US20210328970A1 - Web attack detecting and blocking system and method thereof - Google Patents

Info

Publication number
US20210328970A1
Authority
US
United States
Prior art keywords
web
request data
risk
web request
filtering unit
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
US16/492,390
Other versions
US11171919B1 (en)
Inventor
In Young Lee
Dae Ho Lee
Sung Su CHOI
Young Suk HWANG
Dong Geun Lee
Ki Hwan Kim
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
F1 Security Inc
Original Assignee
F1 Security Inc
Application filed by F1 Security Inc
Assigned to F1 Security Inc. (assignment of assignors' interest; see document for details). Assignors: CHOI, SUNG SU; HWANG, YOUNG SUK; KIM, KI HWAN; LEE, DAE HO; LEE, DONG GEUN; LEE, IN YOUNG
Publication of US20210328970A1
Application granted
Publication of US11171919B1
Legal status: Active

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
              • H04L63/0227 Filtering policies
                • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
            • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
              • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                • H04L63/1416 Event detection, e.g. attack signature detection
              • H04L63/1433 Vulnerability analysis
            • H04L63/16 Implementing security features at a particular protocol layer
              • H04L63/168 Implementing security features at a particular protocol layer above the transport layer
            • H04L63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
              • H04L63/306 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information intercepting packet switched data communications, e.g. Web, Internet or IMS communications

Definitions

  • the present invention relates to web attack detecting and blocking, that is, to detecting and blocking web application attacks at a web server providing web services. More particularly, the present invention relates to a system for detecting and blocking a web attack, and a method thereof, the system and method being capable of determining whether or not to block web request data by analyzing the web request data received in the web server.
  • the above-described conventional technique cannot provide a customer customized web security service without affecting the stability and availability of the web application.
  • there is a high possibility of communication delay depending on the situation of the Internet network, and the DNS information has to be changed to the service provider's IP information. Further, in order to provide services through HTTPS, an SSL certificate and private key have to be uploaded to the web firewall service provider.
  • Patent document 1 Korean Patent Application Publication No. 10-2010-0058695 (Published on Jun. 4, 2010)
  • the present invention has been made keeping in mind the above problems occurring in the prior art, and the first objective of the present invention is to provide a system for detecting and blocking a web attack, the system being capable of: providing customer customized web security service without affecting the stability and availability of the web application; providing web security service regardless of an Internet network situation; providing easy installation, update, and version upgrade of software; providing security services while maintaining an existing network configuration; providing security services without changing IP and DNS information; preventing an SSL certificate and private key from being exposed, and reducing the initial cost of introduction; being applicable to a cloud server environment in a smooth manner; and being applicable to a web application security system, a web server installed in a cloud system, an end point of a mobile application server side, an end point of an IoT user interface, and an end point of a server side.
  • the second objective of the present invention is to provide a method of detecting and blocking a web attack, the method being capable of: providing customer customized web security service without affecting the stability and availability of the web application; providing web security service regardless of an Internet network situation; providing easy installation, update, and version upgrade of software; providing security services while maintaining an existing network configuration; providing security services without changing IP and DNS information; preventing an SSL certificate and private key from being exposed, and reducing the initial cost of introduction; being applicable to a cloud server environment in a smooth manner; and being applicable to a web application security system, a web server installed in a cloud system, an end point of a mobile application server side, an end point of an IoT user interface, and an end point of a server side.
  • the present invention provides a system for detecting and blocking a web attack, the system including: a filtering unit receiving web request data from a user terminal, and controlling a web application to maintain a standby state; and a web firewall daemon receiving the web request data from the filtering unit, determining a risk by analyzing the web request data, and transmitting the resulting risk of the web request data to the filtering unit.
  • the filtering unit may include: a first communication module performing communication with the web firewall daemon by using the same protocol, and receiving the resulting risk of the web request data from the web firewall daemon; and a first control module controlling the first communication module to prepare for the resulting risk of the web request data.
  • the web firewall daemon may include: a second communication module receiving the web request data from the filtering unit; a risk determining module determining the risk by analyzing the web request data received in the second communication module; and a data changing module modifying the web request data, so as to generate modified web request data, when it is determined that the resulting risk of the web request data represents that changes in the web request data are necessary, wherein the second communication module may transmit the modified web request data to the filtering unit.
  • the filtering unit may further include: a storage module for storing the web request data and the resulting risk of the web request data, wherein the first control module may control the first communication module to prepare for the resulting risk of the web request data by using the resulting risk of the web request data stored in the storage module.
  • the filtering unit may further include: an information obtaining module obtaining an IP (Internet protocol) address and URL (uniform resource locator) information of the user terminal that has transmitted the web request data from the web request data, wherein the first communication module may transmit to the second communication module the IP address and the URL information of the user terminal, the IP address and the URL information being obtained in the information obtaining module, the risk determining module may determine the risk of the web request data by analyzing the IP address and the URL information of the user terminal, the IP address and the URL information being received in the second communication module, and when it is determined that the IP address and the URL information of the user terminal are not sufficient for determining the risk of the web request data, the risk determining module may generate a request for additional information, and the second communication module may transmit the request for additional information to the first communication module.
  • the information obtaining module may obtain additional information in association with the request for additional information from the web request data.
  • the first communication module may transmit the additional information obtained in the information obtaining module from the web request data to the second communication module.
  • the risk determining module may determine the risk of the web request data by analyzing the additional information received in the second communication module.
  • the second communication module may transmit to the first communication module the resulting risk of the web request data which is obtained by analyzing the additional information in the risk determining module.
  • the present invention provides a method of detecting and blocking a web attack, the method including: receiving, by a filtering unit, web request data from a user terminal; controlling, by the filtering unit, a web application to maintain a standby state; transmitting, by the filtering unit, the web request data to a web firewall daemon; determining, by the web firewall daemon, a risk by analyzing the web request data; and transmitting, by the web firewall daemon, the risk of the web request data to the filtering unit.
  • the transmitting, by the web firewall daemon, of the risk of the web request data to the filtering unit may include: controlling, by a first control module, a first communication module to prepare for the risk of the web request data which is received in the first control module from the web firewall daemon.
  • the determining, by the web firewall daemon, of the risk by analyzing the web request data may include: modifying, by the web firewall daemon, the web request data when it is determined that the resulting risk of the web request data represents that modification on the web request data is necessary; and generating, by the web firewall daemon, modified web request data where the web request data has been modified, and the transmitting, by the web firewall daemon, of the risk of the web request data to the filtering unit may include: transmitting, by the web firewall daemon, the modified web request data to the filtering unit.
  • the transmitting, by the web firewall daemon, of the risk of the web request data to the filtering unit may include: storing, by the filtering unit, the web request data and the resulting risk of the web request data; and controlling, by the first control module, the first communication module to prepare for the risk of the web request data by using the stored resulting risk of the web request data.
  • the transmitting, by the filtering unit, of the web request data to the web firewall daemon may include: obtaining, by the filtering unit, an IP address and URL information of the user terminal that has transmitted the web request data; transmitting, by the filtering unit, the obtained IP address and the URL information of the user terminal to the web firewall daemon; determining, by the web firewall daemon, the risk of the web request data by analyzing the IP address and the URL information of the user terminal; generating, by the web firewall daemon, a request for additional information when the IP address and the URL information of the user terminal are not sufficient for determining the risk of the web request data; and transmitting, by the web firewall daemon, the request for additional information to the filtering unit.
  • the transmitting, by the web firewall daemon, of the request for additional information to the filtering unit may include: obtaining, by the filtering unit, additional information in association with the request for additional information from the web request data; transmitting, by the filtering unit, the additional information obtained from the web request data to the web firewall daemon; determining, by the web firewall daemon, the risk of the web request data by analyzing the additional information; and transmitting, by the web firewall daemon, the resulting risk of the web request data which is determined by analyzing the additional information to the filtering unit.
  • the present invention can provide web security service regardless of an Internet network situation.
  • the present invention can provide easy installation, update, and version upgrade of software.
  • the present invention can provide security services while maintaining an existing network configuration.
  • the present invention can provide security services without changing IP and DNS information.
  • the present invention can prevent an SSL certificate and private key from being exposed, and reduce the initial cost of introduction.
  • the present invention can be applied to a cloud server environment in a smooth manner.
  • the present invention can be applied to a web application security system, a web server installed in a cloud system, an end point of a mobile application server side, an end point of an IOT user interface, and an end point of a server side.
  • FIG. 1 is a view showing a schematic configuration of a web attack detecting and blocking system according to an embodiment of the present invention.
  • FIG. 2 is a view showing a schematic configuration of a filtering unit that is a partial configuration of the present invention.
  • FIG. 3 is a view showing a schematic configuration of a web firewall daemon that is a partial configuration of the present invention.
  • FIG. 4 is a view showing a schematic flow of a web attack detection and blocking method according to an embodiment of the present invention.
  • a description of a certain part “including” certain constituents means capable of further including other constituents, and does not exclude other constituents unless particularly stated on the contrary.
  • the terms “ . . . unit”, “ . . . module”, and “ . . . means” described in the present specification refer to a unit for processing at least one function or operation, and may be implemented as hardware, software, or a combination thereof.
  • first or second may be used to describe various elements, but the elements are not limited to these terms. These terms are used to distinguish one element from another element. For example, a first element could be termed a second element, and a second element could similarly be termed a first element without departing from the scope of the present invention.
  • the term “and/or” includes any and all combinations of one or more of the associated listed items.
  • a term “comprise” or “have” indicates presence of a characteristic, numeral, step, operation, element, component, or combination thereof described in the specification and does not exclude presence or addition of at least one other characteristic, numeral, step, operation, element, component, or combination thereof.
  • a “module” or a “unit” performs at least one function or operation, and may be realized as hardware, software, or a combination thereof. Further, except for the “modules” or “units” that have to be implemented by certain hardware, a plurality of “modules” or a plurality of “units” may be integrated into at least one module and realized as at least one processor (not illustrated).
  • where a certain part is “connected” to another part, this includes not only the case where the part is “directly connected” to the other part, but also the case where the part is “electrically connected” to the other part with another element interposed therebetween.
  • a system 10 for detecting and blocking a web attack may include a filter unit 110 and a web firewall daemon 200 .
  • the filter unit 110 may include a first control module 111 , a first communication module 112 , an information obtaining module 113 , and a storage module 114 .
  • the web firewall daemon 200 may include a second communication module 210 , a risk determining module 220 , and a data changing module 230 .
  • the filter unit 110 may receive web request data from a user terminal 1 , and control the web application 120 to maintain a standby state.
  • the filter unit 110 may be implemented as a component embedded in a web server daemon 100.
  • the user terminal 1 may be any of various electronic devices, such as a smartphone, smart watch, smart glasses, tablet PC, laptop PC, etc.
  • the web firewall daemon 200 may receive web request data from the filter unit 110 , and determine a risk by analyzing the web request data.
  • the web firewall daemon 200 may transmit the resulting risk of the web request data to the filter unit 110 .
  • the web firewall daemon 200 may be implemented as a process physically and completely separated from the filter unit 110, which is embedded in the web server daemon 100.
  • the web application 120 is therefore not affected even when a bug or an error occurs in the web firewall daemon 200.
  • the web server daemon 100 can keep serving web requests without being restarted and without its operation being stopped.
  • the first communication module 112 and the second communication module 210 may perform communication with each other by using the same protocol.
  • the first communication module 112 may receive the resulting risk of the web request data from the web firewall daemon 200.
  • the first control module 111 may control the first communication module 112 to prepare for the resulting risk of the web request data which is received in the first communication module 112 from the web firewall daemon 200 .
  • the first control module 111 may control the first communication module 112 to block the corresponding web request data when it is determined that the resulting risk of the web request data represents that blocking the web request data is reasonable.
  • the first control module 111 may control the first communication module 112 to transmit the corresponding web request data to the web application 120 when it is determined that the resulting risk of the web request data represents that passing the web request data is reasonable.
  • the first communication module 112 may receive response data in association with the web request data from the web application 120 .
  • the first communication module 112 may transmit response data in association with the web request data to the second communication module 210 .
  • the first communication module 112 may receive a resulting risk of response data determined in the risk determining module 220 from the second communication module 210 .
  • the first control module 111 may control the first communication module 112 to prepare for the resulting risk of the response data received in the first communication module 112 from the second communication module 210 .
  • the first control module 111 may control the first communication module 112 to block the corresponding response data when it is determined that the resulting risk of the response data represents that blocking the response data is reasonable.
  • the first control module 111 may control the first communication module 112 to transmit the corresponding response data to the user terminal 1 that has transmitted the web request data when it is determined that the resulting risk of the response data represents that passing the response data is reasonable.
  • the second communication module 210 may receive web request data from the filter unit 110 .
  • the risk determining module 220 may determine a risk by analyzing the web request data received in the second communication module 210 from the first communication module 112 .
  • the risk determining module 220 may determine a risk by analyzing response data received in the second communication module 210 from the first communication module 112 .
  • the risk determined in the risk determining module 220 is for determining various attack risks that may be included in web request data, response data to web request data, etc.
  • the risk determining module 220 may determine that changes in web request data, response data, etc. are necessary when the web request data, the response data, etc. include web attack risks based on HTTPS/HTTP v1.0, v1.1, or v2, and determine that blocking of the web request data, the response data, etc. is reasonable.
  • the risk determining module 220 may determine that web request data, response data, etc. are abnormal when the web request data, the response data, etc. include a preset first reference that is at least one of an injection, broken authentication and session management, sensitive data exposure, XML external entities (XXE), broken access control, security misconfiguration, cross-site scripting (XSS), insecure deserialization, use of components with known vulnerabilities, and insufficient logging & monitoring. Accordingly, the risk determining module 220 may derive a result that blocking of the web request data, the response data, etc. is reasonable, and determine that changes in the web request data, the response data, etc. are necessary.
  • the injection may include SQL/XQuery/XPath/LDAP injection.
  • the risk determining module 220 may derive a result that blocking of the web request data, the response data, etc. is reasonable by using a preset first rule of at least one of rules to protect against known spammers or malicious activity (REQUEST-910-IP-REPUTATION), rules to lock down methods (PUT, PATCH, etc.) (REQUEST-911-METHOD-ENFORCEMENT), rules to protect against denial of service (DoS) attacks (REQUEST-912-DOS-PROTECTION), rules to protect against port and environment scanners (REQUEST-913-SCANNER-DETECTION), rules to protect against protocol and encoding issues (REQUEST-920-PROTOCOL-ENFORCEMENT), rules to protect against header injection, request smuggling, and response splitting (REQUEST-921-PROTOCOL-ATTACK), rules to protect against file and path attacks (REQUEST-930-APPLICATION-ATTACK-LFI), rules to protect against remote file inclusion (RFI) (REQUEST-931-APPLICATION-ATT
  • the risk determining module 220 may determine that changes in the web request data, the response data, etc. are necessary.
  • the risk determining module 220 may determine a risk of the web request data, the response data, etc. by determining whether or not the web request data, the response data, etc. satisfy the PCI data security standard (PCI DSS).
  • the risk determining module 220 may derive a result that the web request data, the response data, etc. are normal when the web request data, the response data, etc. satisfy the PCI data security standard (PCI DSS). Also, the risk determining module 220 may derive a result that blocking of the web request data, the response data, etc. is reasonable when the web request data, the response data, etc. do not satisfy the PCI data security standard (PCI DSS), and determine that changes in the web request data, the response data, etc. are necessary.
  • the risk determining module 220 may derive a result that blocking of the web request data, the response data, etc. is reasonable when the web request data, the response data, etc. include a preset second reference of at least one of directory listing vulnerability, file download vulnerability, cross-site scripting vulnerability, file upload vulnerability, WebDAV vulnerability, technote vulnerability, zeroboard vulnerability, and SQL injection vulnerability, and determine that changes in the web request data, the response data, etc. are necessary.
  • the risk determining module 220 may derive a result that blocking of the web request data, the response data, etc. is reasonable when the web request data, the response data, etc. correspond to URI file forgeries, and determine that changes in the web request data, the response data, etc. are necessary.
  • the data changing module 230 may modify the web request data, and generate modified web request data.
  • modifying, by the data changing module 230 , the web request data may include changes in payload of the web request data.
  • the data changing module 230 may modify the web request data by using the preset first rule of at least one of rules to protect against known spammers or malicious activity (REQUEST-910-IP-REPUTATION), rules to lock down methods (PUT, PATCH, etc.) (REQUEST-911-METHOD-ENFORCEMENT), rules to protect against denial of service (DoS) attacks (REQUEST-912-DOS-PROTECTION), rules to protect against port and environment scanners (REQUEST-913-SCANNER-DETECTION), rules to protect against protocol and encoding issues (REQUEST-920-PROTOCOL-ENFORCEMENT), rules to protect against header injection, request smuggling, and response splitting (REQUEST-921-PROTOCOL-ATTACK), rules to protect against file and path attacks (REQUEST-930-APPLICATION-ATTACK-LFI), rules to protect against remote file inclusion (RFI) (REQUEST-931-APPLICATION-ATTACK-RFI), rules to protect against remote code execution (REQUEST-9
  • the above-described risk determining module 220 and data changing module 230 may be applied not only to web request data but also to modified web request data, or to response data associated with the modified web request data.
  • the second communication module 210 may transmit modified web request data to the filter unit 110 .
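As an added example (not code from the patent or from F1 Security), the following Python sketch models the risk determining module 220 and the data changing module 230 described above: a request is checked against a few of the first-reference categories and first-rule names the page lists, the result carries both the "blocking is reasonable" and "changes are necessary" outcomes, and the data changing module strips the matched payload. The regular expressions, the allowed-method set and the missing User-Agent check are constructed simplifications, not the real rule logic.

```python
# Added example: toy risk determining module (220) and data changing module (230).
# Rule/reference names come from the page's lists; all checks are constructed.
import re
from dataclasses import dataclass, replace
from urllib.parse import unquote_plus


@dataclass(frozen=True)
class WebRequest:
    method: str
    url: str
    headers: dict
    body: str = ""


@dataclass(frozen=True)
class RiskResult:
    blocking_reasonable: bool      # "blocking ... is reasonable"
    modification_necessary: bool   # "changes in the web request data are necessary"
    matched: tuple                 # (rule or reference name, request field)


ALLOWED_METHODS = frozenset({"GET", "POST", "HEAD", "OPTIONS"})  # assumption

# Constructed toy patterns keyed by names from the page's first reference /
# first rule lists. Real CRS rules are far more thorough than these.
PAYLOAD_RULES = {
    "injection": re.compile(
        r"(?i)(\bunion\b\s+(?:all\s+)?\bselect\b|'\s*or\s*'?\d+'?\s*=\s*'?\d+)"),
    "cross-site scripting (XSS)": re.compile(
        r"(?i)(<\s*/?\s*script\b[^>]*>|\bon[a-z]+\s*=)"),
    "REQUEST-930-APPLICATION-ATTACK-LFI": re.compile(r"(?:\.\./|\.\.\\)+"),
}


def _decoded_fields(req):
    """Inspect URL and body after URL-decoding, as the application would see them."""
    return {"url": unquote_plus(req.url), "body": unquote_plus(req.body)}


def determine_risk(req):
    matched = []
    # REQUEST-911-METHOD-ENFORCEMENT: an unexpected method cannot be "fixed" by
    # editing the payload, so it contributes to blocking but not to modification.
    if req.method.upper() not in ALLOWED_METHODS:
        matched.append(("REQUEST-911-METHOD-ENFORCEMENT", "method"))
    # REQUEST-913-SCANNER-DETECTION: an absent User-Agent is treated as a
    # scanner indicator here (a constructed simplification).
    if not req.headers.get("User-Agent"):
        matched.append(("REQUEST-913-SCANNER-DETECTION", "headers"))
    for field_name, text in _decoded_fields(req).items():
        for name, pattern in PAYLOAD_RULES.items():
            if pattern.search(text):
                matched.append((name, field_name))
    payload_hits = [m for m in matched if m[1] in ("url", "body")]
    return RiskResult(blocking_reasonable=bool(matched),
                      modification_necessary=bool(payload_hits),
                      matched=tuple(matched))


def modify_request(req, risk):
    """Data changing module: delete matched payload from the decoded URL/body.

    Returns the request unchanged when no modification is necessary. The
    modified fields are returned in decoded form (a design choice of this toy).
    """
    if not risk.modification_necessary:
        return req
    fields = _decoded_fields(req)
    for name, field_name in risk.matched:
        pattern = PAYLOAD_RULES.get(name)
        if pattern is not None and field_name in fields:
            fields[field_name] = pattern.sub("", fields[field_name])
    return replace(req, url=fields["url"], body=fields["body"])


if __name__ == "__main__":
    ua = {"User-Agent": "Mozilla/5.0"}
    r = WebRequest("GET", "/item?id=1%27%20OR%20%271%27%3D%271", ua)
    risk = determine_risk(r)
    print(risk)
    print(modify_request(r, risk).url)
```

The decode-then-match step matters: a filter that matches on the raw, percent-encoded request misses the same payload the application will decode. Whether to pass a modified request on at all (rather than block) is a policy decision; the sketch only shows that the two outcomes are computed separately, as the page describes.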
  • web request data, and a resulting risk of the web request data may be stored in the storage module 114 .
  • At least one of web request data which is received in the first communication module 112 from the second communication module 210 , and a resulting risk of the web request data determined in the risk determining module 220 may be stored in the storage module 114 .
  • At least one of response data received in the first communication module 112 from the second communication module 210 , and a resulting risk of the response data determined in the risk determining module 220 may be stored in the storage module 114 .
  • the first control module 111 may control the first communication module 112 to prepare for the resulting risk of the web request data.
  • the first control module 111 may determine whether or not a corresponding resulting risk of the web request data is stored in the storage module 114 when the first communication module 112 receives the web request data from the user terminal 1 .
  • the first control module 111 may control the first communication module 112 to prepare for the resulting risk of the web request data by using the corresponding resulting risk of the web request data.
  • the first control module 111 may control the first communication module 112 to block the corresponding web request data.
  • the first control module 111 may control the first communication module 112 to transmit the corresponding web request data to the web application 120 .
  • the first control module 111 may control the first communication module 112 to prepare for the resulting risk of the response data.
  • the first control module 111 may determine whether or not a resulting risk of corresponding response data is stored in the storage module 114 when the first communication module 112 receives the response data from the web application 120 .
  • the first control module 111 may control the first communication module 112 to prepare for the resulting risk of response data by using the resulting risk of corresponding response data.
  • the first control module 111 may control the first communication module 112 to block the corresponding response data.
  • the first control module 111 may control the first communication module 112 to transmit the corresponding response data to the user terminal 1 .
  • the resulting risk of the web request data or the resulting risk of the response data is stored in the storage module 114, and thus the filter unit 110 can filter the web request data rapidly and accurately. This also prepares for the case where transmission and reception between the web firewall daemon 200 and the filter unit 110 is not smooth.
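As an added example (not code from the patent or from F1 Security), the following Python sketch shows the first control module 111 consulting the storage module 114 before asking the web firewall daemon 200, for both web request data and response data, and what it does when the daemon cannot be reached. The daemon here is a constructed stand-in with one toy rule per direction, the cache key is a hash of the inspected fields, and "block when the daemon is unavailable" is an assumed policy (the page only says the stored results let filtering continue).

```python
# Added example: first control module (111) + storage module (114) behaviour.
# SampleDaemon is a constructed stand-in for the web firewall daemon (200).
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class WebRequest:
    method: str
    url: str
    body: str = ""


@dataclass(frozen=True)
class WebResponse:
    status: int
    body: str


class DaemonUnavailable(Exception):
    """Raised when transmission to/from the web firewall daemon is not smooth."""


class SampleDaemon:
    """Constructed stand-in: one toy rule for requests, one for responses."""

    def __init__(self):
        self.up = True
        self.calls = 0

    def assess_request(self, req):
        self._check_up()
        return "block" if "../" in req.url else "pass"      # path traversal toy

    def assess_response(self, resp):
        self._check_up()
        # Constructed "sensitive data exposure" marker in a response body.
        return "block" if "BEGIN PRIVATE KEY" in resp.body else "pass"

    def _check_up(self):
        self.calls += 1
        if not self.up:
            raise DaemonUnavailable()


def _key(prefix, *parts):
    """Storage-module key: hash of every field the daemon inspects."""
    digest = hashlib.sha256("\x1f".join(parts).encode()).hexdigest()
    return prefix + ":" + digest


class FilterUnit:
    def __init__(self, daemon, fail_closed=True):
        self.daemon = daemon
        self.fail_closed = fail_closed   # assumed policy when the daemon is down
        self.storage = {}                # storage module 114: key -> "block"/"pass"

    def _decide(self, key, ask_daemon):
        """Return (verdict, source) where source is storage, daemon or fallback."""
        verdict = self.storage.get(key)
        if verdict is not None:
            return verdict, "storage"
        try:
            verdict = ask_daemon()
        except DaemonUnavailable:
            return ("block" if self.fail_closed else "pass"), "fallback"
        self.storage[key] = verdict
        return verdict, "daemon"

    def handle_request(self, req):
        key = _key("req", req.method, req.url, req.body)
        return self._decide(key, lambda: self.daemon.assess_request(req))

    def handle_response(self, resp):
        key = _key("resp", str(resp.status), resp.body)
        return self._decide(key, lambda: self.daemon.assess_response(resp))


if __name__ == "__main__":
    daemon = SampleDaemon()
    unit = FilterUnit(daemon)
    req = WebRequest("GET", "/index.html")
    print(unit.handle_request(req))   # first time: asks the daemon
    print(unit.handle_request(req))   # second time: served from storage
```

The caveat a practitioner would want: a stored "pass" is reused for any later message with the same key, so the key must cover every field the daemon actually inspects (here headers are deliberately left out of the key, which would be wrong if the daemon's rules looked at them). Stored "block" results are cheaper to get wrong than stored "pass" results.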
  • the information obtaining module 113 may obtain an IP (Internet protocol) address and URL (uniform resource locator) information of the user terminal 1 that has transmitted the web request data from the web request data.
  • the first communication module 112 may transmit the IP address and URL information of the user terminal 1 which are obtained in the information obtaining module 113 to the second communication module 210 .
  • the risk determining module 220 may determine a risk of the web request data by analyzing the IP address and URL information of the user terminal 1 received in the second communication module 210 .
  • the risk determining module 220 may generate a request for additional information when the IP address and URL information of the user terminal 1 are not sufficient for determining the risk of the web request data.
  • the second communication module 210 may transmit the request for additional information to the first communication module 112 .
  • the information obtaining module 113 may obtain additional information in association with the request for additional information from the web request data.
  • the first communication module 112 may transmit the additional information obtained from the web request data by the information obtaining module 113 to the second communication module 210 .
  • the risk determining module 220 may analyze the additional information received in the second communication module 210 from the first communication module 112 , and determine the risk of the web request data.
  • the second communication module 210 may transmit to the first communication module 112 the resulting risk of the web request data which is determined by analyzing the additional information by the risk determining module 220 .
  • FIG. 4 is a view showing a schematic flow of a web attack detection and blocking method according to an embodiment of the present invention.
  • the filter unit 110 may receive web request data from the user terminal 1 .
  • the filter unit 110 may control the web application 120 to maintain a standby state.
  • the filter unit 110 may transmit the web request data to the web firewall daemon 200 .
  • the filter unit 110 may obtain an IP address and URL information of the user terminal 1 that has transmitted the web request data.
  • the filter unit 110 may transmit the obtained IP address and the URL information of the user terminal 1 to the web firewall daemon 200 .
  • the web firewall daemon 200 may determine a risk of the web request data by analyzing the IP address and the URL information of the user terminal 1 .
  • the web firewall daemon 200 may generate a request for additional information when the IP address and the URL information of the user terminal 1 are not sufficient for determining the risk of the web request data.
  • the web firewall daemon 200 may transmit the request for additional information to the filter unit 110 .
  • the filter unit 110 may obtain additional information in association with the request for additional information from the web request data.
  • the filter unit 110 may transmit the additional information obtained from the web request data to the web firewall daemon 200 .
  • the web firewall daemon 200 may determine the risk of the web request data by analyzing the additional information.
  • the web firewall daemon 200 may transmit the resulting risk of the web request data which is determined by analyzing the additional information to the filter unit 110 .
  • the web firewall daemon 200 may determine the risk by analyzing the web request data.
  • the web firewall daemon 200 may modify the web request data when it determines, according to the resulting risk, that changes in the web request data are necessary.
  • the web firewall daemon 200 may generate modified web request data where the web request data is modified.
  • the web firewall daemon 200 may transmit the resulting risk of the web request data to the filter unit 110.
  • the first control module 111 of the filter unit 110 may control the first communication module 112 of the filter unit 110 so as to prepare for the resulting risk of the web request data which is received from the web firewall daemon 200 .
  • the web firewall daemon 200 may transmit the modified web request data to the filter unit 110 .
  • the filter unit 110 may store the web request data and the resulting risk of the web request data.
  • the first control module 111 of the filter unit 110 may control the first communication module 112 of the filter unit 110 so as to prepare for the stored resulting risk of the web request data.
  • According to the system for detecting and blocking a web attack and the method thereof of the present invention, first, a customer customized web security service can be provided without affecting the stability and availability of the web application; second, web security service can be provided regardless of the Internet network situation; third, software can be installed, updated, and upgraded to a new version easily; fourth, security services can be provided while maintaining an existing network configuration; fifth, security services can be provided without changing IP and DNS information; sixth, exposure of the SSL certificate and private key can be prevented and the initial cost of introduction reduced; seventh, the system can be applied to a cloud server environment in a smooth manner; and eighth, the system can be applied to a web application security system, a web server installed in a cloud system, an end point of a mobile application server side, an end point of an IoT user interface, and an end point of a server side.
  • a system for detecting and blocking a web attack, and a method thereof providing the above various effects can have a positive impact on the software and security solutions industries and can be used in many ways.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Technology Law (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A system for detecting and blocking a web attack includes a filter unit receiving web request data from a user terminal, and controlling a web application to maintain a standby state, and a web firewall daemon receiving the web request data from the filter unit and determining a risk by analyzing the web request data and transmitting the resulting risk to the filtering unit. A method of detecting and blocking a web attack includes receiving web request data from a user terminal, controlling a web application to maintain a standby state, transmitting the web request data to a web firewall daemon, determining a risk by analyzing the web request data, and transmitting the risk of the web request data to the filtering unit. Embodiments of the present invention can provide customer customized web security service without affecting the stability and the availability of the web application.

Description

    TECHNICAL FIELD
  • The present invention relates to detecting and blocking web application attacks through a web server providing web services. More particularly, the present invention relates to a system for detecting and blocking a web attack, and a method thereof, the system and method being capable of determining whether or not to block web request data by analyzing the web request data received in the web server.
  • BACKGROUND ART
  • As attacks through the Internet have evolved day by day, attacks over the normal web ports (80 and 443) have also diversified. In addition, intelligent attack methods that continuously discover and exploit function-specific vulnerabilities of web applications continue to appear.
  • It is difficult to handle such intelligent attack methods with conventional network firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), and the like.
  • Web services delivered through cloud services such as AWS (Amazon Web Services) and Microsoft Azure are becoming more and more common. In addition, there is a need to detect and prevent web attacks effectively while removing dependencies on the underlying infrastructure and keeping the system easy to use at low cost, even in a cloud environment.
  • In order to meet these needs, Korean Patent Application Publication No. 10-2010-0058695 (published on Jun. 4, 2010) discloses a profile-based model for web application attack detection and a method of selectively applying it, but it does not satisfy the above needs.
  • In other words, the above-described conventional technique cannot provide a customer customized web security service without affecting the stability and availability of the web application. In addition, communication delay is likely depending on the situation of the Internet network, and the DNS information has to be changed to the service provider's IP information. Accordingly, in order to provide services through HTTPS, the SSL certificate and private key have to be uploaded to the web firewall service provider.
  • (Patent document 1) Korean Patent Application Publication No. 10-2010-0058695 (Published on Jun. 4, 2010)
  • DISCLOSURE Technical Problem
  • Accordingly, the present invention has been made keeping in mind the above problems occurring in the prior art, and the first objective of the present invention is to provide a system for detecting and blocking a web attack, the system being capable of: providing customer customized web security service without affecting the stability and availability of the web application; providing web security service regardless of an Internet network situation; providing easy installation, update, and version upgrade of software; providing security services while maintaining an existing network configuration; providing security services without changing IP and DNS information; preventing the SSL certificate and private key from being exposed and reducing the initial cost of introduction; being applicable to a cloud server environment in a smooth manner; and being applicable to a web application security system, a web server installed in a cloud system, an end point of a mobile application server side, an end point of an IoT user interface, and an end point of a server side.
  • In addition, the second objective of the present invention is to provide a method of detecting and blocking a web attack, the method being capable of: providing customer customized web security service without affecting the stability and availability of the web application; providing web security service regardless of an Internet network situation; providing easy installation, update, and version upgrade of software; providing security services while maintaining an existing network configuration; providing security services without changing IP and DNS information; preventing the SSL certificate and private key from being exposed and reducing the initial cost of introduction; being applicable to a cloud server environment in a smooth manner; and being applicable to a web application security system, a web server installed in a cloud system, an end point of a mobile application server side, an end point of an IoT user interface, and an end point of a server side.
  • Technical Solution
  • In order to accomplish the above first objective, the present invention provides a system for detecting and blocking a web attack, the system including: a filter unit receiving web request data from a user terminal, and controlling a web application to maintain a standby state; and a web firewall daemon receiving the web request data from the filter unit, and determining a risk by analyzing the web request data and transmitting the resulting risk of the web request data to the filtering unit.
  • The filtering unit may include: a first communication module performing communication with the web firewall daemon by using the same protocol, and receiving the resulting risk of the web request data from the web firewall daemon; and a first control module controlling the first communication module to prepare for the resulting risk of the web request data.
  • The web firewall daemon may include: a second communication module receiving the web request data from the filtering unit; a risk determining module determining the risk by analyzing the web request data received in the second communication module; and a data changing module modifying the web request data when it is determined that the resulting risk of the web request data represents that changes in the web request data are necessary so as to generate modified web request data, wherein the second communication module may transmit the modified web request data to the filtering unit.
  • The filtering unit may further include: a storage module for storing the web request data and the resulting risk of the web request data, wherein the first control module may control the first communication module to prepare for the resulting risk of the web request data by using the resulting risk of the web request data stored in the storage module.
  • The filtering unit may further include: an information obtaining module obtaining an IP (Internet protocol) address and URL (uniform resource locator) information of the user terminal that has transmitted the web request data from the web request data, wherein the first communication module may transmit to the second communication module the IP address and the URL information of the user terminal, the IP address and the URL information being obtained in the information obtaining module, the risk determining module may determine the risk of the web request data by analyzing the IP address and the URL information of the user terminal, the IP address and the URL information being received in the second communication module, and when it is determined that the IP address and the URL information of the user terminal are not sufficient for determining the risk of the web request data, the risk determining module may generate a request for additional information, and the second communication module may transmit the request for additional information to the first communication module.
  • The information obtaining module may obtain additional information in association with the request for additional information from the web request data, the first communication module may transmit the additional information obtained in the information obtaining module from the web request data to the second communication module, the risk determining module may determine the risk of the web request data by analyzing the additional information received in the second communication module, and the second communication module may transmit the resulting risk of the web request data to the first communication module which is obtained by analyzing the additional information in the risk determining module.
  • In order to accomplish the above second objective, the present invention provides a method of detecting and blocking a web attack, the method including: receiving, by a filtering unit, web request data from a user terminal; controlling, by the filtering unit, a web application to maintain a standby state; transmitting, by the filtering unit, the web request data to a web firewall daemon; determining, by the web firewall daemon, a risk by analyzing the web request data; and transmitting, by the web firewall daemon, the risk of the web request data to the filtering unit.
  • The transmitting, by the web firewall daemon, of the risk of the web request data to the filtering unit may include: controlling, by a first control module, a first communication module to prepare for the risk of the web request data which is received in the first control module from the web firewall daemon.
  • The determining, by the web firewall daemon, of the risk by analyzing the web request data may include: modifying, by the web firewall daemon, the web request data when it is determined that the resulting risk of the web request data represents that modification on the web request data is necessary; and generating, by the web firewall daemon, modified web request data where the web request data has been modified, and the transmitting, by the web firewall daemon, of the risk of the web request data to the filtering unit may include: transmitting, by the web firewall daemon, the modified web request data to the filtering unit.
  • The transmitting, by the web firewall daemon, of the risk of the web request data to the filtering unit may include: storing, by the filtering unit, the web request data and the resulting risk of the web request data; and controlling, by the first control module, the first communication module to prepare for the risk of the web request data by using the stored resulting risk of the web request data.
  • The transmitting, by the filtering unit, of the web request data to the web firewall daemon may include: obtaining, by the filtering unit, an IP address and URL information of the user terminal that has transmitted the web request data; transmitting, by the filtering unit, the obtained IP address and the URL information of the user terminal to the web firewall daemon; determining, by the web firewall daemon, the risk of the web request data by analyzing the IP address and the URL information of the user terminal; generating, by the web firewall daemon, a request for additional information when the IP address and the URL information of the user terminal are not sufficient for determining the risk of the web request data; and transmitting, by the web firewall daemon, the request for additional information to the filtering unit.
  • The transmitting, by the web firewall daemon, of the request for additional information to the filtering unit may include: obtaining, by the filtering unit, additional information in association with the request for additional information from the web request data; transmitting, by the filtering unit, the additional information obtained from the web request data to the web firewall daemon; determining, by the web firewall daemon, the risk of the web request data by analyzing the additional information; and transmitting, by the web firewall daemon, the resulting risk of the web request data which is determined by analyzing the additional information to the filtering unit.
  • Advantageous Effects
  • According to the system for detecting and blocking a web attack, and the method thereof of the present invention described above, first, customer customized web security service can be provided without affecting the stability and the availability of the web application.
  • Second, the present invention can provide web security service regardless of an Internet network situation.
  • Third, the present invention can provide easy installation, update, and version upgrade of software.
  • Fourth, the present invention can provide security services while maintaining an existing network configuration.
  • Fifth, the present invention can provide security services without changing IP and DNS information.
  • Sixth, the present invention can prevent the SSL certificate and private key from being exposed, and reduce the initial cost of introduction.
  • Seventh, the present invention can be applied to a cloud server environment in a smooth manner.
  • Eighth, the present invention can be applied to a web application security system, a web server installed in a cloud system, an end point of a mobile application server side, an end point of an IoT user interface, and an end point of a server side.
  • DESCRIPTION OF DRAWINGS
  • FIG. 1 is a view showing a schematic configuration of a web attack detecting and blocking system according to an embodiment of the present invention.
  • FIG. 2 is a view showing a schematic configuration of a filtering unit that is a partial configuration of the present invention.
  • FIG. 3 is a view showing a schematic configuration of a web firewall daemon that is a partial configuration of the present invention.
  • FIG. 4 is a view showing a schematic flow of a web attack detection and blocking method according to an embodiment of the present invention.
  • BEST MODE
  • All terms or words used herein should not be interpreted as being limited merely to common and dictionary meanings but should be interpreted as having meanings and concepts which are defined within the technical scope of the present invention.
  • In the present specification, a description of a certain part “including” certain constituents means capable of further including other constituents, and does not exclude other constituents unless particularly stated on the contrary. Further, the terms “ . . . unit”, “ . . . module”, and “ . . . means” described in the present specification refer to a unit for processing at least one function or operation, and may be implemented as hardware, software, or a combination thereof.
  • Terms used in the embodiments of the present invention will be briefly described, and the embodiments will be described in detail.
  • Technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which example embodiments of the present invention belong. It will be further understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the relevant art and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein. Also, terms used herein are defined to appropriately describe exemplary embodiments of the present invention and thus may be changed depending on the intent of a user or an operator, or a custom. Accordingly, the terms must be defined based on the following overall description of this specification.
  • In an example of the present invention, although terms including an ordinal number such as first or second may be used to describe various elements, the elements are not limited by these terms. These terms are used only to distinguish one element from another element. For example, a first element could be termed a second element, and a second element could similarly be termed a first element without departing from the scope of the present invention. As used herein, the term “and/or” includes any and all combinations of one or more of the associated listed items.
  • In addition, in an example embodiment, singular expressions used herein include plural expressions unless they have definitely opposite meanings in the context.
  • Further, in this specification, a term “comprise” or “have” indicates presence of a characteristic, numeral, step, operation, element, component, or combination thereof described in the specification and does not exclude presence or addition of at least one other characteristic, numeral, step, operation, element, component, or combination thereof.
  • In an example embodiment, “a module” or “a unit” performs at least one function or operation, and may be realized as hardware, software, or combination thereof. Further, except the “modules” or “units” that have to be implemented by certain hardware, a plurality of “modules” or a plurality of “units” may be integrated into at least one module and realized as at least one processor (not illustrated).
  • In the example embodiments, in the case where a certain part is “connected” to the other part, it may include not only the case where the part is “directly connected” to the other part, but also the case where the part is “electrically connected” to the other part with another element interposed therebetween.
  • Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings.
  • FIG. 1 is a view showing a schematic configuration of a web attack detecting and blocking system according to an embodiment of the present invention, FIG. 2 is a view showing a schematic configuration of a filtering unit that is a partial configuration of the present invention, and FIG. 3 is a view showing a schematic configuration of a web firewall daemon that is a partial configuration of the present invention.
  • Referring to FIGS. 1 to 3, a system 10 for detecting and blocking a web attack may include a filter unit 110 and a web firewall daemon 200.
  • In addition, the filter unit 110 may include a first control module 111, a first communication module 112, an information obtaining module 113, and a storage module 114.
  • Also, the web firewall daemon 200 may include a second communication module 210, a risk determining module 220, and a data changing module 230.
  • The filter unit 110 may receive web request data from a user terminal 1, and control the web application 120 to maintain a standby state.
  • In addition, the filter unit 110 may be employed by being embedded in a web server daemon 100.
  • Herein, the user terminal 1 may be any of various electronic devices such as a smartphone, smart watch, smart glasses, tablet PC, laptop PC, etc.
  • Also, the web firewall daemon 200 may receive web request data from the filter unit 110, and determine a risk by analyzing the web request data.
  • The web firewall daemon 200 may transmit the resulting risk of the web request data to the filter unit 110.
  • Herein, the web firewall daemon 200 may be employed by being physically completely separated from the filter unit 110 that is employed by being embedded in the web server daemon 100.
  • Accordingly, the web application 120 is not affected even when a bug or an error occurs in the web firewall.
  • Accordingly, when the web firewall is updated or upgraded to a new version, the web server daemon 100 can continue to serve web requests without being restarted or stopped.
  • The first communication module 112 and the second communication module 210 may perform communication with each other by using the same protocol.
  • In addition, the first communication module 112 may receive the resulting risk of the web request data from the web firewall daemon 200.
  • In addition, the first control module 111 may control the first communication module 112 to prepare for the resulting risk of the web request data which is received in the first communication module 112 from the web firewall daemon 200.
  • In detail, the first control module 111 may control the first communication module 112 to block the corresponding web request data when it is determined that the resulting risk of the web request data represents that blocking the web request data is reasonable.
  • In addition, the first control module 111 may control the first communication module 112 to transmit the corresponding web request data to the web application 120 when it is determined that the resulting risk of the web request data represents that passing the web request data is reasonable.
  • Also, the first communication module 112 may receive response data in association with the web request data from the web application 120.
  • In addition, the first communication module 112 may transmit response data in association with the web request data to the second communication module 210.
  • Also, the first communication module 112 may receive a resulting risk of response data determined in the risk determining module 220 from the second communication module 210.
  • In addition, the first control module 111 may control the first communication module 112 to prepare for the resulting risk of the response data received in the first communication module 112 from the second communication module 210.
  • In detail, the first control module 111 may control the first communication module 112 to block the corresponding response data when it is determined that the resulting risk of the response data represents that blocking the response data is reasonable.
  • In addition, the first control module 111 may control the first communication module 112 to transmit the corresponding response data to the user terminal 1 that has transmitted the web request data when it is determined that the resulting risk of the response data represents that passing the response data is reasonable.
  • The second communication module 210 may receive web request data from the filter unit 110.
  • In addition, the risk determining module 220 may determine a risk by analyzing the web request data received in the second communication module 210 from the first communication module 112.
  • Also, the risk determining module 220 may determine a risk by analyzing response data received in the second communication module 210 from the first communication module 112.
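The exchange between the filter unit and the web firewall daemon described in the FIG. 4 flow and in the module description above (IP address and URL sent first, additional information supplied only when the daemon asks for it, the verdict kept in the storage module and reused when the daemon cannot be reached, and a modified request handed back by the data changing module), shown as an added Python example. This is not code from the patent or from F1 Security; the class names, the in-memory rules, the X-Forwarded-For stripping and the sample requests are constructed for illustration.

```python
# Filter unit <-> web firewall daemon exchange with a verdict store.
# Added example, not the patent's code. Class names, rules and samples are assumptions.
import hashlib
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Tuple


class Verdict(Enum):
    PASS = "pass"            # forward the request to the web application
    BLOCK = "block"          # drop the request
    NEED_MORE = "need_more"  # IP and URL were not enough; daemon wants more fields


@dataclass
class Request:
    client_ip: str
    url: str
    method: str = "GET"
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


@dataclass
class Decision:
    verdict: Verdict
    reason: str = ""
    modified: Optional[Request] = None  # set when the daemon rewrote the request


class WafDaemon:
    """Stands in for the separate daemon (risk determining + data changing module)."""

    BLOCKED_IPS = {"203.0.113.7"}              # constructed reputation list
    ALLOWED_METHODS = {"GET", "POST", "HEAD"}

    def assess(self, client_ip: str, url: str) -> Decision:
        """Phase 1: only the client IP and URL are available."""
        if client_ip in self.BLOCKED_IPS:
            return Decision(Verdict.BLOCK, "ip-reputation")
        if "../" in url or "%2e%2e" in url.lower():
            return Decision(Verdict.BLOCK, "path-traversal")
        if url.startswith("/login"):
            # A login URL cannot be judged without method, headers and body.
            return Decision(Verdict.NEED_MORE, "need method, headers, body")
        return Decision(Verdict.PASS)

    def assess_more(self, req: Request) -> Decision:
        """Phase 2: the filter has supplied the requested additional fields."""
        if req.method not in self.ALLOWED_METHODS:
            return Decision(Verdict.BLOCK, "method-enforcement")
        if "' or '1'='1" in req.body.lower():
            return Decision(Verdict.BLOCK, "sqli")
        if "X-Forwarded-For" in req.headers:
            # Data changing module: drop a client-supplied header the backend
            # must not trust, then let the modified request pass.
            clean = {k: v for k, v in req.headers.items() if k != "X-Forwarded-For"}
            fixed = Request(req.client_ip, req.url, req.method, clean, req.body)
            return Decision(Verdict.PASS, "stripped X-Forwarded-For", fixed)
        return Decision(Verdict.PASS)


class FilterUnit:
    """Stands in for the filter unit embedded in the web server daemon."""

    def __init__(self, daemon: Optional[WafDaemon], fail_closed: bool = True):
        self.daemon = daemon      # None models an unreachable / restarting daemon
        self.fail_closed = fail_closed
        self.storage: Dict[Tuple, Decision] = {}   # storage module

    @staticmethod
    def _key(req: Request) -> Tuple:
        # Key on the whole request, not only IP + URL: otherwise a later request
        # with a different body would reuse an earlier PASS verdict.
        raw = repr((req.method, req.url, sorted(req.headers.items()), req.body))
        return (req.client_ip, hashlib.sha256(raw.encode()).hexdigest())

    def handle(self, req: Request) -> Decision:
        key = self._key(req)
        if self.daemon is None:
            if key in self.storage:
                return self.storage[key]          # stored verdict still applies
            policy = Verdict.BLOCK if self.fail_closed else Verdict.PASS
            return Decision(policy, "daemon unreachable")
        decision = self.daemon.assess(req.client_ip, req.url)   # phase 1
        if decision.verdict is Verdict.NEED_MORE:
            decision = self.daemon.assess_more(req)              # phase 2
        self.storage[key] = decision
        return decision


def demo() -> Dict[str, object]:
    """Constructed sample traffic, then the daemon goes away for an upgrade."""
    filt = FilterUnit(WafDaemon())
    sqli = Request("198.51.100.5", "/login", "POST", {}, "user=a' OR '1'='1&pw=x")
    spoof = Request("198.51.100.5", "/login", "POST", {"X-Forwarded-For": "127.0.0.1"}, "user=a&pw=b")
    out = {"benign": filt.handle(Request("198.51.100.5", "/index.html")).verdict,
           "bad_ip": filt.handle(Request("203.0.113.7", "/index.html")).verdict,
           "sqli": filt.handle(sqli).verdict,
           "spoof": filt.handle(spoof)}
    offline = FilterUnit(None)       # daemon down for a restart or version upgrade
    offline.storage = filt.storage   # same storage module contents
    out["cached_sqli_offline"] = offline.handle(sqli).verdict
    out["unknown_offline"] = offline.handle(Request("198.51.100.9", "/new")).verdict
    return out
```

Two points the text leaves implicit: the stored verdict is keyed on the whole request, because keying on IP address and URL alone would let a later request with a different body reuse an earlier pass verdict; and when no stored verdict exists and the daemon is down, the filter must choose between failing closed (blocking) and failing open (passing), which is a policy decision the protocol itself does not settle.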
  • Herein, the risk determined in the risk determining module 220 is for determining various attack risks that may be included in web request data, response data to web request data, etc.
  • In detail, the risk determining module 220 may determine that changes in web request data, response data, etc. are necessary when the web request data, the response data, etc. include web attack risks based on HTTPS/HTTP v1.0, v1.1, v2, and determine that blocking of the web request data, the response data, etc. is reasonable.
  • Also, the risk determining module 220 may determine that web request data, response data, etc. are abnormal when the web request data, the response data, etc. include a preset first reference that is at least one of injection, broken authentication and session management, sensitive data exposure, XML external entities (XXE), broken access control, security misconfiguration, cross-site scripting (XSS), insecure deserialization, use of components with known vulnerabilities, and insufficient logging and monitoring (the categories of the OWASP Top 10 2017). Accordingly, the risk determining module 220 may derive a result that blocking of the web request data, the response data, etc. is reasonable, and determine that changes in the web request data, the response data, etc. are necessary.
  • Herein, the injection may include SQL/XQuery/XPath/LDAP injection.
  • Also, the risk determining module 220 may derive a result that blocking of the web request data, the response data, etc. is reasonable by using a preset first rule of at least one of rules to protect against known spammers or malicious activity (REQUEST-910-IP-REPUTATION), rules to lock down methods (PUT, PATCH, etc.) (REQUEST-911-METHOD-ENFORCEMENT), rules to protect against denial of service (DoS) attacks (REQUEST-912-DOS-PROTECTION), rules to protect against port and environment scanners (REQUEST-913-SCANNER-DETECTION), rules to protect against protocol and encoding issues (REQUEST-920-PROTOCOL-ENFORCEMENT), rules to protect against header injection, request smuggling, and response splitting (REQUEST-921-PROTOCOL-ATTACK), rules to protect against file and path attacks (REQUEST-930-APPLICATION-ATTACK-LFI), rules to protect against remote file inclusion (RFI) (REQUEST-931-APPLICATION-ATTACK-RFI), rules to protect against remote code execution (REQUEST-932-APPLICATION-ATTACK-RCE), rules to protect against PHP injection attacks (REQUEST-933-APPLICATION-ATTACK-PHP), rules to protect against cross-site scripting (REQUEST-941-APPLICATION-ATTACK-XSS), rules to protect against SQL injection attacks (REQUEST-942-APPLICATION-ATTACK-SQLI), and rules to protect against session fixation attacks (REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION); these rule set names follow the OWASP ModSecurity Core Rule Set. In addition, the risk determining module 220 may determine that changes in the web request data, the response data, etc. are necessary.
  • In addition, when the web request data, the response data, etc. include at least one of the preset first references, the risk determining module 220 may determine that changes in the web request data, the response data, etc. are necessary.
  • Also, the risk determining module 220 may determine a risk of the web request data, the response data, etc. by determining whether or not they satisfy the Payment Card Industry Data Security Standard (PCI DSS).
  • In other words, the risk determining module 220 may derive a result that the web request data, the response data, etc. are normal when they satisfy PCI DSS, and may derive a result that blocking them is reasonable, and that changes in them are necessary, when they do not.
  • In addition, the risk determining module 220 may derive a result that blocking of the web request data, the response data, etc. is reasonable when the web request data, the response data, etc. include a preset second reference that is at least one of a directory listing vulnerability, a file download vulnerability, a cross-site scripting vulnerability, a file upload vulnerability, a WebDAV vulnerability, a Technote or Zeroboard bulletin-board vulnerability, and an SQL injection vulnerability, and determine that changes in the web request data, the response data, etc. are necessary.
  • Also, the risk determining module 220 may derive a result that blocking of the web request data, the response data, etc. is reasonable when the web request data, the response data, etc. correspond to URI file forgeries, and determine that changes in the web request data, the response data, etc. are necessary.
  • In addition, when the risk determining module 220 determines, from the resulting risk of the web request data, that changes in the web request data are necessary, the data changing module 230 may modify the web request data and generate modified web request data.
  • Also, modifying, by the data changing module 230, the web request data may include changes in payload of the web request data.
  • In addition, the data changing module 230 may modify the web request data by using the preset first rule, that is, at least one of the same rule groups (REQUEST-910-IP-REPUTATION through REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION) enumerated above for the risk determining module 220, and generate modified web request data.
  • Also, the above-described risk determining module 220 and data changing module 230 may be applied not only to web request data but also to response data, including response data returned for the modified web request data.
  • In addition, the second communication module 210 may transmit modified web request data to the filter unit 110.
  • Also, web request data, and a resulting risk of the web request data may be stored in the storage module 114.
  • In detail, at least one of web request data which is received in the first communication module 112 from the second communication module 210, and a resulting risk of the web request data determined in the risk determining module 220 may be stored in the storage module 114.
  • Also, at least one of response data received in the first communication module 112 from the second communication module 210, and a resulting risk of the response data determined in the risk determining module 220 may be stored in the storage module 114.
  • In addition, by using a resulting risk of web request data which is stored in the above-described storage module 114, the first control module 111 may control the first communication module 112 to prepare for (that is, act on, by blocking or passing) the resulting risk of the web request data.
  • In detail, the first control module 111 may determine whether or not a corresponding resulting risk of the web request data is stored in the storage module 114 when the first communication module 112 receives the web request data from the user terminal 1.
  • In addition, when the corresponding resulting risk of the web request data is stored in the storage module 114, the first control module 111 may control the first communication module 112 to prepare for the resulting risk of the web request data by using the corresponding resulting risk of the web request data.
  • In other words, when it is represented that blocking of the web request data is reasonable in the corresponding resulting risk of the web request data which is stored in the storage module 114, the first control module 111 may control the first communication module 112 to block the corresponding web request data.
  • Also, when it is represented that passing the web request data is reasonable in the corresponding resulting risk of the web request data which is stored in the storage module 114, the first control module 111 may control the first communication module 112 to transmit the corresponding web request data to the web application 120.
  • In addition, by using a resulting risk of response data which is stored in the above-described storage module 114, the first control module 111 may control the first communication module 112 to prepare for the resulting risk of the response data.
  • In detail, the first control module 111 may determine whether or not a resulting risk of corresponding response data is stored in the storage module 114 when the first communication module 112 receives the response data from the web application 120.
  • In addition, when the resulting risk of corresponding response data is stored in the storage module 114, the first control module 111 may control the first communication module 112 to prepare for the resulting risk of response data by using the resulting risk of corresponding response data.
  • In other words, when it is represented that blocking the response data is reasonable in the resulting risk of the response data which is stored in storage module 114, the first control module 111 may control the first communication module 112 to block the corresponding response data.
  • Also, when it is represented that passing the response data is reasonable in the resulting risk of the response data which is stored in storage module 114, the first control module 111 may control the first communication module 112 to transmit the corresponding response data to the user terminal 1.
  • As described above, the resulting risk of the web request data or the resulting risk of the response data is stored in the storage module 114, and thus the filter unit 110 can filter the web request data rapidly and accurately without a further round trip to the web firewall daemon 200. This also provides a fallback for the case where transmission and reception between the web firewall daemon 200 and the filter unit 110 are not smooth.
  • In addition, the information obtaining module 113 may obtain, from the web request data, the IP (Internet protocol) address and URL (uniform resource locator) information of the user terminal 1 that transmitted the web request data.
  • Also, the first communication module 112 may transmit the IP address and URL information of the user terminal 1 which are obtained in the information obtaining module 113 to the second communication module 210.
  • In addition, the risk determining module 220 may determine a risk of the web request data by analyzing the IP address and URL information of the user terminal 1 received in the second communication module 210.
  • Also, the risk determining module 220 may generate a request for additional information when the IP address and URL information of the user terminal 1 are not sufficient for determining the risk of the web request data.
  • In addition, the second communication module 210 may transmit the request for additional information to the first communication module 112.
  • Also, the information obtaining module 113 may obtain additional information in association with the request for additional information from the web request data.
  • In addition, the first communication module 112 may transmit the additional information obtained from the web request data by the information obtaining module 113 to the second communication module 210.
  • Also, the risk determining module 220 may analyze the additional information received in the second communication module 210 from the first communication module 112, and determine the risk of the web request data.
  • In addition, the second communication module 210 may transmit to the first communication module 112 the resulting risk of the web request data which is determined by analyzing the additional information by the risk determining module 220.
  • FIG. 4 is a view showing a schematic flow of a web attack detection and blocking method according to an embodiment of the present invention.
  • Referring to FIG. 4, in S430, the filter unit 110 may receive web request data from the user terminal 1.
  • Subsequently, in S431, the filter unit 110 may control the web application 120 to maintain a standby state.
  • Subsequently, in S432, the filter unit 110 may transmit the web request data to the web firewall daemon 200.
  • The filter unit 110 may obtain an IP address and URL information of the user terminal 1 that has transmitted the web request data.
  • Subsequently, the filter unit 110 may transmit the obtained IP address and the URL information of the user terminal 1 to the web firewall daemon 200.
  • Also, the web firewall daemon 200 may determine a risk of the web request data by analyzing the IP address and the URL information of the user terminal 1.
  • Subsequently, the web firewall daemon 200 may generate a request for additional information when the IP address and the URL information of the user terminal 1 are not sufficient for determining the risk of the web request data.
  • Also, the web firewall daemon 200 may transmit the request for additional information to the filter unit 110.
  • Subsequently, the filter unit 110 may obtain additional information in association with the request for additional information from the web request data.
  • Also, the filter unit 110 may transmit the additional information obtained from the web request data to the web firewall daemon 200.
  • Subsequently, the web firewall daemon 200 may determine the risk of the web request data by analyzing the additional information.
  • Also, the web firewall daemon 200 may transmit the resulting risk of the web request data which is determined by analyzing the additional information to the filter unit 110.
  • Subsequently, in S433, the web firewall daemon 200 may determine the risk by analyzing the web request data.
  • Also, the web firewall daemon 200 may modify the web request data when the web firewall daemon 200 determined that changes in the web request data are necessary according to the resulting determination.
  • Subsequently, the web firewall daemon 200 may generate modified web request data where the web request data is modified.
  • Subsequently, in S434, the web firewall daemon 200 may transmit the resulting risk of the web request data to the filter unit 110.
  • Subsequently, the first control module 111 of the filter unit 110 may control the first communication module 112 of the filter unit 110 so as to prepare for the resulting risk of the web request data which is received from the web firewall daemon 200.
  • Also, the web firewall daemon 200 may transmit the modified web request data to the filter unit 110.
  • Subsequently, the filter unit 110 may store the web request data and the resulting risk of the web request data.
  • Subsequently, by using the stored web request data and the resulting risk of the web request data, the first control module 111 of the filter unit 110 may control the first communication module 112 of the filter unit 110 so as to prepare for the stored resulting risk of the web request data.
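  • To tie together the storage-module caching described for the filter unit 110 and the IP/URL-first, then additional-information exchange with the web firewall daemon 200 in the FIG. 4 flow, the following is an added example (not the patent's code) that simulates both sides in one process with dict messages. The message field names, the cache key, the IP and path denylists, the content check inside the daemon and the sample requests (which use documentation address ranges) are all assumptions of the example.

```python
import hashlib
import json


class WebFirewallDaemon:
    """Stand-in for the web firewall daemon (200). A first verdict is attempted
    on the IP address and URL alone (S433); if they are not sufficient, the
    daemon asks the filter unit for additional information and judges on that."""

    def __init__(self, bad_ips, bad_path_prefixes):
        self.bad_ips = set(bad_ips)                      # constructed denylist
        self.bad_path_prefixes = tuple(bad_path_prefixes)  # constructed denylist
        self.messages_seen = 0                           # for observing round trips

    def handle(self, msg):
        self.messages_seen += 1
        if msg["type"] == "risk_query":
            if msg["ip"] in self.bad_ips:
                return {"type": "risk_result", "block": True, "reason": "ip-reputation"}
            if msg["url"].startswith(self.bad_path_prefixes):
                return {"type": "risk_result", "block": True, "reason": "url-denylist"}
            # IP and URL are not sufficient: request more of the web request data.
            return {"type": "additional_info_request", "fields": ["method", "body"]}
        if msg["type"] == "additional_info":
            # Deliberately tiny content check, constructed for the example.
            bad = msg["method"] not in ("GET", "POST", "HEAD") or "../" in msg["body"]
            return {"type": "risk_result", "block": bad,
                    "reason": "request-content" if bad else "clean"}
        raise ValueError("unknown message type %r" % msg["type"])


class FilterUnit:
    """Stand-in for the filter unit (110): keeps the web application in standby
    until a verdict exists, stores verdicts in the storage module (114), and
    blocks or forwards according to the stored or freshly received verdict."""

    def __init__(self, daemon, web_application):
        self.daemon = daemon
        self.web_application = web_application
        self.storage = {}   # storage module: request key -> risk result

    @staticmethod
    def request_key(req):
        # Assumed cache key. The description only says the request and its risk
        # are stored; the client IP is included so that an IP-based verdict for
        # one client is never replayed against another client's identical request.
        fields = [req["ip"], req["method"], req["url"], req["body"]]
        return hashlib.sha256(json.dumps(fields).encode()).hexdigest()

    def handle(self, req):
        key = self.request_key(req)
        risk = self.storage.get(key)
        if risk is None:
            # Web application stays in standby: nothing is forwarded yet (S431).
            reply = self.daemon.handle({"type": "risk_query",
                                        "ip": req["ip"], "url": req["url"]})
            if reply["type"] == "additional_info_request":
                extra = {"type": "additional_info"}
                extra.update({f: req[f] for f in reply["fields"]})
                reply = self.daemon.handle(extra)
            risk = reply
            self.storage[key] = risk   # remembered for the next identical request
        if risk["block"]:
            return {"status": 403, "reason": risk["reason"]}
        return self.web_application(req)


def demo_web_application(req):
    """Constructed stand-in for the web application (120)."""
    return {"status": 200, "body": "served " + req["url"]}


if __name__ == "__main__":
    daemon = WebFirewallDaemon(bad_ips=["203.0.113.9"], bad_path_prefixes=["/admin/"])
    filter_unit = FilterUnit(daemon, demo_web_application)
    good = {"ip": "198.51.100.7", "method": "GET", "url": "/index.html", "body": ""}
    print(filter_unit.handle(good), daemon.messages_seen)   # served, 2 messages
    print(filter_unit.handle(good), daemon.messages_seen)   # served from storage, still 2
    print(filter_unit.handle(dict(good, ip="203.0.113.9")))  # blocked on IP reputation
```

  • Two points a practitioner would check in a real deployment: the stored verdict must be keyed on everything the daemon looked at (here the IP is part of the key for exactly that reason), and a cached "pass" needs an expiry or invalidation when the daemon's rules are updated, which the description does not address.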
  • Configurations and operations of a web attack detection and blocking system and a method thereof according to the present invention may be employed as described above. Meanwhile, in the above description of the present invention, specific embodiments have been described, but various modifications may be made without departing from the scope of the present invention.
  • Although the present invention has been described with reference to the limited embodiments and the drawings, the present invention is not limited thereto, and various modifications and changes can be made by those skilled in the art to which the present invention pertains.
  • Those skilled in the art will appreciate that the present invention may be embodied in a modified form without departing from its essential characteristics. Therefore the embodiments described above should be considered in a descriptive way, not in a limitative way. The scope of the present invention is shown in the claims rather than the foregoing description, and all differences within the scope will be construed as being included in the present invention.
  • DESCRIPTION OF THE REFERENCE NUMERALS
      • 1: user terminal
      • 2: network firewall
      • 10: web attack detection and blocking system
      • 100: web server daemon
      • 110: filter unit
      • 111: first control module
      • 112: first communication module
      • 113: information obtaining module
      • 114: storage module
      • 120: web application
      • 200: web firewall daemon
      • 210: second communication module
      • 220: risk determining module
      • 230: data changing module
    INDUSTRIAL APPLICABILITY
  • According to the system for detecting and blocking a web attack, and the method thereof, of the present invention, the following can be provided: a customer-customized web security service that does not affect the stability and availability of the web application; a web security service that works regardless of the Internet network situation; easy installation, update and version upgrade of the software; security services that keep the existing network configuration and require no change of IP or DNS information; protection of the SSL certificate and private key from exposure, together with a reduced initial cost of introduction; smooth application to a cloud server environment; and application to a web application security system, a web server installed in a cloud system, the server-side endpoint of a mobile application, the endpoint of an IoT user interface, and a server-side endpoint in general.
  • A system for detecting and blocking a web attack, and a method thereof providing the above various effects can have a positive impact on the software and security solutions industries and can be used in many ways.

Claims (12)

1: A system for detecting and blocking a web attack, the system comprising:
a filtering unit receiving web request data from a user terminal, and controlling a web application to maintain a standby state; and
a web firewall daemon receiving the web request data from the filter unit, and determining a risk by analyzing the web request data and transmitting the resulting risk of the web request data to the filtering unit.
2: The system of claim 1, wherein the filtering unit includes:
a first communication module performing communication with the web firewall daemon by using the same protocol, and receiving the resulting risk of the web request data from the web firewall daemon; and
a first control module controlling the first communication module to prepare for the resulting risk of the web request data.
3: The system of claim 2, wherein the web firewall daemon includes:
a second communication module receiving the web request data from the filtering unit;
a risk determining module determining the risk by analyzing the web request data received in the second communication module; and
a data changing module modifying the web request data when it is determined that the resulting risk of the web request data represents that changes in the web request data are necessary so as to generate a modified web request data,
wherein the second communication module transmits the modified web request data to the filtering unit.
4: The system of claim 2, wherein the filtering unit further includes: a storage module for storing the web request data and the resulting risk of the web request data,
wherein the first control module controls the first communication module to prepare for the resulting risk of the web request data by using the resulting risk of the web request data stored in the storage module.
5: The system of claim 3, wherein the filtering unit further includes: an information obtaining module obtaining an IP (Internet protocol) address and URL (uniform resource locator) information of the user terminal that has transmitted the web request data from the web request data,
wherein the first communication module transmits to the second communication module the IP address and the URL information of the user terminal, the IP address and the URL information being obtained in the information obtaining module,
the risk determining module determines the risk of the web request data by analyzing the IP address and the URL information of the user terminal, the IP address and the URL information being received in the second communication module, and when it is determined that the IP address and the URL information of the user terminal are not sufficient for determining the risk of the web request data, the risk determining module generates a request for additional information, and
the second communication module transmits the request for additional information to the first communication module.
6: The system of claim 5, wherein the information obtaining module obtains additional information in association with the request for additional information from the web request data,
the first communication module transmits the additional information obtained in the information obtaining module from the web request data to the second communication module,
the risk determining module determines the risk of the web request data by analyzing the additional information received in the second communication module, and
the second communication module transmits the resulting risk of the web request data to the first communication module which is obtained by analyzing the additional information in the risk determining module.
7: A method of detecting and blocking a web attack, the method comprising:
receiving, by a filtering unit, web request data from a user terminal;
controlling, by the filtering unit, a web application to maintain a standby state;
transmitting, by the filtering unit, the web request data to a web firewall daemon;
determining, by the web firewall daemon, a risk by analyzing the web request data; and
transmitting, by the web firewall daemon, the risk of the web request data to the filtering unit.
8: The method of claim 7, wherein the transmitting, by the web firewall daemon, of the risk of the web request data to the filtering unit includes: controlling, by a first control module, a first communication module to prepare for the risk of the web request data which is received in the first control module from the web firewall daemon.
9: The method of claim 8, wherein the determining, by the web firewall daemon, of the risk by analyzing the web request data includes:
modifying, by the web firewall daemon, the web request data when it is determined that the resulting risk of the web request data represents that modification on the web request data is necessary; and
generating, by the web firewall daemon, modified web request data where the web request data has been modified, and
the transmitting, by the web firewall daemon, of the risk of the web request data to the filtering unit includes:
transmitting, by the web firewall daemon, the modified web request data to the filtering unit.
10: The method of claim 8, wherein the transmitting, by the web firewall daemon, of the risk of the web request data to the filtering unit includes:
storing, by the filtering unit, the web request data and the resulting risk of the web request data; and
controlling, by the first control module, the first communication module to prepare for the risk of the web request data by using the stored resulting risk of the web request data.
11: The method of claim 8, wherein the transmitting, by the filtering unit, of the web request data to the web firewall daemon includes:
obtaining, by the filtering unit, an IP address and URL information of the user terminal that has transmitted the web request data;
transmitting, by the filtering unit, the obtained IP address and the URL information of the user terminal to the web firewall daemon;
determining, by the web firewall daemon, the risk of the web request data by analyzing the IP address and the URL information of the user terminal;
generating, by the web firewall daemon, a request for additional information when the IP address and the URL information of the user terminal are not sufficient for determining the risk of the web request data; and
transmitting, by the web firewall daemon, the request for additional information to the filtering unit.
12: The method of claim 11, wherein the transmitting, by the web firewall daemon, of the request for additional information to the filtering unit includes:
obtaining, by the filtering unit, additional information in association with the request for additional information from the web request data;
transmitting, by the filtering unit, the additional information obtained from the web request data to the web firewall daemon;
determining, by the web firewall daemon, the risk of the web request data by analyzing the additional information; and
transmitting, by the web firewall daemon, the resulting risk of the web request data which is determined by analyzing the additional information to the filtering unit.
US16/492,390 2018-06-01 2018-10-11 Web attack detecting and blocking system and method thereof Active 2039-07-21 US11171919B1 (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
KR10-2018-0063747 2018-06-01
KR1020180063747A KR101959544B1 (en) 2018-06-01 2018-06-01 Web attack detection and prevention system and method
PCT/KR2018/011981 WO2019231057A1 (en) 2018-06-01 2018-10-11 System and method for detecting and blocking web attack

Publications (2)

Publication Number Publication Date
US20210328970A1 true US20210328970A1 (en) 2021-10-21
US11171919B1 US11171919B1 (en) 2021-11-09

Family

ID=65948909

Family Applications (1)

Application Number Title Priority Date Filing Date
US16/492,390 Active 2039-07-21 US11171919B1 (en) 2018-06-01 2018-10-11 Web attack detecting and blocking system and method thereof

Country Status (3)

Country Link
US (1) US11171919B1 (en)
KR (1) KR101959544B1 (en)
WO (1) WO2019231057A1 (en)

Family Cites Families (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100470918B1 (en) * 2002-11-14 2005-03-11 한국전자통신연구원 Elusion prevention system and method for firewall censorship on the network
US20060080735A1 (en) * 2004-09-30 2006-04-13 Usa Revco, Llc Methods and systems for phishing detection and notification
KR100958250B1 (en) * 2008-01-09 2010-05-17 한남대학교 산학협력단 Method for Securiting Web Server and Web Firewall Therefor
KR20100058695A (en) 2008-11-25 2010-06-04 박영민 Profile-based models and selective use for web application attack detection
US8458769B2 (en) * 2009-12-12 2013-06-04 Akamai Technologies, Inc. Cloud based firewall system and service
US8751633B2 (en) * 2010-04-01 2014-06-10 Cloudflare, Inc. Recording internet visitor threat information through an internet-based proxy service
KR101005927B1 (en) * 2010-07-05 2011-01-07 펜타시큐리티시스템 주식회사 Method for detecting a web application attack
US20150020188A1 (en) * 2013-07-14 2015-01-15 Check Point Software Technologies Ltd. Network Host Provided Security System for Local Networks
US9654445B2 (en) * 2013-11-13 2017-05-16 ProtectWise, Inc. Network traffic filtering and routing for threat analysis
US9860208B1 (en) * 2014-09-30 2018-01-02 Palo Alto Networks, Inc. Bridging a virtual clone of a target device in a honey network to a suspicious device in an enterprise network
US10044675B1 (en) * 2014-09-30 2018-08-07 Palo Alto Networks, Inc. Integrating a honey network with a target network to counter IP and peer-checking evasion techniques
KR101625338B1 (en) * 2015-10-20 2016-05-27 홍익대학교세종캠퍼스산학협력단 System and method for detecting malicious landing sites
US10855725B2 (en) * 2016-06-02 2020-12-01 Microsoft Technology Licensing, Llc Hardware-based virtualized security isolation

Also Published As

Publication number Publication date
KR101959544B1 (en) 2019-03-18
WO2019231057A1 (en) 2019-12-05
US11171919B1 (en) 2021-11-09


Legal Events

Date Code Title Description
AS Assignment: Owner name: F1 SECURITY INC., KOREA, REPUBLIC OF; Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:LEE, IN YOUNG;LEE, DAE HO;CHOI, SUNG SU;AND OTHERS;REEL/FRAME:050314/0782; Effective date: 20190829
FEPP Fee payment procedure: Free format text: ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: BIG.); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY
FEPP Fee payment procedure: Free format text: ENTITY STATUS SET TO SMALL (ORIGINAL EVENT CODE: SMAL); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY
STCF Information on status: patent grant: Free format text: PATENTED CASE