CN105871775B - A kind of safety protecting method and DPMA Protection Model

Publication number: CN105871775B
Application number: CN201510026104.4A
Authority: CN (China)
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN105871775A (en)
Inventors: 陈磊, 付俊, 何申, 俞诗源, 傅珩轩
Current assignee: China Mobile Communications Group Co Ltd
Original assignee: China Mobile Communications Group Co Ltd
Landscapes: Computer And Data Communications (AREA)

Abstract

The invention discloses a security protection method. The method comprises: a DPMA protection model obtains protection information about a Web attack, where the DPMA protection model comprises four modules: a Web detection module, a Web protection module, a Web monitoring module and a Web audit module; the DPMA protection model performs linkage according to the protection information of the Web attack to achieve security protection for Web applications, where the linkage comprises using the protection information of the Web attack to interact among the Web detection module, the Web protection module, the Web monitoring module and the Web audit module. The invention also discloses a DPMA protection model.

Description

A kind of safety protecting method and DPMA Protection Model
Technical field
The present invention relates to Web technology, and more particularly to a security protection method and a DPMA (Detect, Protect, Monitor, Audit) protection model.
Background technique
With the continuous progress and development of network (Web) application technology, Web applications carry more and more services, and with this come increasingly complex security problems for Web applications. According to statistics from authoritative institutions, security attacks against Web applications have already exceeded the sum of security attacks at all other layers, and hacker attacks are gradually shifting from the traditional network layer to the application layer.
Web applications provide services directly to the outside. While this makes services convenient for users, it also gives malicious attackers an opening: once a Web application is compromised, an attacker can use it as a springboard to collect more information or to probe other servers. Although a firewall can protect a website to a large extent, it works mainly at the network layer and is powerless against application-layer attacks. In addition, because the skill of Web application developers is uneven, a lack of security knowledge during development and insufficient testing both leave the website itself vulnerable. How to guarantee the security of the Web application itself, so as to provide users with fast and stable service, is a challenge that enterprises must meet.
Existing Web security protection techniques fall into two main camps, detection and protection. The first is detection-class security means, which generally include Web vulnerability scanning and intrusion detection. The second is protection-class security means, which generally include network-layer firewalls, application-layer firewalls (WAF), security gateways (UTM) and intrusion prevention devices. Existing security detection and protection equipment, such as firewalls and vulnerability scanners, can detect and block some attacks and plays a very important role, but certain limitations remain. On the detection side: because vulnerability scanning is a black-box detection method, false negatives and false positives are unavoidable; intrusion detection relies mainly on rule-base/signature-base detection, so Web attacks (also known as attacks) that are not in the rule base are hard to discover, and for Web attacks that have escaped detection it is hard to replay the attack scene and impossible to trace the source afterwards. On the protection side: firewalls work mainly at the network layer and are powerless against application-layer security attacks; Web application firewalls work at the application layer, but because Web application code is written without a unified standard, Web application firewalls produce large numbers of false positives and cannot be used effectively; and after a Web application security incident occurs, corresponding audit tools and tracing means are lacking. In addition, these security detection and protection devices all work independently and do not interact with one another, so they cannot perform association analysis and linked handling for a given security behavior and event, and alarm events remain relatively isolated.
Summary of the invention
In view of this, to solve at least one of the problems in the prior art, embodiments of the present invention provide a security protection method and a DPMA protection model that can perform association analysis using multiple protection means, thereby improving security.
The technical solutions of the embodiments of the present invention are realized as follows:
In a first aspect, an embodiment of the present invention provides a security protection method, the method comprising:
a DPMA protection model obtains protection information about a Web attack, where the DPMA protection model comprises four modules: a Web detection module, a Web protection module, a Web monitoring module and a Web audit module;
the DPMA protection model performs linkage according to the protection information of the Web attack to achieve security protection for Web applications, where the linkage comprises using the protection information of the Web attack to interact among the Web detection module, the Web protection module, the Web monitoring module and the Web audit module.
In a second aspect, an embodiment of the present invention provides a DPMA protection model comprising four modules: a Web detection module, a Web protection module, a Web monitoring module and a Web audit module, in which:
the Web detection module is configured to perform Web security detection on potential security threats to obtain a detection result, analyze potential risk points from the detection result, provide a security repair method according to the potential risk points, and then hand the security repair method to the Web protection module, so that the Web protection module repairs the potential risk points using the security repair method;
the Web detection module is further configured to hand the detection result to the Web protection module, the Web monitoring module and the Web audit module for association analysis and protection.
In the security protection method and DPMA protection model provided by the embodiments of the present invention, the method comprises: a DPMA protection model obtains protection information about a Web attack, where the DPMA protection model comprises four modules: a Web detection module, a Web protection module, a Web monitoring module and a Web audit module; the DPMA protection model performs linkage according to the protection information of the Web attack to achieve security protection for Web applications, where the linkage comprises using the protection information of the Web attack to interact among the Web detection module, the Web protection module, the Web monitoring module and the Web audit module. In this way, association analysis can be performed using multiple protection means, thereby improving security.
Brief description of the drawings
Fig. 1 is a schematic diagram of the composition of the DPMA protection model of an embodiment of the present invention;
Fig. 2 is a flow diagram of the DPMA protection model of an embodiment of the present invention at work;
Fig. 3 is a flow diagram of the linked protection technology of an embodiment of the present invention at work;
Fig. 4-1 is a flow diagram of linkage model one of an embodiment of the present invention at work;
Fig. 4-2 is a flow diagram of linkage model two of an embodiment of the present invention at work;
Fig. 4-3 is a flow diagram of linkage model three of an embodiment of the present invention at work;
Fig. 4-4 is a flow diagram of linkage model four of an embodiment of the present invention at work;
Fig. 4-5 is a flow diagram of linkage model five of an embodiment of the present invention at work;
Fig. 4-6 is a flow diagram of linkage model six of an embodiment of the present invention at work;
Fig. 5 is a schematic diagram of the implementation flow of the security protection method of an embodiment of the present invention.
Specific embodiment
To make up for the deficiencies of the prior-art means, an embodiment of the present invention provides a DPMA protection model for Web applications. As shown in Fig. 1, the DPMA (Detect, Protect, Monitor, Audit) protection model integrates four major functions: Web detection (Detect), Web protection (Protect), Web monitoring (Monitor) and Web audit (Audit). Each function corresponds to one security module: the Web detection function corresponds to the Web detection module, the Web protection function to the Web protection module, the Web monitoring function to the Web monitoring module, and the Web audit function to the Web audit module. The security protection of the DPMA protection model runs through the entire life cycle of a security event, and the security modules link with one another while each plays to its own strengths, forming a defense-in-depth system for Web security.
The specific mechanism of the DPMA protection model is as follows. Before an attack occurs, the Web detection module performs security vulnerability detection on the Web application, so that potential security risks in the system are discovered in advance. When an unsafe event occurs, the Web protection module provides real-time security protection. If an attack succeeds, the Web monitoring module perceives the attack result (such as tampering and Trojan implantation) in a timely manner, and the Web audit module traces the attack to its source. As can be seen, the modules in the DPMA protection model link with one another and complement each other's strengths. Through this mechanism, an integral protection system is established for Web applications, based on website security detection beforehand, defense during the event and audit afterwards.
Fig. 2 is a flow diagram of the DPMA protection model of an embodiment of the present invention at work. As shown in Fig. 2, the DPMA protection model provided by the embodiment has four kinds of means at once: the Web detection means of the Web detection module, the Web protection means of the Web protection module, the Web monitoring means of the Web monitoring module and the Web audit means of the Web audit module. These four means form an interconnected Web defense-in-depth system. The four modules are introduced in turn below.
1) Web detection module
The Web detection module is the detection (D, Detect) module in the DPMA protection model. Its main function is to actively perform Web security detection on potential security threats in the Web system before they are discovered and exploited, obtain a detection result, and then find potential risk points from the detection result. It provides a security repair method according to the potential risk points and hands the security repair method to the Web protection module, so that the Web protection module repairs the potential risk points using the security repair method and forms a Web protection log from the security repair method and the corresponding potential risk points; the Web protection log is the log output by the Web protection module. The detection content of the Web detection module includes at least any one of the following: Structured Query Language (SQL) injection; XML Path Language (XPath) injection, where XML is Extensible Markup Language; cross-site scripting (XSS); broken authentication and session management; incorrect direct object references; cross-site request forgery (CSRF); security misconfiguration; failure to restrict remote access; unvalidated redirects and forwards; insecure cryptographic storage; and insecure transport protection.
The Web detection module hands the detection result to the Web protection module, the Web monitoring module and the Web audit module for association analysis and protection.
2) Web protection module
The Web protection module is the protection (P, Protect) module in the DPMA protection model. Its main function is that, when a Web attack occurs, it detects and protects against the attack in real time, effectively blocking the various attacks, and at the same time forms a Web protection log. The attack types protected against include the various application-layer attack behaviors. The Web protection module can also hand protection information to the Web detection module, the Web monitoring module and the Web audit module for in-depth association analysis, so as to follow the trail and generalize from one case to others. The protection information includes any one of the following: attack source, attack method, attack target, URL addresses and parameters whose attack frequency is higher than a preset first uniform resource locator (URL) threshold, unauthorized public-network Internet Protocol (IP) addresses, IP addresses whose attack frequency is higher than a preset first IP threshold, URL addresses and parameters with high-risk vulnerabilities, and URL addresses that have had a Trojan implanted or been tampered with. The parameters include the variables defined by the communication methods, such as GET and POST, that are defined in the HTTP protocol.
3) Web monitoring module
The Web monitoring module is the monitoring (M, Monitor) module in the DPMA protection model. Its main functions fall into two parts, security monitoring and stability monitoring, and cover system stability, page tampering, Trojan detection and backdoor detection. System stability monitoring covers Web system availability, Transmission Control Protocol (TCP) response delay and Hypertext Transfer Protocol (HTTP) response delay. Page tampering monitoring watches the monitored pages for tampering in real time and sends an SMS or e-mail alert promptly when a page is illegally replaced or tampered with. Trojan detection monitors the monitored pages for Trojan implantation in real time and sends an SMS or e-mail alert promptly when a page has had a Trojan implanted. Backdoor detection performs backdoor detection on the monitored system and sends an SMS or e-mail alert promptly when a suspicious webpage password is detected.
When the system response delay becomes large, or when an attacker has bypassed the layers of protection and tampered with a page, implanted a Trojan or planted a backdoor, the Web monitoring module detects this in real time and raises an alert. The Web monitoring module also hands monitoring information, such as the uniform resource locator (URL) addresses where problems occurred, to the Web detection module, the Web protection module and the Web audit module for association analysis and protection, so that security events are investigated in depth and the URL addresses where problems occurred are protected.
4) Web Audit Module
The Web audit module is the audit (A, Audit) module in the DPMA protection model. Its main function concerns security events in which the attack succeeded: the Web audit module performs security analysis on the logs of the Web attack, detects the attack behavior and traces it to its source to obtain the tracing content. The tracing content includes the attack behavior, the attack source Internet Protocol (IP) address, the attack method and the vulnerability exploited, so that accounts can be settled after the fact. The main functions of the Web audit module include: supporting detection of the Web attack methods defined by the Open Web Application Security Project (OWASP) and the Web Application Security Consortium (WASC), such as SQL injection, cross-site scripting and cross-site request forgery; supporting behavior-based attack detection and association analysis; supporting attack path replay; and supporting web page access control and ranking. The Web audit module also hands log analysis information, such as attack sources and suspicious webpage Trojans, to the Web detection module, the Web protection module and the Web monitoring module for association analysis, so that attacks, vulnerabilities and webpage Trojans are confirmed.
An embodiment of the present invention provides a linked protection technology based on the above Web detection module, Web protection module, Web monitoring module and Web audit module. The linked protection technology links the Web detection module, Web protection module, Web monitoring module and Web audit module in the DPMA protection model; that is, it is a workflow based on an event transfer mechanism. The goal of task scheduling is to combine security policies into security task plans and to provide functions such as management and issuing of those task scheduling plans. For example, when the Web protection log or the log security audit of Web attacks shows that a website is under attack, a Web scan task can be generated automatically to verify the specific pages of the website, to determine whether the vulnerability exists and whether an administrator needs to handle it.
Fig. 3 is a flow diagram of the linked protection technology of an embodiment of the present invention at work. As shown in Fig. 3, the linked protection technology defines various linkage scenarios among the four modules. The linkage models comprise: the linkage model between the Web audit module and the Web monitoring module (denoted A->M below), the linkage model between the Web audit module and the Web detection module (denoted A->D below), the linkage model between the Web audit module and the Web protection module (denoted A->P below), the linkage model between the Web protection module and the Web audit module (denoted P->A below), the linkage model between the Web detection module and the Web protection module (denoted D->P below), and the linkage model between the Web monitoring module and the Web detection module (denoted M->D below). These linkage models are introduced in turn below.
1. Linkage model one (A->M): Webshell positioning
Fig. 4-1 is a flow diagram of linkage model one of an embodiment of the present invention at work. As shown in Fig. 4-1, the main linkage flow of A->M is as follows: (1) the Web audit module counts the dynamic pages that users have accessed and extracts the dynamic page information of the protected website; (2) the Web audit module hands this dynamic page information to the Web monitoring module, which then crawls and inspects these dynamic pages according to the dynamic page information in order to find hidden Webshells and unlinked Webshells. Here, the Web audit module can also output the hidden Webshells and unlinked Webshells in the form of a Web audit log, where the Web audit log is the log output by the Web audit module, and a Webshell is a piece of code that an attacker uses to remotely control a Web server.
A Webshell is usually hidden in some directory of the website and has no link relationship with other pages, so from a black-box detection point of view it is difficult to detect its presence. The linkage technique provided by the A->M linkage model effectively solves the problem that the crawler technology in traditional technical means cannot detect unlinked and hidden Webshells.
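The A->M hand-off described above, as an added example that is not part of the patent: the audit side extracts the dynamic pages seen in an access log, and pages that were served but cannot be reached by following links from the home page are passed on for inspection. The log lines, the link graph, the file extensions and all function names are constructed assumptions.

```python
import re
from collections import deque
from urllib.parse import urlsplit

# Constructed access-log lines (common log format); not taken from the patent.
ACCESS_LOG = """\
198.51.100.7 - - [10/Jan/2015:10:01:02 +0800] "GET /index.php HTTP/1.1" 200 5120
198.51.100.7 - - [10/Jan/2015:10:01:05 +0800] "GET /news/list.php?page=2 HTTP/1.1" 200 8301
203.0.113.9 - - [10/Jan/2015:10:02:11 +0800] "GET /static/logo.png HTTP/1.1" 200 912
203.0.113.9 - - [10/Jan/2015:10:02:40 +0800] "GET /news/view.php?id=17 HTTP/1.1" 200 4410
192.0.2.44 - - [10/Jan/2015:03:14:07 +0800] "POST /upload/img/cache.php HTTP/1.1" 200 27
192.0.2.44 - - [10/Jan/2015:03:14:09 +0800] "POST /upload/img/cache.php HTTP/1.1" 200 311
203.0.113.9 - - [10/Jan/2015:10:05:00 +0800] "GET /old/admin.php HTTP/1.1" 404 162
"""

# Constructed link graph: what a crawler starting at the home page would see.
LINK_GRAPH = {
    "/index.php": ["/news/list.php", "/static/logo.png"],
    "/news/list.php": ["/news/view.php", "/index.php"],
    "/news/view.php": ["/news/list.php"],
}

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})\b')
DYNAMIC_EXT = (".php", ".jsp", ".asp", ".aspx")  # assumed set of dynamic page types


def audited_dynamic_pages(log_text):
    """Audit side: dynamic pages that were actually served, with request stats."""
    pages = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, _method, target, status = m.groups()
        path = urlsplit(target).path  # drop the query string
        if status != "200" or not path.lower().endswith(DYNAMIC_EXT):
            continue
        entry = pages.setdefault(path, {"requests": 0, "clients": set()})
        entry["requests"] += 1
        entry["clients"].add(ip)
    return pages


def crawl_reachable(link_graph, start):
    """Black-box view: every page reachable by following links from start."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in link_graph.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def unlinked_candidates(log_text, link_graph, start="/index.php"):
    """Pages served to clients but invisible to the crawler: inspect these first."""
    reachable = crawl_reachable(link_graph, start)
    audited = audited_dynamic_pages(log_text)
    return [
        {"path": p, "requests": v["requests"], "clients": sorted(v["clients"])}
        for p, v in sorted(audited.items())
        if p not in reachable
    ]


if __name__ == "__main__":
    for item in unlinked_candidates(ACCESS_LOG, LINK_GRAPH):
        print(item)
```

A page on this list is only a candidate: it still has to be fetched and inspected, as step (2) of the linkage flow describes.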
2. Linkage model two (A->D): in-depth detection
Fig. 4-2 is a flow diagram of linkage model two of an embodiment of the present invention at work. As shown in Fig. 4-2, the main linkage flow of A->D is as follows: (1) the Web audit module extracts from the logs the URL addresses and parameters with a high attack frequency, where a URL address with a high attack frequency is one whose attack frequency is higher than the first URL threshold; (2) the Web audit module hands the extracted URL addresses and parameters to the Web detection module for in-depth security detection.
General scanners all use black-box scanning, so inevitably some URL addresses and parameters are not crawled, which leads to false negatives in the scan results. The linkage technique provided by the A->D linkage model effectively solves the false-negative problem caused by a black-box scanner being unable to detect all the URL addresses and parameters in a website.
3. Linkage model three (A->P): unauthorized access
Fig. 4-3 is a flow diagram of linkage model three of an embodiment of the present invention at work. As shown in Fig. 4-3, the main linkage flow of A->P is as follows: (1) the Web audit module counts the IP addresses that access the website management backend and obtains the unauthorized public-network IP addresses; (2) the Web audit module notifies the Web protection module of the access to the website management backend by unauthorized public-network IP addresses, for linked protection.
Generally, the IP address of a website management backend must not be open to the Internet, since that carries a brute-force risk; the A->P linkage model can automatically detect and protect against the situation where the website management backend is open to the Internet.
4. Linkage model four (P->A): intelligent attack confirmation
Fig. 4-4 is a flow diagram of linkage model four of an embodiment of the present invention at work. As shown in Fig. 4-4, the main linkage flow of P->A is as follows: (1) the Web protection module records the IP addresses that initiate high-frequency attacks; such an IP address is a first IP address, that is, an IP address whose attack frequency is higher than the preset first IP threshold; (2) the Web protection module hands these first IP addresses to the audit module, which analyzes in depth the other attack behaviors of these first IP addresses. The P->A linkage model performs association analysis on attacks and follows the trail, so that nothing slips through the net.
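The threshold-driven hand-offs of linkage models two to four (A->D, A->P, P->A), as an added example that is not part of the patent. The threshold values, the `/admin/` path, the authorized network range, the record fields and the sample records are all assumptions constructed for illustration.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

URL_THRESHOLD = 3   # "first URL threshold"; the value is an assumption
IP_THRESHOLD = 3    # "first IP threshold"; the value is an assumption
ADMIN_PREFIX = "/admin/"                       # hypothetical management backend path
AUTHORIZED_NETS = [ip_network("10.0.0.0/8")]   # hypothetical management range

# Constructed attack records, as a protection or audit log might hold them.
ATTACKS = [
    {"src": "203.0.113.9", "url": "/news/view.php", "param": "id", "type": "sqli"},
    {"src": "203.0.113.9", "url": "/news/view.php", "param": "id", "type": "sqli"},
    {"src": "203.0.113.9", "url": "/news/view.php", "param": "id", "type": "xss"},
    {"src": "203.0.113.9", "url": "/search.php", "param": "q", "type": "xss"},
    {"src": "198.51.100.7", "url": "/news/view.php", "param": "id", "type": "sqli"},
    {"src": "198.51.100.7", "url": "/login.php", "param": "user", "type": "sqli"},
    {"src": "192.0.2.44", "url": "/search.php", "param": "q", "type": "xss"},
]

# Constructed access records seen by the audit module.
ADMIN_ACCESS = [
    {"src": "10.1.2.3", "url": "/admin/login.php"},
    {"src": "198.51.100.7", "url": "/admin/login.php"},
    {"src": "198.51.100.7", "url": "/admin/users.php"},
    {"src": "203.0.113.9", "url": "/index.php"},
]


def over_threshold(counter, threshold):
    """Keys whose count is strictly higher than the threshold, sorted."""
    return sorted((k, n) for k, n in counter.items() if n > threshold)


def a_to_d(attacks, threshold=URL_THRESHOLD):
    """Audit -> Detection: URL/parameter pairs to hand over for in-depth detection."""
    hits = Counter((a["url"], a["param"]) for a in attacks)
    return [{"url": u, "param": p, "attacks": n}
            for (u, p), n in over_threshold(hits, threshold)]


def p_to_a(attacks, threshold=IP_THRESHOLD):
    """Protection -> Audit: high-frequency sources and their other attack behavior."""
    hits = Counter(a["src"] for a in attacks)
    out = []
    for ip, n in over_threshold(hits, threshold):
        seen = sorted({(a["url"], a["type"]) for a in attacks if a["src"] == ip})
        out.append({"ip": ip, "attacks": n, "activity": seen})
    return out


def a_to_p(accesses, prefix=ADMIN_PREFIX, nets=AUTHORIZED_NETS):
    """Audit -> Protection: backend access from outside the authorized ranges."""
    hits = Counter(
        r["src"] for r in accesses
        if r["url"].startswith(prefix)
        and not any(ip_address(r["src"]) in net for net in nets)
    )
    return [{"ip": ip, "admin_requests": n} for ip, n in sorted(hits.items())]


def linkage_tasks(attacks, accesses):
    """Event hand-offs as (route, payload) pairs for the receiving module."""
    tasks = [("A->D", t) for t in a_to_d(attacks)]
    tasks += [("P->A", t) for t in p_to_a(attacks)]
    tasks += [("A->P", t) for t in a_to_p(accesses)]
    return tasks


if __name__ == "__main__":
    for route, payload in linkage_tasks(ATTACKS, ADMIN_ACCESS):
        print(route, payload)
```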
5. Linkage model five (D->P): defense in depth
Fig. 4-5 is a flow diagram of linkage model five of an embodiment of the present invention at work. As shown in Fig. 4-5, the main linkage flow of D->P is as follows: (1) the Web monitoring module records the URL addresses and parameters that have high-risk vulnerabilities; (2) the Web monitoring module hands these parameters to the Web protection module and notifies the Web protection module to apply customized protection. The D->P linkage model takes the URL addresses and parameters that are subject to high-frequency attacks or attack attempts and hands them to the Web protection module for fine-grained protection.
6. Linkage model six (M->P): intelligent tamper protection
Fig. 4-6 is a flow diagram of linkage model six of an embodiment of the present invention at work. As shown in Fig. 4-6, the main linkage flow of M->P is as follows: (1) the Web monitoring module detects URL addresses that have had a Trojan implanted or been tampered with; (2) the Web monitoring module sends these URL addresses to the Web protection module for linked protection. For websites that have had a Trojan implanted, the M->P linkage model achieves automatic protection.
Based on the above DPMA protection model, an embodiment of the present invention further provides a security protection method. Fig. 5 is a schematic diagram of the implementation flow of the security protection method of an embodiment of the present invention. As shown in Fig. 5, the method comprises:
Step 501: the DPMA protection model obtains protection information about a Web attack.
Here, the DPMA protection model comprises a Web detection module, a Web protection module, a Web monitoring module and a Web audit module.
Here, the protection information includes at least any one of the following: attack source, attack method, attack target, website dynamic page information, URL addresses and parameters whose attack frequency is higher than a preset first uniform resource locator (URL) threshold, unauthorized public-network Internet Protocol (IP) addresses, IP addresses whose attack frequency is higher than a preset first IP threshold, URL addresses and parameters with high-risk vulnerabilities, and URL addresses that have had a Trojan implanted or been tampered with.
Step 502: the DPMA protection model performs linkage according to the protection information of the Web attack to achieve security protection for Web applications.
Here, the linkage comprises using the protection information of the Web attack to interact among the Web detection module, the Web protection module, the Web monitoring module and the Web audit module.
In the embodiment of the present invention, the Web detection module is configured to, before potential security threats in the Web system are discovered and exploited, perform Web security detection on the potential security threats to obtain a detection result and analyze potential risk points from the detection result; to provide a security repair method according to the potential risk points; and then to hand the security repair method to the Web protection module, so that the Web protection module repairs the potential risk points.
The Web detection module is further configured to hand the detection result to the Web protection module, the Web monitoring module and the Web audit module for association analysis and protection.
In the embodiment of the present invention, the Web protection module is configured to, when a Web attack occurs, detect and protect against the Web attack in real time so as to block the various attacks; the Web protection module is further configured to hand the protection information to the Web detection module, the Web monitoring module and the Web audit module for in-depth association analysis and protection.
In the embodiment of the present invention, the Web monitoring module is used for system stability monitoring, page tampering monitoring, Trojan implantation monitoring and backdoor monitoring, to obtain monitoring information, where system stability monitoring covers Web system availability, TCP response delay and HTTP response delay. The Web monitoring module is further configured to hand the monitoring information to the Web detection module, the Web protection module and the Web audit module for association analysis and protection, where the monitoring information indicates the monitoring results obtained from system stability monitoring, page tampering monitoring, Trojan implantation monitoring and backdoor monitoring.
In the embodiment of the present invention, the Web audit module is configured to, for Web attacks that succeeded, perform security analysis on the logs of the Web attack and detect the tracing content of the Web attack; the Web audit module is further configured to hand the tracing content to the Web detection module, the Web monitoring module and the Web protection module for association analysis and protection.
In the embodiment of the present invention, the joint-action mechanism based on to attack, so that the protection information is detected in Web Module, Web monitoring module, is interacted and is called between Web Audit Module Web protection module, comprising:
Web Audit Module counts the dynamic page that user accessed, and extracts and is believed by the dynamic page of guarding website Breath;
The dynamic page information is transferred to Web monitoring module by Web Audit Module;
Web monitoring module is crawled and is detected to dynamic page according to the dynamic page information, and concealed type is obtained Webshell and without streptostyly Webshell.
In the embodiment of the present invention, the joint-action mechanism based on to attack, so that the protection information is detected in Web Module, Web monitoring module, is interacted and is called between Web Audit Module Web protection module, comprising:
The Web Audit Module is higher than the address URL of the first URL threshold value to statistical attack frequency in log and parameter carries out It extracts;
Web detection module is transferred in the address URL extracted and parameter by the Web Audit Module;
The address URL and parameter that the Web Audit Module is transferred to according to the Web Audit Module carry out depth and examine safely It surveys.
In the embodiment of the present invention, the joint-action mechanism based on to attack, so that the protection information is detected in Web Module, Web monitoring module, is interacted and is called between Web Audit Module Web protection module, comprising:
The Web Audit Module counts the IP address on access portal management backstage, obtains unauthorized public network IP Address;
The unauthorized public network IP address is accessed portal management backstage situation by the Web Audit Module, is transferred to described Web protection module is to carry out linked protection.
In the embodiment of the present invention, the joint-action mechanism based on to attack, so that the protection information is detected in Web Module, Web monitoring module, is interacted and is called between Web Audit Module Web protection module, comprising:
The Web protection module obtains the first IP address, and first IP address is that attack frequency is higher than preset first The IP address of IP threshold value;
First IP address is transferred to the Web Audit Module by the Web protection module;
The Web Audit Module analyzes the suffered Web attack of first IP address.
In an embodiment of the present invention, the attack-based linkage mechanism, by which the protection information is exchanged and invoked among the Web detection module, Web protection module, Web monitoring module and Web Audit Module, comprises:
The Web detection module records the URL addresses and parameters that have high-risk vulnerabilities;
The Web detection module passes the URL addresses and parameters that have high-risk vulnerabilities to the Web protection module, and the Web protection module applies customized protection.
In an embodiment of the present invention, the attack-based linkage mechanism, by which the protection information is exchanged and invoked among the Web detection module, Web protection module, Web monitoring module and Web Audit Module, comprises:
The Web monitoring module detects URL addresses whose pages have had a Trojan implanted or have been tampered with;
The Web monitoring module sends the Trojan-implanted or tampered URL addresses to the Web protection module for linked protection.
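The audit-driven linkages described above (high-frequency attack URLs to the detection module, unauthorized public IPs on the management backend to the protection module, and the accessed dynamic-page list to the monitoring module) can be illustrated as follows. This is an added example, not part of the patent text; the log format, network ranges, allow-list, crawl result and all function names are assumptions, and treating "accessed but not reached by the crawl" as an unlinked-Webshell candidate is one possible reading of the monitoring step.

```python
import ipaddress
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed sample log (assumed format): "<client-ip> <request-uri> <attack-label or ->"
SAMPLE_LOG = """\
203.0.113.7 /news.php?id=1%27 sqli
203.0.113.7 /news.php?id=2%20or%201=1 sqli
198.51.100.9 /news.php?id=3 sqli
198.51.100.9 /search.php?q=%3Cscript%3E xss
10.0.0.5 /admin/login.php -
203.0.113.7 /admin/login.php -
192.0.2.44 /admin/users.php?page=2 -
192.0.2.44 /upload/tmp/x.php?c=1 -
10.0.0.8 /index.php -
"""
# Constructed crawl result: dynamic pages reachable by following site links.
CRAWLED = {"/index.php", "/news.php", "/search.php",
           "/admin/login.php", "/admin/users.php"}

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed intranet range
AUTHORIZED_ADMIN_IPS = {"192.0.2.44"}                 # assumed allow-list of public admin IPs
DYNAMIC_SUFFIXES = (".php", ".jsp", ".asp", ".aspx")

def parse(log_text):
    """Yield (ip, path, sorted parameter names, attack label or None) per log line."""
    for line in log_text.splitlines():
        ip, uri, label = line.split()
        parts = urlsplit(uri)
        names = {k for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
        yield ip, parts.path, tuple(sorted(names)), (None if label == "-" else label)

def audit_linkage(log_text, url_threshold=2, admin_prefix="/admin/"):
    """Audit side: build the three hand-offs to the other modules."""
    attacks = Counter()     # (path, parameter names) -> number of attack records
    admin_hits = Counter()  # unauthorized public IP -> management-backend requests
    dynamic_pages = set()   # dynamic pages that users actually requested
    for ip, path, params, label in parse(log_text):
        if label:
            attacks[(path, params)] += 1
        if path.endswith(DYNAMIC_SUFFIXES):
            dynamic_pages.add(path)
        if path.startswith(admin_prefix):
            addr = ipaddress.ip_address(ip)
            internal = any(addr in net for net in INTERNAL_NETS)
            if not internal and ip not in AUTHORIZED_ADMIN_IPS:
                admin_hits[ip] += 1
    return {
        "to_detection": sorted(k for k, n in attacks.items() if n > url_threshold),
        "to_protection": dict(admin_hits),
        "to_monitoring": sorted(dynamic_pages),
    }

def unlinked_pages(accessed_pages, crawled_pages):
    """Monitoring side: requested dynamic pages that no crawled page links to."""
    return sorted(set(accessed_pages) - set(crawled_pages))
```

Pages returned by `unlinked_pages` are candidates for inspection rather than confirmed Webshells; legitimate unlinked endpoints will also appear there.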
It should be understood that references throughout the specification to "one embodiment" or "an embodiment" mean that a particular feature, structure or characteristic related to the embodiment is included in at least one embodiment of the present invention. Therefore, occurrences of "in one embodiment" or "in an embodiment" throughout the specification do not necessarily refer to the same embodiment. In addition, these particular features, structures or characteristics may be combined in any suitable manner in one or more embodiments. It should be understood that, in the various embodiments of the present invention, the magnitude of the sequence numbers of the above processes does not imply an order of execution; the order of execution of each process should be determined by its function and internal logic, and should not constitute any limitation on the implementation of the embodiments of the present invention.
In the several embodiments provided in this application, it should be understood that the disclosed device and method may be implemented in other ways. The device embodiments described above are merely illustrative. For example, the division of the units is only a division by logical function, and other divisions are possible in actual implementation: multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. In addition, the mutual coupling, direct coupling or communication connection between the components shown or discussed may be indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or in other forms.
The units described above as separate components may or may not be physically separate, and the components displayed as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the various embodiments of the present invention may all be integrated in one processing unit, or each unit may serve individually as a unit, or two or more units may be integrated in one unit; the integrated unit may be implemented in the form of hardware, or in the form of hardware plus software functional units.
Those of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiments may be completed by hardware related to program instructions. The aforementioned program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The aforementioned storage medium includes various media that can store program code, such as a removable storage device, a read-only memory (Read Only Memory, ROM), a magnetic disk or an optical disk.
Alternatively, if the above integrated unit of the present invention is implemented in the form of a software functional module and sold or used as an independent product, it may also be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the embodiments of the present invention, in essence or in the part that contributes to the prior art, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to execute all or part of the methods of the embodiments of the present invention. The aforementioned storage medium includes various media that can store program code, such as a removable storage device, a ROM, a magnetic disk or an optical disk.
The above is merely a specific embodiment of the present invention, but the protection scope of the present invention is not limited thereto. Any change or replacement that a person skilled in the art can readily conceive of within the technical scope disclosed by the present invention shall be covered by the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (14)

1. A security protection method, characterized in that the method comprises:
A DPMA Protection Model obtains protection information about a Web attack event, wherein the DPMA Protection Model comprises: a Web detection module, a Web protection module, a Web monitoring module and a Web Audit Module;
The DPMA Protection Model performs linkage according to the protection information of the Web attack event, so as to achieve security protection for the Web application, wherein the linkage comprises using the protection information of the Web attack event to interact among the Web detection module, the Web protection module, the Web monitoring module and the Web Audit Module;
Wherein, when a Web attack event occurs, the Web protection module detects and protects against the Web attack event in real time, so as to block the various attacks; the Web protection module passes the protection information to the Web detection module, the Web monitoring module and the Web Audit Module for in-depth correlation analysis and protection.
2. The method according to claim 1, characterized in that the protection information includes at least any one of the following: attack source, attack mode, attack target, dynamic page information of the website, URL addresses and parameters whose attack frequency is higher than a preset first uniform resource locator (URL) threshold, unauthorized public Internet Protocol (IP) addresses, IP addresses whose attack frequency is higher than a preset first IP threshold, URL addresses and parameters with high-risk vulnerabilities, and URL addresses that have had a Trojan implanted or have been tampered with.
3. The method according to claim 1, characterized in that the DPMA Protection Model performing linkage according to the protection information of the Web attack event comprises:
The Web detection module performs Web security detection on potential security threats, obtains a detection result, and analyzes potential risk points from the detection result;
The Web detection module provides a security repair method according to the potential risk points, and then passes the security repair method to the Web protection module; the Web protection module repairs the potential risk points using the security repair method, and forms a Web protection log according to the security repair method and the corresponding potential risk points;
The Web detection module passes the detection result to the Web protection module, the Web monitoring module and the Web Audit Module for correlation analysis and protection.
4. The method according to claim 1, characterized in that the DPMA Protection Model performing linkage according to the protection information of the Web attack event comprises:
The Web monitoring module performs system stability monitoring, page tampering monitoring, Trojan-implant monitoring and backdoor monitoring to obtain monitoring information, wherein the system stability monitoring comprises monitoring Web system availability, TCP response latency and HTTP response latency; meanwhile,
The Web monitoring module passes the monitoring information to the Web detection module, the Web protection module and the Web Audit Module for correlation analysis and protection.
5. The method according to claim 1, characterized in that the DPMA Protection Model performing linkage according to the protection information of the Web attack event comprises:
The Web Audit Module performs security analysis on successful Web attack events using the logs of the Web attack events, and detects and obtains the trace-back content of the Web attack events;
The Web Audit Module passes the trace-back content to the Web detection module, the Web monitoring module and the Web protection module for correlation analysis and protection.
6. The method according to any one of claims 1 to 5, characterized in that the DPMA Protection Model performing linkage according to the protection information of the Web attack event comprises:
The Web Audit Module counts the dynamic pages that users have accessed and extracts the dynamic page information of the protected website;
The Web Audit Module passes the dynamic page information to the Web monitoring module;
The Web monitoring module crawls and inspects the dynamic pages according to the dynamic page information, obtains hidden Webshells and unlinked Webshells, and outputs the hidden Webshells and unlinked Webshells.
7. The method according to any one of claims 1 to 5, characterized in that the DPMA Protection Model performing linkage according to the protection information of the Web attack event comprises:
The Web Audit Module extracts from the logs the URL addresses and parameters whose counted attack frequency is higher than the first URL threshold;
The Web Audit Module passes the extracted URL addresses and parameters to the Web detection module;
The Web detection module performs in-depth security detection on the URL addresses and parameters passed on by the Web Audit Module.
8. The method according to any one of claims 1 to 5, characterized in that the DPMA Protection Model performing linkage according to the protection information of the Web attack event comprises:
The Web Audit Module counts the IP addresses that access the portal management backend and obtains the unauthorized public IP addresses;
The Web Audit Module sends the record of the unauthorized public IP addresses accessing the portal management backend to the Web protection module.
9. The method according to any one of claims 1 to 5, characterized in that the DPMA Protection Model performing linkage according to the protection information of the Web attack event comprises:
The Web protection module obtains a first IP address, the first IP address being an IP address whose attack frequency is higher than a preset first IP threshold;
The Web protection module passes the first IP address to the Web Audit Module;
The Web Audit Module analyzes the Web attack events suffered by the first IP address.
10. The method according to any one of claims 1 to 5, characterized in that the DPMA Protection Model performing linkage according to the protection information of the Web attack event comprises:
The Web detection module records the URL addresses and parameters that have high-risk vulnerabilities;
The Web detection module passes the URL addresses and parameters that have high-risk vulnerabilities to the Web protection module;
The Web protection module applies customized protection according to the URL addresses and parameters that have high-risk vulnerabilities.
11. The method according to any one of claims 1 to 5, characterized in that the DPMA Protection Model performing linkage according to the protection information of the Web attack event comprises:
The Web monitoring module detects URL addresses whose pages have had a Trojan implanted or have been tampered with;
The Web monitoring module sends the Trojan-implanted or tampered URL addresses to the Web protection module.
12. A DPMA Protection Model, characterized in that the DPMA Protection Model comprises four modules: a Web detection module, a Web protection module, a Web monitoring module and a Web Audit Module, wherein:
The Web detection module is configured to perform Web security detection on potential security threats, obtain a detection result, and analyze potential risk points from the detection result; and to provide a security repair method according to the potential risk points and then pass the security repair method to the Web protection module, so that the Web protection module repairs the potential risk points using the security repair method;
The Web detection module is further configured to pass the detection result to the Web protection module, the Web monitoring module and the Web Audit Module for correlation analysis and protection.
13. The model according to claim 12, characterized in that the Web protection module is configured to, when a Web attack event occurs, detect and protect against the Web attack event in real time, so as to block the various attacks;
The Web protection module is further configured to pass the protection information to the Web detection module, the Web monitoring module and the Web Audit Module for in-depth correlation analysis and protection.
14. The model according to claim 12 or 13, characterized in that the Web monitoring module is configured to perform system stability monitoring, page tampering monitoring, Trojan-implant monitoring and backdoor monitoring to obtain monitoring information, wherein the system stability monitoring comprises monitoring Web system availability, TCP response latency and HTTP response latency; meanwhile,
The Web monitoring module is further configured to pass the monitoring information to the Web detection module, the Web protection module and the Web Audit Module for correlation analysis and protection.
CN201510026104.4A 2015-01-19 2015-01-19 A kind of safety protecting method and DPMA Protection Model Active CN105871775B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510026104.4A CN105871775B (en) 2015-01-19 2015-01-19 A kind of safety protecting method and DPMA Protection Model

Publications (2)

Publication Number Publication Date
CN105871775A CN105871775A (en) 2016-08-17
CN105871775B true CN105871775B (en) 2019-03-12

Family

ID=56622805

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510026104.4A Active CN105871775B (en) 2015-01-19 2015-01-19 A kind of safety protecting method and DPMA Protection Model

Country Status (1)

Country Link
CN (1) CN105871775B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106656975B (en) * 2016-10-18 2020-01-24 新华三技术有限公司 Attack defense method and device
CN108234431A (en) * 2016-12-22 2018-06-29 阿里巴巴集团控股有限公司 A kind of backstage logs in behavioral value method and detection service device
CN106790169B (en) * 2016-12-29 2020-06-09 杭州迪普科技股份有限公司 Protection method and device for scanning of scanning equipment
CN107277080A (en) * 2017-08-23 2017-10-20 深信服科技股份有限公司 A kind of is the internet risk management method and system of service based on safety
CN109067772A (en) * 2018-09-10 2018-12-21 四川中电启明星信息技术有限公司 A kind of component and safety protecting method for security protection

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101257399A (en) * 2007-12-29 2008-09-03 ***通信集团四川有限公司 Service system united safe platform
CN102111420A (en) * 2011-03-16 2011-06-29 上海电机学院 Intelligent NIPS framework based on dynamic cloud/fire wall linkage
CN102739647A (en) * 2012-05-23 2012-10-17 国家计算机网络与信息安全管理中心 High-interaction honeypot based network security system and implementation method thereof

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7603711B2 (en) * 2002-10-31 2009-10-13 Secnap Networks Security, LLC Intrusion detection system

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
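WebTrust Application Firewall Product Introduction; 北京众信君安科技有限公司; Baidu Wenku; 20111020; main text, page 1 line 17 to page 4 line 6
The No. 1 Domestic Next-Generation Firewall Brand; 深信服科技; Baidu Wenku; 20140318; main text, page 1 line 2 to page 3 line 4
Design and Implementation of an Application-Layer-Oriented Network Security Solution; 江超; China Master's Theses Full-text Database; 20131115; main text, page 10 line 8 to page 41 line 6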

Also Published As

Publication number Publication date
CN105871775A (en) 2016-08-17

Similar Documents

Publication Publication Date Title
CN109818985B (en) Industrial control system vulnerability trend analysis and early warning method and system
US7376969B1 (en) Real time monitoring and analysis of events from multiple network security devices
CN104811447B (en) One kind is based on the associated safety detection method of attack and system
CN109474607A (en) A kind of industrial control network safeguard protection monitoring system
CN105871775B (en) A kind of safety protecting method and DPMA Protection Model
CN107888607A (en) A kind of Cyberthreat detection method, device and network management device
CN108259462A (en) Big data Safety Analysis System based on mass network monitoring data
Elia et al. Comparing SQL injection detection tools using attack injection: An experimental study
Dahbul et al. Enhancing honeypot deception capability through network service fingerprinting
Han et al. Evaluation of deception-based web attacks detection
CN106650436A (en) Safety detecting method and device based on local area network
CN105939311A (en) Method and device for determining network attack behavior
Marotta et al. Integrating a proactive technique into a holistic cyber risk management approach
CN113422779B (en) Active security defense system based on centralized management and control
Gupta et al. Automated discovery of JavaScript code injection attacks in PHP web applications
CN111625821A (en) Application attack detection system based on cloud platform
Touseef et al. Analysis of automated web application security vulnerabilities testing
Aboelfotoh et al. A review of cyber-security measuring and assessment methods for modern enterprises
Barabas et al. Behavioral signature generation using shadow honeypot
Adeyanju et al. Digital industrial control systems: Vulnerabilities and security technologies
Sherif et al. Intrusion detection: methods and systems. Part II
US20210258331A1 (en) Penetration test monitoring server and system
CN106993005A (en) The method for early warning and system of a kind of webserver
Rahmawati et al. Web Application Firewall Using Proxy and Security Information and Event Management (SIEM) for OWASP Cyber Attack Detection
TWI738078B (en) Penetration test monitoring server and system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant