node of a red-black tree, the method further comprises:
determining priority information of business rules, wherein each business rule corresponds to a rule index;
and sorting the rule indexes based on the priority information, wherein the sorting positions of the rule indexes correspond to the traversal order of the red-black tree.
4. The method according to claim 1, characterized in that after said configuration of the interception rules of the Web Application Firewall (WAF) according to said json string, the method further comprises:
sending a lease application to the distributed cluster;
receiving lease time fed back by the distributed cluster based on the lease application;
and configuring the effective time of the interception rule on the WAF server based on the lease time.
5. The method of claim 1, wherein detecting the service request packet according to the interception rule comprises:
analyzing the service request message to obtain the message characteristics of the service request message;
traversing and inquiring the message characteristics according to the interception rule;
if the message characteristics hit the interception rule, intercepting the service request message; and if the message characteristics do not hit the interception rule, forwarding the service request message to a web server.
6. The method of claim 5, wherein querying the message features according to the interception rule traversal comprises:
sequentially traversing and inquiring the message characteristics based on the arrangement sequence of the tree nodes of the red-black tree, wherein the rule content of the interception rule corresponds to the tree nodes one by one;
if the message characteristics hit any rule content of the interception rule, stopping traversal operation, and determining that the message characteristics hit the interception rule; and if the message characteristics do not hit any rule content of the interception rules, determining that the message characteristics do not hit the interception rules.
7. The method of claim 1, wherein receiving the service request message forwarded by the proxy server comprises:
receiving a first service request message forwarded by the proxy server, wherein the first service request message is a protocol buffer format message;
and converting the first service request message into a second service request message in a json format.
8. The method according to claim 1, wherein after detecting the service request packet according to the interception rule, the method further comprises:
and feeding back a detection result to the proxy server, wherein the detection result is used for indicating whether the service request message is a malicious message.
9. The method of claim 1, wherein the characteristic information comprises at least one of:
IP address, Token, physical MAC address, account information and code sequence.
10. A message detection apparatus, comprising:
the monitoring module is used for monitoring state information of the distributed cluster, wherein the state information is used for representing whether a json character string of the distributed cluster is updated or not, and the json character string carries characteristic information of a message to be intercepted;
the configuration module is used for configuring the interception rule of the web application firewall WAF according to the json character string if the json character string is updated;
the receiving module is used for receiving a service request message forwarded by a proxy server, wherein the proxy server is connected with a web client;
the detection module is used for detecting the service request message according to the interception rule; and/or,
the characteristic information includes at least one of: IP address, Token, physical MAC address, account information and code sequence.
11. The apparatus according to claim 10, wherein the configuration module is configured to configure, if the json string has been updated, the interception rule of the web application firewall WAF according to the json string, and specifically is configured to:
performing deserialization analysis on the json character string to obtain at least one rule index, wherein each rule index is mapped to a rule content through a key value;
and inserting the rule index into a tree node of the red-black tree.
12. The apparatus of claim 11, wherein the configuration module, prior to inserting the rule index into a tree node of a red-black tree, is further configured to:
determining priority information of business rules, wherein each business rule corresponds to a rule index;
and sorting the rule indexes based on the priority information, wherein the sorting positions of the rule indexes correspond to the traversal order of the red-black tree.
13. The apparatus according to claim 10, wherein said configuration module, after configuring the interception rule of the web application firewall WAF according to the json string, is further configured to:
sending a lease application to the distributed cluster;
receiving lease time fed back by the distributed cluster based on the lease application;
and configuring the effective time of the interception rule on the WAF server based on the lease time.
14. The apparatus according to claim 10, wherein the detection module detects the service request packet according to the interception rule, and is specifically configured to:
analyzing the service request message to obtain the message characteristics of the service request message;
traversing and inquiring the message characteristics according to the interception rule;
if the message characteristics hit the interception rule, intercepting the service request message; if the message characteristics do not hit the interception rule, forwarding the service request message to a web server;
and/or,
the detection module is specifically configured to, when traversing and querying the message features according to the interception rule:
sequentially traversing and inquiring the message characteristics based on the arrangement sequence of the tree nodes of the red-black tree, wherein the rule content of the interception rule corresponds to the tree nodes one by one;
if the message characteristics hit any rule content of the interception rule, stopping traversal operation, and determining that the message characteristics hit the interception rule;
if the message characteristics miss any rule content of the interception rules, determining that the message characteristics miss the interception rules;
and/or,
after detecting the service request packet according to the interception rule, the detection module is further configured to: and feeding back a detection result to the proxy server, wherein the detection result is used for indicating whether the service request message is a malicious message.
15. The apparatus according to claim 10, wherein the receiving module receives a service request packet forwarded by the proxy server, and is specifically configured to:
receiving a first service request message forwarded by the proxy server, wherein the first service request message is a script message in a protobuffer format;
and converting the first service request message into a second service request message in a json format.
CN201911399962.8A 2019-12-30 2019-12-30 Message detection method and device Pending CN111182060A (en)

Publications (1)

Publication Number Publication Date
CN111182060A true CN111182060A (en) 2020-05-19

Family

ID=70658290

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911399962.8A Pending CN111182060A (en) 2019-12-30 2019-12-30 Message detection method and device

Country Status (1)

Country Link
CN (1) CN111182060A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112182590A (en) * 2020-11-16 2021-01-05 中国银联股份有限公司 Vulnerability updating method and device for Web application
CN112367214A (en) * 2020-10-12 2021-02-12 成都精灵云科技有限公司 Method for rapidly detecting and switching main node based on etcd
CN113709112A (en) * 2021-07-30 2021-11-26 武汉思普崚技术有限公司 Method and device for rapidly filtering access control list
CN114785621A (en) * 2022-06-17 2022-07-22 上海斗象信息科技有限公司 Vulnerability detection method and device, electronic equipment and computer readable storage medium
CN115277224A (en) * 2022-07-29 2022-11-01 北京天融信网络安全技术有限公司 Method and device for determining application protection rule, storage medium and electronic equipment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103036641A (en) * 2011-09-29 2013-04-10 北京新媒传信科技有限公司 Method and system of data exchange and deserialization method
CN104268229A (en) * 2014-09-26 2015-01-07 北京金山安全软件有限公司 Resource obtaining method and device based on multi-process browser
CN105227571A (en) * 2015-10-20 2016-01-06 福建六壬网安股份有限公司 Web application firewall system based on nginx+lua and its implementation method
US20160366096A1 (en) * 2015-06-15 2016-12-15 Tempered Networks, Inc. Overlay network with position independent insertion and tap points
CN109246064A (en) * 2017-07-11 2019-01-18 阿里巴巴集团控股有限公司 Secure access control, and method, apparatus and device for generating network access rules

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
王宇 et al.: "Design and Implementation of a Web Application Firewall", Information Security and Communications Privacy *
翟涵: "Design and Implementation of a Web Security Scanning Tool Based on a Web Crawler", China Master's Theses Full-text Database (Electronic Journal), Information Science and Technology *

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112367214A (en) * 2020-10-12 2021-02-12 成都精灵云科技有限公司 Method for rapidly detecting and switching main node based on etcd
CN112367214B (en) * 2020-10-12 2022-06-14 成都精灵云科技有限公司 Method for rapidly detecting and switching main node based on etcd
CN112182590A (en) * 2020-11-16 2021-01-05 中国银联股份有限公司 Vulnerability updating method and device for Web application
CN113709112A (en) * 2021-07-30 2021-11-26 武汉思普崚技术有限公司 Method and device for rapidly filtering access control list
CN113709112B (en) * 2021-07-30 2023-04-18 武汉思普崚技术有限公司 Method and device for rapidly filtering access control list
CN114785621A (en) * 2022-06-17 2022-07-22 上海斗象信息科技有限公司 Vulnerability detection method and device, electronic equipment and computer readable storage medium
CN114785621B (en) * 2022-06-17 2022-11-01 上海斗象信息科技有限公司 Vulnerability detection method and device, electronic equipment and computer readable storage medium
CN115277224A (en) * 2022-07-29 2022-11-01 北京天融信网络安全技术有限公司 Method and device for determining application protection rule, storage medium and electronic equipment

Similar Documents

Publication Publication Date Title
US11853434B2 (en) System and method for creating and executing breach scenarios utilizing virtualized elements
CN111182060A (en) Message detection method and device
US10929538B2 (en) Network security protection method and apparatus
US8978137B2 (en) Method and apparatus for retroactively detecting malicious or otherwise undesirable software
Parampalli et al. A practical mimicry attack against powerful system-call monitors
US7464407B2 (en) Attack defending system and attack defending method
RU2680736C1 (en) Malware files in network traffic detection server and method
US10447726B2 (en) Mitigating attacks on server computers by enforcing platform policies on client computers
CN111737696A (en) Method, system and equipment for detecting malicious file and readable storage medium
JP2016201115A (en) Methods and apparatus for dealing with malware
US11290484B2 (en) Bot characteristic detection method and apparatus
WO2017107830A1 (en) Application installation method, apparatus and electronic device
US20210258283A1 (en) Document Tracking Method, Gateway Device, and Server
CN110880983A (en) Penetration testing method and device based on scene, storage medium and electronic device
JP6450022B2 (en) Analysis device, analysis method, and analysis program
US20230231885A1 (en) Multi-perspective security context per actor
CN106919844B (en) Android system application vulnerability detection method
CN104796386A (en) Detection method, device and system of botnet
CN111901325B (en) Service extension method and device for honeypot nodes, electronic device and storage medium
CN113824678B (en) System, method, and non-transitory computer readable medium for processing information security events
KR20130049336A (en) Method and system for tracking attack source and attack spreading site
Marengereke et al. Cloud based security solution for android smartphones
CN116938605B (en) Network attack protection method and device, electronic equipment and readable storage medium
CN114650210B (en) Alarm processing method and protection equipment
Eisenhaur et al. Mobile Malware Madness, and How to Cap the Mad Hatters. A Preliminary Look at Mitigating Mobile Malware

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200519