JP4977888B2 - Web application attack detection method - Google Patents
Web application attack detection method
- Publication number
- JP4977888B2
- Authority
- JP (Japan)
- Prior art keywords
- http traffic
- attack
- reconfigured
- packet
- web application
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L12/00—Data switching networks
        - H04L12/66—Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        - G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
          - G06F21/55—Detecting local intrusion or implementing counter-measures
            - G06F21/554—Detecting local intrusion or implementing counter-measures involving event detection and direct action
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
          - H04L63/0227—Filtering policies
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
          - H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
            - H04L63/1416—Event detection, e.g. attack signature detection
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/16—Implementing security features at a particular protocol layer
          - H04L63/168—Implementing security features at a particular protocol layer above the transport layer
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- Computing Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computer And Data Communications (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Description
20 Web server
30 User server
Claims (6)
- A web application attack detection method comprising:
  a step in which, when packets forming HTTP traffic are received, a web application firewall removes the header of each packet forming the HTTP traffic and then collects only the payload portion of each packet to reconstruct the HTTP traffic;
  a step in which a parser analyzes the reconstructed HTTP traffic to determine whether the reconstructed HTTP traffic contains attack-related content;
  a step in which, when the result of the determination is that the reconstructed HTTP traffic does not contain attack-related content, the reconstructed HTTP traffic is transmitted to a web server or a user server so that it is processed normally; and
  a step in which, when the result of the determination is that the reconstructed HTTP traffic contains attack-related content, the reconstructed HTTP traffic is detected as an attack and then reprocessed by one of the following methods: requesting the web server or user server that sent the abnormal packet contained in the reconstructed HTTP traffic to retransmit a packet corresponding to the abnormal packet; deleting the packet; or modifying the abnormal packet contained in the reconstructed HTTP traffic and transmitting it to the web server or user server.
- The web application attack detection method according to claim 1, wherein the parser includes an XML parser, and the XML parser determines whether the reconstructed HTTP traffic contains an attack statement by identifying the start and end of each tag in the reconstructed HTTP traffic and thereby checking the consistency of the XML syntax and the parent-child relationships between elements.
- The web application attack detection method according to claim 1, wherein the parser includes a JavaScript parser, and the JavaScript parser determines whether the reconstructed HTTP traffic contains an attack statement by checking whether the JavaScript syntax is valid.
- The web application attack detection method according to claim 1, wherein the parser includes an SQL parser, and the SQL parser determines whether the reconstructed HTTP traffic contains an attack statement by decomposing the reconstructed HTTP traffic into minimal units and checking whether each resulting unit is part of SQL syntax.
- The web application attack detection method according to claim 1, wherein, in the modification, the web application firewall modifies a message contained in the reconstructed HTTP traffic that may be suspected of being an attack into a normal message.
- The web application attack detection method according to claim 1, wherein, in the modification, the web application firewall modifies part of a message related to personal information, among the messages contained in the reconstructed HTTP traffic, into a message that cannot be read from the outside.
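The following Python sketch is an added worked example, not code from the patent or from any assignee; it walks through the four steps of claim 1 with the minimal-unit SQL check of claim 4 standing in for the parser, and the rewriting of claims 5 and 6 as the modification branch. The `Packet` type, the `Disposition` values, the keyword list, the "two keywords or keyword plus operator" criterion and the two-packet sample request are all assumptions made for the example; a production firewall would drive a real SQL, XML or JavaScript grammar rather than a token list.

```python
import re
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, List, Tuple
from urllib.parse import parse_qsl, unquote_plus, urlencode

@dataclass
class Packet:
    """Constructed stand-in for a transport segment: header discarded, payload kept."""
    seq: int
    header: bytes
    payload: bytes

class Disposition(Enum):
    FORWARD = "forward"        # step 3: no attack content, pass through
    DROP = "drop"              # step 4: delete the abnormal packet(s)
    RETRANSMIT = "retransmit"  # step 4: ask the sender to resend them
    MODIFY = "modify"          # step 4: rewrite into a normal message (claims 5, 6)

# Toy SQL vocabulary for the claim 4 "minimal unit" check (assumption, not a grammar).
SQL_KEYWORDS = {"select", "union", "insert", "update", "delete", "drop", "from",
                "where", "or", "and", "sleep", "benchmark"}
SQL_OPERATORS = {"=", "'", '"', ";", "--", "/*", "*/", "(", ")"}
TOKEN_RE = re.compile(r"""--|/\*|\*/|[A-Za-z_]+|\d+|[='";()]""")

def reassemble(packets: List[Packet]) -> bytes:
    """Claim 1, step 1: drop every header, concatenate payloads in sequence order."""
    return b"".join(p.payload for p in sorted(packets, key=lambda p: p.seq))

def extract_parameters(message: bytes) -> List[Tuple[str, str]]:
    """Query-string and form-body parameters of the reconstructed request."""
    head, _, body = message.partition(b"\r\n\r\n")
    target = head.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
    params: List[Tuple[str, str]] = []
    if len(target) >= 2 and "?" in target[1]:
        params += parse_qsl(target[1].split("?", 1)[1], keep_blank_values=True)
    params += parse_qsl(body.decode("latin-1"), keep_blank_values=True)
    return params

def looks_like_sql(value: str) -> bool:
    """Claim 4: split into minimal units and ask whether they form SQL syntax.
    Toy criterion: two SQL keywords, or one keyword plus a quote/operator/comment.
    A lone "from" or a lone apostrophe (O'Brien) therefore does not trigger."""
    tokens = TOKEN_RE.findall(value)
    keywords = sum(t.lower() in SQL_KEYWORDS for t in tokens)
    has_operator = any(t in SQL_OPERATORS for t in tokens)
    return keywords >= 2 or (keywords >= 1 and has_operator)

def suspicious_values(message: bytes) -> List[str]:
    """Claim 1, step 2: the parser's verdict, as the values it objected to."""
    return [v for _, v in extract_parameters(message) if looks_like_sql(v)]

def abnormal_packets(packets: List[Packet], values: List[str]) -> List[int]:
    """Map flagged values back to the packets that carried them; a value split across
    a packet boundary is not found, so every packet is flagged in that case."""
    hits = [p.seq for p in packets
            if any(v in unquote_plus(p.payload.decode("latin-1")) for v in values)]
    return sorted(hits) if hits else sorted(p.seq for p in packets)

def modify_message(message: bytes, values: List[str], sensitive: FrozenSet[str]) -> bytes:
    """Claims 5 and 6: flagged values become empty, personal-data fields become unreadable."""
    head, _, body = message.partition(b"\r\n\r\n")
    rewritten = []
    for k, v in parse_qsl(body.decode("latin-1"), keep_blank_values=True):
        if v in values:
            v = ""                  # claim 5: suspicious message -> normal message
        elif k in sensitive:
            v = "X" * len(v)        # claim 6: personal information masked downstream
        rewritten.append((k, v))
    new_body = urlencode(rewritten).encode("latin-1")
    head = re.sub(rb"(?im)^Content-Length:\s*\d+",   # keep the framing consistent
                  b"Content-Length: %d" % len(new_body), head)
    return head + b"\r\n\r\n" + new_body

def handle(packets: List[Packet], action: Disposition = Disposition.DROP,
           sensitive: FrozenSet[str] = frozenset({"card"})
           ) -> Tuple[Disposition, bytes, List[int]]:
    """Claim 1 end to end: (what was done, bytes forwarded, packets dropped/re-requested)."""
    message = reassemble(packets)
    flagged = suspicious_values(message)
    if not flagged:
        return Disposition.FORWARD, message, []
    bad = abnormal_packets(packets, flagged)
    if action is Disposition.MODIFY:
        return Disposition.MODIFY, modify_message(message, flagged, sensitive), bad
    return (Disposition.RETRANSMIT if action is Disposition.RETRANSMIT
            else Disposition.DROP), b"", bad

def make_request(body: bytes) -> List[Packet]:
    """Constructed sample: one POST split over two out-of-order packets with dummy headers."""
    head = (b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: %d\r\n\r\n" % len(body))
    raw = head + body
    cut = len(raw) // 2
    return [Packet(2, b"HDR2", raw[cut:]), Packet(1, b"HDR1", raw[:cut])]

if __name__ == "__main__":
    clean = make_request(b"user=alice&q=hello+from+alice&card=4111111111111111")
    tainted = make_request(b"user=alice&q=%27+OR+1%3D1+--&card=4111111111111111")
    print(handle(clean)[0], handle(tainted)[0], handle(tainted)[2])
    print(handle(tainted, Disposition.MODIFY)[1].decode())
```

The check operates on decoded parameter values rather than on the raw bytes, which is what makes the reassembly step matter: a value split across two packets is invisible to a per-packet filter but is a single token sequence once the payloads are joined. The same keyword-list shortcut is also why the example is not a drop-in detector: ordinary prose with two SQL words in it would be flagged, and that trade-off is the reason claim 4 calls for a parser rather than a pattern list.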
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020100064363A KR101005927B1 (ko) | 2010-07-05 | 2010-07-05 | Web application attack detection method |
KR10-2010-0064363 | 2010-07-05 |
Publications (2)
Publication Number | Publication Date |
---|---|
JP2012014667A JP2012014667A (ja) | 2012-01-19 |
JP4977888B2 true JP4977888B2 (ja) | 2012-07-18 |
Family
ID=43615822
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
JP2010178803A Active JP4977888B2 (ja) | 2010-07-05 | 2010-08-09 | Web application attack detection method |
Country Status (4)
Country | Link |
---|---|
US (1) | US20120124661A1 (ja) |
JP (1) | JP4977888B2 (ja) |
KR (1) | KR101005927B1 (ja) |
CN (1) | CN102316087A (ja) |
Families Citing this family (19)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9361394B2 (en) * | 2010-06-30 | 2016-06-07 | Oracle International Corporation | Response header invalidation |
US20130019314A1 (en) * | 2011-07-14 | 2013-01-17 | International Business Machines Corporation | Interactive virtual patching using a web application server firewall |
CN102938771B (zh) * | 2012-12-05 | 2016-04-06 | 山东中创软件商用中间件股份有限公司 | Method and system for a web application firewall |
GB201302402D0 (en) * | 2013-02-11 | 2013-03-27 | Telecom Ltd Q | Communication apparatus |
US8997232B2 (en) * | 2013-04-22 | 2015-03-31 | Imperva, Inc. | Iterative automatic generation of attribute values for rules of a web application layer attack detector |
CA2884321C (en) * | 2013-08-15 | 2015-06-30 | Immun.io Inc. | Method and system for protecting web applications against web attacks |
KR101488271B1 (ko) | 2013-11-26 | 2015-02-02 | 한국전자통신연구원 | Apparatus and method for detecting IDS false positives |
KR101468601B1 (ko) | 2014-03-13 | 2014-12-03 | 한국전자통신연구원 | Apparatus and method for security management of web servers and web application servers |
EP3211853B1 (en) * | 2016-02-26 | 2019-10-30 | Mitsubishi Electric R & D Centre Europe B.V. | Real-time validation of json data applying tree graph properties |
US10404744B2 (en) * | 2016-09-20 | 2019-09-03 | Microsoft Technology Licensing, Llc | Database query injection detection and prevention |
CN106534209B (zh) * | 2016-12-29 | 2017-12-19 | 广东睿江云计算股份有限公司 | Method and system for diverting reflective DDoS traffic |
CN108268774B (zh) * | 2017-01-04 | 2021-07-23 | 阿里巴巴集团控股有限公司 | Method and apparatus for determining attack requests |
US10931790B2 (en) * | 2017-08-17 | 2021-02-23 | Saudi Arabian Oil Company | Systems and methods for securely transferring selective datasets between terminals with multi-applications support |
US10389685B2 (en) * | 2017-08-17 | 2019-08-20 | Saudi Arabian Oil Company | Systems and methods for securely transferring selective datasets between terminals |
KR101959544B1 (ko) * | 2018-06-01 | 2019-03-18 | 주식회사 에프원시큐리티 | Web attack detection and blocking system and method |
US11297091B2 (en) * | 2019-09-24 | 2022-04-05 | Bank Of America Corporation | HTTP log integration to web application testing |
CN111988280A (zh) * | 2020-07-24 | 2020-11-24 | 网宿科技股份有限公司 | Server and request processing method |
KR102258956B1 (ko) * | 2020-11-20 | 2021-06-02 | (주)시큐레이어 | Method for detecting attacks in an environment using SQL (Structured Query Language), a language for managing relational databases, and server using the same |
CN113297577B (zh) * | 2021-06-16 | 2024-05-28 | 深信服科技股份有限公司 | Request processing method, apparatus, electronic device and readable storage medium |
Family Cites Families (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6307487B1 (en) * | 1998-09-23 | 2001-10-23 | Digital Fountain, Inc. | Information additive code generator and decoder for communication systems |
US7149966B2 (en) * | 2002-06-24 | 2006-12-12 | Microsoft Corporation | Word processor for freestyle editing of well-formed XML documents |
US7725934B2 (en) * | 2004-12-07 | 2010-05-25 | Cisco Technology, Inc. | Network and application attack protection based on application layer message inspection |
JP4997242B2 (ja) * | 2005-08-25 | 2012-08-08 | フォーティファイ ソフトウェア, エルエルシー | Apparatus and method for analyzing and supplementing programs to provide security |
KR20080036706A (ko) * | 2006-10-24 | 2008-04-29 | 박재철 | Web security module using web attack regular expressions and a script file inclusion function |
KR101343673B1 (ko) * | 2007-02-05 | 2013-12-20 | 주식회사 엘지씨엔에스 | Network security apparatus and method |
KR100951930B1 (ko) * | 2007-11-19 | 2010-04-09 | (주) 시스메이트 | Method and apparatus for classifying improper packets |
KR101045332B1 (ko) * | 2008-12-24 | 2011-06-30 | 한국인터넷진흥원 | IRC and HTTP botnet information sharing system and method |
2010
- 2010-07-05 KR KR1020100064363A patent/KR101005927B1/ko active IP Right Grant
- 2010-08-09 JP JP2010178803A patent/JP4977888B2/ja active Active
- 2010-09-07 US US12/876,820 patent/US20120124661A1/en not_active Abandoned
- 2010-09-17 CN CN2010102872622A patent/CN102316087A/zh active Pending
Also Published As
Publication number | Publication date |
---|---|
CN102316087A (zh) | 2012-01-11 |
US20120124661A1 (en) | 2012-05-17 |
JP2012014667A (ja) | 2012-01-19 |
KR101005927B1 (ko) | 2011-01-07 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
JP4977888B2 (ja) | Web application attack detection method | |
US9356937B2 (en) | Disambiguating conflicting content filter rules | |
Wang et al. | Shield: Vulnerability-driven network filters for preventing known vulnerability exploits | |
US7302480B2 (en) | Monitoring the flow of a data stream | |
US8533824B2 (en) | Resisting the spread of unwanted code and data | |
Rafique et al. | Firma: Malware clustering and network signature generation with mixed network behaviors | |
JP5642856B2 (ja) | Cross-site scripting filter | |
US9516045B2 (en) | Resisting the spread of unwanted code and data | |
Razzaq et al. | Ontology for attack detection: An intelligent approach to web application security | |
CN104348803B (zh) | Link hijacking detection method, apparatus, user equipment, analysis server and system | |
US20200120109A1 (en) | Iterative constraint solving in abstract graph matching for cyber incident reasoning | |
US8751787B2 (en) | Method and device for integrating multiple threat security services | |
US8051484B2 (en) | Method and security system for indentifying and blocking web attacks by enforcing read-only parameters | |
US20140189879A1 (en) | Method for identifying file type and apparatus for identifying file type | |
CN111835777B (zh) | Abnormal traffic detection method, apparatus, device and medium | |
CN110362992A (zh) | Method and device for blocking or detecting computer attacks in a cloud-based environment | |
CN106470214A (zh) | Attack detection method and apparatus | |
CN104954345B (zh) | Attack identification method and apparatus based on object analysis | |
CN113810381B (zh) | Crawler detection method, web application cloud firewall, apparatus and storage medium | |
JP5656266B2 (ja) | Blacklist extraction device, extraction method and extraction program | |
CN110581780B (zh) | Automatic identification method for web server assets | |
WO2022001577A1 (zh) | Whitelist-based content lock firewall method and system | |
CN108259416B (zh) | Method for detecting malicious web pages and related devices | |
CN110933094A (zh) | Network security device and its SMB vulnerability detection method, apparatus and medium | |
US20120054861A1 (en) | Secure third party scripting environment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
2011-12-05 | A871 | Explanation of circumstances concerning accelerated examination | Free format text: JAPANESE INTERMEDIATE CODE: A871 |
 | TRDD | Decision of grant or rejection written | |
2011-12-27 | A975 | Report on accelerated examination | Free format text: JAPANESE INTERMEDIATE CODE: A971005 |
2012-01-10 | A01 | Written decision to grant a patent or to grant a registration (utility model) | Free format text: JAPANESE INTERMEDIATE CODE: A01 |
2012-01-24 | A61 | First payment of annual fees (during grant procedure) | Free format text: JAPANESE INTERMEDIATE CODE: A61 |
2012-03-27 | A61 | First payment of annual fees (during grant procedure) | Free format text: JAPANESE INTERMEDIATE CODE: A61 |
 | FPAY | Renewal fee payment (event date is renewal date of database) | Free format text: PAYMENT UNTIL: 20150427; Year of fee payment: 3 |
 | R150 | Certificate of patent or registration of utility model | Free format text: JAPANESE INTERMEDIATE CODE: R150; Ref document number: 4977888; Country of ref document: JP |
 | FPAY | Renewal fee payment (event date is renewal date of database) | Free format text: PAYMENT UNTIL: 20150427; Year of fee payment: 3 |
 | FPAY | Renewal fee payment (event date is renewal date of database) | Free format text: PAYMENT UNTIL: 20150427; Year of fee payment: 3 |
 | R250 | Receipt of annual fees | Free format text: JAPANESE INTERMEDIATE CODE: R250 |
 | R250 | Receipt of annual fees | Free format text: JAPANESE INTERMEDIATE CODE: R250 |
 | R250 | Receipt of annual fees | Free format text: JAPANESE INTERMEDIATE CODE: R250 |
 | R250 | Receipt of annual fees | Free format text: JAPANESE INTERMEDIATE CODE: R250 |
 | R250 | Receipt of annual fees | Free format text: JAPANESE INTERMEDIATE CODE: R250 |
 | R250 | Receipt of annual fees | Free format text: JAPANESE INTERMEDIATE CODE: R250 |
 | R250 | Receipt of annual fees | Free format text: JAPANESE INTERMEDIATE CODE: R250 |
 | R250 | Receipt of annual fees | Free format text: JAPANESE INTERMEDIATE CODE: R250 |
 | R250 | Receipt of annual fees | Free format text: JAPANESE INTERMEDIATE CODE: R250 |
 | R250 | Receipt of annual fees | Free format text: JAPANESE INTERMEDIATE CODE: R250 |
 | R250 | Receipt of annual fees | Free format text: JAPANESE INTERMEDIATE CODE: R250 |