Web protection method based on asset type identification and self-discovery vulnerability
Technical Field
The invention relates to the technical field of network security, in particular to a web protection method based on asset type identification and vulnerability self-discovery.
Background
In the prior art, the method for web protection includes:
1. Rule-based protection: the WAF vendor provides security rules for various Web applications and maintains and updates this rule base from time to time.
The disadvantage of this scheme is that abnormal traffic is identified only through the attack rule base, so that when the service system is complex a certain amount of false blocking occurs: normal functions are intercepted by the firewall and normal service is affected.
2. Model-based protection built from legitimate application data: a URL model is established from Web access to the assets, and anomalies in the application data are judged against the URL model.
The disadvantage of this scheme is that it is very difficult to achieve in practice, since it requires very thorough knowledge of the user's asset applications.
Disclosure of Invention
The object of the present invention is to solve at least one of the technical drawbacks mentioned.
Therefore, the invention aims to provide a web protection method based on asset type identification and self-discovery vulnerability.
In order to achieve the above object, an embodiment of the present invention provides a web protection method based on asset type identification and vulnerability discovery, including the following steps:
step S1, obtaining the HTTP request passing through the Web application firewall and judging whether the asset type is known; if so, executing step S5, otherwise performing asset learning: identifying the service type of the asset from the HTTP request header information and response header information flowing through the Web application firewall, and forming an asset list;
step S2, according to the asset list, carrying out Web vulnerability scanning on the assets of different types using a Web scanning technique so as to find existing vulnerabilities;
step S3, generating a virtual patch according to the vulnerability scanning result;
step S4, automatically generating a Web protection strategy according to the asset type and the virtual patch;
and step S5, executing asset protection detection and judging whether the request matches an existing virtual vulnerability policy; if so, intercepting the HTTP request, otherwise allowing the HTTP request to proceed normally.
Further, in step S1, the resource address of the Web backend server is learned automatically from the host attribute of the HTTP request passing through the Web application firewall, and the service type of the asset is identified from the HTTP response information returned by the server, so as to form the asset list.
Further, the service type of the asset includes one or more of: nginx, apache, iis.
Further, in the step S2, the existing vulnerabilities include one or more of: sql injection vulnerabilities, xss vulnerabilities, upload vulnerabilities.
With the web protection method based on asset type identification and vulnerability self-discovery, the problem administrators face in effectively managing and protecting the assets in a network is solved through asset learning. The method targets its protection at each asset type, improves the protection effect, reduces false alarms and missed alarms, and improves protection performance.
Additional aspects and advantages of the invention will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the invention.
Drawings
The above and/or additional aspects and advantages of the present invention will become apparent and readily appreciated from the following description of the embodiments, taken in conjunction with the accompanying drawings of which:
FIG. 1 is a flow diagram of a web protection method based on asset type identification and self-discovery of vulnerabilities according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a web protection method based on asset type identification and self-discovery of vulnerabilities according to an embodiment of the present invention.
Detailed Description
Reference will now be made in detail to embodiments of the present invention, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to the same or similar elements or elements having the same or similar function throughout. The embodiments described below with reference to the drawings are illustrative and intended to be illustrative of the invention and are not to be construed as limiting the invention.
As shown in fig. 1 and fig. 2, the method for web protection based on asset type identification and vulnerability discovery in the embodiment of the present invention includes the following steps:
Step S1, acquiring the HTTP request passing through the Web application firewall and judging whether the asset type is known; if so, executing step S5, otherwise performing asset learning: identifying the service type of the asset from the HTTP request header information and the response header information flowing through the Web application firewall, and forming an asset list.
In one embodiment of the invention, when a Web application protection system is deployed, the service types of the assets include one or more of: nginx, apache, iis, etc. It should be noted that the service type of the asset is not limited to the above examples and may also include other types of assets, which are not described here again.
In step S1, the resource address of the Web backend server is learned automatically from the host attribute of the HTTP request passing through the Web application firewall, and the service type of the asset is identified from the HTTP response information returned by the server, forming an asset list.
Step S2, according to the asset list, using a Web scanning technique to perform Web vulnerability scanning on the different types of assets so as to find existing vulnerabilities.
In one embodiment of the invention, when the Web application protection system is deployed, the existing vulnerabilities include one or more of the following: sql injection vulnerabilities, xss vulnerabilities, upload vulnerabilities, and the like. It should be noted that the types of existing vulnerabilities are not limited to the above examples and may also include other types, which are not described in detail.
Step S3, generating a virtual patch according to the vulnerability scanning result.
It should be noted that different virtual patches for different services generate correspondingly different protection templates.
Step S4, automatically generating a Web protection strategy according to the asset type and the virtual patch.
In this step, a more targeted Web protection policy is generated by combining the virtual Web vulnerability patch with the asset type.
Step S5, executing asset protection detection and judging whether the request matches an existing virtual vulnerability policy; if so, intercepting the HTTP request, otherwise allowing the HTTP request to proceed normally.
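As an added illustration of steps S1 and S3 to S5 (example code written for this page, not code from the patent), the following Python sketch assumes the WAF hands over parsed request and response headers as dictionaries; the host name, the scan finding that stands in for the output of step S2, and the detection patterns are all constructed here and deliberately small.

```python
import re
from urllib.parse import urlsplit, parse_qs

SERVER_TYPES = ("nginx", "apache", "iis")  # service types named in the patent


def identify_service(response_headers):
    """Step S1: derive the asset's service type from the backend's Server response header."""
    server = response_headers.get("Server", "").lower()  # e.g. "nginx/1.18.0", "Microsoft-IIS/10.0"
    return next((t for t in SERVER_TYPES if t in server), "unknown")


def learn_asset(asset_list, request_headers, response_headers):
    """Step S1: learn a backend asset from the Host attribute of a request seen by the WAF."""
    host = request_headers.get("Host", "").lower()
    if host and host not in asset_list:
        asset_list[host] = identify_service(response_headers)
    return asset_list


# Steps S3/S4: one (constructed, intentionally minimal) protection template per finding type.
PATCH_TEMPLATES = {
    "sql_injection": re.compile(r"(?i)(\bunion\b\s+\bselect\b|'\s*or\s+\d+\s*=\s*\d+)"),
    "xss": re.compile(r"(?i)(<script\b|javascript:|\bon\w+\s*=)"),
}


def build_policy(asset_list, findings):
    """Steps S3/S4: turn scan findings (the S2 output) into virtual-patch rules bound to known assets."""
    policy = []
    for f in findings:
        if f["host"] in asset_list and f["type"] in PATCH_TEMPLATES:
            policy.append({"host": f["host"], "path": f["path"], "param": f["param"],
                           "service": asset_list[f["host"]], "pattern": PATCH_TEMPLATES[f["type"]]})
    return policy


def inspect_request(policy, host, url):
    """Step S5: 'block' if the request matches a virtual-patch rule for this asset, else 'allow'."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    for rule in policy:
        if rule["host"] == host.lower() and rule["path"] == parts.path:
            if any(rule["pattern"].search(v) for v in params.get(rule["param"], [])):
                return "block"
    return "allow"


# Constructed sample run: one learned asset and one finding; rules only apply to learned hosts.
ASSETS = learn_asset({}, {"Host": "shop.example.test"}, {"Server": "nginx/1.18.0"})
FINDINGS = [{"host": "shop.example.test", "path": "/item", "param": "id", "type": "sql_injection"}]
POLICY = build_policy(ASSETS, FINDINGS)
```

Because a rule is keyed to the learned host, path and parameter, the same payload against an asset that was never learned or scanned is passed through untouched, which is what makes the policy more targeted than a global rule base.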
With the web protection method based on asset type identification and vulnerability self-discovery, the problem administrators face in effectively managing and protecting the assets in a network is solved through asset learning. The method targets its protection at each asset type, improves the protection effect, reduces false alarms and missed alarms, and improves protection performance.
In the description herein, references to the description of the term "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, the schematic representations of the terms used above do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
Although embodiments of the present invention have been shown and described above, it is understood that the above embodiments are exemplary and should not be construed as limiting the present invention, and that variations, modifications, substitutions and alterations can be made in the above embodiments by those of ordinary skill in the art without departing from the principle and spirit of the present invention. The scope of the invention is defined by the appended claims and equivalents thereof.