CN113660215A - Attack behavior detection method and device based on Web application firewall - Google Patents

Attack behavior detection method and device based on Web application firewall

Info

Publication number
CN113660215A
Authority
CN
China
Prior art keywords
request data
web application
application firewall
code
attack behavior
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
CN202110846276.1A
Other languages
Chinese (zh)
Inventor
王珅
范渊
杨勃
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
DBAPPSecurity Co Ltd
Original Assignee
DBAPPSecurity Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by DBAPPSecurity Co Ltd
Priority to CN202110846276.1A
Publication of CN113660215A
Current legal status: Withdrawn

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The application relates to an attack behavior detection method, device, electronic device and storage medium based on a Web application firewall, wherein the method comprises the following steps: acquiring a plurality of response status codes of the Web application firewall within a preset time period; extracting an abnormal status code from the plurality of response status codes; under the condition that the quantity ratio of the abnormal state codes in all the response state codes is larger than a preset threshold value, acquiring request data received by a Web application firewall in a preset time period; and determining whether the request data has an attack behavior within a preset time period according to the request data and the abnormal state code. By the method and the device, the problem of low efficiency of detecting the attack behavior of the abnormal traffic data flowing through the Web application firewall in the related technology is solved, and the technical effect of improving the efficiency of detecting the attack behavior of the abnormal traffic data flowing through the Web application firewall is achieved.

Description

Attack behavior detection method and device based on Web application firewall
Technical Field
The present application relates to the field of information security technologies, and in particular, to a method and an apparatus for detecting an attack behavior based on a Web application firewall, an electronic apparatus, and a storage medium.
Background
As Web applications grow richer in function, the Web server has become a primary attack target because of its strong computing power, high processing performance and high value to an attacker. Traditional firewalls are powerless against attacks that exploit application program bugs; in this context, Web Application Firewalls (WAFs for short) came into existence.
A WAF is a product that protects Web applications by executing a series of security policies for HTTP (Hypertext Transfer Protocol) and HTTPS (HTTP over a secure layer). Early WAFs were rule-based protection devices: rule-based protection can provide a variety of Web application security rules, the WAF vendor maintains the rule base and updates it in real time, and a user protects the application comprehensively according to those rules.
At present, a WAF in the related art adopts a reverse proxy mode, and after receiving an HTTP access request of each client through a TCP (Transmission Control Protocol, TCP for short), forwards a valid HTTP access request to a corresponding source station according to a preset mapping relationship; and after receiving the HTTP response message responded by the source station, the WAF forwards the HTTP response message to the corresponding client according to the same method. However, in such schemes, when the WAF detects a large amount of abnormal traffic data, the WAF cannot automatically identify the abnormal traffic data, and needs a large amount of manpower to perform comprehensive analysis, so as to determine whether the abnormal traffic data belongs to a source station fault problem or an attack behavior, thereby reducing the detection efficiency and accuracy of the attack behavior.
At present, no effective solution is provided for the problem of low efficiency of detecting the attack behavior of abnormal traffic data flowing through a Web application firewall in the related technology.
Disclosure of Invention
The embodiment of the application provides a method, a device, an electronic device and a storage medium for detecting an attack behavior based on a Web application firewall, so as to at least solve the problem of low efficiency of detecting the attack behavior of abnormal traffic data flowing through the Web application firewall in the related technology.
In a first aspect, an embodiment of the present application provides a method for detecting an attack behavior based on a Web application firewall, where the method includes: acquiring a plurality of response status codes of the Web application firewall within a preset time period; extracting an abnormal status code from the plurality of response status codes; under the condition that the number proportion of the abnormal state codes in all the response state codes is larger than a preset threshold value, acquiring request data received by the Web application firewall in the preset time period; and determining whether the request data has an attack behavior in the preset time period according to the request data and the abnormal state code.
In some embodiments, determining whether there is an attack behavior on the request data within the preset time period according to the request data and the abnormal status code includes: determining a status code category of each abnormal status code, wherein the status code category comprises a client error status code and a server error status code; determining that the request data corresponding to the abnormal state code has an attack behavior under the condition that the abnormal state code is a client error state code; and under the condition that the abnormal state code is the server error state code, determining that the source station corresponding to the abnormal state code has a fault.
In some of these embodiments, the method further comprises: judging whether each abnormal state code is subjected to mapping processing or not; and under the condition that the abnormal state code is not subjected to mapping processing, determining that the Web application firewall has a fault.
In some of these embodiments, the method further comprises: and generating a visual report according to the request data corresponding to the client error state code and the request data corresponding to the server error state code.
In some embodiments, generating the visual report according to the request data corresponding to the client error status code and the request data corresponding to the server error status code includes: extracting an IP address for launching an attack behavior from the request data corresponding to the client error state code; extracting a first domain name address pointed by an attack behavior from request data corresponding to the client error state code; extracting a second domain name address with a fault from the request data corresponding to the server error status code; and generating a visual report according to the IP address, the first domain name address and the second domain name address.
In some of these embodiments, the method further comprises: blacklisting or rate limiting the IP address that initiated the attack behavior; and sending alarm information to a preset communication address corresponding to the first domain name address and/or the second domain name address.
In some embodiments, before obtaining the plurality of response status codes of the Web application firewall within the preset time period, the method further comprises: acquiring a plurality of request data by using the Web application firewall, and carrying out flow cleaning on the plurality of request data to remove abnormal request data in the plurality of request data; respectively forwarding each request data to a source station corresponding to the request data by using the Web application firewall, and receiving an initial state code which is sent by the source station and corresponds to each request data; and mapping each initial state code by using the Web application firewall to obtain a plurality of response state codes.
In a second aspect, an embodiment of the present application provides an attack behavior detection apparatus based on a Web application firewall, where the apparatus includes: the acquisition module is used for acquiring a plurality of response status codes of the Web application firewall within a preset time period; the extracting module is used for extracting the abnormal state code from the plurality of response state codes; the judging module is used for acquiring the request data received by the Web application firewall in the preset time period under the condition that the quantity ratio of the abnormal state codes in all the response state codes is greater than a preset threshold value; and the determining module is used for determining whether the request data has an attack behavior in the preset time period according to the request data and the abnormal state code.
In a third aspect, an embodiment of the present application further provides an electronic apparatus, which includes a memory and a processor, where the memory stores a computer program, and the processor is configured to execute the computer program to perform the method for detecting an attack behavior based on a Web application firewall as described in the first aspect.
In a fourth aspect, an embodiment of the present application further provides a storage medium, where a computer program is stored in the storage medium, where the computer program, when executed by a processor, implements the method for detecting an attack behavior based on a Web application firewall according to the first aspect.
Compared with the related art, the attack behavior detection method, the device, the electronic device and the storage medium based on the Web application firewall provided by the embodiment of the application acquire a plurality of response status codes of the Web application firewall within a preset time period and extract abnormal status codes from the plurality of response status codes; under the condition that the quantity ratio of the abnormal state codes in all the response state codes is larger than a preset threshold value, the request data received by the Web application firewall in a preset time period is obtained, whether the attack behavior exists in the request data in the preset time period is determined according to the request data and the abnormal state codes, whether the attack behavior exists in the request data flowing through the Web application firewall is automatically identified based on the abnormal state codes, the problem that the efficiency of detecting the attack behavior of the abnormal traffic data flowing through the Web application firewall in the related technology is low is solved, and the technical effect of improving the efficiency of detecting the attack behavior of the abnormal traffic data flowing through the Web application firewall is achieved.
The details of one or more embodiments of the application are set forth in the accompanying drawings and the description below to provide a more thorough understanding of the application.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 is a flowchart of an attack behavior detection method based on a Web application firewall according to an embodiment of the present application;
FIG. 2 is a flowchart of a method for detecting an attack behavior based on a Web application firewall according to a preferred embodiment of the present application;
fig. 3 is a block diagram of an attack behavior detection apparatus based on a Web application firewall according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be described and illustrated below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments provided in the present application without any inventive step are within the scope of protection of the present application. Moreover, it should be appreciated that in the development of any such actual implementation, as in any engineering or design project, numerous implementation-specific decisions must be made to achieve the developers' specific goals, such as compliance with system-related and business-related constraints, which may vary from one implementation to another.
Reference in the specification to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the specification. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of ordinary skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments without conflict.
Unless defined otherwise, technical or scientific terms referred to herein shall have the ordinary meaning as understood by those of ordinary skill in the art to which this application belongs. Reference to "a," "an," "the," and similar words throughout this application are not to be construed as limiting in number, and may refer to the singular or the plural. The present application is directed to the use of the terms "including," "comprising," "having," and any variations thereof, which are intended to cover non-exclusive inclusions; for example, a process, method, system, article, or apparatus that comprises a list of steps or modules (elements) is not limited to the listed steps or elements, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. Reference to "connected," "coupled," and the like in this application is not intended to be limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. Reference herein to "a plurality" means greater than or equal to two. "and/or" describes an association relationship of associated objects, meaning that three relationships may exist, for example, "A and/or B" may mean: a exists alone, A and B exist simultaneously, and B exists alone. Reference herein to the terms "first," "second," "third," and the like, are merely to distinguish similar objects and do not denote a particular ordering for the objects.
The present embodiment provides a method for detecting an attack behavior based on a Web application firewall, and fig. 1 is a flowchart of a method for detecting an attack behavior based on a Web application firewall according to an embodiment of the present application, and as shown in fig. 1, the method includes:
in step S101, a plurality of response status codes of the Web application firewall within a preset time period are acquired.
In this embodiment, after receiving the HTTP response packet from the source station, the Web application firewall records the response status code (HTTP Status Code) of the HTTP response packet in its log. The response status code is a three-digit numeric code representing the HTTP response state of the web server, and response status codes fall into five classes: informational, success, redirection, client error, and server error.
In the above embodiments, the preset time period may be 1 minute, 5 minutes, etc., and the present application is not limited.
Step S102, an abnormal state code is extracted from a plurality of response state codes.
In this embodiment, the client error status code and the server error status code in the response status code may be taken as the exception status code, where the representation of the client error status code is 4XX, and the representation of the server error status code is 5XX or 6XX, that is, the exception status codes of 4XX, 5XX, and 6XX are extracted from the plurality of response status codes.
Step S103, under the condition that the number ratio of the abnormal status codes in all the response status codes is larger than the preset threshold value, acquiring the request data received by the Web application firewall in the preset time period.
In this embodiment, the preset threshold may be set according to a user requirement or an operation experience of the Web application firewall, for example, the preset threshold may be set to 10%, 30%, 60%, or the like, and may also perform a graded early warning according to 10%, 30%, 60%, which is not limited in this application.
And step S104, determining whether the request data has an attack behavior within a preset time period according to the request data and the abnormal state code.
In this embodiment, after acquiring the request data received by the Web application firewall within the preset time period, the type of the abnormal status code may be determined: when the abnormal state code recorded by the Web application firewall is 4XX, the request data corresponding to the abnormal state code can be determined to have an attack behavior; and when the abnormal state code recorded by the Web application firewall is 5XX or 6XX, determining that the source station corresponding to the abnormal state code has a fault.
In the foregoing embodiment, the attack behavior detection method based on the Web application firewall provided in this embodiment may be implemented by a cloud WAF, for example, a basalt cloud protection system, and a working mode adopted by the cloud WAF is a reverse proxy mode, and a client used by a user communicates with the cloud WAF, and the cloud WAF communicates with each source station through TCP connections.
After adopting a reverse proxy mode, the WAF in the related technology receives the HTTP access request of each client through TCP connection, and forwards the legal HTTP access request to the corresponding source station according to a preset mapping relation; and after receiving the HTTP response message responded by the source station, the WAF forwards the HTTP response message to the corresponding client according to the same method. However, in such schemes, when the WAF detects a large amount of abnormal traffic data, the WAF cannot automatically identify the abnormal traffic data, and needs a large amount of manpower to perform comprehensive analysis, so as to determine whether the abnormal traffic data belongs to a source station fault problem or an attack behavior, thereby reducing the detection efficiency and accuracy of the attack behavior.
Through steps S101 to S104, a plurality of response status codes of the Web application firewall within a preset time period are acquired, and abnormal status codes are extracted from them; when the proportion of abnormal status codes among all response status codes exceeds a preset threshold, the request data received by the Web application firewall in the preset time period is obtained, and finally whether the request data exhibits an attack behavior in the preset time period is determined from the request data and the abnormal status codes. Whether attack behavior exists in the request data flowing through the Web application firewall is thus identified automatically from the abnormal status codes, improving detection efficiency and accuracy. By the method and the device, the problem of low efficiency of detecting the attack behavior of the abnormal traffic data flowing through the Web application firewall in the related technology is solved, and the technical effect of improving the efficiency of that detection is achieved.
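Steps S101 to S104 above, worked through as an added Python example that is not part of the patent or of its assignee's product: constructed WAF log lines are bucketed into a one-minute window, the proportion of abnormal codes (4XX, 5XX, 6XX) is compared against the graded early-warning thresholds of 10%, 30% and 60% named under step S103, and only when the lowest threshold is exceeded are the matching request records pulled and split into the two verdicts of step S104. The log line format and the field names are assumptions made for the example.

```python
# Added example (not the patent's code): windowed abnormal-status-ratio detection (S101-S104).
from datetime import datetime, timedelta

# Constructed WAF log lines, one request each: <timestamp> <client_ip> <requested_host> <status>
# (552 stands for an origin 502 that the WAF has already mapped with its +50 offset).
SAMPLE_LOG = """\
2021-07-26T10:00:01 203.0.113.10 shop.example 200
2021-07-26T10:00:02 203.0.113.10 shop.example 200
2021-07-26T10:00:03 198.51.100.7 shop.example 404
2021-07-26T10:00:04 198.51.100.7 shop.example 403
2021-07-26T10:00:05 198.51.100.7 shop.example 404
2021-07-26T10:00:06 203.0.113.11 api.example 552
2021-07-26T10:00:07 203.0.113.12 api.example 552
2021-07-26T10:00:08 203.0.113.13 shop.example 302
2021-07-26T10:05:30 203.0.113.14 shop.example 200
"""

# Graded early-warning thresholds from the description (10%, 30%, 60%).
GRADED_THRESHOLDS = (0.10, 0.30, 0.60)


def parse_log(text):
    """Turn the constructed log format into records; a real deployment would read the WAF's own log schema."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, host, status = line.split()
        records.append({"time": datetime.fromisoformat(ts), "ip": ip,
                        "host": host, "status": int(status)})
    return records


def is_abnormal(status):
    # S102: client error (4XX) and server error (5XX or 6XX) codes are the abnormal ones.
    return 400 <= status < 700


def classify(status):
    # S104: 4XX -> request data shows attack behaviour; 5XX/6XX -> the source station has a fault.
    if 400 <= status < 500:
        return "attack"
    if 500 <= status < 700:
        return "origin_fault"
    return "normal"


def analyze_window(records, window_start_iso, window_minutes=1):
    """S101-S104 for one preset time period starting at window_start_iso."""
    start = datetime.fromisoformat(window_start_iso)
    end = start + timedelta(minutes=window_minutes)
    in_window = [r for r in records if start <= r["time"] < end]      # S101
    abnormal = [r for r in in_window if is_abnormal(r["status"])]     # S102
    total = len(in_window)
    ratio = len(abnormal) / total if total else 0.0
    # Warning level = how many graded thresholds the ratio exceeds (0 means "below the lowest").
    level = sum(1 for t in GRADED_THRESHOLDS if ratio > t)
    result = {"total": total, "abnormal": len(abnormal), "ratio": ratio,
              "level": level, "attack": [], "origin_fault": []}
    if level == 0:
        return result  # S103 not satisfied: request data is not pulled at all
    for r in abnormal:                                                # S104
        result[classify(r["status"])].append(r)
    return result


if __name__ == "__main__":
    verdict = analyze_window(parse_log(SAMPLE_LOG), "2021-07-26T10:00:00")
    print(f"ratio={verdict['ratio']:.3f} level={verdict['level']} "
          f"attack={len(verdict['attack'])} origin_fault={len(verdict['origin_fault'])}")
```

The window starting at 10:00 holds eight requests of which five are abnormal, so the ratio is 0.625 and all three graded thresholds fire; the three 4XX records from 198.51.100.7 land in the attack bucket and the two 552s in the origin-fault bucket. The lone request at 10:05 yields a ratio of 0 and level 0, so no request data is pulled for that period, which is the behaviour S103 prescribes.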
In some embodiments, determining whether the request data has an attack behavior within a preset time period according to the request data and the abnormal state code is implemented by the following steps:
step 1, determining the status code type of each abnormal status code, wherein the status code type comprises a client error status code and a server error status code.
Step 2, determining that the request data corresponding to the abnormal state code has an attack behavior under the condition that the abnormal state code is the client error state code.
Step 3, determining that the source station corresponding to the abnormal state code has a fault under the condition that the abnormal state code is the server error state code.
In this embodiment, the status code category of the exception status code includes a client error status code and a server error status code, wherein the client error status code is represented by 4XX, and the server error status code is represented by 5XX or 6XX.
Under the condition that the abnormal state code is detected to be in a 4XX format, determining that the abnormal state code is a client error state code, and determining that the request data corresponding to the abnormal state code has an attack behavior; and under the condition that the abnormal state code is detected to be in a 5XX or 6XX format, determining that the abnormal state code is a server error state code, and determining that the source station corresponding to the abnormal state code has a fault.
In the above embodiment, the request data flowing through the Web application firewall may include data such as the request body, the HTTP message header, the request IP (client IP address) and the requested domain name; the request data corresponding to a server error status code is obtained first, the source station corresponding to that status code is read from the request data, and that source station is determined to have failed.
In some embodiments, before obtaining the plurality of response status codes of the Web application firewall within the preset time period, the method further implements the following steps:
step 1, a Web application firewall is used for obtaining a plurality of request data, flow cleaning is carried out on the plurality of request data, and abnormal request data in the plurality of request data are removed.
Step 2, respectively forwarding each request data to a source station corresponding to the request data by using a Web application firewall, and receiving an initial state code which is sent by the source station and corresponds to each request data.
Step 3, respectively mapping each initial state code by using the Web application firewall to obtain a plurality of response state codes.
In this embodiment, after receiving the request data of each client through the TCP connection, the Web application firewall performs traffic cleaning to clean the obviously abnormal request data, and then forwards the compliant request data to the corresponding source station according to the mapping relationship; after receiving the HTTP response message responded by the source station, the Web application firewall forwards the HTTP response message to the corresponding client according to the same method.
In the above embodiment, in order to determine whether the Web application firewall has a failure, the Web application firewall may perform mapping processing on the initial status code, for example, the Web application firewall obtains the initial status code 501, adds a preset value, for example, a preset value 50 (or 60, 70, etc.), to the initial status code to obtain a response status code 551, and records the response status code 551 in a log.
If the preset value is less than 50, it may be impossible to tell whether the Web application firewall itself has failed: for example, with a preset value of 20, an initial status code of 401 maps to a response status code of 421, and because 401 and 421 each denote an exception of their own, the log cannot show whether the Web application firewall has failed.
In this embodiment, determining whether the Web application firewall fails may be implemented by:
step 1, judging whether each abnormal state code is subjected to mapping processing.
Step 2, under the condition that the abnormal state codes are not subjected to mapping processing, determining that the Web application firewall has a fault.
In this embodiment, whether the abnormal status code has been through the mapping process is determined, and from that whether the Web application firewall has a fault. For example, when the abnormal status code recorded in the log of the Web application firewall is 501, the Web application firewall itself has a fault; when the abnormal status code recorded in the log is 551, the Web application firewall is operating normally but the source station has a fault.
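The mapping step and the two checks built on it (WAF fault versus source station fault, and the ambiguity that a preset value below 50 causes), as an added Python example that is not the patent's or the assignee's code. The rule that a mapped code is recognised by its last two digits being at least the preset value, and the list of registered error codes used to test an offset for collisions, are assumptions of this example.

```python
# Added example (not the patent's code): WAF status-code mapping and the checks derived from it.
STATUS_OFFSET = 50  # preset value from the description; 60 or 70 are named as alternatives

# Sample of registered HTTP error codes an origin may legitimately return (constructed list, not
# exhaustive); used only to test whether a mapping offset produces codes that collide with real ones.
KNOWN_ERROR_CODES = sorted(
    set(range(400, 418)) | {421, 422, 423, 424, 425, 426, 428, 429, 431, 451}
    | set(range(500, 509)) | {510, 511}
)


def map_status(initial, offset=STATUS_OFFSET):
    """Pre-processing step 3: the origin's initial code plus the preset value becomes the logged code."""
    return initial + offset


def was_mapped(code, offset=STATUS_OFFSET):
    """Assumed recognition rule: a mapped code has a two-digit tail of at least `offset`.

    Registered codes keep tails below 50 (e.g. 401, 501), so with offset 50 the tail alone
    tells a WAF-generated code from an origin code that went through the mapping.
    """
    if not 0 < offset < 100:
        raise ValueError("offset must keep the code within three digits")
    return code % 100 >= offset


def classify_logged_code(code, offset=STATUS_OFFSET):
    """Verdict for one abnormal code taken from the WAF log."""
    if not was_mapped(code, offset):
        return "waf_fault"        # e.g. 501 in the log: the WAF itself emitted it
    initial = code - offset       # e.g. 551 -> 501: the origin emitted it
    if 400 <= initial < 500:
        return "attack"           # client error: the request data shows attack behaviour
    if 500 <= initial < 700:
        return "origin_fault"     # server error: the source station has a fault
    return "normal"


def ambiguous_mappings(offset, known=KNOWN_ERROR_CODES):
    """Pairs (initial, mapped) whose mapped value is itself a registered code, so the log cannot tell
    an origin `initial` from a WAF-generated `mapped`. Empty result means the offset is safe for `known`."""
    known_set = set(known)
    return [(c, c + offset) for c in known if c + offset in known_set]


if __name__ == "__main__":
    for logged in (501, 551, 454):
        print(logged, "->", classify_logged_code(logged))
    print("offset 20 collisions:", ambiguous_mappings(20))
    print("offset 50 collisions:", ambiguous_mappings(50))
```

With offset 20 the checker reproduces the description's example (401 maps to 421, a registered code). Run against the sample list it also flags two pairs for offset 50 (401 to 451 and 451 to 501, because 451 is itself registered), so an operator should run the check against the codes their own origins actually emit before fixing the preset value, and treat a collision-free result as a property of that code set rather than of the offset alone.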
In some of these embodiments, the method further comprises: and generating a visual report according to the request data corresponding to the client error state code and the request data corresponding to the server error state code.
In this embodiment, generating a visual report according to the request data corresponding to the client error status code and the request data corresponding to the server error status code is implemented by the following steps:
step 1, extracting an IP address for launching an attack behavior from request data corresponding to a client error state code.
Step 2, extracting a first domain name address pointed at by the attack behavior from the request data corresponding to the client error state code.
Step 3, extracting the second domain name address with the fault from the request data corresponding to the server error state code.
Step 4, generating a visual report according to the IP address, the first domain name address and the second domain name address.
In the above embodiment, after the request data corresponding to the abnormal status codes is obtained, an intuitive visual report may be generated. For example, the IP addresses initiating attacks are extracted from the request data corresponding to client error status codes and ranked as a TOP10, listing the attacking IP addresses so that the Web application firewall can perform follow-up operations such as blacklisting and rate limiting on them; likewise, the first domain name addresses targeted by attacks are extracted from the request data corresponding to client error status codes and the second domain name addresses with faults from the request data corresponding to server error status codes, and a TOP10 is produced for each, to determine which websites are under attack and which source stations have faults.
In this embodiment, since the client may or may not write its IP address into the HTTP message header of the request data, in some cases the client's IP address cannot be obtained directly from the HTTP message header. The client IP address may therefore be obtained by keeping a TCP connection log: for example, after an abnormality in the response status codes within a preset time period is counted, the TCP connection log is queried for the TCP connections active within that period, and the requester IP addresses of those connections are the client IP addresses.
In some of these embodiments, the method further performs the following steps:
Step 1, blacklisting or rate limiting the IP address that initiates the attack behavior.
Step 2, sending alarm information to a preset communication address corresponding to the first domain name address and/or the second domain name address.
In this embodiment, after the IP address initiating the attack behavior is extracted from the request data corresponding to the client error status code, it may be displayed on the Web application firewall, and the Web application firewall is used to automatically blacklist or rate-limit such IP addresses, so that the corresponding clients cannot continue the attack behavior. Meanwhile, when a source station is attacked or has failed, alarm information carrying the corresponding abnormal status code can be sent to the preset communication address corresponding to the first domain name address and/or the second domain name address, so that the operator is notified in time and can contact the customer to investigate the problem.
Fig. 2 is a flowchart of a method for detecting an attack behavior based on a Web application firewall according to a preferred embodiment of the present application, as shown in fig. 2, in some embodiments, the method includes:
Step S201, detecting the proportion of abnormal status codes among all the response status codes within the preset time period.
Step S202, judging whether the proportion is greater than a preset threshold; if so, proceeding to step S203.
Step S203, sending alarm information to the status code analysis module.
Step S204, acquiring the request data received by the Web application firewall within the preset time period.
Step S205, analyzing the abnormal status codes according to the request data received by the Web application firewall.
Step S206, judging the status code category of each abnormal status code; if it is a client error status code, proceeding to step S207, and if it is a server error status code, proceeding to step S208.
Step S207, automatically blacklisting the attacking IP addresses according to the IP address TOP list.
Step S208, notifying the customer of the source station.
In this embodiment, steps S201 to S203 may be implemented by an early warning module in the Web application firewall-based attack behavior detection system, and steps S204 to S208 may be implemented by a status code analysis module in the Web application firewall-based attack behavior detection system.
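As an added example, not code from the patent, the following Python implements the flow of steps S201 to S208 together with the mapping check and the header-or-connection-log IP lookup described above, run over constructed WAF records; the record layout, field names and the 0.3 threshold are assumptions.

```python
"""Added example (not the patent's own code): the status-code ratio check
and client-vs-server triage of steps S201-S208 over constructed WAF records."""
from collections import Counter

# Constructed records for one preset time window. Field names are assumptions:
#   peer_ip  - requester address from the TCP connection log
#   xff      - client-supplied X-Forwarded-For header, None when absent
#   mapped   - whether the WAF mapped the origin's initial status code
SAMPLE_RECORDS = [
    {"peer_ip": "198.51.100.7", "xff": None, "host": "shop.example", "status": 200, "mapped": True},
    {"peer_ip": "203.0.113.9", "xff": "203.0.113.9", "host": "shop.example", "status": 403, "mapped": True},
    {"peer_ip": "203.0.113.9", "xff": "203.0.113.9", "host": "shop.example", "status": 403, "mapped": True},
    {"peer_ip": "203.0.113.9", "xff": None, "host": "shop.example", "status": 404, "mapped": True},
    {"peer_ip": "192.0.2.44", "xff": "198.51.100.20, 192.0.2.44", "host": "api.example", "status": 400, "mapped": True},
    {"peer_ip": "198.51.100.7", "xff": None, "host": "api.example", "status": 502, "mapped": True},
    {"peer_ip": "198.51.100.7", "xff": None, "host": "api.example", "status": 503, "mapped": True},
    {"peer_ip": "198.51.100.8", "xff": None, "host": "shop.example", "status": 200, "mapped": True},
    {"peer_ip": "198.51.100.8", "xff": None, "host": "blog.example", "status": 500, "mapped": False},
    {"peer_ip": "198.51.100.9", "xff": None, "host": "blog.example", "status": 200, "mapped": True},
]


def client_ip(rec):
    """Prefer the address the client wrote into the request headers; when it is
    absent, fall back to the TCP connection's peer address (the patent's caveat)."""
    xff = rec.get("xff")
    if xff:
        return xff.split(",")[0].strip()
    return rec["peer_ip"]


def category(status):
    """Status code category: 4xx is a client error, 5xx a server error."""
    if 400 <= status < 500:
        return "client_error"
    if 500 <= status < 600:
        return "server_error"
    return "normal"


def abnormal_ratio(records):
    """S201: proportion of abnormal (4xx/5xx) codes among all response codes."""
    if not records:
        return 0.0
    return sum(1 for r in records if category(r["status"]) != "normal") / len(records)


def analyze(records, threshold=0.3, top_n=10):
    """S202-S208: alert when the ratio exceeds the threshold, then triage.
    Client errors attribute an attack to the requesting IP and the targeted
    host; server errors mark the origin host as faulty; an abnormal code that
    never passed through mapping points at a WAF fault."""
    ratio = abnormal_ratio(records)
    report = {"ratio": ratio, "alert": ratio > threshold, "waf_fault": False,
              "attack_ips": [], "attacked_hosts": [], "faulty_hosts": []}
    if not report["alert"]:
        return report
    ips, attacked, faulty = Counter(), Counter(), Counter()
    for rec in records:
        cat = category(rec["status"])
        if cat == "normal":
            continue
        if not rec["mapped"]:
            report["waf_fault"] = True
        if cat == "client_error":
            ips[client_ip(rec)] += 1
            attacked[rec["host"]] += 1
        else:
            faulty[rec["host"]] += 1
    # TOP-N rankings feed the visual report, the blacklist/rate-limit step
    # and the alarm to the contact address of each faulty host.
    report["attack_ips"] = ips.most_common(top_n)
    report["attacked_hosts"] = attacked.most_common(top_n)
    report["faulty_hosts"] = faulty.most_common(top_n)
    return report


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_RECORDS).items():
        print(f"{key}: {value}")
```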
It should be noted that, for specific examples in this embodiment, reference may be made to examples described in the foregoing embodiments and optional implementations, and details of this embodiment are not described herein again.
The present embodiment provides an attack behavior detection apparatus based on a Web application firewall. Fig. 3 is a block diagram of the structure of an attack behavior detection apparatus based on a Web application firewall according to an embodiment of the present application, and as shown in fig. 3, the apparatus includes: an obtaining module 30, configured to obtain a plurality of response status codes of the Web application firewall within a preset time period; an extracting module 31, configured to extract abnormal status codes from the plurality of response status codes; a judging module 32, configured to acquire the request data received by the Web application firewall within the preset time period when the proportion of abnormal status codes among all the response status codes is greater than a preset threshold; and a determining module 33, configured to determine, according to the request data and the abnormal status codes, whether the request data has an attack behavior within the preset time period.
In some of these embodiments, the determination module 33 is further configured to determine a status code category for each exception status code, wherein the status code category includes a client error status code and a server error status code; determining that the request data corresponding to the abnormal state code has an attack behavior under the condition that the abnormal state code is the client error state code; and determining that the source station corresponding to the abnormal state code has a fault when the abnormal state code is the server error state code.
In some embodiments, the determining module 33 is further configured to determine whether each exception status code has undergone mapping processing; and under the condition that the abnormal state code is not subjected to mapping processing, determining that the Web application firewall has a fault.
In some embodiments, the apparatus further includes a generation module configured to generate a visual report according to the request data corresponding to the client error status code and the request data corresponding to the server error status code.
In some embodiments, the generation module is further configured to extract an IP address from the request data corresponding to the client error status code that initiated the attack; extracting a first domain name address pointed by an attack behavior from request data corresponding to a client error state code; extracting a second domain name address with a fault from the request data corresponding to the server error status code; and generating a visual report according to the IP address, the first domain name address and the second domain name address.
In some embodiments, the apparatus further includes a processing module, configured to blacklist or rate-limit the IP address that initiates the attack behavior, and to send alarm information to a preset communication address corresponding to the first domain name address and/or the second domain name address.
In some embodiments, the apparatus further includes a mapping module, configured to acquire a plurality of request data by using a Web application firewall, perform traffic cleaning on the plurality of request data, and remove abnormal request data in the plurality of request data; respectively forwarding each request data to a source station corresponding to the request data by utilizing a Web application firewall, and receiving an initial state code which is sent by the source station and corresponds to each request data; and respectively mapping each initial state code by using a Web application firewall to obtain a plurality of response state codes.
It should be noted that, for specific examples in this embodiment, reference may be made to examples described in the foregoing embodiments and optional implementations, and details of this embodiment are not described herein again.
The present embodiment further provides an electronic device, fig. 4 is a schematic diagram of a hardware structure of an electronic device according to an embodiment of the present application, and as shown in fig. 4, the electronic device includes a memory 404 and a processor 402, the memory 404 stores a computer program, and the processor 402 is configured to execute the computer program to perform the steps in any of the method embodiments.
Specifically, the processor 402 may include a Central Processing Unit (CPU) or an Application Specific Integrated Circuit (ASIC), or may be configured as one or more integrated circuits implementing the embodiments of the present application.
Memory 404 may include, among other things, mass storage for data or instructions. By way of example, and not limitation, memory 404 may include a hard disk drive (HDD), a floppy disk drive, a solid state drive (SSD), flash memory, an optical disk, a magneto-optical disk, tape, a Universal Serial Bus (USB) drive, or a combination of two or more of these. Memory 404 may include removable or non-removable (or fixed) media, where appropriate. The memory 404 may be internal or external to the Web application firewall based attack behavior detection apparatus, where appropriate. In a particular embodiment, the memory 404 is non-volatile memory. In particular embodiments, memory 404 includes read-only memory (ROM) and random access memory (RAM). The ROM may be mask-programmed ROM, programmable ROM (PROM), erasable PROM (EPROM), electrically erasable PROM (EEPROM), electrically alterable ROM (EAROM), or flash memory, or a combination of two or more of these, where appropriate. The RAM may be static random-access memory (SRAM) or dynamic random-access memory (DRAM), where the DRAM may be fast page mode DRAM (FPMDRAM), extended data output DRAM (EDODRAM), synchronous DRAM (SDRAM), and the like.
Memory 404 may be used to store or cache various data files for processing and/or communication use, as well as possibly computer program instructions for execution by processor 402.
The processor 402 reads and executes the computer program instructions stored in the memory 404 to implement any one of the above-described methods for detecting an attack behavior based on a Web application firewall.
Optionally, the electronic apparatus may further include a transmission device 406 and an input/output device 408, where the transmission device 406 is connected to the processor 402, and the input/output device 408 is connected to the processor 402.
Optionally, in this embodiment, the processor 402 may be configured to execute the following steps by a computer program:
S1, acquiring a plurality of response status codes of the Web application firewall within a preset time period.
S2, extracting abnormal status codes from the plurality of response status codes.
S3, acquiring the request data received by the Web application firewall within the preset time period when the proportion of abnormal status codes among all the response status codes is greater than a preset threshold.
S4, determining, according to the request data and the abnormal status codes, whether the request data has an attack behavior within the preset time period.
It should be noted that, for specific examples in this embodiment, reference may be made to examples described in the foregoing embodiments and optional implementations, and details of this embodiment are not described herein again.
In addition, in combination with the attack behavior detection method based on the Web application firewall in the foregoing embodiments, an embodiment of the present application may provide a storage medium for implementing it. The storage medium stores a computer program which, when executed by a processor, implements any one of the above-described embodiments of the method for detecting an attack behavior based on a Web application firewall.
It should be understood by those skilled in the art that various features of the above embodiments can be combined arbitrarily, and for the sake of brevity, all possible combinations of the features in the above embodiments are not described, but should be considered as within the scope of the present disclosure as long as there is no contradiction between the combinations of the features.
The above examples are merely illustrative of several embodiments of the present application, and the description is more specific and detailed, but not to be construed as limiting the scope of the present application. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present application shall be subject to the appended claims.

Claims (10)

1. A method for detecting an attack behavior based on a Web application firewall is characterized by comprising the following steps:
acquiring a plurality of response status codes of the Web application firewall within a preset time period;
extracting an abnormal status code from the plurality of response status codes;
under the condition that the number proportion of the abnormal state codes in all the response state codes is larger than a preset threshold value, acquiring request data received by the Web application firewall in the preset time period;
and determining whether the request data has an attack behavior in the preset time period according to the request data and the abnormal state code.
2. The method for detecting the attack behavior based on the Web application firewall according to claim 1, wherein the determining whether the attack behavior exists in the request data within the preset time period according to the request data and the abnormal status code comprises:
determining a status code category of each abnormal status code, wherein the status code category comprises a client error status code and a server error status code;
determining that the request data corresponding to the abnormal state code has an attack behavior under the condition that the abnormal state code is a client error state code;
and under the condition that the abnormal state code is the server error state code, determining that the source station corresponding to the abnormal state code has a fault.
3. The method of claim 2, further comprising:
judging whether each abnormal state code is subjected to mapping processing or not;
and under the condition that the abnormal state code is not subjected to mapping processing, determining that the Web application firewall has a fault.
4. The method of claim 2, further comprising:
and generating a visual report according to the request data corresponding to the client error state code and the request data corresponding to the server error state code.
5. The method for detecting the attack behavior based on the Web application firewall according to claim 4, wherein the generating of the visual report according to the request data corresponding to the client error status code and the request data corresponding to the server error status code comprises:
extracting an IP address for launching an attack behavior from the request data corresponding to the client error state code;
extracting a first domain name address pointed by an attack behavior from request data corresponding to the client error state code;
extracting a second domain name address with a fault from the request data corresponding to the server error status code;
and generating a visual report according to the IP address, the first domain name address and the second domain name address.
6. The method of claim 5, further comprising:
blacklisting or rate limiting the IP address that initiates the attack behavior;
and sending alarm information to a preset communication address corresponding to the first domain name address and/or the second domain name address.
7. The method of claim 1, wherein before obtaining the plurality of response status codes of the Web application firewall within the preset time period, the method further comprises:
acquiring a plurality of request data by using the Web application firewall, and carrying out flow cleaning on the plurality of request data to remove abnormal request data in the plurality of request data;
respectively forwarding each request data to a source station corresponding to the request data by using the Web application firewall, and receiving an initial state code which is sent by the source station and corresponds to each request data;
and mapping each initial state code by using the Web application firewall to obtain a plurality of response state codes.
8. An attack behavior detection device based on a Web application firewall, characterized in that the device comprises:
the acquisition module is used for acquiring a plurality of response status codes of the Web application firewall within a preset time period;
the extracting module is used for extracting the abnormal state code from the plurality of response state codes;
the judging module is used for acquiring the request data received by the Web application firewall in the preset time period under the condition that the quantity ratio of the abnormal state codes in all the response state codes is greater than a preset threshold value;
and the determining module is used for determining whether the request data has an attack behavior in the preset time period according to the request data and the abnormal state code.
9. An electronic device comprising a memory and a processor, wherein the memory stores a computer program, and the processor is configured to execute the computer program to perform the method for detecting an attack behavior based on a Web application firewall according to any one of claims 1 to 7.
10. A storage medium, in which a computer program is stored, wherein the computer program, when executed by a processor, implements the method for detecting an attack behavior based on a Web application firewall according to any one of claims 1 to 7.
CN202110846276.1A 2021-07-26 2021-07-26 Attack behavior detection method and device based on Web application firewall Withdrawn CN113660215A (en)

Publications (1)

Publication Number Publication Date
CN113660215A 2021-11-16

Family

ID=78478723

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20211116