CN111385270A - WAF-based network attack detection method and device - Google Patents


Info

Publication number
CN111385270A
Authority
CN
China
Prior art keywords
data request
network attack
attack
request
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201811641653.2A
Other languages
Chinese (zh)
Inventor
张鑫
高雪峰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Qihoo Technology Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Qihoo Technology Co Ltd
Priority to CN201811641653.2A
Publication of CN111385270A
Legal status: Pending

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416: Event detection, e.g. attack signature detection
    • H04L 63/1441: Countermeasures against malicious traffic
    • H04L 67/00: Network arrangements or protocols for supporting network services or applications
    • H04L 67/01: Protocols
    • H04L 67/02: Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Abstract

The invention discloses a WAF-based network attack detection method and device, relates to the technical field of network security, and addresses the problem that a conventional WAF can only identify network attacks that match its rules and cannot identify other network attacks in time. The method mainly comprises the following steps: acquiring a data request sent to a target host; detecting whether the data request carries a network attack; if a network attack exists, blocking the data request from reaching the target host; and if no network attack exists, releasing the data request and performing attack-success detection on the data response made by the target host. The method and device are mainly suited to scenarios in which network attacks are to be detected.

Description

WAF-based network attack detection method and device
Technical Field
The invention relates to the technical field of network security, in particular to a WAF-based network attack detection method and device.
Background
With the continuous development of computer technology and the spread of the internet, network attacks take ever more forms, network security problems are increasingly prominent, the social impact and economic loss caused by network attacks grow larger and larger, and new requirements and challenges are placed on network threat detection and defence. Users such as enterprises generally adopt firewalls as the first line of defence of their security systems. In practice, however, traditional firewalls cannot address Web application security problems, and it is this gap that gave rise to the Web Application Firewall (WAF): an emerging class of information security technology that addresses Web application security issues which traditional security devices such as firewalls cannot.
Specifically, a WAF performs content detection and verification on the various data requests coming from Web application clients by rule matching, ensures the security and validity of those requests, and blocks illegal data requests in real time, thereby effectively protecting websites. However, the rules used in the detection process are descriptions of known network attack characteristics, so the WAF blocks a data request only when the request matches the known attack characteristics; a data request that does not match is released directly, and no further processing is performed on it. Therefore, an existing WAF cannot identify, in time, hidden network attacks other than those that match its known rules.
Disclosure of Invention
In view of this, the present invention provides a WAF-based network attack detection method and apparatus, which aim to solve the problem that an existing WAF cannot identify, in time, network attacks other than those for which rule matching succeeds.
The purpose of the invention is realized by adopting the following technical scheme:
in a first aspect, the present invention provides a method for detecting a network attack based on a WAF, where the method includes:
acquiring a data request sent to a target host;
detecting whether a network attack exists in the data request;
if the network attack exists, the data request is blocked from reaching the target host;
and if no network attack exists, releasing the data request and performing attack-success detection on the data response made by the target host.
Optionally, when the data request is a hypertext transfer security protocol HTTPS request, before detecting whether a network attack exists in the data request, the method further includes:
converting the data request from an HTTPS request into a hypertext transfer protocol (HTTP) request.
Optionally, converting the data request from an HTTPS request to a hypertext transfer protocol HTTP request includes:
and converting the data request from the HTTPS request into an HTTP request by offloading the Secure Sockets Layer (SSL) certificate (SSL termination).
Optionally, performing attack-success detection on the data response made by the target host includes:
extracting features to be compared from the data response;
comparing the features to be compared with more than one attack response rule in a pre-established feature library one by one, wherein the attack response rule is a rule set according to the existing data response of successful attack;
and if the features to be compared match an attack response rule, determining that the data request corresponding to the data response has successfully attacked the target host.
Optionally, the detecting whether the data request has a network attack includes:
and detecting whether the data request carries a network attack by using an artificial intelligence model, where the artificial intelligence model is obtained by training on the attack characteristics of known network attack data.
Optionally, the method is applied to an Nginx server side having a Web application firewall function.
In a second aspect, the present invention provides a device for detecting a network attack based on a WAF, where the device includes:
the acquisition unit is used for acquiring a data request sent to a target host;
the attack detection unit is used for detecting whether the data request has a network attack or not;
the blocking unit is used for blocking the data request from reaching the target host when network attack exists;
the releasing unit is used for releasing the data request when no network attack exists;
and the attack success detection unit is used for performing attack-success detection on the data response made by the target host.
Optionally, the apparatus further comprises:
and the conversion unit is used for converting the data request into a hypertext transfer protocol HTTP request from the HTTPS request before detecting whether the network attack exists in the data request when the data request is the hypertext transfer security protocol HTTPS request.
Optionally, the converting unit is configured to convert the data request from an HTTPS request to an HTTP request by offloading a secure socket layer SSL certificate.
Optionally, the attack success detecting unit includes:
the extraction module is used for extracting the features to be compared from the data response;
the comparison module is used for comparing the characteristics to be compared with more than one attack response rule in a pre-established characteristic library one by one, wherein the attack response rule is a rule set according to the existing data response of successful attack;
and the determining module is used for determining that the data request corresponding to the data response has successfully attacked the target host when the features to be compared match an attack response rule.
Optionally, the attack detection unit is configured to detect whether a network attack exists in the data request by using an artificial intelligence model, where the artificial intelligence model is obtained by training attack features of known network attack data.
Optionally, the apparatus is applied to an Nginx server side having a Web application firewall function.
In a third aspect, the present invention provides a storage medium storing a plurality of instructions, the instructions being adapted to be loaded by a processor and to execute the method for detecting a WAF-based network attack according to the first aspect.
In a fourth aspect, the present invention provides an electronic device comprising a storage medium and a processor;
the processor is adapted to execute instructions;
the storage medium is adapted to store a plurality of instructions;
the instructions are adapted to be loaded by the processor and to perform the WAF-based network attack detection method according to the first aspect.
By means of the above technical scheme, the WAF-based network attack detection method and device provided by the invention detect whether a data request carries a network attack after the request sent to the target host is obtained; when a network attack exists, the request is directly blocked from reaching the target host; when no network attack exists, the request is not only released but the data response is also examined to detect whether the target host was successfully attacked by some other attack behaviour after receiving the request. When an attack is determined to have succeeded, the attack behaviour can be analysed, which facilitates timely defence next time.
The foregoing description is only an overview of the technical solutions of the present invention, and the embodiments of the present invention are described below in order to make the technical means of the present invention more clearly understood and to make the above and other objects, features, and advantages of the present invention more clearly understandable.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
fig. 1 shows a flowchart of a method for detecting a WAF-based network attack according to an embodiment of the present invention;
fig. 2 is a flowchart illustrating another method for detecting a WAF-based network attack according to an embodiment of the present invention;
fig. 3 is a block diagram illustrating a WAF-based network attack detection apparatus according to an embodiment of the present invention;
fig. 4 is a block diagram illustrating another apparatus for detecting a network attack based on WAF according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
An embodiment of the invention provides a WAF-based network attack detection method which, as shown in fig. 1, mainly comprises the following steps:
101. a data request sent to a target host is obtained.
Specifically, the target host may be a server providing various services, a personal computer capable of implementing specific functions, or other network devices capable of providing network services. When the terminal accesses the target host, security detection can be performed through the WAF, and then the data request is processed correspondingly according to the detection result.
102. And detecting whether the network attack exists in the data request.
Whether the data request carries a network attack may be detected by rule matching or by model identification. Rule matching is implemented as follows: extract the feature to be matched from the data request, match it against one or more attack rules in a pre-established attack rule base, determine that the data request carries a network attack when the feature matches some attack rule, and determine that it carries no network attack when the feature fails to match all of the attack rules. Model identification is described in detail in step 203 of the following embodiment.
103. And if the network attack exists, blocking the data request from reaching the target host.
When it is determined that the data request has a network attack, in order to prevent the data request from attacking the target host after being sent to the target host, the data request can be directly blocked from reaching the target host. For example, the data request may be destroyed directly, or the data request may be stored in a malicious request library for subsequent analysis.
104. If no network attack exists, release the data request and perform attack-success detection on the data response made by the target host.
When the WAF determines that the data request carries no network attack, the request may be a safe request or a malicious request that the WAF failed to detect. In order to determine in time whether the data request can do any damage to the target host, the request is first released so that it reaches the target host; the data response made by the target host is then obtained and analysed to judge whether the corresponding data request has attacked the target host successfully. When an attack is determined to have succeeded, the data response is analysed promptly so that the attack characteristics of the network attack are discovered, the target host is protected from the same attack next time, and other hosts are protected as well.
The WAF-based network attack detection method provided by this embodiment first detects whether a data request carries a network attack after the request sent to the target host is obtained; when a network attack exists, it directly blocks the request from reaching the target host; when no network attack exists, it not only releases the request but also continues, from the data response, to detect whether the target host was successfully attacked by some other attack behaviour after receiving the request, so that the attack behaviour can be analysed when an attack is determined to have succeeded and defended against in time next time.
Further, according to the method shown in fig. 1, another embodiment of the present invention further provides a method for detecting a network attack based on a WAF, as shown in fig. 2, the method mainly includes:
201. a data request sent to a target host is obtained.
202. When the data request is a Hypertext Transfer Protocol Secure (HTTPS) request, the data request is converted from the HTTPS request into an HTTP request.
HTTPS is HTTP carried over a security-oriented channel, in short a secure version of HTTP. Specifically, HTTPS adds the Secure Sockets Layer (SSL) beneath HTTP; SSL verifies the identity of a device by means of a certificate and encrypts the communication between the two devices. Therefore, when the data request sent to the target host is an HTTPS request, the request is encrypted and must first be decrypted to obtain the original data request before network attack detection can be performed. Specifically, the data request may be converted from an HTTPS request into an HTTP request by offloading the SSL certificate (SSL termination).
Furthermore, when the data request is an HTTP request, step 203 may be directly performed.
203. And detecting whether the network attack exists in the data request.
As in step 102, whether the data request carries a network attack may be detected by rule matching or by model identification, that is, by using an artificial intelligence model obtained by training on the attack features of known network attack data. The model may be trained as follows: first collect model training data; then extract the characteristics of known network attacks from the training data to obtain attack characteristic data; classify the attack characteristic data to obtain training samples; and finally train the model on those samples to obtain the artificial intelligence model. Detection with the model proceeds as follows: extract the features to be detected from the data request, feed them into the artificial intelligence model, classify them with the model, and decide from the classification result whether the data request carries a network attack. If the features to be detected are classified as belonging to none of the pre-established known attack types, the data request is determined to carry no network attack; if they are classified as belonging to a certain pre-established known attack type, the data request is determined to carry a network attack of that type.
In addition, the artificial intelligence model can be a machine learning classification model, such as a naive Bayes classification model, and can also be a deep learning classification model.
Specifically, the model training data includes one or more combinations of internet published attack data, internet published vulnerability data, attack data collected by the target host, and vulnerability data collected by the target host. The attack data is extracted from the existing network attack case, and the vulnerability data is extracted from the existing vulnerability case. The attack data and the vulnerability data can be disclosed by the Internet, or can be analyzed and refined by the target host according to the network attack events suffered in the past.
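The following Python is an added illustration of the model identification path of step 203, not code from the patent or from the applicant. It trains a multinomial naive Bayes classifier (the machine learning classification model named above) on constructed, labelled request samples, extracts token features from an incoming request, and maps the predicted class to the attack / no-attack decision of step 203. The tokenizer, the sample requests, the labels, and the function names are all assumptions chosen for illustration.

```python
import math
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple
from urllib.parse import unquote_plus


def extract_features(request_line: str) -> List[str]:
    """Feature extraction: URL-decode and lower-case the request, then split it
    into word tokens plus single punctuation characters (quotes, angle brackets,
    comment dashes), which carry most of the attack signal. Digits are dropped."""
    text = unquote_plus(request_line).lower()
    return re.findall(r"[a-z_]+|[^\sa-z0-9_]", text)


class NaiveBayesRequestClassifier:
    """Multinomial naive Bayes with Laplace smoothing over token counts."""

    def __init__(self, alpha: float = 1.0) -> None:
        self.alpha = alpha                     # smoothing so unseen tokens never zero out a class
        self.class_counts: Counter = Counter()  # number of training requests per label
        self.token_counts: Dict[str, Counter] = defaultdict(Counter)
        self.vocab: set = set()

    def fit(self, samples: List[Tuple[str, str]]) -> "NaiveBayesRequestClassifier":
        for text, label in samples:
            tokens = extract_features(text)
            self.class_counts[label] += 1
            self.token_counts[label].update(tokens)
            self.vocab.update(tokens)
        return self

    def log_posteriors(self, text: str) -> Dict[str, float]:
        tokens = extract_features(text)
        total_docs = sum(self.class_counts.values())
        scores: Dict[str, float] = {}
        for label, n_docs in self.class_counts.items():
            denom = sum(self.token_counts[label].values()) + self.alpha * len(self.vocab)
            log_prob = math.log(n_docs / total_docs)  # class prior
            for tok in tokens:
                log_prob += math.log((self.token_counts[label][tok] + self.alpha) / denom)
            scores[label] = log_prob
        return scores

    def predict(self, text: str) -> str:
        scores = self.log_posteriors(text)
        return max(scores, key=scores.get)


# Constructed model training data (assumption): request lines labelled by attack
# type; "benign" stands for traffic with no known attack characteristic.
TRAINING_SAMPLES: List[Tuple[str, str]] = [
    ("GET /item?id=42", "benign"),
    ("GET /item?id=17", "benign"),
    ("GET /search?q=shoes", "benign"),
    ("POST /login user=alice&pass=secret", "benign"),
    ("GET /page?name=bob", "benign"),
    ("GET /products?category=books&page=2", "benign"),
    ("GET /item?id=3", "benign"),
    ("GET /item?id=1 union select 1,2,3", "sqli"),
    ("GET /user?id=5 or 1=1--", "sqli"),
    ("GET /news?id=-1 union all select null,null", "sqli"),
    ("GET /item?id=1' or '1'='1", "sqli"),
    ("GET /search?q=<script>alert(1)</script>", "xss"),
    ("GET /page?name=<img src=x onerror=alert(1)>", "xss"),
    ("GET /comment?text=<svg onload=alert(1)>", "xss"),
]


def train_model() -> NaiveBayesRequestClassifier:
    """Collect data, extract features, label, train: the order given in step 203."""
    return NaiveBayesRequestClassifier().fit(TRAINING_SAMPLES)


def detect(model: NaiveBayesRequestClassifier, request_line: str) -> Tuple[bool, str]:
    """Step 203 decision: the request carries a network attack unless the model
    classifies it as benign; the label names the attack type it belongs to."""
    label = model.predict(request_line)
    return label != "benign", label


if __name__ == "__main__":
    model = train_model()
    for line in ("GET /item?id=9", "GET /item?id=7 union select 1,2",
                 "GET /comment?text=<script>alert(1)</script>"):
        print(line, "->", detect(model, line))
```

The classifier is deliberately minimal: a production model would be trained on far more data and would use richer features (parameter structure, encoding layers, length statistics), but the control flow is the one the step describes, and a request whose tokens resemble none of the known attack types falls through to the benign class rather than to a default-deny.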
204. And if the network attack exists, blocking the data request from reaching the target host.
205. If no network attack exists, release the data request and perform attack-success detection on the data response made by the target host.
Attack-success detection on the data response made by the target host may be implemented as follows: first, extract the features to be compared from the data response; then compare the features to be compared, one by one, with one or more attack response rules in a pre-established feature library; if the features match an attack response rule, determine that the data request corresponding to the data response has successfully attacked the target host; if the features fail to match all of the attack response rules, determine that the data request has not attacked the target host successfully (the data request may have attacked the target host without success, or may not have attacked it at all), that is, the target host has not been damaged. Here, an attack response rule is a rule set according to the data response of a successful attack. Specifically, attack response characteristics are extracted from data responses of successful attacks, and attack response rules are formed by describing those characteristics deterministically.
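To make the two-stage flow of steps 101-104 and 201-205 concrete, here is an added Python example; it is not the patent's or the applicant's code. It has a request-side attack rule base, a release path through a constructed stand-in for the target host, and a response-side feature library of attack response rules. The rule patterns, the sample requests, the canned responses, and the function names are assumptions. What it demonstrates is the point of step 205: a request that the request-side rules miss can still be recognised from the target host's response and recorded for later analysis.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import unquote_plus

# Constructed request-side attack rule base (steps 102/203): descriptions of
# known attack characteristics, matched against the decoded request.
REQUEST_RULES = {
    "sqli-union": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "xss-script-tag": re.compile(r"<\s*script\b", re.I),
    "path-traversal": re.compile(r"\.\./"),
}

# Constructed response-side feature library (steps 104/205): "attack response
# rules", each a deterministic description of what a response looks like after
# an attack has succeeded against the target host.
RESPONSE_RULES = {
    "sql-error-leak": re.compile(r"You have an error in your SQL syntax|ORA-\d{5}|SQLSTATE\[", re.I),
    "reflected-script": re.compile(r"<script\b[^>]*>", re.I),
    "passwd-file-leak": re.compile(r"^root:x:0:0:", re.M),
}

Request = Dict[str, str]      # keys: method, path, query, body
Response = Tuple[int, str]    # (status code, body)


@dataclass
class Verdict:
    blocked: bool                        # step 103: the request never reached the host
    request_rule: Optional[str] = None   # request-side rule that fired, if any
    attack_succeeded: bool = False       # step 104: response matched an attack response rule
    response_rule: Optional[str] = None


def request_features(req: Request) -> str:
    """Step 102: the feature to be matched is the URL-decoded request text."""
    return " ".join(unquote_plus(req[k]) for k in ("method", "path", "query", "body"))


def match_rules(text: str, rules: Dict[str, "re.Pattern"]) -> Optional[str]:
    """Compare the feature against each rule one by one; return the first match."""
    for name, pattern in rules.items():
        if pattern.search(text):
            return name
    return None


def waf_process(req: Request, target_host: Callable[[Request], Response],
                malicious_log: List, success_log: List) -> Verdict:
    """Steps 101-104: inspect the request, block or release it, then inspect the response."""
    rule = match_rules(request_features(req), REQUEST_RULES)
    if rule is not None:
        malicious_log.append((rule, req))       # kept in a malicious request library for analysis
        return Verdict(blocked=True, request_rule=rule)
    status, body = target_host(req)             # release: the request reaches the target host
    resp_rule = match_rules(body, RESPONSE_RULES)
    if resp_rule is not None:
        success_log.append((resp_rule, req, status, body))  # evidence for the next round of defence
        return Verdict(blocked=False, attack_succeeded=True, response_rule=resp_rule)
    return Verdict(blocked=False)


def fake_target_host(req: Request) -> Response:
    """Constructed stand-in for the target host: an item page whose canned
    responses imitate a backend that echoes database errors to the client."""
    if "'" in unquote_plus(req["query"]):
        return 500, "Error: You have an error in your SQL syntax; check the manual"  # constructed text
    return 200, "<html><body>item page</body></html>"


# Constructed sample traffic: a normal request, one the request rules catch,
# and one they miss but whose response reveals that the attack succeeded.
SAMPLE_REQUESTS: List[Request] = [
    {"method": "GET", "path": "/item", "query": "id=42", "body": ""},
    {"method": "GET", "path": "/item", "query": "id=1+union+select+1,2,3", "body": ""},
    {"method": "GET", "path": "/item", "query": "id=1%27", "body": ""},
]


def run_demo() -> List[Verdict]:
    """Run the sample traffic through the WAF and return one verdict per request."""
    malicious_log: List = []
    success_log: List = []
    return [waf_process(r, fake_target_host, malicious_log, success_log) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req, verdict in zip(SAMPLE_REQUESTS, run_demo()):
        print(req["query"], "->", verdict)
```

The third request shows why the response stage matters: its decoded query contains only a stray quote, which none of the request-side rules describe, yet the server's error text matches the feature library, so the WAF records a successful attack that a request-only WAF would have released and forgotten.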
It should be added that the above method can be applied to an Nginx server side with the WAF function, and also to other servers with the WAF function.
According to the WAF-based network attack detection method provided by this embodiment, when the acquired data request is an HTTPS request it is first converted into an HTTP request; the converted request is then checked for a network attack; when an attack exists, the request is directly blocked from reaching the target host; when no attack exists, the request is released and the data response is examined to detect whether the target host was successfully attacked by some other attack behaviour after receiving the request, so that the attack behaviour can be analysed when an attack is determined to have succeeded and defended against in time next time. This embodiment can therefore perform network attack detection not only on HTTP data but also on HTTPS data, enlarging the range of network attack detection.
Further, according to the foregoing method embodiment, another embodiment of the present invention provides a WAF-based network attack detection device, as shown in fig. 3, which mainly includes an acquisition unit 31, an attack detection unit 32, a blocking unit 33, a release unit 34, and an attack success detection unit 35, where:
an acquiring unit 31, configured to acquire a data request sent to a target host;
an attack detection unit 32, configured to detect whether a network attack exists in the data request;
a blocking unit 33, configured to block the data request from reaching the target host when there is a network attack;
a releasing unit 34, configured to release the data request when there is no network attack;
and the attack success detection unit 35 is configured to perform attack-success detection on the data response made by the target host.
Optionally, as shown in fig. 4, the apparatus further includes:
a converting unit 36, configured to, when the data request is a hypertext transfer security protocol HTTPS request, convert the data request from an HTTPS request to a hypertext transfer protocol HTTP request before detecting whether a network attack exists in the data request.
Optionally, the converting unit 36 is configured to convert the data request from an HTTPS request to an HTTP request by offloading a secure socket layer SSL certificate.
Optionally, as shown in fig. 4, the attack success detecting unit 35 includes:
an extraction module 351, configured to extract features to be compared from the data response;
a comparison module 352, configured to compare the feature to be compared with one or more attack response rules in a pre-established feature library, where the attack response rule is a rule set according to a data response of a successful attack;
the determining module 353 is configured to determine that the data request corresponding to the data response has successfully attacked the target host when the features to be compared match an attack response rule.
Optionally, the attack detection unit 32 is configured to detect whether a network attack exists in the data request by using an artificial intelligence model, where the artificial intelligence model is obtained by training attack features of known network attack data.
Optionally, the apparatus is applied to an Nginx server side having a Web application firewall (WAF) function.
The WAF-based network attack detection device provided by this embodiment first detects whether a data request carries a network attack after the request sent to the target host is obtained; when an attack exists, it directly blocks the request from reaching the target host; when no attack exists, it continues, from the data response, to detect whether the target host was successfully attacked by some other attack behaviour after receiving the request, so that the attack behaviour can be analysed when an attack is determined to have succeeded and defended against in time next time. In addition, when the acquired data request is an HTTPS request, it may be converted into an HTTP request before network attack detection is performed, so that the range of network attack detection is expanded.
Further, according to the above method embodiments, another embodiment of the present invention provides a storage medium storing a plurality of instructions, the instructions being adapted to be loaded and executed by a processor so as to perform the WAF-based network attack detection method described above.
The storage medium may include, among computer-readable media, volatile storage such as random access memory (RAM) and/or non-volatile memory such as read-only memory (ROM) or flash memory, and includes at least one memory chip.
The instructions stored in the storage medium provided by this embodiment detect whether a data request carries a network attack after the request sent to the target host is obtained; when an attack exists, they directly block the request from reaching the target host; when no attack exists, they continue, from the data response, to detect whether the target host was successfully attacked by some other attack behaviour after receiving the request, so that the attack behaviour can be analysed when an attack is determined to have succeeded and defended against in time next time. In addition, when the acquired data request is an HTTPS request, it may be converted into an HTTP request before network attack detection is performed, so that the range of network attack detection is expanded.
Further, according to the above method embodiment, another embodiment of the present invention also provides an electronic device, which includes a storage medium and a processor;
the processor is adapted to execute instructions;
the storage medium is adapted to store a plurality of instructions;
the instructions are adapted to be loaded by the processor and to perform the WAF-based network attack detection method as described above.
The processor comprises a kernel, and the kernel calls the corresponding program unit from the memory. One or more kernels may be provided, and network attack detection is carried out by adjusting the kernel parameters.
The electronic device provided by this embodiment first detects whether a data request carries a network attack after the request sent to the target host is obtained; when an attack exists, it directly blocks the request from reaching the target host; when no attack exists, it continues, from the data response, to detect whether the target host was successfully attacked by some other attack behaviour after receiving the request, so that the attack behaviour can be analysed when an attack is determined to have succeeded and defended against in time next time. In addition, when the acquired data request is an HTTPS request, it may be converted into an HTTP request before network attack detection is performed, so that the range of network attack detection is expanded.
The present application further provides a computer program product adapted to execute program code which, when run on a WAF, performs the following method steps:
acquiring a data request sent to a target host;
detecting whether a network attack exists in the data request;
if the network attack exists, the data request is blocked from reaching the target host;
and if no network attack exists, releasing the data request and performing attack-success detection on the data response made by the target host.
The embodiment of the invention also discloses:
a1, a WAF-based network attack detection method, the method comprising:
acquiring a data request sent to a target host;
detecting whether a network attack exists in the data request;
if the network attack exists, the data request is blocked from reaching the target host;
and if no network attack exists, releasing the data request and performing attack-success detection on the data response made by the target host.
A2, according to the method in A1, when the data request is a hypertext transfer security protocol (HTTPS) request, before detecting whether there is a network attack on the data request, the method further includes:
converting the data request from an HTTPS request into a hypertext transfer protocol (HTTP) request.
A3, according to the method of A2, the converting the data request from an HTTPS request into a hypertext transfer protocol (HTTP) request includes:
and converting the data request from the HTTPS request into an HTTP request through an uninstalled Secure Socket Layer (SSL) certificate.
A4, according to the method of A1, the successful detection of network attack on the data response made by the target host comprises:
extracting features to be compared from the data response;
comparing the features to be compared with more than one attack response rule in a pre-established feature library one by one, wherein the attack response rule is a rule set according to the existing data response of successful attack;
and if the features to be compared are matched with the attack response rule, determining that the data request corresponding to the data response successfully attacks the target host network.
A5, according to the method of A1, the detecting whether the data request has a network attack includes:
and detecting whether the data request has network attack or not by using an artificial intelligence model, wherein the artificial intelligence model is obtained by training the attack characteristics of the known network attack data.
A6, the method according to any of A1-A5, applied to Nginx server side with Web application firewall function.
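The two-stage pipeline of A1, A4 and A5 (request-side attack detection, then matching the target host's data response against a library of attack response rules) is shown below as an added worked example. It is example code written for this page, not code from the patent or its assignee. The request-side rules, the three attack response rules, the sample requests and the toy "vulnerable upstream" that stands in for the target host are all constructed for illustration; the patent's own request-side detector is a trained model, for which a few regular expressions stand in here.

```python
"""Added example: two-stage WAF detection. Stage 1 inspects the data request
and blocks it if an attack is found. Stage 2 runs only for released requests:
it matches the target host's data response against attack response rules
(responses that known successful attacks produce). Everything here is constructed."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List
from urllib.parse import parse_qs, unquote_plus


@dataclass
class Request:
    method: str
    path: str
    query: str = ""
    body: str = ""


@dataclass
class Response:
    status: int
    body: str


# Stage 1 rules. The patent trains a model on attack features of known attack
# data; a few regular expressions stand in for that model in this example.
REQUEST_RULES = {
    "sqli": re.compile(r"(?i)\bunion\b.{0,20}\bselect\b|'\s*or\s+\S+\s*=\s*\S+|;\s*drop\s+table"),
    "cmdi": re.compile(r"(?i)(?:;|\||`|\$\()\s*(?:cat|id|whoami|wget|curl|nc)\b"),
    "traversal": re.compile(r"(?:\.\./){2,}"),
}

# Stage 2 rules: the "feature library" of attack response rules, each derived
# from the data response a successful attack is known to produce.
RESPONSE_RULES = {
    "sql_error_leak": re.compile(r"(?i)You have an error in your SQL syntax|ORA-\d{5}|SQLSTATE\["),
    "passwd_file_leak": re.compile(r"root:x:0:0:"),
    "command_output": re.compile(r"uid=\d+\([^)]+\)\s+gid=\d+"),
}


def request_features(req: Request) -> str:
    """Decode the request parts the stage 1 rules are matched against."""
    return "\n".join([req.path, unquote_plus(req.query), unquote_plus(req.body)])


def detect_request(req: Request) -> List[str]:
    """Stage 1: names of request rules the data request matches."""
    text = request_features(req)
    return [name for name, rx in REQUEST_RULES.items() if rx.search(text)]


def detect_success(resp: Response) -> List[str]:
    """Stage 2: names of attack response rules the data response matches."""
    return [name for name, rx in RESPONSE_RULES.items() if rx.search(resp.body)]


def waf_handle(req: Request, upstream: Callable[[Request], Response]) -> Dict:
    """Run one request through both stages and return the WAF's verdict."""
    hits = detect_request(req)
    if hits:  # attack found: block before it reaches the target host
        return {"action": "block", "request_rules": hits,
                "response_rules": [], "attack_succeeded": False}
    resp = upstream(req)  # no attack found: release to the target host
    success = detect_success(resp)
    return {"action": "pass", "request_rules": [], "response_rules": success,
            "attack_succeeded": bool(success), "status": resp.status}


def vulnerable_upstream(req: Request) -> Response:
    """Constructed stand-in for the target host: a toy app with an injectable
    'id' parameter and a 'host' parameter passed to a shell. Not a real server."""
    params = parse_qs(req.query)
    if req.path == "/user":
        uid = params.get("id", [""])[0]
        if "'" in uid:  # unbalanced quote reaches the SQL layer
            return Response(500, "You have an error in your SQL syntax; check the manual")
        return Response(200, f"<h1>user {uid}</h1>")
    if req.path == "/ping":
        host = params.get("host", [""])[0]
        if "\n" in host or ";" in host:  # injected command runs after ping
            return Response(200, "PING ok\nuid=33(www-data) gid=33(www-data)")
        return Response(200, "PING ok")
    return Response(404, "not found")


# Constructed sample requests (not captured traffic).
SAMPLES = [
    Request("GET", "/user", "id=42"),                    # benign
    Request("GET", "/user", "id=1+UNION+SELECT+1,2,3"),  # blocked at stage 1
    Request("GET", "/user", "id=1%27"),                  # passes stage 1, leaks SQL error
    Request("GET", "/ping", "host=127.0.0.1%0Aid"),      # passes stage 1, leaks command output
]


def run_samples() -> List[Dict]:
    """Verdicts for SAMPLES, in order."""
    return [waf_handle(req, vulnerable_upstream) for req in SAMPLES]


if __name__ == "__main__":
    for req, verdict in zip(SAMPLES, run_samples()):
        print(f"{req.method} {req.path}?{req.query}: {verdict}")
```

The third and fourth samples are the point of the second stage: a lone quote and a newline-injected command both slip past the request-side rules, but the target host's response (a database error message, command output) matches an attack response rule, so the request is recorded as a successful attack and can be fed back into the request-side detector. The second stage can only recognise success after the target host has already processed the request; it informs the next defence rather than preventing this one, which is exactly the use the description gives it.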
B7, a WAF-based network attack detection apparatus, the apparatus comprising:
an acquisition unit, configured to acquire a data request sent to a target host;
an attack detection unit, configured to detect whether a network attack exists in the data request;
a blocking unit, configured to block the data request from reaching the target host when a network attack exists;
a releasing unit, configured to release the data request when no network attack exists;
and an attack-success detection unit, configured to perform attack-success detection on the data response returned by the target host.
B8, the apparatus according to B7, further comprising:
a conversion unit, configured to, when the data request is a Hypertext Transfer Protocol Secure (HTTPS) request, convert the data request from an HTTPS request into a Hypertext Transfer Protocol (HTTP) request before it is detected whether a network attack exists in the data request.
B9, the apparatus according to B8, wherein the conversion unit is configured to convert the data request from an HTTPS request into an HTTP request by offloading the Secure Sockets Layer (SSL) certificate (TLS termination at the WAF).
B10, the apparatus according to B7, wherein the attack-success detection unit comprises:
an extraction module, configured to extract features to be compared from the data response;
a comparison module, configured to compare the features to be compared one by one with one or more attack response rules in a pre-established feature library, wherein each attack response rule is set according to existing data responses of attacks known to have succeeded;
and a determining module, configured to determine that the data request corresponding to the data response has successfully attacked the target host when the features to be compared match an attack response rule.
B11, the apparatus according to B7, wherein the attack detection unit is configured to detect whether a network attack exists in the data request using an artificial intelligence model, the artificial intelligence model being obtained by training on the attack features of known network attack data.
B12, the apparatus according to any one of B7 to B11, applied on an Nginx server side having a Web application firewall function.
C13, a storage medium storing a plurality of instructions adapted to be loaded by a processor and to perform the WAF-based network attack detection method according to any one of A1 to A6.
D14, an electronic device comprising a storage medium and a processor;
the processor being adapted to execute instructions;
the storage medium being adapted to store a plurality of instructions;
the instructions being adapted to be loaded and executed by the processor to perform the WAF-based network attack detection method according to any one of A1 to A6.
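A3 and B9 describe converting HTTPS to HTTP by offloading the SSL certificate, and A6 and B12 place the WAF on an Nginx server. As an added example that is not part of the patent or its assignee's product, the following Nginx configuration terminates TLS on the WAF host so that the WAF module sees the plaintext request and, on the way back, the target host's plaintext response. The certificate and key paths, the server name, the upstream address and the WAF module named in the comment are assumptions for illustration.

```nginx
# Added example, not from the patent. Assumed: certificate/key paths, server
# name, upstream address and the WAF module used on the Nginx side.
upstream target_host {
    server 10.0.0.5:8080;          # assumed address of the target host
}

server {
    listen 443 ssl;
    server_name waf.example.com;   # assumed

    # "SSL certificate offloading": the WAF holds the site certificate and
    # private key and terminates TLS, so every request is available as
    # plaintext HTTP for the attack detection stage.
    ssl_certificate     /etc/nginx/tls/site.crt;
    ssl_certificate_key /etc/nginx/tls/site.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # Request-side detection runs here in the WAF module (for example
        # ModSecurity-nginx, enabled with `modsecurity on;` and
        # `modsecurity_rules_file ...`; assumed, not named by the patent).
        proxy_pass http://target_host;          # decrypted hop to the target host
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
```

Two practical consequences follow. The site's private key now lives on the WAF host, which therefore has to be protected as carefully as the origin. And the hop from the WAF to the target host is plaintext HTTP; if that network is not trusted, re-encrypt it with `proxy_pass https://...` and let the WAF inspect in between. Response bodies return through the same location block, which is what allows the attack-success detection of A4 to run on the same node.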
In the foregoing embodiments, the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, reference may be made to the related descriptions of the other embodiments.
It will be appreciated that the relevant features of the method and apparatus described above may be referred to one another. In addition, "first", "second" and the like in the above embodiments serve to distinguish the embodiments and do not represent the merits of the embodiments.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
The algorithms and displays presented herein are not inherently related to any particular computer, virtual machine, or other apparatus. Various general purpose systems may also be used with the teachings herein. The required structure for constructing such a system will be apparent from the description above. Moreover, the present invention is not directed to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any descriptions of specific languages are provided above to disclose the best mode of the invention.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will appreciate that a microprocessor or Digital Signal Processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the WAF-based network attack detection method and apparatus according to embodiments of the present invention. The present invention may also be embodied as apparatus or device programs (e.g., computer programs and computer program products) for performing a portion or all of the methods described herein. Such programs implementing the present invention may be stored on computer-readable media or may be in the form of one or more signals. Such a signal may be downloaded from an internet website or provided on a carrier signal or in any other form.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any ordering; these words may be interpreted as names.

Claims (10)

1. A WAF-based network attack detection method, characterized in that the method comprises the following steps:
acquiring a data request sent to a target host;
detecting whether a network attack exists in the data request;
if a network attack exists, blocking the data request from reaching the target host;
and if no network attack exists, releasing the data request and performing attack-success detection on the data response returned by the target host.
2. The method according to claim 1, wherein, when the data request is a Hypertext Transfer Protocol Secure (HTTPS) request, before detecting whether a network attack exists in the data request, the method further comprises:
converting the data request from an HTTPS request into a Hypertext Transfer Protocol (HTTP) request.
3. The method according to claim 2, wherein converting the data request from an HTTPS request into a Hypertext Transfer Protocol (HTTP) request comprises:
converting the data request from an HTTPS request into an HTTP request by offloading the Secure Sockets Layer (SSL) certificate (TLS termination at the WAF).
4. The method according to claim 1, wherein performing attack-success detection on the data response returned by the target host comprises:
extracting features to be compared from the data response;
comparing the features to be compared one by one with one or more attack response rules in a pre-established feature library, wherein each attack response rule is set according to existing data responses of attacks known to have succeeded;
and if the features to be compared match an attack response rule, determining that the data request corresponding to the data response has successfully attacked the target host.
5. The method according to claim 1, wherein detecting whether a network attack exists in the data request comprises:
detecting whether a network attack exists in the data request using an artificial intelligence model, wherein the artificial intelligence model is obtained by training on the attack features of known network attack data.
6. The method according to any one of claims 1 to 5, applied on an Nginx server side having a Web application firewall function.
7. A WAF-based network attack detection apparatus, the apparatus comprising:
an acquisition unit, configured to acquire a data request sent to a target host;
an attack detection unit, configured to detect whether a network attack exists in the data request;
a blocking unit, configured to block the data request from reaching the target host when a network attack exists;
a releasing unit, configured to release the data request when no network attack exists;
and an attack-success detection unit, configured to perform attack-success detection on the data response returned by the target host.
8. The apparatus according to claim 7, further comprising:
a conversion unit, configured to, when the data request is a Hypertext Transfer Protocol Secure (HTTPS) request, convert the data request from an HTTPS request into a Hypertext Transfer Protocol (HTTP) request before it is detected whether a network attack exists in the data request.
9. A storage medium storing a plurality of instructions adapted to be loaded by a processor and to perform the WAF-based network attack detection method according to any one of claims 1 to 6.
10. An electronic device, comprising a storage medium and a processor;
the processor being adapted to execute instructions;
the storage medium being adapted to store a plurality of instructions;
the instructions being adapted to be loaded by the processor and to perform the WAF-based network attack detection method according to any one of claims 1 to 6.
Application CN201811641653.2A, WAF-based network attack detection method and device; priority date 2018-12-29, filing date 2018-12-29; status Pending.

Publication: CN111385270A, published 2020-07-07.

Family ID: 71214819. Country: CN.

Cited By (10)

* Cited by examiner, † Cited by third party

Publication number | Priority date | Publication date | Assignee | Title
CN111988280A * | 2020-07-24 | 2020-11-24 | 网宿科技股份有限公司 | Server and request processing method
CN112165447A * | 2020-08-21 | 2021-01-01 | 杭州安恒信息技术股份有限公司 | WAF equipment-based network security monitoring method, system and electronic device
CN113660251A * | 2021-08-12 | 2021-11-16 | 杭州安恒信息技术股份有限公司 | Method, system, storage medium and terminal device for reducing WAF false alarms
CN113965363A * | 2021-10-11 | 2022-01-21 | 北京天融信网络安全技术有限公司 | Vulnerability analysis and judgment method and device based on Web user behaviour
CN114244576A * | 2021-11-24 | 2022-03-25 | 中盈优创资讯科技有限公司 | Traffic protection method and device in a cloud environment
CN114257415A * | 2021-11-25 | 2022-03-29 | 中国建设银行股份有限公司 | Network attack defense method and device, computer equipment and storage medium
CN114257432A * | 2021-12-13 | 2022-03-29 | 北京天融信网络安全技术有限公司 | Network attack detection method and device
CN114465744A * | 2021-09-15 | 2022-05-10 | 中科方德软件有限公司 | Secure access method and network firewall system
CN116582364A * | 2023-07-12 | 2023-08-11 | 苏州浪潮智能科技有限公司 | Data access method, system, device, electronic equipment and readable storage medium
CN114257415B * | 2021-11-25 | 2024-04-30 | 中国建设银行股份有限公司 | Network attack defense method and device, computer equipment and storage medium

Citations (7)

* Cited by examiner, † Cited by third party

Publication number | Priority date | Publication date | Assignee | Title
CN101478540A * | 2008-12-31 | 2009-07-08 | 成都市华为赛门铁克科技有限公司 | Method and apparatus for defending against Challenge Collapsar attacks
CN101827081A * | 2010-02-09 | 2010-09-08 | 蓝盾信息安全技术股份有限公司 | Method and system for detecting request security
CN103634307A * | 2013-11-19 | 2014-03-12 | 北京奇虎科技有限公司 | Method for authenticating webpage content, and browser
CN106357696A * | 2016-11-14 | 2017-01-25 | 北京神州绿盟信息安全科技股份有限公司 | Detection method and detection system for SQL injection attacks
US20170244737A1 * | 2016-02-23 | 2017-08-24 | Zenedge, Inc. | Analyzing Web Application Behavior to Detect Malicious Requests
CN108683687A * | 2018-06-29 | 2018-10-19 | 北京奇虎科技有限公司 | Network attack identification method and system
CN108810019A * | 2018-07-13 | 2018-11-13 | 腾讯科技(深圳)有限公司 | Denial-of-service attack defense method, apparatus, device and storage medium
Legal Events

Date | Code | Title | Description
| PB01 | Publication |
| SE01 | Entry into force of request for substantive examination |