Specific embodiment
To remedy the deficiencies of the prior art, embodiments of the present invention provide a DPMA protection model for Web applications. As shown in Figure 1, the model combines four major functions, Web detection (Detect), Web protection (Protect), Web monitoring (Monitor) and Web audit (Audit), into a single DPMA (Detect, Protect, Monitor, Audit) protection model. Each function corresponds to one security module: the Web detection function corresponds to the Web detection module, the Web protection function to the Web protection module, the Web monitoring function to the Web monitoring module, and the Web audit function to the Web audit module. The security protection of the DPMA protection model spans the entire life cycle of a security incident, and the security modules are linked with one another, so that each module contributes its own strengths and together they form a Web security defense-in-depth system.
The specific mechanism of the DPMA protection model is as follows. Before an attack occurs, the Web detection module performs security vulnerability detection on the Web application, so as to discover potential security risks in the system in advance. When a security incident occurs, the Web protection module performs real-time security protection. If an attack succeeds, the Web monitoring module perceives the result of the attack (such as page tampering or the planting of a page Trojan) in real time, and the Web audit module traces the attack to its source. The modules of the DPMA protection model are thus linked to one another and compensate for each other's weaknesses. Through this mechanism, an integrated protection system for the Web application is established, based on Web security, with detection beforehand, defense during the incident and audit afterwards.
Fig. 2 is a flow diagram of the DPMA protection model of the embodiment of the present invention at work. As shown in Fig. 2, the DPMA protection model provided by the embodiment is equipped with four kinds of means at once: the Web detection means of the Web detection module, the Web protection means of the Web protection module, the Web monitoring means of the Web monitoring module and the Web audit means of the Web audit module. These four means form an interconnected Web defense-in-depth system. The four modules are introduced one by one below.
1) Web detection module
The Web detection module is the detection (D, Detect) module of the DPMA protection model. Its main function is to actively carry out Web security detection of potential security threats before they are discovered and exploited in the Web system, obtain detection results, and identify potential risk points from those results. It then provides a security remediation method for each potential risk point and hands that remediation method to the Web protection module, so that the Web protection module can use it to repair the potential risk point and form a Web protection log from the remediation method and the corresponding potential risk point, where the Web protection log is the log output by the Web protection module. The detection content of the Web detection module includes at least one of the following: structured query language (SQL, Structured Query Language) injection, path language (XPath, where X denotes extensible markup language (XML, Extensible Markup Language)) injection, cross-site scripting (XSS), broken authentication and session management, insecure direct object references, cross-site request forgery (CSRF, Cross-Site Request Forgery), security misconfiguration, failure to restrict remote access, unvalidated redirects and forwards, insecure cryptographic storage, and insecure transport protection.
The Web detection module hands the detection results to the Web protection module, the Web monitoring module and the Web audit module for association analysis and protection.
2) Web protection module
The Web protection module is the protection (P, Protect) module of the DPMA protection model. Its main function is, when a Web attack occurs, to detect the attack in real time and protect against it, effectively blocking the occurrence of all kinds of attacks while forming a Web protection log. The protected attack types include all kinds of application-layer attack behaviour. At the same time, the Web protection module can hand protection information to the Web detection module, the Web monitoring module and the Web audit module for deep association analysis, so that one clue leads to the next and one case leads to others. The protection information includes any of the following: the attack source, the attack pattern, the attack target, URL addresses and parameters whose attack frequency exceeds a preset first uniform resource locator (URL) threshold, unauthorized public-network Internet protocol (IP) addresses, IP addresses whose attack frequency exceeds a preset first IP threshold, URL addresses and parameters with high-risk vulnerabilities, and URL addresses that have been Trojaned or tampered with. Here, parameters means the variables of each kind defined by communication methods such as GET and POST in the HTTP protocol.
3) Web monitoring module
The Web monitoring module is the monitoring (M, Monitor) module of the DPMA protection model. Its main function comprises two major parts, security monitoring and stability monitoring, and covers system stability, page tampering, Trojan detection and backdoor detection. System stability monitoring covers Web system availability, transmission control protocol (TCP, Transmission Control Protocol) response delay and hypertext transfer protocol (HTTP, Hyper-Text Transfer Protocol) response delay. Page tampering monitoring performs real-time tamper monitoring of the monitored pages; when a page is illegally replaced or tampered with, an SMS or e-mail alarm can be raised in time. Trojan detection performs real-time monitoring of the monitored pages for planted Trojans; when a page has been Trojaned, an SMS or e-mail alarm can be raised in time. Backdoor detection performs backdoor detection on the monitored system; when a suspicious Web page backdoor is detected, an SMS or e-mail alarm can be raised in time.
When the system response time becomes large, or when an attacker has bypassed the layers of protection and tampered with a page, planted a Trojan or implanted a backdoor, the Web monitoring module detects it in real time and raises an alarm. At the same time, the Web monitoring module hands monitoring information, such as the uniform resource locator (URL, Uniform Resource Locator) address at which the problem occurred, to the Web detection module, the Web protection module and the Web audit module for association analysis and protection, so that the security incident is investigated in depth and the affected URL address is protected.
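As an added illustration of the page tamper, Trojan and stability monitoring just described (this is not code from the patent), the following Python script compares monitored pages against a baseline digest, flags a hidden-iframe marker as a planted Trojan, checks availability and HTTP response delay against a threshold, and produces the monitoring information, the URL addresses that went wrong, that the module hands on to the other modules. The page contents, the hidden-iframe heuristic, the delay threshold and the alarm text are assumptions; all page data and stability samples are constructed.

```python
import hashlib
import re

# Constructed baseline: the known-good content of each monitored page (not from the patent).
BASELINE_PAGES = {
    "http://www.example.com/index.html": "<html><body><h1>Welcome</h1></body></html>",
    "http://www.example.com/news.html": "<html><body><p>News</p></body></html>",
    "http://www.example.com/about.html": "<html><body><p>About us</p></body></html>",
}

# Constructed "current" fetch of the same pages: index.html has been replaced outright,
# news.html has had a zero-size iframe injected, about.html is unchanged.
CURRENT_PAGES = {
    "http://www.example.com/index.html": "<html><body><h1>Defaced</h1></body></html>",
    "http://www.example.com/news.html": ('<html><body><p>News</p>'
        '<iframe src="http://malicious.invalid/x" width="0" height="0"></iframe></body></html>'),
    "http://www.example.com/about.html": "<html><body><p>About us</p></body></html>",
}

# Constructed stability samples: (url, http_status, response_delay_ms).
STABILITY_SAMPLES = [
    ("http://www.example.com/index.html", 200, 120),
    ("http://www.example.com/news.html", 200, 4100),
    ("http://www.example.com/about.html", 503, 30),
]

# Assumed marker of a planted page Trojan: an iframe made invisible by zero size or display:none.
HIDDEN_IFRAME = re.compile(r'<iframe[^>]*(?:width="0"|height="0"|display\s*:\s*none)[^>]*>', re.I)


def page_digest(html):
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def build_baseline(pages):
    """Record a digest per monitored page while the site is known to be clean."""
    return {url: page_digest(html) for url, html in pages.items()}


def check_pages(baseline, current_pages):
    """Page tamper / Trojan monitoring: compare each fetched page against its baseline digest."""
    events = []
    for url, html in current_pages.items():
        expected = baseline.get(url)
        if expected is None or page_digest(html) == expected:
            continue  # not a monitored page, or unchanged
        kind = "trojan" if HIDDEN_IFRAME.search(html) else "tamper"
        events.append({"url": url, "kind": kind})
    return events


def check_stability(samples, max_delay_ms=3000):
    """Stability monitoring: flag unavailable pages and pages whose response delay is too high."""
    events = []
    for url, status, delay_ms in samples:
        if status >= 500:
            events.append({"url": url, "kind": "unavailable"})
        elif delay_ms > max_delay_ms:
            events.append({"url": url, "kind": "slow", "delay_ms": delay_ms})
    return events


def alarm_text(event):
    """Body of the SMS / e-mail alarm the monitoring module raises for one event."""
    return f"[Web monitor] {event['kind']} detected at {event['url']}"


def monitoring_info_for_linkage(events):
    """Monitoring information handed to the other modules: the URL addresses that went wrong
    (tampered or Trojaned pages are what the M->P linkage forwards to the protection module)."""
    return sorted({e["url"] for e in events if e["kind"] in ("tamper", "trojan")})


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_PAGES)
    found = check_pages(baseline, CURRENT_PAGES) + check_stability(STABILITY_SAMPLES)
    for ev in found:
        print(alarm_text(ev))
    print("URLs handed to the protection module:", monitoring_info_for_linkage(found))
```

The digest comparison catches any change, including a full defacement; the iframe heuristic only decides how the change is classified, so a page that was Trojaned by some other means is still reported, as a tamper rather than a Trojan.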
4) Web Audit Module
The Web audit module is the audit (A, Audit) module of the DPMA protection model. Its main function concerns security incidents in which an attack has succeeded: the Web audit module performs security analysis mainly on the logs of Web attack events, detects the attack behaviour and traces it to its source to obtain tracing content. The tracing content includes the attack behaviour, the attack source Internet Protocol (IP, Internet Protocol) address, the attack pattern and the vulnerability exploited, so that accounts can be settled after the fact. The main functions of the Web audit module include: supporting the detection of the various Web attack methods defined by the Open Web Application Security Project (OWASP) and the Web Application Security Consortium (WASC), such as SQL injection, cross-site scripting and cross-site request forgery; supporting behaviour-based attack detection and association analysis; supporting replay of the attack path; and supporting Web page access statistics and ranking. At the same time, the Web audit module can hand log analysis information, such as the attack source and suspicious Web page Trojans, to the Web detection module, the Web protection module and the Web monitoring module for association analysis, so that the attack behaviour, the vulnerability and the Web page Trojan are confirmed.
Embodiments of the present invention provide a linked protection technology based on the above Web detection module, Web protection module, Web monitoring module and Web audit module. The linked protection technology links the Web detection module, the Web protection module, the Web monitoring module and the Web audit module of the DPMA protection model; that is, it is a workflow based on an event transfer mechanism. The goal of task scheduling is to combine security policies into a security task plan, and to realize functions such as managing and issuing the task scheduling plan. For example, when a security audit event in the Web protection log and the Web attack event log reveals that a website has been attacked, a Web scan task can be generated automatically to verify the specific Web page of the website, so as to determine whether the vulnerability exists and whether an administrator needs to handle it.
Fig. 3 is a flow diagram of the linked protection technology of the embodiment of the present invention at work. As shown in Fig. 3, the linked protection technology defines various linkage scenarios between the four modules. The linkage models comprise: the linkage model between the Web audit module and the Web monitoring module (denoted A->M below), the linkage model between the Web audit module and the Web detection module (denoted A->D below), the linkage model between the Web audit module and the Web protection module (denoted A->P below), the linkage model between the Web protection module and the Web audit module (denoted P->A below), the linkage model between the Web detection module and the Web protection module (denoted D->P below), and the linkage model between the Web monitoring module and the Web detection module (denoted M->D below). These linkage models are introduced one by one below.
One, linkage model one (A->M): Webshell localization
Fig. 4-1 is a flow diagram of linkage model one of the embodiment of the present invention at work. As shown in Fig. 4-1, the main linkage process of A->M is as follows: 1. the Web audit module counts the dynamic pages that users have accessed and extracts the dynamic page information of the protected website; 2. the Web audit module hands this dynamic page information to the Web monitoring module, and the Web monitoring module then crawls and inspects these dynamic pages according to the dynamic page information, so as to find hidden Webshells and unlinked Webshells. Here, the Web audit module may also output the hidden Webshells and unlinked Webshells in the form of a Web audit log, where the Web audit log is the log output by the Web audit module, and a Webshell is a piece of code used by an attacker to remotely control a Web server.
Webshells are generally hidden in some directory of the website and have no link relationship with other pages, so from the angle of black-box detection it is difficult to detect their presence. The linkage technique provided by the A->M linkage model effectively solves the problem that the crawler techniques of traditional technical means cannot detect unlinked, hidden Webshells.
Two, linkage model two (A->D): depth detection
Fig. 4-2 is a flow diagram of linkage model two of the embodiment of the present invention at work. As shown in Fig. 4-2, the main linkage process of A->D is as follows: 1. the Web audit module extracts from the logs the URL addresses and parameters with a higher attack frequency, where a URL address with a higher attack frequency is one whose attack frequency exceeds the first URL threshold; 2. the Web audit module hands the extracted URL addresses and parameters to the Web detection module for deep security detection.
Ordinary scanners all use a black-box scanning method, so there are inevitably URL addresses and parameters that cannot be crawled, which results in missed findings in the scan results. The linkage technique provided by the A->D linkage model effectively solves the problem of missed findings caused by a black-box scanner being unable to detect all URL addresses and parameters in a website.
Three, linkage model three (A->P): unauthorized access
Fig. 4-3 is a flow diagram of linkage model three of the embodiment of the present invention at work. As shown in Fig. 4-3, the main linkage process of A->P is as follows: 1. the Web audit module counts the IP addresses that access the portal management backend and obtains the unauthorized public-network IP addresses; 2. the Web audit module notifies the Web protection module of the cases in which unauthorized public-network IP addresses have accessed the portal management backend, and the Web protection module performs linked protection.
Ordinarily the IP address of the portal management backend is forbidden from being open to the Internet, because of the risk of brute-force attacks; the A->P linkage model can automatically detect and protect against the situation in which the portal management backend is open to the Internet.
Four, linkage model four (P->A): intelligent attack confirmation
Fig. 4-4 is a flow diagram of linkage model four of the embodiment of the present invention at work. As shown in Fig. 4-4, the main linkage process of P->A is as follows: 1. the Web protection module records the IP addresses that initiate high-frequency attacks; the IP address of a high-frequency attack is a first IP address, and a first IP address is an IP address whose attack frequency exceeds the preset first IP threshold; 2. the Web protection module hands these first IP addresses to the Web audit module, which analyzes in depth the other attacks of these first IP addresses. The P->A linkage model performs association analysis on the attack behaviour, following one lead to the next, so that nothing slips through the net.
Five, linkage model five (D->P): defense-in-depth
Fig. 4-5 is a flow diagram of linkage model five of the embodiment of the present invention at work. As shown in Fig. 4-5, the main linkage process of D->P is as follows: 1. the Web monitoring module records the URL addresses and parameters that have high-risk vulnerabilities; 2. the Web monitoring module hands these parameters to the Web protection module and notifies the Web protection module to perform customized protection. The D->P linkage model hands the URL addresses and parameters that have been attacked, or have had attacks attempted, at high frequency to the Web protection module for fine-grained protection.
Six, linkage model six (M->P): intelligent tamper protection
Fig. 4-6 is a flow diagram of linkage model six of the embodiment of the present invention at work. As shown in Fig. 4-6, the main linkage process of M->P is as follows: 1. the Web monitoring module detects the URL addresses that have been Trojaned or tampered with; 2. the Web monitoring module issues these URL addresses to the Web protection module for linked protection. With the M->P linkage model, a website that has been Trojaned can be protected automatically.
Based on the above DPMA protection model, embodiments of the present invention further provide a security protection method. Fig. 5 is a schematic diagram of the implementation flow of the security protection method of the embodiment of the present invention. As shown in Fig. 5, the method comprises:
Step 501: the DPMA protection model obtains protection information about a Web attack event;
Here, the DPMA protection model comprises: a Web detection module, a Web protection module, a Web monitoring module and a Web audit module.
Here, the protection information includes at least one of the following: the attack source, the attack pattern, the attack target, website dynamic page information, URL addresses and parameters whose attack frequency exceeds a preset first uniform resource locator (URL) threshold, unauthorized public-network Internet protocol (IP) addresses, IP addresses whose attack frequency exceeds a preset first IP threshold, URL addresses and parameters with high-risk vulnerabilities, and URL addresses that have been Trojaned or tampered with.
Step 502: the DPMA protection model links its modules according to the protection information of the Web attack event, so as to realize security protection for the Web application.
Here, the linkage comprises using the protection information of the Web attack event to interact among the Web detection module, the Web protection module, the Web monitoring module and the Web audit module;
In the embodiment of the present invention, the Web detection module is configured to carry out Web security detection of potential security threats in the Web system before they are discovered and exploited, obtain detection results, and analyze potential risk points from the detection results; to provide a security remediation method according to the potential risk points and hand the security remediation method to the Web protection module, so that the Web protection module uses it to repair the potential risk points;
The Web detection module is further configured to hand the detection results to the Web protection module, the Web monitoring module and the Web audit module for association analysis and protection.
In the embodiment of the present invention, the Web protection module is configured, when a Web attack event occurs, to detect the Web attack event in real time and protect against it, so as to block the occurrence of various attacks; the Web protection module is further configured to hand protection information to the Web detection module, the Web monitoring module and the Web audit module for deep association analysis and protection.
In the embodiment of the present invention, the Web monitoring module is configured for system stability monitoring, page tamper monitoring, Trojan monitoring and backdoor monitoring, so as to obtain monitoring information, where system stability monitoring covers Web system availability, TCP response delay and HTTP response delay; the Web monitoring module is further configured to hand the monitoring information to the Web detection module, the Web protection module and the Web audit module for association analysis and protection, where the monitoring information represents the monitored results obtained by the system stability monitoring, the page tamper monitoring, the Trojan monitoring and the backdoor monitoring.
In the embodiment of the present invention, the Web audit module is configured, for a Web attack event in which the attack has succeeded, to perform security analysis on the logs of the Web attack event and thereby detect and obtain the tracing content of the Web attack event; the Web audit module is further configured to hand the tracing content to the Web detection module, the Web monitoring module and the Web protection module for association analysis and protection.
In the embodiment of the present invention, the linkage mechanism based on the attack behaviour, whereby the protection information is exchanged and invoked among the Web detection module, the Web protection module, the Web monitoring module and the Web audit module, comprises:
the Web audit module counts the dynamic pages that users have accessed and extracts the dynamic page information of the protected website;
the Web audit module hands the dynamic page information to the Web monitoring module;
the Web monitoring module crawls and inspects the dynamic pages according to the dynamic page information and obtains the hidden Webshells and unlinked Webshells.
In the embodiment of the present invention, the linkage mechanism based on the attack behaviour, whereby the protection information is exchanged and invoked among the Web detection module, the Web protection module, the Web monitoring module and the Web audit module, comprises:
the Web audit module extracts from the logs the URL addresses and parameters whose attack frequency exceeds the first URL threshold;
the Web audit module hands the extracted URL addresses and parameters to the Web detection module;
the Web detection module performs deep security detection according to the URL addresses and parameters handed to it by the Web audit module.
In the embodiment of the present invention, the linkage mechanism based on the attack behaviour, whereby the protection information is exchanged and invoked among the Web detection module, the Web protection module, the Web monitoring module and the Web audit module, comprises:
the Web audit module counts the IP addresses that access the portal management backend and obtains the unauthorized public-network IP addresses;
the Web audit module hands the cases in which the unauthorized public-network IP addresses accessed the portal management backend to the Web protection module for linked protection.
In the embodiment of the present invention, the linkage mechanism based on the attack behaviour, whereby the protection information is exchanged and invoked among the Web detection module, the Web protection module, the Web monitoring module and the Web audit module, comprises:
the Web protection module obtains a first IP address, the first IP address being an IP address whose attack frequency exceeds the preset first IP threshold;
the Web protection module hands the first IP address to the Web audit module;
the Web audit module analyzes the Web attack events of the first IP address.
In the embodiment of the present invention, the linkage mechanism based on the attack behaviour, whereby the protection information is exchanged and invoked among the Web detection module, the Web protection module, the Web monitoring module and the Web audit module, comprises:
the Web detection module records the URL addresses and parameters that have high-risk vulnerabilities;
the Web detection module hands the URL addresses and parameters that have high-risk vulnerabilities to the Web protection module, and the Web protection module performs customized protection.
In the embodiment of the present invention, the linkage mechanism based on the attack behaviour, whereby the protection information is exchanged and invoked among the Web detection module, the Web protection module, the Web monitoring module and the Web audit module, comprises:
the Web monitoring module detects the URL addresses that have been Trojaned or tampered with;
the Web monitoring module issues the URL addresses that have been Trojaned or tampered with to the Web protection module for linked protection.
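The six linkage models (A->M, A->D, A->P, P->A, D->P and M->P) described earlier, and their restatement in the linkage mechanism of the method just listed, all follow the same pattern: one module derives protection information from its logs or results and transfers it, as an event, to another module. The following Python script is an added illustration of that event transfer and is not code from the patent. The log line formats, the two thresholds, the list of internal networks, the dynamic-page suffixes and the event field names are my assumptions, and every log line, crawl result and detection result is constructed.

```python
import ipaddress
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed Web protection log (not from the patent): timestamp, source IP, blocked attack type, URL.
PROTECTION_LOG = """\
2024-01-01T10:00:01 203.0.113.5 sqli /item.php?id=1%27
2024-01-01T10:00:02 203.0.113.5 sqli /item.php?id=2%27
2024-01-01T10:00:03 203.0.113.5 xss /search.php?q=%3Cscript%3E
2024-01-01T10:00:04 198.51.100.9 sqli /item.php?id=3%27
2024-01-01T10:00:05 198.51.100.9 traversal /download.php?f=..%2F..%2Fetc
2024-01-01T10:00:06 203.0.113.5 sqli /item.php?id=4%27
"""
# Constructed Web access log: timestamp, client IP, method, request path, HTTP status.
ACCESS_LOG = """\
2024-01-01T10:01:00 10.0.0.8 GET /admin/login.php 200
2024-01-01T10:01:05 203.0.113.77 GET /admin/login.php 200
2024-01-01T10:02:00 192.168.1.20 GET /admin/index.php 200
2024-01-01T10:02:10 10.0.0.8 GET /news.php?id=7 200
2024-01-01T10:02:11 10.0.0.8 GET /upload/x.php 200
"""
# Pages the monitoring module's crawler reached by following links from the home page (constructed).
CRAWLED_LINKS = {"/index.html", "/news.php", "/item.php", "/search.php", "/download.php",
                 "/admin/login.php", "/admin/index.php"}
# Web detection module results (constructed): URL addresses and parameters with a confirmed vulnerability.
DETECTION_RESULTS = [{"path": "/item.php", "param": "id", "severity": "high", "vuln": "sqli"},
                     {"path": "/search.php", "param": "q", "severity": "medium", "vuln": "xss"}]
# Assumed internal networks; any other address is treated as a public-network IP address.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
DYNAMIC_SUFFIXES = (".php", ".jsp", ".asp", ".aspx")

def parse_protection_log(text):
    rows = []
    for line in text.splitlines():
        _ts, ip, kind, url = line.split(" ", 3)
        parts = urlsplit(url)
        rows.append({"ip": ip, "kind": kind, "path": parts.path,
                     "params": tuple(sorted(parse_qs(parts.query)))})
    return rows

def parse_access_log(text):
    rows = []
    for line in text.splitlines():
        _ts, ip, method, url, status = line.split(" ")
        rows.append({"ip": ip, "method": method, "path": urlsplit(url).path, "status": int(status)})
    return rows

def hot_urls(attacks, url_threshold):
    """A->D: URL addresses and parameters whose attack frequency exceeds the first URL threshold."""
    counts = Counter((a["path"], a["params"]) for a in attacks)
    return {key: n for key, n in counts.items() if n > url_threshold}

def hot_ips(attacks, ip_threshold):
    """P->A: first IP addresses, i.e. sources whose attack frequency exceeds the first IP threshold."""
    counts = Counter(a["ip"] for a in attacks)
    return {ip: n for ip, n in counts.items() if n > ip_threshold}

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def unauthorized_admin_ips(accesses, admin_prefix="/admin/", allowlist=frozenset()):
    """A->P: public-network IP addresses that reached the management backend without authorization."""
    seen = {a["ip"] for a in accesses if a["path"].startswith(admin_prefix)}
    return sorted(ip for ip in seen if not is_internal(ip) and ip not in allowlist)

def unlinked_dynamic_pages(accesses, crawled_links):
    """A->M: dynamic pages users accessed that no crawled page links to (hidden Webshell candidates)."""
    pages = {a["path"] for a in accesses if a["path"].endswith(DYNAMIC_SUFFIXES)}
    return sorted(pages - crawled_links)

def attacks_by_ip(attacks, ip):
    """Audit-side follow-up for P->A: every other attack a first IP address has launched."""
    return [(a["kind"], a["path"]) for a in attacks if a["ip"] == ip]

def run_linkage(url_threshold=2, ip_threshold=3):
    """Event transfer among the modules; each event names its sender, receiver and requested action."""
    attacks = parse_protection_log(PROTECTION_LOG)
    accesses = parse_access_log(ACCESS_LOG)
    events = []
    for (path, params), n in hot_urls(attacks, url_threshold).items():
        events.append({"from": "A", "to": "D", "action": "deep-scan", "url": path, "params": list(params), "count": n})
    for ip in unauthorized_admin_ips(accesses):
        events.append({"from": "A", "to": "P", "action": "block-admin-access", "ip": ip})
    for ip, n in hot_ips(attacks, ip_threshold).items():
        events.append({"from": "P", "to": "A", "action": "analyse-ip", "ip": ip,
                       "count": n, "history": attacks_by_ip(attacks, ip)})
    for page in unlinked_dynamic_pages(accesses, CRAWLED_LINKS):
        events.append({"from": "A", "to": "M", "action": "inspect-webshell-candidate", "url": page})
    for r in DETECTION_RESULTS:
        if r["severity"] == "high":  # D->P: only high-risk findings get customized protection rules
            events.append({"from": "D", "to": "P", "action": "guard-url", "url": r["path"], "param": r["param"]})
    return events

if __name__ == "__main__":
    for event in run_linkage():
        print(event)
```

Two details are worth noting. The "public-network" test is made against an explicit list of internal networks rather than a library's notion of global addresses, so that the operator controls which ranges count as trusted and an allowlist can still exempt individual public addresses. The A->M step uses nothing but the access log and the crawler's link set: a server-side page that real clients reach but that no linked page points to is exactly the unlinked Webshell the black-box crawler cannot find on its own.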
It should be understood that references throughout the specification to "one embodiment" or "an embodiment" mean that a particular feature, structure or characteristic related to the embodiment is included in at least one embodiment of the present invention. Therefore, "in one embodiment" or "in an embodiment" appearing throughout the specification does not necessarily refer to the same embodiment. In addition, these particular features, structures or characteristics may be combined in any suitable manner in one or more embodiments. It should be understood that, in the various embodiments of the present invention, the sequence numbers of the above processes do not imply an order of execution; the execution order of each process should be determined by its function and internal logic, and shall not constitute any limitation on the implementation process of the embodiments of the present invention.
In the several embodiments provided herein, it should be understood that the disclosed apparatus and method may be implemented in other ways. The apparatus embodiments described above are merely illustrative. For example, the division of the units is only a division by logical function, and another division manner may be used in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be through some interfaces, and the indirect coupling or communication connection between devices or units may be electrical, mechanical or of another form.
The units described above as separate components may or may not be physically separated, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the various embodiments of the present invention may all be integrated in one processing unit, each unit may serve as a unit separately, or two or more units may be integrated in one unit; the integrated unit may be implemented in the form of hardware or in the form of hardware plus software functional units.
Those of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiments may be completed by program instructions controlling the relevant hardware. The program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes various media that can store program code, such as a removable storage device, a read-only memory (Read Only Memory, ROM), a magnetic disk or an optical disk.
Alternatively, if the above integrated unit of the present invention is implemented in the form of a software functional module and sold or used as an independent product, it may also be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the embodiments of the present invention, in essence or in the part that contributes to the existing technology, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to execute all or part of the method of each embodiment of the present invention. The storage medium includes various media that can store program code, such as a removable storage device, ROM, a magnetic disk or an optical disk.
The above description is merely of specific embodiments of the present invention, but the scope of protection of the present invention is not limited thereto. Any person familiar with the art may readily conceive of changes or substitutions within the technical scope disclosed by the present invention, all of which should be covered within the scope of protection of the present invention. Therefore, the scope of protection of the present invention should be based on the scope of protection of the claims.