TWI640894B - Method of detecting internet information security and its implemented system - Google Patents

Method of detecting internet information security and its implemented system

Info

Publication number: TWI640894B
Authority: TW (Taiwan)
Application number: TW105136157A
Other languages: Chinese (zh)
Other versions: TW201818289A (English)
Prior art keywords: information, connection request, processing module, connection, website
Inventor: 劉國良
Original assignee: 劉國良

Application filed by 劉國良
Priority to TW105136157A
Publication of TW201818289A
Application granted
Publication of TWI640894B

Abstract

The invention discloses a network information security detection method and a system implementing it. The system is installed on a website platform and mainly comprises an identification module, a processing module, a recording module and an alarm module. After the identification module inspects the packet information and the requester information of a connection request, it can extract the requester information, a variant signature and a count of abnormal traffic events. The processing module takes immediate countermeasures according to the identification result; once the count of abnormal traffic events reaches a set threshold it forges (substitutes) the webpage content served by the website platform and drives the alarm module to notify the website administrator. This lowers the hardware and software cost of building an information security detection system and reduces the likelihood that the web server becomes unable to provide service because of a DDoS attack.

Description

Network information security detection method and system implementing it

A network information security detection method and implementing system for preventing a website platform from being subjected to information attacks; in particular, a network information security detection method and system that responds effectively to DDoS attacks by serving forged (decoy) webpage content.

With the development of information technology, websites have become an important channel for corporate brand management, e-commerce revenue, news and media publicity, and knowledge acquisition. Today's attacks, however, are no longer limited to the client side (personal computers or mobile devices) and have shifted to the website platforms running on the server side. If a website platform is compromised, the consequences can be severe: theft of member data, loss of service, and losses that are hard to estimate. The most prevalent website attacks at present include denial of service (DoS), distributed denial of service (DDoS), cross-site scripting (XSS), SQL injection and cross-site request forgery (CSRF). This has created a need for network information security detection systems designed for website platforms. Conventional systems mainly place a web application firewall (WAF) and an intrusion prevention system (IPS) in front of the server to make up for the limitation that an ordinary network firewall can only inspect packet information at layers 2 to 4 of the Open Systems Interconnection reference model (OSI).

A web application firewall (WAF) matches signatures (feature codes) to detect and block abnormal connection requests at the OSI application layer (for example HTTP/HTTPS requests), and can also inspect and restrict the contents of website forms and fields. US patent publication US20140373125A1, "Web security protection method, device and system", discloses such a method and system: a web security device detects whether a website has a security vulnerability and sends the detection result to a web application firewall; if the WAF determines the result to be a security vulnerability, it extracts a suspicious signature from it, compares that signature with the signatures stored in a local rule library, and then either configures a corresponding security policy for the website or stores the suspicious signature in the local rule library.

An intrusion prevention system (IPS) uses signature matching and deep packet inspection (DPI) to detect whether packet contents at the various OSI layers contain abnormal data, and actively filters abnormal packets to block viruses, worms, Trojan horses and spyware. An IPS can also detect whether the traffic volume of a connection is abnormal in order to guard against DDoS attacks; for example Chinese patent CN101034975B, "Method and apparatus for preventing small-packet attacks", uses a comparison unit to compare the received data volume and a processing unit to correct it, so as to control the number of packets forwarded to the server. In addition, website administrators respond to DDoS attacks by increasing network bandwidth, upgrading server hardware (memory, disk space, disk type and so on), and using traffic scrubbing or traffic diversion.

However, an IPS cannot inspect encrypted packet contents (such as traffic carried over HTTPS), nor, according to the inventor, can it recognize website attacks such as SQL injection or cross-site scripting as abnormal connection behaviour, so website administrators usually also need to deploy a WAF. This inevitably increases the complexity of the detection architecture and the number of points of failure, and introduces product incompatibilities and differing management interfaces, which may weaken the defensive capability of the detection system and add to the administrator's workload. Against high-volume abnormal connections, administrators mainly rely on upgrading server hardware, increasing bandwidth, and building a scrubbing center. How to provide a network information security detection method and system that lowers the hardware and software cost of deployment, blocks the various website attacks, and responds effectively to DDoS attacks therefore remains an unsolved problem.

In view of the above problems, the inventor, drawing on many years of information security research, studied how to lower the hardware and software cost of deploying a network information security detection system while effectively blocking the various website attacks. The main purpose of the invention is therefore to provide a "network information security detection method and implementing system" that lowers that cost, effectively blocks website attacks, and responds effectively to DDoS attacks.

To achieve this, the network information security detection system of the invention comprises an identification module, a processing module, a recording module, an alarm module, an attack signature database and a black/white list database. The attack signature database stores a plurality of signatures; the black/white list database stores requester information for clients that are allowed and not allowed to access the website platform. The identification module parses the requester information and packet information of a connection request to determine whether the request to the website platform is abnormal. The processing module takes immediate countermeasures according to the identification result (for example rejecting the request outright), marks the requester information of an abnormal request as blacklist information, and drives the alarm module to send an alert to the website administrator, who holds a monitoring device. If the attack is a DDoS attack, the processing module instead sets a threshold and forges the content the website platform serves (for example a very small webpage) rather than blocking the request immediately, so that the web server carries a smaller load, the requester is deceived, and the probability that the web server is taken out of service by the DDoS attack is greatly reduced. The invention thus provides a "network information security detection method and implementing system" that lowers the hardware and software cost of the detection system, responds immediately to the various website attacks, notifies the website administrator immediately, and at the same time addresses the problem of a web server being unable to provide service under DDoS attack.

So that the examiners may clearly understand the purpose, technical features and effects of the invention, it is described below with reference to the drawings.

1   network information security detection system
11  identification module
12  processing module
13  recording module
14  alarm module
15  attack signature database
16  black/white list database
2   website server
21  website platform
22  website database
3   monitoring device
S1  detect connection request step
S2  determine whether the connection request is abnormal step
S21 determine whether the requester information is blacklisted step
S22 determine whether the connection request contains a signature step
S23 determine whether the abnormal-traffic count has reached the first threshold step
S24 serve forged webpage information step
S25 determine whether the second threshold is satisfied step
S3  reject connection request step
S4  warning step
S5  update requester information and signatures step
S6  allow connection request step
S7  record connection request information step

Figure 1 is the system architecture diagram of the invention.

Figure 2 is a schematic diagram of the composition of the system.

Figure 3 is a schematic diagram of the implementation flow (part 1).

Figure 4 is a schematic diagram of the implementation flow (part 2).

Referring to Figure 1, the system architecture of the invention: a website server 2 hosts a website platform 21 and a website database 22; the website platform 21 is linked to the website database 22 to access the stored website content. The network information security detection system 1 of the invention is installed on the website platform 21, and a monitoring device 3 is linked directly to the detection system 1 to view the monitoring information of the website platform 21. A requester wishing to connect to the website platform 21 must therefore first pass the filtering mechanism of the detection system 1 before it can connect to the platform and access the website data it provides; the monitoring device 3 is used to check whether the detection system 1 has reported any abnormal condition.

Referring to Figure 2, the composition of the system: the network information security detection system 1 mainly comprises an identification module 11, a processing module 12, a recording module 13, an alarm module 14, an attack signature database 15 and a black/white list database 16. The attack signature database 15 and the black/white list database 16 are each linked to the identification module 11 and the processing module 12; the recording module 13 and the alarm module 14 are each linked to the processing module 12. The identification module 11 determines whether a connection request contains a signature identical or similar to one stored in the attack signature database 15, whether the requester information matches blacklist information stored in the black/white list database 16, and whether the requester's traffic volume is abnormal. The website administrator can edit the black/white list database 16 directly; its entries consist of requester information such as the IP addresses, packet information and port numbers that are allowed or not allowed to access the website platform 21. The signature comparison mechanism includes checking whether the packet information of the request contains a malware signature (computer virus, worm, Trojan horse and so on), a malicious SQL input string, an index value of a file name in the website database 22, an encoded URL (Uniform Resource Locator) or attribute value, or a suspected XSS command entered on a message board, and whether the requester's traffic volume is abnormal. The processing module 12 takes immediate countermeasures according to the identification result (such as blocking the request outright) and hands over to the recording module 13 to store the related request information: request time, port number, IP address, protection record, file name, threat type, action taken and so on. The processing module 12 can also update the signatures stored in the attack signature database 15 and the requester information stored in the black/white list database 16. The alarm module 14 generates alert information and reports it to the monitoring device 3, which may be a personal computer (PC), notebook computer (NB), smartphone or tablet, without limitation.
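Added example, not from the patent: a Python sketch of the signature comparison the identification module 11 performs against the attack signature database 15. It checks the request target, body and the headers attackers commonly abuse for SQL injection, XSS, path traversal and web-shell strings, and percent-decodes each field (a bounded number of times) before matching so that the "encoded URL or attribute value" case is caught. The signature patterns, request fields and sample requests are all constructed for illustration; a production rule set would be far larger and tuned against false positives.

```python
import re
import urllib.parse
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed stand-in for the patent's attack signature database 15
# (hypothetical patterns chosen for illustration, not a production rule set).
# Each entry is a compiled regex and the threat type the recording module logs.
SIGNATURES = [
    (re.compile(r"(?i)(\bunion\b\s+(?:all\s+)?\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+|;\s*drop\s+table)"),
     "sql-injection"),
    (re.compile(r"(?i)(<script\b|javascript:|\bon(?:load|error|click)\s*=)"), "xss"),
    (re.compile(r"(?:\.\./){2,}|/etc/passwd"), "path-traversal"),
    (re.compile(r"(?i)eval\(base64_decode\("), "webshell"),
]


@dataclass
class HttpRequest:
    """The parts of a connection request the identification module inspects."""
    client_ip: str
    method: str
    target: str                                   # path plus query string
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


def normalise(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so an encoded URL or attribute value
    is matched against the same signatures as its plain form; stop as soon as
    a round changes nothing, so double-encoded payloads are unwrapped too."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def match_signatures(req: HttpRequest) -> Optional[Tuple[str, str]]:
    """Return (threat type, matched text) for the first signature hit across
    the target, body and selected headers, or None when the request is clean."""
    fields = [req.target, req.body,
              req.headers.get("User-Agent", ""),
              req.headers.get("Referer", ""),
              req.headers.get("Cookie", "")]
    for raw in fields:
        candidate = normalise(raw)
        for pattern, threat in SIGNATURES:
            hit = pattern.search(candidate)
            if hit:
                return threat, hit.group(0)
    return None


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS: Dict[str, HttpRequest] = {
    "sqli": HttpRequest("203.0.113.10", "GET", "/search?q=%27%20OR%20%271%27%3D%271"),
    "xss-double-encoded": HttpRequest("203.0.113.11", "POST", "/guestbook",
                                      body="comment=%253Cscript%253Ealert(1)%253C%2Fscript%253E"),
    "traversal": HttpRequest("203.0.113.12", "GET", "/download?file=../../../etc/passwd"),
    "clean": HttpRequest("198.51.100.7", "GET", "/products?id=42",
                         headers={"User-Agent": "Mozilla/5.0"}),
}


def scan(requests: Dict[str, HttpRequest]) -> Dict[str, Optional[str]]:
    """Threat type per labelled request, None for a clean one."""
    result = {}
    for label, req in requests.items():
        hit = match_signatures(req)
        result[label] = hit[0] if hit else None
    return result


if __name__ == "__main__":
    for label, req in SAMPLE_REQUESTS.items():
        print(f"{label:20s} -> {match_signatures(req)}")
```

The decoding bound matters: decoding until a fixed point without a limit lets a client make the filter spin on pathological input, while decoding only once misses the double-encoded guestbook comment in the sample set. Real deployments also normalise character set and path segments before matching; that is omitted here.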

Referring to Figure 3, implementation flow (part 1). The method implemented by the network information security detection system 1 comprises:

(1) Detect connection request, step S1: when a requester wants to access website data of the website platform 21 on the website server 2, it sends a connection request (for example an HTTP/HTTPS request). The network information security detection system 1 installed on the website platform 21 receives the request first and hands it to its identification module 11, which inspects the packet information of the request. The packet information consists of a header and a payload, and the header carries the requester information. Once step S1 is complete, the identification module 11 proceeds to step S2.

(2) Determine whether the connection request is abnormal, step S2: following S1, the identification module 11 determines whether the packet information contains a signature from the attack signature database 15, whether the requester is blacklisted in the black/white list database 16, or whether the requester's traffic volume is abnormal. If the request is judged abnormal, the identification module passes it to the processing module 12, which performs step S3 (reject); if not, the processing module 12 performs step S6 (allow).

(3) Reject connection request, step S3: following S2, when the identification module 11 deems the request abnormal, the processing module 12 takes a countermeasure: for example rejecting the request immediately and marking the requester information as blacklist information, or deciding, by whether the requester's abnormal-traffic count has met a threshold value, whether to reject the request, blacklist the requester, or serve a forged version of a webpage provided by the website platform 21.

(4) Warning, step S4: following S3, once the identification module 11 has deemed the request abnormal and the processing module 12 has responded, the alarm module 14 transmits the alert it generates to the monitoring device 3 so that the website administrator learns that an abnormal request attempted to connect to the website platform 21.

(5) Update requester information and signatures, step S5: following S4, when the identification module 11 has deemed the request abnormal, the processing module 12 adds a variant signature to the attack signature database 15 and marks the requester information as blacklist information in the black/white list database 16.

(6) Allow connection request, step S6: following S2, when the identification module 11 deems the request not abnormal, the processing module 12 lets it pass through the detection system 1, and the request can access the webpage data provided by the website platform 21.

(7) Record connection request information, step S7: after the processing module 12 completes step S5 or step S6, it links to the recording module 13 to record the related request information (request time, port number, IP address, protection record, file name, threat type, action taken and so on). After the recording module 13 completes step S7, the identification module 11 returns to step S1.

請參閱「第4圖」,圖中所示為本發明之實施流程示意圖(二),如圖,當本發明之辨識模組11完成偵測連線請求步驟S1後,判斷連線請求是否異常步驟S2之實施方法包括: (1)判斷連線請求端資訊是否列於黑名單步驟S21:承判斷連線請求是否異常步驟S2,一辨識模組11先將連線請求之連線請求端資訊與黑白名單資料庫16進行比對,以確認連線請求端資訊是否列於黑白名單資料庫16所儲存之黑名單資訊中,若有,則辨識模組11認定連線請求為異常,並由處理模組12執行拒絕連線請求步驟S3;若無,則辨識模組11認定連線請求之連線請求端資訊不屬於黑名單資訊,並進而執行判斷連線請求是否包含特徵碼步驟S22;(2)判斷連線請求是否包含特徵碼步驟S22:承判斷連線請求端資訊是否列於黑名單步驟S21,辨識模組11確認連線請求之連線請求端資訊不屬於黑名單資訊後,先對連線請求之封包資訊與攻擊特徵資料庫15進行比對,以確認連線請求之封包資訊是否包含相同、或疑似攻擊特徵資料庫15所儲存之特徵碼,若有,則辨識模組11認定連線請求為異常,並由處理模組12執行拒絕連線請求步驟S3;若無,則認定連線請求並未包含相同、或變形的特徵碼,並繼續執行判斷流量異常次數是否達到第一閾值步驟S23,又,特徵碼比對機制可為:判斷連線請求之封包資訊是否含有惡意程式特徵碼(如電腦病毒、蠕蟲、或木馬程式等)、是否含有惡意SQL輸入字串、是否含有網站資料庫22內檔案名稱的索引值、是否含有經過編碼(Encoding)後的URL或屬性值(Attribute)、連線請求端於留言板是否輸入疑似XSS攻擊之惡意指令、以及連 線請求端之傳輸流量是否異常等;(3)判斷流量異常次數是否達到第一閾值步驟S23:承判斷連線請求是否包含特徵碼步驟S22,辨識模組11確認連線請求之封包資訊並未包含特徵碼後,即開始偵測連線請求端之異常傳輸流量次數是否達到處理模組12所預設之一第一閾值,若有達到第一閾值,則處理模組12執行提供偽造網頁資訊步驟S24;若未滿足第一閾值,則處理模組12執行允許連線請求步驟S6,又,辨識模組11判斷異常傳輸流量次數之判斷機制為:若連線請求端於一平均時間內,發出相同、或不同的正常連線請求之次數滿足第一閾值時(例如連線請求端於30分鐘內發出超過200次相同、或不同連線請求時),意即大量瀏覽、或存取網站平台21之網站資料,辨識模組11即認定此連線請求之傳輸流量為異常;(4)提供偽造網頁資訊步驟S24:承判斷流量異常次數是否達到第一閾值步驟S23,若辨識模組11認定連線請求端之流量異常次數已滿足第一閾值,則處理模組12先資訊連結至網站平台21,以對網站平台21所提供的網站資料進行偽造,再允許連線請求端繼續發出連線請求,其後,處理模組12再繼續執行判斷第二閾值是否被滿足步驟S25,另,所述經過偽造的網頁資料可為:空白網頁、或顯示僅有少數字串的網頁,藉此,可讓網站平台21對連線請求端提供較小、或極小的網頁檔案,以欺瞞發動DDoS攻擊之連線請求端,同時能減輕網站伺服器2 的負擔,進而降低網站伺服器2遭到DDoS攻擊而無法提供服務的可能性;(5)判斷第二閾值是否被滿足步驟S25:承提供偽造網頁資訊步驟S24,辨識模組11繼續判斷處理模組12所預設之一第二閾值是否有被滿足,若第二閾值有被滿足,則處理模組12執行拒絕連線請求步驟S3;若第二閾值未被滿足,則處理模組12對第二閾值進行累加,並執行允許連線請求步驟S6;(6)又,所述的判斷連線請求端是否列於黑名單步驟S21執行完畢後,可先執行判斷流量異常次數是否達到第一閾值步驟S23,換言之,處理模組12判斷流量異常次數是否達到第一閾值步驟S23的判斷結果若為「第一閾值未被滿足」,則處理模組12並非直接執行允許連線請求步驟S6,而是接續執行判斷連線請求是否包含特徵碼步驟S22;相對地,判斷流量異常次數是否達到第一閾值步驟S23的判斷結果若為「第一閾值已被滿足」,則處理模組12可直接執行提供偽造網頁資訊步驟S24,並接續執行是否滿足第二閾值步驟S25,其後,若是否滿足第二閾值步驟S25的判斷結果為「第二閾值未被滿足」,則處理模組12可接續執行判斷連線請求是否包含特徵碼步驟S22。 Please refer to FIG. 4, which is a schematic diagram (2) of the implementation process of the present invention. 
As shown in the figure, when the identification module 11 of the present invention completes the detection connection request step S1, it is determined whether the connection request is abnormal. The implementation method of step S2 includes: (1) determining whether the information of the connection requesting end is listed in the blacklist step S21: determining whether the connection request is abnormal or not, step S2, and the identification module 11 firstly connects the request request information of the connection request. Comparing with the black and white list database 16 to confirm whether the connection requester information is listed in the blacklist information stored in the black and white list database 16, and if so, the identification module 11 determines that the connection request is abnormal, and The processing module 12 performs the reject connection request step S3; if not, the identification module 11 determines that the connection request end information of the connection request does not belong to the blacklist information, and further performs determining whether the connection request includes the signature code step S22; (2) determining whether the connection request includes the feature code. Step S22: determining whether the connection request end information is listed in the blacklist step S21, and the identification module 11 confirms that the connection request end information of the connection request does not belong to the blacklist information. 
First, the packet information of the connection request is compared against the attack signature database 15 to confirm whether it contains a signature identical to, or suspected to be a variant of, one stored in the attack signature database 15. If so, the identification module 11 judges the connection request to be abnormal and the processing module 12 executes the reject connection request step S3; if not, the connection request is judged not to contain an identical or deformed signature, and processing continues with step S23, determining whether the transmission traffic anomaly count reaches the first threshold. The signature comparison mechanism may include determining whether the packet information of the connection request contains a malicious program signature (such as a computer virus, worm or Trojan), whether it contains a malicious SQL input string, whether it contains an index value of a file name in the website database 22, whether it contains an encoded (Encoding) URL or attribute value (Attribute), whether the connection requester has posted a message suspected of an XSS attack on a message board, whether the transmission traffic of the connection requester is abnormal, and the like.

(3) Determining whether the transmission traffic anomaly count reaches the first threshold, step S23: after the identification module 11 confirms in step S22 that the packet information of the connection request contains no signature, it starts to detect whether the abnormal transmission traffic of the connection requester reaches a first threshold preset by the processing module 12. If the first threshold is reached, the processing module 12 executes the provide forged webpage information step S24; if it is not reached, the processing module 12 executes the allow connection request step S6. The mechanism by which the identification module 11 judges the transmission traffic anomaly count is as follows: if the number of connection requests (identical or different, each normal in itself) that the connection requester issues within an average time satisfies the first threshold (for example, the connection requester issues more than 200 identical or different connection requests within 30 minutes), this indicates bulk browsing or access of the website data of the website platform 21, and the identification module 11 judges the transmission traffic of the connection request to be abnormal.

(4) Providing forged webpage information, step S24: if in step S23 the identification module 11 determines that the transmission traffic anomaly count of the connection requester has satisfied the first threshold, the processing module 12 first establishes an information link to the website platform 21 and forges the website information provided by the website platform 21, then allows the connection requester to continue issuing connection requests. Thereafter the processing module 12 proceeds to step S25, determining whether the second threshold is satisfied.

The forged webpage data may be a blank webpage, or a webpage displaying only a small amount of text, so that the website platform 21 returns a smaller or minimal webpage file to the connection requester. Deceiving the connection requester of a DDoS attack in this way reduces the burden on the website server 2, and hence the possibility that the website server 2 is rendered unable to provide service by the DDoS attack.

(5) Determining whether the second threshold is satisfied, step S25: after the provide forged webpage information step S24, the identification module 11 continues to determine whether the second threshold preset by the processing module 12 is satisfied. If the second threshold is satisfied, the processing module 12 executes the reject connection request step S3; if it is not satisfied, the processing module 12 increments the count toward the second threshold and executes the allow connection request step S6.

(6) Alternatively, after the step S21 of determining whether the connection requester is listed in the blacklist is completed, the step S23 of determining whether the transmission traffic anomaly count reaches the first threshold may be performed first. In other words, the processing module 12 first determines whether the transmission traffic anomaly count reaches the first threshold. If the result of step S23 is "first threshold not satisfied", the processing module 12 does not execute the allow connection request step S6 directly, but proceeds to the step S22 of determining whether the connection request contains a signature; conversely, if the first threshold has already been satisfied, the processing module 12 may directly execute the provide forged webpage information step S24 and continue with the step S25 of determining whether the second threshold is satisfied. Then, if the result of step S25 is "second threshold not satisfied", the processing module 12 may continue with the step S22 of determining whether the connection request contains a signature.
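The flow of steps S21 to S25 above (blacklist check, signature comparison, first threshold, forged page, second threshold, reject and blacklist), written out as an added example in Python. This is not code from the patent or its applicant. The first threshold uses the patent's own worked figure of 200 requests within 30 minutes; the second threshold value, the signature patterns, the requester identifier (a source IP string) and the sample requests are assumptions constructed for this example.

```python
import re
from collections import defaultdict, deque
from urllib.parse import unquote

# First threshold: the patent's worked figure of 200 requests within 30 minutes.
FIRST_THRESHOLD = 200
WINDOW_SECONDS = 30 * 60
# Second threshold: forged-page responses tolerated before the requester is
# rejected and blacklisted. The patent fixes no value; 100 is an assumption.
SECOND_THRESHOLD = 100

# Attack signature database (constructed, illustrative patterns only). The patent
# names malicious SQL input strings, encoded URLs or attribute values and XSS
# message-board payloads among the things compared; these regexes stand in for it.
SIGNATURES = [
    ("sqli", re.compile(r"(?i)(\bunion\b.+\bselect\b|'\s*or\s+'?1'?\s*=\s*'?1|;\s*drop\s+table)")),
    ("xss", re.compile(r"(?i)(<script\b|javascript:|\bon(error|load|click|mouseover)\s*=)")),
    ("traversal", re.compile(r"\.\./|\.\.\\")),
]

FORGED_PAGE = "<html><body></body></html>"  # blank page, as the patent describes


class Detector:
    def __init__(self, first_threshold=FIRST_THRESHOLD, window=WINDOW_SECONDS,
                 second_threshold=SECOND_THRESHOLD):
        self.first_threshold = first_threshold
        self.window = window
        self.second_threshold = second_threshold
        self.blacklist = set()                 # blacklist part of the black/white list database
        self.history = defaultdict(deque)      # requester -> request timestamps inside the window
        self.forged_served = defaultdict(int)  # requester -> count toward the second threshold
        self.records = []                      # recording module: (time, requester, threat, action)
        self.alerts = []                       # alarm module: (requester, reason)

    def match_signature(self, packet):
        # Decode twice so single- and double-percent-encoded payloads are compared in
        # the same form as plain ones (the "encoded URL or attribute value" check).
        decoded = unquote(unquote(packet))
        for name, pattern in SIGNATURES:
            if pattern.search(decoded):
                return name
        return None

    def _blacklist(self, requester, reason):
        self.blacklist.add(requester)
        self.alerts.append((requester, reason))

    def _decide(self, requester, packet, now):
        # S21: anything already blacklisted is rejected outright.
        if requester in self.blacklist:
            return "reject", "blacklisted"
        # S22: signature comparison; a hit rejects and blacklists immediately.
        sig = self.match_signature(packet)
        if sig is not None:
            self._blacklist(requester, "signature:" + sig)
            return "reject", sig
        # S23: count this requester's requests inside the sliding window
        # (timestamps are assumed to arrive in non-decreasing order per requester).
        window = self.history[requester]
        window.append(now)
        while now - window[0] > self.window:
            window.popleft()
        if len(window) < self.first_threshold:
            self.forged_served.pop(requester, None)  # rate back to normal: restart the counter
            return "allow", None
        # S24/S25: serve the forged (minimal) page and accumulate toward the second threshold.
        self.forged_served[requester] += 1
        if self.forged_served[requester] >= self.second_threshold:
            self._blacklist(requester, "flood")
            return "reject", "flood"
        return "forged", "flood"

    def handle(self, requester, packet, now):
        """Return the action for one request: 'allow', 'forged' or 'reject'."""
        action, threat = self._decide(requester, packet, now)
        self.records.append((now, requester, threat, action))
        return action

    def response_body(self, action, real_page):
        """Body the platform returns for an action; None means the connection is refused."""
        if action == "allow":
            return real_page
        if action == "forged":
            return FORGED_PAGE
        return None
```

Two caveats a practitioner would weigh before relying on this scheme. Counting per source address is defeated both by NAT (many legitimate users behind one address) and by a genuinely distributed attack that keeps every source under the first threshold, and a blank page still costs the server a TCP (and TLS) handshake plus a worker, so the saving is in bandwidth and back-end work rather than in connection handling. Regexes over decoded input, as in the constructed signature table here, also produce false positives and are no substitute for a maintained WAF ruleset.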

As can be seen from the above, the present invention mainly comprises an identification module, a processing module, a recording module, an alarm module, an attack signature database, and a black/white list database. The attack signature database stores a plurality of signatures; the black/white list database stores connection requester information for requesters that are allowed and not allowed to access the website platform; the identification module parses the connection requester information and packet information of a connection request to determine whether the connection request made by the connection requester to a website platform is abnormal; the processing module takes an immediate response measure according to the identification result of the identification module (for example, directly rejecting the connection request), marks the connection requester information of the abnormal connection request as blacklist information, and drives the alarm module to issue alarm information notifying the website administrator who holds the monitoring device. Further, if the connection requests issued by the connection requester are judged to constitute a DDoS attack, the processing module sets a threshold and forges the website content provided by the website platform (for example, a webpage with a smaller file size) rather than immediately blocking the connection requests, so that the website server bears a minimal load while deceiving the connection requester, greatly reducing the possibility that the website server is rendered unable to provide service by the DDoS attack.
Accordingly, once implemented, the present invention provides a "network information security detection method and its implementation system" that reduces the hardware and software construction cost of a network information security detection system, responds immediately to various website attacks, notifies the website administrator immediately, and at the same time solves the problem of the website server being unable to provide service because of a DDoS attack.

The above is merely a preferred embodiment of the present invention and is not intended to limit the scope of its implementation; all equivalent changes and modifications made by those skilled in the art without departing from the spirit and scope of the present invention shall fall within the patent scope of the present invention.

In summary, the present invention satisfies the patentability requirements of industrial applicability, novelty and inventive step; the applicant therefore files this application for an invention patent with the Patent Office in accordance with the Patent Act.

Claims (17)

1. A network information security detection method for detecting whether a connection request issued by a connection requester to a website platform is abnormal, so that a monitoring device, after establishing an information link to a network information security detection system, can obtain alarm information, the method comprising the following steps: a detect connection request step: an identification module detects the connection request to parse out connection requester information of the connection request and a transmission traffic anomaly count of the connection requester; a determine whether transmission traffic is abnormal step: the identification module determines whether the number of times the connection requester issues the connection request within an average time satisfies a first threshold preset by a processing module; a provide forged webpage information step: when the transmission traffic anomaly count reaches the first threshold, the processing module establishes an information link to the website platform, forges website data provided by the website platform, allows the connection requester to continue issuing the connection request to the website platform, and at the same time accumulates a count toward a second threshold preset by the processing module; and, if the second threshold is satisfied, the identification module determines the connection requester to be abnormal, and the processing module rejects the connection request and marks the connection requester information as blacklist information stored in a black/white list database.

2. The network information security detection method of claim 1, wherein, after the detect connection request step is completed, a determine whether connection requester information is listed in the black/white list step is performed first: the identification module determines whether the connection requester information belongs to the blacklist information stored in the black/white list database.

3. The network information security detection method of claim 1, wherein, if the transmission traffic anomaly count does not reach the first threshold, the processing module allows the connection requester to continue issuing the connection request to the website platform.

4. The network information security detection method of claim 1, wherein, if the second threshold is not satisfied, the processing module may first allow the connection requester to continue issuing the connection request to the website platform.

5. The network information security detection method of claim 2, wherein, when the connection requester information belongs to the blacklist information, the identification module determines the connection request to be abnormal and the processing module rejects the connection request.

6. The network information security detection method of claim 2, wherein, when the connection requester information does not belong to the blacklist information, the determine whether transmission traffic is abnormal step is performed.

7. The network information security detection method of claim 3, wherein, if the transmission traffic anomaly count does not reach the first threshold, a determine whether connection request contains a signature step is performed first: the identification module determines whether packet information of the connection request contains a signature identical to, or suspected to match, a signature stored in an attack signature database.

8. The network information security detection method of claim 7, wherein, when the packet information of the connection request contains a signature identical to or suspected to match the signature stored in the attack signature database, the processing module rejects the connection request and marks the connection requester information as blacklist information stored in a black/white list database.

9. The network information security detection method of claim 7, wherein, when the packet information of the connection request does not contain a signature identical to or suspected to match the signature stored in the attack signature database, the processing module allows the connection requester to issue the connection request to the website platform.

10. The network information security detection method of claim 8, wherein, after the processing module rejects the connection request, an update connection requester information or signature step is performed: the processing module adds a deformed signature to the attack signature database and updates the connection requester information stored in the black/white list database.

11. The network information security detection method of claim 1, wherein, after the processing module rejects the connection request, an update connection requester information step is performed: the processing module updates the connection requester information stored in the black/white list database.

12. The network information security detection method of claim 1, wherein the connection requester information includes: connection request time, port number, IP address, protection record, file name, threat type, and handling measure information.

13. The network information security detection method of claim 1, 5 or 8, wherein, after the processing module rejects the connection request, an alert step may be performed: the processing module establishes an information link to an alarm module so that the alarm module generates the alarm information, which the monitoring device can then obtain.

14. A network information security detection system, installed on a website platform, for detecting whether a connection request issued by a connection requester to the website platform is abnormal, so that a monitoring device, after establishing an information link, can obtain alarm information, the system comprising: an identification module that establishes information links with an attack signature database and a black/white list database respectively, for receiving the connection request and parsing out packet information, connection requester information and a transmission traffic anomaly count of the connection requester, and for identifying whether the connection requester information belongs to blacklist information stored in the black/white list database and whether the transmission traffic anomaly count satisfies a first threshold; a processing module that establishes an information link with the identification module, for taking a response measure according to the identification result of the identification module; a recording module, to which the processing module links, for recording connection request information related to the connection requester; an alarm module, to which the processing module links, for generating the alarm information; and wherein the response measure is that the processing module forges website data provided by the website platform and accumulates a count toward a second threshold preset by the processing module, and when the second threshold is satisfied the processing module rejects the connection request and establishes an information link to the black/white list database to mark the connection requester information as the blacklist information.

15. The network information security detection system of claim 14, wherein the identification module can compare whether the packet information contains a signature identical to or suspected to match a signature stored in the attack signature database, and the processing module can add a deformed signature to the attack signature database.

16. The network information security detection system of claim 15, wherein the response measure further includes the processing module establishing an information link to the attack signature database, to mark the connection requester information as the blacklist information and to update the deformed signature into the attack signature database.

17. The network information security detection system of claim 14, wherein the website data forged by the processing module is a website page with an extremely small file size or a blank website page.
TW105136157A 2016-11-07 2016-11-07 Method of detecting internet information security and its implemented system TWI640894B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW105136157A TWI640894B (en) 2016-11-07 2016-11-07 Method of detecting internet information security and its implemented system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW105136157A TWI640894B (en) 2016-11-07 2016-11-07 Method of detecting internet information security and its implemented system

Publications (2)

Publication Number Publication Date
TW201818289A TW201818289A (en) 2018-05-16
TWI640894B true TWI640894B (en) 2018-11-11

Family

ID=62949409

Family Applications (1)

Application Number Title Priority Date Filing Date
TW105136157A TWI640894B (en) 2016-11-07 2016-11-07 Method of detecting internet information security and its implemented system

Country Status (1)

Country Link
TW (1) TWI640894B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109447651A (en) * 2018-10-22 2019-03-08 武汉极意网络科技有限公司 Business air control detection method, system, server and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020035683A1 (en) * 2000-09-07 2002-03-21 Kaashoek Marinus Frans Architecture to thwart denial of service attacks
US20110214161A1 (en) * 2005-10-31 2011-09-01 The Trustees Of Columbia University In The City Of New York Methods, media, and systems for securing communications between a first node and a second node
US20140201836A1 (en) * 2012-08-23 2014-07-17 David B. Amsler Automated Internet Threat Detection and Mitigation System and Associated Methods
US20150264077A1 (en) * 2014-03-13 2015-09-17 International Business Machines Corporation Computer Implemented Techniques for Detecting, Investigating and Remediating Security Violations to IT Infrastructure
TWM542807U (en) * 2016-11-07 2017-06-01 Kuo-Liang Liu Network information security inspection system

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020035683A1 (en) * 2000-09-07 2002-03-21 Kaashoek Marinus Frans Architecture to thwart denial of service attacks
US20110214161A1 (en) * 2005-10-31 2011-09-01 The Trustees Of Columbia University In The City Of New York Methods, media, and systems for securing communications between a first node and a second node
US20140201836A1 (en) * 2012-08-23 2014-07-17 David B. Amsler Automated Internet Threat Detection and Mitigation System and Associated Methods
US20150264077A1 (en) * 2014-03-13 2015-09-17 International Business Machines Corporation Computer Implemented Techniques for Detecting, Investigating and Remediating Security Violations to IT Infrastructure
TWM542807U (en) * 2016-11-07 2017-06-01 Kuo-Liang Liu Network information security inspection system

Also Published As

Publication number Publication date
TW201818289A (en) 2018-05-16

Similar Documents

Publication Publication Date Title
US9661008B2 (en) Network monitoring apparatus, network monitoring method, and network monitoring program
US8024804B2 (en) Correlation engine for detecting network attacks and detection method
US7925883B2 (en) Attack resistant phishing detection
US8429751B2 (en) Method and apparatus for phishing and leeching vulnerability detection
US8347383B2 (en) Network monitoring apparatus, network monitoring method, and network monitoring program
US8161538B2 (en) Stateful application firewall
WO2021139643A1 (en) Method and apparatus for detecting encrypted network attack traffic, and electronic device
CN104219200B (en) A kind of apparatus and method for taking precautions against DNS cache attack
TWM542807U (en) Network information security inspection system
EP1330095A1 (en) Monitoring of data flow for enhancing network security
US20080034424A1 (en) System and method of preventing web applications threats
KR20110089179A (en) Network intrusion protection
US20090178140A1 (en) Network intrusion detection system
US8006303B1 (en) System, method and program product for intrusion protection of a network
KR20220081145A (en) AI-based mysterious symptom intrusion detection and system
US8763121B2 (en) Mitigating multiple advanced evasion technique attacks
TWI640894B (en) Method of detecting internet information security and its implemented system
US20210136038A1 (en) Method and system for web filtering implementation consisting of integrated web extension and connected hardware device
US10757118B2 (en) Method of aiding the detection of infection of a terminal by malware
US20170346844A1 (en) Mitigating Multiple Advanced Evasion Technique Attacks
KR100728446B1 (en) Hardware based intruding protection device, system and method
US20200067973A1 (en) Safer Password Manager, Trusted Services, and Anti-Phishing Process
EP3989519B1 (en) Method for tracing malicious endpoints in direct communication with an application back end using tls fingerprinting technique
US11451584B2 (en) Detecting a remote exploitation attack
CN116566634A (en) Security protection method, system, electronic device and computer readable storage medium