CN113190838A - Web attack behavior detection method and system based on expression - Google Patents

Publication number
CN113190838A
Authority
CN
China
Prior art keywords
detection
expression
access request
data
attack behavior
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110336048.XA
Other languages
Chinese (zh)
Inventor
龙玉江
魏力鹏
王玮
吕嵘晶
王皓然
张克贤
严彬元
刘俊荣
舒彧
陆岫昶
陶佳冶
周泽元
班秋成
周琳妍
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guizhou Power Grid Co Ltd
Original Assignee
Guizhou Power Grid Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Guizhou Power Grid Co Ltd filed Critical Guizhou Power Grid Co Ltd
Priority to CN202110336048.XA priority Critical patent/CN113190838A/en
Publication of CN113190838A publication Critical patent/CN113190838A/en
Pending legal-status Critical Current

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention provides a web attack behavior detection method and a system based on an expression, comprising the following steps: receiving an access request from at least one user based on a plurality of web applications; extracting IP data carried in the access request, and judging whether the IP meets a preset condition or not based on a first preset rule; if the IP meets the condition, performing expression detection on the access request through a WAF virtual machine, outputting a result based on the non-attack behavior of the expression detection, and returning a content response message based on the access request to the user through a server after a second preset rule is met; and if the IP does not meet the preset condition, extracting the characteristic data carried by the data of the access request, inputting the characteristic data into an expression training model of the WAF virtual machine, and simultaneously returning error information to the user. According to the invention, a three-level detection program is arranged in the detection, so that the accuracy and efficiency of vulnerability detection are improved.

Description

Web attack behavior detection method and system based on expression
Technical Field
The invention relates to the technical field of network security, in particular to a web attack behavior detection method and system based on an expression.
Background
A web application is an application that runs on the Internet and uses the browser on the user's PC as a universal client. The user sends an HTTP or HTTPS request to a server through the browser; the server parses the requested data, acquires the corresponding content, packages it into a message and returns it to the browser, which presents the content to the user.
A web-based attack is an attack in which an attacker, while sending requests to a server to acquire content, exploits a possible defect or bug in the web application and breaks web security by accessing unauthorized data. Existing web attack behavior detection methods include Structured Query Language (SQL) injection detection and cross-site scripting (XSS) detection, and these detection modes perform string matching on the Uniform Resource Locator (URL) by means of an expression. Regular expressions are simple to use, their keywords are easy to understand, and they are highly flexible: any rule can be written to control a string. However, a regular expression has to be matched against the URL, so the accuracy and efficiency of a vulnerability scanning system can be improved only if the complete URL is queried efficiently. How to effectively extract the URL from web attack behavior, and how to distinguish and detect different types of attack behavior, is the technical problem to be solved by the invention.
Disclosure of Invention
In order to solve the technical problems, the invention provides a web attack behavior detection method and system based on an expression so as to improve the accuracy and efficiency of vulnerability scanning.
The purpose of the first aspect of the invention is realized by the following technical scheme:
a web attack behavior detection method based on expressions comprises the following steps:
receiving an access request from at least one user based on a plurality of web applications;
extracting IP data carried in the access request, and judging whether the IP meets a preset condition or not based on a first preset rule;
if the IP meets the condition, performing expression detection on the access request through a WAF virtual machine, outputting a result based on the non-attack behavior of the expression detection, and returning a content response message based on the access request to the user through a server after a second preset rule is met;
and if the IP does not meet the preset condition, extracting the characteristic data carried by the data of the access request, inputting the characteristic data into an expression training model of the WAF virtual machine, and simultaneously returning error information to the user.
Further, the determining, based on the first preset rule, whether the IP meets a preset condition specifically includes setting a blacklist detection model and a whitelist detection model based on the IP, respectively, if the IP meets the whitelist detection model, the IP is a legal IP, if the IP matches the blacklist detection model, the IP is an illegal IP, if the IP does not belong to either the whitelist or the blacklist model, a tag is added to an access request carried by the IP to define that validity of the IP needs to be determined when performing expression detection, where the preset condition is a legal IP or an IP to which the tag is added.
Further, if the IP meets the condition, the step of performing expression detection on the access request through the WAF virtual machine specifically comprises: performing attack behavior detection on the access request of a legal IP or of an IP to which a tag has been added, through the expression detection model of the WAF virtual machine; when the access request of a tagged IP is detected to contain an attack behavior, inputting the IP data into the blacklist model; if the access request does not contain an attack behavior, inputting the IP data into the whitelist model; and updating the whitelist model or the blacklist model.
Further, if the IP meets the condition, the step of performing regular matching on the access request through the WAF virtual machine further includes: when attack behavior detection is performed on the access request of the legal IP or the tagged IP through the expression detection model of the WAF virtual machine, returning error information to the user if an attack behavior is found.
Further, the attack behavior detection includes: SQL injection detection, cross-site script XSS detection, identity authentication and session management detection, invalid access control detection, security configuration error detection and one or more attack behavior detection in sensitive information leakage detection.
Further, the step of returning a content response message based on the access request to the user through the server after outputting a result based on the non-attack behavior detected by the expression and after a second preset rule specifically includes:
the virtual database receives the output result of the attack-free behavior output from the virtual machine based on the expression detection;
extracting the address of the content carried by the corresponding data access request in the output result;
forming a request queue based on priority setting, respectively carrying out address matching query in a virtual database according to data requests in the queue to obtain content positions based on addresses, and sending requests for obtaining the content to a web server;
the Web server calls corresponding contents to a virtual database and sends the contents to the WAF virtual machine according to the same priority order;
and the WAF virtual machine calls a sensitive data detection model to perform content detection, judges whether the data carried in the data access request belongs to sensitive data or not, and returns the content data based on the request to the user if the data does not belong to the sensitive data.
Further, the setting of the priority comprises one or more of time, access authority level and data acquisition importance degree.
Further, if the IP does not meet the preset condition, extracting feature data carried by the data of the access request, inputting the feature data into an expression training model of the WAF virtual machine, and simultaneously returning error information to the user.
The second aspect of the present invention aims to provide an expression-based web attack behavior detection system, which includes a WAF virtual machine, a virtual database and a web server to execute the attack behavior detection method.
It is an object of a third aspect of the invention to propose a readable storage medium having stored thereon a computer program which, when being executed by a processor, carries out the steps of the attack behavior detection method as described above.
The invention has the beneficial effects that:
the invention provides a web attack behavior detection method and a system based on an expression, comprising the following steps: receiving an access request from at least one user based on a plurality of web applications; extracting IP data carried in the access request, and judging whether the IP meets a preset condition or not based on a first preset rule; if the IP meets the condition, performing expression detection on the access request through a WAF virtual machine, outputting a result based on the non-attack behavior of the expression detection, and returning a content response message based on the access request to the user through a server after a second preset rule is met; and if the IP does not meet the preset condition, extracting the characteristic data carried by the data of the access request, inputting the characteristic data into an expression training model of the WAF virtual machine, and simultaneously returning error information to the user. According to the invention, a three-level detection program is arranged in the detection, so that the accuracy and efficiency of vulnerability detection are improved.
Additional advantages, objects, and features of the invention will be set forth in part in the description which follows and in part will become apparent to those having ordinary skill in the art upon examination of the following or may be learned from practice of the invention. The objectives and other advantages of the present invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be further described in detail with reference to the accompanying drawings, in which:
fig. 1 is a flowchart of a web attack behavior detection method based on expressions.
Detailed Description
Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings. It should be understood that the preferred embodiments are illustrative of the invention only and are not limiting upon the scope of the invention.
As shown in fig. 1, the present invention provides a web attack behavior detection method based on an expression, which specifically includes:
step S101: receiving an access request from at least one user based on a plurality of web applications;
In the invention, a user sends a content access request to a server through a web application in a browser. In practice, because the application may contain bugs or other defects, the web application can easily be exploited by an attacker, who bypasses the application to access data illegally and thereby launches an attack on the server or the database; vulnerability detection is therefore necessary. Meanwhile, multiple users may access content simultaneously through different web applications and browsers, which requires multi-threaded processing. The invention can perform the corresponding thread processing according to the access requests received.
Step S102: extracting IP data carried in the access request, and judging whether the IP meets a preset condition or not based on a first preset rule;
In the invention, a multi-level attack detection process is set, which comprises IP-based attack behavior detection and two rounds of expression model detection, thereby achieving vulnerability detection efficiency.
In step S102, a first layer of IP-based detection is set. Its purpose is to find whether a malicious attack source IP exists. A data access usually carries the source IP address, so detection by IP address is not complicated to implement, and such a mode also exists in the prior art. In the invention, firstly, the data features carried in an access request from an illegal IP are extracted, instead of error information simply being returned after the illegal IP's access, and these features are used to judge the expression injection vulnerability features that the illegal IP's attack may carry, which provides data support for the expression training model. Secondly, although the invention also sets up an IP library in whitelist or blacklist mode, its aim is to tag an IP for related detection when the IP appears in neither the whitelist nor the blacklist. In practice not all IPs are offensive, so accurately distinguishing the IPs that pose a real threat is the detection aim of the invention, namely detection accuracy.
Based on the above, the present invention sets a first preset rule, which is to set a blacklist detection model rule and a whitelist detection model rule, so as to determine whether the IP satisfies a preset condition, where the preset condition is defined as belonging to the blacklist, the whitelist or not, so as to determine a legal IP, an illegal IP, and an IP to which a tag is added. Specifically, the determining whether the IP meets the preset condition based on the first preset rule includes setting a blacklist detection model and a whitelist detection model based on the IP, respectively, if the IP meets the whitelist detection model, the IP is a legal IP, if the IP matches the blacklist detection model, the IP is an illegal IP, and if the IP does not belong to either the whitelist or the blacklist model, tagging an access request carried by the IP to define validity of the IP to be determined when performing expression detection, where the preset condition is a legal IP or an IP to which a tag is added.
And S103, if the IP meets the condition, performing expression detection on the access request through the WAF virtual machine, outputting a result based on the non-attack behavior of the expression detection, and returning a content response message based on the access request to the user through the server after a second preset rule is met.
In the present invention, when step S102 finds that the IP is a legal or tagged IP, the IP is for the moment not a threat, and the access request it carries may also be without threat. For the accuracy of vulnerability detection, however, the invention performs expression injection detection on the access request by means of the WAF virtual machine. Existing expression detection uses a conventional detection model; the expression detection model of the invention differs from the prior art in that it is a comprehensive detection model integrating a plurality of attack behavior detection models. The model is obtained by training on all vulnerability data before the current time period, and whether a vulnerability exists is determined by this detection model. To describe the invention more clearly: the WAF virtual machine is set up to prevent a data access request from reaching the web server directly without detection, and only access requests that satisfy the detection result can acquire the content.
In the invention, when an IP found to be legal, or an IP to which a tag has been added, enters the virtual machine for detection, this is the second layer of detection. The step of performing expression detection on the access request through the WAF virtual machine specifically comprises: performing attack behavior detection on the access request of the legal IP or the tagged IP through the expression detection model of the WAF virtual machine; when the access request of a tagged IP is detected to contain an attack behavior, inputting the IP data into the blacklist model; if the access request of the tagged IP does not contain an attack behavior, inputting the IP data into the whitelist model; and updating the whitelist model or the blacklist model.
If the IP meets the condition, the step of performing regular matching on the access request through the WAF virtual machine further comprises: when attack behavior detection is performed on the access request of the legal IP or the tagged IP through the expression detection model of the WAF virtual machine, returning error information to the user if an attack behavior is found.
The attack behavior detection comprises: SQL injection detection, cross-site script XSS detection, identity authentication and session management detection, invalid access control detection, security configuration error detection and one or more attack behavior detection in sensitive information leakage detection.
The step of returning a content response message based on the access request to the user through the server after outputting a result based on the non-attack behavior detected by the expression and after a second preset rule specifically includes:
the virtual database receives the output result of the attack-free behavior output from the virtual machine based on the expression detection;
extracting the address of the content carried by the corresponding data access request in the output result;
forming a request queue based on priority setting, respectively carrying out address matching query in a virtual database according to data requests in the queue to obtain content positions based on addresses, and sending requests for obtaining the content to a web server;
the Web server calls corresponding contents to a virtual database and sends the contents to the WAF virtual machine according to the same priority order;
The invention also sets a third layer of attack behavior detection. This detection targets the content and judges whether sensitive data may be present in it. The WAF virtual machine calls a sensitive data detection model to perform content detection, judges whether the data carried in the data access request belongs to sensitive data, and returns the requested content data to the user if the data does not belong to sensitive data.
The setting of the priority comprises one or more of time, access authority level and data acquisition importance degree.
And S104, if the IP does not meet the preset condition, extracting the characteristic data carried by the data of the access request, inputting the characteristic data into an expression training model of the WAF virtual machine, and simultaneously returning error information to the user.
If the IP does not meet the preset condition, extracting the characteristic data carried by the data of the access request, inputting the characteristic data into an expression training model of the WAF virtual machine, and simultaneously returning error information to the user.
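The flow of steps S101 to S104, including the list update for tagged IPs and the third-layer content check, as an added Python example that is not code from the patent. The regex sets, the class and field names, the lower-number-first priority convention and the sample requests are assumptions constructed for illustration.

```python
import heapq
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Assumption: small regex sets stand in for the "expression detection model"
# and the "sensitive data detection model"; the patent publishes no rules.
ATTACK_EXPRESSIONS = {
    "sqli": re.compile(r"(?i)(\bunion\b.+\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+)"),
    "xss": re.compile(r"(?i)(<\s*script\b|javascript:)"),
}
SENSITIVE_EXPRESSIONS = [
    re.compile(r"(?i)\bpassword\s*[:=]"),
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
]


@dataclass
class Request:
    ip: str
    url: str           # path plus query string, still percent-encoded
    priority: int = 5  # lower value is served first (assumed convention)


class ThreeLevelWaf:
    def __init__(self, whitelist, blacklist, content_store):
        self.whitelist = {ipaddress.ip_address(i) for i in whitelist}
        self.blacklist = {ipaddress.ip_address(i) for i in blacklist}
        self.content_store = content_store  # stands in for web server + virtual database
        self.training_features = Counter()  # feature -> times seen
        self._queue, self._seq = [], 0

    def classify_ip(self, ip):
        """Level 1 (S102): legal, illegal, or tagged for later judgement."""
        addr = ipaddress.ip_address(ip)
        if addr in self.blacklist:  # deny wins if an address is on both lists
            return "illegal"
        return "legal" if addr in self.whitelist else "tagged"

    @staticmethod
    def detect(url):
        """Level 2 (S103): match attack expressions against the decoded URL."""
        decoded = unquote_plus(url)  # decode first so %3Cscript%3E is not missed
        return [name for name, rx in ATTACK_EXPRESSIONS.items() if rx.search(decoded)]

    def admit(self, req):
        verdict = self.classify_ip(req.ip)
        hits = self.detect(req.url)
        if verdict == "illegal":
            # S104: keep the request's features for training, then refuse.
            params = [f"param:{k}" for k in parse_qs(urlsplit(req.url).query)]
            self.training_features.update(hits + params)
            return "error"
        if verdict == "tagged":
            # The expression result settles which list the unknown IP joins.
            target = self.blacklist if hits else self.whitelist
            target.add(ipaddress.ip_address(req.ip))
        if hits:
            return "error"
        heapq.heappush(self._queue, (req.priority, self._seq, req))
        self._seq += 1
        return "queued"

    def drain(self):
        """Second preset rule plus level 3: serve by priority, scan content."""
        served = []
        while self._queue:
            _, _, req = heapq.heappop(self._queue)
            body = self.content_store.get(urlsplit(req.url).path, "")
            blocked = any(rx.search(body) for rx in SENSITIVE_EXPRESSIONS)
            served.append((req.ip, "error" if blocked else body))
        return served


def demo():
    # Constructed sample data: made-up addresses and content.
    waf = ThreeLevelWaf(
        whitelist=["10.0.0.5"],
        blacklist=["203.0.113.9"],
        content_store={"/index": "welcome", "/export": "password: example-only"},
    )
    requests = [
        Request("10.0.0.5", "/index?id=1", priority=2),
        Request("198.51.100.7", "/index?q=%3Cscript%3Ealert(1)%3C/script%3E"),
        Request("198.51.100.8", "/export?fmt=csv", priority=1),
        Request("203.0.113.9", "/index?id=1%27%20OR%20%271%27=%271"),
    ]
    admitted = [waf.admit(r) for r in requests]
    return waf, admitted, waf.drain()


if __name__ == "__main__":
    waf, admitted, served = demo()
    print(admitted, served, dict(waf.training_features))
```

The third request shows why the content check matters: its URL is clean and its IP is promoted to the whitelist, yet the response body is withheld because it matches a sensitive-data expression.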
According to an embodiment of the present invention, the present invention further provides an expression-based web attack behavior detection system, which includes a WAF virtual machine, a virtual database, and a web server, so as to execute the attack behavior detection method described above.
According to an embodiment of the present invention, the present invention proposes a readable storage medium having stored thereon a computer program which, when being executed by a processor, implements the steps of the attack behavior detection method as described above.
It should be recognized that embodiments of the present invention can be realized and implemented by computer hardware, a combination of hardware and software, or by computer instructions stored in a non-transitory computer readable memory. The methods may be implemented in a computer program using standard programming techniques, including a non-transitory computer-readable storage medium configured with the computer program, where the storage medium so configured causes a computer to operate in a specific and predefined manner, according to the methods and figures described in the detailed description. Each program may be implemented in a high level procedural or object oriented programming language to communicate with a computer system. However, the program(s) can be implemented in assembly or machine language, if desired. In any case, the language may be a compiled or interpreted language. Furthermore, the program can be run on a programmed application specific integrated circuit for this purpose.
Further, the operations of processes described herein can be performed in any suitable order unless otherwise indicated herein or otherwise clearly contradicted by context. The processes described herein (or variations and/or combinations thereof) may be performed under the control of one or more computer systems configured with executable instructions, and may be implemented as code (e.g., executable instructions, one or more computer programs, or one or more applications) collectively executed on one or more processors, by hardware, or combinations thereof. The computer program includes a plurality of instructions executable by one or more processors.
Further, the method may be implemented in any type of computing platform operatively connected to a suitable interface, including but not limited to a personal computer, mini computer, mainframe, workstation, networked or distributed computing environment, separate or integrated computer platform, or in communication with a charged particle tool or other imaging device, and the like. Aspects of the invention may be embodied in machine-readable code stored on a non-transitory storage medium or device, whether removable or integrated into a computing platform, such as a hard disk, optically read and/or write storage medium, RAM, ROM, or the like, such that it may be read by a programmable computer, which when read by the storage medium or device, is operative to configure and operate the computer to perform the procedures described herein. Further, the machine-readable code, or portions thereof, may be transmitted over a wired or wireless network. The invention described herein includes these and other different types of non-transitory computer-readable storage media when such media include instructions or programs that implement the steps described above in conjunction with a microprocessor or other data processor. The invention also includes the computer itself when programmed according to the methods and techniques described herein.
A computer program can be applied to input data to perform the functions described herein to transform the input data to generate output data that is stored to non-volatile memory. The output information may also be applied to one or more output devices, such as a display. In a preferred embodiment of the invention, the transformed data represents physical and tangible objects, including particular visual depictions of physical and tangible objects produced on a display.
Finally, the above embodiments are only intended to illustrate the technical solutions of the present invention and not to limit the present invention, and although the present invention has been described in detail with reference to the preferred embodiments, it will be understood by those skilled in the art that modifications or equivalent substitutions may be made on the technical solutions of the present invention without departing from the spirit and scope of the technical solutions, and all of them should be covered by the claims of the present invention.

Claims (10)

1. A web attack behavior detection method based on expressions is characterized by comprising the following steps:
step S101: receiving an access request from at least one user based on a plurality of web applications;
step S102: extracting IP data carried in the access request, and judging whether the IP meets a preset condition or not based on a first preset rule; if yes, go to step S103; if not, entering step S104;
step S103: performing expression detection on the access request through a WAF virtual machine, outputting a result based on the non-attack behavior of the expression detection, and returning a content response message based on the access request to the user through a server after a second preset rule is met;
and step S104, extracting characteristic data carried by the data of the access request, inputting the characteristic data into an expression training model of the WAF virtual machine, and simultaneously returning error information to a user.
2. The method for detecting web attack behavior based on expression as claimed in claim 1, wherein the step 102 of determining whether the IP satisfies the preset condition based on the first preset rule specifically includes: respectively setting a blacklist detection model and a white list detection model based on an IP, if the IP accords with the white list detection model, the IP is a legal IP, if the IP is matched with the blacklist detection model, the IP is an illegal IP, if the IP does not belong to the white list or the blacklist model, a label is added to an access request carried by the IP so as to define the legality of the IP which needs to be judged when expression detection is carried out, wherein the preset condition is the legal IP or the IP added with the label.
3. The expression-based web attack behavior detection method according to claim 2, wherein: in step S104, the step of performing expression detection on the access request through the waf virtual machine specifically includes:
and carrying out attack behavior detection on the access request of a legal IP or an IP with a label through an expression detection model of the WAF virtual machine, inputting IP data to a blacklist model when detecting that the access request of the IP with the label contains an attack behavior, and inputting the IP data to a white list model and carrying out model updating on the white list model or the blacklist model if the access request does not contain the attack behavior.
4. The expression-based web attack behavior detection method according to claim 3, wherein: the step of performing regular matching on the access request through the waf virtual machine further comprises: and when the attack behavior is detected through an expression detection model of the WAF virtual machine in the access request of the legal IP or the IP added with the label, returning error information to the user if the attack behavior is found.
5. The expression-based web attack behavior detection method according to claim 4, wherein: the attack behavior detection comprises: SQL injection detection, cross-site script XSS detection, identity authentication and session management detection, invalid access control detection, security configuration error detection and one or more attack behavior detection in sensitive information leakage detection.
6. The expression-based web attack behavior detection method according to claim 5, wherein: in step S103, the step of returning a content response message based on the access request to the user through the server specifically includes:
the virtual database receives the output result of the attack-free behavior output from the virtual machine based on the expression detection;
extracting the address of the content carried by the corresponding data access request in the output result;
forming a request queue based on priority setting, respectively carrying out address matching query in a virtual database according to data requests in the queue to obtain content positions based on addresses, and sending requests for obtaining the content to a web server;
the Web server calls corresponding contents to a virtual database and sends the contents to the WAF virtual machine according to the same priority order;
and the WAF virtual machine calls a sensitive data detection model to perform content detection, judges whether the data carried in the data access request belongs to sensitive data or not, and returns the content data based on the request to the user if the data does not belong to the sensitive data.
7. The expression-based web attack behavior detection method according to claim 6, wherein: the setting of the priority comprises one or more of time, access authority level and data acquisition importance degree.
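The response path of claims 6 and 7, sketched as an added example that is not part of the patent text: requests that passed expression detection are queued by priority, resolved through the virtual database, fetched from the web server, and checked for sensitive data before anything is returned. The dictionaries, the priority ordering, the regex-based sensitive-data model and the "withheld" outcome are all assumptions made for illustration.

```python
import heapq
import re

# Constructed stand-ins: virtual database (address -> location) and web server (location -> content)
VIRTUAL_DB = {"/report/q1": "store/a1", "/hr/staff": "store/b7", "/news/1": "store/c3"}
WEB_SERVER = {
    "store/a1": "Q1 load forecast: 4.2 GW peak",
    "store/b7": "Staff record: ID number 000000199001010000",
    "store/c3": "Maintenance window on Saturday",
}
# Assumed sensitive data detection model: an 18-character ID number or an 11-digit mobile number
SENSITIVE_PATTERNS = [re.compile(r"\b\d{17}[\dXx]\b"), re.compile(r"\b1[3-9]\d{9}\b")]
# Constructed requests that already passed expression detection with no attack behavior found
SAMPLE_REQUESTS = [
    {"address": "/news/1", "access_level": 1, "importance": 1, "time": 1.0},
    {"address": "/hr/staff", "access_level": 3, "importance": 2, "time": 2.0},
    {"address": "/report/q1", "access_level": 3, "importance": 5, "time": 3.0},
    {"address": "/missing", "access_level": 1, "importance": 1, "time": 0.5},
]

def priority_key(req):
    # Claim 7 names time, access authority level and data importance;
    # ranking level first, then importance, then arrival time is an assumption.
    return (-req["access_level"], -req["importance"], req["time"])

def is_sensitive(content):
    return any(p.search(content) for p in SENSITIVE_PATTERNS)

def serve(clean_requests):
    """Return (address, status, body) tuples in the order the queue served them."""
    queue = []
    for seq, req in enumerate(clean_requests):
        # seq breaks ties so the request dicts themselves are never compared
        heapq.heappush(queue, (priority_key(req), seq, req))
    results = []
    while queue:
        _, _, req = heapq.heappop(queue)
        location = VIRTUAL_DB.get(req["address"])   # address matching query
        if location is None:
            results.append((req["address"], "not_found", None))
            continue
        content = WEB_SERVER[location]              # content fetched from the web server
        if is_sensitive(content):                   # egress check before replying
            results.append((req["address"], "withheld", None))
        else:
            results.append((req["address"], "ok", content))
    return results
```

The egress check runs on the fetched content rather than on the request, so a request that looks harmless can still be refused when what it resolves to matches the sensitive-data model.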
8. The expression-based web attack behavior detection method according to claim 6, wherein step S104 further comprises: when the IP is successfully matched in the blacklist model and meets a preset condition, extracting the feature data carried by the access request data from that IP and inputting the feature data into an expression training model of the WAF virtual machine; judging whether the feature exists in the training model; if the feature does not exist, storing the feature data and updating the training model; if the feature exists, counting the feature data in the expression training model; and finally returning error information to the user.
9. An expression-based web attack behavior detection system, characterized in that the system comprises a WAF virtual machine, a virtual database and a web server, which execute the attack behavior detection method according to any one of claims 1 to 8.
10. A readable storage medium, characterized in that the readable storage medium stores a computer program which, when executed by a processor, carries out the steps of the attack behavior detection method according to any one of claims 1 to 8.
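The blacklist branch of claim 8, as an added example that is not part of the patent text: features from a blacklisted IP's request are stored if new and counted if already known, and the request is rejected either way. The feature definition (a per-parameter character-class skeleton), the preset condition, the class and function names, and the sample address and URLs are assumptions; the claim leaves all of them open.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

BLACKLIST = {"203.0.113.7"}   # constructed address from a documentation range

class ExpressionTrainingModel:
    """Hypothetical model: features seen from blacklisted IPs and how often each recurred."""
    def __init__(self):
        self.counts = Counter()
        self.version = 0          # bumped each time a new feature is stored

    def observe(self, feature):
        if feature in self.counts:
            self.counts[feature] += 1   # feature exists: count it
            return "counted"
        self.counts[feature] = 1        # feature is new: store it and update the model
        self.version += 1
        return "stored"

def skeleton(value):
    """Assumed feature form: letter runs become 'a', digit runs become '0', punctuation kept."""
    value = re.sub(r"[A-Za-z]+", "a", value)
    return re.sub(r"\d+", "0", value)

def extract_features(url):
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    return [(parts.path, name, skeleton(val)) for name, val in pairs]

def meets_preset_condition(hits):
    # Assumption: the IP has matched the blacklist at least twice.
    return hits >= 2

def handle_blacklisted(ip, url, hits, model):
    """Return (error response, per-feature outcomes); the request is always rejected."""
    outcomes = []
    if ip in BLACKLIST and meets_preset_condition(hits):
        outcomes = [model.observe(f) for f in extract_features(url)]
    return {"status": 403, "body": "request rejected"}, outcomes

# Constructed sample URLs: the two values differ only in their literals
URL_A = "/item?id=12%27%20OR%20%271%27%3D%271"
URL_B = "/item?id=99%27%20OR%20%275%27%3D%275"
```

Because the skeleton discards literal values, `URL_A` and `URL_B` map to the same feature, so the second request increments a count instead of adding a new entry.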
CN202110336048.XA 2021-03-29 2021-03-29 Web attack behavior detection method and system based on expression Pending CN113190838A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110336048.XA CN113190838A (en) 2021-03-29 2021-03-29 Web attack behavior detection method and system based on expression

Publications (1)

Publication Number Publication Date
CN113190838A true CN113190838A (en) 2021-07-30

Family

ID=76974395

Country Status (1)

Country Link
CN (1) CN113190838A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (Application publication date: 20210730)