CN114257403B - False alarm detection method, equipment and readable storage medium - Google Patents

Publication number: CN114257403B (application CN202111355392.XA; earlier publication CN114257403A)
Authority: CN (China)
Legal status: Active (granted)
Original and current assignee: Beijing Mesh Technology Co ltd
Inventors: 陈水文, 殷声芳, 林燕文
Original language: Chinese (zh)
Prior art keywords: attack, access, subset, target, log

Classifications

    • H04L63/1425 Traffic logging, e.g. anomaly detection (network security: detecting or protecting against malicious traffic by monitoring network traffic)
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L69/22 Parsing or analysis of headers
Abstract

The application discloses a false alarm detection method, equipment and a readable storage medium. A WAF automatically determines an access log set, determines the attack logs within the access log set to obtain an attack log set, determines the attack logs that contain a target status code and whose interception state is a preset state to obtain an attack subset, and analyzes the attack logs in the attack subset to determine the security policy that caused the false alarm. With this scheme, the access log set and the attack log set are acquired automatically and the attack logs containing the target status code and the preset state are analyzed, so the security policy causing the false alarm is determined automatically without depending on operation and maintenance personnel; the method therefore has a high degree of automation, high efficiency and high accuracy.

Description

False alarm detection method, equipment and readable storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular to a false alarm detection method, apparatus and readable storage medium.
Background
With the increasing popularity of Web applications, network attacks on Web applications are also increasing, such as cross-site scripting (Cross Site Scripting, XSS) attacks, Structured Query Language (SQL) injection and the like. Meanwhile, vulnerabilities keep appearing in Web application systems and in the underlying programs they depend on.
A Web Application Firewall (WAF) is an important tool for defending against network attacks on Web applications. The WAF sits between the user and the application's back-end server, performs real-time security detection on network access requests and blocks the various attack requests. Currently a WAF defends mainly on the basis of rules: security operators abstract characteristic data from known security vulnerabilities and attack cases according to their own security experience to form rules (i.e. a blacklist) for detecting network attacks, and these rules are then configured on the WAF to perform security detection and defense.
This detection method requires security operators to have abundant Web attack and defense experience and to be familiar with the specific service scenario; in many cases an accurate judgement is hard to make, so false alarms are common.
Disclosure of Invention
The embodiments of the application provide a false alarm detection method, equipment and a readable storage medium, which construct an analysis model and use it to analyze false alarms automatically and quickly from massive data.
In a first aspect, an embodiment of the present application provides a false alarm detection method, including:
determining an access log set and an attack log set, the attack log set being a subset of the access log set;
determining, from the attack log set, the attack logs whose HTTP (hypertext transfer protocol) status code is a target status code and whose interception state is a preset state, to obtain an attack subset;
and determining a security policy causing false alarm according to the attack subset.
In a second aspect, an embodiment of the present application provides an electronic device, including: a processor, a memory and a computer program stored on the memory and executable on the processor, which processor, when executing the computer program, causes the electronic device to carry out the method as described above in the first aspect or in the various possible implementations of the first aspect.
In a third aspect, embodiments of the present application provide a computer readable storage medium having stored therein computer instructions which, when executed by a processor, are adapted to carry out the method according to the first aspect or the various possible implementations of the first aspect.
According to the false alarm detection method, equipment and readable storage medium provided by the embodiments of the application, the WAF automatically determines the access log set, determines the attack logs within the access log set to obtain the attack log set, determines the attack logs that contain the target status code and whose interception state is a preset state to obtain an attack subset, and analyzes the attack logs in the attack subset to determine the security policy causing the false alarm. With this scheme, the access log set and the attack log set are acquired automatically and the attack logs containing the target status code and the preset state are analyzed, so the security policy causing the false alarm is determined automatically without depending on operation and maintenance personnel; the method therefore has a high degree of automation, high efficiency and high accuracy.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present application, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of an implementation environment of a false alarm detection method according to an embodiment of the present application;
FIG. 2 is a flowchart of a false alarm detection method provided by an embodiment of the present application;
FIG. 3 is another flowchart of a false alarm detection method provided by an embodiment of the present application;
FIG. 4 is a flowchart of a false alarm detection method according to an embodiment of the present application;
FIG. 5 is a flowchart of a false alarm detection method according to an embodiment of the present application;
FIG. 6 is a further flowchart of a false alarm detection method according to an embodiment of the present application;
FIG. 7 is a flowchart of a false alarm detection method according to an embodiment of the present application;
FIG. 8 is an expanded flowchart of step 706 of FIG. 7;
FIG. 9 is an expanded flowchart of step 707 of FIG. 7;
FIG. 10 is an expanded flowchart of step 708 of FIG. 7;
FIG. 11 is an expanded flowchart of step 709 of FIG. 7;
FIG. 12 is a schematic diagram of a false alarm detection device according to an embodiment of the present application;
FIG. 13 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
To make the objects, technical solutions and advantages of the present application clearer, the embodiments of the present application are described in further detail below with reference to the accompanying drawings.
A WAF is a security product used mainly to protect a wide variety of website services. Because those services differ so widely, the service and the security policy always need an adaptation period, and the core work of that adaptation is analyzing and eliminating false alarms.
Typically WAFs are divided into hardware WAFs and software WAFs. For a hardware WAF, the current situation in which it must be implemented on site by operation and maintenance personnel is difficult to change. A cloud WAF, being a public cloud service, usually handles far larger traffic and log volumes. For both hardware and software WAFs, false alarm analysis is mostly done manually, so the operation and maintenance personnel need abundant Web attack and defense experience and must be familiar with the specific business scenario, otherwise an accurate judgement is hard to make in many cases. Moreover, analyzing massive data by hand to find false alarms easily leads to omissions. Manual false alarm analysis is therefore costly and inefficient.
On this basis, the embodiments of the present application provide a false alarm detection method, apparatus and readable storage medium that automatically acquire an access log set and an attack log set, analyze the attack logs containing a target status code and a preset interception state, and automatically determine the security policy causing the false alarm, independently of operation and maintenance personnel, with a high degree of automation, high efficiency and high accuracy.
Fig. 1 is a schematic diagram of an implementation environment of a false alarm detection method according to an embodiment of the present application. Referring to fig. 1, the implementation environment includes: WAF11, service server 12 and terminal equipment 13. Network connection is established between the WAF11 and the service server 12 and between the WAF11 and the terminal device 13, respectively.
WAF11 may be a hardware WAF or a software WAF. As hardware, WAF11 is a single server or a distributed cluster of several servers; as software, it may be a single software module or several, which the embodiments of the present application do not limit. Each time WAF11 receives a service request from the terminal device 13, it checks the request against its security policies. If the request passes the check, WAF11 forwards it to the service server 12, which responds to it; at the same time WAF11 generates an access log for the request. The access log is the raw record of the information relevant to the security check.
The access log contains a time field, a domain name field, HTTP request header fields, an attack type field, an interception status field, and so on. The time field indicates when the access log was generated; the domain name field indicates the domain name carried by the corresponding service request; the HTTP request header fields hold headers such as accept and accept-encoding; the attack type field is named attack_type, and when its value is WAF_NONE the service request is a normal request, while any other enumerated value marks the request as an attack request. The interception status field is named act and is also called the processing action field.
To simplify later false alarm analysis, WAF11 structures the unstructured access logs into standard files, for example JSON files, using ELK or similar tooling, and stores the JSON files in a search server such as an ES cluster. Structuring every access log in the access log set this way makes it easy to determine attack types, interception states and so on later, which is what allows the security policy causing a false alarm to be identified quickly.
WAF11 stores security policies for a number of attack types. For each attack type, WAF11 can check a request against multiple security policies, each of which has a policy identifier. If a service request is an attack request, it necessarily failed the check of some security policy, and the request's access log contains that policy's identifier. For example, WAF11 checks whether a service request is SQL injection using 100 security policies; if the request fails the check of the 50th policy, the request is SQL injection and its access log contains the policy identifier of the 50th security policy.
Each time WAF11 performs security detection on a service request, if the request passes, the attack type field (attack_type) in the access log has the value WAF_NONE and the interception status (act) field has the value 0, meaning that WAF11 considers the request a legitimate request and does not intercept it.
If the service request fails detection, WAF11 intercepts it, which is also called blocking the request. WAF11 still generates an access log, in which attack_type is not WAF_NONE but another enumerated value and act is 1, meaning that WAF11 considers the request an attack request and has intercepted it. An intercepted service request is called an attack request, and the corresponding access log is called an attack log.
A service request may also fail detection without WAF11 intercepting it. In that case the access log generated by WAF11 has an attack_type that is not WAF_NONE but another enumerated value, and act is 2, meaning that WAF11 considers the request an attack request but, instead of intercepting it, only raises an alarm.
During false alarm analysis, WAF11 screens the historical access logs according to an analysis request to obtain an access log set, screens the attack logs out of that set, and from those attack logs obtains an attack subset: the attack logs that contain the target status code and whose interception state is a preset state. It then determines the security policy causing the false alarm according to the attack subset. An interception state being a preset state means that the act field has a preset value, for example act=1 or act=2.
The service server 12 may be hardware or software. As hardware, the service server 12 is a single server or a distributed cluster of several servers; as software, it may be a single software module or several, which the embodiments of the present application do not limit. The service server 12 is the server that actually responds to service requests. The service server 12 and WAF11 may be two physically independent servers, or two logically independent servers deployed on the same physical machine.
The terminal device 13 may be hardware or software. When the terminal device 13 is hardware, the terminal device 13 is, for example, a mobile phone, a tablet computer, an electronic book reader, a laptop, a desktop computer, a server, or the like. When the terminal device 13 is software, it may be installed in the above-listed hardware device, and in this case, the terminal device 13 is, for example, a plurality of software modules or a single software module, etc., the embodiment of the present application is not limited.
It should be understood that the number of WAFs 11, service servers 12 and terminal devices 13 in fig. 1 is merely illustrative. In practical implementation, any number of WAFs 11, service servers 12 and terminal devices 13 are deployed according to practical requirements.
The following describes in detail the false alarm detection method provided by the embodiment of the present application based on the implementation environment shown in fig. 1. For example, please refer to fig. 2.
Fig. 2 is a flowchart of a false alarm detection method provided in an embodiment of the present application. This embodiment is described from the perspective of WAF11 and comprises the following steps:
201. An access log set and an attack log set are determined, the attack log set being a subset of the access log set.
WAF11 performs security detection on the service requests that access the service server. During false alarm analysis, WAF11 may analyze false alarms for all of the service server's services or only for some of them. For example, the access log set may hold the logs produced by checking every service request to the service server over a period of time, i.e. the full log. Alternatively, the access log set may hold only the access logs for some domain names: the service server's domain names might include www.xxx.com, pic.xxx.com and vedio.xxx.com, while the access log set contains only the logs related to www.xxx.com and pic.xxx.com.
The WAF selects, from the many historical access logs, those that meet the analysis conditions, according to preset rules or an operator's instructions, to obtain the access log set, and then determines the attack logs within that set to obtain the attack log set. For example, once the access log set is determined, the WAF selects the access logs whose attack type field is not WAF_NONE but another enumerated value, and these access logs form the attack log set. The historical access logs are generated by the WAF performing security detection on the access requests sent from terminal devices to the service server.
Optionally, the WAF receives an analysis request from the terminal device, carrying at least one of a customer identifier to be analyzed, a time range to be analyzed, a domain name to be analyzed, and an identifier of a preset attack type. The WAF then queries the historical access logs according to the analysis request to obtain the access log set.
For example, the operation and maintenance personnel enter on the terminal device at least one of a customer identifier, a time range, a domain name and a preset attack type identifier to be analyzed. The terminal device builds an analysis request from this input and sends it to the WAF, which queries the historical access logs, retrieves those matching the request, and so obtains the access log set.
The customer identifier is, for example, xxx; the time range to be analyzed is, for example, the last 24 hours, the last 3 days or the last 10 days, which the embodiments of the application do not limit. The domain name to be analyzed may be a generic (wildcard) domain name such as xxx; after receiving the generic domain name, the WAF automatically determines the real domain names under it, such as pic.xxx.com and vedio.xxx.com. The operator may also send specific domain names to the WAF, such as www.xxx.com.
The value of the preset attack type is any enumerated value other than WAF_NONE and is generally expressed as attack_type=waf.
With this scheme, false alarms can be detected in a targeted way by flexibly setting the customer identifier to be analyzed, the domain name to be analyzed and so on.
In general, the historical access logs are massive and include both the access logs of non-attack requests and those of attack requests. Moreover, some attack logs cannot possibly be false alarms, while others may be the logs of falsely reported attack requests. Optionally, to speed up false alarm detection, the WAF filters out, from the attack logs in the access log set, those that hit the blacklist and/or those whose attack type is a preset value, and forms the attack log set from the remaining attack logs.
For example, the WAF excludes from the attack logs those whose attack type will never be falsely reported. The WAF locally stores a blacklist (waf_dynmic_black_ip) of IP addresses; if the IP address in an attack log hits the blacklist, i.e. it is one of the addresses recorded there, the WAF treats the corresponding attack request as a real attack rather than a false alarm and filters the attack log out.
For another example, the WAF stores certain attack type values; if the attack type in an attack log is one of these preset values, the WAF treats the corresponding attack request as a real attack, not a false alarm, and filters the log out. These attack type values are expressed as attack_type=waf and include waf_force_cracking, waf_dunamic_black_ip, waf_invalid, waf_crawler, waf_ip_ol, waf_co_ol and the like.
With this scheme, the attack logs that certainly are not false alarms are filtered out and only the remaining attack logs are analyzed, so the security policy causing the false alarm is determined quickly.
202. From the attack log set, the attack logs whose HTTP status code is the target status code and whose interception state is the preset state are determined to obtain an attack subset.
For example, the attack log set contains attack logs whose interception state is intercepted, not intercepted, alarm and so on, and whose HTTP status code is 200, 301, 403 and so on. The interception state is usually indicated by the act field: act=1 means the WAF considered the service request corresponding to the attack log an attack request and intercepted it; act=2 means the WAF considered it an attack request but did not intercept it and only raised an alarm.
The WAF selects from the attack logs those meeting a certain condition to obtain an attack subset. For example, it selects the attack logs whose interception state is "intercepted" and whose HTTP status code is 403, obtaining what is referred to below as the first attack subset. For another example, it selects the attack logs whose interception state is "not intercepted but alarmed" and whose status code is any of 200, 301, 302 and 304, obtaining what is referred to below as the second attack subset.
The false alarm probability of the first attack subset is far smaller than that of the second, and the analysis conditions and analysis logic differ somewhat between the two. By dividing the attack logs into different attack subsets and applying different analysis conditions and logic to each, the analysis is well targeted and the security policy causing the false alarm can be identified accurately.
203. A security policy causing a false alarm is determined according to the attack subset.
For example, the WAF analyzes the IP, URL and so on of each attack log in the attack subset to determine the security policy that caused the false alarm. Optionally, while analyzing the attack subset the WAF may also take the access logs in the access log set into account.
According to the false alarm detection method provided by the embodiments of the application, the WAF automatically determines the access log set, determines the attack logs within the access log set to obtain the attack log set, determines the attack logs that contain the target status code and whose interception state is a preset state to obtain the attack subset, and analyzes the attack logs in the attack subset to determine the security policy causing the false alarm. With this scheme, the access log set and the attack log set are acquired automatically and the attack logs containing the target status code and the preset state are analyzed, so the security policy causing the false alarm is determined automatically without depending on operation and maintenance personnel; the method therefore has a high degree of automation, high efficiency and high accuracy.
Optionally, in the foregoing embodiment, the WAF determines two attack subsets from the attack log set according to the HTTP status code and interception state of each attack log, namely the first and second attack subsets described above:
First attack subset: HTTP status code = 403, interception state act = 1.
Second attack subset: HTTP status code = 200, 301, 302 or 304, interception state act = 2.
The first attack subset holds the attack logs of requests the WAF identified as attacks and intercepted; analyzing it reveals which security policies caused the WAF to intercept a normal service request.
The second attack subset holds the attack logs of requests the WAF identified as attacks but did not intercept, only raising an alarm; analyzing it reveals which security policies caused the WAF to identify a normal service request as an attack and raise an alarm without intercepting it.
Alternatively, in the foregoing embodiment, whether the security policy causing the false alarm is determined from the first or the second attack subset, the WAF may analyze at one or more of IP granularity, Uniform Resource Locator (URL) granularity and attack type granularity. The WAF first fixes the analysis granularity and then analyzes the attack subset (the first or the second) at that granularity to determine the security policy causing the false alarm.
By analyzing the attack subset at different granularities, the security policy causing the false alarm can be determined for each analysis granularity.
In general, when the WAF version is not being upgraded and the WAF runs stably, there are two scenarios in which a WAF false alarm may occur. In the first, the security policy changes: for example, a new security policy is brought online urgently to defend against a new Web vulnerability or a new attack, or an existing security policy is modified to identify and defend against some type of Web attack more accurately, and the change causes false alarms.
In the second, the services on the service server protected by the WAF change: for example, a new service goes live without thorough verification and WAF blocking is switched on directly, or the WAF security policy is enabled after an existing service interface has been changed.
In the embodiments of the application, both the analysis of the first attack subset and the analysis of the second aim to determine the false alarms arising in these two scenarios.
Fig. 3 is another flowchart of a false alarm detection method according to an embodiment of the present application. The embodiment comprises the following steps:
301. The WAF receives an analysis request from the terminal device.
The analysis request carries at least one of: a customer identifier to be analyzed, a time range to be analyzed, a domain name to be analyzed, and a value of a preset attack type.
302. The WAF determines a set of access logs based on the analysis request.
Illustratively, the WAF screens the plurality of historical access logs for the access logs that meet the analysis request, so as to obtain the access log set.
303. The WAF filters out, from the access log set, the attack logs that match the blacklist and/or whose attack type value is a preset value, and obtains the attack log set from the remaining attack logs.
304. The WAF determines an attack subset from the attack log set.
The attack subset is the first attack subset or the second attack subset described above.
305. The WAF determines the security policy causing false alarms according to the attack subset.
Optionally, step 305 includes at least one of step 3051, step 3052, and step 3053.
3051. The WAF analyzes the attack subset according to IP granularity to determine security policies that lead to false positives.
This process aims at identifying false alarms by analyzing the behavior characteristics of the normal service requests and the attack requests of each IP.
3052. The WAF analyzes the attack subset according to the attack type granularity to determine the security policy causing the false alarm.
When the service on the service server is changed or the security policy stored on the WAF is updated, any false alarms that occur tend to be concentrated on the same attack type. Therefore, false alarm analysis based on attack type aims at determining the attack type in the false alarm data set, and then determining the security policy causing the false alarm according to that attack type.
3053. The WAF analyzes the attack subset according to the URL granularity to determine the security policy that causes the false alarm.
When a certain service on the service server is changed, false alarms tend to occur and to be concentrated on the changed URL, whereas genuine attack URLs usually appear more scattered. Therefore, false alarm analysis at URL granularity can identify false alarms caused by service changes.
Next, step 3051, step 3052, and step 3053 are described in detail. In the following description, the attack subset may be the first attack subset or the second attack subset unless otherwise specified.
Fig. 4 is a flowchart of a false alarm detection method according to an embodiment of the present application, where the WAF analyzes the attack subset at IP granularity to determine a security policy that causes false alarms. The embodiment comprises the following steps:
401. The WAF extracts an IP address from each attack log contained in the attack subset to obtain at least one IP address.
Illustratively, each attack log includes an IP field; some attack logs have the same value in the IP field and some have different values. The WAF obtains at least one IP address from the IP addresses extracted from the attack logs, and any two IP addresses in the at least one IP address are different. For example, there are 50 attack logs in the attack subset in total, where attack logs 1-10 contain the same IP address, attack logs 11-20 contain the same IP address, and attack logs 21-50 contain the same IP address; the at least one IP address then contains 3 different IP addresses.
402. For each IP address in the at least one IP address, the WAF queries the access log set according to the IP address to determine a first access subset corresponding to that IP address.
The access logs in the first access subset contain the corresponding IP address, and each access log in the first access subset lies in a target time period, which is determined according to the attack log containing the corresponding IP address in the first attack subset.
For each IP address in the at least one IP address, several attack logs containing that IP address may exist in the attack subset. The WAF sorts these attack logs by generation time, determines from the sorting the earliest attack log containing the IP address, and then determines the target time period according to that attack log: the target time period covers 1 hour before and 1 hour after the attack log, 2 hours in total. Then, the WAF determines, from the access log set, the access logs that lie in this time period and contain the corresponding IP address, so as to obtain the first access subset of the IP address.
Continuing with the example above, assume that the 3 IP addresses are IP1, IP2, and IP3. Taking IP1 as an example, the WAF determines the earliest attack log containing IP1 from the attack subset, and determines the target time range according to that attack log. It then determines, from the access log set, the access logs that lie in the target time range and contain IP1; these access logs form the first access subset of IP1. Obviously, the first access subset includes both the access logs of the normal service requests from IP1 and the attack logs of its attack requests.
Similarly, the WAF obtains a first access subset for IP2 and a first access subset for IP3.
403. The WAF determines a target IP address from the at least one IP address according to the first access subset of each IP address in the at least one IP address, where the first access subset of the target IP address meets a preset condition.
Illustratively, if the first access subset of some IP address in the at least one IP address meets the preset condition, that IP address is taken as the target IP address, and the next step of analysis is performed on the target IP address to determine the security policy causing the false alarm. If no target IP address exists in the at least one IP address, it is considered that no false alarm has occurred, that is, the attack request corresponding to each attack log in the attack subset is a real attack request, and no normal service request has been mistakenly identified as an attack request.
404. The WAF determines the security policy causing the false alarm for the target IP address.
Illustratively, for the target IP address, the WAF continues to analyze the attack type field and the like of the attack logs containing the target IP address, so as to determine the security policy that causes false alarms for the target IP address.
By adopting this scheme, the target IP address that is likely to produce false alarms is determined from the at least one IP address, and the security policy causing the false alarm is analyzed only for the target IP address, so the analysis is fast and well targeted.
Optionally, in the foregoing embodiment, when the attack subset is the first attack subset, the amount of normal service requests under a false alarm condition is far greater than the amount of service requests intercepted by the WAF. Thus, for the first attack subset, the preset condition is: the ratio of the number of access logs in the first access subset to the number of attack logs in the attack subset containing the target IP address exceeds a first threshold. The first threshold is, for example, 10; the embodiments of the present application are not limited in this respect.
When a target IP address exists in the at least one IP address, the WAF counts the number of distinct attack types corresponding to the target IP address. In the counting process, the WAF extracts the attack type from each attack log containing the target IP address to obtain at least one attack type, and then determines how many distinct attack types there are. When the number of distinct attack types is less than or equal to a second threshold, the WAF determines that the security policy corresponding to the policy identifier contained in each access log in the first access subset is the security policy causing the false alarm, and then outputs the policy identifier of that security policy.
For example, in the event of a false alarm, the terminal device, i.e. the client side, triggers only a small number of attack types. Therefore, when the number of distinct attack types of the target IP address is less than or equal to the second threshold, the target IP address can be determined to be an IP address on which false alarms occur, and at this time the WAF outputs the target IP address and the policy identifier of the security policy causing the false alarm.
For example, there are 10 attack logs containing the target IP address in the first attack subset, where the attack type of 5 attack logs is SQL injection and the attack type of the other 5 attack logs is XSS, so there are 2 distinct attack types in total. Assuming that the second threshold is 2, the WAF considers that, for the target IP address, the security policies corresponding to the policy identifiers contained in each access log of its first access subset are all security policies causing false alarms.
It should be noted that, although the number of distinct attack types is counted above from the attack logs containing the target IP address in the first attack subset, the embodiments of the present application are not limited in this respect; in other possible implementations, the number of distinct attack types may be counted from the first access subset of the target IP address.
By adopting this scheme, the WAF analyzes the intercepted attack requests at IP granularity, so as to determine the security policy causing false alarms from among the security policies triggered by the intercepted attack requests.
Optionally, in the foregoing embodiment, when the attack subset is the second attack subset, the client accesses are relatively rich in the false alarm case, and one feature of this is that the number of accesses is relatively high. Thus, for the second attack subset, the preset condition is: the number of access logs in the first access subset is greater than a third threshold, for example 20; the embodiments of the present application are not limited in this respect. If the number of accesses of an IP address is greater than the third threshold, the IP address has a relatively large number of accesses and may be an IP address on which false alarms occur. Therefore, this IP address is taken as the target IP address, also called a suspicious IP address, for further analysis. The WAF can effectively screen out the target IP address through the third threshold.
After screening out the target IP address, the WAF counts the attack types corresponding to the target IP address to obtain at least one attack type, and then determines the number of distinct attack types and the number of attacks corresponding to each attack type. When the number of distinct attack types is less than or equal to a fourth threshold and the number of attacks of each attack type in the at least one attack type is greater than a fifth threshold, the WAF determines that the security policy corresponding to the policy identifier contained in each access log in the first access subset is the security policy causing the false alarm.
For example, in the false alarm case, the client triggers only a small number of attack types, and the number of attacks is greater than the fifth threshold. Therefore, when the number of distinct attack types of the target IP address is less than or equal to the fourth threshold and the number of attacks of each attack type is greater than the fifth threshold, the target IP address can be determined to be an IP address on which false alarms occur. At this time, the WAF outputs the target IP address and the policy identifier of the security policy causing the false alarm.
For example, there are 12 attack logs in the first attack subset, where the attack type of 6 attack logs is SQL injection and the attack type of the other 6 attack logs is XSS, so there are 2 attack types. Assuming that the fourth threshold is 2 and the fifth threshold is 5, the WAF considers that, for the target IP address, the security policies corresponding to the policy identifiers contained in each access log of its first access subset are all security policies causing false alarms.
It should be noted that, although the number of distinct attack types is counted above from the attack logs containing the target IP address in the first attack subset, the embodiments of the present application are not limited in this respect; in other possible implementations, the number of distinct attack types may be counted from the first access subset of the target IP address.
By adopting this scheme, the WAF analyzes at IP granularity the attack requests that were not intercepted but were monitored by an alarm, so as to determine the security policy causing false alarms from among the security policies triggered by the non-intercepted attack requests.
Optionally, in the above embodiment, a false alarm may also occur when the number of distinct attack types is greater than the fourth threshold. When a false alarm occurs, a certain attack type accounts for a larger proportion; when no false alarm occurs, the attack types are evenly distributed. Therefore, the WAF calculates the proportion of each attack type and determines the security policy causing the false alarm according to the proportion. That is, when the attack subset is the second attack subset and a target IP address exists, after determining the number of distinct attack types and the number of attacks of each attack type for the target IP address, the WAF determines the proportion of each attack type in the at least one attack type when the number of distinct attack types is greater than the fourth threshold and/or when the at least one attack type includes an attack type whose number of attacks is less than or equal to the fifth threshold. Then, when the at least one attack type of the target IP address includes an attack type whose proportion is greater than a sixth threshold, the WAF determines, from the first access subset, the access logs containing that attack type, and extracts their policy identifiers to obtain the security policy causing the false alarm.
For example, there are 12 attack logs containing the target IP address in the first attack subset, where 10 attack logs are of the SQL injection type, 1 attack log is of the XSS type, and 1 attack log is of the cross-site request forgery (Cross Site Request Forgery, CSRF) type, so there are 3 attack types in total. Assuming that the sixth threshold is 80%, the WAF considers that, for the target IP address, the security policy indicated by the policy identifier contained in the access logs with the attack type CSRF in the first access subset is the security policy causing the false alarm.
By adopting this scheme, when the WAF determines that an attack type whose proportion exceeds the sixth threshold exists, the security policy corresponding to the policy identifier of that attack type in the first access subset is taken as the security policy causing the false alarm, so the security policy causing the false alarm can be effectively identified.
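As an added, self-contained example (not code from the patent), the IP-granularity analysis of Fig. 4 together with the preset conditions and thresholds described above, run over a constructed access log set. The log field names, the sample addresses and the sample rule identifiers are assumptions, and the first and second attack subsets are formed with the status-code and interception-state rule that the Fig. 7 flow gives in steps 704 and 705.

```python
from collections import Counter
from datetime import datetime, timedelta

# Threshold names follow the text; the values are the examples it gives.
FIRST, SECOND = 10, 2                         # intercepted (first) attack subset
THIRD, FOURTH, FIFTH, SIXTH = 20, 2, 5, 0.8   # alarm-only (second) attack subset
WINDOW = timedelta(hours=1)                   # 1 h before and after the earliest attack log


def _log(ip, ts, attack_type, status, intercepted, policy=""):
    """One access log. Field names are our assumption, not the patent's."""
    return {"ip": ip, "time": datetime.fromisoformat(ts), "attack_type": attack_type,
            "status": status, "intercepted": intercepted, "policy": policy}


def build_sample_logs():
    """Constructed access log set (sample data, not taken from the patent)."""
    logs = []
    # Business client 10.0.0.5: 40 normal requests and 3 requests blocked by one
    # SQL-injection rule (the pattern the text describes as a likely false alarm).
    logs += [_log("10.0.0.5", f"2021-11-15T10:{i:02d}:00", "WAF_NONE", 200, False)
             for i in range(40)]
    logs += [_log("10.0.0.5", f"2021-11-15T10:{10 + 5 * i:02d}:30", "SQL_INJECTION", 403,
                  True, "rule-101") for i in range(3)]
    logs.append(_log("10.0.0.5", "2021-11-15T13:00:00", "WAF_NONE", 200, False))  # outside window
    # Scanner 198.51.100.7: six blocked requests of six different attack types, one normal.
    for i, kind in enumerate(["SQL_INJECTION", "XSS", "CSRF", "PATH_TRAVERSAL", "RCE", "XXE"]):
        logs.append(_log("198.51.100.7", f"2021-11-15T11:{i:02d}:00", kind, 403, True,
                         f"rule-{200 + i}"))
    logs.append(_log("198.51.100.7", "2021-11-15T11:07:00", "WAF_NONE", 200, False))
    # Client 10.0.0.9: alarm-only hits (not intercepted): 10 XSS, 1 CSRF, 1 SQLi, 15 normal.
    logs += [_log("10.0.0.9", f"2021-11-15T12:{i:02d}:00", "WAF_NONE", 200, False)
             for i in range(15)]
    logs += [_log("10.0.0.9", f"2021-11-15T12:{20 + i:02d}:00", "XSS", 200, False, "rule-301")
             for i in range(10)]
    logs.append(_log("10.0.0.9", "2021-11-15T12:31:00", "CSRF", 200, False, "rule-302"))
    logs.append(_log("10.0.0.9", "2021-11-15T12:32:00", "SQL_INJECTION", 302, False, "rule-303"))
    return logs


def first_attack_subset(logs):
    """Intercepted attack requests: status 403 and interception state set (Fig. 7, step 704)."""
    return [l for l in logs if l["attack_type"] != "WAF_NONE"
            and l["status"] == 403 and l["intercepted"]]


def second_attack_subset(logs):
    """Alarm-only attack requests: status 200/301/302/304 and not intercepted (step 705)."""
    return [l for l in logs if l["attack_type"] != "WAF_NONE"
            and l["status"] in (200, 301, 302, 304) and not l["intercepted"]]


def first_access_subset(access_logs, attack_subset, ip):
    """Access logs of `ip` within +/- WINDOW of its earliest attack log (steps 401-402)."""
    earliest = min(l["time"] for l in attack_subset if l["ip"] == ip)
    lo, hi = earliest - WINDOW, earliest + WINDOW
    return [l for l in access_logs if l["ip"] == ip and lo <= l["time"] <= hi]


def analyze_ip_granularity(access_logs, attack_subset, intercepted):
    """Steps 403-404: {target IP: policy identifiers judged to cause false alarms}."""
    result = {}
    for ip in sorted({l["ip"] for l in attack_subset}):
        ip_attacks = [l for l in attack_subset if l["ip"] == ip]
        access = first_access_subset(access_logs, attack_subset, ip)
        type_counts = Counter(l["attack_type"] for l in ip_attacks)
        if intercepted:
            # Preset condition: normal traffic far outweighs the intercepted requests.
            if len(access) / len(ip_attacks) <= FIRST:
                continue
            if len(type_counts) <= SECOND:
                result[ip] = {l["policy"] for l in access if l["policy"]}
        else:
            # Preset condition: a busy client; then few attack types, each hit often.
            if len(access) <= THIRD:
                continue
            if len(type_counts) <= FOURTH and all(n > FIFTH for n in type_counts.values()):
                result[ip] = {l["policy"] for l in access if l["policy"]}
            else:
                # Otherwise a single attack type that dominates the alarms points
                # at the policies that fired for it.
                dominant = {t for t, n in type_counts.items() if n / len(ip_attacks) > SIXTH}
                if dominant:
                    result[ip] = {l["policy"] for l in access
                                  if l["policy"] and l["attack_type"] in dominant}
    return result


if __name__ == "__main__":
    logs = build_sample_logs()
    print(analyze_ip_granularity(logs, first_attack_subset(logs), intercepted=True))
    print(analyze_ip_granularity(logs, second_attack_subset(logs), intercepted=False))
```

The scanner address is rejected by the first threshold because its attack logs are not outnumbered by normal traffic, while the client with many normal requests and a single blocked rule is reported.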
Fig. 5 is a flowchart of a false alarm detection method according to an embodiment of the present application, where the WAF analyzes the attack subset according to the attack type granularity to determine a security policy that causes false alarm. The embodiment comprises the following steps:
501. The WAF extracts the attack type from each attack log contained in the attack subset to obtain at least one attack type.
Illustratively, each attack log contains an attack type field whose value is not WAF_NONE but another enumerated value. Some attack logs have the same value in the attack type field and some have different values. The WAF obtains at least one attack type from the attack types extracted from the attack logs, and any two attack types in the at least one attack type are different. For example, there are 50 attack logs in the attack subset, where the value of the attack type field in the 1st to 10th attack logs is attack type 1, the value in the 11th to 20th attack logs is attack type 2, and the value in the 21st to 50th attack logs is attack type 3; the at least one attack type then includes 3 different attack types, namely attack type 1, attack type 2 and attack type 3.
502. For a target attack type in the at least one attack type, the WAF extracts the policy identifier from each attack log containing the target attack type to obtain at least one policy identifier.
The target attack type is an attack type, in the at least one attack type, whose proportion exceeds a seventh threshold and whose number of corresponding attack logs is greater than an eighth threshold.
In a practical implementation, the values of the seventh threshold and the eighth threshold may be set as required. For example, when the attack subset is the first attack subset, the seventh threshold is 30% and the eighth threshold is 50; when the attack subset is the second attack subset, the seventh threshold is 20% and the eighth threshold is 100. When the proportion of an attack type is greater than the seventh threshold and its number of attacks is greater than the eighth threshold, the attacks identified by the WAF within that period are concentrated in this attack type, and the possibility of a false alarm is higher. The purpose of the seventh threshold is to screen out attack types with a relatively high proportion, i.e. relatively concentrated ones; the purpose of the eighth threshold is to filter out attack types with a small number of attacks. The filtered data may be subjected to further analysis by IP analysis or URL analysis.
Assume that there are 100 attack logs in the attack subset, where the attack type field of 20 attack logs is attack type 1, that of another 20 attack logs is attack type 2, and that of the remaining 60 attack logs is attack type 3. There are 3 attack types in total, namely attack type 1, attack type 2 and attack type 3, with proportions of 20%, 20% and 60% and attack counts of 20, 20 and 60 respectively. Assuming that the seventh threshold is 30% and the eighth threshold is 50, attack type 3 is obviously the target attack type.
The WAF then extracts the policy identifiers from the attack logs in the attack subset that contain attack type 3. Since the WAF detects each attack type with multiple security policies, the policy identifiers of several security policies may appear in these 60 attack logs.
503. For the target attack type, the WAF determines the security policy causing the false alarm according to the at least one policy identifier.
Illustratively, for the target attack type, the WAF continues to analyze the policy identifier field and the like of the attack logs containing the target attack type, so as to determine the security policy that causes false alarms for the target attack type.
By adopting this scheme, the target attack type that is likely to produce false alarms is determined from the at least one attack type, and the security policy causing the false alarm is analyzed only for the target attack type, so the analysis is fast and well targeted.
Optionally, when determining the security policy causing the false alarm according to the attack type, the WAF determines at least one policy identifier for the target attack type, determines the proportion of each policy identifier, and takes the policy identifier whose proportion exceeds a ninth threshold as the target policy identifier. This is because when the proportion of a certain policy identifier exceeds the ninth threshold, the likelihood that this policy is a security policy causing false alarms is high.
For example, the target attack type is SQL injection and there are 60 attack logs in total whose attack type field is SQL injection, where the policy identifier of the security policy hit by 40 attack logs is policy a, that hit by 10 attack logs is policy b, and that hit by the other 10 attack logs is policy c. Assuming that the ninth threshold is 50%, the proportion of policy a is greater than 50%, so policy a is the target policy identifier.
The WAF then determines, from the attack subset, the attack logs that contain the target policy identifier to obtain a second access subset. Obviously, each access log in the second access subset is an attack log. The second access subset is, for example, the set of the 40 attack logs described above whose policy identifier is policy a.
The WAF then extracts the IP address from each access log contained in the second access subset to obtain at least one IP address.
Continuing with the example above: there are 40 attack logs in the attack subset that contain the target policy identifier; assuming that every 10 of these 40 attack logs contain the same IP address, there are 4 IP addresses in total.
Finally, for the target attack type, the WAF determines the security policy causing the false alarm according to each IP address in the at least one IP address.
By adopting this scheme, since one attack type can be detected by several security policies, after the target attack type is determined, the target policy identifier is further determined from among the identifiers of those security policies, and the access log set is then searched in reverse according to the target policy identifier to determine the security policy causing the false alarm; the accuracy is high and the speed is high.
Optionally, in the foregoing embodiment, after determining the at least one IP address, the WAF queries the access log set according to each IP address in the at least one IP address to determine a third access subset, where each access log in the third access subset contains one of the at least one IP address. For the target attack type, when the third access subset is empty, the WAF determines that the security policy corresponding to the policy identifier contained in each access log in the second access subset is the security policy causing the false alarm.
Continuing with the example above, the WAF determines 4 IP addresses, and uses each of the 4 IP addresses to search the access log set in reverse for the access logs containing any one of the 4 IP addresses, so as to obtain the third access subset. If the third access subset is empty, the WAF determines that the security policy corresponding to the policy identifier contained in each access log in the second access subset is the security policy causing the false alarm; that is, for the target attack type, policy a described above is a security policy causing false alarms.
In the embodiment of the present application, the storage period of the access logs may be preset; for example, a storage period of 7 days means that an access log is automatically deleted 7 days after it is generated. Therefore, if the time range to be analyzed carried in the analysis request is relatively early, the third access subset may be empty.
By adopting this scheme, the security policy causing the false alarm is determined accurately.
Optionally, in the foregoing embodiment, when the attack subset is the first attack subset and the third access subset is not empty, the WAF extracts the attack type from each access log included in the third access subset to obtain at least one attack type. The WAF then determines whether the number of distinct attack types is less than a tenth threshold, and if so, determines that the security policy corresponding to the policy identifier contained in each access log in the third access subset is the security policy causing the false alarm.
When the target policy identifier exists, the WAF determines the at least one IP address according to the target policy identifier, searches the access logs in reverse using these IP addresses to obtain the third access subset, and then extracts the attack types of the access logs in the third access subset to count the number of distinct attack types. When there are few distinct attack types, that is, the number is less than or equal to the tenth threshold, the possibility of a false alarm is considered higher, because the typical attack scenario, namely a malicious scanning scenario, is characterized by a particularly large number of attack types. Therefore, by setting the tenth threshold, a security policy causing false alarms can be effectively identified and distinguished from a malicious scanning scenario.
By adopting this scheme, the WAF analyzes the intercepted attack requests at attack type granularity, so as to accurately determine the security policy causing false alarms from among the security policies triggered by the intercepted attack requests.
Optionally, in the foregoing embodiment, when the attack subset is the second attack subset and the third access subset is not empty, the WAF determines, from the access logs included in the third access subset, the access logs corresponding to non-attack service requests, and then determines the proportion of the access logs corresponding to non-attack service requests. The value of the attack type field of an access log corresponding to a non-attack service request is WAF_NONE; non-attack service requests are also referred to as normal service requests. The higher the proportion of normal service requests, the higher the possibility of a false alarm. Therefore, an eleventh threshold is set: when the proportion of non-attack service requests exceeds the eleventh threshold, the security policy corresponding to the policy identifier included in each access log in the third access subset is determined to be the security policy causing the false alarm. The WAF then outputs the target attack type and the policy identifier of the security policy causing the false alarm.
By adopting this scheme, the WAF analyzes at attack type granularity the attack requests that were not intercepted but were monitored by an alarm, so as to determine the security policy causing false alarms from among the security policies triggered by the non-intercepted attack requests.
Fig. 6 is a flowchart of a false alarm detection method according to an embodiment of the present application, where the WAF analyzes the attack subset at URL granularity to determine a security policy that causes false alarms. The embodiment comprises the following steps:
601. The WAF extracts the URL from each attack log contained in the attack subset to obtain at least one URL.
Illustratively, each attack log includes a URL field; some attack logs have the same value in the URL field and some have different values. The WAF obtains at least one URL from the URLs extracted from the attack logs, and any two URLs in the at least one URL are different. For example, there are 50 attack logs in the attack subset in total, where attack logs 1-10 contain the same URL, attack logs 11-20 contain the same URL, and attack logs 21-50 contain the same URL; the at least one URL then contains 3 different URLs.
602. For a target URL in the at least one URL, the WAF extracts the policy identifier from each attack log containing the target URL to obtain at least one policy identifier.
The target URL is a URL, in the at least one URL, whose proportion exceeds a twelfth threshold and whose number of corresponding attack logs is greater than a thirteenth threshold.
In a practical implementation, the values of the twelfth threshold and the thirteenth threshold may be set as required. For example, when the attack subset is the first attack subset, the twelfth threshold is 30% and the thirteenth threshold is 50; when the attack subset is the second attack subset, the twelfth threshold is 10% and the thirteenth threshold is 100. When the proportion of a URL is greater than the twelfth threshold and its number of attacks is greater than the thirteenth threshold, the attacks identified by the WAF within that period are concentrated on this URL, and the possibility of a false alarm is higher. The purpose of the twelfth threshold is to screen out URLs with a relatively high proportion, i.e. relatively concentrated ones; the purpose of the thirteenth threshold is to filter out URLs with a small number of attacks. The filtered data may be subjected to further analysis by IP analysis or attack type analysis.
603. The WAF determines the security policy causing the false alarm for the target URL.
Illustratively, for the target URL, the WAF continues to analyze the policy identifier field and the like of the attack logs containing the target URL, so as to determine the security policy that causes false alarms for the target URL.
By adopting this scheme, the target URL that is likely to produce false alarms is determined from the at least one URL, and the security policy causing the false alarm is analyzed only for the target URL, so the analysis is fast and well targeted.
Optionally, when determining the security policy causing the false alarm at URL granularity, after determining the target URL, the WAF extracts the policy identifier from each attack log containing the target URL to obtain at least one policy identifier. The WAF then determines the proportion of each policy identifier and takes the policy identifier whose proportion exceeds a fourteenth threshold as the target policy identifier. This is because when the proportion of a policy identifier exceeds the fourteenth threshold, the likelihood that this security policy is one causing false alarms is relatively high. When the attack subset is the first attack subset, the fourteenth threshold is, for example, 50%; when the attack subset is the second attack subset, the fourteenth threshold is, for example, 10%.
For example, there are 50 attack logs in the attack subset, where the value of the URL field in the 1st to 5th attack logs is URL1, the value in the 6th to 10th attack logs is URL2, and the value in the 11th to 50th attack logs is URL3; the at least one URL thus contains 3 different URLs, namely URL1, URL2 and URL3, with proportions of 10%, 10% and 80% and counts of 5, 5 and 40. Assuming that the twelfth threshold is 30% and the thirteenth threshold is 50, URL3 is the target URL.
The 40 attack logs containing URL3 carry 3 policy identifiers, namely security policy a, security policy b and security policy c, accounting for 80%, 10% and 10% respectively. Assuming that the fourteenth threshold is 50%, the target policy identifier is security policy a, which is the security policy causing false alarms for the target URL.
By adopting this scheme, after the target URL is determined, the policy identifiers are further analyzed, so that the security policy causing false alarms for the target URL is accurately determined.
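As an added example (not the patent's code) that serves both the attack type granularity of Fig. 5, including the reverse IP lookup through the third access subset, and the URL granularity of Fig. 6, the following runs both analyses over a constructed attack subset and access log set. The log field names, sample addresses, rule identifiers and the numeric values of the tenth and eleventh thresholds are assumptions; the other threshold values are the examples the text gives for the first attack subset.

```python
from collections import Counter

# Threshold names follow the text; the numeric values are the examples it gives
# for the intercepted (first) attack subset. The text gives no numbers for the
# tenth and eleventh thresholds, so those two values are our assumption.
SEVENTH, EIGHTH, NINTH = 0.30, 50, 0.50            # attack type granularity (Fig. 5)
TENTH, ELEVENTH = 3, 0.50                          # checks on the third access subset
TWELFTH, THIRTEENTH, FOURTEENTH = 0.30, 50, 0.50   # URL granularity (Fig. 6)


def _log(ip, attack_type, url, policy=""):
    """One log record. Field names are our assumption, not the patent's."""
    return {"ip": ip, "attack_type": attack_type, "url": url, "policy": policy}


def build_sample_data():
    """Constructed attack subset and access log set (sample data, not from the patent)."""
    attacks = [_log(f"203.0.113.{i}", "XSS", f"/page/{i}", "rule-x") for i in range(20)]
    attacks += [_log(f"203.0.113.{50 + i}", "CSRF", f"/form/{i}", "rule-y") for i in range(20)]
    clients = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"]
    # 60 SQL-injection logs on one URL: 40 hit policy a (from 4 business clients),
    # 10 hit policy b and 10 hit policy c (from scattered addresses).
    attacks += [_log(clients[i % 4], "SQL_INJECTION", "/api/search", "rule-a") for i in range(40)]
    attacks += [_log(f"203.0.113.{100 + i}", "SQL_INJECTION", "/api/search", "rule-b")
                for i in range(10)]
    attacks += [_log(f"203.0.113.{120 + i}", "SQL_INJECTION", "/api/search", "rule-c")
                for i in range(10)]
    # The access log set holds the attack logs plus 30 normal requests per business client.
    access = attacks + [_log(ip, "WAF_NONE", "/api/search") for ip in clients for _ in range(30)]
    return attacks, access


def concentrated_values(logs, field, prop_thr, count_thr):
    """Values of `field` whose proportion exceeds prop_thr and whose count exceeds
    count_thr: step 502 when the field is the attack type, step 602 when it is the URL."""
    counts = Counter(l[field] for l in logs)
    return sorted(v for v, n in counts.items() if n / len(logs) > prop_thr and n > count_thr)


def target_policies(logs, prop_thr):
    """Policy identifiers whose proportion among `logs` exceeds prop_thr."""
    counts = Counter(l["policy"] for l in logs if l["policy"])
    return {p for p, n in counts.items() if n / len(logs) > prop_thr}


def analyze_attack_type_granularity(access_log_set, attack_subset, intercepted=True):
    """Fig. 5 with the reverse IP lookup: {target attack type: policies causing false alarms}."""
    result = {}
    for kind in concentrated_values(attack_subset, "attack_type", SEVENTH, EIGHTH):
        typed = [l for l in attack_subset if l["attack_type"] == kind]
        targets = target_policies(typed, NINTH)
        second = [l for l in typed if l["policy"] in targets]   # second access subset
        ips = {l["ip"] for l in second}
        third = [l for l in access_log_set if l["ip"] in ips]   # third access subset
        if not third:
            # The access logs of these IPs have already expired: judge on the second subset.
            result[kind] = {l["policy"] for l in second}
            continue
        kinds_seen = {l["attack_type"] for l in third if l["attack_type"] != "WAF_NONE"}
        normal_share = sum(l["attack_type"] == "WAF_NONE" for l in third) / len(third)
        # Intercepted subset: few attack types (a scanner would show many).
        # Alarm-only subset: mostly normal traffic from the same clients.
        if (intercepted and len(kinds_seen) < TENTH) or (not intercepted and normal_share > ELEVENTH):
            result[kind] = {l["policy"] for l in third if l["policy"]}
    return result


def analyze_url_granularity(attack_subset):
    """Fig. 6: {target URL: policy identifiers concentrated on that URL}."""
    result = {}
    for url in concentrated_values(attack_subset, "url", TWELFTH, THIRTEENTH):
        on_url = [l for l in attack_subset if l["url"] == url]
        result[url] = target_policies(on_url, FOURTEENTH)
    return result


if __name__ == "__main__":
    attacks, access = build_sample_data()
    print(analyze_attack_type_granularity(access, attacks))
    print(analyze_attack_type_granularity([], attacks))   # access logs already expired
    print(analyze_url_granularity(attacks))
```

Passing an empty access log set exercises the case where the third access subset is empty because the access logs have passed their storage period.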
Fig. 7 is a flowchart of a false alarm detection method according to an embodiment of the present application. The embodiment comprises the following steps:
701. The WAF determines access logs according to the analysis request to obtain an access log set.
Illustratively, the WAF determines the access logs that meet the analysis request from a plurality of historical access logs according to the domain name to be analysed, the time range to be analysed and the like, so as to obtain the access log set.
702. The WAF determines the attack logs from the access log set, namely the access logs whose attack type field has a preset value, filters out the attack logs that match the blacklist, and/or obtains the attack log set from the remaining attack logs.
703. For each attack log in the attack log set, the WAF determines the status code and the interception state contained in the attack log.
704. Attack logs whose status code is 403 and whose interception state is intercepted are stored in the first attack subset.
705. Attack logs whose status code is any one of 200, 301, 302 and 304 and whose interception state is intercepted are stored in the second attack subset.
706. IP-granularity analysis is performed on the first attack subset.
707. Attack-type-granularity analysis is performed on the first attack subset.
708. URL-granularity analysis is performed on the first attack subset.
709. IP-granularity analysis is performed on the second attack subset.
710. Attack-type-granularity analysis is performed on the second attack subset.
711. URL-granularity analysis is performed on the second attack subset.
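Steps 701 to 705 above, written out as an added example (this is not the patent's own code). Log records are constructed dicts; the field names ts, domain, ip, attack_type, policy_id, status and intercepted are assumptions, as is representing the blacklist as a set of source IPs. For the second attack subset the block applies the interception state given for it in the apparatus description (not intercepted but alarmed), which is the reading consistent with the 200/301/302/304 status codes.

```python
"""Steps 701-705 of Fig. 7: select the access log set, derive the attack log
set, and split it into the first and second attack subsets."""

NORMAL = ""                          # attack_type value of a non-attack request (assumption)
FIRST_CODES = {403}                  # step 704
SECOND_CODES = {200, 301, 302, 304}  # step 705


def select_access_logs(history, domain, t_start, t_end):
    """Step 701: access logs matching the analysis request (domain and time range)."""
    return [r for r in history
            if r["domain"] == domain and t_start <= r["ts"] <= t_end]


def select_attack_logs(access_logs, blacklist):
    """Step 702: attack logs are access logs whose attack_type field is set;
    those matching the blacklist (here a set of source IPs) are dropped."""
    return [r for r in access_logs
            if r["attack_type"] != NORMAL and r["ip"] not in blacklist]


def split_attack_subsets(attack_logs):
    """Steps 703-705: first subset = status 403 and intercepted; second subset =
    status 200/301/302/304 and not intercepted (alarm only)."""
    first = [r for r in attack_logs
             if r["status"] in FIRST_CODES and r["intercepted"]]
    second = [r for r in attack_logs
              if r["status"] in SECOND_CODES and not r["intercepted"]]
    return first, second


# Constructed sample history: one blocked SQLi, one normal request, one alarmed
# XSS, one blocked scanner from a blacklisted IP, one record outside the time
# range and one for another domain.
HISTORY = [
    {"ts": 100, "domain": "shop.example", "ip": "10.0.0.1", "attack_type": "sqli",
     "policy_id": "P1", "status": 403, "intercepted": True},
    {"ts": 110, "domain": "shop.example", "ip": "10.0.0.1", "attack_type": "",
     "policy_id": "", "status": 200, "intercepted": False},
    {"ts": 120, "domain": "shop.example", "ip": "10.0.0.2", "attack_type": "xss",
     "policy_id": "P2", "status": 200, "intercepted": False},
    {"ts": 130, "domain": "shop.example", "ip": "10.0.0.3", "attack_type": "scanner",
     "policy_id": "P3", "status": 403, "intercepted": True},
    {"ts": 900, "domain": "shop.example", "ip": "10.0.0.1", "attack_type": "sqli",
     "policy_id": "P1", "status": 403, "intercepted": True},
    {"ts": 140, "domain": "other.example", "ip": "10.0.0.4", "attack_type": "sqli",
     "policy_id": "P1", "status": 403, "intercepted": True},
]


def run_fig7(history=HISTORY):
    """Run steps 701-705 on the sample: returns (access set, attack set, first, second)."""
    access = select_access_logs(history, "shop.example", 0, 500)
    attacks = select_attack_logs(access, blacklist={"10.0.0.3"})
    first, second = split_attack_subsets(attacks)
    return access, attacks, first, second


if __name__ == "__main__":
    access, attacks, first, second = run_fig7()
    print(len(access), len(attacks), len(first), len(second))  # 4 2 1 1
```

The two subsets feed the granularity analyses of steps 706 to 711; keeping the full access log set alongside them matters because those analyses compare an IP's attack logs against all of its traffic.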
Optionally, in the above embodiment, the detailed flow of step 706 may be as shown in Fig. 8. Fig. 8 is an expanded flowchart of step 706 in Fig. 7, and comprises the following steps:
7061. At least one IP address is determined from the first attack subset, and a first access subset is determined for each IP address.
Illustratively, the WAF extracts the IP address from each attack log in the first attack subset, obtaining at least one IP address. For each IP address, a target time range is determined from the earliest attack log in the first attack subset that contains that IP address. The access logs that lie within the target time range and contain the corresponding IP address are then determined from the access log set, giving the first access subset.
7062. Judge whether a target IP address exists among the at least one IP address; if so, execute step 7063, and if no target IP address exists among the at least one IP address, end.
The target IP address is an IP address whose first access subset meets a preset condition, where the preset condition is: the ratio of the number of access logs in the first access subset to the number of attack logs in the attack subset containing the target IP address exceeds a first threshold. The first threshold is, for example, 10, and the embodiment of the application is not limited thereto.
7063. At least one attack type is determined from the first access subset of the target IP address.
Illustratively, the WAF extracts the attack type contained in each access log in the first access subset to obtain at least one attack type.
7064. Judge whether the number of kinds in the at least one attack type is smaller than or equal to a second threshold; if so, execute step 7065, and if the number of kinds is greater than the second threshold, end. The second threshold is, for example, 2.
7065. Output the target IP address and the security policy causing false alarms.
The security policy that causes false alarms is, for example, the security policy contained in each access log in the first access subset of the target IP address.
Optionally, in the above embodiment, the detailed flow of step 707 may be as shown in Fig. 9. Fig. 9 is an expanded flowchart of step 707 in Fig. 7, and comprises the following steps:
7071. At least one attack type is determined from the first attack subset, and the duty ratio of each attack type is determined.
7072. Determine whether a target attack type exists in the at least one attack type; if so, execute step 7073, and if no target attack type exists in the at least one attack type, end.
The target attack type is an attack type whose duty ratio exceeds a seventh threshold and whose number exceeds an eighth threshold.
7073. At least one policy identifier of the target attack type is determined, and the duty ratio of each policy identifier is determined.
For example, the WAF may detect the target attack type with multiple security policies, so the policy identifiers in the attack logs containing the target attack type may differ. The WAF counts the attack logs of each security policy and thus determines the duty ratio of each policy identifier.
7074. Determine whether a target policy identifier exists in the at least one policy identifier; if so, execute step 7075, and if no target policy identifier exists in the at least one policy identifier, end.
The target policy identifier is a policy identifier in the at least one policy identifier whose duty ratio exceeds a ninth threshold, e.g. 50%.
7075. A second access subset is determined based on the target policy identifier.
Illustratively, the WAF determines the attack logs containing the target policy identifier from the first attack subset to obtain the second access subset. The second access subset is also referred to as the full IP log set of the target policy identifier.
In addition, when there are many attack logs containing the target policy identifier, the WAF may also take only part of them, for example the earliest 100 attack logs in time order.
7076. The access log set is queried according to each IP address in the second access subset to obtain a third access subset.
Illustratively, the WAF extracts the IP addresses of the access logs in the second access subset to obtain at least one IP address, and queries the access log set with these IP addresses to obtain the access logs containing any IP address in the at least one IP address; these access logs are stored in the third access subset.
7077. Determine whether the third access subset is empty; if not, execute step 7078, and if the third access subset is empty, execute step 70711.
7078. At least one attack type is determined from the third access subset.
7079. Determine whether the number of kinds in the at least one attack type is less than a tenth threshold; if so, execute step 70710, and if it is greater than or equal to the tenth threshold, end.
70710. Output the attack types contained in the attack logs in the third access subset and the corresponding security policies causing false alarms.
70711. Output the attack types contained in the attack logs in the second access subset and the corresponding security policies causing false alarms.
Optionally, in the above embodiment, the detailed flow of step 708 may be as shown in Fig. 10. Fig. 10 is an expanded flowchart of step 708 in Fig. 7, and comprises the following steps:
7081. At least one URL is determined from the first attack subset, and the duty ratio of each URL is determined.
7082. Determine whether a target URL exists in the at least one URL; if so, execute step 7083, and if no target URL exists in the at least one URL, end.
The target URL is a URL whose duty ratio exceeds a twelfth threshold and whose number exceeds a thirteenth threshold. The twelfth threshold is, for example, 30%, and the thirteenth threshold is, for example, 50.
7083. At least one policy identifier of the target URL is determined, and the duty ratio of each policy identifier is determined.
In an exemplary embodiment, some of the attack logs containing the target URL contain the same policy identifier and some contain different policy identifiers; the WAF determines the at least one policy identifier from these attack logs.
7084. Determine whether a target policy identifier exists in the at least one policy identifier; if so, execute step 7085, and if no target policy identifier exists in the at least one policy identifier, end.
The target policy identifier is a policy identifier in the at least one policy identifier whose duty ratio exceeds a fourteenth threshold, e.g. 50%.
7085. Output the target URL and the target policy identifier.
The security policy indicated by the target policy identifier is the security policy corresponding to the target URL that causes false alarms.
Optionally, in the above embodiment, the detailed flow of step 709 may be as shown in Fig. 11. Fig. 11 is an expanded flowchart of step 709 in Fig. 7, and comprises the following steps:
7091. At least one IP address is determined from the second attack subset, and a first access subset is determined for each IP address.
7092. Judge whether a target IP address exists among the at least one IP address; if so, execute step 7093, and if no target IP address exists among the at least one IP address, end.
The target IP address is an IP address whose first access subset meets a preset condition, where the preset condition is: the number of access logs in the first access subset is greater than a third threshold. The third threshold is, for example, 20, and the embodiment of the application is not limited thereto.
Obviously, the judgement condition in this step differs from that in step 7062.
7093. At least one attack type is determined from the first access subset of the target IP address.
Illustratively, the WAF extracts the attack type contained in each access log in the first access subset to obtain at least one attack type.
7094. Judge whether the number of kinds in the at least one attack type is smaller than or equal to a fourth threshold and whether the number of attacks of each attack type is larger than a fifth threshold; if both conditions hold, execute step 7095. If the number of kinds is greater than the fourth threshold, and/or an attack type whose number of attacks is less than or equal to the fifth threshold exists in the at least one attack type, execute step 7096.
The fourth threshold is, for example, 2, and the fifth threshold is, for example, 5; the embodiments of the present application are not limited thereto.
7095. Determine the security policy corresponding to the policy identifier contained in each access log in the first access subset as the security policy causing false alarms.
7096. The duty ratio of each attack type in the at least one attack type is determined.
7097. Determine whether an attack type whose duty ratio exceeds a sixth threshold exists in the at least one attack type; if so, execute step 7098, and if no attack type whose duty ratio exceeds the sixth threshold exists, end.
7098. Determine the access logs containing the attack types whose duty ratio is larger than the sixth threshold from the first access subset, and extract their policy identifiers to obtain the security policies causing false alarms.
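The IP-granularity analyses of Fig. 8 (step 706, first attack subset) and Fig. 11 (step 709, second attack subset), as one added example that is not the patent's own code. Both share the construction of the first access subset, so they are written together. Log records are constructed dicts with the fields ts, ip, attack_type (empty for a normal request) and policy_id; the field names, the 600-second target time window after the IP's earliest attack log, and the 0.5 value of the sixth threshold (which the text does not give) are assumptions. Thresholds default to the example values the text gives.

```python
"""IP-granularity analysis: Fig. 8 (first attack subset) and Fig. 11 (second)."""
from collections import Counter

# The page derives the target time range from the IP's earliest attack log but
# does not fix its length; a 600 s window after that log is an assumption.
WINDOW = 600


def first_access_subset(attack_subset, access_logs, ip):
    """Steps 7061/7091: access logs of `ip` inside its target time range."""
    t0 = min(r["ts"] for r in attack_subset if r["ip"] == ip)
    return [r for r in access_logs
            if r["ip"] == ip and t0 <= r["ts"] <= t0 + WINDOW]


def attack_type_counts(logs):
    """Number of access logs per attack type (normal requests carry none)."""
    return Counter(r["attack_type"] for r in logs if r["attack_type"])


def policies_of(logs):
    """Policy identifiers found in the given logs (the false-alarm candidates)."""
    return sorted({r["policy_id"] for r in logs if r["policy_id"]})


def analyse_first_subset(first_attack_subset, access_logs, first_thr=10, second_thr=2):
    """Fig. 8: an IP is a target when |first access subset| / |its attack logs|
    exceeds first_thr (7062); its policies are blamed when the access subset
    shows at most second_thr attack types (7064/7065)."""
    results = {}
    for ip in sorted({r["ip"] for r in first_attack_subset}):
        acc = first_access_subset(first_attack_subset, access_logs, ip)
        n_attack = sum(1 for r in first_attack_subset if r["ip"] == ip)
        if len(acc) / n_attack <= first_thr:
            continue
        if len(attack_type_counts(acc)) <= second_thr:
            results[ip] = policies_of(acc)
    return results


def analyse_second_subset(second_attack_subset, access_logs,
                          third_thr=20, fourth_thr=2, fifth_thr=5, sixth_thr=0.5):
    """Fig. 11: an IP is a target when |first access subset| > third_thr (7092).
    With at most fourth_thr attack types, each seen more than fifth_thr times,
    every policy in the subset is blamed (7094/7095); otherwise only the policies
    of attack types whose duty ratio exceeds sixth_thr (7096-7098)."""
    results = {}
    for ip in sorted({r["ip"] for r in second_attack_subset}):
        acc = first_access_subset(second_attack_subset, access_logs, ip)
        if len(acc) <= third_thr:
            continue
        counts = attack_type_counts(acc)
        if len(counts) <= fourth_thr and all(n > fifth_thr for n in counts.values()):
            results[ip] = policies_of(acc)
            continue
        total = sum(counts.values())
        hot = {t for t, n in counts.items() if n / total > sixth_thr}
        if hot:
            results[ip] = policies_of([r for r in acc if r["attack_type"] in hot])
    return results


def _mk(ip, ts, atype="", pol=""):
    return {"ip": ip, "ts": ts, "attack_type": atype, "policy_id": pol}


# Constructed samples. First subset: 10.0.0.1 is blocked twice and then browses
# normally (a false-alarm pattern); 10.0.0.2 produces nothing but blocks.
FIRST_SUBSET = ([_mk("10.0.0.1", 0, "sqli", "P1"), _mk("10.0.0.1", 5, "sqli", "P1")]
                + [_mk("10.0.0.2", i, "scanner", "P9") for i in range(5)])
ACCESS_1 = FIRST_SUBSET + [_mk("10.0.0.1", 10 + i) for i in range(30)]

# Second subset: 10.0.0.3 has one alarmed type seen often enough (7095 branch);
# 10.0.0.4 has three alarmed types, only xss being dominant (7098 branch).
SECOND_SUBSET = ([_mk("10.0.0.3", i, "xss", "P2") for i in range(6)]
                 + [_mk("10.0.0.4", i, "xss", "P2") for i in range(10)]
                 + [_mk("10.0.0.4", 10 + i, "csrf", "P3") for i in range(3)]
                 + [_mk("10.0.0.4", 13 + i, "lfi", "P4") for i in range(2)])
ACCESS_2 = (SECOND_SUBSET + [_mk("10.0.0.3", 6 + i) for i in range(20)]
            + [_mk("10.0.0.4", 15 + i) for i in range(10)])

if __name__ == "__main__":
    print(analyse_first_subset(FIRST_SUBSET, ACCESS_1))    # {'10.0.0.1': ['P1']}
    print(analyse_second_subset(SECOND_SUBSET, ACCESS_2))  # {'10.0.0.3': ['P2'], '10.0.0.4': ['P2']}
```

The difference between the two variants is the preset condition of step 7062 versus 7092: blocked requests are judged by how much ordinary traffic surrounds them relative to the blocks, whereas alarmed-but-allowed requests are judged by absolute volume and then by whether one attack type dominates.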
In the above embodiment, the detailed flow of step 710 may be understood with reference to Fig. 9, with the following difference: in Fig. 9 the target attack type is an attack type whose duty ratio exceeds a seventh threshold and whose number exceeds an eighth threshold, the values of the seventh and eighth thresholds being 30% and 50% respectively; in step 710 the target attack type is likewise an attack type whose duty ratio exceeds a seventh threshold and whose number exceeds an eighth threshold, but the values of the seventh and eighth thresholds are, for example, 20% and 100 respectively.
In addition, in step 7079 of Fig. 9 it is determined whether the number of kinds in the at least one attack type is smaller than a tenth threshold, whereas in step 710 it is determined whether the duty ratio of the access logs corresponding to non-attack service requests exceeds an eleventh threshold.
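The attack-type-granularity analysis of Fig. 9 (step 707) together with its step 710 variant, as one added example that is not the patent's own code; the variant differs only in its thresholds and in replacing the tenth-threshold test on the number of attack types with the eleventh-threshold test on the duty ratio of non-attack access logs, so both are one function with a mode switch. Log records are constructed dicts with the fields ts, ip, attack_type (empty for a normal request) and policy_id; the field names and the example values of the tenth and eleventh thresholds (not given in the text) are assumptions.

```python
"""Attack-type-granularity analysis: Fig. 9 (step 707) and the step 710 variant."""
from collections import Counter


def duty_ratios(values):
    """Map each distinct value to (count, duty ratio) over the given values."""
    c = Counter(values)
    total = sum(c.values())
    return {v: (n, n / total) for v, n in c.items()}


def analyse_attack_types(attack_subset, access_logs, *, seventh_thr=0.3, eighth_thr=50,
                         ninth_thr=0.5, tenth_thr=3, eleventh_thr=0.5,
                         mode="kinds", limit=100):
    """Returns {target attack type: {"policies": [...], "source": "second"|"third"}}.
    mode="kinds":      step 7079, blame when the third access subset shows fewer
                       than tenth_thr attack types (Fig. 9, first attack subset)
    mode="non_attack": step 710, blame when the duty ratio of non-attack access
                       logs in the third access subset exceeds eleventh_thr"""
    results = {}
    for atype, (n, ratio) in duty_ratios(r["attack_type"] for r in attack_subset).items():
        if not (ratio > seventh_thr and n > eighth_thr):         # step 7072
            continue
        logs_t = [r for r in attack_subset if r["attack_type"] == atype]
        for pol, (_, pratio) in duty_ratios(r["policy_id"] for r in logs_t).items():
            if pratio <= ninth_thr:                              # step 7074
                continue
            # step 7075: second access subset, capped at the earliest `limit` logs
            second = sorted((r for r in logs_t if r["policy_id"] == pol),
                            key=lambda r: r["ts"])[:limit]
            ips = {r["ip"] for r in second}
            third = [r for r in access_logs if r["ip"] in ips]   # step 7076
            if not third:                                        # step 70711
                results[atype] = {"policies": [pol], "source": "second"}
                continue
            if mode == "kinds":                                  # step 7079
                ok = len({r["attack_type"] for r in third if r["attack_type"]}) < tenth_thr
            else:                                                # step 710 variant
                ok = sum(1 for r in third if not r["attack_type"]) / len(third) > eleventh_thr
            if ok:                                               # step 70710
                results[atype] = {"policies": sorted({r["policy_id"] for r in third
                                                      if r["policy_id"]}),
                                  "source": "third"}
    return results


def _mk(ip, ts, atype="", pol=""):
    return {"ip": ip, "ts": ts, "attack_type": atype, "policy_id": pol}


# Constructed sample: 100 attack logs. "sqli" has a 60% duty ratio and 60 logs,
# 55 of them matched by policy P1 from five client IPs that also generate plenty
# of normal traffic; "xss" has only 40 logs and never becomes a target type.
ATTACK_SUBSET = ([_mk(f"10.0.1.{i % 5}", i, "sqli", "P1") for i in range(55)]
                 + [_mk("10.0.9.9", 100 + i, "sqli", "P2") for i in range(5)]
                 + [_mk("10.0.8.8", 200 + i, "xss", "P3") for i in range(40)])
ACCESS = ATTACK_SUBSET + [_mk(f"10.0.1.{i % 5}", 300 + i) for i in range(100)]

if __name__ == "__main__":
    print(analyse_attack_types(ATTACK_SUBSET, ACCESS))
    print(analyse_attack_types(ATTACK_SUBSET, ACCESS, mode="non_attack"))
```

As the text defines it, the third access subset is empty only when the IPs of the second access subset have no access logs at all in the queried set, so the step 70711 branch is reached only when the access log set passed in is narrower than the attack subset; the block keeps that branch as specified.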
In the above embodiment, the detailed flow of step 711 may be understood with reference to Fig. 10, with the following difference: in Fig. 10 the target URL is a URL whose duty ratio exceeds a twelfth threshold and whose number exceeds a thirteenth threshold, the twelfth and thirteenth thresholds being 30% and 50 respectively, whereas in step 711 the twelfth and thirteenth thresholds are 10% and 100 respectively.
In addition, in step 7084 of Fig. 10 the target policy identifier is the policy identifier in the at least one policy identifier whose duty ratio exceeds a fourteenth threshold, e.g. 50%, whereas in step 711 the fourteenth threshold is, for example, 10%.
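The URL-granularity analysis of Fig. 10 (step 708) and its step 711 variant, which differs only in thresholds, as one added example that is not the patent's own code, run on the 50-log dataset of the worked example earlier on this page (5 logs for URL1, 5 for URL2, 40 for URL3, the URL3 logs carrying security policies a, b and c in an 80/10/10 split). Log records are constructed dicts with the fields url and policy_id; the field names, and the policy assigned to the URL1 and URL2 logs (which the worked example does not state), are assumptions. One caveat the worked example leaves implicit: step 7082 requires the URL's count to exceed the thirteenth threshold, and 40 logs do not exceed the example value of 50, so the run below lowers that threshold to 30 (a constructed value) to reproduce the example's outcome.

```python
"""URL-granularity analysis: Fig. 10 (step 708) and the step 711 variant."""
from collections import Counter


def duty_ratios(values):
    """Map each distinct value to (count, duty ratio) over the given values."""
    c = Counter(values)
    total = sum(c.values())
    return {v: (n, n / total) for v, n in c.items()}


def analyse_urls(attack_subset, *, twelfth_thr, thirteenth_thr, fourteenth_thr):
    """Steps 7081-7085: {target URL: [target policy identifiers]}.
    A URL is a target when its duty ratio exceeds twelfth_thr and its count
    exceeds thirteenth_thr (7082); among its attack logs, a policy identifier
    is a target when its duty ratio exceeds fourteenth_thr (7084)."""
    results = {}
    for url, (n, ratio) in duty_ratios(r["url"] for r in attack_subset).items():
        if not (ratio > twelfth_thr and n > thirteenth_thr):
            continue
        pols = duty_ratios(r["policy_id"] for r in attack_subset if r["url"] == url)
        targets = sorted(p for p, (_, pr) in pols.items() if pr > fourteenth_thr)
        if targets:
            results[url] = targets
    return results


# Example threshold values from the text for the two attack subsets.
FIRST_SUBSET_THRESHOLDS = dict(twelfth_thr=0.30, thirteenth_thr=50, fourteenth_thr=0.50)
SECOND_SUBSET_THRESHOLDS = dict(twelfth_thr=0.10, thirteenth_thr=100, fourteenth_thr=0.10)

# The worked example's 50 attack logs: URL1 x5, URL2 x5, URL3 x40, the URL3 logs
# matched by policies a/b/c in an 80/10/10 split. Policies of the URL1/URL2 logs
# are not given on the page; "a" is a constructed filler.
WORKED_EXAMPLE = ([{"url": "URL1", "policy_id": "a"}] * 5
                  + [{"url": "URL2", "policy_id": "a"}] * 5
                  + [{"url": "URL3", "policy_id": "a"}] * 32
                  + [{"url": "URL3", "policy_id": "b"}] * 4
                  + [{"url": "URL3", "policy_id": "c"}] * 4)

if __name__ == "__main__":
    # With the strict count gate of step 7082, 40 URL3 logs do not exceed 50;
    # a thirteenth threshold of 30 (constructed) reproduces the example's outcome.
    print(analyse_urls(WORKED_EXAMPLE,
                       **{**FIRST_SUBSET_THRESHOLDS, "thirteenth_thr": 30}))  # {'URL3': ['a']}
```

Running the same dataset with the second-subset thresholds yields nothing, since no URL reaches 100 logs and URL1 and URL2 sit exactly at, not above, the 10% duty ratio; the strict inequalities of steps 7082 and 7084 are what keep a borderline URL from being blamed.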
The following are examples of the apparatus of the present application that may be used to perform the method embodiments of the present application. For details not disclosed in the embodiments of the apparatus of the present application, please refer to the embodiments of the method of the present application.
Fig. 12 is a schematic diagram of a false alarm detection device according to an embodiment of the present application. The false alarm detection device 1200 includes: a first determination module 121, a second determination module 122, and a processing module 123.
A first determining module 121, configured to determine an access log set and an attack log set, where the attack log set is a subset of the access log set;
A second determining module 122, configured to determine, from the attack log set, the attack logs whose hypertext transfer protocol (HTTP) status code is a target status code and whose interception state is a preset state, so as to obtain an attack subset;
And the processing module 123 is configured to determine a security policy that causes false alarms according to the attack subset.
In a possible implementation, the processing module 123 is configured to determine an analysis granularity, where the analysis granularity includes at least one of an IP granularity, a uniform resource locator (URL) granularity and an attack type granularity, and to analyse the attack subset to determine the security policy that causes false alarms for that analysis granularity.
In a possible implementation manner, the processing module 123 analyzes the attack subset to determine, for the analysis granularity, a security policy that causes false alarm, and when the analysis granularity is IP granularity, extracts an IP address from each attack log included in the attack subset to obtain at least one IP address; for each IP address in the at least one IP address, inquiring the access log set according to the IP address to determine a first access subset corresponding to each IP address, wherein the access logs in the first access subset comprise corresponding IP addresses, each access log in the first access subset is positioned in a target time period range, and the target time period is determined according to an attack log comprising the corresponding IP address in the first attack subset; determining a target IP address from the at least one IP address according to a first access subset of each IP address in the at least one IP address, wherein the first access subset of the target IP address meets a preset condition; and determining a security policy causing false alarm aiming at the target IP address.
In a possible implementation manner, when the processing module 123 determines, for the target IP address, a security policy that causes false alarm, the processing module is configured to extract an attack type from the first access subset including the target IP address when the preset condition is that a ratio of a number of access logs in the first access subset to a number of attack logs including the target IP address in the attack subset exceeds a first threshold, so as to obtain at least one attack type; and determining that the security policy corresponding to the policy identifier contained in each access log in the first access subset is the security policy causing false alarm when the type corresponding to the at least one attack type is smaller than or equal to a second threshold value aiming at the target IP address.
In a possible implementation manner, when the processing module 123 determines, for the target IP address, a security policy that causes false alarm, the processing module is configured to extract an attack type from the attack logs including the target IP address to obtain at least one attack type when the preset condition is that the number of access logs in the first access subset is greater than a third threshold; and, for the target IP address, to determine that the security policy corresponding to the policy identifier contained in each access log in the first access subset is the security policy causing false alarm when the number of kinds in the at least one attack type is smaller than or equal to a fourth threshold and the attack number of each attack type in the at least one attack type is larger than a fifth threshold.
In a possible implementation manner, the processing module 123 is further configured to determine a duty ratio of each attack type in the at least one attack type when the type corresponding to the at least one attack type is greater than a fourth threshold, and/or when the number of attack types in the at least one attack type is less than or equal to a fifth threshold; and determining an access log containing attack types with the duty ratio larger than a sixth threshold value from the first access subset when the attack types with the duty ratio larger than the sixth threshold value exist in the at least one attack type aiming at the target IP address, and extracting a strategy identifier to obtain a security strategy causing false alarm.
In a possible implementation manner, the processing module 123 analyzes the attack subset to determine, for the analysis granularity, a security policy that causes false alarm, and when the analysis granularity is an attack type, extracts an attack type from each attack log included in the attack subset to obtain at least one attack type; extracting a policy identifier from an attack log containing at least one attack type aiming at the target attack type in the at least one attack type to obtain at least one policy identifier, wherein the target attack type is an attack type with a duty ratio exceeding a seventh threshold value and the number of the corresponding attack logs being larger than an eighth threshold value in the at least one attack type; and aiming at the target attack type, determining a security policy causing false alarm according to the at least one policy identifier.
In a possible implementation manner, when the processing module 123 determines, for the target attack type, a security policy that causes false alarm according to the at least one policy identifier, the processing module is configured to determine, for a target policy identifier in the at least one policy identifier, an attack log including the target security policy from the attack subset to obtain a second access subset, where the target policy identifier is a policy identifier whose duty ratio in the at least one policy identifier exceeds a ninth threshold; extracting an IP address from each attack log contained in the second access subset to obtain at least one IP address; and determining a security policy causing false alarm according to each IP address in the at least one IP address aiming at the target attack type.
In a possible implementation manner, when the processing module 123 determines, for the target attack type, a security policy that causes false alarm according to each of the at least one IP address, the processing module is configured to query the access log set according to each of the at least one IP address to determine a third access subset, where the access log in the third access subset includes any one of the at least one IP address; and aiming at the target attack type, when the third access subset is empty, determining that the security policy corresponding to the policy identifier contained in each access log in the second access subset is the security policy causing false alarm.
In a possible implementation manner, the processing module 123 is further configured to extract an attack type from an access log included in the third access subset when the third access subset is not empty, so as to obtain at least one attack type; and when the type corresponding to the at least one attack type is smaller than a tenth threshold value, determining that the security policy corresponding to the policy identifier contained in each access log in the third access subset is the security policy causing false alarm.
In a possible implementation manner, when the third access subset is not empty, the processing module 123 is further configured to determine an access log corresponding to the non-attack service request from access logs included in the third access subset; determining the duty ratio of an access log corresponding to the non-attacking service request; and when the duty ratio is larger than an eleventh threshold value, determining a security policy corresponding to a policy identifier contained in each access log in the third access subset as a security policy causing false alarm.
In a possible implementation manner, the processing module 123 analyzes the attack subset to determine, for the analysis granularity, a security policy that causes false alarm, and extracts, when the analysis granularity is URL granularity, URLs from attack logs included in the attack subset to obtain at least one URL; extracting policy identifications from attack logs containing the target URL aiming at the target URL in the at least one URL to obtain at least one policy identification, wherein the target URL is a URL with the duty ratio exceeding a twelfth threshold value and the number of the corresponding attack logs being larger than a thirteenth threshold value in the at least one URL; and determining a security policy causing false alarm for the target URL.
In a possible implementation manner, when the processing module 123 determines, for the target URL, a security policy that causes false alarm, it is configured to determine whether a target policy identifier exists in the at least one policy identifier, where the target policy identifier is a policy identifier whose duty ratio in the at least one policy identifier exceeds a fourteenth threshold; and, for the target URL, when the target policy identifier exists in the at least one policy identifier, to determine the security policy corresponding to the target policy identifier as the security policy causing false alarm.
In a possible implementation manner, the second determining module 122 filters out the attack logs that match the blacklist from the attack logs included in the access log set, and/or obtains the attack log set from the remaining attack logs, where an attack log is an access log whose attack type field has a preset value.
In a possible implementation manner, the first determining module 121 is configured to obtain an analysis request, where the analysis request carries at least one of a client identifier to be analyzed, a time range to be analyzed, a domain name to be analyzed, and a value of a preset attack type; and querying historical access logs according to the analysis request to obtain the access log set, and determining the attack log set according to the access log set.
In a possible implementation manner, after the first determining module 121 determines the access log set and the attack log set, it is further configured to structure each access log in the access log set to obtain a standard file corresponding to each access log, where the standard file includes an attack type field and an interception status field.
In a possible implementation manner, the target status code is 403 and the preset state is intercepted.
In a possible implementation manner, the target status code is any one of 200, 301, 302 and 304, and the preset state is not intercepted but alarmed.
The false alarm detection device provided by the embodiment of the application can execute the action of the WAF in the embodiment, and the implementation principle and the technical effect are similar, and are not repeated here.
Fig. 13 is a schematic structural diagram of an electronic device according to an embodiment of the present application. As shown in fig. 13, the electronic device 130 is, for example, the WAF described above, and the electronic device 1300 includes:
A processor 131 and a memory 132;
the memory 132 stores computer instructions;
The processor 131 executes the computer instructions stored by the memory 132, causing the processor 131 to perform the false positive detection method implemented by the WAF as above.
The specific implementation process of the processor 131 can be referred to the above method embodiment, and its implementation principle and technical effects are similar, and this embodiment will not be described herein again.
Optionally, the electronic device 1300 further comprises a communication component 133. The processor 131, the memory 132, and the communication unit 133 may be connected via a bus 134.
The embodiment of the application also provides a computer readable storage medium, wherein the computer readable storage medium stores computer instructions, and the computer instructions are executed by a processor to implement the false alarm detection method implemented by the WAF.
The embodiment of the application also provides a computer program product, which comprises a computer program, and the computer program is used for executing the false alarm detection method implemented by the WAF.
Other embodiments of the application will be apparent to those skilled in the art from consideration of the specification and practice of the application disclosed herein. This application is intended to cover any variations, uses, or adaptations of the application following, in general, the principles of the application and including such departures from the present disclosure as come within known or customary practice within the art to which the application pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the application being indicated by the following claims.
It is to be understood that the application is not limited to the precise arrangements and instrumentalities shown in the drawings, which have been described above, and that various modifications and changes may be effected without departing from the scope thereof. The scope of the application is limited only by the appended claims.

Claims (13)

1. A false positive detection method, comprising:
determining an access log set and an attack log set, the attack log set being a subset of the access log set;
determining an attack log whose hypertext transfer protocol (HTTP) status code is a target status code and whose interception state is a preset state from the attack log set to obtain an attack subset;
determining an analysis granularity, the analysis granularity including at least one of IP granularity, uniform resource locator URL granularity, and attack type granularity;
Analyzing the attack subset to determine a security policy that results in false positives for the analysis granularity; when the analysis granularity is URL granularity, extracting a URL from each attack log contained in the attack subset to obtain at least one URL;
Extracting policy identifications from attack logs containing the target URL aiming at the target URL in the at least one URL to obtain at least one policy identification, wherein the target URL is a URL with the duty ratio exceeding a twelfth threshold value and the number of the corresponding attack logs being larger than a thirteenth threshold value in the at least one URL;
determining whether a target strategy identifier exists in the at least one strategy identifier, wherein the target strategy identifier is a strategy identifier with the duty ratio exceeding a fourteenth threshold value in the at least one strategy identifier;
And aiming at the target URL, when the target strategy identifier exists in the at least one strategy identifier, determining the security strategy corresponding to the target strategy identifier as the security strategy causing false alarm.
2. The method of claim 1, wherein the analyzing the subset of attacks to determine security policies that result in false positives for the analysis granularity comprises:
when the analysis granularity is IP granularity, extracting IP addresses from each attack log contained in the attack subset to obtain at least one IP address;
For each IP address in the at least one IP address, inquiring the access log set according to the IP address to determine a first access subset corresponding to each IP address, wherein the access logs in the first access subset comprise corresponding IP addresses, each access log in the first access subset is positioned in a target time period range, and the target time period is determined according to an attack log comprising the corresponding IP address in the first attack subset;
determining a target IP address from the at least one IP address according to a first access subset of each IP address in the at least one IP address, wherein the first access subset of the target IP address meets a preset condition;
When the preset condition is that the ratio of the number of access logs in the first access subset to the number of attack logs containing the target IP address in the attack subset exceeds a first threshold, extracting an attack type from the first access subset containing the target IP address to obtain at least one attack type; for the target IP address, when the type corresponding to the at least one attack type is smaller than or equal to a second threshold value, determining that the security policy corresponding to the policy identifier contained in each access log in the first access subset is the security policy causing false alarm;
When the preset condition is that the number of access logs in the first access subset is larger than a third threshold, extracting an attack type from the attack logs containing the target IP address to obtain at least one attack type; and determining that the security policy corresponding to the policy identifier contained in each access log in the first access subset is the security policy causing false alarm when the type corresponding to the at least one attack type is smaller than or equal to a fourth threshold value and the attack number of each attack type in the at least one attack type is larger than a fifth threshold value aiming at the target IP address.
3. The method according to claim 2, wherein when the preset condition is that the number of access logs in the first access subset is greater than a third threshold, after extracting an attack type from the attack log containing the target IP address to obtain at least one attack type, the method further comprises:
For the target IP address, when the type corresponding to the at least one attack type is greater than a fourth threshold value and/or the attack type with the number smaller than or equal to a fifth threshold value exists in the at least one attack type, determining the duty ratio of each attack type in the at least one attack type;
And determining an access log containing attack types with the duty ratio larger than a sixth threshold value from the first access subset when the attack types with the duty ratio larger than the sixth threshold value exist in the at least one attack type aiming at the target IP address, and extracting a strategy identifier to obtain a security strategy causing false alarm.
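The IP-granularity analysis of claims 1 to 3 (first preset condition of claim 2) as an added, runnable example; this is illustrative code written for this page, not the patent's implementation. It assumes structured access logs with `ip`, `status`, `attack_type` and `policy_id` fields, uses 403 as the target status code (claim 10), and the sample logs and threshold values are constructed.

```python
from collections import defaultdict


def log(ip, status, attack_type="", policy_id=""):
    """One structured access log with the fields the claims reference (assumed schema)."""
    return {"ip": ip, "status": status, "attack_type": attack_type, "policy_id": policy_id}


# Constructed sample data: one client that behaves normally but trips policy
# P-17 once, and one client that trips three different policies.
ACCESS_LOGS = (
    [log("203.0.113.10", 200) for _ in range(7)]
    + [log("203.0.113.10", 403, "sqli", "P-17")]
    + [log("198.51.100.7", 403, "sqli", "P-17"),
       log("198.51.100.7", 403, "xss", "P-22"),
       log("198.51.100.7", 403, "rce", "P-31"),
       log("198.51.100.7", 200)]
)


def attack_subset(logs, target_status=403):
    """Attack logs (attack_type set) whose status code is the target code;
    403 is the 'intercepted' preset state of claim 10."""
    return [l for l in logs if l["attack_type"] and l["status"] == target_status]


def false_alarm_policies_by_ip(logs, first_threshold=3.0, second_threshold=1):
    """Returns {target_ip: sorted policy ids judged to cause false alarms}.
    An IP whose overall traffic is mostly ordinary access and that triggers
    only a few attack types points at a policy firing on legitimate requests."""
    attacks_by_ip = defaultdict(list)
    for a in attack_subset(logs):
        attacks_by_ip[a["ip"]].append(a)
    flagged = {}
    for ip, ip_attacks in attacks_by_ip.items():
        # first access subset: every access log of this IP, attack or not
        first_subset = [l for l in logs if l["ip"] == ip]
        # preset condition: |first subset| / |attack logs of this IP| > first threshold
        if len(first_subset) / len(ip_attacks) <= first_threshold:
            continue
        attack_types = {l["attack_type"] for l in first_subset if l["attack_type"]}
        if len(attack_types) <= second_threshold:
            flagged[ip] = sorted({l["policy_id"] for l in first_subset if l["policy_id"]})
    return flagged


if __name__ == "__main__":
    print(false_alarm_policies_by_ip(ACCESS_LOGS))  # {'203.0.113.10': ['P-17']}
```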
4. The method of claim 1, wherein the analyzing the attack subset to determine, for the analysis granularity, the security policy causing the false alarm comprises:
when the analysis granularity is the attack type, extracting the attack type from each attack log contained in the attack subset to obtain at least one attack type;
for a target attack type in the at least one attack type, extracting a policy identifier from the attack logs containing the target attack type to obtain at least one policy identifier, wherein the target attack type is an attack type in the at least one attack type whose proportion exceeds a seventh threshold value and whose number of corresponding attack logs is larger than an eighth threshold value;
for a target policy identifier in the at least one policy identifier, determining the attack logs containing the target policy identifier from the attack subset to obtain a second access subset, wherein the target policy identifier is a policy identifier in the at least one policy identifier whose proportion exceeds a ninth threshold value;
extracting an IP address from each attack log contained in the second access subset to obtain at least one IP address;
querying the access log set according to each IP address in the at least one IP address to determine a third access subset, wherein each access log in the third access subset contains one of the at least one IP address;
and, for the target attack type, when the third access subset is empty, determining that the security policy corresponding to the policy identifier contained in each access log in the second access subset is the security policy causing the false alarm.
5. The method as recited in claim 4, further comprising:
when the third access subset is not empty, extracting an attack type from the access logs contained in the third access subset to obtain at least one attack type;
and when the number of attack types in the at least one attack type is smaller than a tenth threshold value, determining that the security policy corresponding to the policy identifier contained in each access log in the third access subset is the security policy causing the false alarm.
6. The method as recited in claim 4, further comprising:
when the third access subset is not empty, determining the access logs corresponding to non-attack service requests from the access logs contained in the third access subset;
determining the proportion of the access logs corresponding to non-attack service requests;
and when the proportion is larger than an eleventh threshold value, determining that the security policy corresponding to the policy identifier contained in each access log in the third access subset is the security policy causing the false alarm.
7. The method of any of claims 1-6, wherein the determining the access log set and the attack log set comprises:
filtering out, from the attack logs contained in the access log set, the attack logs that match a blacklist, and/or obtaining the attack log set from the remaining attack logs, wherein an attack log is an access log whose attack type has a preset value.
8. The method of any of claims 1-6, wherein the determining the access log set and the attack log set comprises:
acquiring an analysis request, wherein the analysis request carries at least one of a client identifier to be analyzed, a time range to be analyzed, a domain name to be analyzed and a value of a preset attack type;
and querying historical access logs according to the analysis request to obtain the access log set.
9. The method according to any one of claims 1-6, further comprising, after the determining the access log set and the attack log set:
structuring each access log in the access log set to obtain a standard file corresponding to each access log, wherein the standard file comprises an attack type field and an interception state field.
10. The method according to any one of claims 1-2 and 4-5, wherein
the target status code is 403 and the preset state is intercepted.
11. The method according to any one of claims 1-4 and 6, wherein
the target status code is any one of 200, 301, 302 and 304, and the preset state is not intercepted but alarmed.
12. An electronic device comprising a processor, a memory and a computer program stored on the memory and executable on the processor, wherein execution of the computer program by the processor causes the electronic device to implement the method of any one of claims 1 to 11.
13. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the method according to any one of claims 1 to 11.
CN202111355392.XA 2021-11-16 2021-11-16 False alarm detection method, equipment and readable storage medium Active CN114257403B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111355392.XA CN114257403B (en) 2021-11-16 2021-11-16 False alarm detection method, equipment and readable storage medium

Publications (2)

Publication Number Publication Date
CN114257403A CN114257403A (en) 2022-03-29
CN114257403B true CN114257403B (en) 2024-03-26

Family

ID=80790959

Country Status (1)

Country Link
CN (1) CN114257403B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115664869B (en) * 2022-12-28 2023-05-16 北京六方云信息技术有限公司 Method, device and storage medium for processing false identification of intrusion prevention system

Also Published As

Publication number Publication date
CN114257403A (en) 2022-03-29

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant