CN115296932B - Method and device for detecting WAF interception effectiveness and storage medium - Google Patents

Method and device for detecting WAF interception effectiveness and storage medium Download PDF

Info

Publication number
CN115296932B
CN115296932B CN202211210830.8A CN202211210830A CN115296932B CN 115296932 B CN115296932 B CN 115296932B CN 202211210830 A CN202211210830 A CN 202211210830A CN 115296932 B CN115296932 B CN 115296932B
Authority
CN
China
Prior art keywords
response result
attack
request
intercepted
attack request
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202211210830.8A
Other languages
Chinese (zh)
Other versions
CN115296932A (en
Inventor
聂君
宫华
孟繁强
张践鳌
姚逸
张游知
石天浩
吴佳波
陈瑜
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Zhiqi'an Technology Co ltd
Original Assignee
Beijing Zhiqi'an Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Zhiqi'an Technology Co ltd filed Critical Beijing Zhiqi'an Technology Co ltd
Priority to CN202211210830.8A priority Critical patent/CN115296932B/en
Publication of CN115296932A publication Critical patent/CN115296932A/en
Application granted granted Critical
Publication of CN115296932B publication Critical patent/CN115296932B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433Vulnerability analysis

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to the technical field of information security, in particular to a method and a device for detecting WAF interception effectiveness and a storage medium, and aims to solve the problem of low efficiency in manual detection of the interception effectiveness. The method for detecting the WAF interception effectiveness comprises the following steps: adding an attack load into the original request to generate a corresponding attack request; sending an original request to a target server and receiving a first response result; sending an attack request to a target server and receiving a second response result; if the first response result is received and the second response result is not received, judging whether the attack request is intercepted according to the state of the TCP connection initiating the attack; and if the first response result and the second response result are received, judging whether the attack request is intercepted according to the contents of the first response result and the second response result. The invention provides a simple and efficient automatic testing method, which effectively reduces the labor cost and greatly improves the detection efficiency.

Description

Method and device for detecting WAF interception effectiveness and storage medium
Technical Field
The invention relates to the technical field of information security, in particular to a method and a device for detecting WAF interception effectiveness and a storage medium.
Background
A Web Application Firewall (WAF) is a product that provides protection specifically for a Web Application server by implementing a series of security policies for HTTP/HTTPs.
In the related art, the software may detect the survival status of the WAF device, so as to determine whether the WAF is started, but cannot determine the effectiveness of WAF interception. To know whether the attack request is intercepted, the response information of the WAF under attack needs to be manually checked to judge.
The inventor believes that manually checking the effectiveness of WAF interception is labor intensive and inefficient.
Disclosure of Invention
In order to solve the problems in the prior art, the invention provides a method and a device for detecting WAF interception effectiveness and a storage medium, which reduce the labor cost and improve the detection efficiency.
In a first aspect of the present invention, a method for detecting validity of WAF interception is provided, where the method includes:
adding an attack load into the original request to generate a corresponding attack request;
sending the original request to a target server and receiving a first response result; the target server is a Web server protected by the WAF;
sending the attack request to the target server and receiving a second response result;
and judging whether the attack request is intercepted or not according to the first response result and the second response result.
Preferably, the determining whether the attack request is intercepted according to the first response result and the second response result includes:
if the first response result is received and the second response result is not received, judging whether the attack request is intercepted according to the state of the TCP connection initiating the attack;
and if the first response result and the second response result are both received, judging whether the attack request is intercepted according to the contents of the first response result and the second response result.
Preferably, the determining whether the attack request has been intercepted according to the state of the TCP connection initiating the attack includes:
if the TCP connection which initiates the attack is in error, determining that the attack request is intercepted;
otherwise, judging whether the TCP connection initiating the attack is overtime;
if yes, determining that the attack request is intercepted;
otherwise, determining that the attack request is suspected to be intercepted.
Preferably, the determining whether the attack request has been intercepted according to the content of the first response result and the second response result includes:
judging whether the state code in the first response result is the same as the state code in the second response result;
if yes, judging whether the attack request is intercepted or not according to the content similarity of the first response result and the second response result;
otherwise, determining that the attack request is intercepted.
Preferably, the determining whether the attack request has been intercepted according to the content similarity between the first response result and the second response result includes:
calculating the content similarity of the first response result and the second response result by using a fuzzy hash algorithm;
if the content similarity is smaller than or equal to a preset threshold value, determining that the attack request is intercepted; otherwise, determining that the attack request is not intercepted.
Preferably, the original request and the corresponding attack request are both multiple;
the method further comprises the following steps:
and recording the attack type and/or vulnerability corresponding to the attack load and a judgment result of whether the attack request is intercepted or not.
In a second aspect of the present invention, an apparatus for detecting validity of WAF interception is provided, where the apparatus includes:
the attack request generating unit is used for adding an attack load into the original request to generate a corresponding attack request;
the original request sending and receiving unit is used for sending the original request to a target server and receiving a first response result; the target server is a Web server protected by the WAF;
the attack request sending and receiving unit is used for sending the attack request to the target server and receiving a second response result;
and the judging unit is used for judging whether the attack request is intercepted according to the first response result and the second response result.
Preferably, the determining unit is specifically configured to:
if the first response result is received and the second response result is not received, judging whether the attack request is intercepted according to a TCP connection state;
and if the first response result and the second response result are both received, judging whether the attack request is intercepted according to the contents of the first response result and the second response result.
Preferably, the original request and the corresponding attack request are both multiple;
the device further comprises:
and the recording unit is used for recording the attack type and/or the vulnerability corresponding to the attack load and the judgment result of whether the attack request is intercepted or not.
In a third aspect of the invention, a computer-readable storage medium is proposed, storing a computer program that can be loaded by a processor and which performs the method as described above.
The invention has the following beneficial effects:
the method for detecting the WAF interception effectiveness provided by the invention comprises the steps of firstly adding an attack load into a normal original request to generate a corresponding attack request; then, respectively sending an original request and an attack request to a target server, and receiving a corresponding first response result and a corresponding second response result; and finally, judging whether the attack request is intercepted or not according to the first response result and the second response result. If the first response result is received and the second response result is not received, judging whether the attack request is intercepted according to the state of the TCP connection initiating the attack; and if the first response result and the second response result are received, judging whether the attack request is intercepted according to the contents of the first response result and the second response result. The invention provides a simple and efficient automatic testing method, which effectively reduces the labor cost and greatly improves the detection efficiency.
Drawings
FIG. 1 is a schematic diagram of the main steps of a first embodiment of the method for detecting the effectiveness of WAF interception according to the present invention;
FIG. 2 is a schematic diagram of the main steps of a second embodiment of the method for detecting the effectiveness of WAF interception according to the present invention;
FIG. 3 is a schematic diagram of the main steps of a third embodiment of the method for detecting the effectiveness of WAF interception according to the present invention;
fig. 4 is a schematic diagram of the main components of an embodiment of the apparatus for detecting the validity of WAF interception according to the present invention.
Detailed Description
Preferred embodiments of the present invention are described below with reference to the accompanying drawings. It should be understood by those skilled in the art that these embodiments are only for explaining the technical principle of the present invention, and are not intended to limit the scope of the present invention.
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some embodiments of the present invention, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the terms "first" and "second" in the description of the present invention are used for convenience of description only and do not indicate or imply relative importance of the devices, elements or parameters, and therefore should not be construed as limiting the present invention. In addition, the term "and/or" in the present invention is only one kind of association relationship describing the associated object, and means that there may be three kinds of relationships, for example, a and/or B, which may mean: a exists alone, A and B exist simultaneously, and B exists alone. In addition, the character "/" herein generally indicates that the former and latter related objects are in an "or" relationship, unless otherwise specified.
The invention adopts one or more test cases when detecting the interception effectiveness of the WAF. Wherein, each test case comprises: an original request and an attack request generated by adding the original request to the attack load. And sending the two requests to the target server in sequence, and receiving corresponding response results. Then, by comparing the response results of the two requests, the interception validity of the WAF is judged. The target server in the embodiment of the invention is a Web server specially protected by WAF, and under an ideal condition, an original request can normally pass through the WAF and be received by the target server, while an attack request can be intercepted by the WAF.
Fig. 1 is a schematic diagram of main steps of a first method for detecting WAF interception validity according to the present invention. As shown in fig. 1, the detection method of the present embodiment includes steps a10-a40:
step A10, adding an attack load into the original request to generate a corresponding attack request.
Step A20, sending the original request to the target server, and receiving the first response result.
Step A30, sending an attack request to the target server and receiving a second response result.
And step A40, judging whether the attack request is intercepted according to the first response result and the second response result.
In an alternative embodiment, there may be multiple test cases, so that the original request and the corresponding attack request are both multiple. After step a40, step a50 may also be included:
step A50, recording the attack type and/or vulnerability corresponding to the attack load and the judgment result of whether the attack request is intercepted or not.
And recording detection results corresponding to various attacks, and facilitating comprehensive evaluation of the interception effectiveness of the WAF by a user.
Fig. 2 is a schematic diagram of the main steps of a second embodiment of the method for detecting the validity of WAF interception according to the present invention. As shown in fig. 2, the detection method of the present embodiment includes steps B10-B50:
the steps B10 to B30 are the same as the steps a10 to a30 in the first embodiment, and are not described herein again.
And step B40, if the first response result is received and the second response result is not received, judging whether the attack request is intercepted according to the state of the TCP connection initiating the attack.
For example, if an error such as reset, disconnection, etc. of a TCP connection when an attack is initiated is detected or a connection timeout occurs, the attack request may be considered to be intercepted, otherwise, the attack request is considered to be intercepted.
And step B50, if the first response result and the second response result are both received, judging whether the attack request is intercepted according to the contents of the first response result and the second response result.
If the first response result and the second response result are not received, the network failure or the target server failure is indicated, and the original request message may be written with a problem. If the first response result is not received but the second response result is received (which would not theoretically occur), it is also necessary to recheck whether the original request was wrongly written.
Fig. 3 is a schematic diagram of main steps of a third embodiment of a method for detecting WAF interception validity according to the present invention. As shown in fig. 3, the detection method of the present embodiment includes steps C10-C90:
the steps C10 to C30 are the same as the steps a10 to a30 in the first embodiment, and are not described again here.
Step C40, judging whether the first response result is received and the second response result is not received; if yes, go to step C50; otherwise go to step C70.
Step C50, judging whether the TCP connection which initiates the attack is in error; if yes, determining that the attack request is intercepted; otherwise, go to step C60.
When the attack is triggered, if a TCP state error is detected, such as connection RESET (RESET) or connection disconnection (FIN), it is determined as connectioneerror, i.e. a connection error.
Step C60, judging whether the TCP connection initiating the attack is overtime; if yes, determining that the attack request is intercepted; otherwise, determining that the attack request is suspected to be intercepted.
When the attack is triggered, if it is detected that the target server does not return any response data within a preset time, it is determined that the connection timeout is reached, that is, the connection is over time.
Step C70, judging whether the first response result and the second response result are both received; if yes, go to step C80; otherwise, the program is ended, and it is necessary to check whether the test case itself is correct or check whether the network is unobstructed or not.
Step C80, judging whether the state code in the first response result is the same as the state code in the second response result; if yes, go to step C90; otherwise, determining that the attack request is intercepted.
And C90, calculating the content similarity of the first response result and the second response result by using a fuzzy hash algorithm.
If the WAF intercepts the attack request, the content of the second response result is an alarm prompt, so that the content similarity of the WAF and the alarm prompt is low.
Step C100, determining whether the content similarity is less than or equal to a preset threshold (97 in this embodiment); if yes, determining that the attack request is intercepted; otherwise, determining that the attack request is not intercepted.
Although the foregoing embodiments have described the steps in the foregoing sequence, those skilled in the art will understand that, in order to achieve the effect of the present embodiment, different steps are not necessarily performed in such a sequence, and may be performed simultaneously (in parallel) or in an inverse sequence, and these simple variations are within the scope of the present invention.
Based on the same technical concept as the method embodiment, the application also provides an embodiment of the detection device, which is specifically described below.
Fig. 4 is a schematic diagram of the main components of an embodiment of the apparatus for detecting the validity of WAF interception according to the invention. As shown in fig. 4, the detection device of the present invention includes: an attack request generation unit 10, an original request transmission and reception unit 20, an attack request transmission and reception unit 30, and a judgment unit 40.
The attack request generating unit 10 is configured to add an attack load to an original request to generate a corresponding attack request; the original request sending and receiving unit 20 is configured to send an original request to the target server, and receive a first response result; the target server is a Web server protected by WAF; the attack request sending and receiving unit 30 is configured to send an attack request to the target server and receive a second response result; the judging unit is used for judging whether the attack request is intercepted according to the first response result and the second response result.
In this embodiment, the determining unit 40 may be specifically configured to:
if the first response result is received and the second response result is not received, judging whether the attack request is intercepted according to the TCP connection state;
and if the first response result and the second response result are received, judging whether the attack request is intercepted or not according to the contents of the first response result and the second response result.
In an alternative embodiment, the original request and the corresponding attack request are both multiple. The detection device may further comprise a recording unit. The recording unit is used for recording the attack type and/or the vulnerability corresponding to the attack load and the judgment result of whether the attack request is intercepted or not.
Further, the present invention also provides an embodiment of a computer-readable storage medium storing a computer program that can be loaded by a processor and executed to perform the method as described above.
The computer-readable storage medium includes, for example: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
Those of skill in the art will appreciate that the method steps of the examples described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the components and steps of the examples have been described generally in terms of their functionality in the foregoing description for the purpose of clearly illustrating the interchangeability of electronic hardware and software. Whether such functionality is implemented as electronic hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
So far, the technical solution of the present invention has been described in connection with the preferred embodiments shown in the accompanying drawings. However, it is to be understood by those skilled in the art that the scope of the present invention is obviously not limited to these specific embodiments. Equivalent changes or substitutions of related technical features can be made by those skilled in the art without departing from the principle of the invention, and the technical scheme after the changes or substitutions can fall into the protection scope of the invention.

Claims (8)

1. A method for detecting the effectiveness of WAF interception, which is characterized in that the method comprises the following steps:
adding an attack load into the original request to generate a corresponding attack request;
sending the original request to a target server and receiving a first response result; the target server is a Web server protected by the WAF;
sending the attack request to the target server and receiving a second response result;
judging whether the attack request is intercepted or not according to the first response result and the second response result;
wherein the content of the first and second substances,
the determining whether the attack request is intercepted according to the first response result and the second response result includes:
if the first response result is received and the second response result is not received, judging whether the attack request is intercepted according to the state of the TCP connection initiating the attack;
and if the first response result and the second response result are both received, judging whether the attack request is intercepted according to the contents of the first response result and the second response result.
2. The method according to claim 1, wherein the determining whether the attack request has been intercepted according to the state of the TCP connection initiating the attack comprises:
if the TCP connection which initiates the attack is in error, determining that the attack request is intercepted;
otherwise, judging whether the TCP connection initiating the attack is overtime;
if yes, determining that the attack request is intercepted;
otherwise, determining that the attack request is suspected to be intercepted.
3. The method according to claim 1, wherein the determining whether the attack request has been intercepted according to the content of the first response result and the second response result includes:
judging whether the state code in the first response result is the same as the state code in the second response result or not;
if yes, judging whether the attack request is intercepted or not according to the content similarity of the first response result and the second response result;
otherwise, determining that the attack request is intercepted.
4. The method according to claim 3, wherein the determining whether the attack request has been intercepted according to the content similarity between the first response result and the second response result comprises:
calculating the content similarity of the first response result and the second response result by using a fuzzy hash algorithm;
if the content similarity is smaller than or equal to a preset threshold value, determining that the attack request is intercepted; otherwise, determining that the attack request is not intercepted.
5. The method for detecting the validity of WAF interception according to claim 1,
the original requests and the corresponding attack requests are multiple;
the method further comprises the following steps:
and recording the attack type and/or the vulnerability corresponding to the attack load and the judgment result of whether the attack request is intercepted or not.
6. An apparatus for detecting validity of WAF interception, the apparatus comprising:
the attack request generating unit is used for adding an attack load into the original request to generate a corresponding attack request;
the original request sending and receiving unit is used for sending the original request to a target server and receiving a first response result; the target server is a Web server protected by the WAF;
the attack request sending and receiving unit is used for sending the attack request to the target server and receiving a second response result;
the judging unit is used for judging whether the attack request is intercepted or not according to the first response result and the second response result;
wherein the content of the first and second substances,
the judging unit is specifically configured to:
if the first response result is received and the second response result is not received, judging whether the attack request is intercepted or not according to a TCP connection state;
and if the first response result and the second response result are received, judging whether the attack request is intercepted or not according to the contents of the first response result and the second response result.
7. The apparatus for detecting WAF interception validity according to claim 6,
the original requests and the corresponding attack requests are multiple;
the device further comprises:
and the recording unit is used for recording the attack type and/or the vulnerability corresponding to the attack load and the judgment result of whether the attack request is intercepted or not.
8. A computer-readable storage medium, in which a computer program is stored which can be loaded by a processor and which executes the method according to any one of claims 1-5.
CN202211210830.8A 2022-09-30 2022-09-30 Method and device for detecting WAF interception effectiveness and storage medium Active CN115296932B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211210830.8A CN115296932B (en) 2022-09-30 2022-09-30 Method and device for detecting WAF interception effectiveness and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211210830.8A CN115296932B (en) 2022-09-30 2022-09-30 Method and device for detecting WAF interception effectiveness and storage medium

Publications (2)

Publication Number Publication Date
CN115296932A CN115296932A (en) 2022-11-04
CN115296932B true CN115296932B (en) 2023-01-06

Family

ID=83833177

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211210830.8A Active CN115296932B (en) 2022-09-30 2022-09-30 Method and device for detecting WAF interception effectiveness and storage medium

Country Status (1)

Country Link
CN (1) CN115296932B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106161478A (en) * 2016-09-19 2016-11-23 成都知道创宇信息技术有限公司 Accurate attack recognition method based on the change of http response head
CN106341406A (en) * 2016-09-19 2017-01-18 成都知道创宇信息技术有限公司 Accurate attack identification method based on HTTP response entity text HTML DOM tree change
CN107426202A (en) * 2017-07-13 2017-12-01 北京知道未来信息技术有限公司 A kind of method that automatic test WAF intercepts rule
CN109167792A (en) * 2018-09-19 2019-01-08 四川长虹电器股份有限公司 A kind of novel WAF design method based on Nginx
CN111988280A (en) * 2020-07-24 2020-11-24 网宿科技股份有限公司 Server and request processing method

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105391703B (en) * 2015-10-28 2019-02-12 南方电网科学研究院有限责任公司 A kind of WEB application firewall system based on cloud and its safety protecting method
CN106506547B (en) * 2016-12-23 2020-07-10 北京奇虎科技有限公司 Processing method, WAF, router and system for denial of service attack
US11258809B2 (en) * 2018-07-26 2022-02-22 Wallarm, Inc. Targeted attack detection system

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106161478A (en) * 2016-09-19 2016-11-23 成都知道创宇信息技术有限公司 Accurate attack recognition method based on the change of http response head
CN106341406A (en) * 2016-09-19 2017-01-18 成都知道创宇信息技术有限公司 Accurate attack identification method based on HTTP response entity text HTML DOM tree change
CN107426202A (en) * 2017-07-13 2017-12-01 北京知道未来信息技术有限公司 A kind of method that automatic test WAF intercepts rule
CN109167792A (en) * 2018-09-19 2019-01-08 四川长虹电器股份有限公司 A kind of novel WAF design method based on Nginx
CN111988280A (en) * 2020-07-24 2020-11-24 网宿科技股份有限公司 Server and request processing method

Also Published As

Publication number Publication date
CN115296932A (en) 2022-11-04

Similar Documents

Publication Publication Date Title
CN108268354B (en) Data security monitoring method, background server, terminal and system
CN100448203C (en) System and method for identifying and preventing malicious intrusions
CN109617885B (en) Attack and subsidence host automatic judgment method and device, electronic equipment and storage medium
US20160234230A1 (en) System and method for preventing dos attacks utilizing invalid transaction statistics
JP6226990B2 (en) Server-side application assurance against security vulnerabilities
CN107493576B (en) Method and apparatus for determining security information for a wireless access point
CN109922062B (en) Source code leakage monitoring method and related equipment
CN110581827A (en) Detection method and device for brute force cracking
CN115296932B (en) Method and device for detecting WAF interception effectiveness and storage medium
US20210084060A1 (en) Cryptocurrency mining detection using network traffic
CN108282446A (en) Identify the method and apparatus of scanner
CN109040080B (en) File tampering processing method and device, cloud service platform and storage medium
CN115348086B (en) Attack protection method and device, storage medium and electronic equipment
CN114095177B (en) Information security processing method and device, electronic equipment and storage medium
CN113162933B (en) Method, device and equipment for identifying blacking state of vulnerability scanning engine
CN116248381A (en) Alarm aggregation method and device, electronic equipment and storage medium
JP2004030287A (en) Bi-directional network intrusion detection system and bi-directional intrusion detection program
CN105939315A (en) Method and device for protecting against HTTP attack
CN112507270A (en) Website tampering alarm method based on title escape in cloud protection and related device
CN112543177A (en) Network attack detection method and device
US20210073384A1 (en) System and method for generating a representation of a web resource to detect malicious modifications of the web resource
CN112073426A (en) Website scanning detection method, system and equipment in cloud protection environment
CN110968870A (en) Method for detecting safety of software in operation
CN103746861A (en) Service inter-status mutual detection method
CN112434292B (en) Method and equipment for protecting Web cache against virus exposure

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant