CN112165450A - Safety protection method and device for WEB application firewall and electronic device - Google Patents
- Publication number: CN112165450A (application CN202010875522.1A)
- Authority: CN (China)
- Prior art keywords: event, abnormal, state information, information, condition
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L41/0631: Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
- H04L43/08: Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
- H04L63/1416: Event detection, e.g. attack signature detection
- H04L63/1441: Countermeasures against malicious traffic
- H04L67/02: Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
Abstract
The application relates to a security protection method, a security protection device, an electronic device and a storage medium for a WEB application firewall. The method comprises the following steps: acquiring state information of an event related to the stability of the WEB application firewall; judging, according to the state information of the event, whether the event is an abnormal event; and, when the event is judged to be an abnormal event, querying preset configuration information for the abnormal processing operation information corresponding to the abnormal event and displaying that information, where the preset configuration information comprises an association between abnormal events and abnormal processing operation information. This solves the problem in the related art that users cannot process abnormal events of the WEB application firewall in time: users can handle such abnormal events promptly, and the technical effect of improving the stability of the WEB application firewall is achieved.
Description
Technical Field
The present application relates to the field of network security technologies, and in particular, to a security protection method and apparatus for a WEB application firewall, an electronic apparatus, and a storage medium.
Background
With the continuous development of network technology, WEB applications are becoming more and more abundant, and WEB servers, with their strong computing power, high processing performance and high implied economic value, are gradually becoming the main attack targets.
A WEB Application Firewall (WAF for short) is a product that protects WEB applications by executing a series of security policies for HTTP/HTTPS. It is mainly used to defend against attacks on the network application layer, such as SQL injection, cross-site scripting, parameter tampering, application platform vulnerability attacks, denial of service attacks and the like.
In the related art, the WAF is deployed in front of the WEB application and scans and filters user requests before they reach the WEB server: it analyzes and verifies the network packets of each user request, ensures that each request is valid and safe, and blocks or isolates requests that are invalid or aggressive. By inspecting HTTP traffic, attacks that exploit security vulnerabilities of WEB applications (e.g. SQL injection, cross-site scripting, file inclusion and security misconfiguration) can be prevented. However, such solutions often fail to show the resource status of the WAF in time. The user cannot learn the current system state of the WAF promptly at the front end, and cannot see directly on a web page which process has high CPU usage, which process has high memory usage, or what the current network card state is, so when the WAF detects an abnormality the user cannot promptly take emergency action on the process, file or network card causing it.
At present, no effective solution has been proposed for the problem in the related art that users cannot process abnormal events of the WEB application firewall in time.
Disclosure of Invention
The embodiment of the application provides a security protection method, a security protection device, an electronic device and a storage medium for a WEB application firewall, so as to at least solve the problem that a user cannot timely process abnormal events of the WEB application firewall in the related technology.
In a first aspect, an embodiment of the present application provides a security protection method for a WEB application firewall, including: acquiring state information of an event related to the stability of a WEB application firewall; judging whether the event is an abnormal event or not according to the state information of the event; under the condition that the event is judged to be an abnormal event, inquiring abnormal processing operation information corresponding to the abnormal event in preset configuration information, and displaying the abnormal processing operation information; the preset configuration information comprises an incidence relation between an abnormal event and abnormal processing operation information.
In some of these embodiments, the status information includes at least one of: process state information, resource state information and network card state information; judging whether the event is an abnormal event according to the state information of the event comprises the following steps: under the condition that the state information comprises process state information, judging whether a process abnormal exit event exists in the event, and under the condition that the process abnormal exit event exists in the event, marking the event as an abnormal event; under the condition that the state information comprises resource state information, judging whether an abnormal resource utilization rate event exists in the events, and under the condition that the abnormal resource utilization rate event exists in the events, marking the events as abnormal events; and under the condition that the state information comprises network card state information, judging whether a network card abnormal packet loss rate event and/or a network card DOWN event exist in the events, and under the condition that the network card abnormal packet loss rate event and/or the network card DOWN event exist in the events, marking the events as abnormal events.
In some of these embodiments, when the abnormal event comprises a process abnormal exit event, the abnormal processing operation information comprises restarting the process associated with the process abnormal exit event and sending error reporting information; when the abnormal event comprises an abnormal resource utilization rate event, the abnormal processing operation information comprises closing at least one process and/or file associated with the abnormal resource utilization rate event and sending error reporting information; and when the abnormal event comprises a network card abnormal packet loss rate event and/or a network card DOWN event, the abnormal processing operation information comprises an operation on the network card associated with the network card abnormal packet loss rate event and/or the network card DOWN event, and error reporting information is sent.
In some of these embodiments, the resource status information includes at least one of: CPU occupation state information, memory occupation state information and disk occupation state information; under the condition that the state information comprises resource state information, judging whether an abnormal resource utilization rate event exists in the events comprises the following steps: under the condition that the state information comprises CPU occupation state information, judging whether the current CPU occupancy rate is higher than a first threshold value, and under the condition that the current CPU occupancy rate is higher than the first threshold value, judging that an abnormal resource utilization rate event exists in the events; under the condition that the state information comprises memory occupation state information, judging whether the current memory occupancy rate is higher than a second threshold value or not, and under the condition that the current memory occupancy rate is higher than the second threshold value, judging that an abnormal resource utilization rate event exists in the events; and under the condition that the state information comprises disk occupation state information, judging whether the current disk occupation space is higher than a third threshold value, and under the condition that the current disk occupation space is higher than the third threshold value, judging that an abnormal resource utilization rate event exists in the events.
In some embodiments, when it is determined that the event is an abnormal event, querying exception handling operation information corresponding to the abnormal event in preset configuration information, and displaying the exception handling operation information includes: under the condition that the abnormal event comprises a process abnormal exit event and/or a network card abnormal packet loss rate event and a network card DOWN event, inquiring abnormal processing operation information corresponding to the abnormal event in preset configuration information, and displaying the abnormal processing operation information; and under the condition that the abnormal event comprises an abnormal resource utilization rate event, displaying a process and/or a file related to the abnormal resource utilization rate event, inquiring abnormal processing operation information corresponding to the abnormal event in preset configuration information, and displaying the abnormal processing operation information.
In some of these embodiments, the resource status information includes at least one of: CPU occupation state information, memory occupation state information and disk occupation state information; in the event that the exception event comprises an exception resource usage event, presenting a process and/or file associated with the exception resource usage event comprises: when the state information comprises CPU occupation state information, sorting the processes according to the CPU occupation rate of the processes from high to low, and selecting a preset number of processes from high to low in a sorting sequence for display; when the state information comprises memory occupation state information, sorting the processes according to the memory occupation rate of the processes from high to low, and selecting a preset number of processes from high to low in a sorting sequence for display; and under the condition that the state information comprises the disk occupation state information, sorting the files according to the descending of the disk occupation space of the files, and selecting a preset number of files from high to low in a sorting sequence for displaying.
In some embodiments, obtaining state information for an event related to WEB application firewall stability comprises: acquiring starting information and registration information of a reporter; and receiving the state information of the event related to the stability of the WEB application firewall, which is sent by the reporter at intervals of preset time under the condition that the starting information of the reporter is started and the registration information is registered.
In a second aspect, an embodiment of the present application provides a security protection device for a WEB application firewall, including an acquisition module, a state information management module, a processing module and a display module. The acquisition module acquires an event related to the stability of the WEB application firewall and judges, according to the state information of the event, whether the event is an abnormal event. The display module is used, when the event is judged to be an abnormal event, to query preset configuration information for the abnormal processing operation information corresponding to the abnormal event and to display that information; the preset configuration information comprises an association between abnormal events and abnormal processing operation information.
In a third aspect, an embodiment of the present application provides an electronic apparatus, including a memory, a processor, and a computer program stored on the memory and executable on the processor, where the processor implements the security protection method for the WEB application firewall as described in the first aspect when executing the computer program.
In a fourth aspect, an embodiment of the present application provides a storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the method for securing the WEB application firewall as described in the first aspect.
Compared with the related art, the safety protection method, the device, the electronic device and the storage medium for the WEB application firewall provided by the embodiment of the application solve the problem that a user cannot timely process abnormal events of the WEB application firewall in the related art, the user can timely process the abnormal events of the WEB application firewall, and the technical effect of improving the stability of the WEB application firewall is achieved.
The details of one or more embodiments of the application are set forth in the accompanying drawings and the description below to provide a more thorough understanding of the application.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
FIG. 1 is a flow chart of a security protection method for a WEB application firewall according to an embodiment of the present application;
FIG. 2 is a block diagram of a security protection device for a WEB application firewall according to an embodiment of the present application;
FIG. 3 is a schematic diagram of the hardware structure of an electronic device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be described and illustrated below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments provided in the present application without any inventive step are within the scope of protection of the present application. Moreover, it should be appreciated that in the development of any such actual implementation, as in any engineering or design project, numerous implementation-specific decisions must be made to achieve the developers' specific goals, such as compliance with system-related and business-related constraints, which may vary from one implementation to another.
Reference in the specification to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the specification. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of ordinary skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments without conflict.
Unless defined otherwise, technical or scientific terms referred to herein have the ordinary meaning understood by those of ordinary skill in the art to which this application belongs. References to "a," "an," "the," and similar words throughout this application are not to be construed as limiting in number, and may refer to the singular or the plural. The terms "including," "comprising," "having," and any variations thereof used in this application are intended to cover non-exclusive inclusion; for example, a process, method, system, article, or apparatus that comprises a list of steps or modules (elements) is not limited to the listed steps or elements, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. References to "connected," "coupled," and the like in this application are not limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. Reference herein to "a plurality" means two or more. "And/or" describes an association between associated objects and means that three relationships may exist; for example, "A and/or B" may mean: A exists alone, A and B exist simultaneously, or B exists alone. The terms "first," "second," "third," and the like used herein merely distinguish similar objects and do not denote a particular ordering of the objects.
Fig. 1 is a flowchart of a security protection method for a WEB application firewall according to an embodiment of the present application, and as shown in fig. 1, the flowchart includes the following steps:
step S101, state information of events related to the stability of the WEB application firewall is acquired.
In this embodiment, the state information of the WEB application firewall may be obtained from a reporter of the WEB application firewall. The method comprises the following steps:
Step 1, acquiring the starting information and the registration information of the reporter.
Step 2, receiving the state information of the event related to the stability of the WEB application firewall, which the reporter sends at intervals of a preset time, on the condition that the starting information of the reporter is "started" and the registration information is "registered".
In this embodiment, the preset time may be 5 seconds, and which reporters' state information is received and processed can be configured and determined on the page of the WEB application firewall. The abnormal processing operation information corresponding to an abnormal event can be queried in the preset configuration information. The preset configuration information may take the following form: a reporter whose entry is set to "yes" has its state reporting switched on, and the state information of the WEB application firewall is acquired from a reporter only once the preset configuration information has been loaded and that reporter is in the switched-on state; the preset configuration information also comprises the association between abnormal events and abnormal processing operation information.
In other embodiments, the preset time may take other values.
At the same time, the reporter can also be registered in advance with the management end, and the management end accepts only information sent by reporters registered with it, so that the security of the information sent by the reporter can be ensured.
And step S102, judging whether the event is an abnormal event or not according to the state information of the event.
In this embodiment, the status information may include, but is not limited to, at least one of: process state information, resource state information, network card state information.
The process state information, the resource state information and the network card state information may be sent to the management end by a first reporter, a second reporter and a third reporter respectively. The first reporter safeguards the key processes of the WEB application firewall and reports process state information to the management end in time; the second reporter safeguards the system resource state of the WEB application firewall and reports resource state information to the management end in time; and the third reporter safeguards the running state of the network cards of the WEB application firewall and reports network card state information to the management end in time.
The management terminal can judge whether an abnormal event occurs or not based on the state information, send error information under the condition that the abnormal event occurs and process the abnormal event according to the abnormal processing operation information corresponding to the abnormal event.
The correlation between the reporter, the event status, and the exception handling operation information corresponding to the event is shown in table 1.
TABLE 1
Under the condition that the state information comprises process state information, judging whether a process abnormal exit event exists in the event, and under the condition that the process abnormal exit event exists in the event, marking the event as an abnormal event; under the condition that the state information comprises resource state information, judging whether an abnormal resource utilization rate event exists in the event, and under the condition that the abnormal resource utilization rate event exists in the event, marking the event as an abnormal event; and under the condition that the state information comprises the network card state information, judging whether a network card abnormal packet loss rate event and/or a network card DOWN event exist in the event, and under the condition that the network card abnormal packet loss rate event and/or the network card DOWN event exist in the event, marking the event as an abnormal event.
As shown in table 1, in this embodiment, when the state information includes process state information, the critical processes may be monitored according to the selected critical processes in the preset configuration information, for example, process 1 may be Haproxy, process 2 may be Nginx, and meanwhile, more critical processes may be added to the preset configuration information.
In some of these embodiments, the resource status information may include, but is not limited to, at least one of: CPU occupation state information, memory occupation state information and disk occupation state information.
As shown in table 1, in the case that the state information includes resource state information, determining whether an abnormal resource usage event exists in the events includes: under the condition that the state information comprises CPU occupation state information, judging whether the current CPU occupancy rate is higher than a first threshold value, and under the condition that the current CPU occupancy rate is higher than the first threshold value, judging that an abnormal resource utilization rate event exists in the events; under the condition that the state information comprises memory occupation state information, judging whether the current memory occupancy rate is higher than a second threshold value or not, and under the condition that the current memory occupancy rate is higher than the second threshold value, judging that an abnormal resource utilization rate event exists in the events; and under the condition that the state information comprises disk occupation state information, judging whether the current disk occupation space is higher than a third threshold value, and under the condition that the current disk occupation space is higher than the third threshold value, judging that an abnormal resource utilization rate event exists in the events.
In this embodiment, the first threshold may be 90%, the second threshold may be 90%, the third threshold may be 80%, and the fourth threshold may be 20%, and in other embodiments, the first threshold, the second threshold, the third threshold, and the fourth threshold may have other values.
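The judgement of step S102 with the thresholds of this embodiment, written out as an added example (not code from the patent or its applicant): one round of reporter state information is classified into the abnormal event types named above. The section layout of the `state` dict, the event type names and the sample report are constructed. The text names a fourth threshold of 20% without saying which metric it applies to; its use here as the network card packet loss threshold is an assumption.

```python
# Added example, not the patent's own code: classify one round of reporter
# state information into the abnormal events named in the embodiment.
# Thresholds are the embodiment's values (CPU 90%, memory 90%, disk 80%).
# The text also names a fourth threshold of 20% without saying what it
# applies to; using it for network card packet loss is an assumption.
CPU_THRESHOLD = 90.0
MEMORY_THRESHOLD = 90.0
DISK_THRESHOLD = 80.0
PACKET_LOSS_THRESHOLD = 20.0  # assumption, see above

# Critical processes selected in the preset configuration (process 1 and
# process 2 in the text); further processes can be appended.
CRITICAL_PROCESSES = ("haproxy", "nginx")


def detect_abnormal_events(state):
    """Return a list of (event_type, subject) pairs found in `state`.

    `state` is a dict with optional sections "process", "resource" and "nic",
    corresponding to the first, second and third reporter. A section that is
    absent is simply not evaluated, matching the "at least one of" wording.
    """
    events = []

    # Process state information: a critical process that is no longer
    # running is treated as a process abnormal exit event.
    proc = state.get("process")
    if proc is not None:
        running = {name.lower() for name in proc.get("running", ())}
        for name in CRITICAL_PROCESSES:
            if name not in running:
                events.append(("process_abnormal_exit", name))

    # Resource state information: each metric is compared with its own
    # threshold; "higher than" means strictly greater.
    res = state.get("resource")
    if res is not None:
        checks = (
            ("cpu", res.get("cpu_percent"), CPU_THRESHOLD),
            ("memory", res.get("memory_percent"), MEMORY_THRESHOLD),
            ("disk", res.get("disk_percent"), DISK_THRESHOLD),
        )
        for subject, value, threshold in checks:
            if value is not None and value > threshold:
                events.append(("abnormal_resource_usage", subject))

    # Network card state information: a DOWN link takes precedence over the
    # packet loss check, since loss on a down interface is not informative.
    nics = state.get("nic")
    if nics is not None:
        for ifname, info in nics.items():
            if info.get("link") == "DOWN":
                events.append(("nic_down", ifname))
            elif info.get("packet_loss_percent", 0.0) > PACKET_LOSS_THRESHOLD:
                events.append(("nic_abnormal_packet_loss", ifname))
    return events


def is_abnormal_event(state):
    """Step S102: the event is abnormal if any abnormal event was found."""
    return bool(detect_abnormal_events(state))


# Constructed sample report: nginx missing, CPU and disk over threshold,
# eth1 down, eth0 healthy.
SAMPLE_STATE = {
    "process": {"running": ["haproxy", "sshd"]},
    "resource": {"cpu_percent": 95.5, "memory_percent": 41.0, "disk_percent": 83.0},
    "nic": {
        "eth0": {"link": "UP", "packet_loss_percent": 0.4},
        "eth1": {"link": "DOWN", "packet_loss_percent": 100.0},
    },
}

if __name__ == "__main__":
    for event in detect_abnormal_events(SAMPLE_STATE):
        print(event)
```

A metric that the reporter did not include is skipped rather than treated as zero, so a reporter that stops sending a section does not silently read as "healthy"; the management end of the embodiment would notice the missing section from the reporter's registration rather than from this function.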
Step S103, under the condition that the event is judged to be an abnormal event, inquiring abnormal processing operation information corresponding to the abnormal event in preset configuration information, and displaying the abnormal processing operation information; the preset configuration information comprises an incidence relation between the abnormal event and the abnormal processing operation information.
In some embodiments, when it is determined that the event is an abnormal event, querying abnormal processing operation information corresponding to the abnormal event in the preset configuration information, and displaying the abnormal processing operation information includes: under the condition that the abnormal event comprises a process abnormal exit event and/or a network card abnormal packet loss rate event and a network card DOWN event, inquiring abnormal processing operation information corresponding to the abnormal event in preset configuration information, and displaying the abnormal processing operation information; and under the condition that the abnormal event comprises an abnormal resource utilization rate event, displaying a process and/or a file related to the abnormal resource utilization rate event, inquiring abnormal processing operation information corresponding to the abnormal event in preset configuration information, and displaying the abnormal processing operation information.
As shown in table 1, in this embodiment, when the state information includes CPU occupancy state information, the processes may be sorted from high to low according to the CPU occupancy of the processes, and a preset number of processes may be selected from high to low in the sorting sequence for display; when the state information comprises memory occupation state information, the processes can be sorted from high to low according to the memory occupation rate of the processes, and a preset number of processes are selected from high to low in a sorting sequence for display; under the condition that the state information comprises the disk occupation state information, the files can be sorted from large to small according to the disk occupation space of the files, and the files with preset number are selected from the sorted sequence from high to low for display.
In this embodiment, the preset number may be 10, and in other embodiments, the preset number may also be other values. After the preset number of processes are displayed, selecting to restart the processes, close the processes or send error reporting information based on the corresponding abnormal processing operation information; after the preset number of files are displayed, the files can be selected to be deleted or error information can be sent based on the abnormal processing operation information.
As shown in table 1, when the abnormal event comprises a process abnormal exit event, the abnormal processing operation information comprises restarting the process associated with the process abnormal exit event and sending error reporting information; when the abnormal event comprises an abnormal resource utilization rate event, the abnormal processing operation information comprises closing at least one process and/or file associated with the abnormal resource utilization rate event and sending error reporting information; and when the abnormal event comprises a network card abnormal packet loss rate event and/or a network card DOWN event, the abnormal processing operation information comprises an operation on the network card associated with the network card abnormal packet loss rate event and/or the network card DOWN event, and error reporting information is sent.
In some embodiments, when the state information is resource state information, closing at least one process and/or file in the abnormal resource usage event, and sending error reporting information includes: when the resource state information is the CPU occupation state information, the processes can be sorted from high to low according to the memory occupancy rate of the processes, and at least one process is selected from the sorted sequence from high to low to be closed; when the state information is the memory occupation state information, the processes can be sorted from high to low according to the memory occupation rate of the processes, and at least one process is selected from the sorted sequence from high to low to be closed; under the condition that the state information is the disk occupation state information, the files can be sorted from large to small according to the disk occupation space of the files, and at least one file is selected from the sorted sequence from high to low to be deleted.
In the security protection method for the WEB application firewall, the disk state information is obtained by monitoring disk directories selected from the preset configuration information; several directories can be added to the preset configuration information, and the method can display, for each directory, the preset number of files that occupy the most disk space.
In other embodiments, since the management end receives the state information of the WEB application firewall from the reporter at every preset interval, it can, when the state information of an event does not by itself indicate an abnormal event, compare the current state information with the state information obtained one interval earlier (5 seconds earlier if the interval is 5 seconds) and determine that the event is an abnormal event only when the current state information does not match the earlier state information. For example, if the state information obtained 5 seconds ago was normal and the current state information shows process 1 as abnormal, the event is determined to be an abnormal event.
In the related art, the WAF sits in front of the WEB application and scans and filters user requests before they reach the WEB server: it analyzes and verifies the network packets of each request, ensures that each request is valid and safe, and blocks or isolates requests that are invalid or malicious. By inspecting HTTP traffic, attacks against security vulnerabilities of WEB applications (e.g., SQL injection, cross-site scripting, file inclusion and security misconfiguration) can be prevented. However, such solutions often fail to show the resource status of the WAF in time. The user cannot learn the current system state of the WAF promptly at the front end, and cannot see directly on a web page which process has high CPU usage or high memory usage, or what the current network card state is, so when the WAF detects an abnormality the user cannot promptly take emergency action on the process, file or network card causing it.
Through steps S101 to S103, once an event related to the stability of the WEB application firewall is found to be an abnormal event, the application queries the abnormal processing operation information corresponding to that abnormal event in the preset configuration information and displays it, so that the user can see directly which events caused the abnormality and can handle the abnormal event based on the displayed abnormal processing operation information. The user can therefore learn of the abnormal event in time and handle it, which greatly improves the stability and reliability of the WEB application firewall, solves the problem in the related art that the user cannot promptly handle abnormal events of the WEB application firewall, and achieves the technical effect of improving the stability of the WEB application firewall.
The embodiment further provides a security protection device for a WEB application firewall, which is used to implement the foregoing embodiments and preferred embodiments; descriptions already given above are not repeated. Although the means described in the embodiments below are preferably implemented in software, an implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
Fig. 2 is a block diagram of a security protection device of a WEB application firewall according to an embodiment of the present application, and as shown in fig. 2, the security protection device includes: the acquiring module 20 acquires the state information of the event related to the stability of the WEB application firewall; the management module 21 judges whether the event is an abnormal event according to the state information of the event; the display module 22 is used for inquiring the abnormal processing operation information corresponding to the abnormal event in the preset configuration information and displaying the abnormal processing operation information under the condition that the event is judged to be the abnormal event; the preset configuration information comprises an incidence relation between the abnormal event and the abnormal processing operation information.
In one embodiment, the status information includes, but is not limited to, at least one of: process state information, resource state information and network card state information; the management module 21 is configured to determine whether a process exception exit event exists in the event if the state information includes the process state information, and mark the event as an exception event if the process exception exit event exists in the event; under the condition that the state information comprises resource state information, judging whether an abnormal resource utilization rate event exists in the event, and under the condition that the abnormal resource utilization rate event exists in the event, marking the event as an abnormal event; and under the condition that the state information comprises the network card state information, judging whether a network card abnormal packet loss rate event and/or a network card DOWN event exist in the event, and under the condition that the network card abnormal packet loss rate event and/or the network card DOWN event exist in the event, marking the event as an abnormal event.
In one embodiment, when the abnormal event includes a process abnormal exit event, the abnormal processing operation information comprises restarting the process associated with that event and sending error reporting information; when the abnormal event includes an abnormal resource utilization rate event, the abnormal processing operation information comprises closing at least one process and/or file associated with that event and sending error reporting information; and when the abnormal event includes a network card abnormal packet loss rate event and/or a network card DOWN event, the abnormal processing operation information relates to the network card associated with that event and comprises sending error reporting information.
In one embodiment, the resource status information includes, but is not limited to, at least one of: CPU occupation state information, memory occupation state information and disk occupation state information; the management module 21 is further configured to determine whether the current CPU occupancy is higher than a first threshold in a case that the status information includes CPU occupancy status information, and determine that an abnormal resource usage event exists in the events in a case that the current CPU occupancy is higher than the first threshold; under the condition that the state information comprises memory occupation state information, judging whether the current memory occupancy rate is higher than a second threshold value or not, and under the condition that the current memory occupancy rate is higher than the second threshold value, judging that an abnormal resource utilization rate event exists in the events; and under the condition that the state information comprises disk occupation state information, judging whether the current disk occupation space is higher than a third threshold value, and under the condition that the current disk occupation space is higher than the third threshold value, judging that an abnormal resource utilization rate event exists in the events.
In one embodiment, the display module 22 is configured to, when the abnormal event includes a process abnormal exit event and/or a network card abnormal packet loss rate event and/or a network card DOWN event, query the abnormal processing operation information corresponding to the abnormal event in the preset configuration information and display it; and, when the abnormal event includes an abnormal resource utilization rate event, display the processes and/or files related to the abnormal resource utilization rate event, query the abnormal processing operation information corresponding to the abnormal event in the preset configuration information, and display it.
In one embodiment, the presentation module 22 is further configured to, in a case that the status information includes CPU occupancy status information, sort the processes from high to low according to their CPU occupancy, and select a preset number of processes from high to low in the sort sequence for presentation; under the condition that the state information comprises memory occupation state information, sorting the processes according to the memory occupation rate of the processes from high to low, and selecting a preset number of processes from high to low in a sorting sequence for display; and under the condition that the state information comprises the disk occupation state information, sorting the files according to the descending of the disk occupation space of the files, and selecting a preset number of files from high to low in a sorting sequence for displaying.
In one embodiment, the acquiring module 20 is configured to obtain the start information and the registration information of the reporter, and, when the start information indicates that the reporter is started and the registration information indicates that it is registered, to receive the state information of the event related to the stability of the WEB application firewall that the reporter sends at preset intervals.
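The management-end evaluation that modules 20 to 22 describe (the threshold checks, the comparison against the report received one interval earlier, the top-N sort by occupancy and the lookup of handling operations in the preset configuration), as an added Python example that is not the patent's own code. The report layout, the threshold values, the packet-loss bound, the name of the network-card operation, and reading "does not match the earlier state" as "event absent from the earlier report" are all assumptions.

```python
"""Management-end evaluation of a reporter's state information (steps S1 to S3).
Added example, not code from the patent: report layout, threshold values and the
network-card operation name are assumptions; event kinds follow the page's text."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Assumed threshold values: the page only speaks of a first, second and third threshold.
CPU_THRESHOLD = 90.0          # first threshold, percent of CPU
MEM_THRESHOLD = 90.0          # second threshold, percent of memory
DISK_THRESHOLD = 85.0         # third threshold, percent of the monitored directory's volume
PACKET_LOSS_THRESHOLD = 5.0   # assumed bound for an "abnormal packet loss rate"
PRESET_NUMBER = 10            # processes/files shown per resource (page: "may be 10")

# Preset configuration: association between abnormal event and handling operation
# information (the page's Table 1). The network-card operation is not named on the
# page, so "reset network card" is an assumption.
PRESET_CONFIG = {
    "process_abnormal_exit": ["restart process", "send error report"],
    "abnormal_resource_usage": ["close process/file", "send error report"],
    "nic_abnormal_packet_loss": ["reset network card", "send error report"],
    "nic_down": ["reset network card", "send error report"],
}

@dataclass(frozen=True)
class AbnormalEvent:
    kind: str      # key into PRESET_CONFIG
    subject: str   # process name, "cpu"/"mem"/"disk:<dir>", or network card name

def detect_events(report: dict) -> list[AbnormalEvent]:
    """Step S2: list the abnormal events contained in one state report."""
    events = []
    # Process state information: processes that exited abnormally.
    for name, proc in report.get("processes", {}).items():
        if proc["state"] == "exited_abnormally":
            events.append(AbnormalEvent("process_abnormal_exit", name))
    # Resource state information: first, second and third threshold checks.
    res = report.get("resources", {})
    if res.get("cpu", 0.0) > CPU_THRESHOLD:
        events.append(AbnormalEvent("abnormal_resource_usage", "cpu"))
    if res.get("mem", 0.0) > MEM_THRESHOLD:
        events.append(AbnormalEvent("abnormal_resource_usage", "mem"))
    for directory, used in res.get("disk", {}).items():
        if used > DISK_THRESHOLD:
            events.append(AbnormalEvent("abnormal_resource_usage", "disk:" + directory))
    # Network card state information: link DOWN and/or abnormal packet loss rate.
    for nic, state in report.get("network_cards", {}).items():
        if state["link"] == "DOWN":
            events.append(AbnormalEvent("nic_down", nic))
        elif state["loss"] > PACKET_LOSS_THRESHOLD:
            events.append(AbnormalEvent("nic_abnormal_packet_loss", nic))
    return events

def new_events(current: dict, previous: Optional[dict]) -> list[AbnormalEvent]:
    """Keep only events absent from the state received one interval earlier
    (the page's "normal 5 seconds ago, process 1 abnormal now" case)."""
    seen = set(detect_events(previous)) if previous else set()
    return [e for e in detect_events(current) if e not in seen]

def top_consumers(report: dict, resource: str, n: int = PRESET_NUMBER) -> list[tuple[str, float]]:
    """Processes sorted by CPU or memory share, or files by disk space, highest first."""
    if resource in ("cpu", "mem"):
        items = [(name, proc[resource]) for name, proc in report["processes"].items()]
    else:  # "disk:<directory>": files under the monitored directory, size in bytes
        directory = resource.split(":", 1)[1]
        items = list(report.get("files", {}).get(directory, {}).items())
    return sorted(items, key=lambda kv: kv[1], reverse=True)[:n]

def handling_display(report: dict, events: list[AbnormalEvent]) -> list[dict]:
    """Step S3: query the preset configuration for each abnormal event and build
    the rows the management page displays; resource events also carry the top-N list."""
    rows = []
    for ev in events:
        row = {"event": ev.kind, "subject": ev.subject, "operations": PRESET_CONFIG[ev.kind]}
        if ev.kind == "abnormal_resource_usage":
            row["candidates"] = top_consumers(report, ev.subject)
        rows.append(row)
    return rows

# Constructed sample reports, as a registered reporter would send them every interval.
PREVIOUS_REPORT = {
    "processes": {"waf-engine": {"state": "running", "cpu": 35.0, "mem": 20.0},
                  "waf-logger": {"state": "running", "cpu": 5.0, "mem": 10.0},
                  "waf-ui": {"state": "running", "cpu": 2.0, "mem": 5.0}},
    "resources": {"cpu": 42.0, "mem": 35.0, "disk": {"/var/log/waf": 60.0}},
    "network_cards": {"eth0": {"link": "UP", "loss": 0.1}, "eth1": {"link": "UP", "loss": 0.2}},
    "files": {"/var/log/waf": {"access.log": 2048, "error.log": 512, "audit.log": 1024}},
}
CURRENT_REPORT = {
    "processes": {"waf-engine": {"state": "running", "cpu": 88.0, "mem": 70.0},
                  "waf-logger": {"state": "exited_abnormally", "cpu": 0.0, "mem": 0.0},
                  "waf-ui": {"state": "running", "cpu": 3.0, "mem": 5.0}},
    "resources": {"cpu": 93.0, "mem": 77.0, "disk": {"/var/log/waf": 91.0}},
    "network_cards": {"eth0": {"link": "UP", "loss": 0.1}, "eth1": {"link": "DOWN", "loss": 100.0}},
    "files": {"/var/log/waf": {"access.log": 40960, "error.log": 512, "audit.log": 8192}},
}
```

Calling `handling_display(CURRENT_REPORT, new_events(CURRENT_REPORT, PREVIOUS_REPORT))` yields one row per abnormal event; the CPU and disk rows carry the sorted candidate list the page's display module would show.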
The above modules may be functional modules or program modules, and may be implemented by software or hardware. For a module implemented by hardware, the modules may be located in the same processor; or the modules can be respectively positioned in different processors in any combination.
The present embodiment also provides an electronic device comprising a memory 304 and a processor 302, wherein the memory 304 stores a computer program, and the processor 302 is configured to execute the computer program to perform the steps of any of the above method embodiments.
Specifically, the processor 302 may include a Central Processing Unit (CPU) or an Application Specific Integrated Circuit (ASIC), or may be configured as one or more integrated circuits that implement the embodiments of the present application.
The processor 302 reads and executes the computer program instructions stored in the memory 304 to implement any one of the security methods of the WEB application firewall in the above embodiments.
Optionally, the electronic apparatus may further include a transmission device 306 and an input/output device 308, where the transmission device 306 is connected to the processor 302, and the input/output device 308 is connected to the processor 302.
Alternatively, in this embodiment, the processor 302 may be configured to execute the following steps by a computer program:
S1, acquiring the state information of the event related to the stability of the WEB application firewall.
S2, judging whether the event is an abnormal event or not according to the state information of the event.
S3, under the condition that the event is judged to be an abnormal event, inquiring abnormal processing operation information corresponding to the abnormal event in preset configuration information, and displaying the abnormal processing operation information; the preset configuration information comprises an incidence relation between the abnormal event and the abnormal processing operation information.
It should be noted that, for specific examples in this embodiment, reference may be made to examples described in the foregoing embodiments and optional implementations, and details of this embodiment are not described herein again.
In addition, in combination with the security protection method of the WEB application firewall in the foregoing embodiment, an embodiment of the present application may provide a storage medium having a computer program stored thereon; when executed by a processor, the computer program implements the security protection method of the WEB application firewall of any of the above embodiments.
It should be understood by those skilled in the art that various features of the above embodiments can be combined arbitrarily, and for the sake of brevity, all possible combinations of the features in the above embodiments are not described, but should be considered as within the scope of the present disclosure as long as there is no contradiction between the combinations of the features.
The above examples are merely illustrative of several embodiments of the present application, and the description is more specific and detailed, but not to be construed as limiting the scope of the present application. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present application shall be subject to the appended claims.
Claims (10)
1. A safety protection method for a WEB application firewall is characterized by comprising the following steps:
acquiring state information of an event related to the stability of a WEB application firewall;
judging whether the event is an abnormal event or not according to the state information of the event;
under the condition that the event is judged to be an abnormal event, inquiring abnormal processing operation information corresponding to the abnormal event in preset configuration information, and displaying the abnormal processing operation information; the preset configuration information comprises an incidence relation between an abnormal event and abnormal processing operation information.
2. The security protection method for a WEB application firewall according to claim 1, wherein the state information includes at least one of the following: process state information, resource state information and network card state information; and judging whether the event is an abnormal event according to the state information of the event comprises the following steps:
under the condition that the state information comprises process state information, judging whether a process abnormal exit event exists in the event, and under the condition that the process abnormal exit event exists in the event, marking the event as an abnormal event;
under the condition that the state information comprises resource state information, judging whether an abnormal resource utilization rate event exists in the events, and under the condition that the abnormal resource utilization rate event exists in the events, marking the events as abnormal events;
and under the condition that the state information comprises network card state information, judging whether a network card abnormal packet loss rate event and/or a network card DOWN event exist in the events, and under the condition that the network card abnormal packet loss rate event and/or the network card DOWN event exist in the events, marking the events as abnormal events.
3. The security protection method for a WEB application firewall according to claim 2, wherein:
when the abnormal event comprises a process abnormal exit event, the abnormal processing operation information comprises restarting the process associated with the process abnormal exit event and sending error reporting information;
when the abnormal event comprises an abnormal resource utilization rate event, the abnormal processing operation information comprises closing at least one process and/or file associated with the abnormal resource utilization rate event and sending error reporting information;
and under the condition that the abnormal event comprises a network card abnormal packet loss rate event and/or a network card DOWN event, the abnormal processing operation information relates to the network card associated with the network card abnormal packet loss rate event and/or the network card DOWN event and comprises sending error reporting information.
4. The WEB application firewall security protection method according to claim 2, wherein the resource status information includes at least one of the following: CPU occupation state information, memory occupation state information and disk occupation state information; under the condition that the state information comprises resource state information, judging whether an abnormal resource utilization rate event exists in the events comprises the following steps:
under the condition that the state information comprises CPU occupation state information, judging whether the current CPU occupancy rate is higher than a first threshold value, and under the condition that the current CPU occupancy rate is higher than the first threshold value, judging that an abnormal resource utilization rate event exists in the events;
under the condition that the state information comprises memory occupation state information, judging whether the current memory occupancy rate is higher than a second threshold value or not, and under the condition that the current memory occupancy rate is higher than the second threshold value, judging that an abnormal resource utilization rate event exists in the events;
and under the condition that the state information comprises disk occupation state information, judging whether the current disk occupation space is higher than a third threshold value, and under the condition that the current disk occupation space is higher than the third threshold value, judging that an abnormal resource utilization rate event exists in the events.
5. The security protection method for a WEB application firewall according to claim 2, wherein, when the event is determined to be an abnormal event, querying abnormal processing operation information corresponding to the abnormal event in preset configuration information and displaying the abnormal processing operation information comprises:
under the condition that the abnormal event comprises a process abnormal exit event and/or a network card abnormal packet loss rate event and/or a network card DOWN event, inquiring abnormal processing operation information corresponding to the abnormal event in preset configuration information, and displaying the abnormal processing operation information;
and under the condition that the abnormal event comprises an abnormal resource utilization rate event, displaying a process and/or a file related to the abnormal resource utilization rate event, inquiring abnormal processing operation information corresponding to the abnormal event in preset configuration information, and displaying the abnormal processing operation information.
6. The WEB application firewall security protection method according to claim 5, wherein the resource status information includes at least one of the following: CPU occupation state information, memory occupation state information and disk occupation state information; in the event that the exception event comprises an exception resource usage event, presenting a process and/or file associated with the exception resource usage event comprises:
when the state information comprises CPU occupation state information, sorting the processes according to the CPU occupation rate of the processes from high to low, and selecting a preset number of processes from high to low in a sorting sequence for display;
when the state information comprises memory occupation state information, sorting the processes according to the memory occupation rate of the processes from high to low, and selecting a preset number of processes from high to low in a sorting sequence for display;
and under the condition that the state information comprises the disk occupation state information, sorting the files according to the descending of the disk occupation space of the files, and selecting a preset number of files from high to low in a sorting sequence for displaying.
7. The security protection method for a WEB application firewall according to claim 1, wherein
acquiring state information of an event related to the stability of the WEB application firewall comprises the following steps:
acquiring starting information and registration information of a reporter;
and receiving the state information of the event related to the stability of the WEB application firewall, which is sent by the reporter at intervals of preset time under the condition that the starting information of the reporter is started and the registration information is registered.
8. A safety protection device of a WEB application firewall is characterized by comprising:
an acquisition module, configured to acquire state information of an event related to the stability of the WEB application firewall;
The management module is used for judging whether the event is an abnormal event or not according to the state information of the event;
the display module is used for inquiring the exception handling operation information corresponding to the exception event in preset configuration information and displaying the exception handling operation information under the condition that the event is judged to be the exception event; the preset configuration information comprises an incidence relation between an abnormal event and abnormal processing operation information.
9. An electronic device comprising a memory and a processor, wherein the memory stores a computer program, and the processor is configured to execute the computer program to perform the method for securing the WEB application firewall according to any one of claims 1 to 7.
10. A storage medium having a computer program stored therein, wherein the computer program is configured to execute the method for securing a WEB application firewall according to any one of claims 1 to 7 when running.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010875522.1A CN112165450B (en) | 2020-08-27 | 2020-08-27 | Security protection method and device for WEB application firewall and electronic device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010875522.1A CN112165450B (en) | 2020-08-27 | 2020-08-27 | Security protection method and device for WEB application firewall and electronic device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112165450A true CN112165450A (en) | 2021-01-01 |
CN112165450B CN112165450B (en) | 2023-04-21 |
Family
ID=73860368
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010875522.1A Active CN112165450B (en) | 2020-08-27 | 2020-08-27 | Security protection method and device for WEB application firewall and electronic device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112165450B (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113660215A (en) * | 2021-07-26 | 2021-11-16 | 杭州安恒信息技术股份有限公司 | Attack behavior detection method and device based on Web application firewall |
CN113886118A (en) * | 2021-09-16 | 2022-01-04 | 杭州安恒信息技术股份有限公司 | Abnormal resource processing method, device, system, electronic device and storage medium |
CN114816558A (en) * | 2022-03-07 | 2022-07-29 | 深圳开源互联网安全技术有限公司 | Script injection method and device and computer readable storage medium |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106209425A (en) * | 2016-06-28 | 2016-12-07 | 上海携程商务有限公司 | The method and system of the automatic bypass of fire wall based on switch |
CN107205008A (en) * | 2016-03-18 | 2017-09-26 | 上海有云信息技术有限公司 | The loaded self-adaptive method of WEB application fire wall under cloud computing environment |
US20180013722A1 (en) * | 2016-07-06 | 2018-01-11 | Eric Enos | Distributed firewall device and system |
CN109067807A (en) * | 2018-10-16 | 2018-12-21 | 杭州安恒信息技术股份有限公司 | Safety protecting method, device and electronic equipment based on WEB application firewall overload |
CN109800131A (en) * | 2018-12-18 | 2019-05-24 | 平安健康保险股份有限公司 | Monitor processing method, device, computer equipment and the storage medium of Linux server |
CN111314290A (en) * | 2019-12-30 | 2020-06-19 | 北京长亭未来科技有限公司 | Method and device for protecting continuity of WEB application firewall service and electronic equipment |
Non-Patent Citations (1)
Title |
---|
姚琳琳: "Design and Implementation of a Web Application Firewall Based on a Distributed Peer-to-Peer Architecture", China Master's Theses Full-text Database (Information Science and Technology) * |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113660215A (en) * | 2021-07-26 | 2021-11-16 | 杭州安恒信息技术股份有限公司 | Attack behavior detection method and device based on Web application firewall |
CN113886118A (en) * | 2021-09-16 | 2022-01-04 | 杭州安恒信息技术股份有限公司 | Abnormal resource processing method, device, system, electronic device and storage medium |
CN114816558A (en) * | 2022-03-07 | 2022-07-29 | 深圳开源互联网安全技术有限公司 | Script injection method and device and computer readable storage medium |
CN114816558B (en) * | 2022-03-07 | 2023-06-30 | 深圳市九州安域科技有限公司 | Script injection method, equipment and computer readable storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN112165450B (en) | 2023-04-21 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||