CN117040904A - Interception policy generation method, device, equipment and storage medium - Google Patents


Info

Publication number: CN117040904A
Authority: CN (China)
Prior art keywords: log, attack, attack request, suspicious, request list
Legal status: Pending
Application number: CN202311141842.4A
Other languages: Chinese (zh)
Inventor: 陈超
Current assignee: CCB Finetech Co Ltd
Original assignee: CCB Finetech Co Ltd

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/14 Detecting or protecting against malicious traffic > H04L 63/1441 Countermeasures against malicious traffic
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/14 Detecting or protecting against malicious traffic > H04L 63/1408 Detecting or protecting against malicious traffic by monitoring network traffic > H04L 63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/14 Detecting or protecting against malicious traffic > H04L 63/1408 Detecting or protecting against malicious traffic by monitoring network traffic > H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/20 Managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)

Abstract

The disclosure provides a method for generating an interception policy, which can be applied to the technical fields of information security and finance. The method comprises the following steps: invoking a listening interface that an application firewall provides to an enhanced log scanning analysis component, and acquiring a distribution log and an application service log when the number of times the application firewall has intercepted attack requests meets a preset condition; analyzing the distribution log and the application service log according to configuration information to obtain a confirmed attack request list and a suspicious attack request list; and generating an interception policy corresponding to the application firewall according to the confirmed attack request list and the suspicious attack request list. The disclosure also provides a device, equipment, a storage medium and a program product for generating the interception policy.

Description

Interception policy generation method, device, equipment and storage medium
Technical Field
The present disclosure relates to the field of information security technologies and financial technologies, and in particular, to a method, an apparatus, a device, a medium, and a program product for generating an interception policy.
Background
In day-to-day cloud application operation and maintenance work, sudden network attacks or planned attack-and-defense exercises may be encountered over a period of time. For application services deployed on the cloud, most attack requests during a large-scale network attack are intercepted by security products provided by the cloud platform, such as anti-DDoS IP (a means of defending against DDoS, Distributed Denial of Service, attacks) and application firewalls (WAF, Web Application Firewall), but a small number of high-risk attack requests bypass the existing anti-DDoS IP, application firewall and similar protections and are distributed to the application services by the SLB (Server Load Balancing) layer, where they can pose a threat to the application services.
Therefore, how to quickly and accurately identify the high-risk attack requests that penetrate to the application services, and how to customize an interception policy for them, is a technical problem to be solved in the related art.
Disclosure of Invention
In view of the foregoing, the present disclosure provides a method, apparatus, device, medium, and program product for generating an interception policy.
In one aspect of the present disclosure, a method for generating an interception policy is provided, including:
invoking a listening interface that an application firewall provides to an enhanced log scanning analysis component, and acquiring a distribution log and an application service log when the number of times the application firewall has intercepted attack requests meets a preset condition;
analyzing the distribution log and the application service log according to configuration information to obtain a confirmed attack request list and a suspicious attack request list; and
generating an interception policy corresponding to the application firewall according to the confirmed attack request list and the suspicious attack request list.
According to an embodiment of the present disclosure, the configuration information includes attack features and an analysis policy corresponding to each attack feature, and analyzing the distribution log and the application service log according to the configuration information to obtain the confirmed attack request list and the suspicious attack request list includes:
extracting features from each log in the distribution log and the application service log using a log intelligent analysis module in the enhanced log scanning analysis component, to obtain the attack features corresponding to each log;
matching the attack features corresponding to each log against the attack features in the configuration information, to obtain a matching result corresponding to each log; and
dividing the request corresponding to each log into the confirmed attack request list or the suspicious attack request list according to the matching result corresponding to that log.
According to an embodiment of the present disclosure, the matching result includes a matching degree and an analysis policy, and dividing the request corresponding to each log into the confirmed attack request list or the suspicious attack request list according to the matching result includes:
for each log, placing the confirmed attack request, attack feature and analysis policy corresponding to the log in the confirmed attack request list when the matching degree corresponding to the log is greater than or equal to a first threshold; and
placing the suspicious attack request, attack feature and analysis policy corresponding to the log in the suspicious attack request list when the matching degree corresponding to the log is greater than or equal to a second threshold and less than the first threshold.
According to an embodiment of the present disclosure, generating the interception policy corresponding to the application firewall according to the confirmed attack request list and the suspicious attack request list includes:
determining the analysis policy in the confirmed attack request list as a first interception policy corresponding to the application firewall, invoking an interception policy push interface that the application firewall provides to the enhanced log scanning analysis component, and sending the first interception policy to the application firewall so that the application firewall intercepts attack requests using the first interception policy.
According to an embodiment of the present disclosure, the method for generating an interception policy further includes:
invoking a suspicious attack request and policy push interface that the cloud platform provides to the enhanced log scanning analysis component, and sending the suspicious attack request list to the cloud platform, so that, after confirmation and adjustment operations have been performed on each suspicious attack request in the suspicious attack request list and on its corresponding analysis policy, the analysis policy corresponding to each confirmed attack request in the suspicious attack request list is determined as a second interception policy corresponding to the application firewall, and the second interception policy is sent to the application firewall;
where the second interception policy is sent to the application firewall by the cloud platform by invoking an interception policy push interface that the application firewall provides to the cloud platform, so that the application firewall intercepts attack requests using the second interception policy.
According to an embodiment of the present disclosure, the method for generating an interception policy further includes:
invoking a confirmed attack request and interception policy acquisition interface that a big data platform provides to the enhanced log scanning analysis component, to acquire from the big data platform the analysis policy and attack feature corresponding to each confirmed attack request in the suspicious attack request list; and
updating the configuration information with the analysis policy and attack feature corresponding to each confirmed attack request in the suspicious attack request list;
where the analysis policy and attack feature corresponding to each confirmed attack request in the suspicious attack request list are obtained by the big data platform from the cloud platform by invoking a confirmed attack request and interception policy push interface.
According to an embodiment of the present disclosure, the method for generating an interception policy further includes:
slicing and classifying each log before extracting features from it.
Another aspect of the present disclosure provides an interception policy generating apparatus, including an acquisition module, an analysis module and a generation module. The acquisition module invokes the listening interface that the application firewall provides to the enhanced log scanning analysis component, and acquires the distribution log and the application service log when the number of times the application firewall has intercepted attack requests meets the preset condition. The analysis module analyzes the distribution log and the application service log according to the configuration information to obtain a confirmed attack request list and a suspicious attack request list. The generation module generates an interception policy corresponding to the application firewall according to the confirmed attack request list and the suspicious attack request list.
Another aspect of the present disclosure provides an electronic device, comprising: one or more processors; and a memory for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method of generating the interception policy described above.
Another aspect of the present disclosure also provides a computer-readable storage medium having stored thereon executable instructions that, when executed by a processor, cause the processor to perform the method of generating an interception policy as described above.
Another aspect of the present disclosure also provides a computer program product comprising a computer program which, when executed by a processor, implements the method of generating an interception policy as described above.
According to the method, apparatus, device, medium and program product for generating an interception policy, the listening interface that the application firewall provides to the enhanced log scanning analysis component is invoked; when the number of times the application firewall has intercepted attack requests meets the preset condition, the distribution log and the application service log are acquired and analyzed according to the configuration information, so that attack requests that have penetrated the application firewall are identified quickly and accurately and a confirmed attack request list and a suspicious attack request list are obtained. An interception policy corresponding to the application firewall can then be generated from these two lists, which realizes real-time dynamic updating of the application firewall's interception policy, allows a rapid decision and response to the network attack, and safeguards the application services.
Drawings
The foregoing and other objects, features and advantages of the disclosure will be more apparent from the following description of embodiments of the disclosure with reference to the accompanying drawings, in which:
fig. 1 schematically illustrates an application scenario diagram of a method of generating an interception policy according to an embodiment of the present disclosure;
FIG. 2 schematically illustrates a flow chart of a method of generating an interception policy, according to an embodiment of the disclosure;
FIG. 3 schematically illustrates a flow diagram of obtaining a confirmed attack request list and a suspicious attack request list according to an embodiment of the present disclosure;
FIG. 4 schematically illustrates an architecture diagram of an enhanced log scan analysis component according to an embodiment of the present disclosure;
FIG. 5 schematically illustrates a block diagram of a log analysis real-time computing framework in accordance with an embodiment of the present disclosure;
FIG. 6 schematically illustrates a block diagram of a generation method for implementing an interception policy, according to an embodiment of the disclosure;
fig. 7 schematically illustrates a block diagram of a structure of an interception policy generating apparatus according to an embodiment of the present disclosure; and
fig. 8 schematically illustrates a block diagram of an electronic device adapted to implement a method of generating an interception policy according to an embodiment of the disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is only exemplary and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the present disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. In addition, in the following description, descriptions of well-known structures and techniques are omitted so as not to unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and/or the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It should be noted that the terms used herein should be construed to have meanings consistent with the context of the present specification and should not be construed in an idealized or overly formal manner.
Where expressions like "at least one of A, B and C, etc." are used, they should generally be interpreted in accordance with the meaning commonly understood by those skilled in the art (e.g., "a system having at least one of A, B and C" shall include, but not be limited to, a system having A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B and C together, etc.).
In the technical solution of the disclosure, the collection, storage, use, processing, transmission, provision, disclosure and application of the data involved (including but not limited to users' personal information) all comply with the relevant laws and regulations, necessary security measures are taken, and public order and good morals are not violated.
In the course of implementing the disclosure, it was found that in actual cloud security operation and maintenance work, when coping with a large-scale network attack, parameters such as the WAF interception log, the basic performance indicators of the application servers and the request volume are monitored and analyzed with particular attention, the IP (Internet Protocol) network segments of high-frequency high-risk requests are blocked, and the application logs are checked in a targeted manner according to the destination addresses of the intercepted attack requests in order to confirm the security of the application services; however, this process involves a large workload, is time-consuming, and responds slowly to the attack. Therefore, how to quickly and accurately identify the high-risk attack requests that penetrate to the application services, and how to customize an interception policy for them, is a technical problem to be solved in the related art.
To this end, an embodiment of the present disclosure provides a method for generating an interception policy, including: invoking a listening interface that an application firewall provides to an enhanced log scanning analysis component, and acquiring a distribution log and an application service log when the number of times the application firewall has intercepted attack requests meets a preset condition; analyzing the distribution log and the application service log according to configuration information to obtain a confirmed attack request list and a suspicious attack request list; and generating an interception policy corresponding to the application firewall according to the confirmed attack request list and the suspicious attack request list.
Fig. 1 schematically illustrates an application scenario diagram of a method of generating an interception policy according to an embodiment of the present disclosure.
As shown in fig. 1, an application scenario 100 according to this embodiment may include a first terminal device 101, a second terminal device 102, a third terminal device 103, a network 104, and a server 105. The network 104 is a medium used to provide a communication link between the first terminal device 101, the second terminal device 102, the third terminal device 103, and the server 105. The network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others.
The user may interact with the server 105 through the network 104 using at least one of the first terminal device 101, the second terminal device 102, the third terminal device 103, to receive or send messages, etc. Various communication client applications, such as a shopping class application, a web browser application, a search class application, an instant messaging tool, a mailbox client, social platform software, etc. (by way of example only) may be installed on the first terminal device 101, the second terminal device 102, and the third terminal device 103.
The first terminal device 101, the second terminal device 102, the third terminal device 103 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smartphones, tablets, laptop and desktop computers, and the like.
The server 105 may be a server providing various services, such as a background management server (by way of example only) providing support for websites browsed by the user using the first terminal device 101, the second terminal device 102, and the third terminal device 103. The background management server may analyze and process the received data such as the user request, and feed back the processing result (e.g., the web page, information, or data obtained or generated according to the user request) to the terminal device.
For example, the server 105 may invoke the listening interface that the application firewall provides to the enhanced log scanning analysis component, acquire the distribution log and the application service log when the number of times the application firewall has intercepted attack requests meets the preset condition, and analyze the distribution log and the application service log according to the configuration information to obtain a confirmed attack request list and a suspicious attack request list, so as to generate an interception policy corresponding to the application firewall according to the confirmed attack request list and the suspicious attack request list.
It should be noted that, the method for generating the interception policy provided by the embodiment of the disclosure may be generally performed by the server 105. Accordingly, the generation device of the interception policy provided by the embodiments of the present disclosure may be generally disposed in the server 105. The method for generating the interception policy provided by the embodiments of the present disclosure may also be performed by a server or a server cluster that is different from the server 105 and is capable of communicating with the first terminal device 101, the second terminal device 102, the third terminal device 103, and/or the server 105. Accordingly, the generation apparatus of the interception policy provided by the embodiments of the present disclosure may also be provided in a server or a server cluster that is different from the server 105 and is capable of communicating with the first terminal device 101, the second terminal device 102, the third terminal device 103, and/or the server 105.
It should be understood that the number of terminal devices, networks and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
The method of generating the interception policy of the disclosed embodiment will be described in detail with reference to fig. 2 to 6 based on the scenario described in fig. 1.
Fig. 2 schematically illustrates a flowchart of a method of generating an interception policy according to an embodiment of the disclosure.
As shown in fig. 2, the method 200 includes operations S210 to S230.
In operation S210, the listening interface that the application firewall provides to the enhanced log scanning analysis component is invoked, and the distribution log and the application service log are acquired when the number of times the application firewall has intercepted attack requests meets the preset condition.
According to embodiments of the present disclosure, the application firewall may provide a listening interface to the enhanced log scanning analysis component, so that the component listens through this interface for the number of times the application firewall intercepts attack requests within a preset time. When the number of attack requests intercepted by the application firewall within the preset time meets the preset condition, the enhanced log scanning analysis component can be started automatically.
The preset condition may indicate that the number of attack requests intercepted by the application firewall per unit time exceeds an upper threshold. The preset time is a set period, for example 10 minutes or 20 minutes.
According to embodiments of the present disclosure, the enhanced log scanning analysis component may be switched off automatically when the number of attack requests intercepted by the application firewall within the preset time falls below a lower threshold. The upper and lower thresholds for the number of attack requests intercepted within the preset time are the interception-count thresholds set in advance in the scanning and analysis policy configuration module of the enhanced log scanning analysis component.
For example, during periods when application services on the cloud are subject to a large-scale network attack, an attacker sends attack requests over the internet to the domain name address of each application service, and most of these are intercepted by the anti-DDoS IP and the application firewall. The enhanced log scanning analysis component monitors, through the listening interface, the number of attack requests intercepted by the application firewall within the preset time, and can be started automatically once that number reaches the upper threshold within the preset time.
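The start/stop behaviour described above, as an added illustrative example in Python (not code from the patent or from CCB Finetech): a sliding window counts the interceptions reported through the listening interface within the preset time, the scanning component is started when the count reaches the upper threshold, and it is stopped again only when the count falls below the lower threshold, so that a count hovering around one threshold does not flap the component on and off. The class name, method names and the threshold values used in the usage are assumptions.

```python
from collections import deque


class InterceptionListener:
    """Sliding-window counter for the application firewall's interception events.

    Hypothetical names: the patent describes a listening interface, a preset
    time window and an upper/lower threshold pair; keeping the counts in a
    deque of timestamps is an assumption made for this example.
    """

    def __init__(self, window_seconds, upper_threshold, lower_threshold):
        if lower_threshold >= upper_threshold:
            raise ValueError("lower threshold must be below upper threshold")
        self.window = window_seconds
        self.upper = upper_threshold
        self.lower = lower_threshold
        self.events = deque()   # timestamps of interceptions still inside the window
        self.active = False     # whether the log scanning component is running

    def _expire(self, now):
        # Drop interceptions that have aged out of the preset time window.
        while self.events and self.events[0] <= now - self.window:
            self.events.popleft()

    def count(self, now):
        """Number of interceptions within the window ending at `now`."""
        self._expire(now)
        return len(self.events)

    def evaluate(self, now):
        """Return "start", "stop" or "none" depending on which threshold was crossed."""
        n = self.count(now)
        if not self.active and n >= self.upper:
            self.active = True      # count reached the upper threshold: auto-start
            return "start"
        if self.active and n < self.lower:
            self.active = False     # count fell below the lower threshold: auto-stop
            return "stop"
        return "none"

    def record_interception(self, timestamp):
        """Called once per interception reported through the listening interface."""
        self.events.append(timestamp)
        return self.evaluate(timestamp)


def simulate(timestamps, window_seconds, upper_threshold, lower_threshold):
    """Replay constructed interception timestamps and return the state changes."""
    listener = InterceptionListener(window_seconds, upper_threshold, lower_threshold)
    changes = []
    for ts in timestamps:
        decision = listener.record_interception(ts)
        if decision != "none":
            changes.append((ts, decision))
    # One more evaluation after the window has drained shows the auto-stop.
    last = timestamps[-1] + window_seconds + 1
    decision = listener.evaluate(last)
    if decision != "none":
        changes.append((last, decision))
    return changes


if __name__ == "__main__":
    # Constructed burst: six interceptions within 30 s, 10 minute window,
    # upper threshold 5, lower threshold 2.
    print(simulate([0, 5, 10, 15, 20, 30], 600, 5, 2))
```

Using two thresholds rather than one is what keeps the component stable during an attack that ebbs and flows; with a single threshold, every dip below it would stop log collection exactly when the penetrating requests are most worth seeing.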
According to embodiments of the present disclosure, once the enhanced log scanning analysis component has started, the distribution log of the SLB (Server Load Balancing) and the application service log on the cloud server can be collected according to the log collection rules configured in the scanning and analysis policy configuration module. The log collection rules can be divided into text-based collection and protocol-based collection.
According to embodiments of the present disclosure, a text-based collection rule specifies the collection path, collection frequency, log encoding, log format and so on of the logs to be collected, and the logs are collected and archived record by record.
Here the rule name identifies each custom-defined rule; the operating system type may be win (Windows), Linux, Unix (a development platform and desktop operating system), AIX (Advanced Interactive eXecutive, a Unix-like operating system), etc.; the collection frequency may be expressed as n seconds per collection; the log path may be set, for example, to /var/nginx/access; the log format defines the timestamp format within the log so that the log can be archived record by record, for example yyyy-MM-dd HH:mm:ss; and the log encoding gives the character encoding of the log, for example gbk, utf-8 or ascii.
According to embodiments of the present disclosure, a protocol-based collection rule specifies the application service address and port of the logs to be collected, and the features of the logs to be collected, such as keywords or regular expressions, are set in a filter.
Here the rule name identifies each custom-defined rule; the operating system type may be win, Linux, Unix, AIX, etc.; the collection protocol may be set to TCP, UDP or HTTP; the address and port may be set, for example, to 127.0.0.1:8080; the collection rule may be by keyword or by regular expression; and the specific rule may be a keyword group or a regular expression.
In operation S220, the distribution log and the application service log are analyzed according to the configuration information, and a confirmed attack request list and a suspicious attack request list are obtained.
According to embodiments of the present disclosure, the configuration information may be set in the scanning and analysis policy configuration module. According to the configuration information, the distribution log and the application service log can be analyzed to obtain a confirmed attack request list and a suspicious attack request list. The configuration information may include attack features and an analysis policy corresponding to each attack feature. An attack feature may consist of an attack type identified by a rule ID, and the analysis policy may be expressed as a configuration rule.
According to embodiments of the present disclosure, by analyzing each log and matching the attack feature corresponding to each log against the attack features in the configuration information, the request corresponding to each log can be divided into the confirmed attack request list or the suspicious attack request list.
The confirmed attack request list and the suspicious attack request list may also include, for each request, the analysis policy determined from the configuration information.
For example, the configuration information may contain entries such as the following:
- rule ID 01001: attack type XSS (Cross-Site Scripting); configuration rule Alert (WAF);
- rule ID 02001: attack type SQL injection; configuration rule @tmp@;
- rule ID 03001: attack type code/command injection; configuration rule xp_cmdshell; gnlcontext;
- rule ID 04001: attack type web vulnerability attack; configuration rule <!DOCTYPE;
- rule ID 05001: attack type illegal access to core files; configuration rule backup.\\conf;
- rule ID 06001: attack type file upload attack; configuration rule /(d99|cmd|nc|database|sql|dump|papsppy|jsspy|aspsppy|out|shell|spy|([1-9]\d{0,2}|o))+\.(php|aspx|jsp|asp)+;
- rule ID 07001: attack type malicious scan; configuration rule \\\\is \is \is a/; *WEB-INF;
- rule ID 08001: attack type CSRF (Cross-Site Request Forgery); configuration rule redirect.
In operation S230, an interception policy corresponding to the application firewall is generated according to the belief attack request list and the suspicious attack request list.
According to the embodiment of the disclosure, the analysis strategy corresponding to the request can be included in the attack request list and the suspicious attack request list, so that the interception strategy corresponding to the application firewall can be generated according to the analysis strategy.
The interception policy may include an IP blocking, WAF blacklist feature string, and other suggested policies.
For example, an interception policy may block the IP 15.5.192, or a new interception policy entry such as * upper may be added.
According to the embodiment of the disclosure, the listening interface provided by the application firewall to the enhanced log scan analysis component is invoked; when the number of times the application firewall intercepts attack requests meets a preset condition, the distribution log and the application service log are obtained and analyzed according to the configuration information. Attack requests that penetrate the application firewall are thereby identified quickly and accurately, yielding the confident attack request list and the suspicious attack request list, from which the interception policy corresponding to the application firewall can be generated. This realizes real-time dynamic updating of the application firewall interception policy, so that network attacks can be resolved quickly and the security of the application service is ensured.
Fig. 3 schematically illustrates a flow chart of obtaining a confident attack request list and a suspicious attack request list according to an embodiment of the present disclosure.
As shown in fig. 3, the method 300 includes operations S310 to S330.
In operation S310, feature extraction is performed on each log in the distribution log and the application service log by using the log intelligent analysis module in the enhanced log scanning analysis component, so as to obtain attack features corresponding to each log.
According to the embodiment of the disclosure, the log intelligent analysis module can analyze the distribution log and the application service log according to the configuration information to obtain a confident attack request list and a suspicious attack request list.
According to an embodiment of the present disclosure, the distribution log and the application service log are each a plurality of logs. And respectively extracting the characteristics of each log to obtain attack characteristics corresponding to each log.
According to the embodiment of the disclosure, the attack features extracted from each log can be arranged into a general format for analysis, yielding general log information such as request time, server name, client IP, request method, request resource, server port, server IP, response status code, request source, and request protocol.
In operation S320, the attack feature corresponding to each log and the attack feature in the configuration information are subjected to feature matching, so as to obtain a matching result corresponding to each log.
According to embodiments of the present disclosure, the configuration information may include attack signatures and analysis policies corresponding to each attack signature. The attack characteristics corresponding to the logs and the attack characteristics in the configuration information can be matched, so that a matching result corresponding to each log can be obtained.
The matching result may include a request corresponding to the log, a matching degree, and an analysis policy.
According to the embodiment of the disclosure, in the case that the attack feature corresponding to the log and the attack feature in the configuration information are matched, the analysis policy corresponding to the attack feature in the configuration information may be determined as the analysis policy corresponding to the log. The matching situations of the attack features corresponding to the logs and the attack features in the configuration information can comprise high matching and partial matching.
For example, the attack features in the configuration information may be matched against the general log information corresponding to each log to obtain a matching result for that log. The attack features may include feature codes and may also include regular expressions; the matching result may include a hit ID, the source request content, the matching degree, and the analysis policy, where the hit ID is the rule ID.
In operation S330, the requests corresponding to each log are divided into a confident attack request list and a suspicious attack request list according to the matching result corresponding to each log.
According to the embodiment of the disclosure, the requests corresponding to each log can be divided into a confident attack request list and a suspicious attack request list according to the matching degree in the matching result.
According to the embodiment of the disclosure, by matching the attack characteristic corresponding to each log with the attack characteristic in the configuration information, the request corresponding to each log can be divided to obtain a confident attack request list and a suspicious attack request list, so that the request list and the suspicious attack request list can be used for generating an interception policy corresponding to an application firewall.
According to an embodiment of the present disclosure, dividing the request corresponding to each log into a confident attack request list and a suspicious attack request list according to the matching result corresponding to each log includes: for each log, placing the confident attack request, the attack feature and the analysis policy corresponding to the log into the confident attack request list when the matching degree corresponding to the log is greater than or equal to a first threshold; and placing the suspicious attack request, the attack feature and the analysis policy corresponding to the log into the suspicious attack request list when the matching degree corresponding to the log is greater than or equal to a second threshold and smaller than the first threshold.
According to embodiments of the present disclosure, the matching results may include a degree of matching and an analysis policy.
According to the embodiment of the disclosure, for each log, when the matching degree corresponding to the log is greater than or equal to the first threshold, the attack feature of the log is highly matched with an attack feature in the configuration information, that is, the request corresponding to the log may be determined to be a confident attack request, so that the confident attack request, the attack feature and the analysis policy corresponding to the log may be placed into the confident attack request list. A confident attack request characterizes a request that is a network attack.
According to the embodiment of the disclosure, when the matching degree corresponding to the log is greater than or equal to the second threshold and less than the first threshold, it may be indicated that the attack feature of the log is partially matched with the attack feature in the configuration information, that is, the request corresponding to the log may be a suspicious attack request, so that the suspicious attack request, the attack feature and the analysis policy corresponding to the log may be classified into a suspicious attack request list. The suspicious attack request may characterize that a request may or may not be a network attack, i.e., it is not certain whether the request is a network attack.
According to an embodiment of the present disclosure, in a case where the matching degree corresponding to the log is smaller than the second threshold value, it may be indicated that the request corresponding to the log is not a network attack.
According to the embodiment of the disclosure, whether the request corresponding to a log is a network attack is judged based on the first and second thresholds, so that the request corresponding to the log can be placed into a confident attack request list or a suspicious attack request list, and high-risk attack requests penetrating to the application layer can be identified quickly and accurately.
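The following Python example, added here and not part of the patent, carries operations S310 to S330 and the threshold division through on a few constructed log lines: logs in the general format are matched against a small rule catalogue (rule IDs and attack types follow the example above; the feature codes, regular expressions, analysis policies, threshold values and the matching-degree formula are assumptions, since the patent leaves them open), divided into confident and suspicious lists, and the confident list is turned into interception policy entries as in S230.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Rule catalogue, constructed for this example. Rule IDs and attack types follow
# the patent's example table; the feature codes, regular expressions and analysis
# policies are illustrative assumptions, not the patent's configuration.
RULES = [
    {"rule_id": "01001", "attack_type": "XSS",
     "feature_codes": ["<script", "onerror="], "regex": r"(?i)<script|javascript:",
     "policy": "WAF blacklist feature string: <script"},
    {"rule_id": "02001", "attack_type": "SQL injection",
     "feature_codes": ["union select"], "regex": r"(?i)union\s+select|or\s+1\s*=\s*1",
     "policy": "WAF blacklist feature string: union select"},
    {"rule_id": "03001", "attack_type": "command injection",
     "feature_codes": ["xp_cmdshell"], "regex": r"(?i)xp_cmdshell",
     "policy": "IP blocking"},
]

# Assumed thresholds on the matching degree (the patent does not give values).
FIRST_THRESHOLD = 0.8   # >= first threshold: confident attack request
SECOND_THRESHOLD = 0.3  # >= second threshold and < first: suspicious attack request


@dataclass
class GeneralLog:
    """The general log information fields named in operation S310."""
    request_time: str
    server_name: str
    client_ip: str
    method: str
    resource: str
    server_port: str
    server_ip: str
    status: str
    referer: str
    protocol: str


@dataclass
class MatchResult:
    """Matching result of S320: hit ID (rule ID), source request, degree, policy."""
    hit_id: Optional[str]
    source_request: str
    degree: float
    policy: Optional[str]
    client_ip: str


def parse_log(line: str) -> GeneralLog:
    """Feature extraction (S310). The constructed logs are tab-separated in the
    field order of GeneralLog, so each line maps directly onto the general format."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 10:
        raise ValueError(f"expected 10 fields, got {len(fields)}")
    return GeneralLog(*fields)


def match_log(log: GeneralLog) -> MatchResult:
    """Feature matching (S320). Assumed matching degree: for each rule, the share
    of its indicators (feature codes plus the regex) that hit the request content;
    the best-scoring rule becomes the hit. A regex-only hit is a partial match."""
    content = f"{log.method} {log.resource} {log.referer}"
    lowered = content.lower()
    best = MatchResult(None, content, 0.0, None, log.client_ip)
    for rule in RULES:
        hits = sum(code.lower() in lowered for code in rule["feature_codes"])
        hits += bool(re.search(rule["regex"], content))
        degree = hits / (len(rule["feature_codes"]) + 1)
        if degree > best.degree:
            best = MatchResult(rule["rule_id"], content, degree,
                               rule["policy"], log.client_ip)
    return best


def divide_requests(lines: List[str]):
    """S330: divide requests by the two thresholds; anything below the second
    threshold is treated as not a network attack and dropped."""
    confident, suspicious = [], []
    for line in lines:
        result = match_log(parse_log(line))
        if result.degree >= FIRST_THRESHOLD:
            confident.append(result)
        elif result.degree >= SECOND_THRESHOLD:
            suspicious.append(result)
    return confident, suspicious


def generate_interception_policy(confident: List[MatchResult]) -> List[str]:
    """S230 for the confident list: each analysis policy becomes a first
    interception policy entry; an 'IP blocking' policy is bound to the client IP."""
    policies = []
    for r in confident:
        entry = f"block IP {r.client_ip}" if r.policy == "IP blocking" else r.policy
        if entry not in policies:
            policies.append(entry)
    return policies


# Constructed sample logs (not from the patent), tab-separated in GeneralLog order.
SAMPLE_LOGS = [
    "2024-01-01T10:00:00\tapp1\t203.0.113.5\tGET\t/search?q=<script>alert(1)</script>\t443\t10.0.0.1\t200\t-\tHTTP/1.1",
    "2024-01-01T10:00:01\tapp1\t203.0.113.7\tGET\t/item?id=1 union select 1,2\t443\t10.0.0.1\t500\t-\tHTTP/1.1",
    "2024-01-01T10:00:02\tapp1\t198.51.100.9\tPOST\t/api/exec?cmd=xp_cmdshell\t443\t10.0.0.1\t403\t-\tHTTP/1.1",
    "2024-01-01T10:00:03\tapp1\t192.0.2.4\tGET\t/index.html\t443\t10.0.0.1\t200\t-\tHTTP/1.1",
]

if __name__ == "__main__":
    conf, susp = divide_requests(SAMPLE_LOGS)
    print("confident:", [(r.hit_id, r.client_ip, r.degree) for r in conf])
    print("suspicious:", [(r.hit_id, r.client_ip, r.degree) for r in susp])
    print("interception policy:", generate_interception_policy(conf))
```

With these assumptions the XSS request only reaches a partial match (one of its two feature codes plus the regex), so it lands in the suspicious list for confirmation on the cloud platform, while the SQL injection and command injection requests are confident and produce policy entries directly.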
FIG. 4 schematically illustrates an architecture diagram of an enhanced log scan analysis component according to an embodiment of the present disclosure.
As shown in FIG. 4, the enhanced log scan analysis component 400 can include a log collection system 410, a log processing distributed message queue 420, a log analysis real-time computing framework 430, an analysis results data store 440, a high-risk request and intercept policy push module 450, and a log scan rules and log analysis policy configuration 460.
The scanning and analysis policy configuration module may include a log scanning rule and a log analysis policy configuration 460; the log intelligence analysis module may include a log analysis real-time computing framework 430.
According to embodiments of the present disclosure, the log collection system 410 may include Flume (a distributed system for massive log collection, aggregation, and transmission), which can collect the distribution logs of the SLBs (server load balancers) and the application service logs on the cloud servers. That is, the log collection system 410 may perform the above-described operation S210 of acquiring the distribution log and the application service log.
Log collection can be realized by installing a log collection agent plug-in on each application server, combining it with ZooKeeper (a distributed, open-source application coordination service), and configuring basic information such as the log collection paths, collection rules, and collection frequencies of each application server and server load balancer.
According to embodiments of the present disclosure, the log scan rules and log analysis policy configuration 460 may implement the configuration of log scan rules and analysis policies based on ZooKeeper.
According to an embodiment of the present disclosure, log processing distributed message queue 420 may include a kafka distributed message queue for collecting logs.
According to embodiments of the present disclosure, with the kafka distributed message queue, the collected distribution log and application service log may be pushed to the queue to be analyzed so that the log analysis real-time computation framework 430 achieves real-time analysis of the log by reading the message queue.
According to embodiments of the present disclosure, log analysis real-time computing framework 430 may include a Storm (real-time computing system) streaming computing framework for implementing high-risk attack request screening and generation of intercept policies.
The log scanning rules and log analysis policy configuration 460 may also serve the log analysis real-time computing framework 430, and may also implement a visualization configuration based on ZooKeeper. The log scan rules and log analysis policy configuration 460 are mainly used to configure analysis rules for various types of attack requests.
For example, the analysis rules may be classified by attack type, including but not limited to SQL injection, cross-site scripting, malicious URL requests, malicious file execution, SQL or shell file execution, administrator resource access, directory listing rejection, DoS attacks, and directory traversal; for each attack type, the feature codes, regular expression matching, judgment criteria and thresholds, and interception policy rule generation can be configured flexibly.
According to embodiments of the present disclosure, the log analysis real-time computing framework 430 may retrieve locating network attack requests in a massive log based on the log scan rules and the freely configured analysis rules of the log analysis policy configuration 460. The real-time processing of the log data can be realized through stream processing, so that the requirements of high real-time performance, high throughput and low delay of the log analysis real-time computing framework 430 are met, and the method is suitable for continuous log data source scenes.
According to embodiments of the present disclosure, log analysis results obtained using the log analysis real-time computing framework 430 may be stored in an analysis results data store (HBase, an open-source, non-relational distributed database) 440.
According to the embodiment of the disclosure, the high-risk request and interception policy pushing module 450 mainly pushes the confident attack request list to the WAF directly through the interface between the enhanced log scanning analysis component and the WAF, so as to realize the real-time dynamic update of the application firewall attack interception policy according to the analysis policy in the confident attack request list; pushing the suspicious attack request list to the cloud platform for display through an interface between the enhanced log scanning analysis component and the cloud platform so as to confirm and adjust each suspicious attack request in the suspicious attack request list and an analysis strategy corresponding to each suspicious attack request.
According to an embodiment of the present disclosure, generating an interception policy corresponding to the application firewall according to the confident attack request list and the suspicious attack request list includes: determining the analysis policy in the confident attack request list as a first interception policy corresponding to the application firewall, invoking the interception policy pushing interface provided by the application firewall to the enhanced log scan analysis component, and sending the first interception policy to the application firewall so that the application firewall can intercept attack requests using the first interception policy.
According to the embodiment of the disclosure, the analysis policy corresponding to each confident attack request in the confident attack request list can be determined as the first interception policy corresponding to the application firewall, and the first interception policy can be pushed directly to the application firewall by invoking the interception policy pushing interface provided by the application firewall to the enhanced log scan analysis component, so that the application firewall intercepts attack requests using the first interception policy.
According to the embodiment of the disclosure, the analysis policy corresponding to a confident attack request is sent directly to the application firewall, so that the application firewall can intercept the corresponding confident attack request using that analysis policy. A quick and accurate customized interception policy is thereby realized, network attacks are handled promptly, and the security of the application service is ensured.
According to an embodiment of the present disclosure, the method for generating an interception policy further includes: invoking the suspicious attack request and policy pushing interface provided by the cloud platform to the enhanced log scan analysis component, and sending the suspicious attack request list to the cloud platform, so that after each suspicious attack request and its corresponding analysis policy in the suspicious attack request list have been confirmed and adjusted, the analysis policy corresponding to each confident attack request in the suspicious attack request list is determined as a second interception policy corresponding to the application firewall and the second interception policy is sent to the application firewall.
According to the embodiment of the disclosure, the second interception policy is sent to the application firewall by the cloud platform by calling an interception policy pushing interface provided by the application firewall to the cloud platform, so that the application firewall intercepts an attack request by using the second interception policy.
According to the embodiment of the disclosure, the enhanced log scan analysis component may push the obtained suspicious attack request list to the cloud platform through the suspicious attack request and the policy pushing interface provided to the enhanced log scan analysis component, so as to perform confirmation and adjustment on the suspicious attack request and the analysis policy corresponding to the suspicious attack request in the suspicious attack request list, that is, confirm whether the suspicious attack request is a network attack, and determine the suspicious attack request as a confident attack request if the suspicious attack request is a network attack, confirm whether the analysis policy corresponding to the suspicious attack request is correct, and adjust the error analysis policy corresponding to the suspicious attack request as a correct analysis policy if the analysis policy corresponding to the suspicious attack request is incorrect.
According to the embodiment of the disclosure, after confirmation and adjustment operations are performed on each suspicious attack request and the analysis policy corresponding to each suspicious attack request, the confident attack request and the analysis policy corresponding to the confident attack request can be directly sent to the application firewall through the interception policy pushing interface provided to the cloud platform by the application firewall.
According to the embodiment of the disclosure, the cloud platform is utilized to confirm and adjust each suspicious attack request and the analysis strategy corresponding to each suspicious attack request in the suspicious attack request list, so that the confident attack request can be determined from the suspicious attack request list, and the network attack can be rapidly and accurately identified.
According to an embodiment of the present disclosure, the method for generating an interception policy further includes: invoking the confident attack request and interception policy acquisition interface provided by the big data platform to the enhanced log scan analysis component, and acquiring from the big data platform the analysis policy and the attack feature corresponding to each confident attack request in the suspicious attack request list; and updating the configuration information using the analysis policy and the attack feature corresponding to each confident attack request in the suspicious attack request list.
According to the embodiment of the disclosure, the big data platform obtains the analysis policy and the attack feature corresponding to each confident attack request in the suspicious attack request list from the cloud platform by invoking the confident attack request and interception policy pushing interface.
According to the embodiment of the disclosure, the cloud platform can push the analysis strategy and the attack characteristics corresponding to each confident attack request in the suspicious attack request list to the big data platform for archiving and saving by calling the confident attack request and the interception strategy pushing interface provided by the big data platform for the cloud platform.
According to the embodiment of the disclosure, the large data platform can push the stored analysis strategy and attack characteristics corresponding to each confident attack request to the enhanced log scanning analysis component by calling the confident attack request and interception strategy acquisition interface provided by the large data platform to the enhanced log scanning analysis component for updating the configuration information in the enhanced log scanning analysis component.
According to the embodiment of the disclosure, the configuration information in the enhanced log scan analysis component can be updated with the analysis policy and the attack feature corresponding to the confident attack requests determined on the cloud platform, so that continuous training and optimization of the configuration information is realized, the accuracy of the interception policy corresponding to the application firewall is improved, and the security of the application service is ensured.
According to an embodiment of the present disclosure, the method for generating an interception policy further includes: each log is sliced and classified prior to feature extraction.
According to the embodiment of the disclosure, before feature extraction is performed on each log, the log may be sliced, and then classified according to classification conditions, and on the basis of the slicing, feature extraction is performed on the log.
According to the embodiment of the disclosure, the logs are sliced and classified so as to facilitate the subsequent feature extraction of the logs and avoid the overlarge logs.
Fig. 5 schematically illustrates a block diagram of a log analysis real-time computing framework in accordance with an embodiment of the present disclosure.
According to embodiments of the present disclosure, log processing distributed message queue 420 may push collected dispatch logs and application service logs to a queue to be analyzed so that log analysis real-time computing framework 430 reads the message queue, resulting in thread set 431.
According to embodiments of the present disclosure, multiple threads may be included in thread set 431, e.g., thread 1 and thread 2. One log in the message queue may be processed in each thread. According to an embodiment of the present disclosure, after performing data flow splitting 432 on each log in the thread set 431, the log may be classified based on an error return code, an abnormal error code (error code), a feature string, a feature regular matching degree, and the like corresponding to the log by using the application log feature extraction aggregation 433, so as to implement aggregation of the log. After classifying the logs, the logs may be further extracted by using the application log feature extraction collection 433 to obtain attack features corresponding to each log.
According to embodiments of the present disclosure, the attack request identification 434 may identify whether the request corresponding to each log is a confident attack request or a suspicious attack request according to the attack characteristics corresponding to each log in combination with the attack characteristics in the scan and analysis policy configuration module 510. The attack features corresponding to each log may be feature matched with the attack features in the scan and analysis policy configuration module 510 using the attack request identification 434 to obtain a matching result corresponding to each log.
The scan and analysis policy configuration module 510 may include the above-described log scan rules and log analysis policy configuration 460.
According to an embodiment of the present disclosure, the data sorting and saving module 435 may obtain and sort the attack features and analysis policies corresponding to each log, identify the confident attack requests and the suspicious attack requests so as to distinguish them, and save the matching results corresponding to each log to the analysis results data store (HBase) 440.
Fig. 6 schematically illustrates a block diagram of a generation method for implementing an interception policy according to an embodiment of the present disclosure.
As shown in fig. 6, the architecture 600 for implementing the generation method of interception policies may include an application firewall 614, an enhanced log scan analysis component 620, a cloud platform 630, and a big data platform 640.
According to embodiments of the present disclosure, during periods when application services on the cloud are subject to large-scale network attacks, an attacker may send attack requests over the internet 611 to the domain name addresses 612 of each application service, with most of the attack requests intercepted by the high-protection IP 613 and the application firewall 614. The domain name address 612 is obtained by domain name resolution of each application service.
According to an embodiment of the present disclosure, the enhanced log scan analysis component 620 may monitor, through a listening interface, the number of times the application firewall 614 intercepts an attack request within a preset time, and in a case that the number of times the application firewall 614 intercepts the attack request within the preset time satisfies a preset condition, the enhanced log scan analysis component 620 may be automatically turned on.
According to an embodiment of the present disclosure, the log scan collection module 621 may collect distribution logs from the load balancer 615 and application service logs from the cloud servers, such as cloud server 1, cloud server 2, and cloud server 3, according to the log collection rules configured in the scan and analysis policy configuration module 622. That is, the log scan collection module 621 may perform operation S210 described above. The log scan collection module 621 may include the log collection system 410 and the log processing distributed message queue 420 described above.
According to an embodiment of the present disclosure, the log intelligent analysis module 623 analyzes the distribution log and the application service log according to the configuration information configured in the scan and analysis policy configuration module 622, obtaining a confident attack request list and a suspicious attack request list. That is, the log intelligent analysis module 623 may perform the above-described operation S220. The log intelligent analysis module 623 may include the log analysis real-time computing framework 430 described above.
According to embodiments of the present disclosure, with the high-risk request and intercept policy pushing module 624, the list of confident attack requests may be sent directly to the application firewall 614 through the intercept policy pushing interface provided by the application firewall 614 to the enhanced log scan analysis component 620; the list of suspicious attack requests may be sent directly to cloud platform 630 through suspicious attack requests and policy pushing interfaces provided by cloud platform 630 to enhanced log scan analysis component 620. The high-risk request and intercept policy pushing module 624 is identical to the high-risk request and intercept policy pushing module 450 described above.
According to embodiments of the present disclosure, suspicious distribution logs in the suspicious attack request list may be presented in the suspicious distribution log presentation module 631 and suspicious application service logs may be presented in the suspicious application service log presentation module 632. And according to the interception policy configured in the policy display module 633, performing a validation and adjustment operation on each suspicious attack request in the suspicious attack request list and an analysis policy corresponding to each suspicious attack request in the policy validation and adjustment and pushing module 634.
According to an embodiment of the present disclosure, after performing the validation and adjustment operation on each suspicious attack request and the analysis policy corresponding to each suspicious attack request in the suspicious attack request list, the policy validation and adjustment and pushing module 634 may further determine the analysis policy corresponding to each confident attack request in the suspicious attack request list as a second interception policy corresponding to the application firewall, and send the second interception policy directly to the application firewall 614 through the interception policy pushing interface provided to the cloud platform 630 by the application firewall 614.
According to the embodiment of the present disclosure, by invoking the confident attack request and interception policy pushing interface provided by the big data platform 640 to the cloud platform 630, the big data platform 640 may obtain from the cloud platform 630 the analysis policy and the attack feature corresponding to each confident attack request in the suspicious attack request list.
According to embodiments of the present disclosure, the analysis policy and attack feature corresponding to each confident attack request in the list of suspicious attack requests in the big data platform 640 may be obtained by invoking the confident attack request and intercept policy acquisition interface provided by the big data platform 640 to the enhanced log scan analysis component 620, thereby updating the configuration information in the scan and analysis policy configuration module 622 with the analysis policy and attack feature corresponding to each confident attack request in the list of suspicious attack requests.
According to the embodiment of the disclosure, through the interface interaction among the enhanced log scan analysis component 620, the cloud platform 630, the WAF 614 and the big data platform 640, continuous training and optimization of the log intelligent analysis module 623 and real-time intelligent updating of the WAF interception policy are realized, so that security operation and maintenance personnel can be assisted in quickly and accurately locating network attack requests that penetrate the high-protection (anti-DDoS) IP and the WAF when handling large-scale network attacks and security attack and defense exercises.
Based on the method for generating the interception policy, the disclosure also provides a device for generating the interception policy. The device will be described in detail below in connection with fig. 7.
Fig. 7 schematically illustrates a block diagram of a structure of an interception policy generating apparatus according to an embodiment of the present disclosure.
As shown in fig. 7, the generating device 700 of the interception policy of this embodiment includes an acquiring module 710, an analyzing module 720, and a generating module 730.
The obtaining module 710 is configured to invoke the listening interface provided by the application firewall to the enhanced log scan analysis component, and obtain the distribution log and the application service log when the number of times the application firewall intercepts the attack request meets a preset condition. In an embodiment, the obtaining module 710 may be configured to perform the operation S210 described above, which is not described herein.
The analysis module 720 is configured to analyze the distribution log and the application service log according to the configuration information, and obtain a confident attack request list and a suspicious attack request list. In an embodiment, the analysis module 720 may be configured to perform the operation S220 described above, which is not described herein.
The generating module 730 is configured to generate an interception policy corresponding to the application firewall according to the confident attack request list and the suspicious attack request list. In an embodiment, the generating module 730 may be configured to perform the operation S230 described above, which is not described herein.
According to an embodiment of the present disclosure, the analysis module 720 includes an extraction unit, a matching unit, and a division unit.
The extraction unit is configured to extract features of each log in the distribution log and the application service log, using the log intelligent analysis module in the enhanced log scanning analysis component, to obtain the attack features corresponding to each log.
The matching unit is configured to match the attack features corresponding to each log against the attack features in the configuration information, to obtain a matching result corresponding to each log.
The dividing unit is configured to divide the request corresponding to each log into the confirmed attack request list or the suspicious attack request list according to the matching result corresponding to that log.
According to an embodiment of the present disclosure, the dividing unit includes a first dividing subunit and a second dividing subunit.
The first dividing subunit is configured to divide, for each log, the confirmed attack request, the attack features and the analysis policy corresponding to the log into the confirmed attack request list when the matching degree corresponding to the log is greater than or equal to a first threshold.
The second dividing subunit is configured to divide the suspicious attack request, the attack features and the analysis policy corresponding to the log into the suspicious attack request list when the matching degree corresponding to the log is greater than or equal to a second threshold and smaller than the first threshold.
According to an embodiment of the present disclosure, the generating module 730 includes a first determining unit.
The first determining unit is configured to determine the analysis policy in the confirmed attack request list as a first interception policy corresponding to the application firewall, to invoke the interception policy pushing interface provided by the application firewall to the enhanced log scanning analysis component, and to send the first interception policy to the application firewall so that the application firewall can intercept attack requests using the first interception policy.
According to an embodiment of the present disclosure, the generating module 730 further comprises a second determining unit.
The second determining unit is configured to invoke the suspicious attack request and policy pushing interface provided by the cloud platform to the enhanced log scanning analysis component, and to send the suspicious attack request list to the cloud platform, so that after each suspicious attack request in the suspicious attack request list and its corresponding analysis policy have been confirmed and adjusted, the analysis policy corresponding to each confirmed attack request in the suspicious attack request list is determined as a second interception policy corresponding to the application firewall; the second interception policy is sent to the application firewall by invoking the interception policy pushing interface provided by the application firewall to the cloud platform, so that the application firewall can intercept attack requests using the second interception policy.
The generating module 730 further includes an acquiring unit and an updating unit according to an embodiment of the present disclosure.
The acquisition unit is configured to invoke the confirmed attack request and interception policy acquisition interface provided by the big data platform to the enhanced log scanning analysis component, and to acquire from the big data platform the analysis policy and the attack features corresponding to each confirmed attack request in the suspicious attack request list.
The updating unit is configured to update the configuration information using the analysis policy and the attack features corresponding to each confirmed attack request in the suspicious attack request list; the analysis policy and the attack features corresponding to each confirmed attack request in the suspicious attack request list are obtained by the big data platform from the cloud platform by invoking the confirmed attack request and interception policy pushing interface.
According to an embodiment of the present disclosure, the analysis module 720 further comprises a processing unit.
The processing unit is configured to slice and classify each log before the features of each log are extracted.
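The flow of the analysis module 720 and the generating module 730 (and of claims 2 to 7), as an added example that is not part of the patent: a feature match scores each log line against configured attack features, two thresholds split the results into the confirmed and suspicious lists, the confirmed list becomes the first interception policy, a stand-in for the cloud platform reviews the suspicious list to yield the second policy, and the reviewed entries are folded back into the configuration. The configuration schema, the threshold values, the "<ip> <path>" log line format, the sample logs and every function name are assumptions.

```python
import copy
import re
from dataclasses import dataclass

# Constructed configuration information (assumed schema): an attack feature is a
# set of indicator patterns plus the analysis policy applied when it matches.
CONFIG = {
    "sqli": {"indicators": [r"union\s+select", r"'\s*or\s+1=1", r"sleep\("],
             "policy": "block_client_ip"},
    "traversal": {"indicators": [r"\.\./", r"/etc/passwd"], "policy": "block_path"},
}
FIRST_THRESHOLD = 0.66   # matching degree for the confirmed list (assumed value)
SECOND_THRESHOLD = 0.33  # lower bound of the suspicious list (assumed value)

@dataclass
class MatchResult:
    client_ip: str
    path: str
    feature: str
    degree: float
    policy: str

def match_log(line: str, config: dict) -> MatchResult:
    """Processing, extraction and matching units on one constructed '<ip> <path>'
    log line: degree = share of a feature's indicators found in the path."""
    client_ip, path = line.split(" ", 1)
    best = MatchResult(client_ip, path, "", 0.0, "")
    for name, spec in config.items():
        hits = sum(1 for pat in spec["indicators"] if re.search(pat, path, re.I))
        degree = hits / len(spec["indicators"])
        if degree > best.degree:
            best = MatchResult(client_ip, path, name, degree, spec["policy"])
    return best

def divide(results):
    """Dividing unit: first threshold -> confirmed list, second -> suspicious list."""
    confirmed, suspicious = [], []
    for r in results:
        if r.degree >= FIRST_THRESHOLD:
            confirmed.append(r)
        elif r.degree >= SECOND_THRESHOLD:
            suspicious.append(r)
    return confirmed, suspicious

def interception_policy(results):
    """Determining units: turn analysis policies into de-duplicated WAF rules."""
    rules = set()
    for r in results:
        target = r.client_ip if r.policy == "block_client_ip" else r.path
        rules.add((r.policy, target))
    return sorted(rules)

def update_config(config: dict, reviewed):
    """Updating unit: fold reviewer-confirmed policies and indicators back into
    the configuration so the next round matches them with a higher degree."""
    for r, new_indicator in reviewed:
        spec = config[r.feature]
        spec["policy"] = r.policy
        if new_indicator not in spec["indicators"]:
            spec["indicators"].append(new_indicator)

def run_pipeline(dist_lines, app_lines, reviewer, config=CONFIG):
    """Flow of modules 720/730. `reviewer` stands in for the cloud platform and
    returns (adjusted_policy, new_indicator) for confirmed entries, else None."""
    config = copy.deepcopy(config)          # never mutate the caller's config
    results = [match_log(l, config) for l in dist_lines + app_lines]
    confirmed, suspicious = divide(results)
    first_policy = interception_policy(confirmed)   # pushed straight to the WAF
    reviewed = []
    for r in suspicious:
        verdict = reviewer(r)
        if verdict:
            r.policy, indicator = verdict
            reviewed.append((r, indicator))
    second_policy = interception_policy([r for r, _ in reviewed])
    update_config(config, reviewed)
    return first_policy, second_policy, config

# Constructed sample logs and a stand-in reviewer (not from the patent).
DIST_LOGS = ["203.0.113.5 /search?q=1' or 1=1 union select 1,2",
             "192.0.2.9 /img?f=../logo.png"]
APP_LOGS = ["198.51.100.7 /download?f=../../etc/passwd", "192.0.2.10 /home"]

def demo_reviewer(r):
    """Confirms suspicious traversal probes and tightens the policy to an IP block."""
    return ("block_client_ip", r"\.\./logo") if r.feature == "traversal" else None
```

Calling `run_pipeline(DIST_LOGS, APP_LOGS, demo_reviewer)` returns the first policy, the second policy and the updated configuration; re-scoring the suspicious sample against the updated configuration moves it into the confirmed list.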
Any of the acquisition module 710, the analysis module 720, and the generation module 730 may be combined in one module to be implemented, or any of the modules may be split into a plurality of modules, according to embodiments of the present disclosure. Alternatively, at least some of the functionality of one or more of the modules may be combined with at least some of the functionality of other modules and implemented in one module. According to embodiments of the present disclosure, at least one of the acquisition module 710, the analysis module 720, and the generation module 730 may be implemented at least in part as hardware circuitry, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system-on-chip, a system-on-substrate, a system-on-package, an Application Specific Integrated Circuit (ASIC), or in hardware or firmware, such as any other reasonable manner of integrating or packaging the circuitry, or in any one of or a suitable combination of any of three implementations of software, hardware, and firmware. Alternatively, at least one of the acquisition module 710, the analysis module 720 and the generation module 730 may be at least partially implemented as computer program modules which, when executed, may perform the corresponding functions.
Fig. 8 schematically illustrates a block diagram of an electronic device adapted to implement a method of generating an interception policy according to an embodiment of the disclosure.
As shown in fig. 8, an electronic device 800 according to an embodiment of the present disclosure includes a processor 801 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 802 or a program loaded from a storage section 808 into a Random Access Memory (RAM) 803. The processor 801 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or an associated chipset and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), or the like. The processor 801 may also include on-board memory for caching purposes. The processor 801 may include a single processing unit or multiple processing units for performing the different actions of the method flows according to embodiments of the disclosure.
In the RAM 803, various programs and data required for the operation of the electronic device 800 are stored. The processor 801, the ROM 802, and the RAM 803 are connected to each other by a bus 804. The processor 801 performs various operations of the method flow according to the embodiments of the present disclosure by executing programs in the ROM 802 and/or the RAM 803. Note that the program may be stored in one or more memories other than the ROM 802 and the RAM 803. The processor 801 may also perform various operations of the method flows according to embodiments of the present disclosure by executing programs stored in the one or more memories.
According to an embodiment of the present disclosure, the electronic device 800 may also include an input/output (I/O) interface 805, the input/output (I/O) interface 805 also being connected to the bus 804. The electronic device 800 may also include one or more of the following components connected to an input/output (I/O) interface 805: an input portion 806 including a keyboard, mouse, etc.; an output portion 807 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and a speaker; a storage section 808 including a hard disk or the like; and a communication section 809 including a network interface card such as a LAN card, a modem, or the like. The communication section 809 performs communication processing via a network such as the internet. The drive 810 is also connected to an input/output (I/O) interface 805 as needed. A removable medium 811 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 810 as needed so that a computer program read out therefrom is mounted into the storage section 808 as needed.
The present disclosure also provides a computer-readable storage medium that may be embodied in the apparatus/device/system described in the above embodiments; or may exist alone without being assembled into the apparatus/device/system. The computer-readable storage medium carries one or more programs which, when executed, implement methods in accordance with embodiments of the present disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example, but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this disclosure, a computer-readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present disclosure, the computer-readable storage medium may include ROM 802 and/or RAM 803 and/or one or more memories other than ROM 802 and RAM 803 described above.
Embodiments of the present disclosure also include a computer program product comprising a computer program containing program code for performing the methods shown in the flowcharts. When the computer program product runs in a computer system, the program code is used for enabling the computer system to implement the method for generating the interception policy provided by the embodiment of the disclosure.
The above-described functions defined in the system/apparatus of the embodiments of the present disclosure are performed when the computer program is executed by the processor 801. The systems, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.
In one embodiment, the computer program may be based on a tangible storage medium such as an optical storage device, a magnetic storage device, or the like. In another embodiment, the computer program may also be transmitted, distributed, and downloaded and installed in the form of a signal on a network medium, and/or from a removable medium 811 via a communication portion 809. The computer program may include program code that may be transmitted using any appropriate network medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.
In such an embodiment, the computer program may be downloaded and installed from a network via the communication section 809, and/or installed from the removable media 811. The above-described functions defined in the system of the embodiments of the present disclosure are performed when the computer program is executed by the processor 801. The systems, devices, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.
According to embodiments of the present disclosure, program code for the computer programs provided by embodiments of the present disclosure may be written in any combination of one or more programming languages; in particular, such computer programs may be implemented in high-level procedural and/or object-oriented programming languages, and/or assembly/machine languages. Programming languages include, but are not limited to, Java, C++, Python, C or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., connected via the Internet using an Internet service provider).
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that the features recited in the various embodiments of the disclosure and/or in the claims may be provided in a variety of combinations and/or combinations, even if such combinations or combinations are not explicitly recited in the disclosure. In particular, the features recited in the various embodiments of the present disclosure and/or the claims may be variously combined and/or combined without departing from the spirit and teachings of the present disclosure. All such combinations and/or combinations fall within the scope of the present disclosure.
The embodiments of the present disclosure are described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described above separately, this does not mean that the measures in the embodiments cannot be used advantageously in combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be made by those skilled in the art without departing from the scope of the disclosure, and such alternatives and modifications are intended to fall within the scope of the disclosure.

Claims (11)

1. A method of generating an interception policy, comprising:
invoking a monitoring interface provided by an application firewall to an enhanced log scanning analysis component, and acquiring a distribution log and an application service log when the number of times the application firewall has intercepted attack requests meets a preset condition;
analyzing the distribution log and the application service log according to configuration information to obtain a confirmed attack request list and a suspicious attack request list; and
generating an interception policy corresponding to the application firewall according to the confirmed attack request list and the suspicious attack request list.
2. The method of claim 1, wherein the configuration information includes attack features and an analysis policy corresponding to each of the attack features, and the analyzing the distribution log and the application service log according to the configuration information to obtain a confirmed attack request list and a suspicious attack request list includes:
extracting features of each log in the distribution log and the application service log, using a log intelligent analysis module in the enhanced log scanning analysis component, to obtain attack features corresponding to each log;
matching the attack features corresponding to each log against the attack features in the configuration information to obtain a matching result corresponding to each log; and
dividing the request corresponding to each log into the confirmed attack request list or the suspicious attack request list according to the matching result corresponding to that log.
3. The method of claim 2, wherein the matching result includes a matching degree and an analysis policy, and the dividing the request corresponding to each log into the confirmed attack request list or the suspicious attack request list according to the matching result corresponding to each log includes:
for each log, dividing the confirmed attack request, the attack features and the analysis policy corresponding to the log into the confirmed attack request list when the matching degree corresponding to the log is greater than or equal to a first threshold; and
dividing the suspicious attack request, the attack features and the analysis policy corresponding to the log into the suspicious attack request list when the matching degree corresponding to the log is greater than or equal to a second threshold and smaller than the first threshold.
4. The method of claim 1, wherein the generating an interception policy corresponding to the application firewall according to the confirmed attack request list and the suspicious attack request list comprises:
determining the analysis policy in the confirmed attack request list as a first interception policy corresponding to the application firewall, invoking an interception policy pushing interface provided by the application firewall to the enhanced log scanning analysis component, and sending the first interception policy to the application firewall so that the application firewall intercepts attack requests using the first interception policy.
5. The method of claim 4, further comprising:
invoking a suspicious attack request and policy pushing interface provided by a cloud platform to the enhanced log scanning analysis component, and sending the suspicious attack request list to the cloud platform, so that after each suspicious attack request in the suspicious attack request list and its corresponding analysis policy have been confirmed and adjusted, the analysis policy corresponding to each confirmed attack request in the suspicious attack request list is determined as a second interception policy corresponding to the application firewall, and the second interception policy is sent to the application firewall;
wherein the second interception policy is sent to the application firewall by invoking an interception policy pushing interface provided by the application firewall to the cloud platform, so that the application firewall intercepts attack requests using the second interception policy.
6. The method of claim 5, further comprising:
invoking a confirmed attack request and interception policy acquisition interface provided by a big data platform to the enhanced log scanning analysis component, and acquiring from the big data platform an analysis policy and attack features corresponding to each confirmed attack request in the suspicious attack request list; and
updating the configuration information using the analysis policy and the attack features corresponding to each confirmed attack request in the suspicious attack request list;
wherein the analysis policy and the attack features corresponding to each confirmed attack request in the suspicious attack request list are obtained by the big data platform from the cloud platform by invoking a confirmed attack request and interception policy pushing interface.
7. The method of claim 2, further comprising:
slicing and classifying each log before the features of each log are extracted.
8. An interception policy generation device, comprising:
an acquisition module, configured to invoke a monitoring interface provided by an application firewall to an enhanced log scanning analysis component, and to acquire a distribution log and an application service log when the number of times the application firewall has intercepted attack requests meets a preset condition;
an analysis module, configured to analyze the distribution log and the application service log according to configuration information to obtain a confirmed attack request list and a suspicious attack request list; and
a generation module, configured to generate an interception policy corresponding to the application firewall according to the confirmed attack request list and the suspicious attack request list.
9. An electronic device, comprising:
one or more processors;
storage means for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method of any of claims 1-7.
10. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to perform the method according to any of claims 1-7.
11. A computer program product comprising a computer program which, when executed by a processor, implements the method according to any one of claims 1 to 7.
CN202311141842.4A 2023-09-06 2023-09-06 Interception policy generation method, device, equipment and storage medium Pending CN117040904A (en)


Publications (1)

Publication Number Publication Date
CN117040904A true CN117040904A (en) 2023-11-10

Family

ID=88631777


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination