TWI640894B - Method of detecting internet information security and its implemented system - Google Patents
Publication number: TWI640894B (application TW105136157A)
Authority: TW (Taiwan)
Prior art keywords: information, connection request, processing module, connection, website
Abstract
The invention discloses a network information security detection method and a system implementing it. The system is deployed on a website platform and mainly comprises an identification module, a processing module, a recording module and an alarm module. After the identification module inspects the packet information and the requester information of a connection request, it can extract the requester information, a variant signature, and a count of abnormal transmission-traffic events. The processing module takes immediate countermeasures according to the identification result: when the abnormal-traffic count reaches a given threshold, it forges the web content that the website platform would otherwise serve and drives the alarm module to notify the website administrator. This lowers the hardware and software cost of building an information security detection system and reduces the likelihood that the web server is rendered unable to provide service by a DDoS attack.
Description
A network information security detection method and a system implementing it, for preventing a website platform from being subjected to information attacks. In particular, the invention relates to a network information security detection method and system that counters DDoS attacks effectively by serving forged web page information.
With the development of information technology, websites have become an important channel for corporate brand management, e-commerce revenue, news media and knowledge acquisition. However, today's attacks are no longer limited to the client's personal computer (PC) or mobile device; they have shifted to the website platform on the server side. If the website platform is compromised, serious consequences such as theft of member data and loss of service can follow, causing losses that are hard to estimate. The most prevalent website attacks at present include denial of service (DoS), distributed denial of service (hereinafter DDoS), cross-site scripting (XSS), SQL injection, and cross-site request forgery (CSRF). The need for a network information security detection system designed for website platforms arises from this. A conventional network information security detection system mainly places a web application firewall (WAF) and an intrusion prevention system (IPS) in front of the server, to compensate for the fact that an ordinary network firewall can only inspect packet information at layers 2 to 4 of the Open Systems Interconnection (OSI) reference model.
A web application firewall (WAF) determines, by comparing against signatures (feature codes), whether a connection request at the OSI application layer (for example an HTTP/HTTPS request) is abnormal and blocks it; it can also inspect and restrict the content of website forms and fields. For example, US Patent Publication No. US20140373125A1, "Web security protection method, device and system", discloses a network security protection method and system in which a web security device detects whether a website has a security vulnerability and sends the detection result to a web application firewall. If the web application firewall determines that the result is a security vulnerability, it extracts a suspicious signature from it, compares it with the plurality of signatures stored in a local rule library, and then configures the corresponding security policy for the website or stores the suspicious signature in the local rule library.
An intrusion prevention system (IPS) uses signature matching and deep packet inspection (DPI) to detect whether packet content at the various OSI layers contains abnormal data, and actively filters abnormal packets to block viruses, worms, Trojan horses and spyware. An IPS can also detect whether the transmission traffic of a connection is abnormal in order to guard against DDoS attacks. For example, Chinese Patent No. CN101034975B, "Method and apparatus for preventing small-packet attacks", mainly uses a comparison unit to compare the received data volume and a processing unit to perform correction, so as to control the number of packets forwarded to the server. In addition, website administrators respond to DDoS attacks by increasing network bandwidth, upgrading server hardware (memory, disk space, disk type and so on), and adopting traffic scrubbing or traffic diversion.
However, because an IPS cannot inspect encrypted packet content (such as packets carried over HTTPS) and cannot recognise website attacks such as SQL injection and XSS as abnormal connection behaviour, website administrators usually also have to deploy a WAF. This inevitably increases the architectural complexity of the detection system and its number of failure points, and creates problems of product incompatibility and divergent management interfaces, which may in turn weaken the defensive capability of the system and add to the administrator's workload. Moreover, against high-volume abnormal connection behaviour, administrators mainly rely on upgrading server hardware, increasing bandwidth and building a scrubbing center. How to provide a network information security detection method and system that lowers the hardware and software cost to the administrator, blocks the various website attacks, and copes effectively with DDoS attacks therefore remains a problem to be solved.
In view of the above problems, the inventor, drawing on many years of experience in information security research, studied how to reduce the hardware and software cost of deploying a network information security detection system while effectively blocking the various website attacks. Accordingly, the main object of the present invention is to provide a "network information security detection method and implementation system" that lowers the cost of deploying such a system, effectively blocks the various website attacks, and copes effectively with DDoS attacks.
To achieve the above object, the network information security detection system of the present invention comprises an identification module, a processing module, a recording module, an alarm module, an attack signature database and a black/white list database. The attack signature database stores a plurality of signatures; the black/white list database stores the requester information of clients that are allowed and not allowed to access the website platform. The identification module parses the requester information and the packet information of a connection request to determine whether the request to connect to the website platform is abnormal. The processing module takes immediate countermeasures according to the identification result (for example, rejecting the request outright), marks the requester information of an abnormal request as blacklist information, and drives the alarm module to issue an alert to the website administrator holding a monitoring device. If the attack is a DDoS attack, the processing module instead sets a threshold and forges the content the website platform would serve (for example, a web page of small file size) rather than blocking the request immediately, so that the web server can deceive the requester at little cost and the likelihood that it is rendered unable to serve by the DDoS attack is greatly reduced. Accordingly, the invention, once implemented, provides a "network information security detection method and implementation system" that reduces the hardware and software cost of the detection system, responds immediately to the various website attacks, notifies the administrator immediately, and at the same time addresses the problem of a web server being unable to provide service because of a DDoS attack.
So that the Examiner may clearly understand the object, technical features and effects of the present invention, the following description is given with reference to the drawings.
1‧‧‧Network information security detection system
11‧‧‧Identification module
12‧‧‧Processing module
13‧‧‧Recording module
14‧‧‧Alarm module
15‧‧‧Attack signature database
16‧‧‧Black/white list database
2‧‧‧Web server
21‧‧‧Website platform
22‧‧‧Website database
3‧‧‧Monitoring device
S1‧‧‧Detect connection request step
S2‧‧‧Determine whether connection request is abnormal step
S21‧‧‧Determine whether requester information is blacklisted step
S22‧‧‧Determine whether connection request contains a signature step
S23‧‧‧Determine whether abnormal-traffic count reaches first threshold step
S24‧‧‧Provide forged web page information step
S25‧‧‧Determine whether second threshold is satisfied step
S3‧‧‧Reject connection request step
S4‧‧‧Alert step
S5‧‧‧Update requester information and signatures step
S6‧‧‧Allow connection request step
S7‧‧‧Record connection request information step
Fig. 1 is a system architecture diagram of the present invention.
Fig. 2 is a schematic diagram of the composition of the system of the present invention.
Fig. 3 is a schematic diagram (1) of the implementation flow of the present invention.
Fig. 4 is a schematic diagram (2) of the implementation flow of the present invention.
Referring to Fig. 1, which shows the system architecture of the present invention: a website platform 21 and a website database 22 are hosted on a web server 2, and the website platform 21 is communicatively linked to the website database 22 so as to access the website content stored there. The network information security detection system 1 of the present invention is installed on the website platform 21, and a monitoring device 3 can be linked directly to the network information security detection system 1 to view monitoring information for the website platform 21. Accordingly, a requester wishing to connect to the website platform 21 must first pass the filtering mechanism of the network information security detection system 1 before it can connect to the website platform 21 and access the website data it provides; the monitoring device 3 is used to check whether the network information security detection system 1 has reported any abnormal condition.
Referring to Fig. 2, which shows the composition of the system: the network information security detection system 1 mainly comprises an identification module 11, a processing module 12, a recording module 13, an alarm module 14, an attack signature database 15 and a black/white list database 16. The attack signature database 15 and the black/white list database 16 are each linked to the identification module 11 and the processing module 12, while the recording module 13 and the alarm module 14 are each linked to the processing module 12. The identification module 11 determines whether a connection request contains a signature identical or similar to one stored in the attack signature database 15, whether the requester information matches blacklist information stored in the black/white list database 16, and whether the requester's transmission traffic is abnormal. The website administrator can edit the black/white list information stored in the black/white list database 16; this information includes, for example, the requester information (IP address, packet information, port number and the like) of clients allowed and not allowed to access the website platform 21. The signature comparison mechanism includes determining whether the packet information of the connection request contains a malware signature (computer virus, worm, Trojan horse and so on), a malicious SQL input string, an index value of a file name in the website database 22, or an encoded URL (Uniform Resource Locator) or attribute value; whether the requester has entered a command suspected of being an XSS attack into a message board; and whether the requester's transmission traffic is abnormal. The processing module 12 can take immediate countermeasures according to the identification result of the identification module 11 (for example, blocking the connection request outright) and then hands over to the recording module 13 to store the connection request information of the requester, which includes, for example, the request time, port number, IP address, protection record, file name, threat type and the action taken. The processing module 12 can also update the signatures stored in the attack signature database 15 and the requester information stored in the black/white list database 16. The alarm module 14 generates alert information and reports it to the monitoring device 3, which may be a personal computer (PC), notebook computer (NB), smartphone, tablet or the like, without limitation.
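The signature comparison mechanism above lists encoded URLs and attribute values among the things to look for, which is the point that decides whether a signature match works at all: a request that carries `%27%20OR%201%3D1` (or the double-encoded `%2527`) never contains the literal `' OR 1=1`. The following is an added example, not code from the patent, showing the decode-then-match approach in Python. The signature list, the field names and the constructed request are all illustrative assumptions; they are not the patent's attack signature database 15.

```python
import html
import re
from urllib.parse import unquote

# Constructed signature list standing in for the attack signature database 15.
# These patterns are illustrative only, not the patent's signatures.
SIGNATURES = {
    "sqli_tautology": re.compile(r"'\s*or\s+\d+\s*=\s*\d+"),
    "sqli_union_select": re.compile(r"\bunion\b\s+(all\s+)?select\b"),
    "xss_script_tag": re.compile(r"<\s*script\b"),
    "xss_event_handler": re.compile(r"\bon(error|load|click)\s*="),
    "path_traversal": re.compile(r"(\.\./){2,}"),
}

MAX_DECODE_ROUNDS = 3  # bound on repeated decoding so crafted input cannot loop forever


def normalize(value: str) -> str:
    """Undo the encodings used to slip past a naive substring match.

    Percent-decoding is applied repeatedly (bounded) so that double-encoded
    input such as %2527 is reduced to a quote character; '+' is treated as a
    space, HTML entities are decoded, and the result is case-folded so the
    patterns above can be written in lower case.
    """
    current = value
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = html.unescape(unquote(current.replace("+", " ")))
        if decoded == current:
            break
        current = decoded
    return current.lower()


def match_signatures(fields: dict) -> list:
    """Compare every request field against the signature list after normalisation.

    `fields` maps a field name (path, query parameter, form field) to its raw
    value. Returns a list of (field, signature_name) pairs; an empty list means
    the request contains none of the known signatures.
    """
    hits = []
    for field, raw in fields.items():
        norm = normalize(raw)
        for name, pattern in SIGNATURES.items():
            if pattern.search(norm):
                hits.append((field, name))
    return hits


# Constructed request: a message-board post whose comment carries a percent-encoded
# <script> tag and whose user field carries a double-encoded SQL tautology.
CONSTRUCTED_REQUEST = {
    "path": "/board/post.php",
    "query.id": "42",
    "body.comment": "%3Cscript%3Ealert(1)%3C%2Fscript%3E",
    "body.user": "admin%2527%2520OR%25201%253D1",
}

if __name__ == "__main__":
    for field, name in match_signatures(CONSTRUCTED_REQUEST):
        print(f"{field}: {name}")
```

Matching must run on the decoded form that the application will actually see, and the decoding loop must be bounded; an unbounded "decode until stable" loop is itself a cheap way for a requester to burn CPU on the filter.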
Referring to Fig. 3, which shows implementation flow (1): the method of operating the network information security detection system 1 of the present invention comprises the following steps.
(1) Detect connection request step S1: when a requester wishes to access website data of the website platform 21 on a web server 2, it issues a connection request (for example an HTTP/HTTPS request). The network information security detection system 1 installed on the website platform 21 receives the request first and passes it to its identification module 11, which inspects the packet information of the request. The packet information comprises a header and a payload, and the header carries the requester information. Once the identification module 11 completes step S1, it proceeds to step S2.
(2) Determine whether the connection request is abnormal step S2: following step S1, the identification module 11 determines whether the packet information of the connection request contains a signature from the attack signature database 15, whether the requester is listed in the blacklist information of the black/white list database 16, and whether the requester's transmission traffic is abnormal. If the identification module 11 judges the request abnormal, it passes the result to the processing module 12, which executes the reject connection request step S3; if no abnormality is found, the processing module 12 executes the allow connection request step S6.
(3) Reject connection request step S3: following step S2, if the identification module 11 has judged the request abnormal, the processing module 12 takes countermeasures, for example rejecting the request immediately and marking the requester information as blacklist information, or deciding, on the basis of whether the requester's abnormal-traffic count has reached a threshold value, whether to reject the request, mark the requester information as blacklist information, or forge the web page data provided by the website platform 21.
(4) Alert step S4: following step S3, once the identification module 11 has judged the request abnormal and the processing module 12 has taken countermeasures, the alarm module 14 is linked to a monitoring device 3 and transmits the alert information it generates, so that the website administrator learns that an abnormal request attempted to connect to the website platform 21.
(5) Update requester information and signatures step S5: following step S4, when the identification module 11 has judged the request abnormal, the processing module 12 adds a variant signature to the attack signature database 15 and marks the requester information as blacklist information in the black/white list database 16.
(6) Allow connection request step S6: following step S2, if the identification module 11 finds no abnormality, the processing module 12 allows the request through the network information security detection system 1, so that the request can access the web page data provided by the website platform 21.
(7) Record connection request information step S7: when the processing module 12 has completed step S5 or step S6, it is linked to the recording module 13 to record the connection request information, which comprises the request time, port number, IP address, protection record, file name, threat type and action taken. After the recording module 13 completes step S7, the identification module 11 continues with the detect connection request step S1.
請參閱「第4圖」,圖中所示為本發明之實施流程示意圖(二),如圖,當本發明之辨識模組11完成偵測連線請求步驟S1後,判斷連線請求是否異常步驟S2之實施方法包括: (1)判斷連線請求端資訊是否列於黑名單步驟S21:承判斷連線請求是否異常步驟S2,一辨識模組11先將連線請求之連線請求端資訊與黑白名單資料庫16進行比對,以確認連線請求端資訊是否列於黑白名單資料庫16所儲存之黑名單資訊中,若有,則辨識模組11認定連線請求為異常,並由處理模組12執行拒絕連線請求步驟S3;若無,則辨識模組11認定連線請求之連線請求端資訊不屬於黑名單資訊,並進而執行判斷連線請求是否包含特徵碼步驟S22;(2)判斷連線請求是否包含特徵碼步驟S22:承判斷連線請求端資訊是否列於黑名單步驟S21,辨識模組11確認連線請求之連線請求端資訊不屬於黑名單資訊後,先對連線請求之封包資訊與攻擊特徵資料庫15進行比對,以確認連線請求之封包資訊是否包含相同、或疑似攻擊特徵資料庫15所儲存之特徵碼,若有,則辨識模組11認定連線請求為異常,並由處理模組12執行拒絕連線請求步驟S3;若無,則認定連線請求並未包含相同、或變形的特徵碼,並繼續執行判斷流量異常次數是否達到第一閾值步驟S23,又,特徵碼比對機制可為:判斷連線請求之封包資訊是否含有惡意程式特徵碼(如電腦病毒、蠕蟲、或木馬程式等)、是否含有惡意SQL輸入字串、是否含有網站資料庫22內檔案名稱的索引值、是否含有經過編碼(Encoding)後的URL或屬性值(Attribute)、連線請求端於留言板是否輸入疑似XSS攻擊之惡意指令、以及連 線請求端之傳輸流量是否異常等;(3)判斷流量異常次數是否達到第一閾值步驟S23:承判斷連線請求是否包含特徵碼步驟S22,辨識模組11確認連線請求之封包資訊並未包含特徵碼後,即開始偵測連線請求端之異常傳輸流量次數是否達到處理模組12所預設之一第一閾值,若有達到第一閾值,則處理模組12執行提供偽造網頁資訊步驟S24;若未滿足第一閾值,則處理模組12執行允許連線請求步驟S6,又,辨識模組11判斷異常傳輸流量次數之判斷機制為:若連線請求端於一平均時間內,發出相同、或不同的正常連線請求之次數滿足第一閾值時(例如連線請求端於30分鐘內發出超過200次相同、或不同連線請求時),意即大量瀏覽、或存取網站平台21之網站資料,辨識模組11即認定此連線請求之傳輸流量為異常;(4)提供偽造網頁資訊步驟S24:承判斷流量異常次數是否達到第一閾值步驟S23,若辨識模組11認定連線請求端之流量異常次數已滿足第一閾值,則處理模組12先資訊連結至網站平台21,以對網站平台21所提供的網站資料進行偽造,再允許連線請求端繼續發出連線請求,其後,處理模組12再繼續執行判斷第二閾值是否被滿足步驟S25,另,所述經過偽造的網頁資料可為:空白網頁、或顯示僅有少數字串的網頁,藉此,可讓網站平台21對連線請求端提供較小、或極小的網頁檔案,以欺瞞發動DDoS攻擊之連線請求端,同時能減輕網站伺服器2 的負擔,進而降低網站伺服器2遭到DDoS攻擊而無法提供服務的可能性;(5)判斷第二閾值是否被滿足步驟S25:承提供偽造網頁資訊步驟S24,辨識模組11繼續判斷處理模組12所預設之一第二閾值是否有被滿足,若第二閾值有被滿足,則處理模組12執行拒絕連線請求步驟S3;若第二閾值未被滿足,則處理模組12對第二閾值進行累加,並執行允許連線請求步驟S6;(6)又,所述的判斷連線請求端是否列於黑名單步驟S21執行完畢後,可先執行判斷流量異常次數是否達到第一閾值步驟S23,換言之,處理模組12判斷流量異常次數是否達到第一閾值步驟S23的判斷結果若為「第一閾值未被滿足」,則處理模組12並非直接執行允許連線請求步驟S6,而是接續執行判斷連線請求是否包含特徵碼步驟S22;相對地,判斷流量異常次數是否達到第一閾值步驟S23的判斷結果若為「第一閾值已被滿足」,則處理模組12可直接執行提供偽造網頁資訊步驟S24,並接續執行是否滿足第二閾值步驟S25,其後,若是否滿足第二閾值步驟S25的判斷結果為「第二閾值未被滿足」,則處理模組12可接續執行判斷連線請求是否包含特徵碼步驟S22。 Please refer to FIG. 4, which is a schematic diagram (2) of the implementation process of the present invention. 
As shown in the figure, when the identification module 11 of the present invention completes the detection connection request step S1, it is determined whether the connection request is abnormal. The implementation method of step S2 includes: (1) determining whether the information of the connection requesting end is listed in the blacklist step S21: determining whether the connection request is abnormal or not, step S2, and the identification module 11 firstly connects the request request information of the connection request. Comparing with the black and white list database 16 to confirm whether the connection requester information is listed in the blacklist information stored in the black and white list database 16, and if so, the identification module 11 determines that the connection request is abnormal, and The processing module 12 performs the reject connection request step S3; if not, the identification module 11 determines that the connection request end information of the connection request does not belong to the blacklist information, and further performs determining whether the connection request includes the signature code step S22; (2) determining whether the connection request includes the feature code. Step S22: determining whether the connection request end information is listed in the blacklist step S21, and the identification module 11 confirms that the connection request end information of the connection request does not belong to the blacklist information. 
First, the packet information of the connection request is compared against the attack signature database 15 to confirm whether it contains a signature identical to, or suspected to be a variant of, one stored in the attack signature database 15. If so, the identification module 11 judges the connection request to be abnormal and the processing module 12 performs the reject connection request step S3; if not, the connection request is judged to contain neither an identical nor a deformed signature, and the flow continues with determining whether the number of traffic abnormalities reaches the first threshold, step S23. In addition, the signature comparison mechanism may include determining: whether the packet information of the connection request contains a malicious program signature (such as a computer virus, a worm, or a Trojan); whether it contains a malicious SQL input string; whether it contains an index value of a file name in the website database 22; whether it contains an encoded (Encoding) URL or attribute value (Attribute); whether the connection requester has posted a malicious message suspected of being an XSS attack on a message board; and whether the transmission traffic of the connection requester is abnormal, and the like.

(3) Determining whether the number of traffic abnormalities reaches the first threshold, step S23: after the identification module 11 confirms in step S22 that the packet information of the connection request contains no signature, it begins to detect whether the abnormal transmission traffic of the connection requester reaches a first threshold preset by the processing module 12. If the first threshold is reached, the processing module 12 performs the providing forged webpage information step S24; if it is not reached, the processing module 12 performs the allow connection request step S6. The mechanism by which the identification module 11 judges the number of abnormal transmissions is: if the number of identical or different normal connection requests sent by the connection requester within an average time satisfies the first threshold (for example, the connection requester sends more than 200 identical or different connection requests within 30 minutes), this indicates that it is browsing or accessing the website data of the website platform 21 in bulk, and the identification module 11 judges the transmission traffic of that connection requester to be abnormal.

(4) Providing forged webpage information, step S24: if in step S23 the identification module 11 determines that the number of traffic abnormalities of the connection requester has satisfied the first threshold, the processing module 12 first links to the website platform 21 and forges the website information provided by the website platform 21, and then allows the connection requester to continue issuing connection requests. Thereafter the processing module 12 proceeds to determine whether the second threshold is satisfied, step S25. The forged webpage data may be a blank webpage, or a webpage displaying only a small number of digits, so that the website platform 21 provides a smaller or minimal webpage file to the connection requester; this deceives the connection requester carrying out the DDoS attack while reducing the burden on the website server 2, thereby reducing the possibility that the website server 2 is unable to provide service because of a DDoS attack.

(5) Determining whether the second threshold is satisfied, step S25: after the providing forged webpage information step S24, the identification module 11 continues to determine whether a second threshold preset by the processing module 12 is satisfied. If the second threshold is satisfied, the processing module 12 performs the reject connection request step S3; if it is not satisfied, the processing module 12 accumulates the count toward the second threshold and performs the allow connection request step S6.

(6) Alternatively, after the determining whether the connection requester is listed in the blacklist step S21 is completed, the determining whether the number of traffic abnormalities reaches the first threshold step S23 may be performed first. In other words, the processing module 12 first determines whether the number of traffic abnormalities reaches the first threshold; if the result of step S23 is "the first threshold is not satisfied", the processing module 12 does not directly perform the allow connection request step S6 but proceeds to determine whether the connection request contains a signature, step S22. Conversely, if step S23 finds that the first threshold has already been satisfied, the processing module 12 may directly perform the providing forged webpage information step S24 and continue with the determining whether the second threshold is satisfied step S25.
Then, if the result of step S25 is "the second threshold is not satisfied", the processing module 12 may continue to determine whether the connection request contains a signature, step S22.
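The decision flow of steps S21 to S25 above, as an added Python example that is not part of the patent: a sliding-window request counter stands in for the identification module 11 and processing module 12, using the patent's figure of more than 200 requests in 30 minutes as the first threshold. The signature strings, and the second threshold value (400 requests, measured in the same window), are constructed assumptions, since the patent does not fix them.

```python
from collections import defaultdict, deque

# Outcomes named after the patent's steps.
REJECT = "S3 reject connection request"
FORGED = "S24 serve forged (minimal) webpage"
ALLOW = "S6 allow connection request"

# Forged page per the patent: a blank page or one showing only a few digits.
FORGED_PAGE = "<html><body>0</body></html>"


class RequestClassifier:
    """Models identification module 11 + processing module 12 (steps S21-S25)."""

    def __init__(self, signatures, first_threshold=200, window_seconds=1800,
                 second_threshold=400):
        # signatures: stand-in for attack signature database 15 (constructed).
        self.signatures = [s.lower() for s in signatures]
        self.first_threshold = first_threshold      # >200 requests in 30 min
        self.window = window_seconds
        self.second_threshold = second_threshold    # assumption: same window
        self.history = defaultdict(deque)           # requester -> timestamps
        self.blacklist = set()                      # black list database

    def count_in_window(self, requester, now):
        """Record a request and return how many fall inside the sliding window."""
        q = self.history[requester]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q)

    def classify(self, requester, payload, now):
        # S21: a blacklisted requester is rejected outright.
        if requester in self.blacklist:
            return REJECT
        # S22: compare packet content against the signature database.
        text = payload.lower()
        if any(sig in text for sig in self.signatures):
            self.blacklist.add(requester)
            return REJECT
        # S23: has the requester exceeded the first threshold in the window?
        n = self.count_in_window(requester, now)
        if n <= self.first_threshold:
            return ALLOW
        # S25: second threshold reached -> reject and blacklist.
        if n >= self.second_threshold:
            self.blacklist.add(requester)
            return REJECT
        # S24: between the thresholds -> keep answering with the forged page.
        return FORGED
```

Timestamps are plain seconds so the example runs offline; in a server they would come from the request clock, and the forged response body would be `FORGED_PAGE`.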
As can be seen from the above, the present invention mainly includes an identification module, a processing module, a recording module, an alarm module, an attack signature database, and a black-and-white list database. The attack signature database stores a plurality of signatures; the black-and-white list database stores the connection requester information of requesters allowed and not allowed to access the website platform; the identification module parses the connection requester information and the packet information of a connection request to determine whether the connection request made by the connection requester to a website platform is abnormal; the processing module takes immediate contingency measures according to the identification result of the identification module (for example, directly rejecting the connection request), marks the connection requester information of the abnormal connection request as blacklist information, and drives the alarm module to issue alarm information to notify the website administrator holding the monitoring device. Furthermore, if the connection request issued by the connection requester is judged to be a DDoS attack, the processing module sets a threshold and forges the website content provided by the website platform (for example, a webpage with a smaller file) instead of immediately blocking the connection request, so that the website server bears the smallest burden, the connection requester is deceived, and the possibility that the website server is unable to provide service because of a DDoS attack is greatly reduced. Accordingly, once implemented, the present invention indeed provides a "network information security detection method and implementation system" that can reduce the hardware and software construction cost of a network information security detection system, respond immediately to various website attacks, notify the website administrator immediately, and at the same time solve the problem of the website server being unable to provide service because of a DDoS attack.
However, the above is only a preferred embodiment of the present invention and is not intended to limit the scope of its implementation; all equivalent changes and modifications made by those skilled in the art without departing from the spirit and scope of the present invention shall be covered by the patent scope of the present invention.
In summary, the effects of the present invention satisfy the patentability requirements of "industrial applicability", "novelty" and "inventive step"; in accordance with the provisions of the Patent Act, the applicant hereby files an application for an invention patent with the Bureau.
Claims (17)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW105136157A TWI640894B (en) | 2016-11-07 | 2016-11-07 | Method of detecting internet information security and its implemented system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW105136157A TWI640894B (en) | 2016-11-07 | 2016-11-07 | Method of detecting internet information security and its implemented system |
Publications (2)
Publication Number | Publication Date |
---|---|
TW201818289A TW201818289A (en) | 2018-05-16 |
TWI640894B true TWI640894B (en) | 2018-11-11 |
Family
ID=62949409
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
TW105136157A TWI640894B (en) | 2016-11-07 | 2016-11-07 | Method of detecting internet information security and its implemented system |
Country Status (1)
Country | Link |
---|---|
TW (1) | TWI640894B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109447651A (en) * | 2018-10-22 | 2019-03-08 | 武汉极意网络科技有限公司 | Business air control detection method, system, server and storage medium |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20020035683A1 (en) * | 2000-09-07 | 2002-03-21 | Kaashoek Marinus Frans | Architecture to thwart denial of service attacks |
US20110214161A1 (en) * | 2005-10-31 | 2011-09-01 | The Trustees Of Columbia University In The City Of New York | Methods, media, and systems for securing communications between a first node and a second node |
US20140201836A1 (en) * | 2012-08-23 | 2014-07-17 | David B. Amsler | Automated Internet Threat Detection and Mitigation System and Associated Methods |
US20150264077A1 (en) * | 2014-03-13 | 2015-09-17 | International Business Machines Corporation | Computer Implemented Techniques for Detecting, Investigating and Remediating Security Violations to IT Infrastructure |
TWM542807U (en) * | 2016-11-07 | 2017-06-01 | Kuo-Liang Liu | Network information security inspection system |
- 2016-11-07 TW TW105136157A patent/TWI640894B/en active
Also Published As
Publication number | Publication date |
---|---|
TW201818289A (en) | 2018-05-16 |
Similar Documents
Publication | Title |
---|---|
US9661008B2 (en) | Network monitoring apparatus, network monitoring method, and network monitoring program |
US8024804B2 (en) | Correlation engine for detecting network attacks and detection method |
US7925883B2 (en) | Attack resistant phishing detection |
US8429751B2 (en) | Method and apparatus for phishing and leeching vulnerability detection |
US8347383B2 (en) | Network monitoring apparatus, network monitoring method, and network monitoring program |
US8161538B2 (en) | Stateful application firewall |
WO2021139643A1 (en) | Method and apparatus for detecting encrypted network attack traffic, and electronic device |
CN104219200B (en) | A kind of apparatus and method for taking precautions against DNS cache attack |
TWM542807U (en) | Network information security inspection system |
EP1330095A1 (en) | Monitoring of data flow for enhancing network security |
US20080034424A1 (en) | System and method of preventing web applications threats |
KR20110089179A (en) | Network intrusion protection |
US20090178140A1 (en) | Network intrusion detection system |
US8006303B1 (en) | System, method and program product for intrusion protection of a network |
KR20220081145A (en) | AI-based mysterious symptom intrusion detection and system |
US8763121B2 (en) | Mitigating multiple advanced evasion technique attacks |
TWI640894B (en) | Method of detecting internet information security and its implemented system |
US20210136038A1 (en) | Method and system for web filtering implementation consisting of integrated web extension and connected hardware device |
US10757118B2 (en) | Method of aiding the detection of infection of a terminal by malware |
US20170346844A1 (en) | Mitigating Multiple Advanced Evasion Technique Attacks |
KR100728446B1 (en) | Hardware based intruding protection device, system and method |
US20200067973A1 (en) | Safer Password Manager, Trusted Services, and Anti-Phishing Process |
EP3989519B1 (en) | Method for tracing malicious endpoints in direct communication with an application back end using tls fingerprinting technique |
US11451584B2 (en) | Detecting a remote exploitation attack |
CN116566634A (en) | Security protection method, system, electronic device and computer readable storage medium |