CN114499961A - Safety early warning method and device and computer readable storage medium - Google Patents

Safety early warning method and device and computer readable storage medium

Info

Publication number
CN114499961A
Authority
CN
China
Prior art keywords
security
attack
early warning
event
vulnerability
Legal status
Pending
Application number
CN202111602819.1A
Other languages
Chinese (zh)
Inventor
何成刚
万振华
郑明�
王颉
李华
董燕
Current Assignee
Shenzhen Mainway Technology Co ltd
Seczone Technology Co Ltd
Original Assignee
Shenzhen Mainway Technology Co ltd
Seczone Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1433 Vulnerability analysis

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Debugging And Monitoring (AREA)

Abstract

According to the safety early warning method, the safety early warning device and the computer readable storage medium, in the input stage of a safety attack event, the first event information of the safety attack event is detected in real time through the Web container loading probe; generating corresponding initial early warning information according to the first event information; identifying security vulnerabilities existing in protected applications according to the initial early warning information; and in the transmission stage of the security attack event, if the security attack event is identified at the security vulnerability, outputting attack early warning information related to the security vulnerability. Through the implementation of the scheme, when the protected application is attacked, initial early warning information is generated in the early warning system, the security vulnerability attacked by the security attack event in the application is identified according to the initial early warning information, when the security attack event is identified at the security vulnerability, the early warning information is sent to a user, the security attack is early warned in real time, and the security of the Web application is comprehensively and timely protected.

Description

Safety early warning method and device and computer readable storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to a security early warning method, device, and computer-readable storage medium.
Background
Existing Web application security protection basically deals with a security vulnerability after it has been attacked, and can rarely prevent a security attack in advance. Recently, RASP (Runtime Application Self-Protection) technology has been introduced into the protection of application software, but the patents formed on the basis of RASP so far mostly rely on the rule matching of traditional hardware such as a WAF (Web Application Firewall), or on combinations of traditional hardware such as a cloud WAF. Because most of these technologies are hardware combinations in which the related hardware is set up in front of the Web server to defend against security vulnerabilities, they do not truly reach the code level of the application, and they have the following drawbacks: deployment is complex, cost is high and universality is poor; real-time early warning and defense against security attacks cannot be performed; the source of security vulnerability information is simplified, so the Web application cannot be comprehensively and timely protected; the false alarm rate is high; and the requirement of the user's personalized business logic cannot be met.
Disclosure of Invention
The embodiments of the present application provide a safety early warning method, a safety early warning device and a computer readable storage medium, which at least solve the following problems of the related technologies: deployment is complex, cost is high and universality is poor; real-time early warning and defense against security attacks cannot be performed; the source of security vulnerability information is simplified, so the Web application cannot be comprehensively and timely protected; the false alarm rate is high; and the requirement of the user's personalized business logic cannot be met.
A first aspect of an embodiment of the present application provides a safety precaution method, including:
in the input stage of a security attack event, loading a probe through a Web container to detect first event information of the security attack event in real time;
generating corresponding initial early warning information according to the first event information;
identifying security vulnerabilities existing in protected applications according to the initial early warning information;
and in the transmission stage of the security attack event, if the security attack event is identified at the security vulnerability, outputting attack early warning information related to the security vulnerability.
A second aspect of the embodiments of the present application provides a safety precaution device, including:
the inspection module is used for detecting first event information of the security attack event in real time through a Web container loading probe in the input stage of the security attack event;
the generating module is used for generating corresponding initial early warning information according to the first event information;
the identification module is used for identifying security vulnerabilities existing in protected applications according to the initial early warning information;
and the output module is used for outputting attack early warning information related to the security vulnerability if the security attack event is identified at the security vulnerability in the transmission stage of the security attack event.
A third aspect of embodiments of the present application provides an electronic apparatus, including: the system comprises a memory, a processor and a bus, wherein the bus is used for realizing the connection and communication between the memory and the processor; the processor is configured to execute a computer program stored on the memory, and when the processor executes the computer program, the processor performs each step in the safety precaution method provided in the first aspect of the embodiment of the present application.
A fourth aspect of the embodiments of the present application provides a computer-readable storage medium, where a computer program is stored, and when the computer program is executed by a processor, the steps in the security early warning method provided in the first aspect of the embodiments of the present application are implemented.
In view of the above, according to the security early warning method, the security early warning device and the computer readable storage medium provided by the scheme of the application, in the input stage of the security attack event, the first event information of the security attack event is detected in real time by the Web container loading probe; generating corresponding initial early warning information according to the first event information; identifying security vulnerabilities existing in protected applications according to the initial early warning information; and in the transmission stage of the security attack event, if the security attack event is identified at the security vulnerability, outputting attack early warning information related to the security vulnerability. Through the implementation of the scheme, when the protected application is attacked, initial early warning information is generated in the early warning system, the security vulnerability attacked by the security attack event in the application is identified according to the initial early warning information, when the security attack event is identified at the security vulnerability, the early warning information is sent to a user, the security attack is early warned in real time, and the security of the Web application is comprehensively and timely protected.
Drawings
Fig. 1 is a schematic basic flow chart of a safety warning method according to a first embodiment of the present application;
fig. 2 is a detailed flowchart of a safety precaution method according to a second embodiment of the present application;
fig. 3 is a schematic diagram of program modules of a safety precaution device according to a third embodiment of the present application;
fig. 4 is a schematic structural diagram of an electronic device according to a fourth embodiment of the present disclosure.
Detailed description of the preferred embodiments
In order to make the objects, features and advantages of the present invention more apparent and understandable, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, and it is apparent that the described embodiments are only a part of the embodiments of the present application, and not all the embodiments of the present application. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
To solve the problems of the related technologies, namely that deployment is complex, cost is high and universality is poor; that real-time early warning and defense against security attacks cannot be performed; that the source of security vulnerability information is simplified, so the Web application cannot be comprehensively and timely protected; that the false alarm rate is high; and that the requirement of the user's personalized business logic cannot be met, a safety early warning method is provided in the first embodiment of the application.
As shown in fig. 1, which is a basic flowchart of the safety precaution method provided in this embodiment, the safety precaution method includes the following steps:
step 101, in the input stage of the security attack event, a Web container loading probe is used to detect the first event information of the security attack event in real time.
Specifically, in this embodiment, a Web container loading probe is inserted into a protected application for real-time protection based on the RASP technology, and when the protected application is attacked, first event information in the security attack event is detected in real time, where the event information includes a function with an attack property and corresponding parameters.
In an optional implementation manner of this embodiment, the step of detecting, in real time, first event information of a security attack event by using a Web container loading probe includes: inserting a Web container loading probe into a key class and a function of a protected application; and detecting first event information of the security attack event according to an interceptor of the Web container loading probe.
Specifically, in practical applications, existing Web application security protection is basically performed after a security vulnerability has been attacked, and little security software or hardware is available for preventing security attacks in advance. In this embodiment, the Web container loading probe is inserted into the key classes and functions of the protected application through an instrumentation technique; when the probe detects a security attack event, its interceptor intercepts and inspects the function with the attack property and its corresponding parameters in real time. The probe does not need to inspect or change the user's source code, thereby protecting the privacy of the user's private applications.
Step 102, generating corresponding initial early warning information according to the first event information.
Specifically, in this embodiment, after the interceptor intercepts the first event information of the security attack event, the early warning system may analyze the detected function with the attack property and the corresponding parameter, and generate initial early warning information in the early warning system according to the analysis result.
In an optional implementation manner of this embodiment, the step of generating initial warning information according to the event information includes: determining vulnerability attack characteristics of a security attack event based on the first event information; and generating corresponding initial early warning information according to the vulnerability attack characteristics.
Specifically, in this embodiment, vulnerability attack characteristics of the security vulnerability in the security attack event are determined according to a function with attack properties and corresponding parameters detected by an interceptor of the Web container loading probe, and initial early warning information is generated in the early warning system according to the vulnerability attack characteristics in the security attack event, and is only transmitted in the early warning system, so that the accuracy of security early warning is improved.
Step 103, identifying security vulnerabilities existing in the protected application according to the initial early warning information.
Specifically, in this embodiment, the system server may identify whether a security vulnerability to be attacked by the security attack event exists in the protected application according to the initial early warning information in the early warning system.
In an optional implementation manner of this embodiment, the step of identifying a security vulnerability existing in the protected application according to the initial warning information includes: matching vulnerability attack characteristics corresponding to the initial early warning information with a preset vulnerability attack characteristic library; and determining the vulnerability type corresponding to the matched preset vulnerability attack characteristics as the vulnerability type of the security vulnerability existing in the protected application.
Specifically, in this embodiment, after receiving the initial early warning information, matching vulnerability attack features contained in the initial early warning information with a preset vulnerability attack feature library, and determining vulnerability types in the preset vulnerability attack feature library, which are consistent with vulnerability attack features contained in the initial early warning information, as vulnerability types of security vulnerabilities existing in protected applications. It should also be understood that, there may be multiple vulnerability attack characteristics in the initial early warning information at the same time, and correspondingly, the present solution may also identify vulnerability types of multiple security vulnerabilities existing in the protected application at the same time, and may perform real-time early warning on multiple security vulnerabilities at the same time.
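The following is an added example, not code from the patent or its assignees, showing steps 101 to 103 in Python: a decorator stands in for the Web container loading probe, its wrapper is the interceptor that records the function and parameters (first event information), the parameters are matched against a constructed feature library standing in for the preset vulnerability attack feature library, and the matched library entries name the vulnerability types in the initial early warning information. The function `read_user_file`, the library contents and the sample inputs are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from functools import wraps
from typing import Dict, List

# Constructed stand-in for the "preset vulnerability attack feature library":
# each vulnerability type maps to patterns that characterise an attack payload
# arriving at a sensitive function. A real library is far larger than this.
FEATURE_LIBRARY: Dict[str, List[re.Pattern]] = {
    "sql_injection": [
        re.compile(r"(?i)\bunion\b.*\bselect\b"),
        re.compile(r"(?i)'\s*or\s*'?1'?\s*=\s*'?1"),
    ],
    "path_traversal": [re.compile(r"(\.\./|\.\.\\)")],
}


@dataclass
class FirstEventInfo:
    """First event information: the intercepted function and its parameters."""
    function: str
    args: tuple
    kwargs: dict


@dataclass
class InitialWarning:
    """Initial early warning information, kept inside the early warning system."""
    event: FirstEventInfo
    features: List[str]             # vulnerability attack characteristics
    vulnerability_types: List[str]  # library entries the characteristics matched


# The early warning system's in-process store; nothing here is sent to the user.
WARNING_SYSTEM: List[InitialWarning] = []


def extract_features(event: FirstEventInfo) -> List[str]:
    """Step 102: derive attack characteristics from the intercepted parameters."""
    values = [str(a) for a in event.args] + [str(v) for v in event.kwargs.values()]
    features = []
    for vuln_type, patterns in FEATURE_LIBRARY.items():
        for pat in patterns:
            if any(pat.search(v) for v in values):
                features.append(f"{vuln_type}:{pat.pattern}")
    return features


def identify_vulnerabilities(features: List[str]) -> List[str]:
    """Step 103: the library entry a characteristic matched names the vulnerability type."""
    return sorted({f.split(":", 1)[0] for f in features})


def probe(func):
    """Stand-in for the Web container loading probe: wraps a key function of the
    protected application so the interceptor sees every call without touching its source."""
    @wraps(func)
    def interceptor(*args, **kwargs):
        event = FirstEventInfo(func.__name__, args, kwargs)   # step 101
        features = extract_features(event)
        if features:
            WARNING_SYSTEM.append(
                InitialWarning(event, features, identify_vulnerabilities(features)))
        return func(*args, **kwargs)
    return interceptor


@probe
def read_user_file(filename: str) -> str:
    """Hypothetical key function of the protected application (a file read)."""
    return f"<contents of {filename}>"


def run_demo() -> List[List[str]]:
    """Drives two constructed requests through the probe and returns the
    vulnerability types identified for each initial warning generated."""
    WARNING_SYSTEM.clear()
    read_user_file("report.txt")           # benign: no initial warning
    read_user_file("../../etc/passwd")     # traversal characteristic: one warning
    return [w.vulnerability_types for w in WARNING_SYSTEM]


if __name__ == "__main__":
    print(run_demo())
```

The interceptor records the event and lets the call proceed, matching the patent's description of this stage as early warning rather than blocking; the blocking decision belongs to the transmission stage, which uses the second event information.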
Step 104, in the transmission stage of the security attack event, if the security attack event is identified at the security vulnerability, outputting attack early warning information related to the security vulnerability.
Specifically, in practical application, the existing Web application security protection basically sends alarm information after a security vulnerability is attacked, and cannot perform effective early warning on a security attack event. In the embodiment, before the security attack event attacks the security vulnerability, when the security attack event is identified at the security vulnerability of the Web container loading probe, the security early warning information of the security attack vulnerability is output and sent to a user, and the user is informed of making security protection measures in advance.
It should be noted that, in this embodiment, the security early warning system is a multidimensional security early warning system that supports multiple early warning modes: it sends security vulnerability early warning information to the user's website through the HTTP early warning sending system, to the user's mailbox through the mail early warning system, to the user's DingTalk through the DingTalk integration early warning system, and to the user's log through the log vulnerability early warning system.
In an optional implementation manner of this embodiment, before the step of outputting the attack early warning information associated with the security vulnerability, the method further includes: acquiring early warning configuration information related to user service requirements; judging whether the security loophole meets the service requirement of the user or not according to the early warning configuration information; and when the security vulnerability does not meet the service requirement of the user, executing a step of outputting attack early warning information associated with the security vulnerability.
Specifically, in practical application, existing Web application security protection can only protect against security attacks according to a preset program. In this embodiment, before attack early warning information is output for a security vulnerability of the user, early warning configuration information related to the user's service requirements is acquired in advance, and whether the detected security vulnerability meets the user's service requirements is judged from that configuration information. If the security vulnerability does not meet the user's service requirements, the attack early warning information is sent to the user; if it does meet them, the user is taken to have accepted the existence of the security vulnerability by default, the security early warning information does not need to be sent, and the degree of early warning for security attacks can thus be flexibly controlled.
In an optional implementation manner of this embodiment, before the step of outputting the attack early warning information associated with the security vulnerability, the method further includes: querying the national information security vulnerability databases CVE and CNNVD; acquiring, according to the security vulnerability, a solution for repairing it from the CVE and CNNVD databases; and adding the solution to the attack early warning information.
Specifically, in this embodiment, when a security vulnerability corresponding to a security attack event exists in an application of a user, the detailed information of the security vulnerability is determined by querying the CVE and the CNNVD of the national information security vulnerability library, a solution provided by the CVE and the CNNVD of the national information security vulnerability library for the security vulnerability is obtained, the solution is added to the attack early warning information to be generated, and after the user receives the attack early warning information, the security vulnerability can be patched before the security attack event, so that the security of the protected application of the user is improved.
In an optional implementation manner of this embodiment, after the step of outputting the attack early warning information associated with the security vulnerability, the method further includes: acquiring second event information of the security attack event in the transmission stage of the security attack event from the attack early warning information; executing a blocking strategy corresponding to the security attack event according to the second event information; and/or, fixing the security vulnerability according to the solution of the security vulnerability.
Specifically, in this embodiment, the second event information includes detailed information of key stages, such as a source, propagation, and output of a security attack, after the user receives the attack early warning information, the second event information of the security attack event is obtained from the attack early warning information, the attack event is blocked and intercepted through a series of blocking strategies in a transmission process of the attack event according to the second event information, and/or the user can also perform security vulnerability repair through a security vulnerability solution.
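The following is an added example, not the patent's or its assignees' code, covering step 104 together with the three optional refinements above: checking the early warning configuration information before output, attaching a repair solution, dispatching over several early warning channels, and choosing a blocking strategy from the second event information (source, propagation, output). The configuration, the advisory table standing in for a CVE/CNNVD query, the channel names and the two sample warnings are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class AttackWarning:
    """Attack early warning information for one identified security vulnerability."""
    vulnerability_type: str
    function: str                 # the key function at which the event was identified
    source: str                   # second event information: where the attack entered
    propagation: List[str]        # ... the stages it passes through in transmission
    output: str                   # ... where it would take effect
    solution: Optional[str] = None


# Constructed early warning configuration information: the user has declared some
# vulnerability types acceptable for their business logic and chosen channels.
USER_CONFIG = {
    "accepted_vulnerabilities": {"open_redirect"},
    "channels": ["http", "mail", "dingtalk", "log"],
}

# Constructed stand-in for the CVE / CNNVD lookup; a deployment would query the
# real databases and take the remediation text from the advisory found there.
ADVISORY_DB = {
    "path_traversal": "Canonicalise the path and reject anything outside the allowed base directory.",
    "sql_injection": "Use parameterised queries; never concatenate user input into SQL.",
}


def meets_service_requirement(warning: AttackWarning, config: dict) -> bool:
    """True when the configuration says the user accepts this vulnerability type,
    in which case no early warning is sent."""
    return warning.vulnerability_type in config["accepted_vulnerabilities"]


def add_solution(warning: AttackWarning, db: Dict[str, str]) -> AttackWarning:
    """Attach the repair solution for the vulnerability when the database has one."""
    warning.solution = db.get(warning.vulnerability_type)
    return warning


def dispatch(warning: AttackWarning, config: dict) -> Dict[str, str]:
    """Multidimensional early warning: the same message on every configured channel."""
    text = (f"[{warning.vulnerability_type}] attack identified at {warning.function}; "
            f"source={warning.source}; solution={warning.solution or 'none on file'}")
    return {channel: text for channel in config["channels"]}


def blocking_strategy(warning: AttackWarning) -> Dict[str, str]:
    """Choose where to block from the second event information: cut the attack at the
    first propagation stage so the payload never reaches the output stage."""
    stage = warning.propagation[0] if warning.propagation else warning.output
    return {"action": "block", "stage": stage, "protect": warning.output}


def process(warning: AttackWarning, config: dict = USER_CONFIG,
            db: Dict[str, str] = ADVISORY_DB) -> Optional[dict]:
    """Step 104 with its optional refinements; returns None when the user's
    configuration accepts the vulnerability and nothing is sent."""
    if meets_service_requirement(warning, config):
        return None
    add_solution(warning, db)
    return {"messages": dispatch(warning, config),
            "block": blocking_strategy(warning),
            "solution": warning.solution}


def run_demo() -> List[Optional[dict]]:
    """Two constructed warnings: one that is reported, one the user has accepted."""
    traversal = AttackWarning("path_traversal", "read_user_file",
                              source="http_parameter:filename",
                              propagation=["request_parser", "controller", "file_service"],
                              output="filesystem_read")
    accepted = AttackWarning("open_redirect", "redirect_to",
                             source="http_parameter:next", propagation=[],
                             output="http_response")
    return [process(traversal), process(accepted)]


if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

Keeping the configuration check before the solution lookup and dispatch means an accepted vulnerability costs no database query and produces no message, which is the behaviour the patent describes for vulnerabilities that meet the user's service requirements.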
Based on the scheme of the embodiment of the application, in the input stage of the security attack event, the first event information of the security attack event is detected in real time by a Web container loading probe; generating corresponding initial early warning information according to the first event information; identifying security vulnerabilities existing in protected applications according to the initial early warning information; and in the transmission stage of the security attack event, if the security attack event is identified at the security vulnerability, outputting attack early warning information related to the security vulnerability. Through the implementation of the scheme, when the protected application is attacked, initial early warning information is generated in the early warning system, the security vulnerability attacked by the security attack event in the application is identified according to the initial early warning information, when the security attack event is identified at the security vulnerability, the early warning information is sent to a user, the security attack is early warned in real time, and the security of the Web application is comprehensively and timely protected.
The method in fig. 2 is a refined safety precaution method provided in a second embodiment of the present application, and the safety precaution method includes:
step 201, in the input stage of the security attack event, a Web container loading probe is used to detect the first event information of the security attack event in real time.
Step 202, generating corresponding initial early warning information according to the first event information.
And step 203, identifying security vulnerabilities existing in the protected application according to the initial early warning information.
And step 204, inquiring the CVE and the CNNVD of the national information security vulnerability library according to the identified security vulnerability.
Step 205, in the transmission phase of the security attack event, if the security attack event is identified at the security vulnerability, generating attack early warning information associated with the security vulnerability.
And step 206, obtaining a solution for repairing the security vulnerabilities in the national information security vulnerability database CVE and the CNNVD, and adding the solution to the attack early warning information.
Specifically, in this embodiment, when a security vulnerability corresponding to a security attack event exists in an application of a user, the detailed information of the security vulnerability is determined by querying the CVE and the CNNVD of the national information security vulnerability library, a solution provided by the CVE and the CNNVD of the national information security vulnerability library for the security vulnerability is obtained, the solution is added to the attack early warning information, and after the user receives the attack early warning information, the security vulnerability can be patched before the security attack event, so that the security of application security protection of the user is improved.
And step 207, outputting attack early warning information related to the security vulnerability.
Step 208, acquiring second event information of the security attack event in the transmission phase of the security attack event from the attack early warning information.
Step 209, executing a blocking strategy corresponding to the security attack event according to the second event information; and/or, fixing the security vulnerability according to the solution of the security vulnerability.
Specifically, in this embodiment, the second event information includes detailed information of key stages such as a source, propagation, and output of the security attack, and after the user receives the attack early warning information, the second event information of the security attack event is obtained from the attack early warning information, and the attack event is blocked and intercepted through a series of blocking strategies in a transmission process of the attack event according to the second event information, so that accuracy of blocking the security attack is improved, and the application of the user is safer.
It should be understood that the numbering of the steps in this embodiment does not imply an execution order; the execution order of each step should be determined by its function and inherent logic, and does not limit the implementation of the embodiments of the present application.
According to the method provided by the scheme of the application, in the input stage of the security attack event, the first event information of the security attack event is detected in real time by a Web container loading probe; generating corresponding initial early warning information according to the first event information; identifying security vulnerabilities existing in protected applications according to the initial early warning information; querying a national information security vulnerability library CVE and a CNNVD according to the identified security vulnerability; in the transmission stage of the security attack event, if the security attack event is identified at the security vulnerability, generating attack early warning information related to the security vulnerability; acquiring a solution for repairing security vulnerabilities in a national information security vulnerability library CVE and a CNNVD, and adding the solution to attack early warning information; outputting attack early warning information associated with the security vulnerability; acquiring second event information of the security attack event in the transmission stage of the security attack event from the attack early warning information; executing a blocking strategy corresponding to the security attack event according to the second event information; and/or, fixing the security vulnerability according to the solution of the security vulnerability. 
Through the application of the scheme, when the security vulnerability attacked by the security attack event exists in the protected application, the solution for repairing the security vulnerability is obtained by inquiring the national information security vulnerability library CVE and the CNNVD according to the identified security vulnerability and is added to the attack early warning information, after the attack early warning information is sent to the user, the blocking strategy is executed on the security attack event according to the second event information obtained from the attack early warning information, and/or the security vulnerability is repaired according to the solution for the security vulnerability, so that the security of the protected application of the user is improved.
Fig. 3 is a safety precaution device according to a third embodiment of the present application. The safety early warning device can be used for realizing the safety early warning method in the embodiment. As shown in fig. 3, the safety precaution device mainly includes:
the detection module 301 is configured to detect first event information of a security attack event in real time through a Web container loading probe at an input stage of the security attack event;
a generating module 302, configured to generate corresponding initial warning information according to the first event information;
the identification module 303 is configured to identify a security vulnerability existing in the protected application according to the initial early warning information;
and the output module 304 is configured to, in a transmission phase of the security attack event, output attack early warning information associated with the security vulnerability if the security attack event is identified at the security vulnerability.
In an optional implementation manner of this embodiment, the detection module is specifically configured to: inserting a Web container loading probe into a key class and a function of a protected application; and detecting first event information of the security attack event according to an interceptor of the Web container loading probe.
In an optional implementation manner of this embodiment, the generating module is specifically configured to: determining vulnerability attack characteristics of a security attack event based on the first event information; and generating corresponding initial early warning information according to the vulnerability attack characteristics.
Further, in an optional implementation manner of this embodiment, the identification module is specifically configured to: matching vulnerability attack characteristics corresponding to the initial early warning information with a preset vulnerability attack characteristic library; and determining the vulnerability type corresponding to the matched preset vulnerability attack characteristics as the vulnerability type of the security vulnerability existing in the protected application.
In an optional implementation manner of this embodiment, the safety precaution device further includes: the device comprises an acquisition module and a judgment module. The acquisition module is specifically configured to: early warning configuration information associated with user service requirements is obtained. The judgment module is used for: and judging whether the security loophole meets the service requirement of the user or not according to the early warning configuration information. The output module is further configured to: and when the security vulnerability does not meet the service requirement of the user, executing a step of outputting attack early warning information associated with the security vulnerability.
In an optional implementation manner of this embodiment, the safety precaution device further includes: the device comprises a query module and an adding module. The query module is used for: and querying the cave libraries CVE and CNNVD. The acquisition module is further configured to: and according to the security loopholes, obtaining a solution for repairing the security loopholes in the CVE and the CNNVD of the cave library. The adding module is used for: adding a solution to the attack warning information.
In an optional implementation manner of this embodiment, the early warning apparatus further includes: the device comprises an execution module and a repair module. The acquisition module is further configured to: and acquiring second event information of the security attack event in the transmission phase of the security attack event from the attack early warning information. The execution module is used for: and executing a blocking strategy corresponding to the security attack event according to the second event information. The repair module is used for: and/or fixing the security vulnerability according to the security vulnerability solution.
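The modules above describe one pipeline: the probe's interceptor at the input stage, feature matching to produce the initial warning and the vulnerability type, filtering by the early warning configuration, attaching a repair solution, and blocking at the transmission stage. The following is an added example, not code from the patent or from the applicant's product: a Python model of that pipeline. The patent's probe is loaded into a Web container and hooks key Java classes and functions; here the key functions are two toy sinks wrapped by a decorator, and the feature library, the early warning configuration and the CVE/CNNVD solution table are constructed inline rather than fetched.

```python
"""Added example: a Python model of the security early warning flow of
CN114499961A. Not code from the patent or its applicant. The real probe is
loaded into a Web container and hooks key classes/functions of a Java web
application; here the hook is a decorator around two toy sink functions.
The feature library, early warning configuration and CVE/CNNVD solution
table are all constructed for this example."""
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Preset vulnerability attack feature library (constructed): one regex over
# request input per vulnerability type.
FEATURE_LIBRARY = {
    "SQL injection": re.compile(r"(?i)(\bor\b\s+\d+\s*=\s*\d+|union\s+select|--|;\s*drop\b)"),
    "Command injection": re.compile(r"(?i)(;|\|\||&&|\$\(|`)\s*[a-z]"),
    "Path traversal": re.compile(r"(\.\./|\.\.\\)"),
}

# Stand-in for the CVE / CNNVD lookup of a repair solution (constructed).
SOLUTIONS = {
    "SQL injection": "use parameterised queries; never concatenate input into SQL",
    "Command injection": "drop the shell; pass an argv list and allow-list arguments",
    "Path traversal": "canonicalise the path and confirm it stays under the base directory",
}


@dataclass
class EarlyWarning:
    stage: str                      # "input" = initial warning, "transmission" = attack warning
    vuln_type: str
    evidence: str
    sink: Optional[str] = None      # key function at which the attack was identified
    solution: Optional[str] = None  # attached only to transmission-stage warnings
    blocked: bool = False


class Probe:
    """Models the Web container loading probe and its interceptor."""

    def __init__(self, config: dict):
        # Early warning configuration (constructed): vulnerability types that
        # the user's service requirement accepts are not reported as attacks.
        self.config = config
        self.warnings: list[EarlyWarning] = []
        self.tainted: dict[str, str] = {}   # request value -> vulnerability type

    def on_request(self, params: dict) -> None:
        """Input stage: match each request parameter against the feature
        library and generate an initial warning per match."""
        for name, value in params.items():
            for vuln_type, pattern in FEATURE_LIBRARY.items():
                m = pattern.search(value)
                if m:
                    self.warnings.append(EarlyWarning(
                        "input", vuln_type, f"{name}={value!r} matched {m.group(0)!r}"))
                    self.tainted[value] = vuln_type   # last matching type wins

    def hook(self, sink: str, vuln_type: str, block: bool = False):
        """Transmission stage: wrap a key function; if a tainted request value
        reaches it, output the attack warning and optionally block."""
        def decorator(fn: Callable[[str], str]):
            def wrapper(arg: str) -> str:
                for value, initial_type in self.tainted.items():
                    if value not in arg or initial_type != vuln_type:
                        continue
                    if vuln_type in self.config["accepted"]:
                        continue  # meets the user service requirement: no output
                    self.warnings.append(EarlyWarning(
                        "transmission", vuln_type, arg, sink=sink,
                        solution=SOLUTIONS[vuln_type], blocked=block))
                    if block:   # blocking strategy for this attack event
                        raise PermissionError(f"blocked {vuln_type} at {sink}")
                return fn(arg)
            return wrapper
        return decorator


def simulate(params: dict, config: Optional[dict] = None):
    """Run one request through a toy application whose two key functions
    carry the probe. Returns (warnings, sink results)."""
    probe = Probe(config or {"accepted": set()})

    @probe.hook("db.execute", "SQL injection", block=True)
    def execute_sql(query: str) -> str:
        return f"rows for {query}"

    @probe.hook("os.system", "Command injection", block=False)
    def run_cmd(cmd: str) -> str:
        return f"ran {cmd}"

    probe.on_request(params)
    results = {}
    try:
        results["sql"] = execute_sql(
            "SELECT * FROM users WHERE name='" + params.get("user", "") + "'")
    except PermissionError as e:
        results["sql"] = str(e)
    results["cmd"] = run_cmd("ping -c 1 " + params.get("host", ""))
    return probe.warnings, results


if __name__ == "__main__":
    warnings, _ = simulate({"user": "admin' OR 1=1 --", "host": "127.0.0.1"})
    for w in warnings:
        print(w)
```

The two-stage split is the point of the patent's design: the input-stage match alone yields only an initial warning, while the attack warning (with the attached solution, and the block if the policy says so) is emitted only when the matched value actually reaches the key function of the same vulnerability type. A value that matches a feature but never reaches a sink, or whose vulnerability type the configuration accepts, produces no attack warning.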
It should be noted that the security early warning methods of the first and second embodiments can be implemented on the basis of the security early warning device provided in this embodiment. Those skilled in the art will understand that, for brevity, the specific working process of the security early warning device described here corresponds to the process described in the foregoing method embodiments and is not repeated.
With the device provided by the present application, the first event information of a security attack event is detected in real time through the Web container loading probe at the input stage of the event; corresponding initial early warning information is generated from the first event information; the security vulnerability existing in the protected application is identified from the initial early warning information; and, in the transmission stage of the security attack event, attack early warning information associated with the security vulnerability is output if the security attack event is identified at that vulnerability. In this way, when the protected application is attacked, the early warning system first generates initial early warning information, identifies from it the security vulnerability targeted by the attack, and, once the attack is identified at that vulnerability, sends the early warning information to the user. The security attack is thus warned of in real time and the Web application is protected comprehensively and promptly.
Fig. 4 shows an electronic device according to the fourth embodiment of the present application. The electronic device can be used to implement the security early warning method of the foregoing embodiments. As shown in Fig. 4, the electronic device mainly includes:
a memory 401, a processor 402, a bus 403, and a computer program stored in the memory 401 and executable on the processor 402, the memory 401 and the processor 402 being connected through the bus 403. When the processor 402 executes the computer program, it implements the security early warning method of the foregoing embodiments. There may be one or more processors.
The memory 401 may be a high-speed random access memory (RAM) or a non-volatile memory, such as disk storage. The memory 401 stores the executable program code, and the processor 402 is coupled to the memory 401.
Further, an embodiment of the present application also provides a computer-readable storage medium. The computer-readable storage medium may be provided in the electronic device of the foregoing embodiment, and may be the memory of the embodiment shown in Fig. 4.
The computer-readable storage medium stores a computer program which, when executed by a processor, implements the security early warning method of the foregoing embodiments. The computer-readable storage medium may be any medium capable of storing program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a RAM, a magnetic disk or an optical disk.
In the several embodiments provided in the present application, it should be understood that the disclosed device and method may be implemented in other ways. For example, the device embodiments described above are merely illustrative: the division into modules is only a division of logical functions, and an actual implementation may divide them differently, combine or integrate several modules or components into another system, or omit or skip some features. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or modules, and may be electrical, mechanical or of another form.
Modules described as separate parts may or may not be physically separate, and parts shown as modules may or may not be physical modules; they may be located in one place or distributed over a plurality of network nodes. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional modules in the embodiments of the present application may be integrated into one processing module, may each exist alone physically, or two or more of them may be integrated into one module. The integrated module may be implemented in hardware or as a software functional module.
If the integrated module is implemented as a software functional module and sold or used as a separate product, it may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present application, in essence or in the part that contributes over the prior art, or the whole or part of the technical solution, may be embodied in a software product stored in a readable storage medium and including instructions that cause a computer device (which may be a personal computer, a server or a network device) to execute all or part of the steps of the method of the embodiments of the present application. The readable storage medium includes any medium capable of storing program code, such as a USB flash drive, a removable hard disk, a ROM, a RAM, a magnetic disk or an optical disk.
It should be noted that, for simplicity, the method embodiments above are described as a series of combined acts, but those skilled in the art will understand that the present application is not limited to the order of acts described, since some steps may be performed in another order or simultaneously. Those skilled in the art will also understand that the embodiments described in the specification are preferred embodiments, and that the acts and modules involved are not all necessarily required by the present application.
In the embodiments above, each embodiment has its own emphasis; for parts not described in detail in one embodiment, reference may be made to the related descriptions of the other embodiments.
The security early warning method, device and computer-readable storage medium provided by the present application have been described above. Those skilled in the art may vary the specific embodiments and the scope of application in accordance with the idea of the embodiments of the present application; accordingly, the content of this specification should not be construed as limiting the present application.

Claims (10)

1. A security early warning method, comprising:
at the input stage of a security attack event, detecting first event information of the security attack event in real time through a Web container loading probe;
generating corresponding initial early warning information according to the first event information;
identifying a security vulnerability existing in a protected application according to the initial early warning information;
and, in the transmission stage of the security attack event, outputting attack early warning information associated with the security vulnerability if the security attack event is identified at the security vulnerability.
2. The security early warning method according to claim 1, wherein the step of detecting the first event information of the security attack event in real time through the Web container loading probe comprises:
inserting the Web container loading probe into the key classes and functions of the protected application;
and detecting the first event information of the security attack event through the interceptor of the Web container loading probe.
3. The security early warning method according to claim 1, wherein the step of generating corresponding initial early warning information according to the first event information comprises:
determining vulnerability attack characteristics of the security attack event based on the first event information;
and generating the corresponding initial early warning information according to the vulnerability attack characteristics.
4. The security early warning method according to claim 3, wherein the step of identifying the security vulnerability existing in the protected application according to the initial early warning information comprises:
matching the vulnerability attack characteristics corresponding to the initial early warning information against a preset vulnerability attack characteristic library;
and determining the vulnerability type corresponding to the matched preset vulnerability attack characteristic as the vulnerability type of the security vulnerability existing in the protected application.
5. The security early warning method according to claim 1, wherein, before the step of outputting attack early warning information associated with the security vulnerability, the method further comprises:
acquiring early warning configuration information associated with the user's service requirements;
judging, according to the early warning configuration information, whether the security vulnerability meets the user's service requirements;
and, when the security vulnerability does not meet the user's service requirements, executing the step of outputting attack early warning information associated with the security vulnerability.
6. The security early warning method according to claim 1, wherein, before the step of outputting attack early warning information associated with the security vulnerability, the method further comprises:
querying the vulnerability databases CVE and CNNVD (the China National Vulnerability Database of Information Security) according to the security vulnerability;
acquiring, from CVE and CNNVD, a solution for repairing the security vulnerability;
and adding the solution to the attack early warning information.
7. The security early warning method according to claim 6, wherein, after the step of outputting attack early warning information associated with the security vulnerability, the method further comprises:
acquiring, from the attack early warning information, second event information of the security attack event in the transmission stage of the security attack event;
executing a blocking strategy corresponding to the security attack event according to the second event information;
and/or repairing the security vulnerability according to the solution for the security vulnerability.
8. A security early warning device, comprising:
a detection module, configured to detect, in real time and at the input stage of a security attack event, first event information of the security attack event through a Web container loading probe;
a generating module, configured to generate corresponding initial early warning information according to the first event information;
an identification module, configured to identify a security vulnerability existing in a protected application according to the initial early warning information;
and an output module, configured to output, in the transmission stage of the security attack event, attack early warning information associated with the security vulnerability if the security attack event is identified at the security vulnerability.
9. An electronic device, comprising a memory, a processor and a bus, wherein the bus connects the memory and the processor and carries their communication, and the processor is configured to execute a computer program stored in the memory and, when executing the computer program, implements the steps of the method according to any one of claims 1 to 7.
10. A computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the method according to any one of claims 1 to 7.
CN202111602819.1A 2021-12-24 2021-12-24 Safety early warning method and device and computer readable storage medium Pending CN114499961A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111602819.1A CN114499961A (en) 2021-12-24 2021-12-24 Safety early warning method and device and computer readable storage medium


Publications (1)

Publication Number Publication Date
CN114499961A true CN114499961A (en) 2022-05-13

Family

ID=81496096

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111602819.1A Pending CN114499961A (en) 2021-12-24 2021-12-24 Safety early warning method and device and computer readable storage medium

Country Status (1)

Country Link
CN (1) CN114499961A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115134121A (en) * 2022-05-30 2022-09-30 深圳开源互联网安全技术有限公司 RASP-based third-party library security attack protection method and related device

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8881282B1 (en) * 2004-04-01 2014-11-04 Fireeye, Inc. Systems and methods for malware attack detection and identification
CN110266669A (en) * 2019-06-06 2019-09-20 武汉大学 Method and system for generic detection and localisation of Java Web framework vulnerability attacks
CN111131168A (en) * 2019-11-30 2020-05-08 中国电信股份有限公司云南分公司 Self-adaptive protection method based on Web application
CN111147504A (en) * 2019-12-26 2020-05-12 深信服科技股份有限公司 Threat detection method, apparatus, device and storage medium
US20200404007A1 (en) * 2019-04-09 2020-12-24 Prismo Systems Inc. Systems and Methods for Detecting Injection Exploits
CN113761519A (en) * 2021-08-19 2021-12-07 深圳开源互联网安全技术有限公司 Detection method and device for Web application program and storage medium



Similar Documents

Publication Publication Date Title
KR102210627B1 (en) Method, apparatus and system for detecting malicious process behavior
CN107659583B (en) Method and system for detecting attack in fact
CN109302426B (en) Unknown vulnerability attack detection method, device, equipment and storage medium
CN102037471B (en) Centralized scanner database with optimal definition distribution using network queries
JP6104149B2 (en) Log analysis apparatus, log analysis method, and log analysis program
WO2019153857A1 (en) Asset protection method and apparatus for digital wallet, electronic device, and storage medium
CN107302586B (en) Webshell detection method and device, computer device and readable storage medium
US20210160273A1 (en) Method for calculating risk for industrial control system and apparatus using the same
CN109155774A (en) System and method for detecting security threat
CN101978376A (en) Method and system for protection against information stealing software
CN102945348A (en) Method and device for collecting file information
US20170155683A1 (en) Remedial action for release of threat data
CN102945349A (en) Method and device for processing unknown files
JP7005936B2 (en) Evaluation program, evaluation method and information processing equipment
EP3531324B1 (en) Identification process for suspicious activity patterns based on ancestry relationship
CN102546641A (en) Method and system for carrying out accurate risk detection in application security system
CN109450929A A security detection method and device
CN114003904B (en) Information sharing method, device, computer equipment and storage medium
CN112153062A (en) Multi-dimension-based suspicious terminal equipment detection method and system
CN114499961A (en) Safety early warning method and device and computer readable storage medium
JP6407184B2 (en) Attack countermeasure determination system, attack countermeasure determination method, and attack countermeasure determination program
CN111542811B (en) Enhanced network security monitoring
CN114826662A (en) User-defined rule protection method, device, equipment and readable storage medium
CN116055130A (en) RASP-based SIEM log management method, device, equipment and medium
CN108256327B (en) File detection method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination