Method and device for improving detection accuracy of Web application layer attacks

An attack detection technology for Web applications, applied in the field of network security, that addresses the problems of a high false alarm rate and the lack of an effective solution, and achieves the effect of reducing the false alarm rate.

Active Publication Date: 2017-12-15
HANGZHOU ANHENG INFORMATION TECH CO LTD

AI Technical Summary

Problems solved by technology

[0004] For the technical problem of a high false positive rate in traditional application layer attack detection methods, there is currently no effective solution.



Examples


Embodiment 1

[0044] A method for improving the accuracy of Web application layer attack detection provided by the embodiment of the present invention, as shown in Figure 1, includes:

[0045] Step S102, acquiring target request information sent by the user, wherein the target request information is request information for accessing a network server.

[0046] Specifically, when the target request information is request information defined by the HTTP protocol, the target request information is an HTTP request message. It should be emphasized that the target request information may use the HTTP protocol, but is not limited to the HTTP protocol.

[0047] Step S104, detecting an execution command triggered by the network server based on the target request information, where the execution command is a command for executing a target operation, and the target operation is an operation for generating a response message based on the target request information.

[...

Example 1

[0071] Example 1. SQL injection

[0072] First, using the Instrumentation principle in the JVMTI technology, a jar package named websec.jar with a function of detecting attacks is developed. The websec.jar includes a preset script, wherein the preset script includes a first sub-script and a second sub-script. The first sub-script obtains the HTTP request parameters by intercepting the methods of the HttpServletRequest class, according to the characteristics of the HTTP protocol. The second sub-script obtains the SQL execution statement by intercepting the methods of the StatementImpl class, according to the characteristics of the execution behavior triggered by the target request information.

[0073] Then, edit the Tomcat startup script to add the parameter -javaagent:websec.jar, so that websec.jar is loaded into the Tomcat server.

[0074] After the Tomcat server is started, the user accesses the test.jsp test page through the browser, and the Tomcat server receives the target request informat...
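The following Python sketch is an added example, not code from the patent or from websec.jar. It takes the two values the hooks in paragraph [0072] would capture (the HTTP request parameters and the executed SQL statement) and applies one assumed decision rule, which the page does not specify: a parameter is flagged only if its value spans more than one token of the executed SQL. The lexer, the signature, the function names and the sample data are all constructed for illustration.

```python
import re

# Assumed minimal SQL lexer (illustration only, not a full SQL grammar).
TOKEN = re.compile(r"""
    '(?:[^'\\]|\\.|'')*'        # quoted string literal
  | --[^\n]*                    # line comment
  | /\*.*?\*/                   # block comment
  | [A-Za-z_][A-Za-z0-9_]*      # keyword or identifier
  | \d+(?:\.\d+)?               # number
  | \S                          # any other single symbol
""", re.VERBOSE | re.DOTALL)

# Constructed WAF-style signature that sees only the request content.
SIGNATURE = re.compile(r"(?i)union\s+select|\bor\s+\d+\s*=\s*\d+")

def param_alters_sql(sql, value):
    """True if value occurs in sql and is not contained in a single token."""
    if not value:
        return False
    spans = [m.span() for m in TOKEN.finditer(sql)]
    start = sql.find(value)
    while start != -1:
        end = start + len(value)
        if not any(s <= start and end <= e for s, e in spans):
            return True   # the input changed the statement's structure
        start = sql.find(value, start + 1)
    return False

def flagged_params(params, sql):
    """Names of request parameters that reshaped the executed statement."""
    return [name for name, value in params.items() if param_alters_sql(sql, value)]

# Constructed samples: (request parameters, statement seen at the SQL hook).
BENIGN = ({"q": "union select"},
          "SELECT title FROM posts WHERE body LIKE '%union select%'")
ATTACK = ({"id": "1 OR 1=1"},
          "SELECT * FROM users WHERE id = 1 OR 1=1")

if __name__ == "__main__":
    for params, sql in (BENIGN, ATTACK):
        by_signature = [n for n, v in params.items() if SIGNATURE.search(v)]
        print("signature:", by_signature, "| execution hook:", flagged_params(params, sql))
```

On the constructed samples, the request-only signature flags both requests, while the check against the executed statement flags only the id parameter.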

Example 2

[0078] Example 2. Command Injection

[0079] First, using the Instrumentation principle in the JVMTI technology, a jar package named websec.jar with a function of detecting attacks is developed. The websec.jar includes a preset script, wherein the preset script includes a first sub-script and a second sub-script. The first sub-script obtains the HTTP request parameters by intercepting the methods of the HttpServletRequest class, according to the characteristics of the HTTP protocol. The second sub-script obtains the execution command by intercepting the methods of the ProcessBuilder class, according to the characteristics of the execution behavior triggered by the target request information.

[0080] Then, edit the Tomcat startup script to add the parameter -javaagent:websec.jar, so that websec.jar is loaded into the Tomcat server.

[0081] After the Tomcat server is started, the user accesses the cmd.jsp test page through the browser, and the Tomcat server receives the target request informa...


Abstract

The invention provides a method and device for improving the detection accuracy of Web application layer attacks and relates to the technical field of network security. The method comprises the following steps: target request information sent by a user is acquired, wherein the target request information is request information for accessing a network server; an execution command triggered by the network server based on the target request information is detected, wherein the execution command is a command used for executing a target operation, and the target operation is an operation of generating a response message based on the target request information; and, according to the execution command, it is determined whether an attack behavior exists in the target request information, wherein the attack behavior is an attack on the Web application layer. The method and device solve the technical problem that traditional application layer attack detection methods have a relatively high false positive rate.

Description

Technical field

[0001] The invention relates to the technical field of network security, in particular to a method and a device for improving the accuracy of Web application layer attack detection.

Background technique

[0002] Currently, WAF (Web Application Firewall) is used to detect application layer attacks. WAF is set up at the front end of the web server, and cannot understand the specific business run by the web server. It can only obtain HTTP request packets, and then perform application layer attack detection based on feature matching. Specifically, compare the obtained HTTP request content with the features in the rule feature library, and analyze whether the HTTP request content conforms to the feature definition, and if it does, it is determined that the HTTP request content is an attack on the application layer.

[0003] First of all, this traditional detection method has a strong dependence on the signature database. If the signature definition in the signatu...


Application Information

IPC(8): H04L29/06
CPC: H04L63/1416, H04L63/168
Inventor: 寇石垒, 范渊, 莫金友
Owner: HANGZHOU ANHENG INFORMATION TECH CO LTD