CN114124520A - Multi-mode-based mimic WAF execution body implementation method - Google Patents
- Publication number: CN114124520A
- Application number: CN202111386242.5A
- Authority: CN (China)
- Prior art keywords: flow, module, executor, waf, matching
- Legal status: Pending (status as listed by Google Patents, not a legal conclusion)
Classifications
- H04L63/1483—Countermeasures against malicious traffic; service impersonation, e.g. phishing, pharming or web spoofing
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H04L41/16—Arrangements for maintenance, administration or management of data switching networks using machine learning or artificial intelligence
- G06N3/044—Recurrent networks, e.g. Hopfield networks
- G06N3/045—Combinations of networks
- G06N3/049—Temporal neural networks, e.g. delay elements, oscillating neurons or pulsed inputs
Abstract
The invention discloses a multi-mode-based mimic WAF executor implementation method which enables the WAF executor to recognise differently encoded traffic, judges the maliciousness of the traffic from both a rule-based and an AI (artificial intelligence) mode, and greatly improves the accuracy of the executor. The invention mainly designs an encoding recognition and analysis module, a traffic analysis module, a rule matching module and the like to implement the function of the executor: the traffic is first decoded by the encoding recognition and analysis module, then the traffic analysis module parses the traffic to obtain the data of its important parts, and finally an accurate maliciousness score for the traffic is obtained through the comprehensive judgment of two modules, rule matching and AI judgment.
Description
Technical Field
The invention belongs to the technical field of network security, and in particular relates to a multi-mode-based mimic WAF executor implementation method.
Background
With the deepening of digital construction, companies operate more and more business systems, and attacks against the application layer of web application systems pose an ever greater threat to them. According to a Gartner survey, 75% of information security attacks occur at the Web application layer; attack techniques based on the Web application layer are growing explosively and are continuously renewed, bringing serious hidden dangers to the security of business systems, and Web applications, as the most widespread form of business system, face great challenges.
Many people think that network security can be improved by continuously deploying devices such as firewalls, Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) in the network. But why do application-based attack events still occur? The fundamental reason is that traditional network security devices have a very limited effect against application-layer attacks, especially on Web systems. Most existing firewalls work at the network layer: they implement access control by filtering network-layer data (ACLs based on the TCP/IP packet header), and a stateful firewall ensures that the internal network cannot be illegally accessed from the external network. All processing is at the network layer, and the nature of application-layer attacks is undetectable there. IDS and IPS use deep packet inspection to examine the application-layer traffic in network data and match it against an attack feature library, so that known network attacks are identified and application-layer attacks are defended against. However, IDS and IPS are also ineffective against unknown attacks, attacks that may occur in the future, and application-layer attacks implemented through flexible encoding and packet segmentation.
In order to structurally solve the WAF's own security problem, and at the same time avoid the potential security hazards that this problem causes, a mimic security cloud WAF is designed and implemented. Through structural changes such as cloud deployment, heterogeneity, redundancy, dynamics and intelligence, the WAF forms a mimic security defense capability, and at the same time gains the ability to defend against unknown attacks in an adjudication mode.
Disclosure of Invention
The invention aims to provide a multi-mode-based mimic WAF executor implementation method that addresses the defects of the prior art.
The purpose of the invention is achieved by the following technical scheme. A multi-mode-based mimic WAF executor implementation method comprises the following steps:
(1) After receiving the traffic, the mimic WAF executor must recognise and decode it through the encoding recognition and analysis module, specifically as follows:
(1.1) The encoding recognition and analysis module has built-in recognition patterns for the currently common encodings, such as URL encoding, Base64 encoding and PHP serialization encoding; when the scanned traffic matches a pattern, the corresponding decoding method is used to decode the traffic.
(2) From the decoded traffic obtained in step (1), the traffic analysis module extracts the parts of the traffic that may be used for attacks, namely the URL parameters, the POST content, the cookie content, the URL itself and the like. These contents are denoted C_i (1 ≤ i ≤ m), where m is the number of key-part contents.
(3) Multi-mode judgment is performed on the different fragment contents obtained in step (2). It is mainly divided into a rule matching module and an AI model judgment module, and specifically comprises the following steps:
(3.1) The rule matching module requires some manually defined rules R_i (1 ≤ i ≤ k), where k is the number of rules, and each rule has a corresponding maliciousness score S_i (1 ≤ i ≤ k). Let sum denote the final score of rule judgment and num the number of successful matches, both initially 0. The rules are traversed in turn and matched against C; whenever a match succeeds, sum = sum + S_i and num = num + 1 are executed. Finally the rule matching score is PR = sum / num.
(3.2) The feature extraction module extracts features from each content C, including but not limited to the ratio of upper-case to lower-case characters, the number of special characters, the average parameter length and the like.
(3.3) The AI model judgment module analyses the features extracted in step (3.2). The AI model may use different classifiers, including but not limited to CNN, LSTM and logistic regression, and finally outputs the malicious probability AR of the AI model.
(4) The comprehensive judgment module judges using the results obtained in steps (3.1) and (3.3). The proportions of the rules and of the AI in the final score are set manually: let the proportion of the rules be alpha and the proportion of the AI be beta; the final maliciousness score is score = PR × alpha + AR × beta.
Compared with the prior art, the invention has the following beneficial effects:
(1) Against application-layer attacks implemented through flexible encoding and packet segmentation, which IDS and IPS cannot effectively protect against, the invention handles such attacks well by adding an encoding analysis module;
(2) the invention adopts a multi-mode judgment mode, whose result is more accurate than that of a single judgment mode, and can greatly improve the defense performance of the mimic WAF;
(3) the invention enlarges the heterogeneous surface of the executor: heterogeneity can be introduced in each of the three modules, the encoding recognition and analysis module, the rule module and the AI model judgment module, so the heterogeneity of the executor is greatly improved.
Drawings
FIG. 1 is an overview diagram of the mimic WAF executor implementation.
Detailed Description
As shown in Figure 1, the invention relates to a multi-mode-based mimic WAF executor implementation method, which mainly designs an encoding recognition and analysis module, a traffic analysis module, a rule matching module, an AI model judgment module and the like to implement the function of the executor: HTTP traffic is first decoded by the encoding recognition and analysis module, then the traffic analysis module parses the traffic to obtain the data of its important parts, and finally an accurate maliciousness score for the traffic is obtained through the comprehensive judgment of the rule matching and AI model judgment modules. The method specifically comprises the following steps:
(1) After receiving the traffic, the mimic WAF executor must recognise and decode it through the encoding recognition and analysis module. The module has built-in recognition patterns for the currently common encodings (URL encoding, JavaScript Unicode encoding, Base64 encoding, PHP serialization encoding, GBK encoding, JSP/Servlet encoding and the like); when the scanned traffic matches a pattern, the corresponding decoding method is used to decode the traffic.
(2) The traffic analysis module extracts the parts of the traffic that may be used for attacks, including the URL parameter part, the POST content, the cookie content, the URL, the session content, the User-Agent part and the like. These contents are denoted C_i (1 ≤ i ≤ m), where i is the index of the key-part content and m is the number of key-part contents.
(3) Multi-mode judgment is performed on the different fragment contents obtained in step (2). It is mainly divided into a rule matching module and an AI model judgment module, and specifically comprises the following steps:
(3.1) The rule matching module requires some manually defined regular-expression matching rules R_j (1 ≤ j ≤ k) for matching, where k is the number of rules, and each rule has a corresponding maliciousness score S_j (1 ≤ j ≤ k). Let sum denote the final score of rule matching and num the number of successful rule matches, both initially 0. Each C_i is traversed in turn and matched against the different rules R_j; whenever a match succeeds, sum = sum + S_j and num = num + 1 are executed. Finally the rule matching score is PR = sum / num.
(3.2) The feature extraction module extracts features from each content C_i, including but not limited to the ratio of upper-case to lower-case characters, the number of special characters, the average parameter length, the number of parameters, the number of digits and the like.
(3.3) The AI model judgment module analyses the features extracted in step (3.2). The AI model may use different classifiers, including but not limited to CNN, LSTM and logistic regression, and finally outputs the malicious probability AR of the AI model.
(4) The comprehensive judgment module judges using the results obtained in steps (3.1) and (3.3), where the manually set proportions of the rules and of the AI in the final score are as follows: let the proportion of the rules be alpha and the proportion of the AI be beta; the final maliciousness score is score = PR × alpha + AR × beta.
The invention not only makes the output result more accurate but also enlarges the heterogeneous surface of the executor: heterogeneity can be introduced in the encoding recognition and analysis module, the rule matching module and the AI model judgment module, thereby greatly improving the heterogeneity of the executor.
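As an added illustration that is not part of the patent, the following Python sketch implements steps (1) to (4) above end to end on two constructed requests. The rule set and its scores, the logistic-regression weights standing in for the AI model, the values of alpha and beta, and the sample requests are all assumptions made for this example.

```python
# Added example (not the patent's own code): a minimal multi-mode mimic WAF
# executor following steps (1)-(4); rules, scores, the logistic weights that
# stand in for the AI model, alpha/beta and the sample requests are constructed.
import base64, binascii, math, re
from urllib.parse import parse_qs, unquote, urlsplit
# Step (1): decode URL and Base64 layers, repeating until the text stops
# changing so that nested encodings (e.g. double URL encoding) are peeled.
_B64 = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")
def decode_layers(text: str, max_rounds: int = 5) -> str:
    for _ in range(max_rounds):
        decoded = unquote(text)                        # URL encoding (%xx)
        if decoded == text and _B64.match(text):       # Base64 (heuristic: an
            try:                                       # ordinary word can match)
                raw = base64.b64decode(text, validate=True).decode("utf-8")
                decoded = raw if raw.isprintable() else text
            except (binascii.Error, UnicodeDecodeError):
                pass
        if decoded == text:
            return text
        text = decoded
    return text

# Step (2): the key parts C_1..C_m of one request (a plain dict here; a real
# executor parses the raw HTTP message), decoded after the split so that an
# encoded delimiter cannot corrupt the parsing.
def extract_parts(req: dict) -> list:
    url = urlsplit(req["url"])
    parts = [url.path]                                             # url itself
    for values in parse_qs(url.query, keep_blank_values=True).values():
        parts.extend(values)                                       # url parameters
    parts += [req.get("body", ""), req.get("cookie", ""), req.get("user_agent", "")]
    return [decode_layers(p) for p in parts if p]

# Step (3.1): rules R_j with scores S_j in [0, 1]; PR is the mean score of the
# successful matches, defined as 0 when nothing matched (num == 0).
RULES = [(re.compile(r"(?i)\bunion\b.+\bselect\b"), 0.9),
         (re.compile(r"(?i)<script\b"), 0.85),
         (re.compile(r"\.\./"), 0.7),
         (re.compile(r"(?i)\bor\b\s+\d+\s*=\s*\d+"), 0.6)]

def rule_score(parts: list) -> float:
    total, num = 0.0, 0
    for c in parts:
        for pattern, s_j in RULES:
            if pattern.search(c):
                total, num = total + s_j, num + 1
    return total / num if num else 0.0

# Step (3.2): per-part features named in the description (upper-case ratio,
# special-character ratio, digit ratio) plus log length.
def features(c: str) -> list:
    n, letters = max(len(c), 1), [ch for ch in c if ch.isalpha()]
    upper = sum(ch.isupper() for ch in letters) / max(len(letters), 1)
    special = sum(not ch.isalnum() and not ch.isspace() for ch in c) / n
    return [upper, special, sum(ch.isdigit() for ch in c) / n, math.log1p(len(c))]

# Step (3.3): stand-in for the AI model, a logistic regression with constructed
# (untrained) weights; AR is the highest malicious probability over all parts.
WEIGHTS, BIAS = [2.0, 8.0, 1.0, 0.5], -4.5
def ai_probability(parts: list) -> float:
    best = 0.0
    for c in parts:
        z = BIAS + sum(w * x for w, x in zip(WEIGHTS, features(c)))
        best = max(best, 1.0 / (1.0 + math.exp(-z)))
    return best

# Step (4): comprehensive judgment, score = PR * alpha + AR * beta.
def final_score(req: dict, alpha: float = 0.6, beta: float = 0.4) -> float:
    parts = extract_parts(req)
    return rule_score(parts) * alpha + ai_probability(parts) * beta

# Constructed samples: a benign search and a double URL-encoded SQL test string.
BENIGN = {"url": "/search?q=hello", "user_agent": "Mozilla/5.0"}
SUSPECT = {"url": "/item?id=7&q=1%2527%2520UNION%2520SELECT%25201%252C2--",
           "cookie": "sid=abc123", "user_agent": "curl/7.88.1"}
```

Note that PR is undefined in the patent's formula when no rule matches (num = 0); the sketch defines it as 0 in that case, and because the Base64 check is a heuristic, an ordinary word that happens to be valid Base64 is only accepted if it decodes to printable text.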
Claims (5)
1. A multi-mode-based mimic WAF executor implementation method, characterised by comprising the following steps:
(1) After receiving the traffic, the mimic WAF executor recognises and decodes it through an encoding recognition and analysis module, comprising the following step:
(1.1) The encoding recognition and analysis module has built-in recognition patterns for various encodings; when the scanned traffic matches a recognition pattern, the corresponding decoding method is used to decode the traffic.
(2) From the decoded traffic obtained in step (1), the traffic analysis module extracts the contents that may be used for attacks, obtaining the key-part contents C_i (1 ≤ i ≤ m).
(3) Multi-mode judgment is performed on the different fragment contents obtained in step (2); it is mainly divided into a rule matching module and an AI model judgment module and comprises the following steps:
(3.1) The rule matching module comprises k rules R_j (1 ≤ j ≤ k), each with a corresponding maliciousness score S_j (1 ≤ j ≤ k). sum denotes the final score of rule judgment and num the number of successful matches, both initially 0. Each C_i is traversed in turn and matched against the different rules; whenever a match succeeds, sum = sum + S_j and num = num + 1 are executed. Finally the rule matching score is PR = sum / num.
(3.2) The feature extraction module extracts features from each content C_i.
(3.3) The AI model judgment module analyses the features extracted in step (3.2) with a classifier and finally obtains the malicious probability AR.
(4) The comprehensive judgment module combines the results obtained in steps (3.1) and (3.3) to judge: the proportion of the rule matching score is alpha, the proportion of the malicious probability is beta, and the final maliciousness score is score = PR × alpha + AR × beta.
2. The multi-mode-based mimic WAF executor implementation method of claim 1, wherein in step (1.1) the encodings include URL encoding, Base64 encoding, PHP serialization encoding, GBK encoding, JSP/Servlet encoding and the like.
3. The multi-mode-based mimic WAF executor implementation method of claim 1, wherein in step (2) the key-part contents include the URL parameters, the POST content, the cookie content, the URL itself, the session content, the User-Agent part and the like.
4. The multi-mode-based mimic WAF executor implementation method of claim 1, wherein in step (3.2) the extracted features include, but are not limited to, the ratio of upper-case to lower-case characters, the number of special characters, the average parameter length, the number of digits and the like.
5. The multi-mode-based mimic WAF executor implementation method of claim 1, wherein in step (3.3) the AI model judgment module uses classifiers including, but not limited to, CNN, LSTM, logistic regression and the like.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111386242.5A CN114124520A (en) | 2021-11-22 | 2021-11-22 | Multi-mode-based mimic WAF execution body implementation method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN114124520A true CN114124520A (en) | 2022-03-01 |
Family
ID=80439466
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111386242.5A Pending CN114124520A (en) | 2021-11-22 | 2021-11-22 | Multi-mode-based mimic WAF execution body implementation method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114124520A (en) |
Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20100095367A1 (en) * | 2008-10-09 | 2010-04-15 | Juniper Networks, Inc. | Dynamic access control policy with port restrictions for a network security appliance |
CN108897721A (en) * | 2018-05-28 | 2018-11-27 | 华为技术有限公司 | A kind of method and apparatus that the data to a variety of codings are decoded |
CN110958252A (en) * | 2019-12-05 | 2020-04-03 | 深信服科技股份有限公司 | Network security device and network attack detection method, device and medium thereof |
CN112119411A (en) * | 2018-05-14 | 2020-12-22 | 宽腾矽公司 | System and method for integrating statistical models of different data modalities |
CN112131249A (en) * | 2020-09-28 | 2020-12-25 | 绿盟科技集团股份有限公司 | Attack intention identification method and device |
CN112187833A (en) * | 2020-11-09 | 2021-01-05 | 浙江大学 | AI + regular double-matching detection method in mimicry WAF |
CN112383529A (en) * | 2020-11-09 | 2021-02-19 | 浙江大学 | Method for generating confrontation flow in mimicry WAF |
CN112491803A (en) * | 2020-11-03 | 2021-03-12 | 浙江大学 | Method for judging executive in mimicry WAF |
CN112769851A (en) * | 2021-01-19 | 2021-05-07 | 汉纳森(厦门)数据股份有限公司 | Mimicry defense system based on Internet of vehicles |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | | |
SE01 | Entry into force of request for substantive examination | | |
WD01 | Invention patent application deemed withdrawn after publication | | |
Application publication date: 20220301