CN112511593A - Traffic distribution method in mimicry WAF - Google Patents


Info

Publication number: CN112511593A
Authority: CN (China)
Prior art keywords: waf, online, traffic distribution, information, executive
Legal status: Pending
Application number: CN202011212311.6A
Other languages: Chinese (zh)
Inventors: 吴春明, 陈双喜, 曲振青
Current assignee: Zhejiang University ZJU
Original assignee: Zhejiang University ZJU
Application filed by Zhejiang University ZJU; priority to CN202011212311.6A; published as CN112511593A (en); legal status pending.

Classifications

    • H04L67/10: Protocols in which an application is distributed across nodes in the network (H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/01 Protocols)
    • H04L43/16: Threshold monitoring (H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L43/00 Arrangements for monitoring or testing data switching networks)
    • H04L61/4511: Network directories; name-to-address mapping using standardised directories or standardised directory access protocols, using the domain name system [DNS] (H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L61/00 Network arrangements, protocols or services for addressing or naming > H04L61/45 Network directories; name-to-address mapping > H04L61/4505 Using standardised directories; using standardised directory access protocols)
    • H04L63/0227: Filtering policies (H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L63/00 Network architectures or network communication protocols for network security > H04L63/02 Separating internal from external traffic, e.g. firewalls)

Abstract

The invention discloses a traffic distribution method in a mimicry WAF, which randomly distributes the traffic received by an entry node to k executors and thereby gives the traffic distribution dynamic and redundant properties. The invention designs a request replication and sending module, a random selection module and related components, dispatches the same traffic to heterogeneous WAF executors running on heterogeneous servers, and has the same traffic judged multiple times while the WAF still performs its normal function, which strengthens the security of the WAF itself and greatly reduces an attacker's probability of success. First, the traffic content received by the entry node is copied; then the information of the n online executors is determined; k of the n executors are randomly selected by the random selection module and the traffic is sent to them in parallel; the method waits for the results to return and returns the corresponding content according to the judgment result of the mimicry WAF.

Description

Traffic distribution method in mimicry WAF
Technical Field
The invention belongs to the technical field of network security, and in particular relates to a traffic distribution method in a mimicry WAF.
Background
Websites are the main source of information and services obtained from the internet, and the information and services obtained from them have become an important part of social life. Web server systems are currently the most important internet sites and the platforms that carry and provide services, acting as the virtual representation of governments, businesses and individuals on the internet. Because of the tangible and intangible losses that damage to stored documents, supported services and the organization itself would cause, Web server systems have become the main target of network attacks. Attack techniques such as web page tampering, back door implantation and denial of service are endless, and attackers use them to paralyze the target server's service, steal users' sensitive information, or take control of related equipment and resources for their own use. The security of Web server systems has therefore become a focus of the cyberspace security field.
A WAF, or web application firewall, is a product that specifically protects web applications by enforcing a series of security policies on HTTP and HTTPS traffic. Early WAFs were rule-based protection devices: rule-based protection provides a variety of security rules for the web application, the WAF vendor maintains the rule base and updates it in real time, and the user can protect the application comprehensively according to the rules. The mimicry WAF is a web application firewall based on the mimicry defense idea, and mimicry defense has good defensive capability. Unlike traditional network defense means, mimicry defense changes the operating or execution environment of a network information system by dynamic, randomized and active means, breaks out of the predicament of traditional passive network security defense, turns the passive defense of 'mending the fold after the sheep are lost' into an active defense that is hard to probe, and changes the current situation in which attack is easy and defense is hard.
Disclosure of Invention
The invention aims to provide a traffic distribution method in a mimicry WAF that addresses the defects of the prior art. The invention gives the mimicry WAF dynamic and random properties and has the same traffic judged many times while the WAF still performs its normal function, which strengthens the security of the WAF itself and greatly reduces an attacker's probability of success.
The purpose of the invention is achieved by the following technical scheme: a traffic distribution method in a mimicry WAF, comprising the following steps:
(1) determining the online executor information, specifically:
(1.1) M executors E = {e_i | i = 1, 2, …, M} are deployed in the mimicry WAF, where the M executors are made heterogeneous in their operating system, WAF platform, rule base and other aspects;
(1.2) collecting the online executor information from the M executors: let the number of online executors be n, with initial value 0; the state of each executor is judged by querying the executor information base, and if the state is online, n is incremented by 1 and the executor's information is stored as the n-th entry of C = {c_j | j = 1, 2, …, n};
(2) setting k as the number of executors to which traffic is randomly sent: the value of k is looked up in a database or configuration file, and after a successful query it is assigned to the variable k;
(3) parsing the HTTP(S) traffic received by the entry node, extracting the traffic content, and making k copies of it;
(4) randomly selecting k executors from the n online executor entries stored in C as the destinations of the traffic, using a random selection algorithm such as a Monte Carlo method or normal random number generation, and storing the k selected executor entries in D = {d_l | l = 1, 2, …, k};
(5) taking the randomly selected executor information out of D, sending the k copies of the traffic content to the k executors in parallel, waiting for the results to return, and returning the corresponding content according to the judgment result of the mimicry WAF.
Further, in step (3), the traffic content includes the request method, request headers, parameters, request body and the like.
Further, in step (3), the required information is added to the request headers.
Further, in step (3), the tag flag required by the mimicry WAF arbitration module to synchronize the request is added to the request headers.
Further, in step (4), the random selection algorithm includes a Monte Carlo method and normal random number generation.
Compared with the prior art, the invention has the following beneficial effects: the technical scheme adopts the mimicry defense idea and in particular introduces a traffic distribution method in a mimicry WAF, which has the following characteristics:
(1) By adopting the mimicry defense idea, an attacker's probing and understanding of the internal characteristics of the target can be disrupted, the WAF is prevented from being breached, and the difficulty for both internal penetrators and external attackers to understand and attack the WAF is increased.
(2) The adopted traffic distribution method gives the mimicry WAF better dynamic and random properties, so that an attacker cannot find an attack path.
Drawings
Fig. 1 is a schematic diagram of the traffic distribution method in a mimicry WAF.
Detailed Description
The invention relates to a traffic distribution method in a mimicry WAF, which is an important part of the mimicry WAF. The method first copies the traffic content received by the entry node, then determines the information of the n online executors, randomly selects k of the n executors through the random selection module and sends the traffic to them in parallel, waits for the results to return, and returns the corresponding content according to the judgment result of the mimicry WAF.
As shown in Fig. 1, the present invention comprises the following steps:
(1) Determining the online executor information, specifically:
(1.1) M executors E = {e_i | i = 1, 2, …, M} are deployed in the mimicry WAF. The M executors e_i are made heterogeneous in their operating system, WAF platform, rule base and other aspects: the operating system of a server on the cloud can be Windows Server, CentOS, Ubuntu and the like, the cloud virtualization technology can be KVM, Xen and the like, and the micro-container software can be Docker, Solaris Containers, Podman and the like.
(1.2) Collecting the online executor information from the M executors: let the number of online executors be n, with initial value 0; the state of each executor is judged by querying the executor information base, and if the state is online, n is incremented by 1 and the executor's information is stored as the n-th entry of C = {c_j | j = 1, 2, …, n}, where c_j is the information of the j-th online executor.
(2) Setting k as the number of executors to which traffic is randomly sent: the value of k is looked up in a database or configuration file, and after a successful query it is assigned to the variable k.
(3) Parsing the HTTP(S) traffic received by the entry node, extracting the request method, request headers, parameters, request body and other content from the traffic, adding the required information, such as the tag flag the mimicry WAF arbitration module needs to synchronize the request, to the request headers, and making k copies of the traffic content.
(4) Randomly selecting k executors from the n online executor entries stored in C as the destinations of the traffic, using a random selection algorithm such as a Monte Carlo method or normal random number generation, and storing the k selected executor entries in D = {d_l | l = 1, 2, …, k}.
(5) Taking the randomly selected executor information out of D, sending the k copies of the traffic content to the k executors in parallel, waiting for the results to return, and returning the corresponding content according to the judgment result of the mimicry WAF.
The traffic distribution method in the mimicry WAF provided by the invention can disrupt attackers' probing and understanding of the internal characteristics of the target, prevent the WAF from being breached, and increase the difficulty for internal penetrators and external attackers to understand and attack the WAF, thereby enhancing the security of the WAF.
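As an added example, not the patent's own code, the following Python models steps (1) to (5) above end to end: an executor information base with M = 5 heterogeneous executors, the online set C, k read from a configuration entry, parsing and k-fold replication of the request with a sync-tag header, uniform random selection of D, parallel dispatch, and arbitration of the returned judgments. The executor information base, the configuration entry, the header name X-Mimic-Sync-Tag, the toy rule set, the sample requests and the majority-vote arbitration rule are all assumptions: the patent names none of them, and its executors are real heterogeneous WAFs on separate servers rather than in-process functions. The example goes one step beyond the text by modelling one executor (e5) as faulty, to show how judging the same traffic k times absorbs a single diverging executor and why the disagreement itself is worth surfacing to the operator.

```python
# Added example, not the patent's code: steps (1) to (5) of CN112511593A with stand-in executors.
import random
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass

# Constructed executor information base (M = 5). The os/platform/rules fields
# stand for the heterogeneity of step (1.1); "state" is what step (1.2) queries.
EXECUTOR_INFO_BASE = [
    {"id": "e1", "os": "CentOS", "platform": "ModSecurity", "rules": "crs-v3", "state": "online"},
    {"id": "e2", "os": "Ubuntu", "platform": "NAXSI", "rules": "naxsi-core", "state": "online"},
    {"id": "e3", "os": "Windows Server", "platform": "IIS-filter", "rules": "custom-a", "state": "offline"},
    {"id": "e4", "os": "Debian", "platform": "Coraza", "rules": "crs-v4", "state": "online"},
    {"id": "e5", "os": "Alpine", "platform": "OpenResty", "rules": "custom-b", "state": "online"},
]
CONFIG = {"k": 3}                        # constructed configuration entry for step (2)
SYNC_TAG_HEADER = "X-Mimic-Sync-Tag"     # assumed name of the arbitration sync-tag header
TOY_RULES = ("' or ", "<script", "../")  # constructed stand-in for a WAF rule base

@dataclass
class HttpRequest:
    method: str
    path: str
    headers: dict
    body: str

def determine_online_executors(info_base):
    """Step (1.2): C = {c_j | j = 1..n}, the executors whose state is online."""
    return [e for e in info_base if e["state"] == "online"]

def load_k(config):
    """Step (2): read k from the configuration and reject nonsensical values."""
    k = int(config["k"])
    if k < 1:
        raise ValueError("k must be at least 1")
    return k

def parse_request(raw):
    """Step (3): extract method, path, headers and body from raw HTTP text."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return HttpRequest(method, path, headers, body)

def replicate_request(req, k, sync_tag):
    """Step (3): k independent copies, each carrying the arbitration sync tag."""
    copies = []
    for _ in range(k):
        headers = dict(req.headers)
        headers[SYNC_TAG_HEADER] = sync_tag
        copies.append(HttpRequest(req.method, req.path, headers, req.body))
    return copies

def select_executors(C, k, rng=None):
    """Step (4): D = k executors drawn uniformly without replacement from C (the
    plainest Monte Carlo choice; the patent permits others). k > n is an error."""
    if k > len(C):
        raise ValueError(f"k={k} exceeds the {len(C)} online executors")
    return (rng or random).sample(C, k)

def executor_verdict(executor, req):
    """Constructed stand-in for one WAF executor. e5 is modelled as faulty or
    compromised: it allows everything, which the arbitration has to absorb."""
    if executor["id"] == "e5":
        return {"executor": "e5", "verdict": "allow"}
    hit = any(p in (req.path + " " + req.body).lower() for p in TOY_RULES)
    return {"executor": executor["id"], "verdict": "block" if hit else "allow"}

def arbitrate(results):
    """Assumed arbitration rule (the patent only says 'judgment result'): allow
    needs a strict majority, so ties fail closed; disagreement is reported
    because it is the signal that one executor has diverged from the others."""
    allows = sum(1 for r in results if r["verdict"] == "allow")
    verdict = "allow" if allows * 2 > len(results) else "block"
    disagreement = len({r["verdict"] for r in results}) > 1
    return {"verdict": verdict, "disagreement": disagreement, "results": results}

def distribute(raw_request, sync_tag="req-0001", seed=None,
               info_base=EXECUTOR_INFO_BASE, config=CONFIG):
    """Steps (1) to (5) end to end for one request received at the entry node."""
    C = determine_online_executors(info_base)
    k = load_k(config)
    copies = replicate_request(parse_request(raw_request), k, sync_tag)
    D = select_executors(C, k, random.Random(seed))
    with ThreadPoolExecutor(max_workers=k) as pool:  # step (5): send in parallel
        results = list(pool.map(executor_verdict, D, copies))
    return arbitrate(results)

# Constructed sample traffic: one benign request, one SQL-injection-shaped login.
BENIGN = "GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
MALICIOUS = ("POST /login HTTP/1.1\r\nHost: example.test\r\n"
             "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
             "user=admin' OR '1'='1&pass=x")

if __name__ == "__main__":
    for raw in (BENIGN, MALICIOUS):
        out = distribute(raw, seed=42)
        print(out["verdict"], [r["executor"] for r in out["results"]], out["disagreement"])
```

Whichever three of the four online executors are drawn, at most one of them is the faulty e5, so the malicious sample is always blocked and the benign one always allowed; the disagreement flag is set exactly when e5 was among the selected executors, which is the event a defender would log and investigate.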

Claims (5)

1. A traffic distribution method in a mimicry WAF, comprising the following steps:
(1) determining the online executor information, specifically:
(1.1) M executors E = {e_i | i = 1, 2, …, M} are deployed in the mimicry WAF, where the M executors are made heterogeneous in their operating system, WAF platform, rule base and other aspects;
(1.2) collecting the online executor information from the M executors: let the number of online executors be n, with initial value 0; the state of each executor is judged by querying the executor information base, and if the state is online, n is incremented by 1 and the executor's information is stored as the n-th entry of C = {c_j | j = 1, 2, …, n};
(2) setting k as the number of executors to which traffic is randomly sent: the value of k is looked up in a database or configuration file, and after a successful query it is assigned to the variable k;
(3) parsing the HTTP(S) traffic received by the entry node, extracting the traffic content, and making k copies of it;
(4) randomly selecting k executors from the n online executor entries stored in C as the destinations of the traffic, and storing the k selected executor entries in D = {d_l | l = 1, 2, …, k};
(5) taking the randomly selected executor information out of D, sending the k copies of the traffic content to the k executors in parallel, waiting for the results to return, and returning the corresponding content according to the judgment result of the mimicry WAF.
2. The traffic distribution method in a mimicry WAF according to claim 1, wherein in step (3) the traffic content includes the request method, request headers, parameters, request body and the like.
3. The traffic distribution method in a mimicry WAF according to claim 2, wherein in step (3) the required information is added to the request headers.
4. The traffic distribution method in a mimicry WAF according to claim 3, wherein in step (3) the tag flag required by the mimicry WAF arbitration module to synchronize the request is added to the request headers.
5. The traffic distribution method in a mimicry WAF according to claim 1, wherein in step (4) the random selection algorithm includes a Monte Carlo method and normal random number generation.
Application CN202011212311.6A, priority date 2020-11-03, filing date 2020-11-03: Traffic distribution method in mimicry WAF. Status: Pending. Publication CN112511593A (en).

Priority Applications (1)

Application number: CN202011212311.6A (CN112511593A, en) | Priority date: 2020-11-03 | Filing date: 2020-11-03 | Title: Traffic distribution method in mimicry WAF

Applications Claiming Priority (1)

Application number: CN202011212311.6A (CN112511593A, en) | Priority date: 2020-11-03 | Filing date: 2020-11-03 | Title: Traffic distribution method in mimicry WAF

Publications (1)

Publication number: CN112511593A (en) | Publication date: 2021-03-16

Family

ID=74955299

Family Applications (1)

Application number: CN202011212311.6A (CN112511593A, en) | Status: Pending | Priority date: 2020-11-03 | Filing date: 2020-11-03 | Title: Traffic distribution method in mimicry WAF

Country Status (1)

CN (1): CN112511593A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
WO2016043739A1 (en) * | 2014-09-17 | 2016-03-24 | Resurgo, Llc | Heterogeneous sensors for network defense
CN109525418A (en) * | 2018-10-11 | 2019-03-26 | 浙江工商大学 (Zhejiang Gongshang University) | A scheduling method that guarantees the heterogeneity of the executor set deployed for a service under mimicry defense
CN111191229A (en) * | 2019-12-24 | 2020-05-22 | 国网天津市电力公司 (State Grid Tianjin Electric Power Company) | Power Web application mimicry defense system
CN111585952A (en) * | 2020-03-23 | 2020-08-25 | 浙江大学 (Zhejiang University) | Method for a Web application on the cloud to cope with virtual host layer attacks
CN111628979A (en) * | 2020-05-21 | 2020-09-04 | 河南信大网御科技有限公司 (Henan Xinda Wangyu Technology Co., Ltd.) | Protocol-state-free ring mimicry architecture, defense method and readable storage medium


Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
仝青 et al.: "Design and implementation of a mimicry defense Web server" (拟态防御Web服务器设计与实现), 《软件学报》 (Journal of Software) *
沈丛麒 et al.: "Research on an adaptive mimicry controller based on reputation and dissimilarity" (基于信誉度与相异度的自适应拟态控制器研究), 《通信学报》 (Journal on Communications) *

Legal Events

Code | Title | Description
PB01 | Publication | Application publication date: 20210316
SE01 | Entry into force of request for substantive examination |
WD01 | Invention patent application deemed withdrawn after publication |