CN112165450B - Security protection method and device for WEB application firewall and electronic device - Google Patents


Info

Publication number
CN112165450B
Authority
CN
China
Prior art keywords
event
abnormal
state information
information
condition
Prior art date
Legal status
Active
Application number
CN202010875522.1A
Other languages
Chinese (zh)
Other versions
CN112165450A (en)
Inventor
陈加群
范渊
Current Assignee
DBAPPSecurity Co Ltd
Original Assignee
DBAPPSecurity Co Ltd
Priority date
Filing date
Publication date
Application filed by DBAPPSecurity Co Ltd
Priority to CN202010875522.1A
Publication of CN112165450A
Application granted
Publication of CN112165450B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Abstract

The application relates to a security protection method and device for a WEB application firewall, an electronic device and a storage medium. The method comprises the following steps: acquiring state information of an event related to the stability of the WEB application firewall; judging, from the state information of the event, whether the event is an abnormal event; and, where the event is judged to be an abnormal event, querying preset configuration information for the exception handling operation information corresponding to that abnormal event and displaying it. The preset configuration information comprises the association between abnormal events and exception handling operation information. This solves the problem in the related art that a user cannot handle abnormal events of a WEB application firewall in time: the user can handle such events promptly, and the technical effect of improving the stability of the WEB application firewall is achieved.

Description

Security protection method and device for WEB application firewall and electronic device
Technical Field
The present disclosure relates to the field of network security technologies, and in particular, to a security protection method and apparatus for a WEB application firewall, an electronic device, and a storage medium.
Background
With the continuous development of network technology, WEB applications are becoming more and more abundant, and WEB servers, with their strong computing power, processing performance and high economic value, have gradually become a main attack target.
A WEB application firewall (Web Application Firewall, abbreviated WAF) is a product that protects WEB applications by enforcing a series of security policies on HTTP/HTTPS traffic. It is mainly used to defend against attacks on the network application layer, such as SQL injection, cross-site scripting, parameter tampering, application platform vulnerability exploitation and denial of service.
A WAF in the related art is deployed in front of the WEB application and scans and filters user requests before they reach the WEB server: it analyzes and verifies the network packets of each user request, ensures that each request is valid and safe, and blocks or isolates requests that are invalid or show attack behaviour. By inspecting HTTP traffic it can prevent attacks that originate from security vulnerabilities of WEB applications (for example SQL injection, cross-site scripting, file inclusion and security misconfiguration). However, such a solution often cannot display the resource status of the WAF in time. The current system state of the WAF cannot be seen at the front end, and the user cannot directly tell which process has high CPU or memory usage or what the current network card state is; as a result, when the WAF detects an abnormality, the user cannot promptly take emergency action on the process, file or network card that causes it.
At present, no effective solution has been proposed for the problem that a user cannot handle abnormal events of a WEB application firewall in time.
Disclosure of Invention
The embodiments of the application provide a security protection method and device for a WEB application firewall, an electronic device and a storage medium, which at least solve the problem in the related art that a user cannot handle abnormal events of a WEB application firewall in time.
In a first aspect, an embodiment of the present application provides a security protection method for a WEB application firewall, including: acquiring state information of an event related to the stability of the WEB application firewall; judging, from the state information of the event, whether the event is an abnormal event; and, where the event is judged to be an abnormal event, querying preset configuration information for the exception handling operation information corresponding to the abnormal event and displaying that information. The preset configuration information comprises the association between abnormal events and exception handling operation information.
In some of these embodiments, the state information includes at least one of process state information, resource state information and network card state information, and judging from the state information whether the event is an abnormal event includes: where the state information includes process state information, judging whether the event contains a process abnormal exit event and, if so, marking the event as an abnormal event; where the state information includes resource state information, judging whether the event contains an abnormal resource usage event and, if so, marking the event as an abnormal event; and where the state information includes network card state information, judging whether the event contains a network card abnormal packet loss rate event and/or a network card DOWN event and, if so, marking the event as an abnormal event.
In some embodiments, where the abnormal event includes a process abnormal exit event, the exception handling operation information includes restarting the process associated with that event and sending error reporting information; where the abnormal event includes an abnormal resource usage event, the exception handling operation information includes closing at least one process and/or file associated with that event and sending error reporting information; and where the abnormal event includes a network card abnormal packet loss rate event and/or a network card DOWN event, the exception handling operation information includes restarting the network card associated with that event and sending error reporting information.
In some of these embodiments, the resource state information includes at least one of CPU occupancy state information, memory occupancy state information and disk occupancy state information, and, where the state information includes resource state information, judging whether the event contains an abnormal resource usage event includes: where the state information includes CPU occupancy state information, judging whether the current CPU occupancy rate is above a first threshold and, if so, judging that an abnormal resource usage event exists; where the state information includes memory occupancy state information, judging whether the current memory occupancy rate is above a second threshold and, if so, judging that an abnormal resource usage event exists; and where the state information includes disk occupancy state information, judging whether the currently occupied disk space is above a third threshold and, if so, judging that an abnormal resource usage event exists.
In some embodiments, querying the preset configuration information for the exception handling operation information corresponding to the abnormal event and displaying it, once the event has been judged to be abnormal, includes: where the abnormal event includes a process abnormal exit event, a network card abnormal packet loss rate event or a network card DOWN event, querying the preset configuration information for the corresponding exception handling operation information and displaying it; and where the abnormal event includes an abnormal resource usage event, displaying the process and/or file associated with that event, then querying the preset configuration information for the corresponding exception handling operation information and displaying it.
In some of these embodiments, the resource state information includes at least one of CPU occupancy state information, memory occupancy state information and disk occupancy state information, and, where the abnormal event includes an abnormal resource usage event, displaying the process and/or file associated with that event includes: where the state information includes CPU occupancy state information, sorting the processes by CPU occupancy rate from high to low and displaying a preset number of processes from the top of the sorted sequence; where the state information includes memory occupancy state information, sorting the processes by memory occupancy rate from high to low and displaying a preset number of processes from the top of the sorted sequence; and where the state information includes disk occupancy state information, sorting the files by occupied disk space from large to small and displaying a preset number of files from the top of the sorted sequence.
In some of these embodiments, acquiring state information of an event related to the stability of the WEB application firewall includes: acquiring the start-up information and registration information of a reporter; and, where the start-up information shows the reporter as started and the registration information shows it as registered, receiving the state information of events related to the stability of the WEB application firewall that the reporter sends at preset time intervals.
In a second aspect, an embodiment of the present application provides a security protection device for a WEB application firewall, including an acquisition module, a state information management module, a control module and a display module. The acquisition module acquires an event related to the stability of the WEB application firewall and judges, from the state information of the event, whether it is an abnormal event; the display module, where the event is judged to be an abnormal event, queries preset configuration information for the exception handling operation information corresponding to the abnormal event and displays that information. The preset configuration information comprises the association between abnormal events and exception handling operation information.
In a third aspect, an embodiment of the present application provides an electronic device including a memory, a processor, and a computer program stored in the memory and runnable on the processor, where the processor, when executing the computer program, implements the security protection method for a WEB application firewall according to the first aspect.
In a fourth aspect, an embodiment of the present application provides a storage medium storing a computer program which, when executed by a processor, implements the security protection method for a WEB application firewall according to the first aspect.
Compared with the related art, the security protection method and device for a WEB application firewall, the electronic device and the storage medium provided by the embodiments of the application solve the problem that a user cannot handle abnormal events of a WEB application firewall in time: the user can handle such events promptly, and the technical effect of improving the stability of the WEB application firewall is achieved.
The details of one or more embodiments of the application are set forth in the accompanying drawings and the description below to provide a more thorough understanding of the other features, objects, and advantages of the application.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute an undue limitation to the application. In the drawings:
FIG. 1 is a flowchart of a security protection method for a WEB application firewall according to an embodiment of the application;
FIG. 2 is a block diagram of a security protection device for a WEB application firewall according to an embodiment of the application;
FIG. 3 is a schematic diagram of the hardware structure of an electronic device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application clearer, the present application is described and illustrated below with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the present application. All other embodiments that a person of ordinary skill in the art can obtain from the embodiments provided herein without undue burden are intended to fall within the scope of the present application. Moreover, it should be appreciated that while such a development effort might be complex and lengthy, it would nevertheless be a routine undertaking of design, fabrication or manufacture for those of ordinary skill having the benefit of this disclosure.
Reference in the specification to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment may be included in at least one embodiment of the application. The appearances of such phrases in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. It is to be expressly and implicitly understood by those of ordinary skill in the art that the embodiments described herein can be combined with other embodiments without conflict.
Unless defined otherwise, technical or scientific terms used herein should be given the ordinary meaning as understood by one of ordinary skill in the art to which this application belongs. Reference to "a," "an," "the," and similar terms herein does not denote a limitation of quantity, but rather denotes the singular or plural. The terms "comprising," "including," "having," and any variations thereof, are intended to cover a non-exclusive inclusion; for example, a process, method, system, article, or apparatus that comprises a list of steps or modules (elements) is not limited to only those steps or elements but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. The terms "connected," "coupled," and the like in this application are not limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. The term "plurality" as used herein means greater than or equal to two. "and/or" describes an association relationship between associated objects, meaning that there may be three relationships; e.g., "A and/or B" may mean: A exists alone, A and B exist together, or B exists alone. The terms "first," "second," "third," and the like, as used herein, merely distinguish between similar objects and do not represent a particular ordering of objects.
This embodiment provides a security protection method for a WEB application firewall. FIG. 1 is a flowchart of the security protection method for a WEB application firewall according to an embodiment of the application; as shown in FIG. 1, the flow includes the following steps:
Step S101: acquire state information of an event related to the stability of the WEB application firewall.
In this embodiment, the state information of the WEB application firewall may be obtained from a reporter of the WEB application firewall. This comprises the following steps:
Step 1: acquire the start-up information and registration information of the reporter.
Step 2: where the start-up information shows the reporter as started and the registration information shows it as registered, receive the state information of events related to the stability of the WEB application firewall that the reporter sends at preset time intervals.
In this embodiment the preset time may be 5 seconds, and it can be configured on a page of the WEB application firewall which reporters' state information is to be received and processed. The exception handling operation information corresponding to an abnormal event can be looked up in the preset configuration information. The preset configuration information may take the format "yes/no, started-reporter-state information": the state information of the WEB application firewall can be obtained from a reporter only when the preset configuration information has been loaded and that reporter is in the started state in the configuration. The preset configuration information also comprises the association between abnormal events and exception handling operation information.
In other embodiments, the preset time may be other values.
Meanwhile, the reporter can register with the management end in advance, and the management end receives only information sent by reporters registered with it, which ensures that the information sent by reporters is secure and predictable.
Step S102: judge, from the state information of the event, whether the event is an abnormal event.
In this embodiment, the state information may include, but is not limited to, at least one of process state information, resource state information and network card state information.
The process state information, resource state information and network card state information may be sent to the management end by a first, second and third reporter respectively. The first reporter watches over the key processes of the WEB application firewall and reports process state information to the management end in time; the second reporter watches over the system resource state of the WEB application firewall and reports resource state information to the management end in time; the third reporter watches over the running state of the network cards of the WEB application firewall and reports network card state information to the management end in time.
Based on the state information, the management end can judge whether an abnormal event has occurred and, if so, send error reporting information and handle the abnormal event according to the exception handling operation information corresponding to it.
The association between each reporter, the event states it reports and the exception handling operation information corresponding to each event is shown in Table 1.
TABLE 1 (provided as an image in the original and not reproduced here; it lists, for each reporter, the event states it reports and the exception handling operation information corresponding to each event)
Where the state information includes process state information, it is judged whether the event contains a process abnormal exit event and, if so, the event is marked as an abnormal event; where the state information includes resource state information, it is judged whether the event contains an abnormal resource usage event and, if so, the event is marked as an abnormal event; and where the state information includes network card state information, it is judged whether the event contains a network card abnormal packet loss rate event and/or a network card DOWN event and, if so, the event is marked as an abnormal event.
As shown in Table 1, where the state information includes process state information, the key processes selected in the preset configuration information are monitored; for example, process 1 may be Haproxy and process 2 may be nginx, and further key processes may be added to the preset configuration information.
In some of these embodiments, the resource state information may include, but is not limited to, at least one of CPU occupancy state information, memory occupancy state information and disk occupancy state information.
As shown in Table 1, where the state information includes resource state information, judging whether the event contains an abnormal resource usage event includes: where the state information includes CPU occupancy state information, judging whether the current CPU occupancy rate is above a first threshold and, if so, judging that an abnormal resource usage event exists; where the state information includes memory occupancy state information, judging whether the current memory occupancy rate is above a second threshold and, if so, judging that an abnormal resource usage event exists; and where the state information includes disk occupancy state information, judging whether the currently occupied disk space is above a third threshold and, if so, judging that an abnormal resource usage event exists.
In this embodiment, the first threshold may be 90%, the second threshold 90%, the third threshold 80% and the fourth threshold 20%; in other embodiments the first, second, third and fourth thresholds may take other values.
Step S103, inquiring exception handling operation information corresponding to the exception event in preset configuration information and displaying the exception handling operation information when judging that the event is the exception event; the preset configuration information comprises association relation between an abnormal event and abnormal processing operation information.
In some embodiments, when the event is determined to be an abnormal event, querying, in preset configuration information, exception handling operation information corresponding to the abnormal event, and displaying the exception handling operation information includes: under the condition that the abnormal event comprises a process abnormal exit event, a network card abnormal packet loss rate event and a network card DOWN event, inquiring abnormal processing operation information corresponding to the abnormal event in preset configuration information, and displaying the abnormal processing operation information; and under the condition that the abnormal event comprises an abnormal resource utilization rate event, displaying a process and/or a file associated with the abnormal resource utilization rate event, inquiring abnormal processing operation information corresponding to the abnormal event in preset configuration information, and displaying the abnormal processing operation information.
As shown in table 1, in this embodiment, in the case where the state information includes CPU occupancy state information, the processes may be ordered from high to low according to the CPU occupancy rate of the processes, and a preset number of processes are selected from high to low in the ordered sequence to be displayed; under the condition that the state information comprises memory occupation state information, the processes can be ordered from high to low according to the memory occupation rate of the processes, and a preset number of processes are selected from high to low in an ordering sequence to be displayed; under the condition that the state information comprises the disk occupation state information, the files can be ordered according to the disk occupation space of the files from large to small, and a preset number of files are selected from high to low in the ordering sequence to be displayed.
In this embodiment, the preset number may be 10, and in other embodiments, the preset number may also be other values. After the preset number of processes are displayed, a restarting process, a closing process or an error message sending process can be selected based on the corresponding abnormal processing operation information; after the preset number of files are displayed, the files can be deleted or error information can be sent based on the abnormal processing operation information.
As shown in table 1, in the case where the abnormal event includes a process abnormal exit event, the abnormal processing operation information includes restarting a process associated with the process abnormal exit event, and transmitting error reporting information; in the case that the abnormal event includes an abnormal resource usage event, the abnormal processing operation information includes closing at least one process and/or file associated with the abnormal resource usage event, and transmitting error reporting information; in the case where the abnormal event includes a network card abnormal packet loss rate event and/or a network card DOWN event, the abnormal processing operation information includes a network card associated with restarting the network card abnormal packet loss rate event and/or the network card DOWN event, and the error reporting information is transmitted.
In some embodiments, when the state information is resource state information, closing at least one process and/or file associated with the abnormal resource usage event and sending error reporting information includes: when the resource state information is CPU occupancy state information, sorting the processes from high to low by CPU occupancy rate and selecting at least one process from the top of the sorted sequence to be closed; when the state information is memory occupancy state information, sorting the processes from high to low by memory occupancy rate and selecting at least one process from the top of the sorted sequence to be closed; when the state information is disk occupancy state information, sorting the files from large to small by the disk space they occupy and selecting at least one file from the top of the sorted sequence to be deleted.
When the state information is disk occupancy state information, only the disk directories selected in the preset configuration information are monitored. Several directories can be added to the preset configuration information, and the security protection method of the WEB application firewall can then display, for each directory, the preset number of files occupying the most disk space.
In other embodiments, since the management end receives the status information of the WEB application firewall sent by the reporter at every preset time interval, for instance 5 seconds, the management end may compare the current status information with the status information obtained 5 seconds earlier, and determine that the event is an abnormal event only when the current status information differs from that earlier status information. For example, if the status information obtained 5 seconds earlier was normal and the current status information shows process 1 as abnormal, the event is determined to be an abnormal event. An abnormality is thus reported when it first appears rather than at every interval for as long as it persists.
A WAF in the related art is deployed in front of the WEB application and usually scans and filters each user request before it reaches the WEB server: it analyses and verifies the network packets of every request, ensures that each request is valid and safe, and blocks or isolates requests that are invalid or show attack behaviour. By inspecting HTTP traffic it can prevent attacks that target security vulnerabilities of WEB applications, such as SQL injection, cross-site scripting, file inclusion and security misconfiguration. However, such a solution usually cannot display the WAF's own resource status in time: the current system state of the WAF is not visible at the front end, and the user cannot directly see which process has high CPU or memory occupancy or what the current network card state is, so when the WAF develops an abnormality the user cannot promptly take emergency action on the process, file or network card causing it.
Through steps S101 to S103, once an event related to the stability of the WEB application firewall has been found to be an abnormal event, the exception handling operation information corresponding to that abnormal event is looked up in the preset configuration information and displayed, so the user can see directly which events caused the abnormality and handle them on the basis of the exception handling operation information.
This embodiment also provides a security protection device for a WEB application firewall, which is used to implement the foregoing embodiments and preferred embodiments; what has already been described is not repeated. Although the device described in the following embodiments is preferably implemented in software, implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
Fig. 2 is a block diagram of a security protection apparatus for a WEB application firewall according to an embodiment of the present application, and as shown in fig. 2, the apparatus includes: the acquiring module 20 acquires state information of an event related to the stability of the WEB application firewall; the management module 21 judges whether the event is an abnormal event according to the state information of the event; the display module 22 queries the exception handling operation information corresponding to the exception event in the preset configuration information and displays the exception handling operation information when judging that the event is the exception event; the preset configuration information comprises association relation between an abnormal event and abnormal processing operation information.
In one embodiment, the status information includes, but is not limited to, at least one of: process state information, resource state information and network card state information; the management module 21 is configured to determine whether a process exception exit event exists in the event in the case where the state information includes process state information, and mark the event as an exception event in the case where the process exception exit event exists in the event; judging whether an abnormal resource utilization rate event exists in the event or not under the condition that the state information comprises the resource state information, and marking the event as an abnormal event under the condition that the abnormal resource utilization rate event exists in the event; judging whether a network card abnormal packet loss rate event and/or a network card DOWN event exists in the event or not under the condition that the state information comprises the network card state information, and marking the event as an abnormal event under the condition that the network card abnormal packet loss rate event and/or the network card DOWN event exists in the event.
In one embodiment, when the exception event includes a process exception exit event, the exception handling operation information includes restarting the process associated with the process exception exit event and sending error reporting information; when the abnormal event includes an abnormal resource usage event, the exception handling operation information includes closing at least one process and/or file associated with the abnormal resource usage event and sending error reporting information; when the abnormal event includes a network card abnormal packet loss rate event and/or a network card DOWN event, the exception handling operation information includes restarting the network card associated with that event and sending error reporting information.
In one embodiment, the resource status information includes, but is not limited to, at least one of: CPU occupation state information, memory occupation state information and disk occupation state information; the management module 21 is further configured to determine whether the current CPU occupancy is above a first threshold if the status information includes CPU occupancy status information, and determine that an abnormal resource usage event exists in the event if the current CPU occupancy is above the first threshold; judging whether the current memory occupancy rate is higher than a second threshold value or not under the condition that the state information comprises the memory occupancy state information, and judging that an abnormal resource utilization rate event exists in the event under the condition that the current memory occupancy rate is higher than the second threshold value; and judging whether the current disk occupation space is higher than a third threshold value or not under the condition that the state information comprises the disk occupation state information, and judging that an abnormal resource utilization rate event exists in the event under the condition that the current disk occupation space is higher than the third threshold value.
In one embodiment, the presentation module 22 is configured to query the exception handling operation information corresponding to the exception event in the preset configuration information and present it when the exception event includes a process exception exit event, a network card abnormal packet loss rate event and/or a network card DOWN event; and, when the abnormal event includes an abnormal resource usage event, to present the processes and/or files associated with the abnormal resource usage event, query the exception handling operation information corresponding to the abnormal event in the preset configuration information, and present that exception handling operation information.
In one embodiment, the presenting module 22 is further configured to, in a case where the state information includes CPU occupancy state information, sort the processes from high to low according to the CPU occupancy rate of the processes, and select a preset number of processes from high to low in the sorted sequence for presentation; under the condition that the state information comprises memory occupation state information, sequencing the processes from high to low according to the memory occupation rate of the processes, and selecting a preset number of processes from high to low in a sequencing sequence for display; under the condition that the state information comprises disk occupation state information, sorting the files according to the disk occupation space of the files from large to small, and selecting a preset number of files from high to low in the sorting sequence for displaying.
In one embodiment, the obtaining module 20 is configured to obtain the start information and the registration information of the reporter, and to receive the state information of events related to the stability of the WEB application firewall that the reporter sends at every preset time interval, provided that the start information of the reporter indicates it is started and the registration information indicates it is registered.
The above-described respective modules may be functional modules or program modules, and may be implemented by software or hardware. For modules implemented in hardware, the various modules described above may be located in the same processor; or the above modules may be located in different processors in any combination.
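The pipeline described for steps S101 to S103 and for the acquiring, management and display modules 20 to 22, as an added example that is not code from the patent or its applicant. It runs the management-end logic over two constructed status samples: the reporter gate, the threshold checks that produce the abnormal events, the lookup of exception handling operation information in the preset configuration, the top-N ranking of processes and files for display, and the comparison with the previous interval's sample. The sample field names, the event and operation strings standing in for Table 1, the threshold values, the preset number and the monitored directory names are all assumptions.

```python
# Added example, not code from the patent or its applicant: management-end logic of
# steps S101-S103 over constructed samples. Field names, event/operation strings,
# thresholds and directory names are assumptions, not taken from the patent text.
from dataclasses import dataclass, field

# Preset configuration: association between an abnormal event and its
# exception handling operation information (stands in for Table 1; wording assumed).
PRESET_CONFIG = {
    "process_abnormal_exit": ("restart associated process", "send error report"),
    "abnormal_resource_usage": ("close associated process/file", "send error report"),
    "nic_abnormal_packet_loss": ("restart associated network card", "send error report"),
    "nic_down": ("restart associated network card", "send error report"),
}
# First, second and third thresholds of the embodiment plus a NIC loss threshold (values assumed).
THRESHOLDS = {"cpu_pct": 90.0, "mem_pct": 90.0, "disk_used_bytes": 80 * 2**30, "nic_loss_pct": 5.0}
PRESET_NUMBER = 10                                    # the embodiment's default display count
MONITORED_DIRS = ("/var/log/waf", "/var/cache/waf")   # directories selected in the config (assumed)

@dataclass
class Event:
    kind: str              # key into PRESET_CONFIG
    subject: str           # process name, NIC name, monitored directory, or "cpu"/"mem"
    detail: str = ""
    operations: tuple = ()
    top_items: list = field(default_factory=list)    # ranked processes/files for the display module

def reporter_accepted(reporter):
    """S101 gate: status is consumed only from a reporter that is enabled and registered."""
    return bool(reporter.get("enabled")) and bool(reporter.get("registered"))

def top_n(items, key, n=PRESET_NUMBER):
    """Sort descending by `key` and keep the first n (processes by CPU/memory, files by size)."""
    return sorted(items, key=lambda it: it.get(key, 0), reverse=True)[:n]

def classify(sample):
    """S102 and S103: derive abnormal events from one sample and attach their handling operations."""
    events = []
    procs = sample.get("processes", [])
    res = sample.get("resources", {})
    for p in procs:                                    # process state information
        if p.get("state") == "exited" and p.get("exit_code", 0) != 0:
            events.append(Event("process_abnormal_exit", p["name"], f"exit_code={p['exit_code']}"))
    if res.get("cpu_pct", 0) > THRESHOLDS["cpu_pct"]:  # resource state: CPU (first threshold)
        events.append(Event("abnormal_resource_usage", "cpu", f"{res['cpu_pct']}%",
                            top_items=top_n(procs, "cpu_pct")))
    if res.get("mem_pct", 0) > THRESHOLDS["mem_pct"]:  # memory (second threshold)
        events.append(Event("abnormal_resource_usage", "mem", f"{res['mem_pct']}%",
                            top_items=top_n(procs, "mem_pct")))
    for d in MONITORED_DIRS:                           # disk, per selected directory (third threshold)
        info = res.get("disk", {}).get(d, {})
        if info.get("used_bytes", 0) > THRESHOLDS["disk_used_bytes"]:
            events.append(Event("abnormal_resource_usage", d, f"{info['used_bytes']} bytes",
                                top_items=top_n(info.get("files", []), "size_bytes")))
    for nic in sample.get("nics", []):                 # network card state: DOWN outranks packet loss
        if nic.get("link") == "DOWN":
            events.append(Event("nic_down", nic["name"]))
        elif nic.get("loss_pct", 0) > THRESHOLDS["nic_loss_pct"]:
            events.append(Event("nic_abnormal_packet_loss", nic["name"], f"loss={nic['loss_pct']}%"))
    for ev in events:
        ev.operations = PRESET_CONFIG[ev.kind]         # query the preset configuration
    return events

def new_events(prev_events, cur_events):
    """Keep only abnormalities absent from the previous interval's sample (the 5-second comparison)."""
    seen = {(e.kind, e.subject) for e in prev_events}
    return [e for e in cur_events if (e.kind, e.subject) not in seen]

def render(event):
    """Display lines: the event with its operations, then the ranked processes or files."""
    head = f"[{event.kind}] {event.subject} {event.detail}".rstrip()
    return [head + ": " + "; ".join(event.operations)] + [f"    {it['name']}" for it in event.top_items]

def constructed_samples():
    """Two constructed reporter samples: a healthy previous interval and an unhealthy current one."""
    gib = 2**30
    prev = {"processes": [{"name": "waf_engine", "state": "running", "cpu_pct": 30, "mem_pct": 35}],
            "resources": {"cpu_pct": 45, "mem_pct": 60,
                          "disk": {"/var/log/waf": {"used_bytes": 10 * gib, "files": []}}},
            "nics": [{"name": "eth0", "link": "UP", "loss_pct": 0.0}]}
    cur = {"processes": [{"name": "waf_engine", "state": "exited", "exit_code": 137},
                         {"name": "logrotate", "state": "running", "cpu_pct": 70, "mem_pct": 5},
                         {"name": "nginx", "state": "running", "cpu_pct": 20, "mem_pct": 30}],
           "resources": {"cpu_pct": 95, "mem_pct": 60,
                         "disk": {"/var/log/waf": {"used_bytes": 90 * gib, "files": [
                             {"name": "error.log", "size_bytes": 30 * gib},
                             {"name": "access.log", "size_bytes": 55 * gib}]}}},
           "nics": [{"name": "eth0", "link": "UP", "loss_pct": 7.5},
                    {"name": "eth1", "link": "DOWN", "loss_pct": 0.0}]}
    return prev, cur

if __name__ == "__main__":
    prev, cur = constructed_samples()
    if reporter_accepted({"enabled": True, "registered": True}):
        for ev in new_events(classify(prev), classify(cur)):
            print("\n".join(render(ev)))
```

Run as a script, it prints the five abnormal events of the constructed current sample (process exit, CPU, disk, packet loss, NIC DOWN) once each, with the ranked processes or files beneath the resource events; passing the same sample as both previous and current through new_events yields nothing, which is the effect of the interval comparison described above. In a deployment the reporter would fill the sample from the WAF host and the thresholds would come from the preset configuration rather than constants.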
The present embodiment also provides an electronic device comprising a memory 304 and a processor 302, the memory 304 having stored therein a computer program, the processor 302 being arranged to run the computer program to perform the steps of any of the method embodiments described above.
In particular, the processor 302 may include a Central Processing Unit (CPU), or an application specific integrated circuit (Application Specific Integrated Circuit, abbreviated as ASIC), or may be configured to implement one or more integrated circuits of embodiments of the present application.
Memory 304 may include, among other things, mass storage for data or instructions. By way of example and not limitation, memory 304 may comprise a hard disk drive (HDD), a floppy disk drive, a solid state drive (SSD), flash memory, an optical disk, a magneto-optical disk, tape, a universal serial bus (USB) drive, or a combination of two or more of these. Memory 304 may include removable or non-removable (fixed) media, where appropriate, and may be internal or external to the data processing apparatus. In a particular embodiment, memory 304 is non-volatile memory. In a particular embodiment, memory 304 includes read-only memory (ROM) and random access memory (RAM). Where appropriate, the ROM may be mask-programmed ROM, programmable ROM (PROM), erasable PROM (EPROM), electrically erasable PROM (EEPROM), electrically alterable ROM (EAROM), flash memory, or a combination of two or more of these. The RAM may be static RAM (SRAM) or dynamic RAM (DRAM), where the DRAM may be fast page mode DRAM (FPMDRAM), extended data out DRAM (EDODRAM), synchronous DRAM (SDRAM), or the like, as appropriate.
Memory 304 may be used to store or cache various data files that need to be processed and/or communicated, as well as possible computer program instructions for execution by processor 302.
Processor 302 implements the security protection method of the WEB application firewall in any of the above embodiments by reading and executing the computer program instructions stored in memory 304.
Optionally, the electronic apparatus may further include a transmission device 306 and an input/output device 308, where the transmission device 306 is connected to the processor 302, and the input/output device 308 is connected to the processor 302.
Alternatively, in the present embodiment, the above-mentioned processor 302 may be configured to execute the following steps by a computer program:
S1, acquiring state information of an event related to the stability of a WEB application firewall.
S2, judging whether the event is an abnormal event according to the state information of the event.
S3, under the condition that the event is judged to be an abnormal event, inquiring abnormal processing operation information corresponding to the abnormal event in preset configuration information, and displaying the abnormal processing operation information; the preset configuration information comprises association relation between an abnormal event and abnormal processing operation information.
It should be noted that, specific examples in this embodiment may refer to examples described in the foregoing embodiments and alternative implementations, and this embodiment is not repeated herein.
In addition, in combination with the security protection method for a WEB application firewall of the above embodiments, the embodiments of the present application may provide a storage medium for its implementation. The storage medium stores a computer program which, when executed by the processor, implements the security protection method for a WEB application firewall of any one of the above embodiments.
It should be understood by those skilled in the art that the technical features of the above embodiments may be combined in any manner, and for brevity, all of the possible combinations of the technical features of the above embodiments are not described, however, they should be considered as being within the scope of the description provided herein, as long as there is no contradiction between the combinations of the technical features.
The foregoing examples merely represent several embodiments of the present application, the description of which is more specific and detailed and which should not be construed as limiting the scope of the present application in any way. It should be noted that it would be apparent to those skilled in the art that various modifications and improvements could be made without departing from the spirit of the present application, which would be within the scope of the present application. Accordingly, the scope of protection of the present application shall be subject to the appended claims.

Claims (9)

1. A security protection method for a WEB application firewall, characterized in that it comprises the following steps:
acquiring state information of an event related to the stability of a WEB application firewall;
wherein acquiring the state information of the event related to the stability of the WEB application firewall specifically comprises: acquiring, from a reporter of the WEB application firewall, the registration information of the reporter and its enabled state in preset configuration information, and receiving the state information of the event related to the stability of the WEB application firewall sent by the reporter at every preset time interval, provided that the enabled state of the reporter is enabled and the registration information is registered;
judging whether the event is an abnormal event or not according to the state information of the event;
under the condition that the event is judged to be an abnormal event, inquiring abnormal processing operation information corresponding to the abnormal event in preset configuration information, and displaying the abnormal processing operation information; the preset configuration information comprises association relation between an abnormal event and abnormal processing operation information.
2. The method for protecting security of a WEB application firewall according to claim 1, wherein the status information comprises at least one of: process state information, resource state information and network card state information; judging whether the event is an abnormal event according to the state information of the event comprises the following steps:
judging whether a process abnormal exit event exists in the event or not under the condition that the state information comprises the process state information, and marking the event as an abnormal event under the condition that the process abnormal exit event exists in the event;
judging whether an abnormal resource utilization rate event exists in the event or not under the condition that the state information comprises resource state information, and marking the event as an abnormal event under the condition that the abnormal resource utilization rate event exists in the event;
judging whether a network card abnormal packet loss rate event and/or a network card DOWN event exists in the event or not under the condition that the state information comprises the network card state information, and marking the event as an abnormal event under the condition that the network card abnormal packet loss rate event and/or the network card DOWN event exists in the event.
3. The method for protecting security of a WEB application firewall according to claim 2, wherein,
under the condition that the abnormal event comprises a process abnormal exit event, the abnormal processing operation information comprises restarting a process associated with the process abnormal exit event and sending error reporting information;
in the case that the abnormal event includes an abnormal resource usage event, the abnormal processing operation information includes closing at least one process and/or file associated with the abnormal resource usage event, and transmitting error reporting information;
and in the case that the abnormal event comprises a network card abnormal packet loss rate event and/or a network card DOWN event, the abnormal processing operation information comprises restarting the network card associated with the network card abnormal packet loss rate event and/or the network card DOWN event, and sending the error reporting information.
4. The method for protecting security of a WEB application firewall according to claim 2, wherein the resource status information comprises at least one of: CPU occupation state information, memory occupation state information and disk occupation state information; in the case where the state information includes resource state information, determining whether an abnormal resource usage event exists in the event includes:
judging whether the current CPU occupancy rate is higher than a first threshold value or not under the condition that the state information comprises CPU occupancy state information, and judging that an abnormal resource utilization rate event exists in the event under the condition that the current CPU occupancy rate is higher than the first threshold value;
judging whether the current memory occupancy rate is higher than a second threshold value or not under the condition that the state information comprises memory occupancy state information, and judging that an abnormal resource utilization rate event exists in the event under the condition that the current memory occupancy rate is higher than the second threshold value;
and judging whether the current disk occupation space is higher than a third threshold value or not under the condition that the state information comprises the disk occupation state information, and judging that an abnormal resource utilization rate event exists in the event under the condition that the current disk occupation space is higher than the third threshold value.
5. The method for protecting security of a WEB application firewall according to claim 2, wherein, when the event is determined to be an abnormal event, querying, in preset configuration information, exception handling operation information corresponding to the abnormal event, and displaying the exception handling operation information includes:
under the condition that the abnormal event comprises a process abnormal exit event, a network card abnormal packet loss rate event and a network card DOWN event, inquiring abnormal processing operation information corresponding to the abnormal event in preset configuration information, and displaying the abnormal processing operation information;
and under the condition that the abnormal event comprises an abnormal resource utilization rate event, displaying a process and/or a file associated with the abnormal resource utilization rate event, inquiring abnormal processing operation information corresponding to the abnormal event in preset configuration information, and displaying the abnormal processing operation information.
6. The method of claim 5, wherein the resource status information includes at least one of: CPU occupation state information, memory occupation state information and disk occupation state information; in the case where the abnormal event comprises an abnormal resource usage event, exposing a process and/or file associated with the abnormal resource usage event comprises:
under the condition that the state information comprises CPU occupation state information, sequencing the processes according to the CPU occupation rate of the processes from high to low, and selecting a preset number of processes from high to low in a sequencing sequence for display;
under the condition that the state information comprises memory occupation state information, sequencing the processes according to the memory occupation rate of the processes from high to low, and selecting a preset number of processes from high to low in a sequencing sequence for display;
and under the condition that the state information comprises the disk occupation state information, sorting the files according to the disk occupation space of the files from large to small, and selecting a preset number of files from high to low in the sorting sequence for displaying.
7. A security protection device for a WEB application firewall, comprising:
the acquisition module, which acquires state information of an event related to the stability of the WEB application firewall; wherein acquiring the state information of the event related to the stability of the WEB application firewall specifically comprises: acquiring, from a reporter of the WEB application firewall, the registration information of the reporter and its enabled state in preset configuration information, and receiving the state information of the event related to the stability of the WEB application firewall sent by the reporter at every preset time interval, provided that the enabled state of the reporter is enabled and the registration information is registered;
the management module judges whether the event is an abnormal event according to the state information of the event;
the display module is used for inquiring the abnormal processing operation information corresponding to the abnormal event in preset configuration information and displaying the abnormal processing operation information under the condition that the event is judged to be the abnormal event; the preset configuration information comprises association relation between an abnormal event and abnormal processing operation information.
8. An electronic device comprising a memory and a processor, wherein the memory has stored therein a computer program, the processor being arranged to run the computer program to perform the method of security protection of a WEB application firewall according to any one of claims 1 to 6.
9. A storage medium having a computer program stored therein, wherein the computer program is configured to perform the WEB application firewall security method of any one of claims 1 to 6 at run-time.
CN202010875522.1A 2020-08-27 2020-08-27 Security protection method and device for WEB application firewall and electronic device Active CN112165450B (en)

Publications (2)

Publication Number Publication Date
CN112165450A (en) 2021-01-01
CN112165450B (en) 2023-04-21
