CN112165450B - Security protection method and device for WEB application firewall and electronic device - Google Patents
- Publication number
- CN112165450B (application CN202010875522.1A)
- Authority
- CN
- China
- Prior art keywords
- event
- abnormal
- state information
- information
- condition
- Prior art date
- Legal status
- Active
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
        - H04L41/06—Management of faults, events, alarms or notifications
          - H04L41/0631—Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
      - H04L43/00—Arrangements for monitoring or testing data switching networks
        - H04L43/08—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
        - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
          - H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
            - H04L63/1416—Event detection, e.g. attack signature detection
          - H04L63/1441—Countermeasures against malicious traffic
      - H04L67/00—Network arrangements or protocols for supporting network services or applications
        - H04L67/01—Protocols
          - H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
Abstract
The application relates to a security protection method, a security protection device, an electronic device and a storage medium for a WEB application firewall. The method comprises the following steps: acquiring state information of an event related to the stability of a WEB application firewall; judging whether the event is an abnormal event according to the state information of the event; and, when the event is judged to be an abnormal event, querying the exception handling operation information corresponding to the abnormal event in preset configuration information and displaying that exception handling operation information, where the preset configuration information comprises the association relation between abnormal events and exception handling operation information. This solves the problem in the related art that a user cannot process abnormal events of a WEB application firewall in time: the user can handle abnormal events of the WEB application firewall promptly, which achieves the technical effect of improving the stability of the WEB application firewall.
Description
Technical Field
The present disclosure relates to the field of network security technologies, and in particular, to a security protection method and apparatus for a WEB application firewall, an electronic device, and a storage medium.
Background
With the continuous development of network technology, WEB applications are becoming more and more abundant, and WEB servers gradually become a main attack target with their strong computing power, processing performance and higher economic value.
A WEB application firewall (Web Application Firewall, abbreviated as WAF) is a product dedicated to protecting WEB applications by enforcing a series of security policies on HTTP/HTTPS traffic. It is mainly used to defend against attacks on the application layer, such as SQL injection, cross-site scripting, parameter tampering, application platform vulnerability exploitation, denial of service, and the like.
The WAF in the related art usually scans and filters the user request before the user request reaches the WEB server in front of the WEB application, analyzes and verifies the network packet of each user request, ensures that each user request is effective and safe, and blocks or isolates the request with invalid or aggressive behavior. By checking HTTP traffic, attacks originating from security vulnerabilities of WEB applications (e.g., SQL injection, cross-site scripting attacks, file inclusion, and security configuration errors) can be prevented. However, such a technical solution often cannot timely display the resource status of the WAF. The system state of the current WAF cannot be known at the front end in time, and the user cannot directly know which process occupies high CPU, occupies high memory or how the current network card state is, so that the user cannot timely carry out emergency treatment on the processes, files or network cards causing the abnormality when the WAF finds the abnormality.
At present, no effective solution is proposed for the problem that a user cannot timely process abnormal events of a WEB application firewall in the related art.
Disclosure of Invention
The embodiments of the application provide a security protection method, a security protection device, an electronic device and a storage medium for a WEB application firewall, which at least solve the problem in the related art that a user cannot process abnormal events of a WEB application firewall in time.
In a first aspect, an embodiment of the present application provides a security protection method for a WEB application firewall, including: acquiring state information of an event related to the stability of a WEB application firewall; judging whether the event is an abnormal event or not according to the state information of the event; under the condition that the event is judged to be an abnormal event, inquiring abnormal processing operation information corresponding to the abnormal event in preset configuration information, and displaying the abnormal processing operation information; the preset configuration information comprises association relation between an abnormal event and abnormal processing operation information.
In some of these embodiments, the status information includes at least one of: process state information, resource state information and network card state information; judging whether the event is an abnormal event according to the state information of the event comprises the following steps: judging whether a process abnormal exit event exists in the event or not under the condition that the state information comprises the process state information, and marking the event as an abnormal event under the condition that the process abnormal exit event exists in the event; judging whether an abnormal resource utilization rate event exists in the event or not under the condition that the state information comprises resource state information, and marking the event as an abnormal event under the condition that the abnormal resource utilization rate event exists in the event; judging whether a network card abnormal packet loss rate event and/or a network card DOWN event exists in the event or not under the condition that the state information comprises the network card state information, and marking the event as an abnormal event under the condition that the network card abnormal packet loss rate event and/or the network card DOWN event exists in the event.
In some embodiments, when the abnormal event comprises a process abnormal exit event, the exception handling operation information comprises restarting the process associated with the process abnormal exit event and sending error reporting information; when the abnormal event comprises an abnormal resource usage event, the exception handling operation information comprises closing at least one process and/or file associated with the abnormal resource usage event and sending error reporting information; and when the abnormal event comprises a network card abnormal packet loss rate event and/or a network card DOWN event, the exception handling operation information comprises restarting the network card associated with the network card abnormal packet loss rate event and/or the network card DOWN event and sending error reporting information.
In some of these embodiments, the resource status information includes at least one of: CPU occupation state information, memory occupation state information and disk occupation state information; in the case where the state information includes resource state information, determining whether an abnormal resource usage event exists in the event includes: judging whether the current CPU occupancy rate is higher than a first threshold value or not under the condition that the state information comprises CPU occupancy state information, and judging that an abnormal resource utilization rate event exists in the event under the condition that the current CPU occupancy rate is higher than the first threshold value; judging whether the current memory occupancy rate is higher than a second threshold value or not under the condition that the state information comprises memory occupancy state information, and judging that an abnormal resource utilization rate event exists in the event under the condition that the current memory occupancy rate is higher than the second threshold value; and judging whether the current disk occupation space is higher than a third threshold value or not under the condition that the state information comprises the disk occupation state information, and judging that an abnormal resource utilization rate event exists in the event under the condition that the current disk occupation space is higher than the third threshold value.
In some embodiments, when the event is determined to be an abnormal event, querying, in preset configuration information, exception handling operation information corresponding to the abnormal event, and displaying the exception handling operation information includes: under the condition that the abnormal event comprises a process abnormal exit event, a network card abnormal packet loss rate event and a network card DOWN event, inquiring abnormal processing operation information corresponding to the abnormal event in preset configuration information, and displaying the abnormal processing operation information; and under the condition that the abnormal event comprises an abnormal resource utilization rate event, displaying a process and/or a file associated with the abnormal resource utilization rate event, inquiring abnormal processing operation information corresponding to the abnormal event in preset configuration information, and displaying the abnormal processing operation information.
In some of these embodiments, the resource status information includes at least one of: CPU occupation state information, memory occupation state information and disk occupation state information; and when the abnormal event comprises an abnormal resource usage event, displaying a process and/or file associated with the abnormal resource usage event comprises: when the state information comprises CPU occupation state information, sorting the processes by their CPU occupancy rate from high to low and selecting a preset number of processes from the top of the sorted sequence for display; when the state information comprises memory occupation state information, sorting the processes by their memory occupancy rate from high to low and selecting a preset number of processes from the top of the sorted sequence for display; and when the state information comprises disk occupation state information, sorting the files by their disk occupation space from large to small and selecting a preset number of files from the top of the sorted sequence for display.
In some of these embodiments, obtaining state information of an event related to the stability of the WEB application firewall includes: acquiring the start information and registration information of a reporter; and, when the start information of the reporter indicates that it is started and the registration information indicates that it is registered, receiving the state information of events related to the stability of the WEB application firewall that the reporter sends at intervals of a preset time.
In a second aspect, an embodiment of the present application provides a security protection device for a WEB application firewall, including an acquisition module, a state information management module and a control module, wherein the acquisition module acquires state information of an event related to the stability of the WEB application firewall and judges whether the event is an abnormal event according to the state information of the event; and a display module, which, when the event is judged to be an abnormal event, queries the exception handling operation information corresponding to the abnormal event in preset configuration information and displays that exception handling operation information; the preset configuration information comprises the association relation between abnormal events and exception handling operation information.
In a third aspect, an embodiment of the present application provides an electronic device, including a memory, a processor, and a computer program stored in the memory and capable of running on the processor, where the processor implements the security protection method for a WEB application firewall according to the first aspect when it executes the computer program.
In a fourth aspect, an embodiment of the present application provides a storage medium storing a computer program which, when executed by a processor, implements the security protection method for a WEB application firewall according to the first aspect.
Compared with the related art, the security protection method, security protection device, electronic device and storage medium for a WEB application firewall provided by the embodiments of the application solve the problem that a user cannot process abnormal events of the WEB application firewall in time: the user can handle such abnormal events promptly, which achieves the technical effect of improving the stability of the WEB application firewall.
The details of one or more embodiments of the application are set forth in the accompanying drawings and the description below to provide a more thorough understanding of the other features, objects, and advantages of the application.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute an undue limitation to the application. In the drawings:
FIG. 1 is a flow chart of a method of security protection of a WEB application firewall according to an embodiment of the application;
FIG. 2 is a block diagram of the security protection device of a WEB application firewall according to an embodiment of the application;
FIG. 3 is a schematic diagram of the hardware structure of an electronic device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described and illustrated below with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the present application. All other embodiments that can be made by one of ordinary skill in the art, without undue burden, based on the embodiments provided herein are intended to fall within the scope of the present application. Moreover, it should be appreciated that while such a development effort might be complex and lengthy, it would nevertheless be a routine undertaking of design, fabrication, or manufacture for those of ordinary skill having the benefit of this disclosure.
Reference in the specification to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment may be included in at least one embodiment of the application. The appearances of such phrases in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. It is to be expressly and implicitly understood by those of ordinary skill in the art that the embodiments described herein can be combined with other embodiments without conflict.
Unless defined otherwise, technical or scientific terms used herein have the ordinary meaning understood by one of ordinary skill in the art to which this application belongs. Reference to "a," "an," "the," and similar terms herein does not denote a limitation of quantity, but rather denotes the singular or plural. The terms "comprising," "including," "having," and any variations thereof are intended to cover a non-exclusive inclusion; for example, a process, method, system, article, or apparatus that comprises a list of steps or modules (elements) is not limited to only those steps or elements but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. The terms "connected," "coupled," and the like in this application are not limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. The term "plurality" as used herein means greater than or equal to two. "And/or" describes an association relationship between associated objects, meaning that three relationships are possible; e.g., "A and/or B" may mean: A exists alone, A and B exist together, or B exists alone. The terms "first," "second," "third," and the like, as used herein, merely distinguish between similar objects and do not represent a particular ordering of objects.
The embodiment provides a security protection method of a WEB application firewall, and fig. 1 is a flowchart of the security protection method of the WEB application firewall according to an embodiment of the application, as shown in fig. 1, where the flowchart includes the following steps:
Step S101, acquiring state information of an event related to the stability of the WEB application firewall.
In this embodiment, the status information of the WEB application firewall may be obtained from the reporter of the WEB application firewall. The method comprises the following steps:
Step 1, acquiring the start information and registration information of a reporter.
Step 2, when the start information of the reporter indicates that it is started and the registration information indicates that it is registered, receiving the state information of events related to the stability of the WEB application firewall that the reporter sends at intervals of a preset time.
In this embodiment, the preset time may be 5 seconds, and the reporters whose status information is to be received and processed may be configured on a page of the WEB application firewall. The exception handling operation information corresponding to an abnormal event can be looked up in the preset configuration information. The preset configuration information may take the following format: enabled (yes/no) - reporter - state information. The state information of the WEB application firewall can be obtained from a reporter only when the preset configuration information has been loaded and that reporter is in the enabled state in the preset configuration information; the preset configuration information also comprises the association relation between abnormal events and exception handling operation information.
In other embodiments, the preset time may be other values.
Meanwhile, a reporter registers with the management end in advance, and the management end only accepts information sent by reporters registered with it, which ensures the security and predictability of the information the reporters send.
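The intake gating described in steps 1 and 2 (registered in advance, enabled in the preset configuration, reporting every 5 seconds), as an added example that is not code from the patent. It assumes the "enabled - reporter - state information" configuration lines are plain text with `-` separators, uses constructed reporter names, and goes one step beyond the text by also surfacing an enabled reporter that stops reporting (an assumption made here):

```python
"""Management-end intake of reporter status reports (constructed example, not the patent's code).
A report is processed only if its reporter registered in advance with the management end
and is enabled in the preset configuration."""
from dataclasses import dataclass, field

REPORT_INTERVAL_S = 5  # preset reporting interval from the description

# Preset configuration lines in the "enabled - reporter - state information" form;
# reporter names and state-information kinds are constructed for this example.
PRESET_CONFIG = """\
yes - process_reporter - process_state
yes - resource_reporter - resource_state
no  - nic_reporter - network_card_state
"""


def parse_preset_config(text: str) -> dict:
    """Return {reporter: (enabled, state_kind)} from 'yes/no - reporter - kind' lines."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("-", 2)]
        if len(parts) != 3 or parts[0] not in ("yes", "no"):
            raise ValueError(f"malformed config line: {raw!r}")
        enabled, reporter, kind = parts
        entries[reporter] = (enabled == "yes", kind)
    return entries


@dataclass
class ManagementEnd:
    config: dict                                   # from parse_preset_config
    registered: set = field(default_factory=set)   # reporters that registered in advance
    last_seen: dict = field(default_factory=dict)  # reporter -> time of last accepted report
    accepted: list = field(default_factory=list)   # (time, reporter, kind, payload) kept for judging

    def register(self, reporter: str) -> bool:
        """Registration succeeds only for reporters the preset configuration knows about."""
        if reporter not in self.config:
            return False
        self.registered.add(reporter)
        return True

    def receive(self, now: float, reporter: str, kind: str, payload: dict) -> str:
        """Accept or reject one report; the returned reason is what an operator would see logged."""
        entry = self.config.get(reporter)
        if entry is None or reporter not in self.registered:
            return "rejected: not registered"
        enabled, declared_kind = entry
        if not enabled:
            return "rejected: reporter disabled in preset configuration"
        if kind != declared_kind:
            return "rejected: state information kind does not match registration"
        self.last_seen[reporter] = now
        self.accepted.append((now, reporter, kind, payload))
        return "accepted"

    def silent_reporters(self, now: float, tolerance: int = 2 * REPORT_INTERVAL_S) -> list:
        """Enabled, registered reporters that missed their interval. Assumption added here:
        a reporter that stops reporting is surfaced rather than silently ignored."""
        out = []
        for reporter, (enabled, _kind) in self.config.items():
            if enabled and reporter in self.registered:
                if now - self.last_seen.get(reporter, float("-inf")) > tolerance:
                    out.append(reporter)
        return sorted(out)


def demo() -> list:
    """Constructed sequence: accepted, disabled, unregistered, wrong kind, accepted, then a gap."""
    m = ManagementEnd(parse_preset_config(PRESET_CONFIG))
    results = [m.register("process_reporter"), m.register("nic_reporter"), m.register("rogue")]
    results += [
        m.receive(0.0, "process_reporter", "process_state", {"nginx": "running"}),
        m.receive(0.0, "nic_reporter", "network_card_state", {"eth0": "up"}),
        m.receive(0.0, "rogue", "process_state", {"nginx": "exited"}),
        m.receive(5.0, "process_reporter", "resource_state", {"cpu": 50}),
        m.receive(5.0, "process_reporter", "process_state", {"nginx": "running"}),
    ]
    results.append(m.silent_reporters(now=20.0))
    return results
```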
Step S102, judging whether the event is an abnormal event according to the state information of the event.
In this embodiment, the status information may include, but is not limited to, at least one of: process state information, resource state information and network card state information.
The process state information, the resource state information and the network card state information can be respectively sent to the management end by a first reporter, a second reporter and a third reporter, wherein the first reporter is used for guaranteeing the key process of the WEB application firewall and timely reporting the process state information to the management end; the second reporter is used for guaranteeing the system resource state of the WEB application firewall and reporting the resource state information to the management end in time; the third reporter is used for guaranteeing the network card running state of the WEB application firewall and reporting the network card state information to the management end in time.
The management end can judge whether an abnormal event occurs or not based on the state information, and send error reporting information under the condition that the abnormal event occurs, and process the abnormal event according to the abnormal processing operation information corresponding to the abnormal event.
The association relationship among the report, the event state and the abnormal processing operation information corresponding to the event is shown in table 1.
TABLE 1
Judging whether a process abnormal exit event exists in the event or not under the condition that the state information comprises the process state information, and marking the event as an abnormal event under the condition that the process abnormal exit event exists in the event; judging whether an abnormal resource utilization rate event exists in the event or not under the condition that the state information comprises the resource state information, and marking the event as an abnormal event under the condition that the abnormal resource utilization rate event exists in the event; judging whether a network card abnormal packet loss rate event and/or a network card DOWN event exists in the event or not under the condition that the state information comprises the network card state information, and marking the event as an abnormal event under the condition that the network card abnormal packet loss rate event and/or the network card DOWN event exists in the event.
As shown in table 1, when the state information includes process state information, the key processes selected in the preset configuration information are monitored; for example, process 1 may be HAProxy and process 2 may be Nginx, and further key processes may be added to the preset configuration information.
In some of these embodiments, the resource status information may include, but is not limited to, at least one of: CPU occupation state information, memory occupation state information and disk occupation state information.
As shown in table 1, wherein, in the case where the status information includes resource status information, determining whether an abnormal resource usage event exists in the event includes: judging whether the current CPU occupancy rate is higher than a first threshold value or not under the condition that the state information comprises CPU occupancy state information, and judging that an abnormal resource utilization rate event exists in the event under the condition that the current CPU occupancy rate is higher than the first threshold value; judging whether the current memory occupancy rate is higher than a second threshold value or not under the condition that the state information comprises the memory occupancy state information, and judging that an abnormal resource utilization rate event exists in the event under the condition that the current memory occupancy rate is higher than the second threshold value; and judging whether the current disk occupation space is higher than a third threshold value or not under the condition that the state information comprises the disk occupation state information, and judging that an abnormal resource utilization rate event exists in the event under the condition that the current disk occupation space is higher than the third threshold value.
In this embodiment, the first threshold may be 90%, the second threshold may be 90%, the third threshold may be 80%, the fourth threshold may be 20%, and in other embodiments, the first threshold, the second threshold, the third threshold, and the fourth threshold may be other values.
Step S103, inquiring exception handling operation information corresponding to the exception event in preset configuration information and displaying the exception handling operation information when judging that the event is the exception event; the preset configuration information comprises association relation between an abnormal event and abnormal processing operation information.
In some embodiments, when the event is determined to be an abnormal event, querying, in preset configuration information, exception handling operation information corresponding to the abnormal event, and displaying the exception handling operation information includes: under the condition that the abnormal event comprises a process abnormal exit event, a network card abnormal packet loss rate event and a network card DOWN event, inquiring abnormal processing operation information corresponding to the abnormal event in preset configuration information, and displaying the abnormal processing operation information; and under the condition that the abnormal event comprises an abnormal resource utilization rate event, displaying a process and/or a file associated with the abnormal resource utilization rate event, inquiring abnormal processing operation information corresponding to the abnormal event in preset configuration information, and displaying the abnormal processing operation information.
As shown in table 1, in this embodiment, in the case where the state information includes CPU occupancy state information, the processes may be ordered from high to low according to the CPU occupancy rate of the processes, and a preset number of processes are selected from high to low in the ordered sequence to be displayed; under the condition that the state information comprises memory occupation state information, the processes can be ordered from high to low according to the memory occupation rate of the processes, and a preset number of processes are selected from high to low in an ordering sequence to be displayed; under the condition that the state information comprises the disk occupation state information, the files can be ordered according to the disk occupation space of the files from large to small, and a preset number of files are selected from high to low in the ordering sequence to be displayed.
In this embodiment, the preset number may be 10, and in other embodiments, the preset number may also be other values. After the preset number of processes are displayed, a restarting process, a closing process or an error message sending process can be selected based on the corresponding abnormal processing operation information; after the preset number of files are displayed, the files can be deleted or error information can be sent based on the abnormal processing operation information.
As shown in table 1, when the abnormal event includes a process abnormal exit event, the exception handling operation information includes restarting the process associated with the process abnormal exit event and sending error reporting information; when the abnormal event includes an abnormal resource usage event, the exception handling operation information includes closing at least one process and/or file associated with the abnormal resource usage event and sending error reporting information; and when the abnormal event includes a network card abnormal packet loss rate event and/or a network card DOWN event, the exception handling operation information includes restarting the network card associated with the network card abnormal packet loss rate event and/or the network card DOWN event and sending error reporting information.
In some embodiments, when the state information is resource state information, closing at least one process and/or file associated with the abnormal resource usage event and sending error reporting information includes: when the resource state information is CPU occupation state information, sorting the processes by their CPU occupancy rate from high to low and selecting at least one process from the top of the sorted sequence to close; when the state information is memory occupation state information, sorting the processes by their memory occupancy rate from high to low and selecting at least one process from the top of the sorted sequence to close; and when the state information is disk occupation state information, sorting the files by their disk occupation space from large to small and selecting at least one file from the top of the sorted sequence to delete.
Where the state information is disk occupation state information, only the disk catalogues selected in the preset configuration information are monitored; several catalogues can be added to the preset configuration information, and the security protection method of the WEB application firewall can display, for each catalogue, the preset number of files that occupy the most disk space.
In other embodiments, since the management end receives the status information of the WEB application firewall sent by the reporter at every preset interval, with an interval of 5 seconds the management end may compare the current status information with the status information of the event obtained 5 seconds earlier, and determine that the event is an abnormal event only when the current status information does not match the status information obtained 5 seconds earlier. For example, if the state information of the event obtained 5 seconds earlier is normal and the current state information shows process 1 as abnormal, the event is determined to be an abnormal event.
A WAF in the related art usually scans and filters each user request before it reaches the WEB server hosting the WEB application: it analyzes and verifies the network packets of every user request, ensures that each request is valid and safe, and blocks or isolates requests that are invalid or show attack behaviour. By inspecting HTTP traffic, attacks that exploit security vulnerabilities of WEB applications (e.g., SQL injection, cross-site scripting, file inclusion and security misconfiguration) can be prevented. However, such a solution often cannot display the resource status of the WAF in time. The current system state of the WAF cannot be known at the front end promptly, and the user cannot directly see which process is consuming high CPU or high memory, or what the current network card state is, so when the WAF detects an abnormality the user cannot promptly take emergency action on the process, file or network card causing it.
Through the steps S101 to S103, after the event related to the stability of the WEB application firewall is found to be an abnormal event, the user can intuitively see which events cause the abnormality by querying the abnormality processing operation information corresponding to the abnormal event in the preset configuration information and displaying the abnormality processing operation information, and process the abnormal events based on the abnormality processing operation information.
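As an added example (not the patent's own code), the following Python sketch models the management end's steps S102 and S103 over one reporter's state information: the three resource threshold checks, the process exit and network card checks, the top-N ranking of processes and files, the lookup of the handling operation in the preset configuration, and the comparison with the previous report described above. All threshold values, field names, the reduced preset number of 3 and the sample report are assumptions.

```python
"""Added example (not the patent's own code): a management-end model of the
CN112165450B method. Thresholds, names and sample reports are all assumed."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Preset configuration (assumed values): the first/second/third thresholds of
# claim 4, the display count, and the event-to-operation association of claim 3.
PRESET_CONFIG = {
    "cpu_threshold": 80.0,      # first threshold, percent
    "mem_threshold": 85.0,      # second threshold, percent
    "disk_threshold": 90.0,     # third threshold, percent of space used
    "nic_loss_threshold": 5.0,  # packet-loss percent; the patent gives no value
    "preset_number": 3,         # patent suggests 10; 3 keeps the sample small
    "handling": {
        "process_abnormal_exit": "restart the exited process; send error report",
        "abnormal_resource_usage": "close listed processes/files; send error report",
        "nic_abnormal_packet_loss": "restart the network card; send error report",
        "nic_down": "restart the network card; send error report",
    },
}

@dataclass
class ProcessInfo:
    name: str
    cpu_pct: float
    mem_pct: float
    exited_abnormally: bool = False

@dataclass
class FileInfo:
    path: str
    size_bytes: int

@dataclass
class StateReport:
    """One periodic report from the WAF reporter: process, resource, NIC state."""
    processes: List[ProcessInfo]
    cpu_pct: float
    mem_pct: float
    disk_pct: float
    files: List[FileInfo]   # files under the monitored disk catalogues
    nic_loss_pct: float
    nic_up: bool

def classify(report: StateReport, cfg=PRESET_CONFIG) -> List[str]:
    """Step S102: map state information to abnormal event names (claims 2, 4)."""
    events = []
    if any(p.exited_abnormally for p in report.processes):
        events.append("process_abnormal_exit")
    if (report.cpu_pct > cfg["cpu_threshold"] or report.mem_pct > cfg["mem_threshold"]
            or report.disk_pct > cfg["disk_threshold"]):
        events.append("abnormal_resource_usage")
    if report.nic_loss_pct > cfg["nic_loss_threshold"]:
        events.append("nic_abnormal_packet_loss")
    if not report.nic_up:
        events.append("nic_down")
    return events

def top_consumers(report: StateReport, cfg=PRESET_CONFIG) -> Dict[str, List[str]]:
    """For each resource over its threshold, the preset number of heaviest
    processes (by CPU or memory) or largest files, highest first (claim 6)."""
    n = cfg["preset_number"]
    shown: Dict[str, List[str]] = {}
    if report.cpu_pct > cfg["cpu_threshold"]:
        ranked = sorted(report.processes, key=lambda p: p.cpu_pct, reverse=True)
        shown["cpu"] = [p.name for p in ranked[:n]]
    if report.mem_pct > cfg["mem_threshold"]:
        ranked = sorted(report.processes, key=lambda p: p.mem_pct, reverse=True)
        shown["mem"] = [p.name for p in ranked[:n]]
    if report.disk_pct > cfg["disk_threshold"]:
        ranked = sorted(report.files, key=lambda f: f.size_bytes, reverse=True)
        shown["disk"] = [f.path for f in ranked[:n]]
    return shown

def handle(report: StateReport, previous: Optional[StateReport] = None, cfg=PRESET_CONFIG) -> List[dict]:
    """Step S103: look up each event's handling operation in the preset config and
    attach what to display; with a previous report, raise only events absent from it."""
    events = classify(report, cfg)
    if previous is not None:
        events = [e for e in events if e not in classify(previous, cfg)]
    results = []
    for e in events:
        entry = {"event": e, "operation": cfg["handling"][e]}
        if e == "abnormal_resource_usage":
            entry["display"] = top_consumers(report, cfg)
        results.append(entry)
    return results

# Constructed sample report: CPU over its threshold, everything else normal.
SAMPLE_REPORT = StateReport(
    processes=[ProcessInfo("waf-engine", 62.0, 30.0), ProcessInfo("logger", 21.0, 12.0),
               ProcessInfo("updater", 3.0, 4.0), ProcessInfo("ui", 1.0, 9.0)],
    cpu_pct=87.0, mem_pct=55.0, disk_pct=40.0,
    files=[FileInfo("/var/log/waf/access.log", 900), FileInfo("/var/log/waf/audit.log", 400)],
    nic_loss_pct=0.2, nic_up=True,
)
```

Calling `handle(SAMPLE_REPORT)` yields a single abnormal resource usage entry whose display lists the three heaviest CPU consumers; passing the same report as `previous` yields nothing, because the state has not changed.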
The embodiment also provides a security protection device for a WEB application firewall, which is used to implement the foregoing embodiments and preferred embodiments; what has already been described is not repeated. Although the means described in the following embodiments are preferably implemented in software, implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
Fig. 2 is a block diagram of a security protection apparatus for a WEB application firewall according to an embodiment of the present application, and as shown in fig. 2, the apparatus includes: the acquiring module 20 acquires state information of an event related to the stability of the WEB application firewall; the management module 21 judges whether the event is an abnormal event according to the state information of the event; the display module 22 queries the exception handling operation information corresponding to the exception event in the preset configuration information and displays the exception handling operation information when judging that the event is the exception event; the preset configuration information comprises association relation between an abnormal event and abnormal processing operation information.
In one embodiment, the status information includes, but is not limited to, at least one of: process state information, resource state information and network card state information; the management module 21 is configured to determine whether a process exception exit event exists in the event in the case where the state information includes process state information, and mark the event as an exception event in the case where the process exception exit event exists in the event; judging whether an abnormal resource utilization rate event exists in the event or not under the condition that the state information comprises the resource state information, and marking the event as an abnormal event under the condition that the abnormal resource utilization rate event exists in the event; judging whether a network card abnormal packet loss rate event and/or a network card DOWN event exists in the event or not under the condition that the state information comprises the network card state information, and marking the event as an abnormal event under the condition that the network card abnormal packet loss rate event and/or the network card DOWN event exists in the event.
In one embodiment, where the exception event includes a process exception exit event, the exception handling operation information includes restarting the process associated with the process exception exit event and sending error reporting information; where the abnormal event includes an abnormal resource usage event, the abnormal processing operation information includes closing at least one process and/or file associated with the abnormal resource usage event and sending error reporting information; where the abnormal event includes a network card abnormal packet loss rate event and/or a network card DOWN event, the abnormal processing operation information includes restarting the network card associated with the network card abnormal packet loss rate event and/or the network card DOWN event and sending error reporting information.
In one embodiment, the resource status information includes, but is not limited to, at least one of: CPU occupation state information, memory occupation state information and disk occupation state information; the management module 21 is further configured to determine whether the current CPU occupancy is above a first threshold if the status information includes CPU occupancy status information, and determine that an abnormal resource usage event exists in the event if the current CPU occupancy is above the first threshold; judging whether the current memory occupancy rate is higher than a second threshold value or not under the condition that the state information comprises the memory occupancy state information, and judging that an abnormal resource utilization rate event exists in the event under the condition that the current memory occupancy rate is higher than the second threshold value; and judging whether the current disk occupation space is higher than a third threshold value or not under the condition that the state information comprises the disk occupation state information, and judging that an abnormal resource utilization rate event exists in the event under the condition that the current disk occupation space is higher than the third threshold value.
In one embodiment, the presentation module 22 is configured to query the exception handling operation information corresponding to an exception event in the preset configuration information and present that information when the exception event includes a process exception exit event, a network card abnormal packet loss rate event and/or a network card DOWN event; and, where the abnormal event includes an abnormal resource usage event, to display the process and/or file associated with the abnormal resource usage event, query the abnormal processing operation information corresponding to the abnormal event in the preset configuration information, and display that information.
In one embodiment, the presenting module 22 is further configured to, in a case where the state information includes CPU occupancy state information, sort the processes from high to low according to the CPU occupancy rate of the processes, and select a preset number of processes from high to low in the sorted sequence for presentation; under the condition that the state information comprises memory occupation state information, sequencing the processes from high to low according to the memory occupation rate of the processes, and selecting a preset number of processes from high to low in a sequencing sequence for display; under the condition that the state information comprises disk occupation state information, sorting the files according to the disk occupation space of the files from large to small, and selecting a preset number of files from high to low in the sorting sequence for displaying.
In one embodiment, the obtaining module 20 is configured to obtain the start-up state and the registration information of the reporter, and to receive the state information of events related to the stability of the WEB application firewall, sent by the reporter at intervals of a preset time, when the reporter's start-up state is started and its registration information is registered.
The above-described respective modules may be functional modules or program modules, and may be implemented by software or hardware. For modules implemented in hardware, the various modules described above may be located in the same processor; or the above modules may be located in different processors in any combination.
The present embodiment also provides an electronic device comprising a memory 304 and a processor 302, the memory 304 having stored therein a computer program, the processor 302 being arranged to run the computer program to perform the steps of any of the method embodiments described above.
In particular, the processor 302 may include a Central Processing Unit (CPU), or an application specific integrated circuit (Application Specific Integrated Circuit, abbreviated as ASIC), or may be configured to implement one or more integrated circuits of embodiments of the present application.
Optionally, the electronic apparatus may further include a transmission device 306 and an input/output device 308, where the transmission device 306 is connected to the processor 302, and the input/output device 308 is connected to the processor 302.
Alternatively, in the present embodiment, the above-mentioned processor 302 may be configured to execute the following steps by a computer program:
S1, acquiring state information of an event related to the stability of a WEB application firewall.
S2, judging whether the event is an abnormal event according to the state information of the event.
S3, under the condition that the event is judged to be an abnormal event, inquiring abnormal processing operation information corresponding to the abnormal event in preset configuration information, and displaying the abnormal processing operation information; the preset configuration information comprises association relation between an abnormal event and abnormal processing operation information.
It should be noted that, specific examples in this embodiment may refer to examples described in the foregoing embodiments and alternative implementations, and this embodiment is not repeated herein.
In addition, in combination with the security protection method of the WEB application firewall in the above embodiments, the embodiments of the application may provide a storage medium for implementation. The storage medium has a computer program stored thereon; the computer program, when executed by the processor, implements the security protection method of a WEB application firewall of any one of the above embodiments.
It should be understood by those skilled in the art that the technical features of the above embodiments may be combined in any manner, and for brevity, all of the possible combinations of the technical features of the above embodiments are not described, however, they should be considered as being within the scope of the description provided herein, as long as there is no contradiction between the combinations of the technical features.
The foregoing examples merely represent several embodiments of the present application, the description of which is more specific and detailed and which should not be construed as limiting the scope of the present application in any way. It should be noted that it would be apparent to those skilled in the art that various modifications and improvements could be made without departing from the spirit of the present application, which would be within the scope of the present application. Accordingly, the scope of protection of the present application shall be subject to the appended claims.
Claims (9)
1. A safety protection method of a WEB application firewall is characterized by comprising the following steps:
acquiring state information of an event related to the stability of a WEB application firewall;
acquiring the state information of the event related to the stability of the WEB application firewall specifically comprises: acquiring, from the reporter of the WEB application firewall, the registration information of the reporter and its opening state in preset configuration information, and receiving state information of events related to the stability of the WEB application firewall, sent by the reporter at intervals of a preset time, under the condition that the opening state of the reporter is started and the registration information is registered;
judging whether the event is an abnormal event or not according to the state information of the event;
under the condition that the event is judged to be an abnormal event, inquiring abnormal processing operation information corresponding to the abnormal event in preset configuration information, and displaying the abnormal processing operation information; the preset configuration information comprises association relation between an abnormal event and abnormal processing operation information.
2. The method for protecting security of a WEB application firewall according to claim 1, wherein the status information comprises at least one of: process state information, resource state information and network card state information; judging whether the event is an abnormal event according to the state information of the event comprises the following steps:
judging whether a process abnormal exit event exists in the event or not under the condition that the state information comprises the process state information, and marking the event as an abnormal event under the condition that the process abnormal exit event exists in the event;
judging whether an abnormal resource utilization rate event exists in the event or not under the condition that the state information comprises resource state information, and marking the event as an abnormal event under the condition that the abnormal resource utilization rate event exists in the event;
judging whether a network card abnormal packet loss rate event and/or a network card DOWN event exists in the event or not under the condition that the state information comprises the network card state information, and marking the event as an abnormal event under the condition that the network card abnormal packet loss rate event and/or the network card DOWN event exists in the event.
3. The method for protecting security of a WEB application firewall according to claim 2, wherein,
under the condition that the abnormal event comprises a process abnormal exit event, the abnormal processing operation information comprises restarting a process associated with the process abnormal exit event and sending error reporting information;
in the case that the abnormal event includes an abnormal resource usage event, the abnormal processing operation information includes closing at least one process and/or file associated with the abnormal resource usage event, and transmitting error reporting information;
and in the case that the abnormal event comprises a network card abnormal packet loss rate event and/or a network card DOWN event, the abnormal processing operation information comprises restarting the network card associated with the network card abnormal packet loss rate event and/or the network card DOWN event, and sending error reporting information.
4. The method for protecting security of a WEB application firewall according to claim 2, wherein the resource status information comprises at least one of: CPU occupation state information, memory occupation state information and disk occupation state information; in the case where the state information includes resource state information, determining whether an abnormal resource usage event exists in the event includes:
judging whether the current CPU occupancy rate is higher than a first threshold value or not under the condition that the state information comprises CPU occupancy state information, and judging that an abnormal resource utilization rate event exists in the event under the condition that the current CPU occupancy rate is higher than the first threshold value;
judging whether the current memory occupancy rate is higher than a second threshold value or not under the condition that the state information comprises memory occupancy state information, and judging that an abnormal resource utilization rate event exists in the event under the condition that the current memory occupancy rate is higher than the second threshold value;
and judging whether the current disk occupation space is higher than a third threshold value or not under the condition that the state information comprises the disk occupation state information, and judging that an abnormal resource utilization rate event exists in the event under the condition that the current disk occupation space is higher than the third threshold value.
5. The method for protecting security of a WEB application firewall according to claim 2, wherein, when the event is determined to be an abnormal event, querying, in preset configuration information, exception handling operation information corresponding to the abnormal event, and displaying the exception handling operation information includes:
under the condition that the abnormal event comprises a process abnormal exit event, a network card abnormal packet loss rate event and a network card DOWN event, inquiring abnormal processing operation information corresponding to the abnormal event in preset configuration information, and displaying the abnormal processing operation information;
and under the condition that the abnormal event comprises an abnormal resource utilization rate event, displaying a process and/or a file associated with the abnormal resource utilization rate event, inquiring abnormal processing operation information corresponding to the abnormal event in preset configuration information, and displaying the abnormal processing operation information.
6. The method of claim 5, wherein the resource status information includes at least one of: CPU occupation state information, memory occupation state information and disk occupation state information; in the case where the abnormal event comprises an abnormal resource usage event, displaying a process and/or file associated with the abnormal resource usage event comprises:
under the condition that the state information comprises CPU occupation state information, sequencing the processes according to the CPU occupation rate of the processes from high to low, and selecting a preset number of processes from high to low in a sequencing sequence for display;
under the condition that the state information comprises memory occupation state information, sequencing the processes according to the memory occupation rate of the processes from high to low, and selecting a preset number of processes from high to low in a sequencing sequence for display;
and under the condition that the state information comprises the disk occupation state information, sorting the files according to the disk occupation space of the files from large to small, and selecting a preset number of files from high to low in the sorting sequence for displaying.
7. A security device for a WEB application firewall, comprising:
the acquisition module acquires state information of an event related to the stability of the WEB application firewall; acquiring the state information of the event related to the stability of the WEB application firewall specifically comprises: acquiring, from the reporter of the WEB application firewall, the registration information of the reporter and its opening state in preset configuration information, and receiving state information of events related to the stability of the WEB application firewall, sent by the reporter at intervals of a preset time, under the condition that the opening state of the reporter is started and the registration information is registered;
the management module judges whether the event is an abnormal event according to the state information of the event;
the display module is used for inquiring the abnormal processing operation information corresponding to the abnormal event in preset configuration information and displaying the abnormal processing operation information under the condition that the event is judged to be the abnormal event; the preset configuration information comprises association relation between an abnormal event and abnormal processing operation information.
8. An electronic device comprising a memory and a processor, wherein the memory has stored therein a computer program, the processor being arranged to run the computer program to perform the method of security protection of a WEB application firewall according to any one of claims 1 to 6.
9. A storage medium having a computer program stored therein, wherein the computer program is configured to perform, when run, the security protection method of a WEB application firewall according to any one of claims 1 to 6.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010875522.1A CN112165450B (en) | 2020-08-27 | 2020-08-27 | Security protection method and device for WEB application firewall and electronic device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112165450A CN112165450A (en) | 2021-01-01 |
CN112165450B true CN112165450B (en) | 2023-04-21 |
Family
ID=73860368
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010875522.1A Active CN112165450B (en) | 2020-08-27 | 2020-08-27 | Security protection method and device for WEB application firewall and electronic device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112165450B (en) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113660215A (en) * | 2021-07-26 | 2021-11-16 | 杭州安恒信息技术股份有限公司 | Attack behavior detection method and device based on Web application firewall |
CN113886118A (en) * | 2021-09-16 | 2022-01-04 | 杭州安恒信息技术股份有限公司 | Abnormal resource processing method, device, system, electronic device and storage medium |
CN114816558B (en) * | 2022-03-07 | 2023-06-30 | 深圳市九州安域科技有限公司 | Script injection method, equipment and computer readable storage medium |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106209425A (en) * | 2016-06-28 | 2016-12-07 | 上海携程商务有限公司 | The method and system of the automatic bypass of fire wall based on switch |
CN107205008A (en) * | 2016-03-18 | 2017-09-26 | 上海有云信息技术有限公司 | The loaded self-adaptive method of WEB application fire wall under cloud computing environment |
CN109067807A (en) * | 2018-10-16 | 2018-12-21 | 杭州安恒信息技术股份有限公司 | Safety protecting method, device and electronic equipment based on WEB application firewall overload |
CN109800131A (en) * | 2018-12-18 | 2019-05-24 | 平安健康保险股份有限公司 | Monitor processing method, device, computer equipment and the storage medium of Linux server |
CN111314290A (en) * | 2019-12-30 | 2020-06-19 | 北京长亭未来科技有限公司 | Method and device for protecting continuity of WEB application firewall service and electronic equipment |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20180013722A1 (en) * | 2016-07-06 | 2018-01-11 | Eric Enos | Distributed firewall device and system |
Non-Patent Citations (1)
Title |
---|
"基于分布式对等架构的Web应用防火墙设计与实现" (Design and Implementation of a Web Application Firewall Based on a Distributed Peer-to-Peer Architecture); Yao Linlin; China Master's Theses Full-text Database (Information Science and Technology); 2012-11-15; pp. I139-24 * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant |