WO2019231057A1 - Web attack detection and blocking system and method thereof - Google Patents
Web attack detection and blocking system and method thereof
- Publication number: WO2019231057A1 (PCT/KR2018/011981)
- Authority: WO (WIPO (PCT))
- Prior art keywords: web, request data, web request, filter unit, risk
- Prior art date
Classifications (all under H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION; H04L63/00—Network architectures or network communication protocols for network security)
- H04L63/14—for detecting or protecting against malicious traffic → H04L63/1408—by monitoring network traffic → H04L63/1416—Event detection, e.g. attack signature detection
- H04L63/30—for supporting lawful interception, monitoring or retaining of communications or communication related information → H04L63/306—intercepting packet switched data communications, e.g. Web, Internet or IMS communications
- H04L63/02—for separating internal from external traffic, e.g. firewalls → H04L63/0227—Filtering policies
- H04L63/02—for separating internal from external traffic, e.g. firewalls → H04L63/0227—Filtering policies → H04L63/0236—Filtering by address, protocol, port number or service, e.g. IP-address or URL
- H04L63/14—for detecting or protecting against malicious traffic → H04L63/1433—Vulnerability analysis
- H04L63/16—Implementing security features at a particular protocol layer → H04L63/168—Implementing security features at a particular protocol layer above the transport layer
Definitions
- The present invention relates to web attack detection and blocking, which detects and blocks web application attacks passing through a web server that provides a web service. More specifically, it relates to a web attack detection and blocking system, and a method thereof, that analyzes the web request data received by a web server in order to detect and block web attacks.
- The prior art described above cannot provide a customized web security service without affecting the stability and availability of the web application; a communication delay is highly likely depending on the state of the Internet network; the customer's IP must be changed to the vendor's IP; and, in order to serve HTTPS, the SSL certificate and private key have to be uploaded to the web firewall service provider, a problem the prior art cannot solve.
- Patent Document 1: Republic of Korea Patent Publication No. 10-2010-0058695 (published June 4, 2010)
- The first object of the present invention, to solve this problem, is to provide a web attack detection and blocking system that provides a customized web security service without affecting the stability and availability of the web application; provides the web security service regardless of the state of the Internet network; allows easy installation, updates and version upgrades of the software; provides the security service without changing the existing network configuration and without changing IP or DNS; reduces initial introduction cost by eliminating exposure of the SSL certificate and private key; adapts flexibly to a cloud server environment; and can be applied to web application security, web servers installed in the cloud, the END POINT on the mobile app server side, and the IOT user interface and END POINT on the server side.
- The second object is to provide a web attack detection and blocking method with the same properties: a customized web security service that does not affect the stability and availability of web applications, that works regardless of the state of the Internet network, that is easy to install, update and upgrade, that keeps the existing network configuration, IP and DNS intact, that reduces initial introduction cost by eliminating exposure of the SSL certificate and private key, that can be applied flexibly to a cloud server environment, and that can be applied to web application security, web servers installed in the cloud, the END POINT and IOT user interface on the mobile app server side, and the END POINT on the server side.
- To this end, the present invention provides a web attack detection and blocking system including a filter unit that receives web request data from a user terminal and controls the web application so that the web application is kept in a standby state, and a web firewall daemon that receives the web request data from the filter unit, analyzes the web request data to determine its risk, and transmits the result of the risk determination on the web request data to the filter unit.
- The filter unit may include a first communication module that communicates with the web firewall daemon using the same protocol and receives the risk determination result for the web request data from the web firewall daemon, and a first control module that controls the first communication module in accordance with that risk determination result.
- The web firewall daemon may include a second communication module that receives the web request data from the filter unit, a risk determination module that analyzes the web request data received by the second communication module to determine its risk, and a data change module that, when the risk determination concludes that the web request data needs to be modified, modifies the web request data to generate modified web request data; the second communication module may then transmit the modified web request data to the filter unit.
- The filter unit may further include a storage module that stores the web request data and the risk determination result for it, and the first control module may control the first communication module in accordance with the risk determination result stored by the storage module.
- The filter unit may further include an information extraction module that extracts, from the web request data, the IP (Internet Protocol) address of the user terminal that transmitted the web request data and the URL (Uniform Resource Locator) information.
- The IP address and URL information of the user terminal extracted by the information extraction module are transmitted to the second communication module. The risk determination module analyzes that IP address and URL information to determine the risk of the web request data and, if it determines that they are insufficient to judge the risk, generates a request for additional information, which the second communication module transmits to the first communication module.
- The information extraction module then extracts the additional information corresponding to that request from the web request data, the first communication module transmits it to the second communication module, the risk determination module analyzes the additional information to determine the risk level of the web request data, and the second communication module transmits the resulting risk determination result to the first communication module.
- The present invention also provides a web attack detection and blocking method that includes: a filter unit receiving web request data from a user terminal; the filter unit controlling the web application so that it is kept in a standby state; the filter unit transmitting the web request data to a web firewall daemon; the web firewall daemon analyzing the web request data to determine a risk level; and the web firewall daemon transmitting the risk determination result for the web request data to the filter unit.
- Transmitting the risk determination result to the filter unit may include a first control module controlling a first communication module in accordance with the risk determination result received from the web firewall daemon.
- The step in which the web firewall daemon analyzes the web request data to determine a risk level may include the web firewall daemon determining whether the web request data needs modification and, if so, modifying it to generate modified web request data; transmitting the risk determination result to the filter unit may then include the web firewall daemon transmitting the modified web request data to the filter unit.
- Transmitting the risk determination result to the filter unit may also include the filter unit storing the web request data and its risk determination result, and the first control module controlling the first communication module in accordance with the stored risk determination result.
- Transmitting the web request data to the web firewall daemon may include: the filter unit extracting the IP address and URL information of the user terminal that transmitted the web request data; the filter unit transmitting the extracted IP address and URL information to the web firewall daemon; the web firewall daemon analyzing them to determine the risk level of the web request data; and, if the web firewall daemon determines that the IP address and URL information are insufficient to judge the risk, the web firewall daemon generating a request for additional information and transmitting it to the filter unit.
- After the additional information request has been transmitted, the filter unit extracts the additional information corresponding to the request from the web request data and transmits it to the web firewall daemon; the web firewall daemon analyzes the additional information to determine the risk level of the web request data and transmits the resulting risk determination result to the filter unit.
- The present invention can provide a web security service regardless of the state of the Internet network.
- The present invention allows easy installation, update and version upgrade of the software.
- The present invention can provide a security service while maintaining the existing network configuration.
- The present invention can provide a security service without changing IP and DNS.
- The present invention can reduce the initial introduction cost by removing exposure of the SSL certificate and private key.
- The present invention can be flexibly applied to a cloud server environment.
- The present invention can be applied to web application security, a web server installed in the cloud, an END POINT on the mobile app server side, and an IOT user interface and an END POINT on the server side.
- FIG. 1 is a view showing a schematic configuration of a web attack detection and blocking system according to an embodiment of the present invention.
- FIG. 2 is a diagram for illustrating a schematic configuration of a filter unit that is one configuration of the present invention.
- FIG. 3 is a diagram illustrating a schematic configuration of a web firewall daemon which is one configuration of the present invention.
- FIG. 4 is a diagram illustrating a schematic flow of a web attack detection and blocking method according to an embodiment of the present invention.
- Terms including ordinal numbers such as "first" and "second" may be used to describe various components, but the components are not limited by these terms; the terms serve only to distinguish one component from another. A first component may be referred to as a second component and, similarly, a second component may be referred to as a first component.
- The terms "comprise" or "have" are intended to indicate that a feature, number, step, operation, component, part, or combination thereof described in the specification is present, and do not exclude in advance the presence of one or more other features, numbers, steps, operations, components, parts or combinations thereof.
- A module or unit performs at least one function or operation, and may be implemented in hardware, in software, or in a combination of hardware and software.
- A plurality of modules or units may be integrated into at least one module, except for modules or units that must be implemented with specific hardware, and may be implemented as at least one processor.
- FIG. 1 shows a schematic configuration of the web attack detection and blocking system according to an embodiment of the present invention, FIG. 2 shows the schematic configuration of the filter unit, which is one configuration of the present invention, and FIG. 3 shows the schematic configuration of the web firewall daemon, which is one configuration of the present invention.
- The web attack detection and blocking system 10 may include a filter unit 110 and a web firewall daemon 200.
- The filter unit 110 may include a first control module 111, a first communication module 112, an information extraction module 113, and a storage module 114.
- The web firewall daemon 200 may include a second communication module 210, a risk determination module 220, and a data change module 230.
- The filter unit 110 may receive the web request data from the user terminal 1 and may control the web application 120 so that it is kept in a standby state.
- The filter unit 110 may be implemented embedded in the web server daemon 100.
- The user terminal 1 may be implemented as any of various electronic devices, such as a smart phone, a smart watch, smart glasses, a tablet PC, a notebook PC, and the like.
- The web firewall daemon 200 may receive the web request data from the filter unit 110 and may determine its risk by analyzing the web request data.
- The web firewall daemon 200 may transmit the risk determination result for the web request data to the filter unit 110.
- The web firewall daemon 200 may be implemented so that it is completely physically separated from the filter unit 110 embedded in the web server daemon 100.
- Accordingly, the web application 120 is not affected even if a bug or an error occurs in the web firewall.
- The web server daemon 100 can therefore keep handling web request data without interruption and without restarting the web server daemon 100.
- The first communication module 112 and the second communication module 210 may communicate with each other using the same protocol.
- The first communication module 112 may receive the risk determination result for the web request data from the web firewall daemon 200.
- The first control module 111 may control the first communication module 112 in accordance with the risk determination result for the web request data received from the web firewall daemon 200.
- When the risk determination result indicates that blocking the web request data is appropriate, the first control module 111 may control the first communication module 112 to block the web request data.
- When the risk determination result indicates that the web request data is valid, the first control module 111 may control the first communication module 112 to transmit the web request data to the web application 120.
- The first communication module 112 may receive the response data corresponding to that web request data from the web application 120.
- The first communication module 112 may transmit the response data for that web request data to the second communication module 210.
- The first communication module 112 may receive, from the second communication module 210, the risk determination result for the response data determined by the risk determination module 220.
- The first control module 111 may control the first communication module 112 in accordance with the risk determination result for the response data received from the second communication module 210.
- When the risk determination result for the response data indicates that it is appropriate to block the response data, the first control module 111 may control the first communication module 112 to block that response data.
- When the risk determination result for the response data indicates that it is appropriate to pass the response data, the first control module 111 may control the first communication module 112 to transmit that response data to the user terminal 1 that sent the web request data.
- The second communication module 210 may receive the web request data from the filter unit 110.
- The risk determination module 220 may determine the risk by analyzing the web request data that the second communication module 210 received from the first communication module 112.
- The risk determination module 220 may likewise determine the risk by analyzing the response data that the second communication module 210 received from the first communication module 112.
- The risk determined by the risk determination module 220 covers the various attack risks that may be contained in web request data, in the response data to that web request data, and the like.
- When web request data or response data based on HTTPS/HTTP v1.0, v1.1 or v2 contains a web attack risk, the risk determination module 220 may determine that the web request data or response data needs modification, or that blocking it is appropriate.
- Based on preset first criteria, when the web request data or response data contains at least one of injection, authentication and session management vulnerabilities, sensitive data exposure, XML External Entities (XXE), cross-site scripting (XSS), or insecure deserialization, the risk determination module 220 may conclude that blocking the web request data or response data is appropriate, or that it needs modification.
- The injection may include SQL, XQuery, XPath or LDAP injection.
- The risk determination module 220 may also determine that the web request data or response data needs modification based on preset first rules, such as an IP reputation rule that protects against known spam or malicious activity (REQUEST-910-IP-REPUTATION) and a rule that locks down methods such as PUT and PATCH (REQUEST-911-METHOD-ENFORCEMENT).
- The risk determination module 220 may also determine the risk of the web request data, response data and the like by checking whether they conform to the PCI Data Security Standard (PCI DSS).
- Web request data and response data that comply with PCI DSS may be judged normal; when they do not comply, the risk determination module 220 may conclude that blocking the web request data, response data and the like is appropriate, or that modification is necessary.
- Based on preset second criteria, when the web request data or response data contains at least one of a directory listing vulnerability, a file download vulnerability, a cross-site scripting vulnerability, a file upload vulnerability, a WebDAV vulnerability, a Technote vulnerability, a Zeroboard vulnerability or a SQL injection vulnerability, the risk determination module 220 may conclude that blocking the web request data, response data and the like is appropriate, or that modification is necessary.
- Likewise, when the web request data or response data corresponds to file forgery on a given path (URI), the risk determination module 220 may conclude that blocking it is appropriate, or that modification of the web request data and response data is necessary.
- When the risk determination concludes that the web request data needs modification, the data change module 230 modifies the web request data to generate modified web request data.
- The modification performed by the data change module 230 may include a change to the payload of the web request data.
- The data change module 230 may apply preset first rules such as: an IP reputation rule protecting against known spam or malicious activity (REQUEST-910-IP-REPUTATION); a rule locking down methods such as PUT and PATCH (REQUEST-911-METHOD-ENFORCEMENT); a rule protecting against DoS attacks (REQUEST-912-DOS-PROTECTION); a rule protecting against port and environment scanners (REQUEST-913-SCANNER-DETECTION); a rule protecting against protocol and encoding issues (REQUEST-920-PROTOCOL-ENFORCEMENT); a rule protecting against header injection, request smuggling and response splitting (REQUEST-921-PROTOCOL-ATTACK); a rule protecting against file and path attacks (REQUEST-930-APPLICATION-ATTACK-LFI); a rule protecting against remote file inclusion (REQUEST-931-APPLICATION-ATTACK-RFI); a rule protecting against remote code execution (REQUEST-932-APPLICATION-ATTACK-RCE); and a rule protecting against PHP …
- What has been described above for the risk determination module 220 and the data change module 230 applies not only to web request data, but also to the response data corresponding to web request data or modified web request data, and to the modified web request data itself.
- The second communication module 210 may transmit the modified web request data to the filter unit 110.
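To make the risk determination and data change steps concrete, here is an added example (not code from the patent or from any product implementing it) of a web firewall daemon's decision routine. The rule family names are the ones the description lists; the checks behind them are simplified stand-ins written for this page, not the logic of the real OWASP CRS rule files of those names, and the IP reputation list, allowed methods, scanner User-Agent fragments, regular expressions and sample requests are all constructed. Injection is answered by blocking; a script element in the payload is answered by the data change module's "modify" outcome, so the filter unit forwards the modified request rather than the original.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed policy data (hypothetical values, not from the patent):
# methods the protected application serves, a reputation list using a
# TEST-NET-3 address as a placeholder, and scanner User-Agent fragments.
ALLOWED_METHODS = {"GET", "POST", "HEAD"}
KNOWN_BAD_IPS = {"203.0.113.7"}
SCANNER_AGENTS = ("sqlmap", "nikto", "nmap")

# Simplified signatures standing in for the injection / XSS checks of the
# "first criteria"; a production rule set is far more thorough than this.
SQLI_RE = re.compile(r"(?:'|%27)\s*(?:or|and)\s+\d+\s*=\s*\d+|union\s+select", re.I)
SCRIPT_RE = re.compile(r"<\s*script[^>]*>.*?<\s*/\s*script\s*>", re.I | re.S)


@dataclass
class WebRequest:
    client_ip: str
    method: str
    url: str
    headers: dict
    body: str = ""


@dataclass
class RiskResult:
    verdict: str                     # "pass", "block" or "modify"
    rule: str = "none"
    modified_body: Optional[str] = None


def determine_risk(req: WebRequest) -> RiskResult:
    """Risk determination module: rule families are checked in the order the
    description lists them, and the first matching family decides the verdict."""
    # REQUEST-910-IP-REPUTATION: source already known for malicious activity
    if req.client_ip in KNOWN_BAD_IPS:
        return RiskResult("block", "REQUEST-910-IP-REPUTATION")
    # REQUEST-911-METHOD-ENFORCEMENT: lock down methods the app does not serve
    if req.method not in ALLOWED_METHODS:
        return RiskResult("block", "REQUEST-911-METHOD-ENFORCEMENT")
    # REQUEST-913-SCANNER-DETECTION: well-known scanner User-Agent strings
    agent = req.headers.get("User-Agent", "").lower()
    if any(name in agent for name in SCANNER_AGENTS):
        return RiskResult("block", "REQUEST-913-SCANNER-DETECTION")
    # REQUEST-920-PROTOCOL-ENFORCEMENT: an HTTP/1.1 request must carry Host
    if "Host" not in req.headers:
        return RiskResult("block", "REQUEST-920-PROTOCOL-ENFORCEMENT")
    # First criteria, injection: blocking is the appropriate outcome
    if SQLI_RE.search(req.url) or SQLI_RE.search(req.body):
        return RiskResult("block", "INJECTION")
    # First criteria, XSS in the payload: the data change module strips the
    # script element and the modified request is what reaches the application
    if SCRIPT_RE.search(req.body):
        return RiskResult("modify", "XSS", SCRIPT_RE.sub("", req.body))
    return RiskResult("pass")


def apply_result(req: WebRequest, result: RiskResult) -> Optional[WebRequest]:
    """Filter-unit side: None means blocked, otherwise the request to forward."""
    if result.verdict == "block":
        return None
    if result.verdict == "modify":
        return WebRequest(req.client_ip, req.method, req.url, req.headers,
                          result.modified_body)
    return req


# Constructed sample traffic, one request per rule family exercised above
SAMPLES = {
    "benign": WebRequest("198.51.100.5", "GET", "/index.html",
                         {"Host": "shop.example", "User-Agent": "Mozilla/5.0"}),
    "bad_ip": WebRequest("203.0.113.7", "GET", "/index.html",
                         {"Host": "shop.example"}),
    "patch": WebRequest("198.51.100.5", "PATCH", "/api/item/1",
                        {"Host": "shop.example"}),
    "scanner": WebRequest("198.51.100.5", "GET", "/",
                          {"Host": "shop.example", "User-Agent": "sqlmap/1.0"}),
    "no_host": WebRequest("198.51.100.5", "GET", "/", {}),
    "sqli": WebRequest("198.51.100.5", "GET", "/login?user=admin' or 1=1--",
                       {"Host": "shop.example"}),
    "xss": WebRequest("198.51.100.5", "POST", "/comment",
                      {"Host": "shop.example"},
                      "text=hello<script>alert(1)</script>world"),
}


def run_samples() -> dict:
    """Return {name: (verdict, rule, forwarded body or None)} for the samples."""
    out = {}
    for name, req in SAMPLES.items():
        result = determine_risk(req)
        forwarded = apply_result(req, result)
        out[name] = (result.verdict, result.rule,
                     None if forwarded is None else forwarded.body)
    return out


if __name__ == "__main__":
    for name, row in run_samples().items():
        print(f"{name:8s} -> {row}")
```

The ordering matters: cheap, high-confidence checks (reputation, method, protocol) run before the content signatures, and a "modify" verdict is only reached for requests that cleared every blocking rule, so the data change module never rewrites a request that should have been dropped.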
- The storage module 114 may store the web request data and the risk determination result for it.
- Specifically, the storage module 114 may store at least one of the web request data and the risk determination module 220's risk determination result for it, as received by the first communication module 112 from the second communication module 210, and likewise at least one of the response data and the risk determination result for it.
- The first control module 111 described above may control the first communication module 112 in accordance with the risk determination result for the web request data stored in the storage module 114.
- To do so, the first control module 111 first determines whether the storage module 114 holds a risk determination result for the web request data in question, and if so uses that stored result to control the first communication module 112: when the stored result says the web request data should be blocked, it controls the first communication module 112 to block the web request data, and otherwise it controls the first communication module 112 to transmit the web request data to the web application 120.
- In the same way, the first control module 111 may control the first communication module 112 in accordance with the risk determination result for the response data stored in the storage module 114: it determines whether the storage module 114 holds a risk determination result for the response data and, depending on that stored result, controls the first communication module 112 either to block the response data or to transmit it to the user terminal 1.
- By using stored results, the filter unit 110 can filter web request data more quickly and accurately, and it is also prepared for cases in which transmission and reception between the web firewall daemon 200 and the filter unit 110 are not smooth.
- The information extraction module 113 may extract, from the web request data, the IP (Internet Protocol) address of the user terminal 1 that transmitted the web request data and the URL (Uniform Resource Locator) information.
- The first communication module 112 may transmit the IP address and URL information of the user terminal 1 extracted by the information extraction module 113 to the second communication module 210.
- The risk determination module 220 may analyze the IP address and URL information of the user terminal 1 received by the second communication module 210 to determine the risk of the web request data.
- The risk determination module 220 may generate a request for additional information when it determines that the IP address and URL information of the user terminal 1 are insufficient to judge the risk of the web request data.
- The second communication module 210 may transmit the request for additional information to the first communication module 112.
- The information extraction module 113 may extract the additional information corresponding to the additional information request from the web request data.
- The first communication module 112 may transmit the additional information extracted from the web request data by the information extraction module 113 to the second communication module 210.
- The risk determination module 220 may analyze the additional information that the second communication module 210 received from the first communication module 112 to determine the risk of the web request data.
- The second communication module 210 may transmit the risk determination result for the web request data, determined by the risk determination module 220 from the additional information, to the first communication module 112.
- FIG. 4 is a diagram illustrating a schematic flow of a web attack detection and blocking method according to an embodiment of the present invention.
- The filter unit 110 may receive web request data from the user terminal 1 (S430).
- The filter unit 110 may control the web application 120 so that the web application 120 is kept in a standby state (S431).
- The filter unit 110 may transmit the web request data to the web firewall daemon 200 (S432).
- The filter unit 110 may extract the IP address and URL information of the user terminal 1 that transmitted the web request data.
- The filter unit 110 may transmit the extracted IP address and URL information of the user terminal 1 to the web firewall daemon 200.
- The web firewall daemon 200 may analyze the IP address and URL information of the user terminal 1 to determine the degree of risk of the web request data.
- The web firewall daemon 200 may generate a request for additional information.
- The web firewall daemon 200 may transmit the request for additional information to the filter unit 110.
- The filter unit 110 may extract the additional information corresponding to the additional information request from the web request data.
- The filter unit 110 may transmit the additional information extracted from the web request data to the web firewall daemon 200.
- The web firewall daemon 200 may analyze the additional information to determine the degree of risk of the web request data.
- The web firewall daemon 200 may transmit the risk determination result for the web request data, determined by analyzing the additional information, to the filter unit 110.
- The web firewall daemon 200 may determine the risk by analyzing the web request data (S433).
- The web firewall daemon 200 may modify the web request data.
- The web firewall daemon 200 may generate modified web request data by modifying the web request data.
- The web firewall daemon 200 may transmit the risk determination result for the web request data to the filter unit 110 (S434).
- The first control module 111 of the filter unit 110 may control the first communication module 112 of the filter unit 110 in accordance with the risk determination result for the web request data received from the web firewall daemon 200.
- The web firewall daemon 200 may transmit the modified web request data to the filter unit 110.
- The filter unit 110 may store the web request data and the risk determination result for the web request data.
- The first control module 111 of the filter unit 110 may use the stored risk determination result for the web request data to control the first communication module 112 in accordance with that result.
- reference signs: 110 filter unit; 111 first control module; 112 first communication module; 113 information extraction module.
- the web attack detection and blocking system and method of the present invention can provide a customized web security service without affecting the stability and availability of the web application.
- because the software is easy to install, update and upgrade, the security service can be provided while keeping the existing network configuration, without changing IP addresses or DNS.
- the initial cost of introduction can be reduced, and the system can be applied flexibly to cloud server environments, web application security, web servers installed in the cloud, the endpoints on the mobile app server side, and IoT user interfaces and server endpoints.
- web attack detection and blocking systems and methods that produce these effects can have a positive impact on the software and security solutions industry and can be used in a variety of ways.
Claims (12)
- A web attack detection and blocking system comprising: a filter unit that receives web request data from a user terminal and controls a web application so that the web application is kept in a standby state; and a web firewall daemon that receives the web request data from the filter unit, analyzes the web request data to determine a degree of risk, and transmits a risk determination result for the web request data to the filter unit.
- The web attack detection and blocking system of claim 1, wherein the filter unit comprises: a first communication module that communicates with the web firewall daemon using the same protocol and receives the risk determination result for the web request data from the web firewall daemon; and a first control module that controls the first communication module in accordance with the risk determination result for the web request data.
- The web attack detection and blocking system of claim 2, wherein the web firewall daemon comprises: a second communication module that receives the web request data from the filter unit; a risk determination module that analyzes the web request data received by the second communication module to determine the degree of risk; and a data change module that, when the risk determination result for the web request data indicates that the web request data needs to be modified, modifies the web request data to generate modified web request data; and wherein the second communication module transmits the modified web request data to the filter unit.
- The web attack detection and blocking system of claim 2, wherein the filter unit further comprises a storage module that stores the web request data and the risk determination result for the web request data, and the first control module uses the risk determination result stored in the storage module to control the first communication module in accordance with that result.
- The web attack detection and blocking system of claim 3, wherein the filter unit further comprises an information extraction module that extracts, from the web request data, the IP (Internet Protocol) address and URL (Uniform Resource Locator) information of the user terminal that transmitted the web request data; the first communication module transmits the extracted IP address and URL information of the user terminal to the second communication module; the risk determination module analyzes the IP address and URL information received by the second communication module to determine the degree of risk for the web request data and, when it determines that the IP address and URL information of the user terminal are insufficient to determine the degree of risk, generates an additional information request; and the second communication module transmits the additional information request to the first communication module.
- The web attack detection and blocking system of claim 5, wherein the information extraction module extracts, from the web request data, additional information corresponding to the additional information request; the first communication module transmits the additional information extracted from the web request data to the second communication module; the risk determination module analyzes the additional information received by the second communication module to determine the degree of risk for the web request data; and the second communication module transmits to the first communication module the risk determination result that the risk determination module obtained by analyzing the additional information.
- A web attack detection and blocking method comprising: a filter unit receiving web request data from a user terminal; the filter unit controlling a web application so that the web application is kept in a standby state; the filter unit transmitting the web request data to a web firewall daemon; the web firewall daemon analyzing the web request data to determine a degree of risk; and the web firewall daemon transmitting a risk determination result for the web request data to the filter unit.
- The web attack detection and blocking method of claim 7, wherein the web firewall daemon transmitting the risk determination result to the filter unit comprises a first control module controlling a first communication module in accordance with the risk determination result received from the web firewall daemon.
- The web attack detection and blocking method of claim 8, wherein the web firewall daemon analyzing the web request data to determine the degree of risk comprises: the web firewall daemon modifying the web request data when the risk determination result indicates that the web request data needs to be modified; and the web firewall daemon generating modified web request data from the modified web request data; and wherein the web firewall daemon transmitting the risk determination result to the filter unit comprises the web firewall daemon transmitting the modified web request data to the filter unit.
- The web attack detection and blocking method of claim 8, wherein the web firewall daemon transmitting the risk determination result to the filter unit comprises: the filter unit storing the web request data and the risk determination result for the web request data; and the first control module, using the stored risk determination result, controlling the first communication module in accordance with that result.
- The web attack detection and blocking method of claim 8, wherein the filter unit transmitting the web request data to the web firewall daemon comprises: the filter unit extracting the IP address and URL information of the user terminal that transmitted the web request data; the filter unit transmitting the extracted IP address and URL information of the user terminal to the web firewall daemon; the web firewall daemon analyzing the IP address and URL information of the user terminal to determine the degree of risk for the web request data; the web firewall daemon generating an additional information request when it determines that the IP address and URL information of the user terminal are insufficient to determine the degree of risk; and the web firewall daemon transmitting the additional information request to the filter unit.
- The web attack detection and blocking method of claim 11, wherein the web firewall daemon transmitting the additional information request to the filter unit comprises: the filter unit extracting, from the web request data, additional information corresponding to the additional information request; the filter unit transmitting the additional information extracted from the web request data to the web firewall daemon; the web firewall daemon analyzing the additional information to determine the degree of risk for the web request data; and the web firewall daemon transmitting to the filter unit the risk determination result obtained by analyzing the additional information.
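The staged exchange described in steps S431 to S434 and in claims 1 to 12 (IP and URL first, an additional information request when that is not enough, a verdict that may carry a modified request, and a stored result the filter unit can reuse) is modelled below as an added example. This is not the patent's code: the message shapes, the risk rules, the blocklisted network 203.0.113.0/24 and the sample requests are all assumptions made for illustration.

```python
# Added example (not the patent's code): a minimal model of the staged
# filter-unit / web-firewall-daemon exchange (S431-S434, claims 1-12).
# Message shapes, risk rules, the blocklisted network and the sample
# requests are all assumptions made for illustration.
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Union
from urllib.parse import unquote_plus

# Constructed policy data: one blocklisted client network and a few
# attack indicators (UNION SELECT, a quote tautology, an inline script tag).
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
ATTACK_PATTERN = re.compile(
    r"(?i)(\bunion\b.+\bselect\b|'\s*or\s*'1'\s*=\s*'1|<script\b)")
SCRIPT_TAG = re.compile(r"(?is)<script\b[^>]*>.*?</script\s*>")


@dataclass
class WebRequest:
    client_ip: str
    url: str
    body: str


@dataclass
class AdditionalInfoRequest:
    # The daemon asks the filter unit for one more field of the request.
    field_name: str


@dataclass
class Verdict:
    risk: str                              # "block", "modify" or "allow"
    reason: str
    modified: Optional[WebRequest] = None  # set when risk == "modify"


class WebFirewallDaemon:
    """Risk determination module plus data change module."""

    def assess_summary(self, client_ip: str, url: str) -> Union[Verdict, AdditionalInfoRequest]:
        # Stage 1: decide on client IP and URL alone when that is enough.
        if any(ipaddress.ip_address(client_ip) in net for net in BLOCKED_NETWORKS):
            return Verdict("block", "client network is blocklisted")
        if ATTACK_PATTERN.search(unquote_plus(url)):
            return Verdict("block", "attack pattern in URL")
        # Not enough information yet: ask the filter unit for the request body.
        return AdditionalInfoRequest("body")

    def assess_additional(self, request: WebRequest, field_name: str) -> Verdict:
        # Stage 2: analyze the additional information the filter unit extracted.
        value = getattr(request, field_name)
        if not ATTACK_PATTERN.search(value):
            return Verdict("allow", "no indicators in %s" % field_name)
        if SCRIPT_TAG.search(value):
            # Data change module: strip the script and hand back a modified request.
            cleaned = SCRIPT_TAG.sub("", value)
            modified = WebRequest(request.client_ip, request.url, cleaned)
            return Verdict("modify", "script tag removed from %s" % field_name, modified)
        return Verdict("block", "attack pattern in %s" % field_name)


class FilterUnit:
    """Sits in front of the web application and holds it until a verdict arrives."""

    def __init__(self, daemon: WebFirewallDaemon):
        self.daemon = daemon
        self.store = {}  # storage module: request key -> Verdict

    def decide(self, request: WebRequest) -> Verdict:
        key = (request.client_ip, request.url, request.body)
        if key in self.store:  # reuse a stored result (claim 4)
            return self.store[key]
        # S431: the application stays on standby; nothing is forwarded yet.
        # S432: the information extraction module sends IP and URL first.
        outcome = self.daemon.assess_summary(request.client_ip, request.url)
        if isinstance(outcome, AdditionalInfoRequest):
            # Extract the requested field and send it (claims 5 and 6).
            outcome = self.daemon.assess_additional(request, outcome.field_name)
        self.store[key] = outcome  # S434: result stored for later use
        return outcome

    def forward(self, request: WebRequest) -> Optional[WebRequest]:
        # First control module acting on the verdict: None means blocked,
        # otherwise the (possibly modified) request reaches the application.
        verdict = self.decide(request)
        if verdict.risk == "block":
            return None
        return verdict.modified or request


# Constructed sample traffic (RFC 5737 documentation addresses).
SAMPLE_REQUESTS = [
    WebRequest("203.0.113.7", "/login", "user=bob"),
    WebRequest("198.51.100.2", "/search?q=1'%20or%20'1'%3D'1", ""),
    WebRequest("198.51.100.3", "/comment", "text=hi<script>alert(1)</script>there"),
    WebRequest("198.51.100.4", "/comment", "text=hello"),
]


def run_samples():
    """Return (risk, request forwarded to the application) for each sample."""
    fu = FilterUnit(WebFirewallDaemon())
    return [(fu.decide(r).risk, fu.forward(r)) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req, (risk, fwd) in zip(SAMPLE_REQUESTS, run_samples()):
        print(req.client_ip, req.url, "->", risk, fwd.body if fwd else "(dropped)")
```

Two points the model makes visible: the daemon only asks for the body when IP and URL leave the verdict undecided, so the cheap check runs first, and the filter unit keys its stored verdicts on the full request, because a cached "allow" for a URL alone would let a later request with a different body slip past the daemon.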
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US16/492,390 US11171919B1 (en) | 2018-06-01 | 2018-10-11 | Web attack detecting and blocking system and method thereof |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR10-2018-0063747 | 2018-06-01 | ||
KR1020180063747A KR101959544B1 (ko) | 2018-06-01 | 2018-06-01 | Web attack detection and blocking system and method thereof |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2019231057A1 true WO2019231057A1 (ko) | 2019-12-05 |
Family
ID=65948909
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/KR2018/011981 WO2019231057A1 (ko) | 2018-06-01 | 2018-10-11 | Web attack detection and blocking system and method thereof |
Country Status (3)
Country | Link |
---|---|
US (1) | US11171919B1 (ko) |
KR (1) | KR101959544B1 (ko) |
WO (1) | WO2019231057A1 (ko) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20040042490A (ko) * | 2002-11-14 | 2004-05-20 | 한국전자통신연구원 | System and method for preventing bypass of firewall inspection on a network |
KR20090076556A (ko) * | 2008-01-09 | 2009-07-13 | 한남대학교 산학협력단 | Web server security method and web firewall therefor |
KR101005927B1 (ko) * | 2010-07-05 | 2011-01-07 | 펜타시큐리티시스템 주식회사 | Web application attack detection method |
US20150244678A1 (en) * | 2013-11-13 | 2015-08-27 | ProtectWise, Inc. | Network traffic filtering and routing for threat analysis |
KR101625338B1 (ko) * | 2015-10-20 | 2016-05-27 | 홍익대학교세종캠퍼스산학협력단 | System and method for detecting malicious relay sites |
Family Cites Families (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20060080735A1 (en) * | 2004-09-30 | 2006-04-13 | Usa Revco, Llc | Methods and systems for phishing detection and notification |
KR20100058695A (ko) | 2008-11-25 | 2010-06-04 | 박영민 | Profile-based model for web application attack detection and its selective application technique |
US8458769B2 (en) * | 2009-12-12 | 2013-06-04 | Akamai Technologies, Inc. | Cloud based firewall system and service |
US8751633B2 (en) * | 2010-04-01 | 2014-06-10 | Cloudflare, Inc. | Recording internet visitor threat information through an internet-based proxy service |
US20150020188A1 (en) * | 2013-07-14 | 2015-01-15 | Check Point Software Technologies Ltd. | Network Host Provided Security System for Local Networks |
US9860208B1 (en) * | 2014-09-30 | 2018-01-02 | Palo Alto Networks, Inc. | Bridging a virtual clone of a target device in a honey network to a suspicious device in an enterprise network |
US10044675B1 (en) * | 2014-09-30 | 2018-08-07 | Palo Alto Networks, Inc. | Integrating a honey network with a target network to counter IP and peer-checking evasion techniques |
US10855725B2 (en) * | 2016-06-02 | 2020-12-01 | Microsoft Technology Licensing, Llc | Hardware-based virtualized security isolation |
2018
- 2018-06-01 KR KR1020180063747A patent/KR101959544B1/ko active IP Right Grant
- 2018-10-11 US US16/492,390 patent/US11171919B1/en active Active
- 2018-10-11 WO PCT/KR2018/011981 patent/WO2019231057A1/ko active Application Filing
Also Published As
Publication number | Publication date |
---|---|
US20210328970A1 (en) | 2021-10-21 |
KR101959544B1 (ko) | 2019-03-18 |
US11171919B1 (en) | 2021-11-09 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 18920654 Country of ref document: EP Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 18920654 Country of ref document: EP Kind code of ref document: A1 |
| 32PN | Ep: public notification in the ep bulletin as address of the addressee cannot be established | Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205 DATED 20/05/2021) |