CN112165450A - Safety protection method and device for WEB application firewall and electronic device - Google Patents

Info

Publication number: CN112165450A
Authority: CN (China)
Prior art keywords: event, abnormal, state information, information, condition
Legal status: Granted
Application number: CN202010875522.1A
Other languages: Chinese (zh)
Other versions: CN112165450B (en)
Inventors: 陈加群, 范渊
Current assignee: Hangzhou Dbappsecurity Technology Co Ltd
Original assignee: Hangzhou Dbappsecurity Technology Co Ltd
Prosecution events: application filed by Hangzhou Dbappsecurity Technology Co Ltd with priority to CN202010875522.1A; published as CN112165450A; application granted and published as CN112165450B; current legal status Active

Classifications

All classifications fall under H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION:

    • H04L 63/00 Network architectures or network communication protocols for network security › H04L 63/02 for separating internal from external traffic, e.g. firewalls
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks › H04L 41/06 Management of faults, events, alarms or notifications › H04L 41/0631 using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H04L 43/00 Arrangements for monitoring or testing data switching networks › H04L 43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L 63/00 Network architectures or network communication protocols for network security › H04L 63/14 for detecting or protecting against malicious traffic › H04L 63/1408 by monitoring network traffic › H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/00 Network architectures or network communication protocols for network security › H04L 63/14 for detecting or protecting against malicious traffic › H04L 63/1441 Countermeasures against malicious traffic
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications › H04L 67/01 Protocols › H04L 67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Environmental & Geological Engineering (AREA)
  • Computer And Data Communications (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The application relates to a security protection method and device, an electronic device and a storage medium for a WEB application firewall. The method comprises the following steps: acquiring state information of an event related to the stability of the WEB application firewall; judging, according to the state information of the event, whether the event is an abnormal event; and, where the event is judged to be an abnormal event, querying preset configuration information for the exception handling operation information corresponding to the abnormal event and displaying that information, the preset configuration information comprising an association between abnormal events and exception handling operation information. This solves the problem in the related art that users cannot process abnormal events of the WEB application firewall in a timely manner: users can handle such events promptly, and the technical effect of improving the stability of the WEB application firewall is achieved.

Description

Safety protection method and device for WEB application firewall and electronic device
Technical Field
The present application relates to the field of network security technologies, and in particular, to a security protection method and apparatus for a WEB application firewall, an electronic apparatus, and a storage medium.
Background
With the continuous development of network technology, WEB applications have become more and more abundant, and WEB servers, with their strong computing power, processing performance and high implied economic value, have gradually become primary attack targets.
A WEB Application Firewall (WAF for short) is a product that protects WEB applications by executing a series of security policies for HTTP/HTTPS. It is mainly used to defend against attacks on the application layer, such as SQL injection, cross-site scripting, parameter tampering, application platform vulnerability attacks and denial of service attacks.
In the related art, the WAF is typically deployed in front of the WEB application and scans and filters user requests before they reach the WEB server: it analyses and verifies the network packets of each request, ensures that each request is valid and safe, and blocks or isolates requests that are invalid or show attack behaviour. By inspecting HTTP traffic, attacks that exploit security vulnerabilities of WEB applications (e.g. SQL injection, cross-site scripting, file inclusion and security misconfiguration) can be prevented. However, such solutions often fail to show the resource status of the WAF itself in time. The user cannot learn the current system state of the WAF from the front end, and cannot see directly on a web page which process is consuming high CPU or high memory or what the current network card state is, so when the WAF encounters an abnormality the user cannot promptly take emergency action against the process, file or network card causing it.
At present, no effective solution has been proposed for the problem in the related art that users cannot process abnormal events of the WEB application firewall in a timely manner.
Disclosure of Invention
Embodiments of the application provide a security protection method and device, an electronic device and a storage medium for a WEB application firewall, so as at least to solve the problem in the related art that a user cannot process abnormal events of the WEB application firewall in a timely manner.
In a first aspect, an embodiment of the application provides a security protection method for a WEB application firewall, comprising: acquiring state information of an event related to the stability of the WEB application firewall; judging, according to the state information of the event, whether the event is an abnormal event; and, where the event is judged to be an abnormal event, querying preset configuration information for the exception handling operation information corresponding to the abnormal event and displaying that information, the preset configuration information comprising an association between abnormal events and exception handling operation information.
In some of these embodiments the state information includes at least one of process state information, resource state information and network card state information, and judging whether the event is an abnormal event according to its state information comprises: where the state information includes process state information, judging whether a process abnormal exit event is present among the events, and if so marking the event as an abnormal event; where the state information includes resource state information, judging whether an abnormal resource utilisation rate event is present among the events, and if so marking the event as an abnormal event; and where the state information includes network card state information, judging whether a network card abnormal packet loss rate event and/or a network card DOWN event is present among the events, and if so marking the event as an abnormal event.
In some of these embodiments, where the abnormal event comprises a process abnormal exit event, the exception handling operation information comprises restarting the process associated with that event and sending error report information; where the abnormal event comprises an abnormal resource utilisation rate event, the exception handling operation information comprises closing at least one process and/or file associated with that event and sending error report information; and where the abnormal event comprises a network card abnormal packet loss rate event and/or a network card DOWN event, the exception handling operation information relates to the network card associated with that event, and error report information is sent.
In some of these embodiments the resource state information includes at least one of CPU occupation state information, memory occupation state information and disk occupation state information, and, where the state information includes resource state information, judging whether an abnormal resource utilisation rate event is present comprises: where the state information includes CPU occupation state information, judging whether the current CPU occupancy rate is higher than a first threshold, and if so judging that an abnormal resource utilisation rate event is present; where it includes memory occupation state information, judging whether the current memory occupancy rate is higher than a second threshold, and if so judging that an abnormal resource utilisation rate event is present; and where it includes disk occupation state information, judging whether the currently occupied disk space is higher than a third threshold, and if so judging that an abnormal resource utilisation rate event is present.
In some embodiments, where the event is judged to be an abnormal event, querying the preset configuration information for the corresponding exception handling operation information and displaying it comprises: where the abnormal event comprises a process abnormal exit event and/or a network card abnormal packet loss rate event and a network card DOWN event, querying the preset configuration information for the exception handling operation information corresponding to the abnormal event and displaying it; and where the abnormal event comprises an abnormal resource utilisation rate event, displaying the process and/or file related to that event, then querying the preset configuration information for the corresponding exception handling operation information and displaying it.
In some of these embodiments the resource state information includes at least one of CPU occupation state information, memory occupation state information and disk occupation state information, and, where the abnormal event comprises an abnormal resource utilisation rate event, displaying the process and/or file associated with that event comprises: where the state information includes CPU occupation state information, sorting the processes by CPU occupancy rate from high to low and selecting a preset number of processes from the top of the sorted sequence for display; where it includes memory occupation state information, sorting the processes by memory occupancy rate from high to low and selecting a preset number of processes from the top of the sorted sequence for display; and where it includes disk occupation state information, sorting the files by occupied disk space from large to small and selecting a preset number of files from the top of the sorted sequence for display.
In some embodiments, acquiring state information of an event related to the stability of the WEB application firewall comprises: acquiring the starting information and registration information of a reporter; and receiving the state information of the event related to the stability of the WEB application firewall that the reporter sends at preset intervals, provided the reporter's starting information indicates it is started and its registration information indicates it is registered.
In a second aspect, an embodiment of the application provides a security protection device for a WEB application firewall, comprising an acquisition module, a state information management module and a processing module, wherein the acquisition module acquires an event related to the stability of the WEB application firewall and judges, according to the state information of the event, whether the event is an abnormal event; and a display module, which, where the event is judged to be an abnormal event, queries preset configuration information for the exception handling operation information corresponding to the abnormal event and displays it, the preset configuration information comprising an association between abnormal events and exception handling operation information.
In a third aspect, an embodiment of the application provides an electronic device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the computer program, implements the security protection method for the WEB application firewall described in the first aspect.
In a fourth aspect, an embodiment of the application provides a storage medium on which a computer program is stored, wherein the computer program, when executed by a processor, implements the security protection method for the WEB application firewall described in the first aspect.
Compared with the related art, the security protection method and device, the electronic device and the storage medium for the WEB application firewall provided by the embodiments of the application solve the problem that a user cannot process abnormal events of the WEB application firewall in a timely manner: the user can handle such events promptly, and the technical effect of improving the stability of the WEB application firewall is achieved.
The details of one or more embodiments of the application are set forth in the accompanying drawings and the description below to provide a more thorough understanding of the application.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
FIG. 1 is a flow chart of a method for securing a WEB application firewall according to an embodiment of the present application;
FIG. 2 is a block diagram of a security protection device of a WEB application firewall according to an embodiment of the present application;
FIG. 3 is a schematic diagram of the hardware structure of an electronic device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be described and illustrated below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments provided in the present application without any inventive step are within the scope of protection of the present application. Moreover, it should be appreciated that in the development of any such actual implementation, as in any engineering or design project, numerous implementation-specific decisions must be made to achieve the developers' specific goals, such as compliance with system-related and business-related constraints, which may vary from one implementation to another.
Reference in the specification to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the specification. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of ordinary skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments without conflict.
Unless defined otherwise, technical or scientific terms referred to herein have the ordinary meaning understood by those of ordinary skill in the art to which this application belongs. References to "a," "an," "the" and similar words throughout this application are not to be construed as limiting in number and may refer to the singular or the plural. The terms "including," "comprising," "having" and any variations thereof used in this application are intended to cover non-exclusive inclusion; for example, a process, method, system, article or apparatus that comprises a list of steps or modules (elements) is not limited to the listed steps or elements, but may include other steps or elements not expressly listed or inherent to such process, method, article or apparatus. References to "connected," "coupled" and the like in this application are not limited to physical or mechanical connections but may include electrical connections, whether direct or indirect. Reference herein to "a plurality" means two or more. "And/or" describes an association between objects and covers three cases; for example, "A and/or B" may mean that A exists alone, that A and B exist simultaneously, or that B exists alone. The terms "first," "second," "third" and the like are used merely to distinguish similar objects and do not denote a particular ordering.
Fig. 1 is a flowchart of a security protection method for a WEB application firewall according to an embodiment of the present application, and as shown in fig. 1, the flowchart includes the following steps:
Step S101: acquire state information of events related to the stability of the WEB application firewall.
In this embodiment, the state information of the WEB application firewall may be obtained from a reporter of the WEB application firewall, in the following steps:
Step 1: acquire the starting information and registration information of the reporter.
Step 2: receive the state information of the event related to the stability of the WEB application firewall that the reporter sends at preset intervals, provided the reporter's starting information indicates it is started and its registration information indicates it is registered.
In this embodiment the preset time may be 5 seconds, and which reporters' state information is received and processed can be configured and determined on the page of the WEB application firewall. The exception handling operation information corresponding to an abnormal event can be queried in the preset configuration information. The preset configuration information may take the following form: for each reporter, a flag indicating whether that reporter's state information is switched on; when the flag is "yes", the reporter's state information is switched on. State information of the WEB application firewall is acquired from a reporter only when the preset configuration information has been loaded and the reporter is marked as switched on in it. The preset configuration information also comprises the association between abnormal events and exception handling operation information.
In other embodiments, the preset time may take other values.
Meanwhile, the reporter may also register with the management end in advance; the management end accepts only information sent by reporters registered with it, so that the security of the information sent by reporters can be ensured.
Step S102: judge, according to the state information of the event, whether the event is an abnormal event.
In this embodiment, the status information may include, but is not limited to, at least one of: process state information, resource state information, network card state information.
The process state information, resource state information and network card state information may be sent to the management end by a first reporter, a second reporter and a third reporter respectively. The first reporter safeguards the key processes of the WEB application firewall and reports process state information to the management end in time; the second reporter safeguards the system resource state of the WEB application firewall and reports resource state information to the management end in time; and the third reporter safeguards the network card running state of the WEB application firewall and reports network card state information to the management end in time.
Based on the state information, the management end judges whether an abnormal event has occurred; if so, it sends error information and processes the abnormal event according to the exception handling operation information corresponding to that event.
The correlation between the reporter, the event status, and the exception handling operation information corresponding to the event is shown in table 1.
TABLE 1 (reproduced in the original as an image, not as text)
Where the state information includes process state information, it is judged whether a process abnormal exit event is present among the events, and if so the event is marked as an abnormal event; where the state information includes resource state information, it is judged whether an abnormal resource utilisation rate event is present among the events, and if so the event is marked as an abnormal event; and where the state information includes network card state information, it is judged whether a network card abnormal packet loss rate event and/or a network card DOWN event is present among the events, and if so the event is marked as an abnormal event.
As shown in Table 1, in this embodiment, when the state information includes process state information, the critical processes may be monitored according to the critical processes selected in the preset configuration information; for example, process 1 may be Haproxy and process 2 may be Nginx, and further critical processes may be added to the preset configuration information.
In some of these embodiments, the resource status information may include, but is not limited to, at least one of: CPU occupation state information, memory occupation state information and disk occupation state information.
As shown in Table 1, where the state information includes resource state information, judging whether an abnormal resource utilisation rate event is present among the events comprises: where the state information includes CPU occupation state information, judging whether the current CPU occupancy rate is higher than a first threshold, and if so judging that an abnormal resource utilisation rate event is present; where it includes memory occupation state information, judging whether the current memory occupancy rate is higher than a second threshold, and if so judging that an abnormal resource utilisation rate event is present; and where it includes disk occupation state information, judging whether the currently occupied disk space is higher than a third threshold, and if so judging that an abnormal resource utilisation rate event is present.
In this embodiment the first threshold may be 90%, the second threshold 90%, the third threshold 80% and the fourth threshold 20%; in other embodiments the first, second, third and fourth thresholds may take other values.
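The judgement of step S102, as summarised in the Disclosure of Invention and laid out above, is a set of per-signal rules applied to one interval's state information. The following is an added example in Python and is not code from the patent or its assignee: the report layout, function and event names and the sample values are constructed assumptions, and the threshold values are the example values quoted in the description (pairing the fourth threshold with network card packet loss is an assumption, since the text does not say what it applies to).

```python
# Added example (not the patent's code): threshold and state based judgement of step S102.
# The report layout, function names and sample values are constructed assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Example threshold values quoted in the description: first 90%, second 90%, third 80%,
# fourth 20%. Pairing the fourth threshold with NIC packet loss is an assumption here.
DEFAULT_THRESHOLDS = {
    "cpu_percent": 90.0,          # first threshold
    "memory_percent": 90.0,       # second threshold
    "disk_percent": 80.0,         # third threshold
    "packet_loss_percent": 20.0,  # fourth threshold (assumed: NIC packet loss)
}

# Critical processes named as examples in the description (process 1 and process 2).
CRITICAL_PROCESSES = ("haproxy", "nginx")


@dataclass
class StateReport:
    """State information for one reporting interval (constructed layout)."""
    processes: Dict[str, str] = field(default_factory=dict)  # name -> "running" / "exited"
    cpu_percent: float = 0.0
    memory_percent: float = 0.0
    disk_percent: float = 0.0
    # name -> {"link": "UP" / "DOWN", "packet_loss_percent": float}
    nics: Dict[str, Dict[str, object]] = field(default_factory=dict)


def detect_abnormal_events(report: StateReport,
                           thresholds: Dict[str, float] = DEFAULT_THRESHOLDS,
                           critical: Tuple[str, ...] = CRITICAL_PROCESSES) -> List[Tuple[str, str]]:
    """Return (event_type, target) pairs; an empty list means the event is normal."""
    events: List[Tuple[str, str]] = []

    # Process state: a critical process that is not running counts as an abnormal exit.
    for name in critical:
        if report.processes.get(name) != "running":
            events.append(("process_abnormal_exit", name))

    # Resource state: each metric is compared with its own threshold. The rule is
    # "higher than", so a value exactly at the threshold is not abnormal.
    for metric in ("cpu", "memory", "disk"):
        if getattr(report, f"{metric}_percent") > thresholds[f"{metric}_percent"]:
            events.append(("abnormal_resource_usage", metric))

    # Network card state: a DOWN link is reported as such; otherwise check packet loss.
    for nic, state in report.nics.items():
        if state.get("link") == "DOWN":
            events.append(("nic_down", nic))
        elif float(state.get("packet_loss_percent", 0.0)) > thresholds["packet_loss_percent"]:
            events.append(("nic_abnormal_packet_loss", nic))

    return events


if __name__ == "__main__":
    # Constructed sample: nginx has exited, CPU and disk are over their thresholds,
    # eth0 is dropping packets and eth1 is down.
    sample = StateReport(
        processes={"haproxy": "running", "nginx": "exited"},
        cpu_percent=95.0, memory_percent=40.0, disk_percent=85.0,
        nics={"eth0": {"link": "UP", "packet_loss_percent": 25.0},
              "eth1": {"link": "DOWN", "packet_loss_percent": 0.0}},
    )
    for event in detect_abnormal_events(sample):
        print(event)
```

Each rule is independent, so a single report can yield several abnormal events, and a report that trips no rule yields an empty list, which is the "not an abnormal event" outcome the later steps rely on.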
Step S103: where the event is judged to be an abnormal event, query preset configuration information for the exception handling operation information corresponding to the abnormal event and display that information; the preset configuration information comprises an association between abnormal events and exception handling operation information.
In some embodiments, where the event is judged to be an abnormal event, querying the preset configuration information for the corresponding exception handling operation information and displaying it comprises: where the abnormal event comprises a process abnormal exit event and/or a network card abnormal packet loss rate event and a network card DOWN event, querying the preset configuration information for the exception handling operation information corresponding to the abnormal event and displaying it; and where the abnormal event comprises an abnormal resource utilisation rate event, displaying the process and/or file related to that event, then querying the preset configuration information for the corresponding exception handling operation information and displaying it.
As shown in Table 1, in this embodiment, when the state information includes CPU occupation state information, the processes may be sorted by CPU occupancy rate from high to low and a preset number of processes selected from the top of the sorted sequence for display; when the state information includes memory occupation state information, the processes may be sorted by memory occupancy rate from high to low and a preset number of processes selected from the top of the sorted sequence for display; and when the state information includes disk occupation state information, the files may be sorted by occupied disk space from large to small and a preset number of files selected from the top of the sorted sequence for display.
In this embodiment the preset number may be 10; in other embodiments it may be another value. After the preset number of processes is displayed, the user may choose, based on the corresponding exception handling operation information, to restart the processes, close them or send error report information; after the preset number of files is displayed, the user may choose, based on the exception handling operation information, to delete the files or send error report information.
As shown in Table 1, where the abnormal event comprises a process abnormal exit event, the exception handling operation information comprises restarting the process associated with that event and sending error report information; where the abnormal event comprises an abnormal resource utilisation rate event, the exception handling operation information comprises closing at least one process and/or file associated with that event and sending error report information; and where the abnormal event comprises a network card abnormal packet loss rate event and/or a network card DOWN event, the exception handling operation information relates to the network card associated with that event, and error report information is sent.
In some embodiments, when the state information is resource state information, closing at least one process and/or file in the abnormal resource utilisation rate event and sending error report information comprises: when the resource state information is CPU occupation state information, sorting the processes by CPU occupancy rate from high to low and selecting at least one process from the top of the sorted sequence to close; when it is memory occupation state information, sorting the processes by memory occupancy rate from high to low and selecting at least one process from the top of the sorted sequence to close; and when it is disk occupation state information, sorting the files by occupied disk space from large to small and selecting at least one file from the top of the sorted sequence to delete.
In the security protection method of the WEB application firewall, the disk occupancy state information is obtained by monitoring a disk directory selected from the preset configuration information; a plurality of directories can be added to the preset configuration information, and the method can display, for each directory, the preset number of files occupying the most disk space.
In other embodiments, since the management end receives the state information of the WEB application firewall sent by the reporter at every preset time interval, the management end also compares consecutive samples. With a time interval of 5 seconds, when an event is not judged abnormal from its current state information, the management end replaces the current state information with the state information of the event obtained 5 seconds earlier, and judges the event to be abnormal only when the current state information does not match the state information obtained 5 seconds earlier. For example, if the state information obtained 5 seconds earlier was normal and the current state information shows process 1 as abnormal, the event is judged to be an abnormal event.
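The judgement and display steps described above (per-resource threshold checks, lookup of the abnormal processing operation information in the preset configuration, ranking of processes and files to the preset number, and the comparison with the previous sample) as an added Python example; this is not the patent's own code. The threshold values, the shape of a state report, the process and file names, the packet-loss bound and the "only events absent from the previous sample" reading of the 5-second comparison are all assumptions made here, and the network-card operation, which the description does not name, is left as a placeholder string.

```python
"""Management-end judgement of WAF state reports: threshold checks, lookup of
handling-operation info in the preset configuration, top-N ranking and the
comparison with the previous sample. Added example; all values constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Stand-ins for the description's first/second/third threshold (values assumed).
CPU_THRESHOLD = 80.0            # percent
MEMORY_THRESHOLD = 85.0         # percent
DISK_THRESHOLD = 90.0           # percent of capacity (unit assumed)
PACKET_LOSS_THRESHOLD = 5.0     # percent; bound for "abnormal packet loss" assumed
PRESET_NUMBER = 10              # the description's preset number

# Preset configuration information: abnormal event -> handling operation info.
# The page does not name the network-card operation, so a placeholder is used.
HANDLING_OPERATIONS: Dict[str, List[str]] = {
    "process_abnormal_exit": ["restart associated process", "send error report"],
    "abnormal_resource_usage": ["close associated process/file", "send error report"],
    "nic_abnormal_packet_loss": ["<network-card operation>", "send error report"],
    "nic_down": ["<network-card operation>", "send error report"],
}

Event = Tuple[str, str]   # (event type, associated process/resource/network card)


@dataclass
class StateReport:
    """One sample of state information as sent by the reporter (shape assumed)."""
    processes: Dict[str, dict]   # name -> {"running": bool, "cpu": %, "mem": %}
    cpu_percent: float
    mem_percent: float
    disk_percent: float
    files: Dict[str, int]        # path -> bytes, within the monitored directory
    nics: Dict[str, dict]        # name -> {"up": bool, "loss_percent": float}


def detect_abnormal_events(report: StateReport, expected: List[str]) -> List[Event]:
    """Per-category checks of claims 2 and 4 applied to one sample."""
    events: List[Event] = []
    for name in expected:                       # process state information
        info = report.processes.get(name)
        if info is None or not info.get("running", False):
            events.append(("process_abnormal_exit", name))
    if report.cpu_percent > CPU_THRESHOLD:      # resource state information
        events.append(("abnormal_resource_usage", "cpu"))
    if report.mem_percent > MEMORY_THRESHOLD:
        events.append(("abnormal_resource_usage", "memory"))
    if report.disk_percent > DISK_THRESHOLD:
        events.append(("abnormal_resource_usage", "disk"))
    for nic, info in report.nics.items():       # network card state information
        if not info.get("up", True):
            events.append(("nic_down", nic))
        elif info.get("loss_percent", 0.0) > PACKET_LOSS_THRESHOLD:
            events.append(("nic_abnormal_packet_loss", nic))
    return events


def top_processes(report: StateReport, metric: str, n: int = PRESET_NUMBER) -> List[str]:
    """Processes sorted high-to-low by 'cpu' or 'mem', cut to the preset number."""
    ranked = sorted(report.processes.items(), key=lambda kv: kv[1].get(metric, 0.0), reverse=True)
    return [name for name, _ in ranked[:n]]


def top_files(report: StateReport, n: int = PRESET_NUMBER) -> List[str]:
    """Files sorted large-to-small by occupied disk space, cut to the preset number."""
    ranked = sorted(report.files.items(), key=lambda kv: kv[1], reverse=True)
    return [path for path, _ in ranked[:n]]


def new_events(current: List[Event], previous: List[Event]) -> List[Event]:
    """Reading of the 5-second comparison: raise only events absent from the
    previous sample (an interpretation; the page does not state it this precisely)."""
    seen = set(previous)
    return [e for e in current if e not in seen]


def display_info(report: StateReport, events: List[Event]) -> Dict[str, dict]:
    """What the display module shows: handling-operation info per event plus,
    for resource events, the ranked processes or files."""
    out: Dict[str, dict] = {}
    for etype, subject in events:
        entry: dict = {"operations": HANDLING_OPERATIONS[etype]}
        if etype == "abnormal_resource_usage":
            if subject == "disk":
                entry["files"] = top_files(report)
            else:
                entry["processes"] = top_processes(report, "cpu" if subject == "cpu" else "mem")
        out[f"{etype}:{subject}"] = entry
    return out


# Constructed sample: filter worker exited, disk nearly full, second NIC down.
SAMPLE = StateReport(
    processes={"waf-engine": {"running": True, "cpu": 35.0, "mem": 22.0},
               "waf-logger": {"running": True, "cpu": 4.0, "mem": 8.0},
               "waf-filter": {"running": False, "cpu": 0.0, "mem": 0.0}},
    cpu_percent=41.0, mem_percent=60.0, disk_percent=93.5,
    files={"/var/log/waf/access.log": 8_000_000_000,
           "/var/log/waf/attack.log": 1_500_000_000,
           "/var/log/waf/audit.log": 200_000_000},
    nics={"eth0": {"up": True, "loss_percent": 0.2},
          "eth1": {"up": False, "loss_percent": 0.0}},
)
EXPECTED_PROCESSES = ["waf-engine", "waf-filter", "waf-logger"]

if __name__ == "__main__":
    for key, entry in display_info(SAMPLE, detect_abnormal_events(SAMPLE, EXPECTED_PROCESSES)).items():
        print(key, entry)
```

Running the module on the constructed sample yields three abnormal events (the exited filter process, the disk threshold breach and the DOWN network card); only the disk event carries a ranked file list, because the description attaches the process/file ranking to resource events alone.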
In the related art, the WAF sits in front of the WEB application and scans and filters user requests before they reach the WEB server: it analyzes and verifies the network packets of each user request, ensures that each request is valid and safe, and blocks or isolates requests that are invalid or exhibit attack behaviour. By inspecting HTTP traffic, attacks exploiting security vulnerabilities of WEB applications (e.g., SQL injection, cross-site scripting, file inclusion and security misconfiguration) can be prevented. However, such solutions often fail to show the resource status of the WAF itself in time. The user cannot learn the current system state of the WAF from the front end, and cannot see directly on a web page which process has high CPU or memory usage or what the current network card state is, so when the WAF runs into an abnormality the user cannot promptly take emergency action on the process, file or network card causing it.
Through steps S101 to S103, once an event related to the stability of the WEB application firewall is found to be abnormal, the application queries the abnormal processing operation information corresponding to that abnormal event in the preset configuration information and displays it. The user can thus see directly which events cause the abnormality and handle them according to the displayed abnormal processing operation information. Because the user learns of the abnormal event and handles it in time, the stability and reliability of the WEB application firewall are greatly improved; this solves the problem in the related art that abnormal events of the WEB application firewall cannot be handled in time, and achieves the technical effect of improving the stability of the WEB application firewall.
This embodiment further provides a security protection device for a WEB application firewall, which is used to implement the foregoing embodiments and preferred embodiments; what has already been described is not repeated. Although the means described in the embodiments below are preferably implemented in software, an implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
Fig. 2 is a block diagram of a security protection device of a WEB application firewall according to an embodiment of the present application. As shown in fig. 2, the security protection device includes: an acquiring module 20, configured to acquire the state information of an event related to the stability of the WEB application firewall; a management module 21, configured to judge whether the event is an abnormal event according to the state information of the event; and a display module 22, configured to query, when the event is judged to be an abnormal event, the abnormal processing operation information corresponding to the abnormal event in the preset configuration information and to display the abnormal processing operation information; the preset configuration information includes an association relation between the abnormal event and the abnormal processing operation information.
In one embodiment, the status information includes, but is not limited to, at least one of: process state information, resource state information and network card state information; the management module 21 is configured to determine whether a process exception exit event exists in the event if the state information includes the process state information, and mark the event as an exception event if the process exception exit event exists in the event; under the condition that the state information comprises resource state information, judging whether an abnormal resource utilization rate event exists in the event, and under the condition that the abnormal resource utilization rate event exists in the event, marking the event as an abnormal event; and under the condition that the state information comprises the network card state information, judging whether a network card abnormal packet loss rate event and/or a network card DOWN event exist in the event, and under the condition that the network card abnormal packet loss rate event and/or the network card DOWN event exist in the event, marking the event as an abnormal event.
In one embodiment, in the case that the exception event includes a process exception exit event, the exception handling operation information includes restarting the process associated with the process exception exit event and sending error reporting information; when the abnormal event comprises an abnormal resource utilization rate event, the abnormal processing operation information comprises closing at least one process and/or file associated with the abnormal resource utilization rate event and sending error reporting information; and under the condition that the abnormal event comprises a network card abnormal packet loss rate event and/or a network card DOWN event, the abnormal processing operation information comprises the network card associated with the network card abnormal packet loss rate event and/or the network card DOWN event, and error reporting information is sent.
In one embodiment, the resource status information includes, but is not limited to, at least one of: CPU occupation state information, memory occupation state information and disk occupation state information; the management module 21 is further configured to determine whether the current CPU occupancy is higher than a first threshold in a case that the status information includes CPU occupancy status information, and determine that an abnormal resource usage event exists in the events in a case that the current CPU occupancy is higher than the first threshold; under the condition that the state information comprises memory occupation state information, judging whether the current memory occupancy rate is higher than a second threshold value or not, and under the condition that the current memory occupancy rate is higher than the second threshold value, judging that an abnormal resource utilization rate event exists in the events; and under the condition that the state information comprises disk occupation state information, judging whether the current disk occupation space is higher than a third threshold value, and under the condition that the current disk occupation space is higher than the third threshold value, judging that an abnormal resource utilization rate event exists in the events.
In one embodiment, the displaying module 22 is configured to, when the abnormal event includes a process abnormal exit event and/or a network card abnormal packet loss rate event, and a network card DOWN event, query, in preset configuration information, abnormal processing operation information corresponding to the abnormal event, and display the abnormal processing operation information; and under the condition that the abnormal event comprises an abnormal resource utilization rate event, displaying a process and/or a file related to the abnormal resource utilization rate event, inquiring abnormal processing operation information corresponding to the abnormal event in preset configuration information, and displaying the abnormal processing operation information.
In one embodiment, the display module 22 is further configured to, when the state information includes CPU occupancy state information, sort the processes from high to low by CPU occupancy and select a preset number of processes from the top of the sorted sequence for display; when the state information includes memory occupancy state information, sort the processes from high to low by memory occupancy and select a preset number of processes from the top of the sorted sequence for display; and when the state information includes disk occupancy state information, sort the files from large to small by occupied disk space and select a preset number of files from the top of the sorted sequence for display.
In one embodiment, the obtaining module 20 is configured to obtain the start information and the registration information of the reporter; and receiving the state information of the event related to the stability of the WEB application firewall, which is sent by the reporter at preset intervals under the condition that the starting information of the reporter is started and the registration information is registered.
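The acquisition step just described, in which the management end accepts the periodic state reports of a reporter only when the reporter's start information is "started" and its registration information is "registered", as an added Python example that is not the patent's code. The reporter ids, the 5-second interval, the report sequence and the extra "silent reporter" check (a reporter that has stopped sending within its interval) are assumptions added here; the page does not describe that last check.

```python
"""Management-end gate for reporter state reports. Added example, not the
patent's code; ids, interval and the report sequence are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PRESET_INTERVAL = 5.0   # seconds, the description's "preset time" (value assumed)


@dataclass
class ReporterRecord:
    registered: bool = False            # registration information
    started: bool = False               # start information
    last_report_at: Optional[float] = None


@dataclass
class ManagementEnd:
    reporters: Dict[str, ReporterRecord] = field(default_factory=dict)
    accepted: List[Tuple[str, float, dict]] = field(default_factory=list)

    def register(self, reporter_id: str) -> None:
        self.reporters.setdefault(reporter_id, ReporterRecord()).registered = True

    def mark_started(self, reporter_id: str) -> None:
        self.reporters.setdefault(reporter_id, ReporterRecord()).started = True

    def receive(self, reporter_id: str, now: float, state: dict) -> bool:
        """Accept a state report only from a reporter that is both started and
        registered; anything else is dropped before it can influence judgement."""
        rec = self.reporters.get(reporter_id)
        if rec is None or not (rec.registered and rec.started):
            return False
        rec.last_report_at = now
        self.accepted.append((reporter_id, now, state))
        return True

    def silent_reporters(self, now: float, tolerance: float = 2.0) -> List[str]:
        """Assumption beyond the page: a started and registered reporter whose
        last report is older than `tolerance` intervals is worth flagging too."""
        return [rid for rid, rec in self.reporters.items()
                if rec.registered and rec.started
                and (rec.last_report_at is None
                     or now - rec.last_report_at > tolerance * PRESET_INTERVAL)]


def run_scenario() -> dict:
    """Constructed sequence: one proper reporter, one started but never registered,
    and one unknown sender."""
    m = ManagementEnd()
    m.register("waf-node-1")
    m.mark_started("waf-node-1")
    m.mark_started("waf-node-2")        # started, never registered
    results = {
        "node1_t0": m.receive("waf-node-1", 0.0, {"cpu": 40}),
        "node2_t0": m.receive("waf-node-2", 0.0, {"cpu": 40}),
        "unknown_t0": m.receive("unknown-sender", 0.0, {"cpu": 40}),
        "node1_t5": m.receive("waf-node-1", 5.0, {"cpu": 42}),
    }
    results["silent_at_20"] = m.silent_reporters(20.0)
    results["accepted"] = len(m.accepted)
    return results


if __name__ == "__main__":
    print(run_scenario())
```

Only the registered and started reporter's two reports are accepted; the unregistered node and the unknown sender are refused, and by t=20 the registered node, last heard from at t=5, is flagged as silent.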
The above modules may be functional modules or program modules, and may be implemented by software or hardware. For a module implemented by hardware, the modules may be located in the same processor; or the modules can be respectively positioned in different processors in any combination.
The present embodiment also provides an electronic device comprising a memory 304 and a processor 302, wherein the memory 304 stores a computer program, and the processor 302 is configured to execute the computer program to perform the steps of any of the above method embodiments.
Specifically, the processor 302 may include a Central Processing Unit (CPU) or an Application Specific Integrated Circuit (ASIC), or may be one or more integrated circuits configured to implement the embodiments of the present application.
The memory 304 may include mass storage for data or instructions. By way of example, and not limitation, the memory 304 may include a Hard Disk Drive (HDD), a floppy disk drive, a Solid State Drive (SSD), flash memory, an optical disk, a magneto-optical disk, tape, a Universal Serial Bus (USB) drive, or a combination of two or more of these. The memory 304 may include removable or non-removable (or fixed) media, where appropriate. The memory 304 may be internal or external to the data processing apparatus, where appropriate. In a particular embodiment, the memory 304 is a non-volatile memory. In particular embodiments, the memory 304 includes Read-Only Memory (ROM) and Random Access Memory (RAM). The ROM may be mask-programmed ROM, Programmable ROM (PROM), Erasable PROM (EPROM), Electrically Erasable PROM (EEPROM), Electrically Alterable ROM (EAROM) or flash memory, or a combination of two or more of these, where appropriate. The RAM may be Static Random-Access Memory (SRAM) or Dynamic Random-Access Memory (DRAM), where the DRAM may be Fast Page Mode DRAM (FPM DRAM), Extended Data Output DRAM (EDO DRAM), Synchronous DRAM (SDRAM), and the like.
Memory 304 may be used to store or cache various data files for processing and/or communication purposes, as well as possibly computer program instructions for execution by processor 302.
The processor 302 reads and executes the computer program instructions stored in the memory 304 to implement any one of the security methods of the WEB application firewall in the above embodiments.
Optionally, the electronic apparatus may further include a transmission device 306 and an input/output device 308, where the transmission device 306 is connected to the processor 302, and the input/output device 308 is connected to the processor 302.
Alternatively, in this embodiment, the processor 302 may be configured to execute the following steps by a computer program:
S1, acquiring the state information of an event related to the stability of the WEB application firewall.
S2, judging whether the event is an abnormal event according to the state information of the event.
S3, when the event is judged to be an abnormal event, querying the abnormal processing operation information corresponding to the abnormal event in the preset configuration information and displaying the abnormal processing operation information; the preset configuration information includes an association relation between the abnormal event and the abnormal processing operation information.
It should be noted that, for specific examples in this embodiment, reference may be made to examples described in the foregoing embodiments and optional implementations, and details of this embodiment are not described herein again.
In addition, in combination with the security protection method of the WEB application firewall in the foregoing embodiment, an embodiment of the present application may provide a storage medium having a computer program stored thereon; when executed by a processor, the computer program implements the security protection method of the WEB application firewall of any of the above embodiments.
It should be understood by those skilled in the art that various features of the above embodiments can be combined arbitrarily, and for the sake of brevity, all possible combinations of the features in the above embodiments are not described, but should be considered as within the scope of the present disclosure as long as there is no contradiction between the combinations of the features.
The above examples are merely illustrative of several embodiments of the present application, and the description is more specific and detailed, but not to be construed as limiting the scope of the present application. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present application shall be subject to the appended claims.

Claims (10)

1. A safety protection method for a WEB application firewall is characterized by comprising the following steps:
acquiring state information of an event related to the stability of a WEB application firewall;
judging whether the event is an abnormal event or not according to the state information of the event;
under the condition that the event is judged to be an abnormal event, inquiring abnormal processing operation information corresponding to the abnormal event in preset configuration information, and displaying the abnormal processing operation information; the preset configuration information comprises an incidence relation between an abnormal event and abnormal processing operation information.
2. The security protection method for a WEB application firewall according to claim 1, wherein the state information includes at least one of the following: process state information, resource state information and network card state information; and judging whether the event is an abnormal event according to the state information of the event comprises the following steps:
under the condition that the state information comprises process state information, judging whether a process abnormal exit event exists in the event, and under the condition that the process abnormal exit event exists in the event, marking the event as an abnormal event;
under the condition that the state information comprises resource state information, judging whether an abnormal resource utilization rate event exists in the events, and under the condition that the abnormal resource utilization rate event exists in the events, marking the events as abnormal events;
and under the condition that the state information comprises network card state information, judging whether a network card abnormal packet loss rate event and/or a network card DOWN event exist in the events, and under the condition that the network card abnormal packet loss rate event and/or the network card DOWN event exist in the events, marking the events as abnormal events.
3. The security protection method for a WEB application firewall according to claim 2, wherein:
when the abnormal event comprises a process abnormal exit event, the abnormal processing operation information comprises restarting the process associated with the process abnormal exit event and sending error reporting information;
when the abnormal event comprises an abnormal resource utilization rate event, the abnormal processing operation information comprises closing at least one process and/or file associated with the abnormal resource utilization rate event and sending error reporting information;
and under the condition that the abnormal event comprises a network card abnormal packet loss rate event and/or a network card DOWN event, the abnormal processing operation information comprises the network card associated with the network card abnormal packet loss rate event and/or the network card DOWN event, and error reporting information is sent.
4. The WEB application firewall security protection method according to claim 2, wherein the resource status information includes at least one of the following: CPU occupation state information, memory occupation state information and disk occupation state information; under the condition that the state information comprises resource state information, judging whether an abnormal resource utilization rate event exists in the events comprises the following steps:
under the condition that the state information comprises CPU occupation state information, judging whether the current CPU occupancy rate is higher than a first threshold value, and under the condition that the current CPU occupancy rate is higher than the first threshold value, judging that an abnormal resource utilization rate event exists in the events;
under the condition that the state information comprises memory occupation state information, judging whether the current memory occupancy rate is higher than a second threshold value or not, and under the condition that the current memory occupancy rate is higher than the second threshold value, judging that an abnormal resource utilization rate event exists in the events;
and under the condition that the state information comprises disk occupation state information, judging whether the current disk occupation space is higher than a third threshold value, and under the condition that the current disk occupation space is higher than the third threshold value, judging that an abnormal resource utilization rate event exists in the events.
5. The method of claim 2, wherein when the event is determined to be an abnormal event, querying abnormal processing operation information corresponding to the abnormal event in preset configuration information, and displaying the abnormal processing operation information comprises:
under the condition that the abnormal event comprises a process abnormal exit event and/or a network card abnormal packet loss rate event and a network card DOWN event, inquiring abnormal processing operation information corresponding to the abnormal event in preset configuration information, and displaying the abnormal processing operation information;
and under the condition that the abnormal event comprises an abnormal resource utilization rate event, displaying a process and/or a file related to the abnormal resource utilization rate event, inquiring abnormal processing operation information corresponding to the abnormal event in preset configuration information, and displaying the abnormal processing operation information.
6. The WEB application firewall security protection method according to claim 5, wherein the resource status information includes at least one of the following: CPU occupation state information, memory occupation state information and disk occupation state information; in the event that the exception event comprises an exception resource usage event, presenting a process and/or file associated with the exception resource usage event comprises:
when the state information comprises CPU occupation state information, sorting the processes according to the CPU occupation rate of the processes from high to low, and selecting a preset number of processes from high to low in a sorting sequence for display;
when the state information comprises memory occupation state information, sorting the processes according to the memory occupation rate of the processes from high to low, and selecting a preset number of processes from high to low in a sorting sequence for display;
and under the condition that the state information comprises the disk occupation state information, sorting the files according to the descending of the disk occupation space of the files, and selecting a preset number of files from high to low in a sorting sequence for displaying.
7. The security protection method for a WEB application firewall according to claim 1, wherein acquiring state information of an event related to the stability of the WEB application firewall comprises the following steps:
acquiring starting information and registration information of a reporter;
and receiving the state information of the event related to the stability of the WEB application firewall, which is sent by the reporter at intervals of preset time under the condition that the starting information of the reporter is started and the registration information is registered.
8. A safety protection device of a WEB application firewall is characterized by comprising:
an acquisition module, configured to acquire state information of an event related to the stability of the WEB application firewall;
The management module is used for judging whether the event is an abnormal event or not according to the state information of the event;
the display module is used for inquiring the exception handling operation information corresponding to the exception event in preset configuration information and displaying the exception handling operation information under the condition that the event is judged to be the exception event; the preset configuration information comprises an incidence relation between an abnormal event and abnormal processing operation information.
9. An electronic device comprising a memory and a processor, wherein the memory stores a computer program, and the processor is configured to execute the computer program to perform the method for securing the WEB application firewall according to any one of claims 1 to 7.
10. A storage medium having a computer program stored therein, wherein the computer program is configured to execute the method for securing a WEB application firewall according to any one of claims 1 to 7 when running.
CN202010875522.1A 2020-08-27 2020-08-27 Security protection method and device for WEB application firewall and electronic device Active CN112165450B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010875522.1A CN112165450B (en) 2020-08-27 2020-08-27 Security protection method and device for WEB application firewall and electronic device

Publications (2)

Publication Number Publication Date
CN112165450A true CN112165450A (en) 2021-01-01
CN112165450B CN112165450B (en) 2023-04-21

Family

ID=73860368

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant